SlideShare uma empresa Scribd logo

Dan Catalin Vasile - Hacking the Wordpress Ecosystem

Transferir como PPTX, PDF
Dan Vasile
Dan Vasile

Dan Catalin Vasile - Hacking the Wordpress Ecosystem OWASP Romania InfoSec Conference, Bucharest, October 25, 2013

TecnologiaNegócios
1 de 34
Hacking the Wordpress Ecosystem
About Me Dan Catalin VASILE • Information Security Consultant • Researcher / Writer / Presenter • OWASP Romania Board Member • Online presence – http://www.pentest.ro – dan@pentest.ro / @DanCVASILE
About the talk Hacking the Wordpress Ecosystem WHY?
About the talk More numbers
About the talk Finding Wordpress!
Scope
Scope TO SCARE!!!! Attacks on: - The Worpress platform Plugins Themes Infrastructure Humans
Scope and TO REPAIR. Focus on: - Infrastructure Installation process Protective server side measures Protective client side measures Reviewing source code Maintenance
Wordpress Ecosystem Infrastructure Users Base platform Themes Plugins
Hacking the infrastructure Physical security
Hacking the infrastructure Common web server vulnerabilities • • • • • Overflows DoS Remote command execution XSS in internal tools Security Misconfiguration … just to name a few http://httpd.apache.org/security/vulnerabilities_22.html & more
Hacking the infrastructure PHP vulnerabilities • DoS • Overflows • Remote command execution • • • • • SQL injection XSS Source code disclosure RFI CSRF &more
Hacking the Wordpress platform One example from the CVE Database
Hacking the plugins How many plugins are there? 27,596 PLUGINS, 536,317,915 DOWNLOADS (as of October 2013) How many of them are vulnerable?  Not as many as you’ve expected. CVE lists ‘only’ 164 vulnerabilities (not all related to plugins) Fear not! New plugins everyday & new disclosures on old plugins.
Hacking the themes Themes can be vulnerable! They sometimes come up with other plugins necessary to get the functionality needed Think about TimThumb vulnerability!
Hacking the themes What is TimThumb? A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. The problem! “TimThumb” essentially, caches even remote files locally, without doing any proper sanitization. The problem for hackers The file “timthumb.php” does however, check if to see if the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.
TimThumb hack The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image (with timthumbcraft)
TimThumb hack Uploading the file
TimThumb hack Additional problems with the TimThumb hack - When uploading the image, the php script will be located in the cache directory with a ‘random’ name
TimThumb hack We’re IN!
Hacking the users Last but not least, hacking the human element: - Social engineering - Phishing - Exploiting bad habits
Let’s fix it Let’s start fixing the Wordpress Ecosystem Short recap: - Infrastructure - Wordpress base platform - Wordpress plugins - Wordpress themes - Users
Fixing the Infrastructure INFRASTRUCTURE - Choose a decent data-center - Use encryption for physical disks - Use secure communication channels with the server (SSH, SFTP); do you still use FTP? You should be banned from the world. - Keep the Web Server, PHP and Database updated to the latest version - Secure configurations (disable directory listing, secure php.ini configuration, etc.) - Log and analyze
Fixing the Wordpress platform WORDPRESS PLATFORM - INSTALLATION - Always download the platform from a trusted source; use https://wordpress.org/download/ - Change the default ‘admin’ username - Set a strong password - Change the default ‘wp_’ table prefix - Set an insane database password - Move wp-config.php outside /public_html
Fixing the Wordpress platform WORDPRESS PLATFORM - MAINTENANCE - BACKUP!!! (BackWPup plugin) Update! Use SSL for authentication Use CAPTCHA for logging in (Captcha on Login plugin) - Limit the access to /wp-admin (form .htaccess) - Source code audit
Fixing the themes THEMES - Update - Review the code
Fixing the plugins PLUGINS - Delete unused plugins Update Review ratings and user comments Source code audit
Fixing the users USERS - Awareness - Set user roles and give only the privileges they need - Log & audit user actions (ARYO Activity Log plugin) - Personal computer security - Enforce the use of strong passwords (Minimum Password Strength plugin)
Further actions Install one or more security plugins • • • • • • • Login Security Solution AntiVirus WP Security Scan WordPress File Monitor Plus OSE Firewall Security Block Bad Queries Wordfence
Further actions Monitor the website from an external party • WebsiteDefender • Pingdom • Change Detection
Further actions Source code audit
What to do If you know what you’re doing, do the whole ecosystem yourself. Otherwise go with a managed solution: • Wordpress.org • Wpengine.com • Godaddy.com Etc.
Goal Wordpress Security Checklist project on OWASP https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project My part: - Establish the structure - Contribute with content I need help for: - Content - Plugin suggestions and reviews - Source code audits
Questions Thank you!

Recomendados

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
Ryan Plas
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
Madhu Akula
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
Anton Dedov
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPress
Jeremy Green
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 

Recomendados

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
Ryan Plas
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
Madhu Akula
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
Anton Dedov
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPress
Jeremy Green
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
Micah Hoffman
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
Gareth Davies
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
Micah Hoffman
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
HackIT Ukraine
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hacked
Marko Heijnen
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy pieces
Kevin Koehler
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
Michele Butcher-Jones
 
Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1
Mohammad Mafi
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
Vladimír Smitka
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
Pavu Jas
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
Lalit Nama
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
Peter Baylies
 
Seven steps to better security
Seven steps to better securitySeven steps to better security
Seven steps to better security
Michael Pignataro
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
Shady A. Sharaf
 

Mais conteúdo relacionado

Mais procurados

Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
Pavu Jas
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 

Mais procurados (18)

Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hacked
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy pieces
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
 

Semelhante a Dan Catalin Vasile - Hacking the Wordpress Ecosystem

Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Seven steps to better security
Seven steps to better securitySeven steps to better security
Seven steps to better security
Michael Pignataro
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
Think Media Inc.
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
Csaba Fitzl
 

Semelhante a Dan Catalin Vasile - Hacking the Wordpress Ecosystem (20)

Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
 
Seven steps to better security
Seven steps to better securitySeven steps to better security
Seven steps to better security
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Battling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support TaleBattling the WSOD - A Tech Support Tale
Battling the WSOD - A Tech Support Tale
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Último (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Dan Catalin Vasile - Hacking the Wordpress Ecosystem

  • 2. About Me Dan Catalin VASILE • Information Security Consultant • Researcher / Writer / Presenter • OWASP Romania Board Member • Online presence – http://www.pentest.ro – dan@pentest.ro / @DanCVASILE
  • 3. About the talk Hacking the Wordpress Ecosystem WHY?
  • 7. Scope TO SCARE!!!! Attacks on: - The Worpress platform Plugins Themes Infrastructure Humans
  • 8. Scope and TO REPAIR. Focus on: - Infrastructure Installation process Protective server side measures Protective client side measures Reviewing source code Maintenance
  • 11. Hacking the infrastructure Common web server vulnerabilities • • • • • Overflows DoS Remote command execution XSS in internal tools Security Misconfiguration … just to name a few http://httpd.apache.org/security/vulnerabilities_22.html & more
  • 12. Hacking the infrastructure PHP vulnerabilities • DoS • Overflows • Remote command execution • • • • • SQL injection XSS Source code disclosure RFI CSRF &more
  • 13. Hacking the Wordpress platform One example from the CVE Database
  • 14. Hacking the plugins How many plugins are there? 27,596 PLUGINS, 536,317,915 DOWNLOADS (as of October 2013) How many of them are vulnerable?  Not as many as you’ve expected. CVE lists ‘only’ 164 vulnerabilities (not all related to plugins) Fear not! New plugins everyday & new disclosures on old plugins.
  • 15. Hacking the themes Themes can be vulnerable! They sometimes come up with other plugins necessary to get the functionality needed Think about TimThumb vulnerability!
  • 16. Hacking the themes What is TimThumb? A small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. The problem! “TimThumb” essentially, caches even remote files locally, without doing any proper sanitization. The problem for hackers The file “timthumb.php” does however, check if to see if the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.
  • 17. TimThumb hack The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image (with timthumbcraft)
  • 19. TimThumb hack Additional problems with the TimThumb hack - When uploading the image, the php script will be located in the cache directory with a ‘random’ name
  • 21. Hacking the users Last but not least, hacking the human element: - Social engineering - Phishing - Exploiting bad habits
  • 22. Let’s fix it Let’s start fixing the Wordpress Ecosystem Short recap: - Infrastructure - Wordpress base platform - Wordpress plugins - Wordpress themes - Users
  • 23. Fixing the Infrastructure INFRASTRUCTURE - Choose a decent data-center - Use encryption for physical disks - Use secure communication channels with the server (SSH, SFTP); do you still use FTP? You should be banned from the world. - Keep the Web Server, PHP and Database updated to the latest version - Secure configurations (disable directory listing, secure php.ini configuration, etc.) - Log and analyze
  • 24. Fixing the Wordpress platform WORDPRESS PLATFORM - INSTALLATION - Always download the platform from a trusted source; use https://wordpress.org/download/ - Change the default ‘admin’ username - Set a strong password - Change the default ‘wp_’ table prefix - Set an insane database password - Move wp-config.php outside /public_html
  • 25. Fixing the Wordpress platform WORDPRESS PLATFORM - MAINTENANCE - BACKUP!!! (BackWPup plugin) Update! Use SSL for authentication Use CAPTCHA for logging in (Captcha on Login plugin) - Limit the access to /wp-admin (form .htaccess) - Source code audit
  • 26. Fixing the themes THEMES - Update - Review the code
  • 27. Fixing the plugins PLUGINS - Delete unused plugins Update Review ratings and user comments Source code audit
  • 28. Fixing the users USERS - Awareness - Set user roles and give only the privileges they need - Log & audit user actions (ARYO Activity Log plugin) - Personal computer security - Enforce the use of strong passwords (Minimum Password Strength plugin)
  • 29. Further actions Install one or more security plugins • • • • • • • Login Security Solution AntiVirus WP Security Scan WordPress File Monitor Plus OSE Firewall Security Block Bad Queries Wordfence
  • 30. Further actions Monitor the website from an external party • WebsiteDefender • Pingdom • Change Detection
  • 32. What to do If you know what you’re doing, do the whole ecosystem yourself. Otherwise go with a managed solution: • Wordpress.org • Wpengine.com • Godaddy.com Etc.
  • 33. Goal Wordpress Security Checklist project on OWASP https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project My part: - Establish the structure - Contribute with content I need help for: - Content - Plugin suggestions and reviews - Source code audits