Hello everyone, in this article we are going to look at a vulnerability called WordPress username disclosure.

Before going into the article: if you are looking for free Account Takeover labs, you have arrived at the right place. We have 10 Account Takeover labs that will definitely help you improve your skills.

Here is the link for the Account takeover labs: https://bepractical.tech/account-takeover-labs/

Now, back to the main part of the article, which is about the WordPress username disclosure vulnerability.

Let's cover some background before getting to that.

What is WordPress and why is it used?

WordPress is a content management system that allows you to build and host your website. In simple terms, we can build a website using WordPress without any coding knowledge, which makes it an easy option for people who don't know programming and still want to build a website.

Now you might understand what WordPress is and why it is used.

In WordPress, there can be different users who write blog posts for a website. For example, I hope you have seen that different people write articles on our website.

In the same way, there will be users who write blogs or articles for that website. Disclosing the names of those users might be a vulnerability.

How to find this vulnerability?

In this article, I will show you the ways to find the vulnerability.

  1. First, collect all the subdomains of the target.
  2. Next, check whether WordPress is being used by each subdomain.
  3. If you find any subdomain that is using WordPress, this vulnerability could be present there.

I will show you the process I follow while looking for this vulnerability.

a. I use subfinder and amass as subdomain enumeration tools to find the subdomains of the target. I posted an article on how to do subdomain enumeration in a better manner while discussing subdomain takeover. If you haven't looked at that, please stop reading this article, go have a look, and come back.

The link to the article is: https://bepractical.tech/subdomain-takeover/

I will take example.com as my target for demonstration purposes.

  • using subfinder
[Screenshot: gathering subdomains using subfinder]

  • using amass
[Screenshot: gathering subdomains using amass]

After the tools give us their output, I combine both results and sort the subdomains using the command below.

cat subfinderout.txt amassout.txt | sort | anew subdomains.txt

[Screenshot: sorting and combining the subdomains into a single file]

If you have looked at my previous article on subdomain takeover, you might understand the command I used above. If you still don't understand it, no problem, I will give you the idea.

cat is used to list the contents of the text files, sort is used to remove duplicate domains that are in both of the text files, and anew is a tool developed by tomnomnom that can be used to create a new file.

Now, I hope you have got an idea of what the command is about.

Now let's dive into the second step of the process.

After gathering all the subdomains of the target, I run httpx. I think most of you think of httpx as a tool that is used to find whether a subdomain is alive or not. I would suggest using the older version of the httpx tool (v1.1.3). The command would be:

cat subdomains.txt | httpx -status-code -tech-detect

cat –> lists the contents of the text file.

-status-code –> displays the status code of the website, like 200 for a live subdomain, 403 for a forbidden subdomain, etc. If you want to know more about status codes, the following reference will give you a good idea.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

-tech-detect –> displays which technologies the subdomain is built with.

[Screenshot: httpx output]

After that, if you find any subdomain whose output includes WordPress, we have a subdomain on which we can look for this vulnerability.

Where are the usernames disclosed on the website?

I will show you where you can find the usernames. I have installed a WordPress server on my laptop, and I am running WordPress.

[Screenshot: the sample page you get when you install WordPress locally on your machine]

I created two users to show the vulnerability, and there you go:

[Screenshot: WordPress username disclosure]

I will show you how you can get this for your target:

https://target.com/wp-json/wp/v2/users

If you replace target.com with your actual target and the website returns output like that shown above, then it is vulnerable.
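The check described above, written as a small classifier you can run against responses captured from your own site. This is an added example, not code from the original article; the function name, verdict labels and both sample responses are constructed for illustration.

```python
import json

def classify_users_response(status, body):
    """Classify one response from /wp-json/wp/v2/users.

    Returns (verdict, slugs): verdict is 'exposed', 'empty', 'restricted'
    or 'unknown'; slugs lists the account slugs the response disclosed.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return ("unknown", [])      # HTML error page, proxy block, etc.

    # An open endpoint answers 200 with a JSON array of user objects.
    if status == 200 and isinstance(data, list):
        slugs = sorted({u["slug"] for u in data
                        if isinstance(u, dict) and u.get("slug")})
        return ("exposed", slugs) if slugs else ("empty", [])

    # A closed endpoint answers with a WordPress REST error object.
    if status in (401, 403, 404) and isinstance(data, dict) and "code" in data:
        return ("restricted", [])
    return ("unknown", [])

# Constructed sample responses (not taken from a real site).
OPEN_SAMPLE = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "siteadmin"},
    {"id": 2, "name": "Editor One", "slug": "editor1"},
])
CLOSED_SAMPLE = json.dumps({
    "code": "rest_no_route",
    "message": "No route was found matching the URL and request method.",
    "data": {"status": 404},
})

if __name__ == "__main__":
    print(classify_users_response(200, OPEN_SAMPLE))
    print(classify_users_response(404, CLOSED_SAMPLE))
```

The slug is the value to pay attention to, because it is what appears in author URLs and usually matches the login name.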

OK, Asif, you have shown us how to find the vulnerability. Now, what could be the impact?

Impact of this vulnerability?

The impact of this vulnerability could be:

  1. We can run a brute-force attack: if the password is simple, it might be brute-forced easily, and you can then log in with the username and password.
  2. This could lead to a takeover of the website if you have the admin credentials.
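From the site owner's side, the sequence above shows up in the web server access log as a read of the users endpoint followed by repeated login POSTs from the same client. The following detection sketch is an added example, not part of the original article; it assumes Combined Log Format and the standard /wp-login.php login path, and the log lines and threshold are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: client IP, request method, request path, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
USERS = "/wp-json/wp/v2/users"

def flag_enum_then_login(lines, min_posts=3):
    """Return {ip: login_post_count} for clients that got a 200 from the
    users endpoint and afterwards sent >= min_posts POSTs to wp-login.php."""
    enumerated = set()
    posts = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                          # skip lines that do not parse
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]          # ignore the query string
        if method == "GET" and path.startswith(USERS) and status == "200":
            enumerated.add(ip)
        elif method == "POST" and path == "/wp-login.php" and ip in enumerated:
            posts[ip] += 1
    return {ip: n for ip, n in posts.items() if n >= min_posts}

# Constructed sample log (documentation IP ranges, not real traffic).
T = '[10/Mar/2024:10:00:0%d +0000]'
SAMPLE_LOG = [
    '203.0.113.7 - - ' + T % 1 + ' "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - ' + T % 2 + ' "POST /wp-login.php HTTP/1.1" 200 4100 "-" "-"',
    '203.0.113.7 - - ' + T % 3 + ' "POST /wp-login.php HTTP/1.1" 200 4100 "-" "-"',
    '203.0.113.7 - - ' + T % 4 + ' "POST /wp-login.php HTTP/1.1" 200 4100 "-" "-"',
    '198.51.100.20 - - ' + T % 5 + ' "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.33 - - ' + T % 6 + ' "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 401 120 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    print(flag_enum_then_login(SAMPLE_LOG))
```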

Now you know how to find the vulnerability and what its impact could be.

I would like to say that this may not be a vulnerability that carries much risk.

That is the case if you:

  1. Restrict login page access so that it is not open to everyone, and allow only some specific IP address or internal IP address.
  2. Always change the default credentials.
  3. Change the username of admin to something different.

I hope you have got the information you need about the vulnerability. If you have any questions related to cyber security, or if you want us to write an article on a specific topic, please let us know in the comments section.

Thank You