Basic Vulnerability Assessment and Penetration Testing of a Website
I started with information gathering, by using whatweb we can see what services and technology this site is using, we can see below this site is using WordPress as CMS, Apache web server running on Ubuntu. After checking on http://wappalyzer.com we can confirm above discovery. We got lots more details about running services on this site. Enumerating web application firewall Before going any further, we should first confirm if the site’s using any firewall or not, so we can decide how many threads or request to send before it block our access. For this I am gonna use wafw00f as shown below. So it’s confirm this site is not using any web app firewall now we can move ahead in our assessment. Exploiting XML-RPC API Many WordPress sites are vulnerable to xmlprc brute-force attack. A bad guy can use brute-force attack against the target site. We can see xmlrpc is available by going digitalfobot.com/xmlrpc.php directory. We can use Metasploit mo