Hacking the WordpressEcosystem



Similar documents
Nikolay Zaynelov Annual LUG-БГ Meeting nikolay.zaynelov.com

WordPress Security Scan Configuration

FRIENDS OF SEARCH HARDENING WORDPRESS VARIOUS TWEAKS FOR BETTER WP SECURITY

DiamondStream Data Security Policy Summary

Cloud Security:Threats & Mitgations

Passing PCI Compliance How to Address the Application Security Mandates

How to Install WordPress Manually: Securing and De-Bloating WordPress

Content Management System

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Welcome To Advanced Topics in WordPress: Beyond the Bootcamp

Welcome To Advanced Topics in WordPress: Beyond the Bootcamp April 2013

10 BEST PRACTICES FOR A SECURE AND SUCCESSFUL ENTERPRISE WORDPRESS DEPLOYMENT WHITE PAPER

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Directory and File Transfer Services. Chapter 7

Protect Your Websites and Beat the Hackers

THE OPEN UNIVERSITY OF TANZANIA

Web Plus Security Features and Recommendations

Best Practices (Top Security Tips)

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Thick Client Application Security

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Ruby on Rails Secure Coding Recommendations

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Using Nessus In Web Application Vulnerability Assessments

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Online Vulnerability Scanner Quick Start Guide

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

OWASP TOP 10 ILIA

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Livezilla How to Install on Shared Hosting By: Jon Manning

Columbia University Web Security Standards and Practices. Objective and Scope

CYBERTRON NETWORK SOLUTIONS

CRYPTUS DIPLOMA IN IT SECURITY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Hacking de aplicaciones Web

QUANTIFY INSTALLATION GUIDE

Codes of Connection for Devices Connected to Newcastle University ICT Network

Adobe Systems Incorporated

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Where every interaction matters.

Data Breaches and Web Servers: The Giant Sucking Sound

Rensselaer Union Club Webhosting CPanel Guide

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Essential IT Security Testing

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Web Application Report

Hardening WordPress. (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray Sunday, March 15, 15

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

WordPress File Monitor Plus Plugin Configuration

Virtualization System Security

MatriXay Database Vulnerability Scanner V3.0

RemotelyAnywhere. Security Considerations

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Website Optimization Tips for Speed

REDCap Technical Overview

FERPA: Data & Transport Security Best Practices

Securing SharePoint 101. Rob Rachwald Imperva

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Online Vulnerability Scanner User Manual

Course Title: Course Description: Course Key Objective: Fee & Duration:

Web application security

Web Security School Entrance Exam

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Magento Security and Vulnerabilities. Roman Stepanov

Web Application Vulnerability Testing with Nessus

Web Hosting Wordpress, Joomla, Drupal Integration

MySQL Security for Security Audits

1. Building Testing Environment

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Locking down a Hitachi ID Suite server

NNT CIS Microsoft SQL Server 2008R2 Database Engine Level 1 Benchmark Report 0514a

Web Application Security

Security from the Cloud

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

REDCap General Security Overview

SiteLock. Internet Security: Big Threats for Small Business. Presented by: Neill Feather, President

Web Vulnerability Assessment Report

Columbia University Web Application Security Standards and Practices. Objective and Scope

DEVELOP ROBOTS DEVELOPROBOTS. We Innovate Your Business

Sitefinity Security and Best Practices

The easy way to a nice looking website design. By a total non-designer (Me!)

Penetration: from Application down to OS

WEB APPLICATION SECURITY

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Backup and Restore MySQL Databases

FortiWeb 5.0, Web Application Firewall Course #251

Release Notes for Websense Security v7.2

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Transcription:

Hacking the WordpressEcosystem

About Me Dan Catalin VASILE Information Security Consultant Researcher / Writer / Presenter OWASP Romania Board Member Online presence http://www.pentest.ro dan@pentest.ro/ @DanCVASILE

About the talk Hacking the Wordpress Ecosystem WHY?

More numbers About the talk

Finding Wordpress! About the talk

Scope

Scope TO SCARE!!!! Attacks on: - The Worpress platform - Plugins - Themes - Infrastructure - Humans

Scope and TO REPAIR. Focus on: - Infrastructure - Installation process - Protective server side measures - Protective client side measures - Reviewing source code - Maintenance

Wordpress Ecosystem Infrastructure Base platform Themes Plugins Users

Physical security Hacking the infrastructure

Hacking the infrastructure Common web server vulnerabilities Overflows DoS Remote command execution XSS in internal tools Security Misconfiguration just no name a few http://httpd.apache.org/security/vulnerabilities_22.html & more

Hacking the infrastructure PHP vulnerabilities DoS Overflows Remote command execution SQL injection XSS Source code disclosure RFI CSRF &more

One example from the CVE Database Hacking the Wordpress platform

Hacking the plugins How many pluginsare there? 27,596 PLUGINS, 536,317,915 DOWNLOADS (as of October 2013) How many of them are vulnerable? Not as many as you ve expected. CVE lists only 164 vulnerabilities (not all related to plugins) Fear not! New pluginseveryday & new disclosures on old plugins.

Hacking the themes Themes can be vulnerable! They sometimes come up with other plugins necessary to get the functionality needed Think about TimThumb vulnerability!

Hacking the themes What is TimThumb? A small phpscript for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. The problem! TimThumb essentially, caches even remote files locally, without doing any proper sanitization. The problem for hackers The file timthumb.php does however, check if to see if the target file is actually an image or not. This timthumbfile is also quite often renamed to something else and is used in many themes.

TimThumb hack The easiest way to trick TimThumbinto believing a remotely stored image (that also contains evil PHP code) is an actual image (with timthumbcraft)

Uploading the file TimThumb hack

TimThumb hack Additional problems with the TimThumb hack -When uploading the image, the phpscript will be located in the cache directory with a random name

We re IN! TimThumb hack

Hacking the users Last but not least, hacking the human element: - Social engineering - Phishing - Exploiting bad habits

Let s fix it Let s start fixing the Wordpress Ecosystem Short recap: - Infrastructure - Wordpress base platform - Wordpress plugins - Wordpress themes - Users

Fixing the Infrastructure INFRASTRUCTURE - Choose a decent data-center - Use encryption for physical disks - Use secure communication channels with the server (SSH, SFTP); do you still use FTP? You should be banned from the world. - Keep the Web Server, PHP and Database updated to the latest version - Secure configurations (disable directory listing, secure php.ini configuration, etc.) - Log and analyze

Fixing the Wordpress platform WORDPRESS PLATFORM - INSTALLATION - Always download the platform from a trusted source; use https://wordpress.org/download/ - Change the default admin username - Set a strong password - Change the default wp_ table prefix - Set an insane database password - Move wp-config.php outside /public_html

Fixing the Wordpress platform WORDPRESS PLATFORM - MAINTENANCE - BACKUP!!! (BackWPup plugin) - Update! - Use SSL for authentication - Use CAPTCHA for logging in (Captcha on Login plugin) - Limit the access to /wp-admin (form.htaccess) - Source code audit

Fixing the themes THEMES - Update - Review the code

Fixing the plugins PLUGINS - Delete unused plugins - Update - Review ratings and user comments - Source code audit

Fixing the users USERS - Awareness - Set user roles and give only the privileges they need - Log & audit user actions (ARYO Activity Log plugin) - Personal computer security - Enforce the use of strong passwords (Minimum Password Strength plugin)

Further actions Install one or more security plugins Login Security Solution AntiVirus WP Security Scan WordPress File Monitor Plus OSE Firewall Security Block Bad Queries Wordfence

Further actions Monitor the website from an external party WebsiteDefender Pingdom Change Detection

Source code audit Further actions

What to do If you know what you re doing, do the whole ecosystem yourself. Otherwise go with a managed solution: Otherwise go with a managed solution: Wordpress.org Wpengine.com Godaddy.com Etc.

Goal Wordpress Security Checklist project on OWASP https://www.owasp.org/index.php/owasp_wordpress_security_checklist_project My part: - Establish the structure - Contribute with content I need help for: - Content - Plugin suggestions and reviews - Source code audits

Thank you! Questions

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information