For a talk given at the Wordpress Meetup in Fort Collins, CO. Slides coupled with live demonstration when given.

1. Hacking Wordpress
A crash course in Web Application hacking.

2. Disclaimer
This information is given for strictly
educational purposes only. It is not cool
(and is illegal) to hack sites that you don’t
own or control. All the sites we’ll hack tonight
have been setup specifically for the purpose
of hacking and contain no sensitive data.

3. Disclaimer #2
We will be conducting most of our
tests in real time. We’ve tested them
extensively, but an any moment
something may go wrong. We
apologize in advance.

4. OWASP Top 10

5. Tonight We’ll Do:
• Brute Force Password Attacking
• Man-In-The-Middle Attacks
• Session Hijacking (via cookie jacking)
• XSS

6. Brute Force Attacks
A common approach (brute-force attack) is to try
guesses repeatedly for the password and check them
against an available cryptographic hash of the
password.

7. Brute Forcing Wordpress
• Wordpress has no built in Brute Force defense
• You can install some plugins to reduce the risk of
a brute force attack.
• We’ll be brute forcing Wordpress using WP-Scan

8. Preventing Brute Force
Attacks
• Use strong passwords (also encourage users to
use strong passwords)
• Use unique passwords
• Limit login attempts by user/IP with email reset

9. Let’s Demonstrate

10. What is a
Man-in-the-Middle Attack?
User Makes Request
Server Sends Response

11. What is a
Man-in-the-Middle Attack?
User Makes Request
Server Sends Response
Attacker can intercept
and *change* communication

12. Let’s Demonstrate

13. How can someone get “in
the middle”?
• WiFi Sniffing/Wifi Pineapple
• Network Administrators
• ISP/Governments
• Datacenters

14. Session Hijacking
Session hijacking, also known as TCP session hijacking,
is a method of taking over a Web user session by
surreptitiously obtaining the session ID and
masquerading as the authorized user.

15. HTTP is a stateless protocol.
That means we have to reauthenticate
every time we make a request.
We do this using cookies:

16. Session Hijacking
User authenticates with username
and password
Once verified, server sends
authentication cookie to user
On all future requests, user sends
the cookie to ensure that they are
authenticated

17. Session Hijacking
User authenticates with username
and password
Once verified, server sends
authentication cookie to user
On all future requests, user sends
the cookie to ensure that they are
authenticated
If we can steal
this cookie,
we can become
the user.

18. Let’s Demonstrate

19. Preventing Man-in-the-Middle
and Session Hijacking
• Use HTTPS site wide!!!!
• Set Cookies to “HTTP only”
• Set Cookies to “Secure”

20. XSS Attack
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications. XSS
enables attackers to inject client-side script into web
pages viewed by other users.

21. XSS Attacks
• The attacker installs a small snippet of malicious
javascript that runs on the client (your) browser
• Attacks allow us to:
• Steal cookies
• Log keypresses
• Trick the user into taking an action

22. Let’s Demonstrate

23. Protecting From XSS
• Developer:
• Sanitize all inputs (use a LIBRARY!!!)
• Sanitize all outputs
• User
• Browser provide some level or protection
• Be skeptical of anything that asks you to enter
information

24. Tools
• Beef - http://beefproject.com/
• WpScan - http://wpscan.org/
• Burp Suite - https://portswigger.net/burp/
• Edit This Cookie (Chrome) - https://
chrome.google.com/webstore/detail/
editthiscookie/
fngmhnnpilhplaeedifhccceomclgfbg?hl=en

25. Further Reading
• Troy Hunt - http://www.troyhunt.com/
• Brian Krebs - http://krebsonsecurity.com/
• Courses:
• Troy’s courses on Plural Sight - https://
www.pluralsight.com/authors/troy-hunt
• One Month Web Security - https://
onemonth.com/courses/web-security