Master Hack

WordPress REST API Vulnerability – Ads & Money Scam

41

WordPress has a major REST API vulnerability that breaks the first rule of web security. Learn what you need to do to patch your site if you haven’t already.

It’s an API economy. If you don’t have an API you’re already behind. APIs are the fuel driving organizations’ digital transformation. We’ve all heard something similar to these phrases in the past few years. And while they look like marketing, they taste like a truth. Because APIs really are transforming organizations and have taken hold as the de facto method of integration – internally, externally, laterally, and vertically. APIs enable mobile apps and things, web apps and middleware to communicate, collaborate, and extricate digital gold (that’s data, by the way).

So when there’s a vulnerability discovered in an API, it turns heads. Especially if it’s a vulnerability that is easily exploitable (this one is) and affects a significant number of publicly accessible resources (it does).

If you’re running WordPress versions 4.7.0 or 4.9.9 you are vulnerable. Stop reading this and go patch it right now. If you can’t for some reason and you’ve got a BIG-IP ASM you can apply these rules right now to protect vulnerable sites. I’m not kidding. I’ll wait right here.

As Per This WordPress BIG-IP ASM Scam, API Dex Programs Will Decrease Your Ads Earning That You Earn Via Ads & Someone May Control You Website.

I’ll Recommend You To Move Yours.Php Website To .NET  || Its Better Then WordPress & You May Earn a 99% More Faster Then Old Time Spare. | Your [CPC and CPM] Gonna Not be Scammed.            Below Read Full With Proof. I’ll explain Para By Para & how To Solve I.

Okay, now that we’ve got that out of the way, I want to talk about APIs and security for a moment because there seem to be some general misunderstandings about REST APIs and security that this vulnerability just happens to illustrate perfectly.

HTTP: The Foundation On Which REST APIs Are Built

REST stands for Representational State Transfer. Don’t worry too much about what that means, because what you really need to understand is that it’s an architectural style. If you were going to list it along with other methods of achieving the same thing (transfer of data between two endpoints) you might list: RPC, CORBA, and SOAP.

A REST API call is an HTTP request where the URI endpoint is typically indistinguishable from a web URI. The request looks the same.

Really, which of these two URIs is a call to an API:   GET /w/thing/snowmobile/id       GET /a/thing/snowmobile/id

See what I mean? No difference from outside. There’s no standard out there that requires a REST API contain some identifying guidelinesattribute or HTTP header that makes it different than a traditional web request. The Content-Type suggested by the JSON specification is application/json but like the Pirate Code, those are more guidelines than actual rules. Thus, one cannot rely solely on Content-Type to identify a REST API from a standard HTTP request. In fact, good old x-www-form-urlencoded is often used to invoke API calls from clients.

For example, here’s an HTTP request to an Express-based API I’m working on (for fun, cause I still do that) using Postman:

GET /api/user/1 HTTP/1.1 
Host: 192.168.0.57:8080 
Content-Type: application/x-www-form-urlencoded 
Cache-Control: no-cache 
Postman-Token: 6d2247a1-9923-4774-6b86-7ba334bd497e

And here’s one that does a POST, to send data to the API endpoint:

POST /api/login HTTP/1.1
Host: 192.168.0.57:8080
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: 32a29369-5d9d-6952-7de6-8aa4782d694d
name=Webmistress&passwd=xxxx

Now, these are API calls. And I’m betting that you noticed a couple of things:

  1. The REST API uses HTTP verbs like GET, POST, PUT, and DELETE.
  2. The URI is – and hold on to your hats now – a standard HTTP URI.
  3. The Content-Type does not help us determine whether this is a request to an API or a traditional web app.

These first two points are really important because it’s this basic foundation that lets us breathe (a little) easier when it comes to securing APIs. Because we already know a whole lot about HTTP and the myriad ways in which it can be exploited.

REST has become the de facto standard for communication because it’s far simpler than its predecessors and it relies solely on well-understood protocols and platforms, primarily HTTP. Building a REST API, then, means using HTTP to define a set of interfaces through which mobile apps, things, and web apps will communicate. These interfaces, in aggregate, comprise an API. And basically, they’re a set of URI endpoints invoked via HTTP and executed on by a server-side application*.

The fact that the architectural design is REST, and it’s an API, is irrelevant. The same code could have been written to support a traditional web-based system, because the problem isn’t with the API or REST, it’s with the code that’s processing the input provided. The WordPress vulnerability is not a vulnerability in its API, per se, but in the way the API implementation handles standard, well-understood HTTP mechanisms.

API implementations are often accomplished via frameworks (like Express, can you tell I’m a fan?) that take the tedium out of splitting apart the URI and distilling the paths into “routes” that are then used to call the appropriate function. In addition, this code is responsible for grabbing the query parameters (everything that comes after the ? in a URI, including the key-value pairs) and stuffing them into variables that can be used to do things like update databases, retrieve forum posts, and insert new content into the system.

In this case, the back-end code for the API improperly handles those variables (including some poorly considered authorization logic), failing to properly validate and sanitize it. In Dungeons and Dragons, we have the concept of “Rule Zero” and it comes before every other rule out there. It is foundational. There is a similar Rule Zero in security, and it is this:

[easy-social-share-popup]

THOU SHALT NOT TRUST USER INPUT. EVER.

It is Rule Zero that has been violated, and thus introduces this vulnerability to WordPress.

Now, you can certainly dig into the details and walk through the code (I like the type-casting logic that really makes this vulnerability work and the lazy sanitization attempt) but the point here is that REST API security relies a lot on the same, well-understood WEB security long preached by OWASP and every other security vendor out there. In fact, one could say it starts with strong, basic web security, the foundation of which is built upon rule zero.

Yes, there are other concerns with APIs with respect to security, and REST introduces some of them because it eschews state. That means it requires a more active or external means of authentication and authorization. And many security folks are still getting up to speed on JSON, as are many of the security services inserted into the data path between endpoints that inspect, scan, and scrub app layer data.

But if you’re trying to figure out where to start securing APIs, one of the best places is back to the beginning by laying down a strong set of secure coding practices that begins with Security’s Rule Zero.

Lovepreet Singh
CEO & FOUNDER OF" FIVE RIVERS INCORPORATION - LEADING SOFTWARE & CYBER SECURITY DEVELOPMENT COMPANY" || CERTIFIED ETHICAL HACKER || FUTURE TRILLIONAIRE || FUTURISTIC || "DULL SCHOOL STUDENT" || (Follow this link to message me on WhatsApp: https://wa.me/13018426470)

What Is SSL? How Do SSL Certificates Work?

Previous article

What is AWS Firecracker for Serverless Computing?

Next article

You may also like

41 Comments

  1. Buy Prevacid Bulk Viagra In America Buy Alli Pills Now [url=http://viaaorder.com]viagra[/url] Prix Xenical Au Maroc Order Cialis Cialis Prix Libre

  2. It’s going to be finish of mine day, however before end I am reading this
    enormous post to improve my know-how.

  3. … [Trackback]

    […] Read More on on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  4. Thanks for every other informative web site. The place else may I
    am getting that type of info written in such a perfect means?
    I’ve a venture that I am just now working on, and I
    have been on the glance out for such information.

  5. … [Trackback]

    […] Here you will find 54261 additional Info to that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  6. I was recommended this blog by my cousin. I’m not sure whether this post is written by him as nobody else
    know such detailed about my difficulty. You are incredible!
    Thanks!

  7. … [Trackback]

    […] Read More on to that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  8. … [Trackback]

    […] Find More here on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  9. Shelf Life Of Amoxicillin Package Insert Amoxicillin Dosage Accutane Buy Online Reviews [url=http://sildenafdosage.com]viagra online prescription[/url] Ordini Cialis Spese Di Spedizione Priligy De L’Inde Viagra For Sale Cannada

  10. … [Trackback]

    […] Info to that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  11. On Line No Prescription Viagra [url=http://sildenaf75mg.com]viagra[/url] Getmensmeds Reviews

  12. Canadian Internet Pharmacies [url=http://drugsor.com]order levitra at walmart[/url] Cialis Levitra Propecia Acheter Cialis Pour Femme Levitra Nach Herzinfarkt

  13. … [Trackback]

    […] Read More here to that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  14. … [Trackback]

    […] Read More on on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  15. … [Trackback]

    […] Info to that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  16. … [Trackback]

    […] Information on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  17. Hey! This is my first comment here so I just wanted to give a
    quick shout out and say I genuinely enjoy reading through your blog posts.
    Can you recommend any other blogs/websites/forums that cover the same topics?

    Thanks!

  18. Highly energetic post, I loved that a lot.
    Will there be a part 2?

  19. Greetings from Carolina! I’m bored to death at work so I decided to check
    out your website on my iphone during lunch break. I enjoy the information you present here and can’t wait to take a look when I get home.
    I’m shocked at how fast your blog loaded on my phone ..

    I’m not even using WIFI, just 3G .. Anyways, superb site!

  20. When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each
    time a comment is added I get three e-mails with the same comment.
    Is there any way you can remove people from that service? Many thanks!

  21. Wow that was strange. I just wrote an incredibly
    long comment but after I clicked submit my comment didn’t show up.
    Grrrr… well I’m not writing all that over again. Anyhow, just wanted to say fantastic blog!

  22. Wonderful post! We will be linking to this great article on our site.
    Keep up the good writing.

  23. Hi there everyone, it’s my first visit at this web site, and
    post is in fact fruitful in favor of me, keep up posting these
    types of articles or reviews.

  24. … [Trackback]

    […] Read More Information here on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  25. Hello there, I discovered your site via Google whilst looking for a comparable subject, your website got here up, it seems to be great.
    I have bookmarked it in my google bookmarks.
    Hi there, just became alert to your blog thru Google, and located
    that it is truly informative. I’m going to be
    careful for brussels. I will be grateful in the event you
    proceed this in future. Lots of other folks will likely be benefited from your
    writing. Cheers!

  26. There is certainly a great deal to know about this topic.
    I like all of the points you’ve made.

  27. This is the right website for everyone who wishes to understand this topic.
    You understand a whole lot its almost hard to argue with you (not that I actually will need to…HaHa).
    You certainly put a brand new spin on a subject that has been written about
    for ages. Wonderful stuff, just excellent!

  28. … [Trackback]

    […] Info on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  29. Heya this is kind of of off topic but I was wanting to know
    if blogs use WYSIWYG editors or if you have to manually code with
    HTML. I’m starting a blog soon but have no coding knowledge
    so I wanted to get guidance from someone with experience.
    Any help would be greatly appreciated!

  30. How Long Does Amoxicillin Rash Stay Sans Ordonnance Amoxicillin Sans Ordonnance Comprime L Alcool [url=http://realviaonline.com]cialis 40 mg[/url] Side Effects Of Cephalexin In Dogs Nexium Discount Card Canadian Drugs Accepting Visa Card

  31. … [Trackback]

    […] Read More on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  32. Cialis In Svizzera Bull 100 [url=http://kamagpills.com][/url] Acheter Du Cialis En Toute Legalite Amoxicillin No Perscription Free Shipping

  33. Hi there, You have done an incredible job. I will definitely digg it and personally suggest to my friends. I’m sure they’ll be benefited from this site.

  34. Baclofen Vente 10mg Viagra Generika Aus Deutschland [url=http://brandcial.com]cialis without a doctor’s prescription[/url] order accutane online australia

  35. … [Trackback]

    […] Read More Information here on that Topic: techandsecurity.net/wordpress-rest-api-vulnerability-ads-money-scam.html […]

  36. Effexor Xr Without Prescription [url=http://xbmeds.com][/url] Inhousepharmacybiz Kamagra Achat 150 Mg Birth Control Pill Online Usa

  37. Can Cephalexin Affect Your Birth Control [url=http://cialionline.com]canadian pharmacy cialis 20mg[/url] Healthymale Viagra E Il Cuore [url=http://sildenafbuy.com]viagra[/url] Levitra Caratteristiche Cod Legally Pyridium Express Delivery Overseas Where Can I Buy Lasix Without A Prescription Candian Pharmacy Online Canada [url=http://tadalafonline.com]cialis without a doctor’s prescription[/url] Viagra Effetto Collaterale Canadian Pharmacys Amoxicillin Canine Dosage [url=http://buylevi.com]levitra brand[/url] Cheap Secure Doryx Microdox How To Buy Levitra In Usa Buy Viagra Online Reviews [url=http://cialcost.com]cialis overnight shipping from usa[/url] Tadalis Sx Soft Female Buy Ciprofloxacin Hydrochloride Ophthalmic Solution

  38. Prevacid Solutab Cheap Viagra Britain [url=http://rxbill8.com]cialis[/url] Cialis Acheter Online Cialis Prix Grenoble Viagra Prescription Buy [url=http://crdrugs.com]cheapest cialis[/url] Real Macrobid Fedex Shipping Cialis Cada Cuando Se Puede Tomar Amoxicillin Skin Rash Pictures Cialis Mg Dosage Walpharm [url=http://demalan.com]viagra[/url] Viagra In Der Schweiz Rezeptfrei Online.Vigara.No Zithromax Out Of Date Online Tadacip Dosis De Propecia Cialis Generique Apcalis 20mg [url=http://buycheapcial.com]online pharmacy[/url] Cialis Twitter

  39. Cialis Kaufen Wien [url=http://cpsmeds.com]cialis cheapest online prices[/url] Where I Can Buy Cialis Want to buy isotretinoin us free shipping Comparateur De Prix Propecia 100mg Doxycycline Tablets From India [url=http://exdrugs.com]viagra[/url] Costo Cialis In Francia Cialis 5mg Gunstig Kaufen Acheter Sildenafil 10 Mg Zithromax What Does It Treat [url=http://4nrxuk.com]avis acheter viagra ligne en noisy-le-grand[/url] Achat Sildenafil 120 Mg Acheter Priligy Pilules Order Xenical By Mail Prix Cialis Medicament [url=http://cdeine.com]buy viagra[/url] Amoxicillin And Daily Dosage Finasteride 1 Mg No Prescription Needed Isotretinoin isotretin best website

  40. Acheter Kamagra Amiens 1103 Lasix 100 [url=http://bpdrugs.com]generic cialis canada[/url] Differenza Viagra Cialis Levitra Cialis Precio En Espana Viagra Pour Rire Priligy Df [url=http://bestviaonline.com]viagra[/url] Cabergoline Mutuabile Comprare Propecia Generico Generic Isotretinoin Drugs By Money Order Overseas No Rx Order Generic Zentel Drugs Website Overseas Store India Pharmacy Viagra Expired Amoxicillin Clavulanic Potassium Tablets [url=http://tadalaffbuy.com]cialis[/url] Preise Cialis Angebote Cialis E Simili Where To Buy Inexspensive Viagra Cialis 10 Mg Prospecto [url=http://bestlevi.com]buy viagra levitra[/url] Overnight Zithromax Amoxicillin Dosing Children Otitis Media Generic Cialis Discover Cytotec 5 Mg Swollen Glands And Amoxicillin [url=http://bycheapvia.com]viagra[/url] Prednisone Online Order Amoxicillin For Kids Levitra Bayer Prix [url=http://cialtadalaf.com]canadian pharmacy cialis[/url] Stendra Avana Internet Australia Buy Kamagra Online Next Day Delivery

  41. Acheter Baclofen Cialis 10 Generic Without Perscription Clomid Plus Decapeptyl [url=http://catabs.com]priligy ficha tecnica[/url] Fluoxetine Next Day Delivery Levitra Price Uk

Leave a reply

Your email address will not be published. Required fields are marked *

More in Master Hack