SlideShare a Scribd company logo

String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script>

Muhammad Sohail
Muhammad Sohail

String.fromCharCode(34, 62, 60, 105, 109, 103, 32, 115, 114, 99, 61, 120, 32, 111, 110, 101, 114, 114, 111, 114, 61, 112, 114, 111, 109, 112, 116, 40, 49, 41, 59, 62)

BusinessTechnology
1 of 17
Download to read offline
CVE-2008-1930: WORDPRESS 2.5 COOKIE INTEGRITY PROTECTION VULNERABILITY By Louis Nyffenegger <Louis@PentesterLab.com>
2 4 5 5 5 6 8 8 8 12 13 16 17 Table of Content Table of Content Introduction About this exercise License Syntax of this course The web application The issue Introduction The code The vulnerability Exploitation Patch Conclusion 2/17 PentesterLab.com » CVE-2008-1930
3/17 PentesterLab.com » CVE-2008-1930
Introduction This course details the exploitation of an issue in the cookies integrity mechanism of Wordpress. This issue was found in 2008 and allowed an attacker to gain administrator access to a wordpress instance if user registration is enabled. This issue is a really good example of what can go wrong with cryptographic function and I thought it will do a really good exercise. 4/17 PentesterLab.com » CVE-2008-1930
About this exercise License This exercise by PentesterLab is licensed under the Creative Commons Attribution- NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/. Syntax of this course 5/17 PentesterLab.com » CVE-2008-1930
The red boxes provide information on mistakes/issues that are likely to happen while testing: An issue that you may encounter...An issue that you may encounter... The green boxes provide tips and information if you want to go further. You should probably check...You should probably check... The web application Once the system has booted, you can then retrieve the current IP address of the system using the command ifconfig: $ ifconfig eth0 eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56 inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0 inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:88 errors:0 dropped:0 overruns:0 frame:0 TX packets:77 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:10300 (10.0 KiB) TX bytes:10243 (10.0 KiB) Interrupt:11 Base address:0x8000 In this example the IP address is 10.0.2.15. 6/17 PentesterLab.com » CVE-2008-1930
Throughout the training, the hostname vulnerable is used for the vulnerable machine, you can either replace it by the IP address of the machine, or you can just add an entry to your host file with this name and the corresponding IP address. It can be easily done by modifying: on Windows, your C:WindowsSystem32Driversetchosts file; on Unix/Linux and Mac OS X, your /etc/hosts file. The IP address can change if you restart the system, don'tThe IP address can change if you restart the system, don't forget to update your hosts file.forget to update your hosts file. 7/17 PentesterLab.com » CVE-2008-1930
The issue Introduction This functionnality was used to remember users after they close their browser. A cookie "AUTH_COOKIE" (named wordpress_...) is created by the application and sent back to users. Only the application is able to generate this cookie since it's generated using the WordPress "secret key". The code The vulnerable function is wp_validate_auth_cookie included in the file wp- includes/pluggable.php (line 470 to 499). The full code of the function is below: 8/17 PentesterLab.com » CVE-2008-1930
function wp_validate_auth_cookie($cookie = '') { if ( empty($cookie) ) { if ( empty($_COOKIE[AUTH_COOKIE]) ) return false; $cookie = $_COOKIE[AUTH_COOKIE]; } list($username, $expiration, $hmac) = explode('|', $cookie); $expired = $expiration; // Allow a grace period for POST and AJAX requests if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) $expired += 3600; if ( $expired < time() ) return false; $key = wp_hash($username . $expiration); $hash = hash_hmac('md5', $username . $expiration, $key); if ( $hmac != $hash ) return false; $user = get_userdatabylogin($username); if ( ! $user ) return false; return $user->ID; 9/17 PentesterLab.com » CVE-2008-1930
} First the code retrieves the cookie AUTH_COOKIE if no cookie was provided during the function call. If no cookie was provided and the cookie AUTH_COOKIE is empty, the function returns false and the authentication fails. Once the cookie is retrieved, it gets split into 3 values: $username: the user name; $expiration: its expiration date; $hmac: the signature of the previous values to make sure it's a guenuine cookie. The following code performs this action, | (%7C) is used as a separator: list($username, $expiration, $hmac) = explode('|', $cookie); Then the code makes sure the $expired value (based on the value $expiration) is greater than the current time: if ( $expired < time() ) return false; The code ensures that the signature is correct: 10/17 PentesterLab.com » CVE-2008-1930
$key = wp_hash($username . $expiration); $hash = hash_hmac('md5', $username . $expiration, $key); if ( $hmac != $hash ) return false; The function wp_hash provide the encryption, it's based on Worpress SECRET_KEY and use $username and $expiration to generate an unique key. You can check this function's behaviour in the file wp-includes/pluggable.php starting line 1071. Once the hash is validated, the current user $user is retrieved using the value $username: $user = get_userdatabylogin($username); if ( ! $user ) return false; return $user->ID; If you look at the code quickly, everything seems perfect: the cookie expired at a given time; only the application can generate the key used to sign the cookie and this key is unique and not predictable; the cookie is signed based on a unique key and can't be tampered (theorically); 11/17 PentesterLab.com » CVE-2008-1930
The vulnerability The issue comes from this line: $hash = hash_hmac('md5', $username . $expiration, $key); It is possible to generate a collision between two chosen values. For example, the following values will give the same hash: `$username` `$expiration` `HASH($username.$expiration)` admin1 1353464343 1ba7d82099dd6119781b54ecf8b79259 admin 11353464343 1ba7d82099dd6119781b54ecf8b79259 We see that it's possible to get a collision between two hashes even if the usernames are different. The collision is interesting because it is possible to have a valid hash generated by the application for a user (admin1) and use it to pretend to be another user admin. The $expiration value will become even bigger for the user admin since we added the final 1 from admin1. 12/17 PentesterLab.com » CVE-2008-1930
Exploitation As we saw above, an attacker is able to get the application to generate a valid hash for a user admin1 and reuse this signature for the user admin. To exploit this vulnerability, you need to be able to create a user named admin1 for example (any users followed by an integer will actually work). This can be done using the registration page: http://vulnerable/wp-login.php?action=register. Here the source code of Wordpress has been modified toHere the source code of Wordpress has been modified to create users with the hardcoded password `pentesterlab`. In acreate users with the hardcoded password `pentesterlab`. In a traditional Wordpress, the attacker need to provide a validtraditional Wordpress, the attacker need to provide a valid email address and will set his own password.email address and will set his own password. If you create a user admin1 and log in with this user. You should receive a valid cookie: 13/17 PentesterLab.com » CVE-2008-1930
HTTP/1.1 200 OK [...] Set-Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_177e685d5ab0d655bdbe4896d7cdadf4=admin1%7C1353464343%7C1ba7 d82099dd6119781b54ecf8b79259 [...] Once you log in, you should see the traditional Worpdress page: Now that we have a valid cookie we can use this vulnerability to gain access to the admin account: Using the a valid cookie: admin1%7C1210158445%7C49718d2581bd399916b90a088a11ec84 We can generate a new valid cookie for the user admin: admin%7C11210158445%7C49718d2581bd399916b90a088a11ec84. If you're using Firefox, you can use the following extension to modify your cookies: Cookie manager +. After reloading the page, you should be able to see the "Admin version" of the website: 14/17 PentesterLab.com » CVE-2008-1930
15/17 PentesterLab.com » CVE-2008-1930
Patch The patch for this vulnerabilty was pretty simple, to avoid the vulnerability, Worpdress' developers just had to make sure that $username and $expiration were correctly separated. To do so they introduced the following change: $hash = hash_hmac('md5', $username . '|' . $expiration, $key); With this simple |, it not possible for an attacker to tamper the cookie and still get a valid signature since $expiration and/or $username are not simply concatenate to generate the signature. 16/17 PentesterLab.com » CVE-2008-1930
Conclusion This exercise explained how this vulnerability works and how it was possible to use it to gain access to Wordpress administration pages. To me this issue represents perfectly a common pattern in most interesting vulnerabilities: "The devil is in the detail". And that even a ridiculous small change can make a lot the difference between secure and vulnerable code. And since Code review is mostly a matter of “déjà vu”, you will have another thing to check for if you search for vulnerabilities. 17/17 PentesterLab.com » CVE-2008-1930

Recommended

Building @Anywhere (for TXJS)
Building @Anywhere (for TXJS)Building @Anywhere (for TXJS)
Building @Anywhere (for TXJS)danwrong
 
HTML5 Web Messaging
HTML5 Web MessagingHTML5 Web Messaging
HTML5 Web MessagingMike Taylor
 
Protect you site with Honeypots
Protect you site with HoneypotsProtect you site with Honeypots
Protect you site with Honeypots🏁 Pierre-Henry Soria 💡
 
Lecture8 php page control by okello erick
Lecture8 php page control by okello erickLecture8 php page control by okello erick
Lecture8 php page control by okello erickokelloerick
 
32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injectionAttaporn Ninsuwan
 
Php session
Php sessionPhp session
Php sessionargusacademy
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users inFrancois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebFrancois Marier
 

Recommended

Building @Anywhere (for TXJS)
Building @Anywhere (for TXJS)Building @Anywhere (for TXJS)
Building @Anywhere (for TXJS)danwrong
 
HTML5 Web Messaging
HTML5 Web MessagingHTML5 Web Messaging
HTML5 Web MessagingMike Taylor
 
Protect you site with Honeypots
Protect you site with HoneypotsProtect you site with Honeypots
Protect you site with Honeypots🏁 Pierre-Henry Soria 💡
 
Lecture8 php page control by okello erick
Lecture8 php page control by okello erickLecture8 php page control by okello erick
Lecture8 php page control by okello erickokelloerick
 
32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injectionAttaporn Ninsuwan
 
Php session
Php sessionPhp session
Php sessionargusacademy
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users inFrancois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebFrancois Marier
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessionsLena Petsenchuk
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessionsUdaAs PaNchi
 
An introduction to Vue.js
An introduction to Vue.jsAn introduction to Vue.js
An introduction to Vue.jsTO THE NEW Pvt. Ltd.
 
Session Management & Cookies In Php
Session Management & Cookies In PhpSession Management & Cookies In Php
Session Management & Cookies In PhpHarit Kothari
 
Windows power shell and active directory
Windows power shell and active directoryWindows power shell and active directory
Windows power shell and active directoryDan Morrill
 
Get started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partnerGet started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partnerDesignveloper
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
Meteor Day Talk
Meteor Day TalkMeteor Day Talk
Meteor Day TalkBrandon Bechtel
 
Create a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutesCreate a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutesDesignveloper
 
Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010Ismael Celis
 
Webpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San FranciscoWebpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San FranciscoRyan Weaver
 
JSON Rules Language
JSON Rules LanguageJSON Rules Language
JSON Rules Languagegiurca
 
Introduction to php web programming - sessions and cookies
Introduction to php web programming - sessions and cookiesIntroduction to php web programming - sessions and cookies
Introduction to php web programming - sessions and cookiesbaabtra.com - No. 1 supplier of quality freshers
 
Java script programms
Java script programmsJava script programms
Java script programmsMukund Gandrakota
 
How to build twitter bot using golang from scratch
How to build twitter bot using golang from scratchHow to build twitter bot using golang from scratch
How to build twitter bot using golang from scratchKaty Slemon
 
Simpan data- ke- database
Simpan data- ke- databaseSimpan data- ke- database
Simpan data- ke- databaseTri Sugihartono
 
WordPress plugin #2
WordPress plugin #2WordPress plugin #2
WordPress plugin #2giwoolee
 
Automating Windows Azure
Automating Windows AzureAutomating Windows Azure
Automating Windows AzureIdo Flatow
 
Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !Wim Godden
 
NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation FrameworkFrancis Alexander
 
White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.yalegko
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Arc & Codementor
 

More Related Content

What's hot

Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessionsUdaAs PaNchi
 
Session Management & Cookies In Php
Session Management & Cookies In PhpSession Management & Cookies In Php
Session Management & Cookies In PhpHarit Kothari
 
Windows power shell and active directory
Windows power shell and active directoryWindows power shell and active directory
Windows power shell and active directoryDan Morrill
 
Get started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partnerGet started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partnerDesignveloper
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
Create a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutesCreate a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutesDesignveloper
 
Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010Ismael Celis
 
Webpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San FranciscoWebpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San FranciscoRyan Weaver
 
JSON Rules Language
JSON Rules LanguageJSON Rules Language
JSON Rules Languagegiurca
 
How to build twitter bot using golang from scratch
How to build twitter bot using golang from scratchHow to build twitter bot using golang from scratch
How to build twitter bot using golang from scratchKaty Slemon
 
Simpan data- ke- database
Simpan data- ke- databaseSimpan data- ke- database
Simpan data- ke- databaseTri Sugihartono
 
WordPress plugin #2
WordPress plugin #2WordPress plugin #2
WordPress plugin #2giwoolee
 
Automating Windows Azure
Automating Windows AzureAutomating Windows Azure
Automating Windows AzureIdo Flatow
 
Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !Wim Godden
 

What's hot (19)

Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
An introduction to Vue.js
An introduction to Vue.jsAn introduction to Vue.js
An introduction to Vue.js
 
Session Management & Cookies In Php
Session Management & Cookies In PhpSession Management & Cookies In Php
Session Management & Cookies In Php
 
Windows power shell and active directory
Windows power shell and active directoryWindows power shell and active directory
Windows power shell and active directory
 
Get started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partnerGet started with meteor | designveloper software agency meteor prime partner
Get started with meteor | designveloper software agency meteor prime partner
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questions
 
Meteor Day Talk
Meteor Day TalkMeteor Day Talk
Meteor Day Talk
 
Create a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutesCreate a meteor chat app in 30 minutes
Create a meteor chat app in 30 minutes
 
Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010Websockets talk at Rubyconf Uruguay 2010
Websockets talk at Rubyconf Uruguay 2010
 
Webpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San FranciscoWebpack Encore Symfony Live 2017 San Francisco
Webpack Encore Symfony Live 2017 San Francisco
 
JSON Rules Language
JSON Rules LanguageJSON Rules Language
JSON Rules Language
 
Introduction to php web programming - sessions and cookies
Introduction to php web programming - sessions and cookiesIntroduction to php web programming - sessions and cookies
Introduction to php web programming - sessions and cookies
 
Java script programms
Java script programmsJava script programms
Java script programms
 
How to build twitter bot using golang from scratch
How to build twitter bot using golang from scratchHow to build twitter bot using golang from scratch
How to build twitter bot using golang from scratch
 
Simpan data- ke- database
Simpan data- ke- databaseSimpan data- ke- database
Simpan data- ke- database
 
WordPress plugin #2
WordPress plugin #2WordPress plugin #2
WordPress plugin #2
 
Automating Windows Azure
Automating Windows AzureAutomating Windows Azure
Automating Windows Azure
 
Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !Remove php calls and scale your site like crazy !
Remove php calls and scale your site like crazy !
 

Viewers also liked

NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation FrameworkFrancis Alexander
 
White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.yalegko
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Arc & Codementor
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON
 
Composer 從入門到實戰
Composer 從入門到實戰Composer 從入門到實戰
Composer 從入門到實戰Shengyou Fan
 
Visual Studio Code 快速上手指南
Visual Studio Code 快速上手指南Visual Studio Code 快速上手指南
Visual Studio Code 快速上手指南Shengyou Fan
 
Encrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandEncrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandAhmed Mekkawy
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 

Viewers also liked (10)

NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation Framework
 
White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
 
Redis Security
Redis SecurityRedis Security
Redis Security
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
 
Composer 從入門到實戰
Composer 從入門到實戰Composer 從入門到實戰
Composer 從入門到實戰
 
Visual Studio Code 快速上手指南
Visual Studio Code 快速上手指南Visual Studio Code 快速上手指南
Visual Studio Code 快速上手指南
 
Php security common 2011
Php security common 2011Php security common 2011
Php security common 2011
 
Encrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understandEncrypted Traffic in Egypt - an attempt to understand
Encrypted Traffic in Egypt - an attempt to understand
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 

Similar to String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script>

Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationMichele Orru'
 
Debugging - Figuring it out yourself (WordCamp Dublin 2019)
Debugging - Figuring it out yourself (WordCamp Dublin 2019)Debugging - Figuring it out yourself (WordCamp Dublin 2019)
Debugging - Figuring it out yourself (WordCamp Dublin 2019)Damien Carbery
 
case study1 web defacement answer.pdf
case study1 web defacement answer.pdfcase study1 web defacement answer.pdf
case study1 web defacement answer.pdfSetiya Nugroho
 
Crud tutorial en
Crud tutorial enCrud tutorial en
Crud tutorial enforkgrown
 
[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to Test[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to TestZsolt Fabok
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsMunir Njiru
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber SecurityChris Watts
 
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at MozillaDevDay.org
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Malware analysis
Malware analysisMalware analysis
Malware analysisDen Iir
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitPrivileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitVishal Kumar
 
Drupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsDrupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsAlessandro Pilotti
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxmydrynan
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday AnalysisIvanti
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank HackCaleb Sima
 

Similar to String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script> (20)

Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
 
Debugging - Figuring it out yourself (WordCamp Dublin 2019)
Debugging - Figuring it out yourself (WordCamp Dublin 2019)Debugging - Figuring it out yourself (WordCamp Dublin 2019)
Debugging - Figuring it out yourself (WordCamp Dublin 2019)
 
case study1 web defacement answer.pdf
case study1 web defacement answer.pdfcase study1 web defacement answer.pdf
case study1 web defacement answer.pdf
 
Crud tutorial en
Crud tutorial enCrud tutorial en
Crud tutorial en
 
[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to Test[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to Test
 
Devise and Rails
Devise and RailsDevise and Rails
Devise and Rails
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploits
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
 
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018
 
Pushing the Web: Interesting things to Know
Pushing the Web: Interesting things to KnowPushing the Web: Interesting things to Know
Pushing the Web: Interesting things to Know
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using MetasploitPrivileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
 
Drupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsDrupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on Windows
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
 
Detecting windows horizontal password blog
Detecting windows horizontal password blogDetecting windows horizontal password blog
Detecting windows horizontal password blog
 
Online Bank Hack
Online Bank HackOnline Bank Hack
Online Bank Hack
 
Sql full tutorial
Sql full tutorialSql full tutorial
Sql full tutorial
 
PHP 2
PHP 2PHP 2
PHP 2
 

Recently uploaded

Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...lizamodels9
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 

Recently uploaded (20)

Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 

String.fromCharCode(60)script>alert("XSS")String.fromCharCode(60)/script>

  • 1. CVE-2008-1930: WORDPRESS 2.5 COOKIE INTEGRITY PROTECTION VULNERABILITY By Louis Nyffenegger <Louis@PentesterLab.com>
  • 2. 2 4 5 5 5 6 8 8 8 12 13 16 17 Table of Content Table of Content Introduction About this exercise License Syntax of this course The web application The issue Introduction The code The vulnerability Exploitation Patch Conclusion 2/17 PentesterLab.com » CVE-2008-1930
  • 4. Introduction This course details the exploitation of an issue in the cookies integrity mechanism of Wordpress. This issue was found in 2008 and allowed an attacker to gain administrator access to a wordpress instance if user registration is enabled. This issue is a really good example of what can go wrong with cryptographic function and I thought it will do a really good exercise. 4/17 PentesterLab.com » CVE-2008-1930
  • 5. About this exercise License This exercise by PentesterLab is licensed under the Creative Commons Attribution- NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/. Syntax of this course 5/17 PentesterLab.com » CVE-2008-1930
  • 6. The red boxes provide information on mistakes/issues that are likely to happen while testing: An issue that you may encounter...An issue that you may encounter... The green boxes provide tips and information if you want to go further. You should probably check...You should probably check... The web application Once the system has booted, you can then retrieve the current IP address of the system using the command ifconfig: $ ifconfig eth0 eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56 inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0 inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:88 errors:0 dropped:0 overruns:0 frame:0 TX packets:77 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:10300 (10.0 KiB) TX bytes:10243 (10.0 KiB) Interrupt:11 Base address:0x8000 In this example the IP address is 10.0.2.15. 6/17 PentesterLab.com » CVE-2008-1930
  • 7. Throughout the training, the hostname vulnerable is used for the vulnerable machine, you can either replace it by the IP address of the machine, or you can just add an entry to your host file with this name and the corresponding IP address. It can be easily done by modifying: on Windows, your C:WindowsSystem32Driversetchosts file; on Unix/Linux and Mac OS X, your /etc/hosts file. The IP address can change if you restart the system, don'tThe IP address can change if you restart the system, don't forget to update your hosts file.forget to update your hosts file. 7/17 PentesterLab.com » CVE-2008-1930
  • 8. The issue Introduction This functionnality was used to remember users after they close their browser. A cookie "AUTH_COOKIE" (named wordpress_...) is created by the application and sent back to users. Only the application is able to generate this cookie since it's generated using the WordPress "secret key". The code The vulnerable function is wp_validate_auth_cookie included in the file wp- includes/pluggable.php (line 470 to 499). The full code of the function is below: 8/17 PentesterLab.com » CVE-2008-1930
  • 9. function wp_validate_auth_cookie($cookie = '') { if ( empty($cookie) ) { if ( empty($_COOKIE[AUTH_COOKIE]) ) return false; $cookie = $_COOKIE[AUTH_COOKIE]; } list($username, $expiration, $hmac) = explode('|', $cookie); $expired = $expiration; // Allow a grace period for POST and AJAX requests if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) $expired += 3600; if ( $expired < time() ) return false; $key = wp_hash($username . $expiration); $hash = hash_hmac('md5', $username . $expiration, $key); if ( $hmac != $hash ) return false; $user = get_userdatabylogin($username); if ( ! $user ) return false; return $user->ID; 9/17 PentesterLab.com » CVE-2008-1930
  • 10. } First the code retrieves the cookie AUTH_COOKIE if no cookie was provided during the function call. If no cookie was provided and the cookie AUTH_COOKIE is empty, the function returns false and the authentication fails. Once the cookie is retrieved, it gets split into 3 values: $username: the user name; $expiration: its expiration date; $hmac: the signature of the previous values to make sure it's a guenuine cookie. The following code performs this action, | (%7C) is used as a separator: list($username, $expiration, $hmac) = explode('|', $cookie); Then the code makes sure the $expired value (based on the value $expiration) is greater than the current time: if ( $expired < time() ) return false; The code ensures that the signature is correct: 10/17 PentesterLab.com » CVE-2008-1930
  • 11. $key = wp_hash($username . $expiration); $hash = hash_hmac('md5', $username . $expiration, $key); if ( $hmac != $hash ) return false; The function wp_hash provide the encryption, it's based on Worpress SECRET_KEY and use $username and $expiration to generate an unique key. You can check this function's behaviour in the file wp-includes/pluggable.php starting line 1071. Once the hash is validated, the current user $user is retrieved using the value $username: $user = get_userdatabylogin($username); if ( ! $user ) return false; return $user->ID; If you look at the code quickly, everything seems perfect: the cookie expired at a given time; only the application can generate the key used to sign the cookie and this key is unique and not predictable; the cookie is signed based on a unique key and can't be tampered (theorically); 11/17 PentesterLab.com » CVE-2008-1930
  • 12. The vulnerability The issue comes from this line: $hash = hash_hmac('md5', $username . $expiration, $key); It is possible to generate a collision between two chosen values. For example, the following values will give the same hash: `$username` `$expiration` `HASH($username.$expiration)` admin1 1353464343 1ba7d82099dd6119781b54ecf8b79259 admin 11353464343 1ba7d82099dd6119781b54ecf8b79259 We see that it's possible to get a collision between two hashes even if the usernames are different. The collision is interesting because it is possible to have a valid hash generated by the application for a user (admin1) and use it to pretend to be another user admin. The $expiration value will become even bigger for the user admin since we added the final 1 from admin1. 12/17 PentesterLab.com » CVE-2008-1930
  • 13. Exploitation As we saw above, an attacker is able to get the application to generate a valid hash for a user admin1 and reuse this signature for the user admin. To exploit this vulnerability, you need to be able to create a user named admin1 for example (any users followed by an integer will actually work). This can be done using the registration page: http://vulnerable/wp-login.php?action=register. Here the source code of Wordpress has been modified toHere the source code of Wordpress has been modified to create users with the hardcoded password `pentesterlab`. In acreate users with the hardcoded password `pentesterlab`. In a traditional Wordpress, the attacker need to provide a validtraditional Wordpress, the attacker need to provide a valid email address and will set his own password.email address and will set his own password. If you create a user admin1 and log in with this user. You should receive a valid cookie: 13/17 PentesterLab.com » CVE-2008-1930
  • 14. HTTP/1.1 200 OK [...] Set-Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_177e685d5ab0d655bdbe4896d7cdadf4=admin1%7C1353464343%7C1ba7 d82099dd6119781b54ecf8b79259 [...] Once you log in, you should see the traditional Worpdress page: Now that we have a valid cookie we can use this vulnerability to gain access to the admin account: Using the a valid cookie: admin1%7C1210158445%7C49718d2581bd399916b90a088a11ec84 We can generate a new valid cookie for the user admin: admin%7C11210158445%7C49718d2581bd399916b90a088a11ec84. If you're using Firefox, you can use the following extension to modify your cookies: Cookie manager +. After reloading the page, you should be able to see the "Admin version" of the website: 14/17 PentesterLab.com » CVE-2008-1930
  • 16. Patch The patch for this vulnerabilty was pretty simple, to avoid the vulnerability, Worpdress' developers just had to make sure that $username and $expiration were correctly separated. To do so they introduced the following change: $hash = hash_hmac('md5', $username . '|' . $expiration, $key); With this simple |, it not possible for an attacker to tamper the cookie and still get a valid signature since $expiration and/or $username are not simply concatenate to generate the signature. 16/17 PentesterLab.com » CVE-2008-1930
  • 17. Conclusion This exercise explained how this vulnerability works and how it was possible to use it to gain access to Wordpress administration pages. To me this issue represents perfectly a common pattern in most interesting vulnerabilities: "The devil is in the detail". And that even a ridiculous small change can make a lot the difference between secure and vulnerable code. And since Code review is mostly a matter of “déjà vu”, you will have another thing to check for if you search for vulnerabilities. 17/17 PentesterLab.com » CVE-2008-1930