Nov 21, 2018
0 0

WordPress REST API Vulnerability – Ads & Money Scam

Written by

WordPress has a major REST API vulnerability that breaks the first rule of web security. Learn what you need to do to patch your site if you haven’t already.

It’s an API economy. If you don’t have an API you’re already behind. APIs are the fuel driving organizations’ digital transformation. We’ve all heard something similar to these phrases in the past few years. And while they look like marketing, they taste like a truth. Because APIs really are transforming organizations and have taken hold as the de facto method of integration – internally, externally, laterally, and vertically. APIs enable mobile apps and things, web apps and middleware to communicate, collaborate, and extricate digital gold (that’s data, by the way).

So when there’s a vulnerability discovered in an API, it turns heads. Especially if it’s a vulnerability that is easily exploitable (this one is) and affects a significant number of publicly accessible resources (it does).

If you’re running WordPress versions 4.7.0 or 4.9.9 you are vulnerable. Stop reading this and go patch it right now. If you can’t for some reason and you’ve got a BIG-IP ASM you can apply these rules right now to protect vulnerable sites. I’m not kidding. I’ll wait right here.

As Per This WordPress BIG-IP ASM Scam, API Dex Programs Will Decrease Your Ads Earning That You Earn Via Ads & Someone May Control You Website.

I’ll Recommend You To Move Yours.Php Website To .NET  || Its Better Then WordPress & You May Earn a 99% More Faster Then Old Time Spare. | Your [CPC and CPM] Gonna Not be Scammed.            Below Read Full With Proof. I’ll explain Para By Para & how To Solve I.

Okay, now that we’ve got that out of the way, I want to talk about APIs and security for a moment because there seem to be some general misunderstandings about REST APIs and security that this vulnerability just happens to illustrate perfectly.

READ ALSO  Secure Your Identity & Become Anonymous Online This Year.

HTTP: The Foundation On Which REST APIs Are Built

REST stands for Representational State Transfer. Don’t worry too much about what that means, because what you really need to understand is that it’s an architectural style. If you were going to list it along with other methods of achieving the same thing (transfer of data between two endpoints) you might list: RPC, CORBA, and SOAP.

A REST API call is an HTTP request where the URI endpoint is typically indistinguishable from a web URI. The request looks the same.

Really, which of these two URIs is a call to an API:   GET /w/thing/snowmobile/id       GET /a/thing/snowmobile/id

See what I mean? No difference from outside. There’s no standard out there that requires a REST API contain some identifying guidelinesattribute or HTTP header that makes it different than a traditional web request. The Content-Type suggested by the JSON specification is application/json but like the Pirate Code, those are more guidelines than actual rules. Thus, one cannot rely solely on Content-Type to identify a REST API from a standard HTTP request. In fact, good old x-www-form-urlencoded is often used to invoke API calls from clients.

For example, here’s an HTTP request to an Express-based API I’m working on (for fun, cause I still do that) using Postman:

GET /api/user/1 HTTP/1.1 
Content-Type: application/x-www-form-urlencoded 
Cache-Control: no-cache 
Postman-Token: 6d2247a1-9923-4774-6b86-7ba334bd497e

And here’s one that does a POST, to send data to the API endpoint:

POST /api/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: 32a29369-5d9d-6952-7de6-8aa4782d694d

Now, these are API calls. And I’m betting that you noticed a couple of things:

  1. The REST API uses HTTP verbs like GET, POST, PUT, and DELETE.
  2. The URI is – and hold on to your hats now – a standard HTTP URI.
  3. The Content-Type does not help us determine whether this is a request to an API or a traditional web app.
READ ALSO  Windows CMD Remote Commands for the Aspiring Hacker, Part 1

These first two points are really important because it’s this basic foundation that lets us breathe (a little) easier when it comes to securing APIs. Because we already know a whole lot about HTTP and the myriad ways in which it can be exploited.

REST has become the de facto standard for communication because it’s far simpler than its predecessors and it relies solely on well-understood protocols and platforms, primarily HTTP. Building a REST API, then, means using HTTP to define a set of interfaces through which mobile apps, things, and web apps will communicate. These interfaces, in aggregate, comprise an API. And basically, they’re a set of URI endpoints invoked via HTTP and executed on by a server-side application*.

The fact that the architectural design is REST, and it’s an API, is irrelevant. The same code could have been written to support a traditional web-based system, because the problem isn’t with the API or REST, it’s with the code that’s processing the input provided. The WordPress vulnerability is not a vulnerability in its API, per se, but in the way the API implementation handles standard, well-understood HTTP mechanisms.

API implementations are often accomplished via frameworks (like Express, can you tell I’m a fan?) that take the tedium out of splitting apart the URI and distilling the paths into “routes” that are then used to call the appropriate function. In addition, this code is responsible for grabbing the query parameters (everything that comes after the ? in a URI, including the key-value pairs) and stuffing them into variables that can be used to do things like update databases, retrieve forum posts, and insert new content into the system.

READ ALSO  SQL Injection Vulnerabilities and How to Prevent Them

In this case, the back-end code for the API improperly handles those variables (including some poorly considered authorization logic), failing to properly validate and sanitize it. In Dungeons and Dragons, we have the concept of “Rule Zero” and it comes before every other rule out there. It is foundational. There is a similar Rule Zero in security, and it is this:


It is Rule Zero that has been violated, and thus introduces this vulnerability to WordPress.

Now, you can certainly dig into the details and walk through the code (I like the type-casting logic that really makes this vulnerability work and the lazy sanitization attempt) but the point here is that REST API security relies a lot on the same, well-understood WEB security long preached by OWASP and every other security vendor out there. In fact, one could say it starts with strong, basic web security, the foundation of which is built upon rule zero.

Yes, there are other concerns with APIs with respect to security, and REST introduces some of them because it eschews state. That means it requires a more active or external means of authentication and authorization. And many security folks are still getting up to speed on JSON, as are many of the security services inserted into the data path between endpoints that inspect, scan, and scrub app layer data.

But if you’re trying to figure out where to start securing APIs, one of the best places is back to the beginning by laying down a strong set of secure coding practices that begins with Security’s Rule Zero.

Article Tags:
· · ·
Article Categories:
Master Hack


Comments to WordPress REST API Vulnerability – Ads & Money Scam

  • Acheter Baclofen Cialis 10 Generic Without Perscription Clomid Plus Decapeptyl [url=]priligy ficha tecnica[/url] Fluoxetine Next Day Delivery Levitra Price Uk

    JeaInorse December 31, 2018 12:58 pm Reply
  • Acheter Kamagra Amiens 1103 Lasix 100 [url=]generic cialis canada[/url] Differenza Viagra Cialis Levitra Cialis Precio En Espana Viagra Pour Rire Priligy Df [url=]viagra[/url] Cabergoline Mutuabile Comprare Propecia Generico Generic Isotretinoin Drugs By Money Order Overseas No Rx Order Generic Zentel Drugs Website Overseas Store India Pharmacy Viagra Expired Amoxicillin Clavulanic Potassium Tablets [url=]cialis[/url] Preise Cialis Angebote Cialis E Simili Where To Buy Inexspensive Viagra Cialis 10 Mg Prospecto [url=]buy viagra levitra[/url] Overnight Zithromax Amoxicillin Dosing Children Otitis Media Generic Cialis Discover Cytotec 5 Mg Swollen Glands And Amoxicillin [url=]viagra[/url] Prednisone Online Order Amoxicillin For Kids Levitra Bayer Prix [url=]canadian pharmacy cialis[/url] Stendra Avana Internet Australia Buy Kamagra Online Next Day Delivery

    JeaInorse January 16, 2019 12:22 am Reply
  • Cialis Kaufen Wien [url=]cialis cheapest online prices[/url] Where I Can Buy Cialis Want to buy isotretinoin us free shipping Comparateur De Prix Propecia 100mg Doxycycline Tablets From India [url=]viagra[/url] Costo Cialis In Francia Cialis 5mg Gunstig Kaufen Acheter Sildenafil 10 Mg Zithromax What Does It Treat [url=]avis acheter viagra ligne en noisy-le-grand[/url] Achat Sildenafil 120 Mg Acheter Priligy Pilules Order Xenical By Mail Prix Cialis Medicament [url=]buy viagra[/url] Amoxicillin And Daily Dosage Finasteride 1 Mg No Prescription Needed Isotretinoin isotretin best website

    JeaInorse January 20, 2019 2:37 am Reply
  • Prevacid Solutab Cheap Viagra Britain [url=]cialis[/url] Cialis Acheter Online Cialis Prix Grenoble Viagra Prescription Buy [url=]cheapest cialis[/url] Real Macrobid Fedex Shipping Cialis Cada Cuando Se Puede Tomar Amoxicillin Skin Rash Pictures Cialis Mg Dosage Walpharm [url=]viagra[/url] Viagra In Der Schweiz Rezeptfrei Online.Vigara.No Zithromax Out Of Date Online Tadacip Dosis De Propecia Cialis Generique Apcalis 20mg [url=]online pharmacy[/url] Cialis Twitter

    JeaInorse January 30, 2019 11:29 pm Reply
  • Can Cephalexin Affect Your Birth Control [url=]canadian pharmacy cialis 20mg[/url] Healthymale Viagra E Il Cuore [url=]viagra[/url] Levitra Caratteristiche Cod Legally Pyridium Express Delivery Overseas Where Can I Buy Lasix Without A Prescription Candian Pharmacy Online Canada [url=]cialis without a doctor’s prescription[/url] Viagra Effetto Collaterale Canadian Pharmacys Amoxicillin Canine Dosage [url=]levitra brand[/url] Cheap Secure Doryx Microdox How To Buy Levitra In Usa Buy Viagra Online Reviews [url=]cialis overnight shipping from usa[/url] Tadalis Sx Soft Female Buy Ciprofloxacin Hydrochloride Ophthalmic Solution

    JeaInorse February 6, 2019 11:21 pm Reply
  • Effexor Xr Without Prescription [url=][/url] Inhousepharmacybiz Kamagra Achat 150 Mg Birth Control Pill Online Usa

    JeaInorse February 18, 2019 1:55 pm Reply
  • Pingback: art investment

  • Baclofen Vente 10mg Viagra Generika Aus Deutschland [url=]cialis without a doctor’s prescription[/url] order accutane online australia

    JeaInorse March 10, 2019 6:32 am Reply

Leave a Reply

Your email address will not be published. Required fields are marked *