WordPress is one of the most popular CMS and captures around 60% of the CMS market. There are many reasons to use like. Easy to use, not much hard work, good for blogs and allow nontechnical people to set up their websites. It’s important to know how we can test the security of a WordPress website or pentest a WordPress website with all the possible or common ways. The first step of Penetration testing is information gathering and enumeration on the target website. It could be manual or automated we will look at both methods in this blog.
For those who don’t know WordPress is a PHP based application mostly run on apache and MySQL. So we have our first information about the target website. it’s using PHP, MYSQL and Apache. Let’s find of the PHP version our target is using. The most common way to find is looking at the HTTP response headers.
You can see HTTP Response headers through a proxy like a burp suite and zap proxy or from the browser itself in network packet option or you can use Linux tools to send an HTTP Request to the target and get a response with Netcat and curl.
$ curl -I https://example.comHTTP/1.1 200 date: Wed, 26 Feb 2020 content-type: text/html; charset=UTF-8 x-powered-by: PHP/5
Looking at the response we can see the information it’s using PHP and it’s version, you can even check it through browser also, to do that right-click and select the inspect element and click network option and refresh the page to see the all the HTTP request. In Pentesting you can add it to your report as a low vulnerability with name as Server Fingerprinting.
Some case people add server fingerprinting for disclosing version in the HTTP response and another vulnerability outdated version if it’s there. In the example above we can see it’s outdated PHP version so we can add two problems in our report as Server Fingerprinting and Outdated Version.
Enumeration is the process of directly connecting to the server or application to find some information like username and hostname etc, as it’s web testing we will look at the username enumeration.
There could be multiple ways to find a username. In the case of WordPress, we have two most common option available to find or validate the username. Through the WordPress login page and through WordPress author redirect checking.
Go to the WordPress website admin login page https://example.com/wp-admin/ this is the page for admin login in WordPress, Now type the random username and see the error. Now type the right username with the wrong password and again check the error.
You can clearly see that WordPress show you that if the particular username is available or not. If you can do brute force attack with common username list and see the response to find out the username.
Another way is through author page in WordPress like this https://example.com/author/admin/ if the user admin exists you will be redirected to the home page if not you will see the error as page not found or something. again you can do brute-force or dictionary attack with a common username list. through Metasploit or burp suite.
Now enumeration depends on the application you are testing, whether it should be in your report or not. For example if the application is showing the username by itself. Then it doesn’t make any sense to add it in our report as Instagram does. so it depends on the application to application but for us, during testing. It’s good to test enumeration, it could be helpful in other vulnerability.
Another option to enumerate WordPress is its plugin. There are soo many plugins one WordPress website use. we need to find what are they if they are outdated or not if yes then we add it on our outdated version heading. To Enumerate the whole process we will use the name script for WordPress enumeration, with the following command.
$ nmap -sV --script http-wordpress-enum -p 443 allabouthack.com
During the HTTP/HTTPS testing, we should check the two most important things. If website is using a certificate or not to encrypt the communication and second if yes then what cipher they are using. If it’s not using any certificate then we have insecure transport vulnerability to add in our report.
In case if they are using encryption then we have to check the cipher it should be at least TLS 1.2 although TLS 1.3 is available still you can check for TLS, To check we have Nmap script and website. To check through Nmap use the following command.
$ nmap -sV --script ssl-enum-ciphers -p 443 example.com
This script will check for the cipher in the host, you just need to specify the port on which https is running most common is 443 as the default one. If you find they are not using TLS 1.2 or 1.3 then you can add it to your report as a weak cipher.
To do all the process we have done till Now we have WordPress security testing tool called wpscan. It will automatically scan for outdated version, plugin and other vulnerability. to get started with wpscan type:
$ wpscan --help $ wpscan --url example.com $ wpscan --url example.com --enumerate u
With the help of the above commands, you can check all the options with wpscan and enumerate the username. As this is just about some methodology you need to follow during the testing, in the next blog we will look some real kind of application, not CMS and will try to test it and will look at OWASP methods of testing. Most of the methods will be the same in the web application which we used here for WordPress.