WordPress through the bad guys’ glasses
Report
Vladimír SmitkaFollow
Jun. 22, 2019•0 likes•3,843 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
WordPress through the bad guys’ glasses
Jun. 22, 2019•0 likes•3,843 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Slides from #wceu session. Q&A: https://smitka.me/2019/06/22/wordcamp-eu/ Video: https://www.youtube.com/watch?time_continue=9976&v=Y3y74POsDvc
Vladimír SmitkaFollow
WordPress through the bad guys’ glasses
- https://lynt.cz + https://smitka.me @smitka Vláďa Smitka vladimir.smitka@lynt.cz @smitka Lynt services s.r.o. 22.06.2019 1 WordPress through bad guys' glasses
- https://lynt.cz + https://smitka.me @smitka22.06.2019 2 No security HTTP Headers!
- https://lynt.cz + https://smitka.me @smitka22.06.2019 3
- https://lynt.cz + https://smitka.me @smitka22.06.2019 4 /home/XYZ/public_html/ /var/www/clients/clientX/webY /var/www/vhosts/XYZ/httpdocs/
- https://lynt.cz + https://smitka.me @smitka22.06.2019 5
- https://lynt.cz + https://smitka.me @smitka22.06.2019 6
- https://lynt.cz + https://smitka.me @smitka22.06.2019 7 MD5 of e-mail Password stuffing https://leakprobe.net/ https://spycloud.com Phishing
- https://lynt.cz + https://smitka.me @smitka22.06.2019 8 2FA, Password manager Shortlink: ohno.fun
- https://lynt.cz + https://smitka.me @smitka22.06.2019 9
- https://lynt.cz + https://smitka.me @smitka22.06.2019 10 More than 45k comments with e-mails http://wordpressexpose.chrisgherbert.com/
- https://lynt.cz + https://smitka.me @smitka What to do with thousands of e-mails? Sell them on the BlackMarket! 22.06.2019 11 Comodity Common BlackMarket price WordPress account 1$ Facebook account 3-6$ E-mail account 1-4$ NetFlix account 6-8$ Booking/AirBnB account 3-6$ Tested credit card 10% of limit Credit/Debet - numbers only 5-40$ PayPal account 250$ 100k national e-mail adressess 3$ 100k european e-mail addresses 1$ Quality scan ID/drivers license scan 20$ Photo of ID/drivers license (1 side) 0,5$
- https://lynt.cz + https://smitka.me @smitka Developers ❤️ git • Developers hate configuring servers • Unrestricted .git folder => source files reconstruction => wp-config.php • /.git/logs/HEAD => developer‘s e-mail • Fun fact: VCS disables WP autoupdates 22.06.2019 12
- https://lynt.cz + https://smitka.me @smitka22.06.2019 13
- https://lynt.cz + https://smitka.me @smitka Another config issues • Directory listings 22.06.2019 14
- https://lynt.cz + https://smitka.me @smitka Forgotten DB endpoints • Old PHPmyAdmin/Adminer => External MySQL server => LOAD DATA LOCAL INFILE => access to any file => wp-config.php 22.06.2019 15
- https://lynt.cz + https://smitka.me @smitka Let‘s make it a little bit personal 22.06.2019 16
- https://lynt.cz + https://smitka.me @smitka 22.06.2019 17 Julia‘s e-mail Leaked passwords Julia‘s personal blog about her cat
- https://lynt.cz + https://smitka.me @smitka EXIF metadata 22.06.2019 18
- https://lynt.cz + https://smitka.me @smitka22.06.2019 19
- https://lynt.cz + https://smitka.me @smitka22.06.2019 20
- https://lynt.cz + https://smitka.me @smitka22.06.2019 21
- https://lynt.cz + https://smitka.me @smitka Thank you! Be careful what you share on the internet! Q&A: https://smitka.me 22.06.2019 22