Recent articles have outlined how to use WordPress's XML-RPC pingback functionality for DDoS attacks. This article analyzes the attack and gives website administrators the information they need to protect their sites.
This Is Not a New Vulnerability
WordPress's XML-RPC API is not new. Below is WordPress bug-tracker data from seven years ago.
Although the vulnerability itself is not new, attack code and tools for it have been around for nearly two years. The availability of ready-made tools makes the attack convenient for script kiddies, which has led to more DDoS attacks.
WordPress XML-RPC Pingback DDoS Attack Process
The XML-RPC pingback feature provides a legitimate way to link content from different authors. This article describes how the XML-RPC function of a blog site can be abused to attack third-party websites.
Patsy Proxy Attack
At the DerbyCon conference in 2012, SpiderLabs colleague Daniel Crowley presented "The Patsy Proxy: Getting others to do your dirty work", which discusses various methods of sending attack traffic through a third-party website (view the slides). In addition, exploitation tools have been released; one of them is "DDoS attacks via other sites execution tool (DAVOSET)", which can send attack traffic through many different sites. The URL list used by DAVOSET is shown below:
It is very easy to send attack traffic through a "Patsy Proxy" site. Let's take a closer look at the WordPress XML-RPC pingback problem.
WordPress XML-RPC Pingback DDoS Attack
The following is a curl command used for the attack:
The data highlighted in yellow is the WordPress "Patsy Proxy" site; the data highlighted in orange is the attacked site. Note that for testing purposes you need to add the "Content-Type: text/xml" header; otherwise the XML-RPC service considers the request invalid and responds as follows:
After the attacker sends this request, the Patsy Proxy WordPress site sends the following HTTP request to the attacked site:
Note that the HTTP request consists of only two lines:
A WAF (web application firewall) on the attacked site can therefore recognize this attack and protect the website, because normal browser requests contain many headers. Pingback DDoS attacks differ from other protocol attacks (such as NTP) in that they do not rely on any kind of amplification; however, if the requested URI causes the attacked site to perform back-end computation, the damage is even greater.
Protection: Disable XML-RPC
If you don't need XML-RPC, disabling it entirely is possible. Refer to the linked article; there are even plugins that will disable it.
Disable Pingback Requests
You can disable pingback by adding the following code to functions.php:
Identify the Original Pingback Request
You can use a WAF to identify the original pingback XML-RPC attack request. For more information, see here.
Identify Proxied Pingback Requests on the Attacked Website
As mentioned earlier, even though the requested URI changes dynamically, every proxied XML-RPC pingback request consists of only two HTTP lines. A WAF can identify this anomaly and respond to it (for example, by adding the requesting IP address to a blacklist).
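As an added example (not code from the original article), the two detection ideas above written as plain Python: one check recognizes the original XML-RPC `pingback.ping` call arriving at a Patsy Proxy site, the other flags the proxied two-line HTTP request arriving at the attacked site. The request bodies, hostnames and URIs are constructed sample values, not taken from the article.

```python
import xml.etree.ElementTree as ET

# Constructed XML-RPC pingback.ping body as it would be POSTed to /xmlrpc.php
# on a "Patsy Proxy" WordPress site (sample values, not from the article).
SAMPLE_XMLRPC_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/?p=12345</string></value></param>
    <param><value><string>http://patsy.example/2012/03/a-post/</string></value></param>
  </params>
</methodCall>"""

# Constructed raw request as the attacked site sees it: request line plus Host only.
SAMPLE_PROXIED_REQUEST = "GET /?p=12345 HTTP/1.0\r\nHost: victim.example\r\n\r\n"

# Constructed normal browser request for comparison (several headers).
SAMPLE_BROWSER_REQUEST = (
    "GET /?p=12345 HTTP/1.1\r\nHost: victim.example\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Language: en\r\n\r\n"
)


def pingback_target(body: str):
    """Return the sourceURI of an XML-RPC pingback.ping call, or None if the
    body is not a well-formed pingback.ping methodCall. Use defusedxml in
    production; the standard parser is used here only to keep the example short."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    # First parameter is the sourceURI, i.e. the site the proxy will be told to fetch.
    values = [v.text for v in root.findall("./params/param/value/string")]
    return values[0] if values else None


def is_minimal_request(raw: str, max_headers: int = 1) -> bool:
    """Flag an HTTP request that carries at most `max_headers` header lines after
    the request line; the proxied pingback fetch has exactly one (Host)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [line for line in head.split("\r\n") if line]
    return len(lines) - 1 <= max_headers
```

A WAF rule would apply `pingback_target` to POST bodies sent to xmlrpc.php and `is_minimal_request` to inbound requests on the protected site, blocking or blacklisting the source IP on a match.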
[Via @spiderlabs / 91ri.org]