Unveiling Vulnerabilities: How I Earned My First Bounty by Securing my Favorite Cyber Security YouTuber’s Website
In this blog, I will recount my experience of enumerating WordPress users and securing my first bounty from the website of my beloved cybersecurity YouTuber, Linuxndroid . To maintain confidentiality let’s consider the domain name is example.com running WordPress on it.
Below is the step by step POC:
1) Identify whether website is running WordPress on it or not. I manually tested the website and found that the website is using wordpress as a CMS .
2) Method 1: Try to access below endpoint to enumerate WordPress users. If it is protected then you will see custom error like below:
BUT I FAILED !!!
After some time I noticed that the error is 403 (FORBIDDEN) , which means that file is present there but I don’t have the access to read that file .
SO in order to read the file I need to bypass this security protection .
BYPASS METHOD ( 1 )
We can see that the usual REST route was blocked but updating the path with one uppercase character or more would fool the rewrite rule.
PAYLOAD -: https://www.example.com/wp-json/wp/v2/uSERS/
AND BOOM !!!
I BYPASSED THE SECURITY RULE …. :))))
BYPASS METHOD ( 2 )
HTTP PARAMETER “rest_route”
While Worpdress is configured — by default — to support URL rewriting to have search engine and human friendly URLs like
https://website.com/2020/12/breaking-news instead of
https://website.com/?p=2678, behind the scene, every request sent to /wp-json/ is entering the index page with the parameter “rest_route” set to /wp/v2/users.
AND BOOM !!!
ONCE AGAIN I BYPASSED THE SECURITY RULE …. :))))
Successful username enumeration leads to brute force attack or password guessing attack which further leads to account takeover.
Use this code which will hide the users list and give 404 as the result, while rest of the api calls keep running as they were.
If you find this blog useful then give clap and share as much as you can.
you can reach me on Linkedin:
Thanks Linuxndroid :)
Thank You For Your Valuable Time :)
Happy Ethical Hacking :)