Is Your Website Internationally Safe?
BWW provides you with Advanced Security Services
This was done in collaboration with

Summary
A CMS (Open Source Content Management System) can be used for websites, web applications and blogs. The CMS has its own security system, which helps keep all programs safe and secure. The CMS Team believes in Responsible Disclosure: alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be reported to the Security Team.
The main things that keep the CMS secure are keeping themes, plugins and WordPress (WP) itself updated, and using strong passwords.
For a more advanced security system for the CMS, some updates can be done manually and the advanced security system activated, which avoids the issues mentioned in the case study.
This document contains the issues that can arise in a CMS, a brief explanation of each issue, the action to activate the security system, and the advantages of activating the advanced security system.
CMS Login Disclosure
Overview of the issue
The login page of the WordPress CMS admin is exposed to the public and is vulnerable to brute-force or dictionary attacks; an attacker may easily compromise it or perform several attacks to gain access to the backend of the web application and the system.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Public and third-party users cannot use the CMS admin page.
- The login cannot be compromised by brute-force or dictionary attacks.
- The login cannot be compromised to gain access to the backend of the web application.
Patch Management
Overview of the issue
The obsolete versions found are affected by publicly known exploits; hence this web application / system stands vulnerable. Obsolete software is no longer supported by the respective product vendors and new vulnerabilities will not be fixed. Without new vulnerabilities being patched, the web application is exposed to newly found vulnerabilities and exploits. Attackers could use the publicly available exploits to gain control of the web application and further attack the internal networks.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Vulnerabilities can be fixed by updating the CMS version
- Updated software is supported by the respective product vendors
- New vulnerabilities can be patched with the updated versions
XML-RPC is Enabled
Overview of the issue
The CMS provides an XML-RPC interface via the xmlrpc.php script. XML-RPC is remote procedure calling using HTTP as the transport and XML as the encoding. An attacker may abuse this interface to brute-force authentication credentials using API calls such as wp.getUsersBlogs. The main weakness associated with XML-RPC is brute-force attacks: attackers try to log in to the CMS through xmlrpc.php.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Public users cannot abuse the XML-RPC interface.
- Attackers cannot log in to the CMS using xmlrpc.php.
Improper Input Validation
Overview of the issue
This issue leads to almost all of the major vulnerabilities in applications and systems. Data from the client should never be trusted: the client has every possibility to tamper with the data or execute malicious scripts.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Clients cannot log in, tamper with the data, or execute malicious scripts.
HTTP Methods are Allowed
Overview of the issue
The HTTP protocol contains several methods that can be used to perform specific actions on the web server. GET and POST are the most well-known methods, used to access and submit information provided by a web server, respectively. HTTP also allows the PUT, CONNECT, TRACE, HEAD and DELETE methods, which can be used for malicious purposes if the web server is left misconfigured; this poses a major security risk for the web application, as it could allow an attacker to modify the files stored on the web server.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Public users cannot modify the files stored on the web server
Unwanted Ports Exposed to Public
Overview of the issue
Unnecessary ports being left open could lead to further malicious attacks.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Public users cannot reach unnecessary ports or use them for malicious attacks
Vulnerable JavaScript
Overview of the issue
The JavaScript version used is vulnerable, and this may lead to exploitable security vulnerabilities.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Public users cannot attack or exploit the JavaScript version
Vulnerable to Directory Traversal
Overview of the issue
Any web directories revealing sensitive information enable attackers to gain access to resources at a given path and analyze those resources for various attack purposes. Directory traversal is a type of HTTP exploit used by attackers to gain unauthorized access to restricted directories and files.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Attackers cannot log in to any web directories
- Attackers cannot analyze the resources for attack
- Attackers cannot access restricted directories and files
Vulnerable to Clickjacking
Overview of the issue
This is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Attackers cannot trick the user into clicking a button or link on another page, using transparent layers, when the user intended to click on the top-level page.
- Attackers cannot hijack clicks on any page and route them to another page owned by another application or domain.
Exposed to Email Spamming Attack
Overview of the issue
An attacker could send spam emails to the listed email addresses using an automated tool and carry out various attacks. A CMS hacked into sending spam may be due to a malware infection. Online services that monitor servers for spam will blacklist your IP when the WordPress site is hacked into sending spam. As a result, the legitimate emails you send end up in the recipient's spam folder.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Attackers cannot send spam emails to the listed email addresses using an automated tool
- Attackers cannot execute various attacks.
Web Browser XSS Protection is not Enabled
Overview of the issue
Any code supplied by the attacker can perform a wide variety of actions, such as stealing the victim’s session token, performing arbitrary actions on the victim’s behalf, and logging their keystrokes. Web browser XSS protection is not enabled, or is disabled, by the configuration of the ‘X-XSS-Protection’ HTTP response header on the web server.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Attackers cannot cause disruption using any supplied code
- Attackers cannot steal the victim’s session tokens, perform arbitrary actions on the victim’s behalf, or log the victim’s keystrokes
X-Content-Type-Options Header Missing
Overview of the issue
The anti-MIME-sniffing header X-Content-Type-Options was not set to ‘nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared one.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Helps to protect against XSS, MITM and clickjacking attacks
Strict Transport Security is not Enforced
Overview of the issue
The application has not been configured to prevent connections over unencrypted channels. An attacker has the ability to modify traffic from legitimate users and use the application as a platform for attacks against the user.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Attackers cannot modify the traffic from legitimate users
- Attackers cannot use the application as a platform for any attacks against the user
Content Security Policy
Overview of the issue
CSP (Content Security Policy) helps to mitigate injection and XSS attacks. It allows the web application to determine which origins of content the browser may trust and load into the web page.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Content Security Policy acts as an added layer of security that helps to detect and mitigate certain types of attacks.
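As an added example (not part of the original document or of BWW's service), the following Python audits a captured HTTP response header block for the protections discussed in the Clickjacking, XSS Protection, X-Content-Type-Options, Strict Transport Security and Content Security Policy sections above. Both response samples are constructed for illustration, not captured from a real site.

```python
import re

# Constructed sample: the header block `curl -I` would print for an unhardened site.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample of the same site after the hardening headers have been added.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
"""

def parse_headers(raw):
    """Turn a raw response header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers):
    """Return 'tag: detail' findings for a parse_headers() dict; empty means all checks passed."""
    findings = []
    csp = headers.get("content-security-policy", "")
    # Clickjacking: framing must be forbidden via X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options is not 'nosniff'")
    # HSTS: header present, and a max-age of at least one year (31536000 s) is the usual advice.
    match = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not match:
        findings.append("hsts: Strict-Transport-Security missing")
    elif int(match.group(1)) < 31536000:
        findings.append("hsts: max-age below one year")
    # CSP: absent, or allowing inline scripts, gives little protection against XSS.
    if not csp:
        findings.append("csp: Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("csp: 'unsafe-inline' allows injected inline scripts")
    # Legacy XSS filter: current browsers ignore it, so this is informational; CSP is the real control.
    if "x-xss-protection" not in headers:
        findings.append("xss-filter: X-XSS-Protection missing (legacy header)")
    return findings
```

Run `audit_headers(parse_headers(...))` on the header block of your own site to see which of the sections above still apply.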
“http” Redirection
Overview of the issue
URL redirection, also known as URL forwarding, is a technique to give more than one URL address to a page, a form, or a whole website/application. HTTP has a special kind of response, called an HTTP redirect.
Action to activate the security system
Our team will implement the security system in this regard. Contact our sales team via [email protected] for inquiries.
Advantages of activating the security system
- Temporary redirects during site maintenance or downtime
- Permanent redirects to preserve existing links/bookmarks after changing the site's URLs, progress pages when uploading a file, etc.