Negligence of website owners
In the 21st century, many people have their own websites or blogs. Nowadays, creating a website doesn't necessarily require special knowledge in the field, as there are website builders and platforms that can set up a website on hosting within a minute. Websites are also often ordered "turnkey," and website owners may not have a clear understanding of how everything works, simply using the admin panel of the website's platform.
🛡️ Disclaimer: This material is provided solely for informational purposes and represents a fictional example developed by an independent editor. The information is not intended for use in privacy violations, illegal activities, or any other unethical actions. We strongly recommend respecting the privacy of others and using the skills and tools responsibly and in accordance with the laws of your country.
Unfortunately, even some web developers ignore basic security principles. Today, we will examine in detail one such case.
For the example, we have chosen an English-language website built on the WordPress platform. We utilized the tools of the Project bot, specifically the "Vulnerability and Exploit Search" functionality, to conduct a basic vulnerability assessment.
In the response, we obtained information indicating that the website is using a vulnerable version of jQuery. You know what's great about the bot? When it detects vulnerabilities, it automatically searches for suitable exploits. If it finds any, it presents a ready-to-use command in the results, which you can copy with just one click and use to obtain the exploit.
As a result, using one of the provided exploits, it can be inferred that the outdated version of jQuery on the website is vulnerable to XSS (Cross-Site Scripting) vulnerabilities.
Next, let's take a look at the results of a full website vulnerability scan:
Inside the tool, let's select WordPress, as it's known that the website operates on this platform (this can easily be determined by viewing the page source code in a browser).
After waiting for the scan results, it's evident that this website is a "swiss cheese" in terms of vulnerabilities:
By selecting one of the detected CVEs and inputting the command into Project bot, we obtain an exploit for executing SQL injection on the website:
If the website owner doesn't update the engine, templates, and plugins to their latest versions in a timely manner, it can lead to serious security issues with the website.
We strongly recommend avoiding such mistakes and checking your websites using the Project bot!
But that's not all!
It might seem like the website is vulnerable, and that's already clear. But you can conduct another check using the following tool from the same category:
Which provided the following results:
By the third line, it can be immediately understood that posts on the website are being made at least under the username "admin". However, the most interesting part was in the "Directory traversal" section. Clicking on the link revealed the following:
A complete copy of the website's files was found in the downloaded zip archive.
The standard WordPress configuration file contains the database connection information and the salts used by the engine.
In addition to this, the archive contains templates and plugins used on the site.
In the open SQL database dump, there is one user of the site, "admin," and their email.
Knowing the email, you can try to retrieve their passwords using specialized tools from the "Data Leak Search" category.
Friends, we strongly recommend you to carefully maintain the software versions on your servers, as well as the versions of your website's engines, plugins, templates, and libraries to avoid exposing them to the risk of hacking. Also, always forbid directory listing on your website. For example, in Apache, you can solve this by adding just one line to your .htaccess file: Options -Indexes
Use Project bot to detect vulnerabilities and other issues on your resources!