Welcome to the Patchstack Weekly Security Update, Episode 42! This update is for week 40 of 2022.
In this week's knowledge share I will continue to share with you some tips and tricks with OWASP ZAP. I will go over ZAP's HUD - or heads-up display - so you can get an idea of what it can be used for.
This week's vulnerability roundup will feature no vulnerable plugins. Instead, I will share details about a recent compromise of FastCompany's WordPress website. I'll share details about the alleged attack vector (as claimed by the attackers) and what we all can learn from the incident.
OWASP ZAP HUD
Today, I will be discussing more ZAP's HUD and how to navigate it on your website. I hope you have already got OWASP ZAP set up and are able to get the heads up display (HUD) running. If not, check out last week's Patchstack weekly to find out how to download and get started with OWASP ZAP.
The ZAP HUD is an interface to interact with ZAP, right in your browser. You will see the HUD adds three new frames right in your browser, and they are displayed on top of your web application as you view its pages, if you need to hide these three frames then you can turn on/off the HUD using the simple green (or grey) radar button located at the bottom right of the browser page, in the bottom frame.
This bottom frame is also where you can view the ZAP menu (gear icon), and view the HTTP request history (by clicking on the "History", or arrow icons)
Moving on to the right side frame. This is where you can see site wide alerts based on severity, as well as turn on some powerful ZAP features like the Spider, AJAX Spider, Active Scan, and Attack mode. You may feel free to look into these features and how they work on your own, but I won't get into them until another week.
On the left side frame, you have some more useful tools for page debugging. Starting with the top is the Scope button which is an easy way to add a domain to the "Scope" of ZAP (something that tells ZAP, "This is the target we are testing" and helps it avoid performing attacks against out-of-scope websites.)
Next up on the left is the Break or breakpoint option, a powerful tool that will intercept the next HTTP request and allow you to modify it on the fly.
After breakpoints is a lightbulb icon, which is used to show hidden form fields as well as allow us to modify any form field right in the web application.
Finally, there is another set of multi-colored flags on the left. Just like in the right frame, these are alerts but on the left, the alerts are just for loaded page. Right side alerts are site wide, left side alerts are only for the loaded page.
Finally, both the left and right panel can be customized. Just click on the green plus icon at the bottom which you can use to add up to 10 ZAP interface buttons to each side, for a total of 20 configurable buttons. To remove any of the ZAP interface buttons, just right click on the icon and a dialog will pop up allowing you to customize or remove the button from the frame.
FastCompany WordPress Compromise
The WordPress website for popular online magazine FastCompany suffered a breach this week.
Attackers claimed they were able to break into the FastCompany.com WordPress installation by bypassing two layers of security. The first bypass was getting around HTTP-based authentication which was protecting the WordPress website's wp-login page. Once the attackers could access the WordPress login page, they brute-forced an easily guessable password on one of the user accounts.
Defacement and defamation appear to be the attacker's intent and before the team at FastCompany could react the damage was already done. The attackers used their access to the WordPress CMS, to gain copies of access keys for third-party services like Apple News. The attackers then used these secret keys then to post obscene and racist notifications to Apple News as if they were FastCompany.com.
Apple News immediately revoked FastCompany.com's access to post stories when the obscene posts were made. FastCompany took the website offline as well, and it has stayed offline since September 28th to prevent further defacement or defamatory comments to be made on the website. A third-party security contractor has been contracted to perform the incident response, the goal here is to identify for themselves how the attacker(s) got into the website, what data the attacker(s) accessed, what actions the attacker(s) performed, and what further action needs to be performed to secure the site. This is the purpose of proper incident response, they aren't just cleaning up malware or revoking access, FastCompany is doing all the right things here and it may take some time.
As of the time of my writing this post, Sunday October 2nd, FastCompany.com's WordPress site is still offline. In its place a simple HTML page issuing an apology and explaining the circumstances of the breach.
What can we learn from this incident?
If the attacker's claims of a bypass and weak password are true, then the lesson here is that multi-factor authentication should not be a DIY solution using two passwords, or two "known" factors. In other words: adding another password step, is not the same as true multi-factor authentication.
There are many ways to lock down your WordPress authentication with multi-factor authentication steps. Including Time-Based One Time Passwords (TOTP) which are those 6-digit codes that rotate every 30 or 60 seconds. Hardware tokens, like Yubikeys, SSO (Single Sign On) or a reverse proxy tunnel like Cloudflare Argo tunnels.
Any of these could have been set up instead of HTTP authentication and would have less likelihood of being bypassed.
Thanks and appreciation
This week's thanks and understanding goes out to the FastCompany IT and security response teams. I know this week was likely the most stressful with this unexpected and emergency work load. Your response so far has been great; taking offline the compromised website, communicating clearly with the public about what they need to know regarding the situation, and hiring a third party incident response crew to assist. Great job.
I hope FastCompany shares further details about this incident because that would make a great story for their blog or magazine … but I also know that is not required, so only the most confident IT and security teams would share this information after the fact. That is me, encouraging anyone at FastCompany to prove their confidence in their IT, security, and incident response teams.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!