Access Denied

Paul Gilzow
Paul GilzowProgrammer/Analyst-Expert at University of Missouri
ACCESS DENIEDKEEPING YOURSELF OFF AN ATTACKER’S RADAR Paul Gilzow
 gilzow@missouri.edu
 Twitter: @gilzow
 Facebook: https://fb.com/gilzow
 https://www.linkedin.com/in/gilzow
TL;DSWTGMC SUMMARY ▸Implicitly Deny ▸Defense-in-Depth (Too Long; Didn’t Stay, Went to Get More Coffee)
WHY DO ATTACKERS TARGET YOU ▸Your site resources ▸Your domain ▸Your SEO reputation ▸Your visitors
WHY WORDPRESS IS AN ATTRACTIVE TARGET ▸ Market share ▸ Open Source ▸ Extremely easy to set up and get running, not so easy to secure ▸ Anyone can create and submit a theme/ plugin
“WHAT MAKES WORDPRESS SO INSECURE IS THAT IT'S HIGHLY EXTENSIBLE AND EASY TO USE; WORDPRESS SECURITY ISSUES REVOLVE ALMOST ENTIRELY AROUND THIS EXTENSIBILITY AND EASYNESS OF USE.” Tony Perez, @perezbox
CURRENT STATE OF WORDPRESS SECURITY ▸Most compromises occur through ▸vulnerable plugins and themes ▸Weak passwords ▸Wordpress out-of-date
AS AN OWNER/MAINTAINER OF A 
 WORDPRESS SITE, IT IS YOUR 
 RESPONSIBILITY TO BE PARANOID
SO WHAT DO WE DO?
DEFENSE-IN-DEPTH
WPSCAN ▸ Robots.txt ▸ Interesting headers ▸ Multisite ▸ Must-use plugins ▸ Xml-rpc ▸ Wordpress version ▸ Plugins/themes Passive (non-intrusive) Scan
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
WPSCAN Active scan ▸ Scans for signs of vulnerable plugins ▸ Scans for signs of vulnerable themes ▸ Scans for signs of timthumb ▸ Attempts to enumerate user account names
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent php execution in /wp-content/uploads/
Access Denied
COUNTER MEASURES ▸ Prevent php execution in /wp-content/uploads/ ▸ Protect wp-content completely ▸ Not only prevent php execution, but ▸ Implicit deny (only allow what is necessary and expected)
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Protect wp-content ▸ Prevent php execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes
Access Denied
COUNTER MEASURES ▸ Protect wp-content ▸ Prevent php execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes ▸ Protect wp-admin
Access Denied
64.85.59.68 —> 64.85.0.0/16
Access Denied
Access Denied
COUNTER MEASURES ▸ Protect wp-content ▸ Prevent php execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes ▸ Protect wp-admin ▸ Protect the root
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent ?author= redirection Account enumeration
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent ?author= redirection ▸ Disable account name as author permalink Account enumeration
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes Account enumeration
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes Account enumeration ▸ Remove user “slug” property from users endpoint in 
 REST API
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
Access Denied
COUNTER MEASURES ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes ▸ Remove users endpoint from REST API Account enumeration ▸ Remove default login failure error messages
Access Denied
Access Denied
SUMMARY ▸ Be paranoid; be skeptical ▸ Uninstall plugins/themes that aren’t in use ▸ Disable php from executing where it shouldn’t ▸ Limit access to everything where you can
SUMMARY CONT. ▸Implicitly deny ▸Defense-in-depth In other words…
“[SECURITY IS A] CONTINUOUSLY MOVING TARGET… THAT REQUIRES CONSTANT VIGILANCE TO UNDERSTAND AND APPRECIATE.” Tony Perez, @perezbox
WHAT QUESTIONS DO YOU HAVE FOR ME?
CONTACT ▸ Contact ▸ gilzow@missouri.edu ▸ @gilzow on twitter ▸ gilzow on wordpress.org ▸ Files: https://github.com/gilzow/access-denied/, wckc2017 branch
1 of 70

Access Denied

Download to read offline
Technology

Keeping yourself off an attacker's radar. After performing the basic WordPress hardening steps, what next? In this talk we look at black box scanning tools to discover what data our sites are leaking, and steps to stops those leaks.

Paul Gilzow
Paul GilzowProgrammer/Analyst-Expert at University of Missouri

Recommended

Website Security AMA: Best Practices Website Security AMA: Best Practices
Website Security AMA: Best Practices Adam W. Warner
1.2K views24 slides
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
797 views29 slides
WordPress Security - Learning From HacksWordPress Security - Learning From Hacks
WordPress Security - Learning From HacksTony Perez
3.5K views37 slides
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITEAcodez IT Solutions
48 views6 slides
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
4.3K views103 slides
How We Hacked LinkedIn and What Happened Next | JFall 2016How We Hacked LinkedIn and What Happened Next | JFall 2016
How We Hacked LinkedIn and What Happened Next | JFall 2016Ruben van Vreeland
429 views67 slides

More Related Content

What's hot

What's hot(20)

WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of Security
Tony Perez1.5K views
Secure wordpress siteSecure wordpress site
Secure wordpress site
firojkhansahu49 views
WordPress Security Begins With Good PostureWordPress Security Begins With Good Posture
WordPress Security Begins With Good Posture
Tony Perez2.3K views
SEO Sanity During a RedesignSEO Sanity During a Redesign
SEO Sanity During a Redesign
Mike Gracen452 views
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
ajitdhumale236 views
Steps to Keep Your Site CleanSteps to Keep Your Site Clean
Steps to Keep Your Site Clean
Sucuri 536 views
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference2.4K views
How to get recover from a hacked websiteHow to get recover from a hacked website
How to get recover from a hacked website
mounika k353 views
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir Goldshlager31K views
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri 2.6K views
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
Tony Perez1.1K views
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri 2.4K views
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?
Sucuri 700 views
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
Shubham Gupta1.8K views
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP10.5K views
Locking Down Your WordPress SiteLocking Down Your WordPress Site
Locking Down Your WordPress Site
Frank Corso221 views
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
Chelsea O'Brien455 views
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri 1.5K views
The 7 Deadly Sins of WordPress SecurityThe 7 Deadly Sins of WordPress Security
The 7 Deadly Sins of WordPress Security
Joseph Herbrandson6.8K views
From delivering plugins to delivering "as a Service" - Atlassian connect 2017From delivering plugins to delivering "as a Service" - Atlassian connect 2017
From delivering plugins to delivering "as a Service" - Atlassian connect 2017
Quentin Adam430 views

Similar to Access Denied

Similar to Access Denied(20)

WordPress SecurityWordPress Security
WordPress Security
Jennifer Riehle McFarland535 views
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React Apps
Zachary Klein398 views
RVASec AWS Survival Guide 2.0RVASec AWS Survival Guide 2.0
RVASec AWS Survival Guide 2.0
Ken Johnson544 views
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
Chris Burgess3.2K views
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals
Christopher Caplan183 views
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
Priyanka Aash1.2K views
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
Thor Kristiansen2K views
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
Seravo5.2K views
WebHack #13 Web authentication essentialsWebHack #13 Web authentication essentials
WebHack #13 Web authentication essentials
昉达 王236 views
Secure Wordpress - 2016[17May - Mashhad]Secure Wordpress - 2016[17May - Mashhad]
Secure Wordpress - 2016[17May - Mashhad]
HaMiD Fadaei650 views
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen477 views
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
Otto Kekäläinen1.6K views
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham3K views
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
Mohammed A. Imran20.2K views
Hardening WordPress - Friends of Search 2014 (WordPress Security)Hardening WordPress - Friends of Search 2014 (WordPress Security)
Hardening WordPress - Friends of Search 2014 (WordPress Security)
Bastian Grimm13.5K views
Basic Plugin Recommendations to get your WordPress Website StartedBasic Plugin Recommendations to get your WordPress Website Started
Basic Plugin Recommendations to get your WordPress Website Started
Nile Flores2.5K views
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com7.7K views
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
Primary Image Ltd2.9K views
Locking down word pressLocking down word press
Locking down word press
Zachary Russell885 views
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
Chris Watts115 views

Recently uploaded

Recently uploaded(20)

TE Connectivity: Card Edge InterconnectsTE Connectivity: Card Edge Interconnects
TE Connectivity: Card Edge Interconnects
CXL Forum93 views
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi77 views
MemVerge: Past Present and Future of CXLMemVerge: Past Present and Future of CXL
MemVerge: Past Present and Future of CXL
CXL Forum105 views
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
Fwdays35 views
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman152 views
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray1042 views
PyCon ID 2023 - Ridwan Fadjar Septian.pdfPyCon ID 2023 - Ridwan Fadjar Septian.pdf
PyCon ID 2023 - Ridwan Fadjar Septian.pdf
Ridwan Fadjar163 views
.conf Go 2023 - SIEM project @ SNF.conf Go 2023 - SIEM project @ SNF
.conf Go 2023 - SIEM project @ SNF
Splunk163 views
Microchip: CXL Use Cases and Enabling EcosystemMicrochip: CXL Use Cases and Enabling Ecosystem
Microchip: CXL Use Cases and Enabling Ecosystem
CXL Forum107 views
ThroughputThroughput
Throughput
Moisés Armani Ramírez28 views
Samsung: CMM-H Tiered Memory Solution with Built-in DRAMSamsung: CMM-H Tiered Memory Solution with Built-in DRAM
Samsung: CMM-H Tiered Memory Solution with Built-in DRAM
CXL Forum96 views
Level-up Your Cloud Visibility Into AWS With ThousandEyesLevel-up Your Cloud Visibility Into AWS With ThousandEyes
Level-up Your Cloud Visibility Into AWS With ThousandEyes
ThousandEyes74 views
JCon Live 2023 - Lice coding some integration problemsJCon Live 2023 - Lice coding some integration problems
JCon Live 2023 - Lice coding some integration problems
Bernd Ruecker61 views
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman20 views
"How we switched to Kanban and how it integrates with product planning", Vady..."How we switched to Kanban and how it integrates with product planning", Vady...
"How we switched to Kanban and how it integrates with product planning", Vady...
Fwdays59 views
Green Leaf Consulting: Capabilities DeckGreen Leaf Consulting: Capabilities Deck
Green Leaf Consulting: Capabilities Deck
GreenLeafConsulting170 views
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk75 views
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...
Webinar : Competing for tomorrow’s leaders – How MENA insurers can win the wa...
The Digital Insurer24 views
Astera Labs: Intelligent Connectivity for Cloud and AI InfrastructureAstera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
Astera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
CXL Forum118 views
AMD: 4th Generation EPYC CXL DemoAMD: 4th Generation EPYC CXL Demo
AMD: 4th Generation EPYC CXL Demo
CXL Forum117 views

Access Denied