Interesting: how to hack websites right upon installation. Basically, monitoring issued TLS certificates and trying to access e.g. WordPress installations before the user was able to configure a password.

That relies on a sloppy deployment process, of course - like making a live installation that is online immediately.

Source: https://portswigger.net/daily-swig/...

@Demolishun No, because they will only install a backdoor, but not use it for the time being. The unsuspecting user won't notice anything unusual until later.

Ofc, doing some sort of examination would reveal that, but nobody does that while believing to have a pristine installation.

@Demolishun No, because when the cert is renewed, the installation already has its password.

It's the case of an installation that cannot require a password on its very first use because the password is set from within said installation.

The professional solution in the installer: don't install in the public directory, but in some "internal" one first, then have the user set the password, then move it public.

Or if you only have a shitty installer, first use .htaccess to password protect the whole site, then install, then log in to your .htaccess protected site, log into the "open" installation, set a password, then remove the .htaccess protection. Lousy user experience though.

@Demolishun Sure, but that's no additional risk because they will try such attacks continuously anyway even without cert renewal. The difference is that the "right after installation" attack has a high chance of success.

@TheCommoner282 You just look at the Certificate Transparency logs. It's public data.

To be fair, to me WordPress means easy remote shell. 😂

Admittedly, it's not so much WordPress itself but the crappy plugins people publish.

@CoreFusionX But fresh Wordpress installation should have default plugins only. Doesn't this mean that Wordpress itself sucks?

@daniel-wu That hack does not rely on any security holes in plugins, themes, or WordPress itself. It would work the same with any other CMS as well.

The issue is in the deployment process, not in the CMS.