Stop User Enumeration
Bypass protection with POST requests (5 posts)

  1. urbanadventurer
    Posted 5 months ago #

    An attacker can bypass the username enumeration protection by using POST requests. The protection currently only stops GET requests to enumerate users.

    By sending POST requests with the body of "author=1" and incrementing the number for successive requests, the entire set of WordPress users can be enumerated.

    The WordPress user information is disclosed in the HTML response body, unlike being disclosed in the redirect header, as with GET requests.

    POST / HTTP/1.1
    Host: www.wordpress.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 8

    author=1


  2. llocally
    Plugin Author

    Posted 5 months ago #

    Any ideas on trapping this then?

  3. llocally
    Plugin Author

    Posted 5 months ago #

    Just thinking about this, what about restricting all POSTS not from the local server? Is there ever a genuine reason that a WordPress site would expect a POST from a third party server?

  4. Ov3rfly
    Posted 5 months ago #

    Would not intercept all POSTs in general, only 'author' POSTs, something like isset( $_POST['author'] ) or similar.

    Edit: Unnecessary code-example removed...

    PS. Are post vars case-sensitive? Would 'autHor=x' work with WordPress if it gets through?

  5. llocally
    Plugin Author

    Posted 4 months ago #

    Thanks, some good ideas, I will get testing.
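
One way to write the parameter check suggested in post 4 so that it covers GET and POST alike. This is an added example, not the plugin's code or any poster's; the `example_` function names are hypothetical, and skipping dashboard requests is an assumption.

```php
<?php
// Added example, not the plugin's own code. The "example_" names are hypothetical.

// Return true when a parameter array carries a digits-only "author" value.
// Keys are compared case-insensitively, so a variant such as "autHor" is
// treated the same way regardless of how WordPress itself would handle it.
function example_has_author_probe( array $params ) {
    foreach ( $params as $key => $value ) {
        if ( 0 !== strcasecmp( (string) $key, 'author' ) ) {
            continue;
        }
        // author[]=1 arrives as an array; flatten one level before testing.
        $values = is_array( $value ) ? $value : array( $value );
        foreach ( $values as $v ) {
            // Only digits-only values are rejected: the comment form posts
            // the commenter's name in a field that is also called "author".
            if ( is_scalar( $v ) && preg_match( '/^\s*\d+\s*$/', (string) $v ) ) {
                return true;
            }
        }
    }
    return false;
}

function example_block_author_probe() {
    // Assumption: dashboard screens legitimately filter by author ID.
    if ( is_admin() ) {
        return;
    }
    // Inspect both sources so the request method makes no difference.
    if ( example_has_author_probe( $_GET ) || example_has_author_probe( $_POST ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'example_block_author_probe' );
```

Values other than a plain numeric ID are left alone here, so the check is limited to the "author=1" style of request described in this thread.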

