We live in an increasingly connected world: every day more people gain access to the Internet, through more devices. These devices let us control parts of our lives such as banking, transportation, and healthcare, and there are countless apps and devices for these purposes.
A few years ago, a web page was only meant to be accessed through a web browser on a computer. Nowadays web apps are more prevalent than ever, with all the power of HTML5 and the increasing speed of JavaScript. Some operating systems even treat them as first-class apps; Firefox OS, in fact, builds its entire functionality on HTML5 apps.
WordPress is one of the most widely used CMSs today, but like every web application it has security flaws. The purpose of this post is to give a quick glance at basic security for a PHP web page or application.
The first step is to check the OWASP (Open Web Application Security Project) website, which provides free information, tools, methodologies, and documentation about web application security (in general, not just for WordPress). With that background you have a better chance of finding something in your configuration or code that may cause a security breach.
If you want to learn more about it, check out our blog post OWASP: Top 10 Project for Applications Security.
The most important thing to understand is that there is no such thing as "perfect security", but there are tools and technologies that improve the current security posture and add layers to it. This process has to be balanced against convenience: the security measures worth applying should be proportional to the value of what they protect.
A good way to start testing a site's security is with an automated tool built for that purpose.
In this case I will use https://wpscan.org/, a tool that checks your site against a list of known vulnerabilities.
Let’s see how to use it:
First, install wpscan on your computer: go to the https://wpscan.org/ webpage and follow the installation steps, or just use the Docker image (I recommend this approach). If you know how to use Docker containers, they provide one.
If you already have Docker installed and configured, the steps look like this:
Pull the image:
sudo docker pull wpscanteam/wpscan
Run the tool against your site (replace http://127.0.0.1 with the URL of your WordPress host):
sudo docker run --rm wpscanteam/wpscan -u http://127.0.0.1
Keep in mind that inside the container 127.0.0.1 is the container's own loopback interface, not your machine. To scan a WordPress running on the same host, add --network host to the docker run command (Linux) or use the host's real IP address.
You should get a report with the WordPress version, theme, and plugins WPScan detected, followed by the known vulnerabilities it matched against each of them.
Another use of this tool is enumerating the site's users. The technique is very basic (WPScan walks the author IDs, /?author=N, and reads the usernames WordPress exposes), but it yields valid usernames, leaving only the passwords to guess.
sudo docker run --rm wpscanteam/wpscan -u http://127.0.0.1 --enumerate u
The result adds, to the vulnerabilities reported by the previous command, some extra information about the WordPress site and the list of usernames it found. As you can see, the tool is really easy to use: you only need the docker command to run the image, the -u option with the WordPress host, and whatever wpscan options you want.
Now we can brute force the password and try to log in. First, create a text file named "pass.list" with one candidate password per line, for example:
password
123456
12345678
1234
qwerty
12345
dragon
baseball
football
monkey
696969
abc123
mustang
michael
shadow
master
jennifer
111111
2000
jordan
superman
harley
1234567
You can put it wherever you want; I used the /tmp directory, so the file location is /tmp/pass.list.
Then, try this command:
sudo docker run -v /tmp:/tmp/force --rm wpscanteam/wpscan -u http://127.0.0.1 --wordlist /tmp/force/pass.list --username admin
The -v /tmp:/tmp/force option bind-mounts the local /tmp directory at /tmp/force inside the container, which is why WPScan is given the wordlist as /tmp/force/pass.list rather than /tmp/pass.list. (These are the WPScan 2.x option names; WPScan 3.x renamed them to --url for the target and --usernames and --passwords for the password attack, while --enumerate u is unchanged.)
In this case the password of the admin account was the word "password". For a longer wordlist, the threads option (-t) lets WPScan try several candidates in parallel.
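The whole procedure above collected in one script, added here as an example; it is not code from the original post or from the WPScan project. It assumes the public wpscanteam/wpscan image and a wordlist file you supply; the function names and the WPSCAN_V3 switch are mine. It also takes care of the loopback detail mentioned earlier: inside the container 127.0.0.1 is the container itself, so for a WordPress on the same machine the script adds --network host.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the WPScan project): wraps the
# WPScan-in-Docker steps shown above. Assumes the public wpscanteam/wpscan
# image; file names, the WPSCAN_V3 switch and function names are mine.
set -eu

IMAGE="wpscanteam/wpscan"

# normalize_wordlist <in> <out>: WPScan reads one candidate per line. Strip
# the "- " bullets a copied list may carry, drop blank lines and duplicates,
# and print how many candidates remain.
normalize_wordlist() {
    sed -e 's/^[[:space:]]*-[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk '!seen[$0]++' > "$2"
    awk 'END { print NR }' "$2"
}

# docker_net_flags <url>: inside the container, 127.0.0.1 and localhost are
# the container's own loopback, not this machine. A WordPress running on the
# host is only reachable with host networking (Linux); remote targets need
# nothing extra.
docker_net_flags() {
    case "$1" in
        http://127.*|https://127.*|http://localhost*|https://localhost*)
            printf '%s\n' "--network host" ;;
        *) : ;;
    esac
}

# wpscan_cmd <scan|users|brute> <url> [wordlist] [username]: print the docker
# command line for one step. For "brute" the wordlist's directory is
# bind-mounted read-only at /tmp/force, so WPScan sees /tmp/force/<file>.
# Flags default to the WPScan 2.x names the post uses; WPSCAN_V3=1 selects
# the 3.x names (--url, --passwords, --usernames). --enumerate u is the same.
wpscan_cmd() {
    local mode url wordlist user net target cmd dir file
    mode=$1; url=$2; wordlist=${3:-}; user=${4:-}
    net=$(docker_net_flags "$url")
    if [ "${WPSCAN_V3:-0}" = 1 ]; then target="--url $url"; else target="-u $url"; fi
    cmd="docker run --rm${net:+ $net}"
    case "$mode" in
        scan)  cmd="$cmd $IMAGE $target" ;;
        users) cmd="$cmd $IMAGE $target --enumerate u" ;;
        brute)
            [ -n "$wordlist" ] && [ -n "$user" ] \
                || { echo "brute needs <wordlist> <username>" >&2; return 1; }
            dir=$(cd "$(dirname "$wordlist")" && pwd)
            file=$(basename "$wordlist")
            cmd="$cmd -v $dir:/tmp/force:ro $IMAGE $target"
            if [ "${WPSCAN_V3:-0}" = 1 ]; then
                cmd="$cmd --passwords /tmp/force/$file --usernames $user"
            else
                cmd="$cmd --wordlist /tmp/force/$file --username $user"
            fi ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}

# With arguments, pull the image and run the requested step, e.g.
#   bash wpscan-docker.sh brute http://127.0.0.1 /tmp/pass.list admin
# Without arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    docker pull "$IMAGE"
    # The command was built from our own arguments, which contain no spaces.
    eval "$(wpscan_cmd "$@")"
fi
```

Run it as `bash wpscan-docker.sh scan http://blog.example.com`, `... users http://blog.example.com`, or `... brute http://127.0.0.1 /tmp/pass.list admin` after normalizing your list with normalize_wordlist; the wordlist is mounted read-only on purpose, since the container has no reason to write into your directory.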
This was just a small demonstration of what can be done with little effort, and this kind of problem can be solved with even less. Use a strong, unique password for every WordPress account, and limit the number of failed login attempts a single client may make, so that a wordlist attack like this one cannot run unchecked.
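The post shows the attack only from the attacker's side. As an added example that is not part of the original post, the following script shows what the same wordlist attack looks like in the web server's access log and how to pick it out: WordPress answers a failed wp-login.php POST with a 200 (the login form is re-rendered with an error) and a successful one with a 302 redirect to wp-admin. The log lines are constructed, the addresses are taken from the documentation ranges, and the threshold of five attempts is an arbitrary choice of mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find a wp-login.php password
# guessing run in a combined-format access log. The sample log below is
# constructed; the addresses come from the documentation ranges.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3564 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3564 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3564 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3564 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3564 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "GET /wp-admin/ HTTP/1.1" 200 51204 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# wp_login_bruteforce <logfile> <threshold>: print "ip count" for every client
# whose POSTs to wp-login.php reach the threshold. In the combined format
# field 6 is the quoted method, field 7 the path and field 9 the status code.
wp_login_bruteforce() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1" | sort
}

# first_success <logfile> <ip>: timestamp of the first wp-login.php POST from
# <ip> that WordPress answered with 302, i.e. the guess that worked. Failed
# logins come back as 200 with the form re-rendered.
first_success() {
    awk -v ip="$2" '
        $1 == ip && $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" {
            sub(/^\[/, "", $4); print $4; exit
        }
    ' "$1"
}

# report <logfile> <threshold>: flag noisy clients, then check whether any of
# them actually got in.
report() {
    wp_login_bruteforce "$1" "$2" | while read -r ip count; do
        when=$(first_success "$1" "$ip")
        printf '%s: %s login attempts%s\n' "$ip" "$count" "${when:+, succeeded at $when}"
    done
}

report "$SAMPLE_LOG" 5
```

The legitimate user at 198.51.100.4 logs in with a single POST and never trips the threshold; the client at 203.0.113.7 hammers the form five times and then gets a 302, which is exactly the pattern a successful wordlist run leaves behind. The same awk filters work on a real log by replacing SAMPLE_LOG with its path, and the threshold is what a login rate limit would enforce at request time instead of after the fact.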
You can find more info in:
https://github.com/wpscanteam/wpscan
https://hub.docker.com/r/wpscanteam/wpscan/