Does not stop user enumeration (no I’m not logged in)

  • Hi!

    I am searching for a plugin to avoid wpscan listing the users of my blog, and I found yours.

    In a first approach, I installed it, and re-launched wpscan, and the users were still there. I read the FAQ and I realized that I was logged in, I logged out and tried again the scan, same result.

    My WP version is: 5.6.2
    The plugin version: 1.3.29

    What am I doing wrong?

    Regards and thanks for your time,

    • This topic was modified 3 years, 8 months ago by lunit4.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Alan Fuller

    (@alanfuller)

    It may be WP Scan is using different techniques now to bypass this.

    Can you provide me exact confirmation of the scans you used, was it using their online site or a local install. If local what command line was used.

    Thread Starter lunit4

    (@lunit4)

    Hi Alan,

    Sure, here you are 2 examples, with passive checks and aggressive mode. The difference between using the aggressive mode is that I retrieve a new user.

    Non-aggressive scan: ./wpscan -e u --url=<yourWebsiteURL>

[+] Enumerating Users (via Passive Methods)

[i] User(s) Identified:

[+] John
 | Found By: Rss Generator (Passive Detection)

[+] Bot
 | Found By: Rss Generator (Passive Detection)

Aggressive scan: ./wpscan --detection-mode aggressive -e u --url=<yourWebsiteURL>

[+] Enumerating Users (via Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=======================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] user
 | Found By: Oembed API - Author URL (Aggressive Detection)
 |  - <yourWebsiteURL>/wp-json/oembed/1.0/embed?url=<yourWebsiteURL>/&format=json

[+] John
 | Found By: Rss Generator (Aggressive Detection)

[+] Bot
 | Found By: Rss Generator (Aggressive Detection)

    KR,

    Plugin Author Alan Fuller

    (@alanfuller)

    OK

    So none of the scan returned a user login name, they returned a ‘nickname’ from the RSS feed and Oembed – which is what they call passive – because it isn’t actually the user name, it is the display name.

    The aggressive scan is the one that returns actual user login names, and that returned none.

    The main issue is that users, being lazy leave their nickname to = their login name

    nicknames are exposed all over the place, themes, RSS feeds, post embed feeds as demonstrated by your scan

    If you set up fail2ban to block the scanning IP the aggressive scan will trigger the block of the aggressor.

    Maybe there is scope for a plugin to validate the nicknames/display names are not the same as login names ( case transformed ) – something to think about.

    • This reply was modified 3 years, 8 months ago by Alan Fuller.
    • This reply was modified 3 years, 8 months ago by Alan Fuller.
    Plugin Author Alan Fuller

    (@alanfuller)

    Try the latest version, go to setting and enable restrict the sitemap leak.

    Plugin Author Alan Fuller

    (@alanfuller)

    From your logs it appears the ‘leak’ is via oEmbed.

    I have added an option, please upgrade, and go to setting and enable the stop oEmbed leak option and re test with wpscan and please report back.

    Alan

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Does not stop user enumeration (no I’m not logged in)’ is closed to new replies.

Tags