Sunday, July 27, 2014

WPScan

I saw this tool as being fairly useful for evalulating wordpress security. It's a tool that many web publishers could probably use by themselves. But really if people took any interests in security they would not be using WP. If you visit the black hat forums there's a zero day exploit for some wordpress plugin nearly every day. While word press is fairly secure as a stand alone script most of the plugins are not very well tested. Many are vulnerable to SQL injection or cross site scripting. But that's another story. I found this video tutorial for WPScan entertaining.

Here's the official site. It's pretty easy to install. There are install instructions for just about every platform. WPScan

This videos gives a more realistic impression of brute forcing than others. Notice the tester fails to find the password. This is usually the case. If you pick a strong password you are less likely to be bruteforced do to the amount of time it takes to run the authentication requests against the web login. If you pick a long password with special characters and and numbers along with upper and lowercase letters it's a lot better than a simple dictionary word. Dictionary words are just that dictionary words. Dictionary words and permutations and subject to dictionary attacks. Words not in the dictionary are less likely to get found. With a better dictionary file the attacker may have been successful.





No comments:

Post a Comment