SlideShare a Scribd company logo
1 of 22
https://lynt.cz + https://smitka.me @smitka
Vláďa Smitka
vladimir.smitka@lynt.cz
@smitka
Lynt services s.r.o.
22.06.2019 1
WordPress through bad
guys' glasses
https://lynt.cz + https://smitka.me @smitka22.06.2019 2
No security HTTP Headers!
https://lynt.cz + https://smitka.me @smitka22.06.2019 3
https://lynt.cz + https://smitka.me @smitka22.06.2019 4
/home/XYZ/public_html/
/var/www/clients/clientX/webY /var/www/vhosts/XYZ/httpdocs/
https://lynt.cz + https://smitka.me @smitka22.06.2019 5
https://lynt.cz + https://smitka.me @smitka22.06.2019 6
https://lynt.cz + https://smitka.me @smitka22.06.2019 7
MD5 of e-mail
Password stuffing
https://leakprobe.net/
https://spycloud.com
Phishing
https://lynt.cz + https://smitka.me @smitka22.06.2019 8
2FA, Password manager
Shortlink: ohno.fun
https://lynt.cz + https://smitka.me @smitka22.06.2019 9
https://lynt.cz + https://smitka.me @smitka22.06.2019 10
More than 45k comments
with e-mails
http://wordpressexpose.chrisgherbert.com/
https://lynt.cz + https://smitka.me @smitka
What to do with thousands of e-mails?
Sell them on the BlackMarket!
22.06.2019 11
Comodity Common BlackMarket price
WordPress account 1$
Facebook account 3-6$
E-mail account 1-4$
NetFlix account 6-8$
Booking/AirBnB account 3-6$
Tested credit card 10% of limit
Credit/Debet - numbers only 5-40$
PayPal account 250$
100k national e-mail adressess 3$
100k european e-mail addresses 1$
Quality scan ID/drivers license scan 20$
Photo of ID/drivers license (1 side) 0,5$
https://lynt.cz + https://smitka.me @smitka
Developers ❤️ git
• Developers hate configuring servers
• Unrestricted .git folder => source files
reconstruction => wp-config.php
• /.git/logs/HEAD => developer‘s e-mail
• Fun fact: VCS disables WP autoupdates
22.06.2019 12
https://lynt.cz + https://smitka.me @smitka22.06.2019 13
https://lynt.cz + https://smitka.me @smitka
Another config issues
• Directory listings
22.06.2019 14
https://lynt.cz + https://smitka.me @smitka
Forgotten DB endpoints
• Old PHPmyAdmin/Adminer => External
MySQL server => LOAD DATA LOCAL INFILE =>
access to any file => wp-config.php
22.06.2019 15
https://lynt.cz + https://smitka.me @smitka
Let‘s make it a little bit personal
22.06.2019 16
https://lynt.cz + https://smitka.me @smitka
22.06.2019 17
Julia‘s e-mail
Leaked passwords
Julia‘s personal blog about her cat
https://lynt.cz + https://smitka.me @smitka
EXIF metadata
22.06.2019 18
https://lynt.cz + https://smitka.me @smitka22.06.2019 19
https://lynt.cz + https://smitka.me @smitka22.06.2019 20
https://lynt.cz + https://smitka.me @smitka22.06.2019 21
https://lynt.cz + https://smitka.me @smitka
Thank you!
Be careful what you share on the internet!
Q&A: https://smitka.me
22.06.2019 22

More Related Content

More from Vladimír Smitka

Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovVladimír Smitka
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný webVladimír Smitka
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnostiVladimír Smitka
 
Nejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webůNejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webůVladimír Smitka
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3Vladimír Smitka
 
WP výkon a jeho profilování
WP výkon a jeho profilováníWP výkon a jeho profilování
WP výkon a jeho profilováníVladimír Smitka
 
WordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPressWordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPressVladimír Smitka
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuningVladimír Smitka
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyVladimír Smitka
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Vladimír Smitka
 
České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)Vladimír Smitka
 
Wordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceWordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceVladimír Smitka
 

More from Vladimír Smitka (20)

Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webov
 
Http/2 vs Image Sprites
Http/2 vs Image SpritesHttp/2 vs Image Sprites
Http/2 vs Image Sprites
 
Ansible
AnsibleAnsible
Ansible
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný web
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnosti
 
Nejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webůNejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webů
 
Wordfence 2016
Wordfence 2016Wordfence 2016
Wordfence 2016
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3
 
Instalace WordPress
Instalace WordPressInstalace WordPress
Instalace WordPress
 
WP výkon a jeho profilování
WP výkon a jeho profilováníWP výkon a jeho profilování
WP výkon a jeho profilování
 
WordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPressWordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPress
 
WordPress performance tuning
WordPress performance tuningWordPress performance tuning
WordPress performance tuning
 
Výkon WordPress
Výkon WordPressVýkon WordPress
Výkon WordPress
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníky
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
 
České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)
 
Wordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceWordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentace
 
Dijskrův algoritmus
Dijskrův algoritmusDijskrův algoritmus
Dijskrův algoritmus
 

Recently uploaded

JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 

Recently uploaded (20)

JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 

WordPress through the bad guys’ glasses