Detect WordPress? Look for wp-login.php
WordPress is pretty common and actually pretty secure these days. One area that still needs some work, though, is protection for the default login page, wp-login.php. Most installations leave this page publicly exposed, and many do not implement the brute force mitigations recommended here:
http://codex.wordpress.
Onavo took the easy approach and used Pagely. Pagely offers managed security, which in theory should mean you are more secure...
Testing for brute force
So let's try and brute force Onavo's wp-login page.
You can see that after only a few requests we start getting redirected (HTTP 302). This redirect actually takes you to a Pagely captcha page.
The magical "pagelyvalid" cookie
I was curious how they implemented the verification once you were past the captcha, so I took a look at the response and saw that the captcha check just set a cookie called "pagelyvalid" to true. Hmmm. Let's try our brute force attack again, but this time including the magical pagelyvalid cookie.
Lots of 200s. So simply by including the pagelyvalid=true cookie we can bypass the Pagely brute force mitigation and guess passwords night and day. And like I said at the start, this didn't just affect Onavo but every site that used the Pagely service. Yikes!
Final Thoughts
A lot of sites miss brute force mitigations and rate limiting in general. Third parties can offer a quick fix, but it's important to remember that you are trusting your security to that third party and assuming they will do a good job (which isn't always the case!).
Both Facebook and Pagely responded reasonably quickly (the Pagely CEO even sent me a message!), and a fix has now been deployed. Hope you guys found this interesting; as usual, if you have questions or suggestions just drop me a comment below.
Pwndizzle out