WordPress XML-RPC: Brute Force Amplification Attack

It is always interesting to hear about bugs in the world’s most famous systems, and this time it is WordPress. Yes, the world’s most famous content management system is vulnerable to Brute Force Amplification attacks.

Researchers from the security firm Sucuri have discovered a way to carry out a Brute Force Amplification attack against WordPress’ built-in XML-RPC feature to crack administration credentials.

What is XML-RPC?

It is the simplest technique used to exchange data between computers over the Internet. XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism.

Brute Force

The Brute Force attack is the most common and oldest attack we still see on the internet. It is not very difficult to stop, yet these attacks are still successful. The secret behind their success is that some people are not very good at choosing their passwords.

But there is a problem with Brute Force attacks: they are very noisy. If a hacker makes 500 login attempts, the server captures each request and the IP will soon be blocked. Brute Force Amplification is something different.

Now imagine a hacker who is able to reduce the noise by making each request a one-to-many relationship. Think about a single request that is able to attempt 500 passwords in one go. That is what Brute Force Amplification is all about.

WordPress’ Brute Force Amplification Attack

There is a concealed feature of XML-RPC: the system.multicall method, which executes multiple methods in a single request. This is the feature the hackers were looking for.

The security firm wrote on their blog “We’ve actually been tracking this for a few weeks (first attack spotted on 2015/Sep/10), and it keeps getting more traction and becoming more popular. Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.”

It means that with just 3 or 4 HTTP requests, hackers can make more than a thousand password attempts, which ultimately fools the blocking mechanisms built to stop Brute Force attacks.

How you can protect yourself from the Attack

Now, about the defence against these amplification attacks: it is recommended to block access to xmlrpc.php if you are not using Jetpack or other plugins that require XML-RPC.

Another idea is to block the system.multicall method if you are using a WAF (web application firewall).
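As an added illustration of the WAF idea (this is example code written for this article, not Sucuri's or WordPress' own), the check below parses the body of a POST to xmlrpc.php and blocks any system.multicall request that batches more calls than policy allows. The function names, the size cap, the one-call limit and the placeholder method `example.method` are all assumptions made for the example.

```python
import xmlrpc.client

MAX_BODY = 1 << 20    # assumed cap on request body size (1 MiB)
MAX_SUBCALLS = 1      # assumed policy: no batching through system.multicall


def inspect_xmlrpc(body: bytes, max_subcalls: int = MAX_SUBCALLS):
    """Return (verdict, method, subcalls) for a POST body sent to xmlrpc.php."""
    # The inspector parses untrusted XML itself, so refuse oversized bodies
    # and DTD/entity declarations before they reach the parser.
    if len(body) > MAX_BODY or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ("block", None, 0)
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return ("block", None, 0)   # fail closed on anything unparseable
    if method is None:
        return ("block", None, 0)   # not a methodCall document
    if method != "system.multicall":
        return ("allow", method, 1)
    # system.multicall takes one parameter: an array of {methodName, params}.
    calls = params[0] if params and isinstance(params[0], list) else []
    nested = any(isinstance(c, dict) and c.get("methodName") == "system.multicall"
                 for c in calls)
    verdict = "block" if nested or len(calls) > max_subcalls else "allow"
    return (verdict, method, len(calls))


def sample_multicall(n: int) -> bytes:
    """Constructed sample: n batched calls to a placeholder method name."""
    calls = [{"methodName": "example.method", "params": ["placeholder"]}
             for _ in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    single = xmlrpc.client.dumps(("x",), methodname="example.method").encode()
    for label, body in [("single call", single),
                        ("multicall x1", sample_multicall(1)),
                        ("multicall x500", sample_multicall(500))]:
        print(label, inspect_xmlrpc(body))
```

The sub-call count it returns is also the number a rate limiter should charge against the client, since one HTTP request here stands for that many attempts.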

Stay Safe 🙂
