Dictionary attack on Wordpress: Security and forensic analysis

The effective forensic investigation of a security attack on a web application relies on the forensic readiness of the web application system, supportive forensic tools, and the skills of the forensic investigator. Web application forensic readiness incorporates evidence collection, by enabling logging, and evidence protection for those log files through techniques such as permission settings, so that their integrity is retained. Furthermore, a forensic investigator should have a good comprehension of web application functionality, web server architecture, and web application security issues. This paper focuses on a dictionary attack experiment against Wordpress (a web application) administered by a persona named Peter Quill (a fictitious character). The dictionary attack successfully guessed the seven-character password used for the persona's user account. A set of techniques and tools is critically analysed to determine whether they are applicable to the experiment scenario. The techniques mostly focus on retrieving the log files from the web server, the application server, the database server, and the web application itself, while the tools deal with collecting, analysing, and presenting the log file data.
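As an added example, not taken from the paper, here is the kind of check an investigator would run over retrieved web server access logs to spot a dictionary attack against the WordPress login: it parses Apache/nginx combined-format lines (an assumed input format), counts POSTs to wp-login.php per source IP inside a sliding time window, and records whether a 302 redirect (WordPress's response to a successful login, versus 200 for a failed one) appeared among that host's attempts. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of the Apache/nginx "combined" access-log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec
def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> (max POSTs to wp-login.php inside one window, saw_302).
    WordPress answers a failed login with 200 (the form again) and a success
    with a 302 redirect, so a 302 within a burst suggests a guess worked."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):  # sliding window over sorted timestamps
            while events[i][0] - events[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings[ip] = (best, any(st == 302 for _, st in events))
    return findings
# Constructed sample: one host hammering wp-login.php, one ordinary login, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47"',
    '203.0.113.7 - - [10/Mar/2016:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47"',
    '198.51.100.9 - - [10/Mar/2016:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2016:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47"',
    '203.0.113.7 - - [10/Mar/2016:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47"',
    '203.0.113.7 - - [10/Mar/2016:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.47"',
    'not an access-log line',
]
```

Running `detect_login_bursts(SAMPLE_LOG)` flags 203.0.113.7 with five attempts in the window and a trailing 302, while the single legitimate login from 198.51.100.9 is left alone; the threshold and window should be tuned to the site's normal login rate.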