Tag Archives: pingback

WordPress Pingback Attack

Yesterday I wrote a post titled On WordPress Pingbacks. While writing this I came to several conclusions that resulted in some interesting experiments and results.

WordPress Pingback Attacks

I was going to publish my results along with that post, however, I wanted to make sure that the WordPress Security mailinglist had nothing against my publishing such information. With no word from them (I guess I expected too much to be contacted back within 24 hours), I’ve decided to dedicate a whole article to the Pingback attack, its potential, its limitations and further considerations and concerns.

Continue reading



On WordPress Pingbacks

WordPress supports Pingbacks and these are enabled by default. Having noticed a missing pingback from one of my posts and having made sure that it wasn’t caught as spam or still pending, I decided to investigate a bit and try to resend it manually.

On WordPress Pingbacks

Armed with the Pingback specification, and the XML-RPC RFC, I was able to successfully have a request cURLed over.

curl "https://.../xmlrpc.php" --header "Content-Type: text/xml" --data "<?xmlversion="1.0"?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>https://.../</string></value></param><param><value><string>https://.../</string></value></param></params></methodCall>"

<?xml version="1.0"?>
<methodCall>
   <methodName>pingback.ping</methodName>
   <params>
      <param>
        <value><string>https://.source./</string></value>
      </param>
      <param>
        <value><string>https://.target./</string></value>
      </param>
   </params>
</methodCall>

For which I got a nice response:

<?xml version="1.0"?>
<methodResponse>
  <params>
    <param>
      <value>
      <string>Pingback from https://.source./ to https://.target./ registered. Keep the web talking! :-)</string>
      </value>
    </param>
  </params>
</methodResponse>

Mission accomplished, got the Pingback thorough, great! But what if…?

Continue reading