An Overview of Common Vulnerabilities in Wordpress


Upload: analytive

Post on 22-Jan-2018


Page 1: An Overview of Common Vulnerabilities in Wordpress

Hacking Wordpress

A crash course in Web Application hacking.

Disclaimer

This information is given strictly for educational purposes. It is not cool (and is illegal) to hack sites that you don’t own or control. All the sites we’ll hack tonight have been set up specifically for the purpose of hacking and contain no sensitive data.

Disclaimer #2

We will be conducting most of our tests in real time. We’ve tested them extensively, but at any moment something may go wrong. We apologize in advance.


OWASP Top 10


Tonight We’ll Do:

• Brute Force Password Attacking

• Man-In-The-Middle Attacks

• Session Hijacking (via cookie jacking)

• XSS

Brute Force Attacks

A common approach (brute-force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password.

Brute Forcing Wordpress

• Wordpress has no built-in Brute Force defense

• You can install some plugins to reduce the risk of a brute force attack.

• We’ll be brute forcing Wordpress using WP-Scan


Preventing Brute Force Attacks

• Use strong passwords (also encourage users to use strong passwords)

• Use unique passwords

• Limit login attempts by user/IP with email reset
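One way to implement the "limit login attempts by user/IP" control, as an added example that is not part of the original slides or of WordPress itself. The class name `LoginLimiter` and its thresholds are assumptions; it keeps a separate sliding-window failure count per username and per client IP and locks whichever key trips first.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Counts failed logins per username and per client IP (hypothetical helper)."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds a key stays locked once tripped
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    @staticmethod
    def _keys(user, ip):
        # Track both dimensions: one IP trying many users, many IPs on one user.
        return (("user", user.lower()), ("ip", ip))

    def allowed(self, user, ip, now=None):
        """Check before verifying the password; locked keys are refused outright."""
        now = time.time() if now is None else now
        return all(self.locked_until.get(k, 0) <= now for k in self._keys(user, ip))

    def record_failure(self, user, ip, now=None):
        """Register a bad password; return the keys that just became locked."""
        now = time.time() if now is None else now
        tripped = []
        for key in self._keys(user, ip):
            stamps = self.failures[key]
            stamps.append(now)
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()  # drop failures that fell outside the window
            if len(stamps) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                stamps.clear()
                tripped.append(key)  # a ("user", ...) key is where a reset e-mail goes
        return tripped

    def record_success(self, user, ip):
        # Clear only the user counter: resetting the IP counter would let someone
        # with one valid account wipe the failure history of their address.
        self.failures.pop(("user", user.lower()), None)
```

In a login handler, `allowed` is called before the password check and `record_failure` after a wrong password; the `now` parameter exists so the behaviour can be tested with fixed timestamps.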


Let’s Demonstrate


What is a Man-in-the-Middle Attack?

User Makes Request

Server Sends Response

Attacker can intercept and *change* communication


Let’s Demonstrate


How can someone get “in the middle”?

• WiFi Sniffing/WiFi Pineapple

• Network Administrators

• ISP/Governments

• Datacenters

Session Hijacking

Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user.


HTTP is a stateless protocol.

That means we have to reauthenticate every time we make a request.

We do this using cookies:


Session Hijacking

User authenticates with username and password

Once verified, server sends authentication cookie to user

On all future requests, user sends the cookie to ensure that they are authenticated

If we can steal this cookie, we can become the user.


Let’s Demonstrate


Preventing Man-in-the-Middle and Session Hijacking

• Use HTTPS site wide!!!!

• Set Cookies to “HTTP only”

• Set Cookies to “Secure”
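A check for the three settings above, as an added example that is not part of the original slides: it reports whether a response came over plain HTTP and which `Set-Cookie` headers lack the Secure or HttpOnly flag. The function names, the `blog.example` host and the sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit


def audit_cookie(set_cookie_value):
    """Return (cookie name, missing protective flags) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return name, missing


def audit_response(url, headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append(f"{url}: served over plain HTTP, readable and changeable in transit")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, missing = audit_cookie(value)
        if "secure" in missing:
            findings.append(f"{name}: no Secure flag, cookie is also sent over plain HTTP")
        if "httponly" in missing:
            findings.append(f"{name}: no HttpOnly flag, cookie is readable by page script")
    return findings


# Constructed sample responses; cookie names and values are placeholders.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=PLACEHOLDER; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("Set-Cookie", "session_id=PLACEHOLDER; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for finding in audit_response("http://blog.example/wp-login.php", WEAK):
        print(finding)
    print(audit_response("https://blog.example/wp-login.php", HARDENED))
```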

XSS Attack

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.

XSS Attacks

• The attacker installs a small snippet of malicious JavaScript that runs in the client's (your) browser

• Attacks allow us to:

• Steal cookies

• Log keypresses

• Trick the user into taking an action


Let’s Demonstrate

Protecting From XSS

• Developer:

• Sanitize all inputs (use a LIBRARY!!!)

• Sanitize all outputs

• User

• Browsers provide some level of protection

• Be skeptical of anything that asks you to enter information
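What "sanitize all outputs" looks like for a rendered comment, as an added example that is not part of the original slides: the unsafe renderer pastes input into the markup, the safe one encodes each value with the standard library's `html.escape`. The function names and sample input are constructed, and the link scheme allow-list goes one step beyond what the slide states.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Allow only http(s) links; anything else (javascript:, data:, ...) becomes '#'."""
    url = url.strip()
    return url if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES else "#"


def render_comment_unsafe(author, website, body):
    # Before: user input is pasted straight into the markup, so any tags it
    # contains become part of the page every visitor loads.
    return f'<p><a href="{website}">{author}</a>: {body}</p>'


def render_comment(author, website, body):
    # After: every value is encoded where it lands. html.escape turns
    # & < > " ' into entities, so input stays text and cannot close the attribute.
    return '<p><a href="{}">{}</a>: {}</p>'.format(
        html.escape(safe_href(website), quote=True),
        html.escape(author),
        html.escape(body),
    )


# Constructed input of the kind a comment form might receive.
SAMPLE = {
    "author": 'Tom & "Jerry"',
    "website": "javascript:alert(1)",
    "body": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    print(render_comment_unsafe(**SAMPLE))
    print(render_comment(**SAMPLE))
```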

Tools

• BeEF - http://beefproject.com/

• WpScan - http://wpscan.org/

• Burp Suite - https://portswigger.net/burp/

• Edit This Cookie (Chrome) - https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

Further Reading

• Troy Hunt - http://www.troyhunt.com/

• Brian Krebs - http://krebsonsecurity.com/

• Courses:

• Troy’s courses on Pluralsight - https://www.pluralsight.com/authors/troy-hunt

• One Month Web Security - https://onemonth.com/courses/web-security