11

Interesting: how to hack websites right upon installation. Basically, monitoring issued TLS certificates and trying to access e.g. WordPress installations before the user was able to configure a password.

That relies on a sloppy deployment process, of course - like making a live installation that is online immediately.

Source: https://portswigger.net/daily-swig/...

Comments
  • 1
    That is interesting. I usually use deployment tools. I only enable encryption after the site is set up for new domains. So it never requests this while the site is vulnerable (if it even is). I think there are some protections in the deployment tools too. I will have to look at this. Clever attack that could affect other sites besides WordPress-based ones.

    Wouldn't someone see it is already compromised and just wipe it and start over?
  • 3
    @Demolishun No, because they will only install a backdoor, but not use it for the time being. The unsuspecting user won't notice anything unusual until later.

    Ofc, doing some sort of examination would reveal that, but nobody does that while believing to have a pristine installation.
  • 1
    @Fast-Nop So this attack could happen anytime a cert is renewed. So it is not just the first time then.
  • 1
    @Demolishun No, because when the cert is renewed, the installation already has its password.

    It's the case of an installation that cannot require a password on its very first use because the password is set from within said installation.

    The professional solution in the installer: don't install in the public directory, but in some "internal" one first, then have the user set the password, then move it public.

    Or if you only have a shitty installer, first use .htaccess to password protect the whole site, then install, then log in to your .htaccess protected site, log into the "open" installation, set a password, then remove the .htaccess protection. Lousy user experience though.
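The interim lock described in this comment, as an added example that is not part of the thread: a POSIX shell helper that places an HTTP Basic auth `.htaccess` over the web root before the web installer is run and removes it once an admin password exists. It assumes Apache with `AllowOverride AuthConfig` enabled for that directory and either `htpasswd` (apache2-utils) or `openssl` on the host; the function names, paths and the sample credentials are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: temporarily lock a web root with
# HTTP Basic auth so a CMS installer is not reachable by anyone who spots
# the new certificate in the CT logs. Assumes Apache honours .htaccess
# (AllowOverride AuthConfig) and htpasswd or openssl is installed.

# Hash a password in a format Apache accepts. Prefers bcrypt via htpasswd;
# falls back to apr1 (MD5-based) via openssl, which is weak for long-term
# storage but acceptable for a lock that exists for minutes.
hash_password() {
    user="$1"; pass="$2"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$pass"
    else
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
    fi
}

# Render the .htaccess that denies every request without credentials.
# $1 = absolute path of the credential file (keep it outside the web root).
render_htaccess() {
    cat <<EOF
# Temporary install-time lock; removed by remove_install_lock
AuthType Basic
AuthName "Installation in progress"
AuthUserFile $1
Require valid-user
EOF
}

# write_install_lock WEBROOT USER PASS CREDFILE
# Run this BEFORE copying the CMS into WEBROOT and enabling the vhost.
write_install_lock() {
    webroot="$1"; user="$2"; pass="$3"; credfile="$4"
    hash_password "$user" "$pass" > "$credfile"
    chmod 600 "$credfile"               # only the web server user needs it
    render_htaccess "$credfile" > "$webroot/.htaccess"
    chmod 644 "$webroot/.htaccess"      # Apache must be able to read it
}

# remove_install_lock WEBROOT CREDFILE
# Run this only AFTER the CMS admin password has been set.
remove_install_lock() {
    rm -f "$1/.htaccess" "$2"
}

# Usage when invoked as a script (no action when sourced without args):
#   ./install-lock.sh lock   /var/www/site admin 'S3cret' /var/www/.htpasswd
#   ./install-lock.sh unlock /var/www/site /var/www/.htpasswd
case "${1:-}" in
    lock)   write_install_lock "$2" "$3" "$4" "$5" ;;
    unlock) remove_install_lock "$2" "$3" ;;
esac
```

The credential file deliberately sits one level above the web root so it can never be served, and the lock is removed with the same helper so it is not forgotten. This only closes the window the comment describes; the cleaner fix remains not exposing the installer publicly at all.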
  • 1
    @Fast-Nop I get that. But every time the cert is renewed they will try again. So you cannot assume this attack only occurs when the domain is new.
  • 1
    @Demolishun Sure, but that's no additional risk because they will try such attacks continuously anyway even without cert renewal. The difference is that the "right after installation" attack has a high chance of success.
  • 1
    @TheCommoner282 You just look at the Certificate Transparency logs. It's public data.
  • 1
    To be fair, to me WordPress means easy remote shell. 😂

    Admittedly, it's not so much WordPress itself but the crappy plugins people publish.
  • 0
    @CoreFusionX But a fresh WordPress installation should have default plugins only. Doesn't this mean that WordPress itself sucks?
  • 0
    @daniel-wu That hack does not rely on any security holes in plugins, themes, or WordPress itself. It would work the same with any other CMS as well.

    The issue is in the deployment process, not in the CMS.