How Hackers Abuse XML-RPC to Launch Bruteforce and DDoS Attacks
Understanding XML-RPC Vulnerabilities and Their Exploitation: A Detailed Analysis

Introduction
XML-RPC (XML Remote Procedure Call) is a protocol that allows remote communication between applications, using XML to encode the call and HTTP as the transport. It is widely used by content management systems (CMS) such as WordPress for administrative functions: WordPress relies on XML-RPC for remote publishing, mobile app integration, and third-party services.
Why It Matters
While XML-RPC simplifies website management, it also creates security risks. If it is not properly managed, attackers often exploit it for brute force and Distributed Denial of Service (DDoS) attacks. In this article, we’ll explore how these attacks work and how you can protect your website.
How to find this vulnerability
Initial Reconnaissance
Your first step is to identify your target and locate the XML-RPC endpoint, which on WordPress websites is typically accessible at /xmlrpc.php.

If the site’s response shows “XML-RPC server accepts POST requests only”, XML-RPC is enabled. Next, intercept this request with Burp Suite, send it to Repeater, change the request method from GET to POST, and click Send. The response will typically look like this:

After receiving the response, enumerate the available methods with the “List all Methods” call (system.listMethods). Simply insert the following XML request into the request body:
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
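To check which methods your own WordPress endpoint exposes, the request above can be built and the response parsed with Python's standard library. This is an added example, not code from the article; the sample response is constructed, and the allow-list passed to unexpected_methods is an assumed illustration of what a site administrator would decide to keep enabled.

```python
import xmlrpc.client
from typing import Iterable, List

def build_list_methods_request() -> str:
    # Emits the same <methodCall> document as the hand-written request above;
    # system.listMethods takes no parameters, so the params tuple is empty.
    return xmlrpc.client.dumps((), methodname="system.listMethods")

# Constructed sample response (not captured from a real site). A live
# WordPress endpoint returns many more entries in this same <array> layout.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value><array><data>
        <value><string>system.listMethods</string></value>
        <value><string>wp.getUsersBlogs</string></value>
        <value><string>wp.getPosts</string></value>
      </data></array></value>
    </param>
  </params>
</methodResponse>
"""

def parse_method_list(xml_body: str) -> List[str]:
    # loads() returns (params, methodname). For a <methodResponse> the
    # method name is None and params is a one-element tuple holding the
    # returned array of method names. A <fault> response raises xmlrpc.client.Fault.
    params, _ = xmlrpc.client.loads(xml_body)
    return list(params[0])

def unexpected_methods(methods: Iterable[str], allowed: Iterable[str]) -> List[str]:
    # Audit helper: anything the endpoint advertises beyond what the site
    # actually needs is a candidate for disabling or filtering.
    return sorted(set(methods) - set(allowed))

if __name__ == "__main__":
    print(build_list_methods_request())
    exposed = parse_method_list(SAMPLE_RESPONSE)
    # Assumed allow-list for illustration only; tailor it to your site.
    print(unexpected_methods(exposed, ["system.listMethods"]))
```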