I was asked to do an interview about WPScan and WordPress security in general. Thought I’d share it here too.
For those of you who have been living under a rock, BruCON is a security conference held every year in Belgium (originally Brussels, now Ghent). I have attended every BruCON conference since the second. Last year was the 5th time the conference had been held (correct me if I’m wrong) and so the year before (2012) they setup what they called 5by5. This allowed BruCON, as it’s a non-for-profit, to share its extra left over cash by supporting community projects.
Last year, they allocated up to 5,000 euros to 4 different community projects. These projects were:
1. OWASP OWTF (Abraham Aranguren)
2. The Cloudbug Project (Carlos Garcia Prado)
3. A tool a month (Robin Wood)
4. Eccentric Authentication (Guido Witmond)
As last year was such a success, they’re doing it again this year! And this year I put in a proposal!
GitHub was recently the target of a large weak password brute force attack which involved 40k unique IP addresses. One of many of the security measures GitHub has now taken is to ban users to register with ‘commonly-used weak passwords’.
To find out what GitHub considers as ‘commonly-used weak passwords’ I decided to compile a list of GitHub valid passwords from a few password lists found online and one of my own.
GitHub’s password policy is reasonable (at least 7 chars, 1 number and 1 letter) so from all of the wordlists used only 331 passwords were found to conform to GitHub’s password policy.
1. *Advisory Information*
Title: SimpleRisk v.20130915-01 CSRF-XSS Account Compromise
Advisory ID: RS-2013-0001
Date Published: 2013-09-30
2. *Vulnerability Information*
Type: Cross-Site Request Forgery (CSRF) [CWE-352, OWASP-A8], Cross-Site Scripting (XSS) [CWE-79, OWASP-A3]
Impact: Full Account Compromise
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE-ID: CVE-2013-5748 (CSRF) and CVE-2013-5749 (non-httponly cookie)
3. *Software Description*
SimpleRisk a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time. SimpleRisk is truly Enterprise Risk Management simplified. 
Recently I became faced with my first Web Application Security Assessment which relied heavily on HTML5′s WebSockets.
The initial WebSocket handshake is carried out over HTTP using an ‘upgrade request‘. After the initial exchange over HTTP all future communication is carried out over TCP. On the application I was testing the WebSocket handshake over HTTP within WireShark looked like this:
GET /SocketHandler HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0 Sec-WebSocket-Version: 13 Origin: http://www.example.com Sec-WebSocket-Key: iiral7et1zfQMGu9udIYHA== Cookie: Login=1234567 Connection: keep-alive, Upgrade Upgrade: websocket Content-length: 0 Host: www.example.com
HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.0 Sec-WebSocket-Accept: 9ZPK0lC0SB6dhIJHRt3q/GN88Ng= Connection: Upgrade Date: Fri, 30 Aug 2013 13:33:42 GMT