Hi there! I am Hulk from Avengers. Haha just kidding, I am Iron Man.
So here’s the story: I prefer reading research papers and write-ups to courses made by your “Security Specialists”, but about a month ago I decided to join Cybrary.
But then I saw their login page
“Hmm… so they are using WordPress”, I said to myself with a spark in my eyes.
I thought it would be a great idea to test a thing that I learned recently, the dangers of an exposed WP-JSON API. So I visited the following page for a quick and dirty test:
It retrieved usernames as expected, but I wasn’t happy with the results: there were just 10 usernames in the response, and as we know the number of Cybrary users is in the thousands.
I didn’t know what to do, so to take a break I wrote a script to automate this:
Ignore those display names lmao.
So I showed this screenshot to my teammates, and Shivam replied with a screenshot of wpscan and said, “Why would someone use your script if wpscan can enumerate the users too?”. He was right, I did nothing special, I didn’t discover anything new.
But then I saw that the usernames enumerated by wpscan were different from the users enumerated by my script.
Without wasting any time, I dived into the source code of wpscan to find out how it enumerates usernames.
I saw that WordPress uses the following query to enumerate usernames:
Whoa! That was something cool and unexpected.
But hey! Why didn’t it enumerate ALL the usernames?
Well, if an ID doesn’t retrieve any username, wpscan quits the scan.
I never expected wpscan programmers to be this du… *coughs* never mind.
I decided to write my own script which can keep running even after encountering an inactive user ID.
*5 minutes into programming and chill*
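From the defender’s side, both enumeration vectors described above leave a recognisable trail in the web server’s access log. The example below is added here and is not the author’s script or any Cybrary code: it parses a few constructed Apache-style log lines and flags clients that either page through the WordPress REST users route (`/wp-json/wp/v2/users`, which returns 10 users per page by default, matching the “just 10 usernames” seen above) or walk the standard WordPress author-ID query (`?author=N`, which I assume is the query wpscan was observed using). It counts distinct author IDs rather than requiring a contiguous run, so it catches both wpscan’s stop-at-first-gap behaviour and a scanner that keeps going past an inactive ID. The thresholds, IP addresses and the 404-for-unknown-author convention in the sample are my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined"-style request line: ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# WordPress REST users route, with or without a trailing /<id> or slash.
REST_USERS_RE = re.compile(r"/wp-json/wp/v2/users(/\d+)?/?$")

# Constructed sample log (not real traffic). 203.0.113.7 walks ?author=N and keeps
# going after id 3 returns 404 (assumed: unknown author id -> 404, known -> 301 redirect).
# 198.51.100.9 pages the REST users route. 192.0.2.5 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2019:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2019:10:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2019:10:00:05 +0000] "GET /?author=5 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2019:10:00:06 +0000] "GET /?author=6 HTTP/1.1" 301 0
198.51.100.9 - - [10/Mar/2019:10:01:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2019:10:01:01 +0000] "GET /wp-json/wp/v2/users?page=2 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2019:10:01:02 +0000] "GET /wp-json/wp/v2/users?page=3 HTTP/1.1" 400 120
192.0.2.5 - - [10/Mar/2019:10:02:00 +0000] "GET /blog/some-post/ HTTP/1.1" 200 9000
192.0.2.5 - - [10/Mar/2019:10:02:30 +0000] "GET /?author=2 HTTP/1.1" 301 0
"""


def parse_line(line):
    """Return a dict with ip, path, query (dict of lists) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def detect_user_enumeration(log_text, author_threshold=3, rest_threshold=2):
    """Return {ip: findings} for clients whose requests look like user enumeration.

    Thresholds are illustrative (assumed values): a client is flagged when it has
    requested at least `author_threshold` distinct ?author=N IDs, or has hit the
    REST users route at least `rest_threshold` times.
    """
    probed = defaultdict(set)     # ip -> author IDs requested
    inactive = defaultdict(set)   # ip -> author IDs that came back 404
    rest_hits = defaultdict(int)  # ip -> requests to /wp-json/wp/v2/users

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        # Vector 1: ?author=N on any path (WordPress resolves it to the author archive).
        for raw in rec["query"].get("author", []):
            if raw.isdigit():
                probed[ip].add(int(raw))
                if rec["status"] == 404:
                    inactive[ip].add(int(raw))
        # Vector 2: the REST users route, paged or not.
        if REST_USERS_RE.search(rec["path"]):
            rest_hits[ip] += 1

    findings = {}
    for ip in set(probed) | set(rest_hits):
        ids, dead, hits = probed[ip], inactive[ip], rest_hits[ip]
        if len(ids) < author_threshold and hits < rest_threshold:
            continue
        findings[ip] = {
            "author_ids_probed": len(ids),
            "inactive_ids": sorted(dead),
            # wpscan stops at the first ID with no user; a scanner that keeps going
            # shows up as probes numbered above an inactive ID.
            "continued_past_inactive": bool(dead) and max(ids) > min(dead),
            "rest_users_requests": hits,
        }
    return findings


if __name__ == "__main__":
    for ip, info in sorted(detect_user_enumeration(SAMPLE_LOG).items()):
        print(ip, info)
```

Two design points matter in practice: the `?author` vector is counted on distinct IDs per client, so a scanner that tolerates gaps is reported with `continued_past_inactive` set, and a single stray `?author=2` from a normal visitor stays below threshold. Both thresholds assume the log covers a short window; a slow scan spread over days needs the same counting applied per client over a longer window. The corresponding mitigation on the WordPress side is to restrict the REST users route to authenticated requests and to stop `?author=N` from redirecting to a username-bearing archive URL.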
I quickly contacted Cybrary support and told them about the issue; they did reply but didn’t fix the issue. Our email thread consists of 18 emails and it’s been a month now, so I am just disclosing my findings.
Do you want to download the script? Alright here you go
That’s all for now!