Wordpress is a revolution, let’s face it. The reason for this introduction is that Wordpress powers 42.7% of all websites currently online.
In my current job, and also when I’m doing bug bounty, I come across quite a few targets running on Wordpress. All right, in most cases they’re properly protected, except for a few plugins containing CVEs or directory listings here and there.
One of the most common security misconfigurations is one that allows users to be enumerated, either automatically or manually. We’ll look at both ways.
How is enumeration possible?
As with every modern application, APIs are consumed in abundance and… by default. By “default”, I’m referring to the configuration set up so that it works, and fast. People don’t have the time for secure configuration either.
But an API that isn’t properly configured can lead to disasters, like Linkedin. Even if a Wordpress site isn’t Linkedin and doesn’t contain as many APIs, it would be a shame to have your site, which presents your company or your online store, hacked just because a user has been compromised!
In fact, the weakness comes from the fact that Wordpress, by default, exposes the list of users through its REST API. Quite simply!
Manual exploration
The endpoint disclosing the identifiers can be reached directly at the following link:
> https://domain.tld/wp-json/wp/v2/users/
A JSON string is then displayed, and you’ll see the list of users.
Automatic exploration
My little favorite for enumeration is Nuclei. This tool lets me display information graphically.
Entering the following command, I listed my target and came across the following information:
Nuclei also gives the full path to the application. The perfectionist in me pushed me to go and look at the path to see if it was a false positive.
Danger
So, as things stand, we can’t yet talk about a vulnerability. If you can’t find a login page, don’t go any further: you won’t be able to justify it as a vulnerability.
On the other hand, if you come across an authentication system with no anti-bruteforce protection (the worst case), you can try a dictionary attack.
On Wordpress, the juicy endpoints for the login are as follows:
- /wp-login
- /wp-login.php
- /manager
- /wp-admin
- /login
It is also possible to enumerate the list using gobuster or ffuf with the famous SecLists dictionary.
How to protect
There are two ways to protect this kind of information disclosure:
- Use a plugin
- Add the following code to functions.php to tell the Wordpress core to hide usernames:
```php
// Require authentication for the /wp/v2/users REST routes.
add_action( 'rest_authentication_errors', function( $access ) {
    // Logged-in users (the dashboard, the block editor) keep normal access.
    if ( is_user_logged_in() ) {
        return $access;
    }
    // Match both the pretty URL (/wp-json/wp/v2/users) and the
    // ?rest_route=/wp/v2/users form. Note that the pattern blocks any
    // anonymous request whose URI or route contains "users", so tighten
    // it (e.g. '#/wp/v2/users#i') if that is too broad for your site.
    if ( ( preg_match( '/users/i', $_SERVER['REQUEST_URI'] ) !== 0 )
        || ( isset( $_REQUEST['rest_route'] ) && ( preg_match( '/users/i', $_REQUEST['rest_route'] ) !== 0 ) )
    ) {
        // rest_authorization_required_code() returns 401 for anonymous requests,
        // so the client gets a proper "authentication required" status.
        return new \WP_Error(
            'rest_cannot_access',
            'Only authenticated users can access the User endpoint REST API.',
            [
                'status' => rest_authorization_required_code()
            ]
        );
    }
    return $access;
} );
```
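Whether you check the endpoint manually (as in the "Manual exploration" section) or verify that the functions.php filter above is working, the useful part is interpreting the response. The following helper is an added example, not code from the original article: it classifies a response from /wp-json/wp/v2/users as exposed, blocked, disabled or empty, and reports the `slug` values, which Wordpress derives from the login name and which are therefore what an attacker would collect. The two sample bodies are constructed for the example; the request itself (curl or `requests`) is left to you so the code runs offline.

```python
"""Classify a /wp-json/wp/v2/users response (added audit example).

Feed it the HTTP status and raw body you got back from your own site,
before and after deploying the rest_authentication_errors filter.
"""
import json
from dataclasses import dataclass, field
from typing import List

# Constructed sample: what an unprotected site returns to an anonymous request.
# Real responses carry more fields; only id/name/slug/link are kept here.
EXPOSED_BODY = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://domain.tld/author/admin/"},
    {"id": 3, "name": "Jane Editor", "slug": "jeditor",
     "link": "https://domain.tld/author/jeditor/"},
])

# Constructed sample: the WP_Error payload produced by the functions.php filter.
BLOCKED_BODY = json.dumps({
    "code": "rest_cannot_access",
    "message": "Only authenticated users can access the User endpoint REST API.",
    "data": {"status": 401},
})


@dataclass
class Finding:
    verdict: str                              # exposed | blocked | disabled | empty | unknown
    usernames: List[str] = field(default_factory=list)  # slugs disclosed, if any


def classify_users_response(status: int, body: str) -> Finding:
    """Decide whether the users endpoint leaks account names.

    The `slug` field (user_nicename) is derived from the login name, so
    a 200 response listing slugs is the misconfiguration described in the
    article. A WP_Error body with 401/403 means the filter (or a plugin)
    is doing its job; rest_no_route means the route is not registered.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        # HTML login page, WAF block page, etc.: not a REST answer at all.
        return Finding("unknown")

    if status == 200 and isinstance(data, list):
        slugs = [u["slug"] for u in data
                 if isinstance(u, dict) and isinstance(u.get("slug"), str)]
        # An empty list (no users with published public posts) discloses nothing.
        return Finding("exposed", slugs) if slugs else Finding("empty")

    if isinstance(data, dict) and isinstance(data.get("code"), str):
        if data["code"] == "rest_no_route":
            return Finding("disabled")
        if status in (401, 403):
            return Finding("blocked")

    return Finding("unknown")


def report_line(host: str, finding: Finding) -> str:
    """One line per host, suitable for a pentest or hardening report."""
    if finding.verdict == "exposed":
        return f"{host}: users endpoint EXPOSED, {len(finding.usernames)} login(s) disclosed: " \
               + ", ".join(finding.usernames)
    return f"{host}: users endpoint {finding.verdict}"


if __name__ == "__main__":
    # Hypothetical host name; the bodies are the constructed samples above.
    print(report_line("domain.tld (before fix)", classify_users_response(200, EXPOSED_BODY)))
    print(report_line("domain.tld (after fix)", classify_users_response(401, BLOCKED_BODY)))
```

After deploying the filter, an anonymous request should land in the "blocked" branch; if it still comes back "exposed", the code was not loaded (wrong theme, cached functions.php) or the regex did not match the route form your site uses.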
Reward
I recently earned €50 by reporting this security misconfiguration in as much detail as possible, so as not to waste the time of the company’s security teams.
Summary
Let’s be clear, this vulnerability is not significant unless default passwords are used and no anti-bruteforce mechanism is in place.
The aim of this article is to show that with a few drops, it’s possible to destroy a dam.
Cheers,
#wordpress, #pentest, #bugbounty, #infosec, #security