# WordPress CMS Pentesting/Configuration Audit

1. WAF Detection

> Before proceeding with wpscan or automated scans (nmap, dirsearch, etc.), it's crucial to understand the WAF protection and the User-Agent dependency of the target application. Use appropriate WAF bypass payloads and techniques, then perform the scan with an appropriate approach such as request rate-limiting, origin IP identification, etc.

![](https://hackmd.io/_uploads/r1bIjkUC3.png)

2. Check the `xmlrpc.php` access

* Check if the pingback functionality is enabled for xmlrpc.php:

```
POST /xmlrpc.php HTTP/1.1
Host: localhost:8052
Content-Type: text/xml
User-Agent: Mozilla/5.0

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value>https://example.com/post-url</value></param>
    <param><value>https://your-site.com/pingback-endpoint</value></param>
  </params>
</methodCall>
```

* Replace `https://example.com/post-url` with the URL of a post on your WordPress site.
* Replace `https://your-site.com/pingback-endpoint` with the URL of the site or endpoint where you want to send the pingback.

3. User Enumeration

```
wpscan --url http://example.com --enumerate u
```

* Check the REST API access from the browser: `http://example.com/wp-json/wp/v2/users`

Remediation:

1. Disable the WordPress REST API if you are not using it.
2. Disable WordPress XML-RPC if you are not using it.
3. Configure your web server to block requests to `/?author=<number>`.
4. Don't expose `/wp-admin` and `/wp-login.php` directly to the public Internet.

4. Theme Enumeration, version & check known issues

> Before doing the scan, you have to get a wpscan API key by signing up for an account [here](https://wpscan.com/register).
> If the application is behind a firewall, use `-t 1` to limit the maximum number of threads.

```
wpscan --url https://target-wordpres.com --enumerate at --api-token <wpscan-api-key> --random-user-agent
```

5. Plugin enumeration, version & check known issues

```
wpscan --url https://target-wordpres.com --enumerate ap --api-token <wpscan-api-key> --random-user-agent
```

6. WordPress Version and known issues

7. Enumerate configuration backups

```
wpscan --url https://target-wordpres.com --enumerate cb --random-user-agent
```

8. Enumerate DB Exports

```
wpscan --url https://target-wordpres.com --enumerate dbe --random-user-agent
```

9. Nuclei CVE Scan

* Use the `-H` flag to send a custom header (for example the User-Agent the target expects) and avoid false negatives.
* Use the rate-limit flag (`-rl`) to avoid WAF restrictions.

```
nuclei -u https://target-wordpres.com -t ~/nuclei-templates/http/cves -tags wordpress -vv
```

10. Nuclei vulnerabilities templates scan

```
nuclei -u https://target-wordpres.com -t ~/nuclei-templates/http/vulnerabilities -tags wordpress -vv
```

11. Nuclei misconfiguration templates scan

```
nuclei -u https://entersoftsecurity.com/blog/ -t ~/nuclei-templates/http/misconfiguration -tags wordpress -vv
```

12. Public access to the `wp-admin` login

13. User Enumeration at the wp-admin login

14. wp-admin login brute-force protection (CAPTCHA/account lockout)

15. Directory listing

16. CAPTCHA protection on public forms

17. Check the `wp-cron.php` access [Reference](https://vulners.com/hackerone/H1:1888723)

18. DoS via WP-JSON API CORS Misconfiguration [Reference](https://nathandavison.com/blog/corsing-a-denial-of-service-via-cache-poisoning)

> The above issue is impactful if WordPress is used in headless mode via the "[WordPress REST API](https://wpengine.com/resources/the-ultimate-guide-to-the-wordpress-rest-api/)".

19. Response Headers Analysis

* X-Frame-Options
* Content-Security-Policy
* HTTP Strict Transport Security (HSTS)
* X-Content-Type-Options

20. Nuclei scan with wordfence-cve templates

```
https://github.com/topscoder/nuclei-wordfence-cve
```
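Items 2 and 3 above boil down to two questions a configuration audit has to answer from the server's responses: does `xmlrpc.php` still advertise `pingback.ping`, and does `/wp-json/wp/v2/users` leak login names? The following Python helper is an added example (not part of the original checklist) that builds the XML-RPC `system.listMethods` request with the standard library and evaluates captured responses offline. The sample responses are constructed for illustration; the REST error code `rest_cannot_access` in the blocked sample is a placeholder, not a verified WordPress value.

```python
import json
import xmlrpc.client


def build_list_methods_request() -> str:
    """Body to POST to xmlrpc.php to list the methods the site exposes.

    xmlrpc.client.dumps() builds a well-formed <methodCall> envelope, so the
    request cannot be rejected for malformed XML.
    """
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def pingback_exposed(response_xml: str) -> bool:
    """True when the system.listMethods response advertises pingback.ping.

    A site that has XML-RPC disabled answers with a <fault> instead of a
    method list; xmlrpc.client.loads() raises Fault for that, which this
    check treats as 'not exposed'.
    """
    try:
        params, _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault:
        return False
    methods = params[0]
    return "pingback.ping" in methods


def rest_usernames(users_json: str) -> list:
    """Login names (slugs) leaked by an unauthenticated /wp-json/wp/v2/users.

    A blocked request yields a JSON object with an error 'code' rather than a
    list of users; that case returns an empty list.
    """
    body = json.loads(users_json)
    if isinstance(body, dict):
        return []
    return [user["slug"] for user in body]


# Constructed sample responses (not captured from a real site).
OPEN_XMLRPC = (
    '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
    "<value><string>system.listMethods</string></value>"
    "<value><string>pingback.ping</string></value>"
    "<value><string>wp.getUsersBlogs</string></value>"
    "</data></array></value></param></params></methodResponse>"
)
DISABLED_XMLRPC = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    "<member><name>faultCode</name><value><int>405</int></value></member>"
    "<member><name>faultString</name><value><string>"
    "XML-RPC services are disabled on this site.</string></value></member>"
    "</struct></value></fault></methodResponse>"
)
OPEN_USERS = (
    '[{"id": 1, "name": "Site Admin", "slug": "siteadmin"},'
    ' {"id": 2, "name": "Editor", "slug": "editor"}]'
)
BLOCKED_USERS = (
    '{"code": "rest_cannot_access", "message": "Authentication required.",'
    ' "data": {"status": 401}}'
)

if __name__ == "__main__":
    print(build_list_methods_request())
    print("pingback exposed:", pingback_exposed(OPEN_XMLRPC), pingback_exposed(DISABLED_XMLRPC))
    print("usernames leaked:", rest_usernames(OPEN_USERS), rest_usernames(BLOCKED_USERS))
```

A non-empty list from `rest_usernames()` or `True` from `pingback_exposed()` maps directly onto remediation items 1 and 2 of section 3: restrict the REST users endpoint to authenticated requests and disable XML-RPC (or at least the pingback methods) when the site does not need them.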
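For item 19, the four headers are easy to eyeball once, but an audit usually covers several hosts and response types (front page, wp-login.php, wp-json). The following Python checker is an added example, not part of the original checklist; it parses a raw HTTP response header block and returns one finding per missing or weak header, treating a CSP `frame-ancestors` directive as an acceptable substitute for `X-Frame-Options` and requiring an HSTS `max-age` of at least one year. Both sample responses are constructed, not captured from a real site.

```python
import re

# Constructed sample responses (not captured from a real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/8.1.2
Link: </wp-json/>; rel="https://api.w.org/"
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""

ONE_YEAR = 31536000


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return one finding per hardening header that is missing or too weak."""
    h = parse_headers(raw)
    findings = []

    # Clickjacking: either header is acceptable, so only flag when both are absent
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if not csp:
        findings.append("missing Content-Security-Policy")

    # HSTS: presence alone is not enough; a short max-age offers little protection
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if max_age is None:
        findings.append("missing Strict-Transport-Security")
    elif int(max_age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or ["no findings"])
```

Feed `audit_headers()` the header block of each captured response (for example from `curl -sI`); the hardened sample shows the minimal set of values that produces no findings and is what the remediation for item 19 should converge on.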