Nytro

Security issues in WordPress XML-RPC DDoS Explained


G_Victor| September 4, 2014

A number of months ago a DDoS attack against a website used a feature present in every WordPress site since 2005 as an amplification vector. According to one report, more than 162,000 WordPress sites sent requests to the target.

What is this DDoS?

WordPress has a feature that lets one site notify another that it has linked to it. This function has been abused for several years, and a few months ago a DDoS attack was mounted again, using the XML-RPC pingback method to reflect traffic from many WordPress sites onto an unsuspecting target. Each pingback call triggers a single GET from the reflecting site, so the amplification per request is modest; the damage comes from the number of WordPress sites that can be pointed at one victim.

WordPress Prevalence

WordPress is everywhere. About 22% of all sites on the Internet are WordPress sites according to Akamai's State of the Internet Q1 2014 Report. It powers sites from small blogs to large publications.

[Image from the original post not reproduced here]

What is it? WordPress and XML-RPC

WordPress is a Content Management System for blogging built on a plugin architecture and templates. XML-RPC is a specification describing how software running on different operating systems and in different environments can make procedure calls over the Internet, using HTTP POST as the transport and XML as the encoding.

XML-RPC has been enabled by default in WordPress since version 3.5. Earlier versions shipped with it, but it had to be switched on under Settings > Writing.

An administrator can manage almost any aspect of the WordPress installation from any application that implements XML-RPC, such as a mobile app. Users, posts, pages and tags can be created, modified and deleted by administrators.

How is it used? For Good.

According to the specification, this is the minimal request needed to receive the list of methods a WordPress site supports:

[Image from the original post: the minimal system.listMethods XML-RPC request]

A list of the methods in the XML-RPC WordPress API can be found in the WordPress Codex: XML-RPC WordPress API.
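The request described above, built and parsed with the Python standard library, as an added example that is not part of the original post. The endpoint path /xmlrpc.php is the one WordPress uses; the host name blog.example.net and the short method list in the sample response are constructed for the example (a real site returns several dozen methods).

```python
"""Enumerate the XML-RPC methods a WordPress site advertises (system.listMethods)."""
import urllib.request
import xmlrpc.client

# Every WordPress site serves its XML-RPC endpoint at this path.
XMLRPC_PATH = "/xmlrpc.php"


def build_list_methods_request() -> bytes:
    """Serialise the minimal XML-RPC call: a methodCall with no parameters."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def build_http_post(host: str, body: bytes) -> bytes:
    """Wrap the XML body in the HTTP POST the XML-RPC spec requires.

    The spec mandates POST, a Host header, Content-Type text/xml and a
    correct Content-Length; this is what goes over the wire.
    """
    headers = (
        f"POST {XMLRPC_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode() + body


def parse_method_list(response_xml: str) -> list:
    """Unpack a methodResponse whose single return value is an array of method names."""
    (methods,), _ = xmlrpc.client.loads(response_xml)
    return list(methods)


def pingback_exposed(methods) -> bool:
    """True if the site will accept pingback.ping, the method abused in the DDoS."""
    return "pingback.ping" in methods


def list_methods(base_url: str) -> list:
    """Send the request to a live site, e.g. list_methods("https://blog.example.net").
    Not called below so the example runs offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + XMLRPC_PATH,
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_method_list(resp.read().decode())


# Constructed sample response, shortened to four entries for the example.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
</data></array></value></param></params></methodResponse>"""


if __name__ == "__main__":
    print(build_http_post("blog.example.net", build_list_methods_request()).decode())
    methods = parse_method_list(SAMPLE_RESPONSE)
    print(len(methods), "methods; pingback.ping exposed:", pingback_exposed(methods))
```

Pointing list_methods at your own site is the quickest way to confirm whether pingback.ping is still reachable after the changes discussed later in the post.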

The Attack. What Is Pingback And How Does It Work?

One such method is pingback.ping, which records that a post on one site links to a post on another. Put another way, SiteA is notified that SiteB has linked to it. The advantage is that SiteA gains credibility by most search engines' standards and SiteB credits its source.

[Image from the original post: illustration of a pingback from SiteB to SiteA]

How Can It Be Abused? DDoS Attack?

Even though this "bug" was documented in 2007 (https://core.trac.wordpress.org/ticket/4137), and WordPress has since added mitigations, in March 2014 more than 160,000 WordPress sites were used as reflectors in a DDoS attack against a single site. All that was necessary was the source and target URI.

The Anatomy Of The Attack

To craft the attack, simply POST a request like this to the xmlrpc.php of a WordPress site:

[Image from the original post: the pingback.ping POST request used in the attack]

With this call the WordPress site verifies the pingback by fetching the source URI with a GET request to check that it really links to the target post. The attacker puts the victim's URL in the source URI, with a random query string so that caches are bypassed and every request forces a full page render, and any pingback-enabled post on the WordPress site in the target URI. That takes away resources needed for legitimate users. If many WordPress sites are made to fetch the same URL, the victim experiences a DDoS. The source can be any URL, so the attacker needs no access to the victim or to the WordPress sites used as reflectors.
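The request above, built from the two URIs, together with the check a defender would add on the receiving side, as an added example that is not part of the original post. The host names victim.example.com and blog.example.net are constructed; the cache-busting query string pattern (a bare numeric key=value pair) is a heuristic chosen for the example, not a WordPress rule. The accept/reject logic is illustrative, not WordPress's own code: WordPress does require that the target be a local post, but the query-string check is the addition shown here.

```python
"""Build a pingback.ping call and classify incoming ones before any source is fetched."""
import re
import xmlrpc.client
from urllib.parse import urlparse

# Constructed names for the example.
REFLECTOR_HOST = "blog.example.net"               # WordPress site receiving the call
LOCAL_POST = "http://blog.example.net/2014/post/"  # any pingback-enabled post on it
VICTIM = "http://victim.example.com/?4137049=6431829"  # random query defeats caches


def build_xmlrpc_call(method: str, *params) -> bytes:
    """Serialise any XML-RPC methodCall body."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def build_pingback_request(source_uri: str, target_uri: str) -> bytes:
    """pingback.ping(sourceURI, targetURI), exactly as a legitimate client sends it."""
    return build_xmlrpc_call("pingback.ping", source_uri, target_uri)


def parse_xmlrpc_call(body: bytes):
    """Return (method name, parameter tuple) from a methodCall body."""
    params, method = xmlrpc.client.loads(body.decode())
    return method, params


# Heuristic: a real blog link does not carry a bare numeric key=value query.
CACHE_BUSTER = re.compile(r"\d+=\d+")


def classify_pingback(body: bytes, local_host: str = REFLECTOR_HOST) -> str:
    """Decide whether an incoming XML-RPC body is a pingback worth honouring.

    The decision is made before any outbound GET, which is the point: the
    outbound fetch is what turns the site into a DDoS reflector.
    """
    method, params = parse_xmlrpc_call(body)
    if method != "pingback.ping":
        return "not-pingback"
    if len(params) != 2 or not all(isinstance(p, str) for p in params):
        return "reject: malformed"
    source, target = params
    if urlparse(target).hostname != local_host:
        return "reject: target not local"      # WordPress itself refuses this
    src = urlparse(source)
    if src.scheme not in ("http", "https") or not src.hostname:
        return "reject: bad source scheme"
    if src.hostname == local_host:
        return "reject: self-ping"
    if CACHE_BUSTER.fullmatch(src.query):
        return "reject: cache-busting query"   # the added, heuristic check
    return "accept"


if __name__ == "__main__":
    attack = build_pingback_request(VICTIM, LOCAL_POST)
    print(attack.decode())
    print("attack request:", classify_pingback(attack))
    honest = build_pingback_request("http://other.example.org/reply/", LOCAL_POST)
    print("honest request:", classify_pingback(honest))
```

The order of checks matters: the target check comes first because it is free, and every rejection happens before the site makes any outbound connection on the caller's behalf.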

Defend Yourselves

A WordPress site owner can defend against being used as a pivot point in launching a DDoS by upgrading to the latest WordPress, either from the Dashboard or by downloading it here: https://wordpress.org/latest.zip. Upgrading keeps the pingback feature itself; a site that does not need it can go further and turn XML-RPC off with the xmlrpc_enabled filter, or remove only pingback.ping from the method list with the xmlrpc_methods filter, in a small plugin or the theme's functions.php.

About HP Fortify on Demand

HP Fortify on Demand is a cloud-based application security testing solution. We perform multiple types of manual and automated application security testing, including web assessments, mobile application security assessments, thick client testing and ERP testing. We do it both statically and dynamically, both in the cloud and on premise.

Source: Security issues in WordPress XML-RPC DDoS Explaine... - HP Enterprise Business Community
