
WordPress through the bad guys’ glasses

Slides from #wceu session.
Q&A: https://smitka.me/2019/06/22/wordcamp-eu/
Video: https://www.youtube.com/watch?time_continue=9976&v=Y3y74POsDvc

  1. Vláďa Smitka (vladimir.smitka@lynt.cz, @smitka), Lynt services s.r.o., https://lynt.cz + https://smitka.me, 22.06.2019: WordPress through bad guys' glasses
  2. No security HTTP headers!
  3. (image only)
  4. Typical document-root paths: /home/XYZ/public_html/, /var/www/clients/clientX/webY, /var/www/vhosts/XYZ/httpdocs/
  5. (image only)
  6. (image only)
  7. MD5 of e-mail • Password stuffing (https://leakprobe.net/, https://spycloud.com) • Phishing
  8. 2FA, password manager • Shortlink: ohno.fun
  9. (image only)
  10. More than 45k comments with e-mails: http://wordpressexpose.chrisgherbert.com/
  11. What to do with thousands of e-mails? Sell them on the black market!

      | Commodity | Common black-market price |
      |---|---|
      | WordPress account | 1$ |
      | Facebook account | 3-6$ |
      | E-mail account | 1-4$ |
      | Netflix account | 6-8$ |
      | Booking/AirBnB account | 3-6$ |
      | Tested credit card | 10% of limit |
      | Credit/debit card, numbers only | 5-40$ |
      | PayPal account | 250$ |
      | 100k national e-mail addresses | 3$ |
      | 100k European e-mail addresses | 1$ |
      | Quality scan of ID/driver's license | 20$ |
      | Photo of ID/driver's license (1 side) | 0,5$ |

  12. Developers ❤️ git • Developers hate configuring servers • Unrestricted .git folder => source files reconstruction => wp-config.php • /.git/logs/HEAD => developer's e-mail • Fun fact: VCS disables WP auto-updates
  13. (image only)
  14. Other config issues • Directory listings
  15. Forgotten DB endpoints • Old phpMyAdmin/Adminer => external MySQL server => LOAD DATA LOCAL INFILE => access to any file => wp-config.php
  16. Let's make it a little bit personal
  17. Julia's e-mail • Leaked passwords • Julia's personal blog about her cat
  18. EXIF metadata
  19. (image only)
  20. (image only)
  21. (image only)
  22. Thank you! Be careful what you share on the internet! Q&A: https://smitka.me
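As an added example (not part of the slides or the speaker's material), a small Python self-audit that checks responses captured from your own site for the exposures slides 2, 12, 14 and 15 describe: missing security headers, a readable /.git/HEAD, directory listings, and a forgotten phpMyAdmin/Adminer install. The sample responses are constructed, and the list of headers that count as "security headers" is this example's assumption.

```python
from dataclasses import dataclass
# Headers whose absence slide 2 flags; which ones count is this example's assumption.
SECURITY_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options", "referrer-policy")

@dataclass
class Response:
    """One HTTP response captured from your own site (samples below are constructed)."""
    path: str
    status: int
    headers: dict
    body: str = ""

def missing_security_headers(resp: Response) -> list:
    present = {k.lower() for k in resp.headers}
    return [h for h in SECURITY_HEADERS if h not in present]

def git_exposed(resp: Response) -> bool:
    # A readable /.git/HEAD means the tree (wp-config.php included) can be rebuilt.
    return (resp.path.endswith("/.git/HEAD") and resp.status == 200
            and resp.body.lstrip().startswith("ref: refs/heads/"))

def directory_listing(resp: Response) -> bool:
    # Apache and nginx autoindex pages both carry this title.
    return resp.status == 200 and "<title>Index of " in resp.body

def db_admin_tool(resp: Response) -> bool:
    # A forgotten phpMyAdmin/Adminer install announces itself in its page title.
    return resp.status == 200 and any(t in resp.body for t in ("<title>phpMyAdmin", "<title>Adminer"))

def audit(responses: list) -> list:
    """One finding per exposure, in input order; headers are judged on the front page only."""
    findings = []
    for r in responses:
        if r.path == "/":
            findings += [f"/: missing {h}" for h in missing_security_headers(r)]
        if git_exposed(r):
            findings.append(f"{r.path}: .git exposed")
        if directory_listing(r):
            findings.append(f"{r.path}: directory listing")
        if db_admin_tool(r):
            findings.append(f"{r.path}: DB admin tool reachable")
    return findings

# Constructed sample responses, not captured from any real site.
SAMPLE = [
    Response("/", 200, {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}),
    Response("/.git/HEAD", 200, {"Content-Type": "text/plain"}, "ref: refs/heads/master\n"),
    Response("/wp-content/uploads/", 200, {}, "<html><head><title>Index of /wp-content/uploads/</title>"),
    Response("/adminer.php", 404, {}, "Not Found"),
]
```

Feed it the responses of a real crawl of your own site and fix each finding with a deny rule for .git, autoindex off, removal of the admin tool, and the missing headers.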
