Wordpress security

The topic of PHP Meetup 011, held on Saturday, was WordPress. We gave a joint presentation with Doruk Fişek: I covered the WordPress security side and he covered the WordPress server security side. You can reach my presentation through the SlideShare link below.

  1. WordPress Security. Mehmet Ince, Istanbul PHP Meetup #011
  2. Who Am I: Ince, Mehmet Dursun. Senior Penetration Tester @ PRODAFT / INVICTUS. Ordinarily: ● Hack the app. ● Make it secure. ● Hack it again. Blogger: https://www.mehmetince.net
  3. This talk is all about SECURITY
  4. Security engineers say security is ● COMPLICATED ● HARD ● PAINFUL ● ENDLESS ● ...
  5. Devs say security is ● XSS, HUH?! IT'S NOTHING ● MY CODE IS FLAWLESS ● YOU ARE USELESS. ● FCUK YOU, Pentester. ● THE BEST PROGRAMMING LANGUAGE IS BLABLA...
  6. The truth is ● Neither "PHP is the most secure programming language" nor "PHP is the most vulnerable language" is TRUE! ● Programming languages are innocent. The problem is YOU!
  7. Getting started with "WordPress security" basics.
  8. Run applications with least privilege ● Do NOT run your application as root. HHVM and MySQL processes, for example, should run as different users (supervisord can start each one under its own account). ● chmod 777 is not the solution to an HTTP 403 error; it creates bigger problems. ● chown apache:apache -R www/ is not a "correct" fix for HTTP 403 either. It causes a MUCH bigger problem: once the web server account owns every file, any code-execution bug lets the attacker rewrite the application itself.
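As an added example (not from the slides), the following Python script audits a document root for the two mistakes the slide warns about: world-writable paths left behind by chmod 777, and code files that the web server account can modify after a blanket chown -R. The sample tree, the file names and the handling of the web server uid/gid are constructed for the demo.

```python
import os
import stat
import tempfile

# Extensions the web server executes as code. Any such file that the PHP/HHVM
# worker can write to is a persistence path for an attacker who gets RCE.
CODE_EXTENSIONS = (".php", ".phtml", ".php5", ".phar", ".inc")


def audit_webroot(root, web_uid, web_gid):
    """Walk a document root and return (path, reason) pairs for the two
    permission mistakes on the slide: chmod 777 residue, and code files the
    web server account (php-fpm, HHVM, apache) is allowed to modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks need their own check; skipped here
            mode = st.st_mode
            world_writable = bool(mode & stat.S_IWOTH)
            if world_writable:
                findings.append((path, "world-writable (chmod 777 residue)"))
            if stat.S_ISDIR(mode):
                continue
            if os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                continue  # uploads may be writable, but they must not be code
            web_can_write = (
                world_writable
                or (st.st_uid == web_uid and bool(mode & stat.S_IWUSR))
                or (st.st_gid == web_gid and bool(mode & stat.S_IWGRP))
            )
            if web_can_write:
                findings.append((path, "code file writable by web server user"))
    return findings


def build_demo_tree():
    """Create a throwaway WordPress-like tree (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    sample = {
        "index.php": 0o644,
        "wp-config.php": 0o666,                  # the "just make it work" chmod
        "wp-content/uploads/img.png": 0o664,     # writable upload, harmless
        "wp-content/uploads/shell.php": 0o664,   # code inside a writable upload dir
    }
    for rel, mode in sample.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("<?php // sample\n" if rel.endswith(".php") else "png\n")
        os.chmod(full, mode)
    return root


def demo_findings(web_server_owns_files):
    """Audit the sample tree. The files are owned by the current user; with
    web_server_owns_files=True that user is treated as the web server account,
    i.e. the state after `chown apache:apache -R www/`."""
    root = build_demo_tree()
    uid, gid = os.getuid(), os.getgid()
    if not web_server_owns_files:
        uid, gid = uid + 1, gid + 1   # some other account, as it should be
    return {(os.path.relpath(p, root), r) for p, r in audit_webroot(root, uid, gid)}


if __name__ == "__main__":
    for owns in (True, False):
        print("web server owns the files:" if owns else "separate deploy user:")
        for path, reason in sorted(demo_findings(owns)):
            print(f"  {reason}: {path}")
```

On a real host, run audit_webroot as root against the document root with the uid and gid of the php-fpm or HHVM worker (from `id www-data`, for example). The intended state is a separate deploy user owning the code, with the web server account able to write only to wp-content/uploads, where PHP execution should be switched off in the web server configuration.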
  9. Database security ● Keep each application in its own database, each managed by its own database user. ● Disable remote access; use SSH tunneling instead. ● Disable LOAD_FILE() and similar (do not grant the FILE privilege). ● Remove anonymous users. ● If the database is on a separate server, enable MySQL SSL. ● https://www.mehmetince.net/mysql-veri-tabani-guvenligi-checklist/
  10. Be a "Lone Wolf" ● It's 2015! ○ Stop using shared hosting. ○ Stop using cPanel. ○ Stop using WHMCS. ● A basic SSD Linux server costs about $5/month, e.g. DigitalOcean, Vultr, ...
  11. DDoS ● L3 DDoS. ● L7 DDoS. ● Varnish?! ● Memcache?!
  12. wp-admin ~ wp-config ● 2-step authentication: https://wordpress.org/plugins/authy-two-factor-authentication/ ● Captcha: https://wordpress.org/plugins/no-captcha-recaptcha/ ● Basic auth on wp-admin might break some WP functionality, such as the AJAX handler at wp-admin/admin-ajax.php ● define( 'DISALLOW_FILE_EDIT', true ); (removes the theme and plugin code editor from the admin panel) ● define( 'FS_METHOD', 'direct' );
  13. Brute-force via XML-RPC ● /xmlrpc.php ● Hundreds or thousands of username & password pairs can be tried within ONE HTTP request through the system.multicall method of XML-RPC. ● Disable access to xmlrpc.php. If you need to keep it, disable system.multicall, system.listMethods and system.getCapabilities.
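To make the multicall point concrete, here is an added Python example (not from the slides and not WordPress code) that builds the attacker's request body with the standard library's xmlrpc.client and then inspects such a body the way a reverse-proxy or WAF rule in front of xmlrpc.php would. The method names system.multicall and wp.getUsersBlogs are WordPress's real ones; the credentials and password list are constructed for the demo.

```python
import xmlrpc.client as xc

# The methods the slide says to switch off when xmlrpc.php must stay reachable.
BLOCKED_METHODS = {"system.multicall", "system.listMethods", "system.getCapabilities"}
LOGIN_METHOD = "wp.getUsersBlogs"   # cheapest authenticated WordPress method


def build_multicall_bruteforce(username, passwords):
    """The attacker side: one system.multicall body carrying one login attempt
    per candidate password. WordPress answers every attempt in one response."""
    calls = [
        {"methodName": LOGIN_METHOD, "params": [username, password]}
        for password in passwords
    ]
    # system.multicall takes exactly one parameter: the array of call structs.
    return xc.dumps((calls,), methodname="system.multicall")


def build_single_login(username, password):
    """A normal, single wp.getUsersBlogs call, for comparison."""
    return xc.dumps((username, password), methodname=LOGIN_METHOD)


def inspect_xmlrpc_request(body):
    """The defender side: parse the body before it reaches WordPress and decide
    whether to pass it on. Returns (allowed, reason, login_attempts)."""
    try:
        params, method = xc.loads(body)
    except Exception as exc:   # malformed XML, unsupported types, etc.
        return False, f"unparseable XML-RPC body: {exc}", 0
    if method in BLOCKED_METHODS:
        attempts = 0
        if method == "system.multicall" and params and isinstance(params[0], list):
            attempts = sum(
                1 for call in params[0]
                if isinstance(call, dict) and call.get("methodName") == LOGIN_METHOD
            )
        return False, f"blocked method {method}", attempts
    return True, f"allowed method {method}", 1 if method == LOGIN_METHOD else 0


if __name__ == "__main__":
    body = build_multicall_bruteforce("admin", ["admin", "password", "123456", "letmein"])
    print(body[:160], "...")
    print(inspect_xmlrpc_request(body))
    print(inspect_xmlrpc_request(build_single_login("admin", "password")))
```

The point of counting the nested calls is that a rate limit on HTTP requests never sees the brute force: four candidate passwords above arrive as a single request, and the number is bounded only by the POST body size. If the endpoint is not needed at all, the simplest fix is to deny /xmlrpc.php at the web server (for nginx, `location = /xmlrpc.php { deny all; }`).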
  14. HTTPS, HTTPS, HTTPS... (the whole slide repeats the word HTTPS)
  15. WAF ● A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By customizing the rules to your application, many attacks can be identified and blocked.
  16. WordPress 4.2.3 SQL Injection. Commit 70128fe7605cb963a46815cf91b0a5934f70eff5, dated 4 August 2015.
  17. 23.02.2014: WP < 4.1.2 stored XSS (critical) vulnerability found by a researcher. 31.03.2014: Issue acknowledged by the WordPress team. 07.04.2014: Initial patch received from the WP team. ... FUUUUUUU... 21.04.2015: Finally, the WP team released the patch.
  18. WTF ● The exploit does NOT require a logged-in user; anyone can trigger the vulnerability! ● And stored XSS means that anyone who visits the infected article gets HACKED! ● Yet the WordPress team patched the issue after 14 months!
  19. DEMO
  20. Themes. "Nothing is free in this world." If you are using a free theme, I'm sorry, but YOU GOT PWNED.
  21. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● Identified by Fox-IT in May 2014. ● A Fox-IT researcher found the following HTTP request generated by a customer's server: [08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1" … and an unexpected journey began.
  22. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● There is no User-Agent. ● There is no Referer. ● An HTTP POST request to a .biz domain. ● And the POST data contains encrypted information! ● On further inspection, they found that the only action that occurred before the HTTP POST request was the site administrator installing a plug-in on a Joomla instance.
  23. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● The last installed plug-in was JSecure. ● The JSecure ZIP file contained the following (file listing shown on the slide).
  24. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● All files seem normal, other than jsecure.php. It was updated on March 26!
  25. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● The jsecure.php code was innocent as well, except for the last line.
  26. CryptoPHP ~ Most Sophisticated CMS Backdoor Case
      mince@rootlab admin $ file images/social.png
      images/social.png: PHP script, ASCII text, with very long lines
  27. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● Obfuscated PHP code (shown on the slide).
  28. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● CMS detection (shown on the slide).
  29. CryptoPHP ~ Most Sophisticated CMS Backdoor Case (screenshot only)
  30. CryptoPHP ~ Most Sophisticated CMS Backdoor Case ● One backdoor to rule them all (WordPress, Drupal, Joomla). ● Public-key encryption between the backdoor and its command & control servers. ● Ability to update itself. ● Method hooking. ● ... Details: https://www.mehmetince.net/cryptophp-backdoor-analizi-ve-tespiti/
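The two observations that unravelled the case on slides 21 to 26 (a POST with no User-Agent and no Referer, and an "image" that `file` reports as a PHP script) both turn into cheap checks. The following Python is an added example, not Fox-IT's tooling or anything from the slides: it scans a plugin tree for image files containing PHP and for PHP source that includes an image path, and it pulls no-Referer, no-User-Agent POSTs out of combined-format log lines. The plugin files and log lines are constructed for the demo, and the exact form of the "last line" (an include of images/social.png) is an assumption about what the slide shows.

```python
import os
import re
import tempfile

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".ico")
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=", re.I)
# include/require of a path that is not PHP source, e.g. include('images/social.png')
INCLUDE_NON_PHP = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif|ico|txt|dat))['\"]",
    re.I,
)
# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
COMBINED_LOG = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# Constructed sample log lines (not the customer's real log). The first mirrors
# the shape of the request on the slide: a POST, no Referer, no User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1" 200 743 "-" "-"',
    '10.0.0.5 - - [08/May/2014:12:44:12 +0100] "GET http://cdn.example.org/jquery.js HTTP/1.1" 200 9021 "http://intranet.example.org/" "Mozilla/5.0"',
    '10.0.0.7 - - [08/May/2014:12:45:01 +0100] "POST http://intranet.example.org/login HTTP/1.1" 302 0 "http://intranet.example.org/" "Mozilla/5.0"',
]


def scan_tree(root):
    """Return (path, reason) for the two CryptoPHP tells: an 'image' that is
    really a PHP script, and PHP source that includes such a file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)   # the first MiB is enough to spot a tag
            if ext in IMAGE_EXTENSIONS and PHP_OPEN_TAG.search(head):
                findings.append((path, "PHP code inside an image file"))
            elif ext == ".php":
                for m in INCLUDE_NON_PHP.finditer(head):
                    target = m.group(1).decode("utf-8", "replace")
                    findings.append((path, "includes non-PHP file " + target))
    return findings


def find_beacons(log_lines):
    """Return (timestamp, target) for POSTs sent with neither Referer nor
    User-Agent, the shape of the call-home that started the investigation."""
    hits = []
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        _, ts, method, target, _, referer, ua = m.groups()
        if method == "POST" and referer == "-" and ua == "-":
            hits.append((ts, target))
    return hits


def build_demo_plugin():
    """Constructed JSecure-like plugin tree (sample data, not the real plugin)."""
    root = tempfile.mkdtemp(prefix="jsecure-")
    os.makedirs(os.path.join(root, "images"))
    files = {
        "jsecure.php": b"<?php\n// ordinary plugin logic here\n?>\n<?php include('images/social.png'); ?>\n",
        "images/social.png": b"<?php /* obfuscated loader would be here */ $x = 'constructed';\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # a genuine PNG header
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo_scan():
    """Scan the constructed tree and return {(relative path, reason)}."""
    root = build_demo_plugin()
    return {(os.path.relpath(p, root), r) for p, r in scan_tree(root)}


if __name__ == "__main__":
    for rel, reason in sorted(demo_scan()):
        print(f"{reason}: {rel}")
    for ts, target in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate at {ts}: POST {target}")
```

The file scan is the same check as `file images/social.png` on slide 26, run over every image in the tree, plus the reverse question: which PHP file pulls such a "image" in. The log check only works on a log that records outbound requests (a proxy or egress gateway); a plain web server access log will not show the call-home at all, which is why the slide's customer only noticed it at the network edge.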
  31. Thank you. @mdisec, https://www.mehmetince.net