Wordpress Security
Mehmet Ince
~Istanbul PHP Meetup #011~
Who Am I
Ince, Mehmet Dursun
Senior Penetration Tester @ PRODAFT / INVICTUS
Ordinarily:
● Hack the app.
● Make it secure.
● Hack it again.
Blogger
https://www.mehmetince.net
This talk is all about
SECURITY
Security engineers say security is
● COMPLICATED
● HARD
● PAINFUL
● ENDLESS
● ...
Devs say security is
● XSS, HUH?! IT’S NOTHING
● MY CODE IS FLAWLESS
● YOU ARE USELESS.
● FCUK YOU Pentester.
● BEST PROGRAMMING LANGUAGE IS BLABLA...
The truth is
● Neither “PHP is the most secure programming language” nor “PHP is the most vulnerable language” is TRUE..!
● The truth is, programming languages are innocent. The problem is YOU..!
Getting started with “Wordpress security” basics.
Run applications with least privileges
● Do NOT run your application with root privileges. E.g. the HHVM and MySQL processes should be started as different, unprivileged users (supervisord can do this for you).
● CHMOD 777 is not a solution for HTTP 403 errors; it causes bigger problems: every local account, and every other site on a shared box, can now rewrite your code.
● CHOWN apache:apache -R www/ is not a “correct” solution for HTTP 403 either. It causes a MUCH bigger problem: once the PHP worker owns its own source tree, any code-execution bug in a plugin can rewrite wp-config.php and core files persistently. Only the upload directory should be writable by the web server.
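The three bullets above describe a policy; the script below, an added example that is not part of the slides, turns it into a check you can run over a WordPress tree. It assumes a deploy user named `deploy` that owns the code, a PHP worker named `www-data`, and `wp-content/uploads/` as the only directory PHP may write to; the sample tree is constructed to show what `chmod 777` and `chown -R` leave behind.

```python
"""Least-privilege check for a WordPress tree.

Added example, not from the slides. It encodes the ownership model the
slide argues for: code owned by a deploy user and read-only for the PHP
worker, only the upload directory writable by the worker, nothing
world-writable. User names and paths below are assumptions.
"""
import os
import stat

DEPLOY_USER = "deploy"                        # owns the code, runs updates
WEB_USER = "www-data"                         # PHP-FPM / HHVM worker identity
WRITABLE_PREFIXES = ("wp-content/uploads/",)  # the only place PHP may write


def audit_entry(relpath, mode, owner):
    """Findings for one file or directory.

    relpath: path relative to the WordPress root, '/'-separated,
             directories end with '/'
    mode:    permission bits as returned by stat.S_IMODE
    owner:   user name owning the entry
    """
    findings = []
    in_uploads = relpath.startswith(WRITABLE_PREFIXES)
    if mode & stat.S_IWOTH:
        # chmod 777 'fixes' a 403 by letting every local user, and every
        # other vhost on a shared box, rewrite the file.
        findings.append(f"{relpath}: world-writable ({oct(mode)})")
    if owner == WEB_USER and not in_uploads:
        # chown -R www-data means one RCE in a plugin can patch
        # wp-config.php or wp-includes/*.php persistently.
        findings.append(f"{relpath}: owned by web user {WEB_USER} outside uploads")
    if in_uploads and relpath.lower().endswith(".php"):
        # A directory PHP can write to must never serve PHP.
        findings.append(f"{relpath}: PHP file inside the writable upload directory")
    if relpath == "wp-config.php" and mode & stat.S_IROTH:
        # Database credentials readable by every local account.
        findings.append(f"{relpath}: world-readable ({oct(mode)})")
    return findings


def audit_tree(entries):
    """entries: iterable of (relpath, mode, owner). Returns every finding."""
    findings = []
    for relpath, mode, owner in entries:
        findings.extend(audit_entry(relpath, mode, owner))
    return findings


def walk_wordpress(root):
    """Yield (relpath, mode, owner) for a real tree, for audit_tree()."""
    import pwd  # POSIX only; deferred so the pure checks import anywhere
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if stat.S_ISDIR(st.st_mode):
                rel += "/"
            yield rel, stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name


# Constructed sample: a site that was "fixed" with chmod 777 and chown -R.
SAMPLE = [
    ("wp-config.php",                     0o644, DEPLOY_USER),  # world-readable
    ("wp-includes/functions.php",         0o644, DEPLOY_USER),  # fine
    ("wp-content/plugins/foo/foo.php",    0o777, WEB_USER),     # both mistakes
    ("wp-content/uploads/",               0o775, WEB_USER),     # fine
    ("wp-content/uploads/2015/shell.php", 0o644, WEB_USER),     # dropped webshell
]

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE):
        print(finding)
```

Run it against a real site with `audit_tree(walk_wordpress("/var/www/html"))`; the constructed sample produces four findings, and a tree laid out as the slide recommends produces none.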
Database security
● It is wise to keep each application in its own database, each managed by a different MySQL user with privileges on that one database only.
● Disable remote access; use SSH tunnelling when you need to reach the server from outside.
● Disable LOAD_FILE() etc. (set secure_file_priv, and never grant the FILE privilege to an application user).
● Remove anonymous users.
● If you have an external database server, enable MySQL SSL.
● https://www.mehmetince.net/mysql-veri-tabani-guvenligi-checklist/
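The checklist above says what to change; as an added example that is not from the slides or the linked checklist, here are the same points as checks over the account table and server variables, so you can audit a server after hardening it. The rows are constructed to look like the output of `SELECT User, Host, File_priv FROM mysql.user`, `SELECT User, Db FROM mysql.db` and `SHOW VARIABLES`; the account names are assumptions.

```python
"""Audit of MySQL accounts and settings against the database checklist.

Added example, not from the slides or the linked checklist. Input rows are
constructed to mirror mysql.user, mysql.db and SHOW VARIABLES output.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(users, app_users):
    """Flag anonymous, network-reachable and FILE-capable accounts.

    users:     (user, host, file_priv) tuples from mysql.user
    app_users: names that belong to web applications
    """
    findings = []
    for user, host, file_priv in users:
        if user == "":
            findings.append(f"anonymous account ''@'{host}': DROP USER ''@'{host}'")
        if host not in LOCAL_HOSTS:
            findings.append(f"'{user}'@'{host}' is reachable over the network; "
                            "bind to localhost and reach it through an SSH tunnel")
        if file_priv == "Y" and user in app_users:
            # FILE is what LOAD_FILE() and SELECT ... INTO OUTFILE need, so an
            # SQL injection in the app turns into file read/write on the host.
            findings.append(f"'{user}'@'{host}' holds FILE: "
                            f"REVOKE FILE ON *.* FROM '{user}'@'{host}'")
    return findings


def audit_variables(variables):
    """Flag server settings that widen the blast radius of an SQL injection."""
    findings = []
    if variables.get("secure_file_priv", "") == "":
        # Empty means unrestricted; NULL disables LOAD_FILE/OUTFILE entirely.
        findings.append("secure_file_priv is empty: set it to NULL or a dedicated directory")
    if (variables.get("skip_networking", "OFF") != "ON"
            and variables.get("bind_address") not in LOCAL_HOSTS):
        findings.append("TCP listener open to the network: "
                        "set skip_networking=ON or bind_address=127.0.0.1")
    if variables.get("require_secure_transport", "OFF") != "ON":
        findings.append("require_secure_transport=OFF: cleartext connections accepted; enable TLS")
    return findings


def shared_databases(grants):
    """grants: (user, db) tuples from mysql.db. Databases used by >1 user."""
    users_by_db = {}
    for user, db in grants:
        users_by_db.setdefault(db, set()).add(user)
    return sorted(db for db, users in users_by_db.items() if len(users) > 1)


# Constructed sample of a server that still has the installer defaults.
USERS = [
    ("root",    "localhost", "Y"),
    ("",        "localhost", "N"),  # leftover anonymous account
    ("wp_blog", "localhost", "N"),  # good: bound to localhost, no FILE
    ("wp_shop", "%",         "Y"),  # reachable from anywhere, can LOAD_FILE
    ("backup",  "10.0.0.5",  "N"),
]
GRANTS = [("wp_blog", "blog"), ("wp_shop", "shop"), ("wp_shop", "blog")]
VARIABLES = {"secure_file_priv": "", "skip_networking": "OFF",
             "bind_address": "0.0.0.0", "require_secure_transport": "OFF"}
APP_USERS = {"wp_blog", "wp_shop"}

if __name__ == "__main__":
    for finding in audit_accounts(USERS, APP_USERS) + audit_variables(VARIABLES):
        print(finding)
    print("databases shared between app users:", shared_databases(GRANTS))
```

Feed it the real rows from `mysql.user`, `mysql.db` and `SHOW VARIABLES` and the output is the remaining work list; the constructed sample yields four account findings, three variable findings and one shared database.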
Be a “Lone Wolf”
● It’s 2015…!
○ Stop using “Shared Hosting”.
○ Stop using cPanel.
○ Stop using WHMCS.
● A basic SSD Linux server costs just $5/month. E.g. DigitalOcean, Vultr, ...
DDoS
● L3 DDoS.
● L7 DDoS.
● Varnish ?!
● Memcache ?!
Wp-admin ~ Wp-config
● 2-step authentication: https://wordpress.org/plugins/authy-two-factor-authentication/
● Captcha: https://wordpress.org/plugins/no-captcha-recaptcha/
● BasicAuth in front of wp-admin might also break some WP functionality, such as the AJAX handler at wp-admin/admin-ajax.php, which themes and plugins call for logged-out visitors as well.
● define( 'DISALLOW_FILE_EDIT', true ); removes the theme and plugin file editor from the dashboard, so a stolen admin session cannot turn into PHP execution through it.
● define( 'FS_METHOD', 'direct' ); makes WordPress write updates itself as the PHP user instead of asking for FTP credentials. It needs the files to be writable by that user, so combine it with a deliberate ownership model rather than chmod 777.
Brute-force XMLRPC
● /xmlrpc.php
● Brute-force hundreds of thousands of username & password pairs within ONE HTTP request through the system.multicall method of XML-RPC: every nested call is authenticated separately, so one POST carries thousands of login attempts and rate limiting on wp-login.php never sees them.
● Disable access to xmlrpc.php. If you need it (Jetpack, mobile apps), disable system.multicall, system.listMethods and system.getCapabilities, e.g. by unsetting them through the xmlrpc_methods filter.
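To see why one request is enough, and what a filter in front of the endpoint (the kind of rule a WAF applies) has to look at, here is an added example that is not part of the slides. It assumes the WordPress endpoint path /xmlrpc.php and the wp.getUsersBlogs method, which takes (username, password) and is the usual credential oracle for this attack; the wordlist is constructed.

```python
"""system.multicall amplification on the wire, and a filter that refuses it.

Added example, not from the slides. Assumes /xmlrpc.php and the
wp.getUsersBlogs(username, password) method; the candidate list is made up.
"""
import xmlrpc.client

# Methods the slide says to disable when xmlrpc.php must stay reachable.
DISABLED_METHODS = {"system.multicall", "system.listMethods", "system.getCapabilities"}


def build_multicall(pairs):
    """One XML-RPC request body that tries every (username, password) pair.

    Each element of the multicall array is authenticated separately by the
    server, so N pairs cost the attacker one POST and a couple of hundred
    bytes per pair, and per-request limits on wp-login.php never see it.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, password]}
             for user, password in pairs]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_call(method, *params):
    """A plain single-method request body, for comparison."""
    return xmlrpc.client.dumps(params, methodname=method)


def describe_request(body):
    """Return (method, number of method calls carried by the body)."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        return method, len(params[0])
    return method, 1


def filter_request(path, body):
    """(allowed, reason) for a request, e.g. from a WAF rule or a PHP shim.

    Anything that is not XML-RPC passes. Disabled methods are rejected, and
    so is any body that fails to parse as XML-RPC at all.
    """
    if path != "/xmlrpc.php":
        return True, "not an XML-RPC request"
    try:
        method, calls = describe_request(body)
    except Exception as exc:  # expat errors, ResponseError, ...
        return False, f"unparseable XML-RPC body: {type(exc).__name__}"
    if method == "system.multicall":
        return False, f"system.multicall is disabled ({calls} calls in one request)"
    if method in DISABLED_METHODS:
        return False, f"{method} is disabled"
    return True, "ok"


# Constructed wordlist; a real run would carry thousands of pairs.
CANDIDATES = [("admin", "123456"), ("admin", "password"), ("admin", "admin")]

if __name__ == "__main__":
    body = build_multicall(CANDIDATES)
    print(len(body), "bytes carry", describe_request(body)[1], "login attempts")
    print(filter_request("/xmlrpc.php", body))
    print(filter_request("/xmlrpc.php", build_call("wp.getUsersBlogs", "admin", "123456")))
```

The filter rejects on the method name rather than on a count of nested calls, because the legitimate clients the slide mentions never need system.multicall; a body that is not valid XML-RPC is rejected as well, since the real endpoint would spend parser time on it.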
HTTPS
(The whole slide repeats the word HTTPS.)
WAF
● A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By customizing the rules to your application, many attacks can be identified and blocked.
Wordpress 4.2.3 SQL Injection
Commit = 70128fe7605cb963a46815cf91b0a5934f70eff5 | Date = 4 August 2015
23.02.2014 WP < 4.1 Stored XSS (Critical) vulnerability found by a researcher.
31.03.2014 Issue acknowledged by the Wordpress Team.
07.04.2014 Initial patch received from the WP team.
... FUUUUUUUUUUUU ...
21.04.2015 Finally, the WP team released the patch.
WTF
● The exploit does NOT require a logged-in user: anyone may trigger the vulnerability..! And Stored XSS means that everyone who visits the infected article is going to be HACKED!
but the Wordpress Team patched the issue after 14 months!
DEMO
Themes
“Nothing Is Free In This World.”
If you are using a free theme, I’m sorry, but YOU GOT PWNED.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● Identified by Fox-IT in May 2014.
● A Fox-IT researcher found the following HTTP request generated by their customer’s server:
[08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1"
… and an unexpected journey began.
● There is no User-Agent.
● There is no Referer.
● It is an HTTP POST request to a .biz domain.
● And the POST data contains encrypted information..!
● Upon further inspection, they found that the only action that occurred before the HTTP POST request was the install of a plug-in onto a Joomla instance by the administrator of the website.
● The latest installed plug-in was JSecure.
● The ZIP file of JSecure contained the following information (file listing shown on the slide).
● All files seemed normal, other than jsecure.php. It was updated on March 26..!
● The jsecure.php code was innocent as well, except for the last line.
mince@rootlab admin $ file images/social.png
images/social.png: PHP script, ASCII text, with very long lines
● Obfuscated PHP code.
● CMS detection (the backdoor works out whether it is running inside Wordpress, Drupal or Joomla).
● One backdoor to rule them all (Wordpress, Drupal, Joomla).
● Public key encryption between the backdoor and the Command & Control servers.
● Ability to update itself.
● Method hooks.
● ...
Details: https://www.mehmetince.net/cryptophp-backdoor-analizi-ve-tespiti/
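The case above was found from three observations: an outbound POST with no User-Agent and no Referer, a plugin file whose last line pulls in an image, and an image that `file` reports as a PHP script. As an added example that is not part of the slides or the Fox-IT analysis, the script below turns each observation into a check. The sample files and log lines are constructed: the jsecure.php and images/social.png names mirror the case, while the include line, the loader body and the log format are assumptions.

```python
"""Three checks that would have surfaced the CryptoPHP case: an image file
that is really PHP, a PHP file that include()s an image, and the
user-agent-less POST beacon in the logs.

Added example, not part of the slides or the Fox-IT analysis. Samples are
constructed; file names mirror the case, their contents are assumptions.
"""
import re

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico")
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
INCLUDE_RE = re.compile(
    r"\b(?:include|include_once|require|require_once)\s*\(?\s*['\"]"
    r"([^'\"]+\.(?:png|jpe?g|gif|ico))['\"]",
    re.IGNORECASE,
)
# Apache/nginx combined log format; the request target is an absolute URL
# when the line comes from a proxy, as in the Fox-IT log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_php_in_image(name, data):
    """True when a file with an image extension contains a PHP open tag.

    This is what `file images/social.png` reporting 'PHP script' means: the
    bytes are source code, not a PNG. The whole file is searched, so PHP
    appended after a genuine image header is caught as well.
    """
    return name.lower().endswith(IMAGE_EXT) and PHP_TAG.search(data) is not None


def image_includes(php_source):
    """Image paths that a PHP file include()s or require()s."""
    return [m.group(1) for m in INCLUDE_RE.finditer(php_source)]


def scan_files(files):
    """files: iterable of (relpath, bytes). Returns findings as strings."""
    findings = []
    for path, data in files:
        if is_php_in_image(path, data):
            findings.append(f"{path}: PHP code in an image-named file")
        if path.lower().endswith(".php"):
            for target in image_includes(data.decode("utf-8", "replace")):
                findings.append(f"{path}: includes image file {target}")
    return findings


def suspicious_beacons(log_lines):
    """Targets of POSTs to an absolute URL with no Referer and no User-Agent."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST"
                and m["target"].startswith(("http://", "https://"))
                and m["referer"] in ("", "-")
                and m["ua"] in ("", "-")):
            hits.append(m["target"])
    return hits


# Constructed plugin tree: a clean file with one appended line, the loader it
# points at, and a genuine PNG.
SAMPLE_FILES = [
    ("plugins/jsecure/jsecure.php",
     b"<?php\ndefined('_JEXEC') or die;\n/* plugin code */\n"
     b"include('images/social.png');\n"),
    ("plugins/jsecure/images/social.png",
     b"<?php $c = base64_decode('ZWNobyAxOw=='); eval($c);"),
    ("plugins/jsecure/images/logo.png",
     b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
]

# Constructed log lines in combined format; the first mirrors the slide.
SAMPLE_LOG = [
    '10.0.0.12 - - [08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.12 - - [08/May/2014:12:44:11 +0100] "GET http://api.wordpress.org/core/version-check/1.7/ HTTP/1.1" 200 1024 "-" "WordPress/3.9"',
    '203.0.113.7 - - [08/May/2014:12:45:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES) + suspicious_beacons(SAMPLE_LOG):
        print(finding)
```

Run `scan_files` over `(path, open(path, "rb").read())` pairs from your plugin and theme directories, and `suspicious_beacons` over the proxy or egress log; the file checks are cheap enough to run on every deploy, which is when this backdoor arrived.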
Thank you
@mdisec
https://www.mehmetince.net

 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 

Wordpress security

Wp-admin ~ Wp-config
● 2-step authentication https://wordpress.org/plugins/authy-two-factor-authentication/
● Captcha https://wordpress.org/plugins/no-captcha-recaptcha/
● BasicAuth might also break some WP functionality, such as the AJAX handler at wp-admin/admin-ajax.php
● define( 'DISALLOW_FILE_EDIT', true );
● define('FS_METHOD', 'direct');
Brute-force XMLRPC
● /xmlrpc.php
● Brute-force hundreds of thousands of username & password pairs within ONE HTTP request through the system.multicall method of XML-RPC.
● Disable xmlrpc.php access. If you need to use it, disable system.multicall, system.listMethods and system.getCapabilities.
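As an added example (not code from the talk), a must-use plugin that applies the slide's advice through WordPress's own xmlrpc_enabled and xmlrpc_methods filters, plus a log line per XML-RPC call for detection; the log format and the file name are my choices.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not from the talk)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Option A: the site never uses XML-RPC (no Jetpack, no mobile-app publishing).
// The xmlrpc_enabled filter makes every method that needs authentication fail,
// which removes the credential-guessing surface entirely.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: XML-RPC is needed, so keep it but drop the methods named on the
// slide. The xmlrpc_methods filter receives the method-name => callback map.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // system.multicall lets one HTTP request carry hundreds of login attempts,
    // so per-request counters never notice; listMethods / getCapabilities only
    // help an attacker enumerate what the endpoint exposes.
    foreach ( array( 'system.multicall', 'system.listMethods', 'system.getCapabilities' ) as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
} );

// Detection: the xmlrpc_call action fires with the method name for every call
// (the authenticated methods such as wp.getUsersBlogs fire it themselves), so a
// burst of calls from one address stands out in the PHP error log.
add_action( 'xmlrpc_call', function ( $name ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc_call method=%s ip=%s', $name, $ip ) );
} );
```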
HTTPS
(The whole slide is the word HTTPS, repeated.)
WAF
● A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By customizing the rules to your application, many attacks can be identified and blocked.
Wordpress 4.2.3 SQL Injection
Commit = 70128fe7605cb963a46815cf91b0a5934f70eff5 | Date = 4 August 2015
23.02.2014 WP < 4.1 Stored XSS (Critical) vulnerability found by a researcher.
31.03.2014 Issue acknowledged by the Wordpress team.
07.04.2014 Initial patch received from the WP team.
... FUUUUUUUUUUUUUUUUUUUUUUUUUU
21.04.2015 Finally, the WP team released the patch.
WTF
● The exploit does NOT require a logged-in user. Anyone may trigger the vulnerability..! On the other hand, Stored XSS means that anyone who visits the infected article is going to be HACKED! But the Wordpress team patched the issue after 14 months!
DEMO
Themes
“Nothing Is Free In This World.”
If you are using a free theme, I’m sorry but YOU GOT PWNED.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● Identified by Fox-IT in May 2014.
● A researcher from Fox-IT found the following HTTP request generated by their customer’s server.
[08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1"
… an unexpected journey has begun.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● There is no User-Agent.
● There is no Referer.
● HTTP POST request to a .biz domain.
● And the POST data contains encrypted information..!
● Upon further inspection, they found that the only action that occurred before the HTTP POST request was the installation of a plug-in onto a Joomla instance by the administrator of the website.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● The most recently installed plug-in was JSecure.
● The ZIP file of JSecure contained the following information.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● All files seem normal, other than jsecure.php. It was updated on March 26..!
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● The jsecure.php code was innocent as well, except for the last line.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
mince@rootlab admin $ file images/social.png
images/social.png: PHP script, ASCII text, with very long lines
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
Obfuscated PHP code.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
CMS Detection
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● One backdoor to rule them all (Wordpress, Drupal, Joomla)
● Public key encryption between Command & Control servers.
● Ability to update itself.
● Method hook
● ...
Details: https://www.mehmetince.net/cryptophp-backdoor-analizi-ve-tespiti/
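The two tells from the jsecure.php / social.png slides (an "image" that `file` reports as a PHP script, and a PHP file whose last line includes it) can be checked across a whole CMS tree. This scanner is an added example, not code from the talk or from the researchers it cites; the script name, the extension list and the 256-byte header window are my assumptions.

```php
<?php
// Added example (not code from the talk or its sources): scan a CMS tree for the
// CryptoPHP pattern on the slides. Usage: php cryptophp-scan.php /var/www/html
// Finding (1): an "image" whose bytes are PHP source (the social.png trick).
// Finding (2): a .php file that includes such an image, as jsecure.php did.
const IMAGE_EXTS = array( 'png', 'jpg', 'jpeg', 'gif', 'ico' );

/** True when the first bytes look like PHP source rather than an image header. */
function looks_like_php( string $head ): bool {
    return (bool) preg_match( '/<\?(php|=)/i', $head );
}

/** Return the image path a PHP file includes, or null if there is none. */
function included_image( string $php_source ): ?string {
    $re = '/\b(?:include|include_once|require|require_once)\s*\(?\s*[\'"]([^\'"]+\.(?:' . implode( '|', IMAGE_EXTS ) . '))[\'"]/i';
    return preg_match( $re, $php_source, $m ) ? $m[1] : null;
}

/** Walk $root and return one finding per suspicious file. */
function scan_tree( string $root ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $path = $file->getPathname();
        $ext  = strtolower( $file->getExtension() );
        if ( in_array( $ext, IMAGE_EXTS, true ) ) {
            // Only the header is needed: a real PNG starts with \x89PNG, not with a PHP open tag.
            $head = file_get_contents( $path, false, null, 0, 256 );
            if ( $head !== false && looks_like_php( $head ) ) {
                $findings[] = "$path: image extension but PHP code in first 256 bytes";
            }
        } elseif ( $ext === 'php' ) {
            $src = file_get_contents( $path );
            if ( $src !== false && ( $inc = included_image( $src ) ) !== null ) {
                $findings[] = "$path: includes an image file ($inc)";
            }
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( scan_tree( $argv[1] ) as $line ) {
        echo $line, PHP_EOL;
    }
}
```

A clean tree produces no output; each reported path is a candidate for the same `file` check the slide shows and for comparison against the plug-in's original ZIP.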
  • 30. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● One backdoor to rule them all ( Wordpress, Drupal, Joomla ) ● Public key encryption between Command & Control servers. ● Ability to update itself. ● Method hook ● ... Details : https://www.mehmetince.net/cryptophp-backdoor-analizi-ve- tespiti/