Change your password when you change partner

This article, in Swedish, was previously published on my LinkedIn page.

In September, Internetstiftelsen i Sverige (the Swedish Internet Foundation) published a report on Swedes' password habits. I am not sure whether to recommend reading it or not. Do you, like me, find passwords and information security interesting? Then it is an easy-to-read and useful overview for the interested. Do you find passwords a frustrating nuisance? Skip it.


Exploiting my own WordPress part 4 – Attack surface

TL;DR:
I rerun ZAP and the wpscan online password attack against a presumably less defended target, and realize that sometimes just talking to people is the best troubleshooting methodology.

Before leaving ZAP and trying out new tools, I do a scan of this blog, emalstm.tech.

My hypothesis is that ZAP will find more flags on this WordPress. The only protective measures I've implemented on this site are securing the SSH connection, disallowing root login, and putting up a firewall including fail2ban.
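The SSH hardening mentioned above (no root login, key-based authentication) is easy to get wrong because sshd applies the first value it reads for each keyword and ignores later duplicates, so a "PermitRootLogin no" appended at the end of a file that already says "yes" changes nothing. The following audit script is an added example, not code from this blog or its server; the sample configs are constructed, the expected values are an assumed policy for an internet-facing host, and the defaults are those of OpenSSH 7 and later.

```python
import re

# Constructed sample configs (not the blog's actual server configuration).
WEAK_SSHD_CONFIG = """\
# Typical distribution defaults before hardening
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# sshd ignores this later duplicate: the first value for a keyword wins.
PermitRootLogin yes
"""

# Assumed OpenSSH 7+ defaults for keywords the policy cares about.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Assumed hardening policy: which values are acceptable for each keyword.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def effective_settings(config_text):
    """Return keyword -> value as sshd applies it in the global section.

    sshd keeps the first value it reads for each keyword. Everything after a
    Match line belongs to that conditional block (until the next Match or end
    of file), so it is skipped here to stay conservative.
    """
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(config_text, expected=EXPECTED, defaults=DEFAULTS):
    """Return (keyword, effective_value) pairs that violate the expected policy."""
    settings = effective_settings(config_text)
    findings = []
    for key, allowed in expected.items():
        value = settings.get(key, defaults.get(key, "<unknown>"))
        if value not in allowed:
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read())`; a non-empty result means the setting sshd actually uses differs from the one you thought you had set.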

Exploiting my own WordPress part 3 – ZAP and Securityheaders.io

TL;DR: 
ZAP finds almost 1000 potential vulns on my site. I patch them with a plugin – or so I thought – and get MORE vulnerabilities – or do I?

ZAP is a Flagship Project from OWASP. I adore OWASP for its work on the Top 10 lists for web and mobile vulnerabilities, and its Cheat Sheets for defense. I know it is in every pen tester's arsenal, so let's go look at it!


Exploiting my own WordPress part 2 – online password attack

TL;DR:

When attempting an online password attack, I find that wpscan gives me false positive and false negative results. I also find that my defenses work, but not as I expect them to.

This is part 2 of my attempt to hack myself. After successfully DoSing my own site using a vulnerability I found with wpscan, I decide to try out wpscan's password guessing feature. I do not expect this to be successful. An online password guessing attack will be prohibitively expensive, because I'm using a long, computer-generated password that I store in my password vault. Also, I only allow three login attempts, and my login page is not called /wp-admin or /wp-login.php.
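The "three login attempts" defense is a per-source rate limit, and the same rule can be applied to the web server's access log to see when a guessing tool such as wpscan should have been cut off. The script below is an added example, not code from this blog: the log lines are constructed in the common combined format, the login path is the stock /wp-login.php (the blog uses a renamed one), and the failure heuristic is that WordPress answers a wrong password with HTTP 200 (the form again) while a successful login returns a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log in combined format (not real traffic).
# 203.0.113.7 hammers the login form; 198.51.100.20 logs in legitimately.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "WPScan v3.7.5"
203.0.113.7 - - [12/Oct/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "WPScan v3.7.5"
198.51.100.20 - - [12/Oct/2019:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "WPScan v3.7.5"
203.0.113.7 - - [12/Oct/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "WPScan v3.7.5"
198.51.100.20 - - [12/Oct/2019:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec, login_path="/wp-login.php"):
    """Heuristic: a POST to the login page answered with 200 is a failed attempt;
    a successful login is a 302 redirect to the dashboard."""
    return (rec["method"] == "POST"
            and rec["path"].split("?", 1)[0] == login_path
            and rec["status"] == 200)


def find_lockouts(log_text, max_attempts=3, window=timedelta(minutes=10),
                  login_path="/wp-login.php"):
    """Apply an N-failures-per-window rule per source IP.

    Returns {ip: {"locked_at": datetime, "attempts": int, "user_agent": str}}
    for every IP that reached max_attempts failures inside the sliding window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec, login_path):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= max_attempts and rec["ip"] not in lockouts:
            lockouts[rec["ip"]] = {
                "locked_at": rec["ts"],
                "attempts": len(q),
                "user_agent": rec["ua"],
            }
    return lockouts


if __name__ == "__main__":
    for ip, info in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} should be blocked at {info['locked_at']:%H:%M:%S} "
              f"after {info['attempts']} failures ({info['user_agent']})")
```

Note that the fourth failed POST from 203.0.113.7 still appears in the log after the lockout point: an application-level limit (a WordPress plugin) only stops the password check, while the request itself keeps reaching the web server. Only a network-level ban such as a fail2ban jail fed by this kind of rule makes the attempts disappear from the access log, which is worth remembering when judging whether a defense "works".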
