Securing WordPress
OWASP Ottawa October 2015 Meetup
Shawn Hooper
Chief Technology Officer, Actionable Books
@shawnhooper - shawnhooper.ca
Hi!
• I’m Shawn Hooper, CTO at Actionable Books. Former Freelance Developer
• WordPress Core Contributor
• GIAC Certified .NET Secure Software Programmer
WordPress
• Open Source Content Management System (CMS)
• PHP, MySQL, jQuery, BackboneJS
• Runs 24.7% of all web sites
• Has a 58.7% share of the CMS space
http://w3techs.com/technologies/overview/content_management/all
WordPress
• WordPress.com is a hosted WordPress service run by Automattic
• WordPress.org is the downloadable, self-hosted version of WordPress
• A huge ecosystem of themes (2K just in .org repo) and plugins (40K) that take advantage of the hook and filter system
WordPress
This market share makes it a big target for hackers!
Code Security
We’re Under Attack!
We are going to look at a couple of different types of attacks and how to avoid them:
* SQL Injection
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Unvalidated Redirects and Forwards
Injection Attacks
On the Open Web Application Security Project (OWASP) Top Ten List
SQL Injection Attacks
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
- Wikipedia
SQL Injection Attacks
Without protecting against injection attacks, what would happen if a login form allowed this:
' OR '1'='1' --
SQL Injection Attacks
SELECT * FROM wp_users WHERE user_pass = '' OR '1'='1' --'
SQL Injection Attacks
'; DROP TABLE wp_users; --
SQL Injection Attacks
SELECT * FROM wp_users WHERE user_pass = ''; DROP TABLE wp_users; --
Cross Site Scripting (XSS)
On the Open Web Application Security Project (OWASP) Top Ten List
Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- Wikipedia
Cross Site Scripting (XSS)
Cross Site Scripting can be used to capture a user’s authentication / session cookie and then impersonate them on a trusted website.
Reflected (ex: delivered by e-mail) vs. Persistent (ex: returned by the DB in a forum)
Cross Site Request Forgery
On the Open Web Application Security Project (OWASP) Top Ten List
Cross Site Request Forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- Wikipedia
Cross Site Request Forgery
An example of a simple CSRF attack would be getting you to visit a link that would change your password to something the attacker knows.
Unvalidated Forwards & Redirects
On the Open Web Application Security Project (OWASP) Top Ten List
Unvalidated Forwards & Redirects
Could allow code in your website to forward the user to a malicious (ex: phishing) website.
Scared Yet?
Let’s figure out how to stop all this stuff from happening…..
Sanitization & Validation
Output Validation and Sanitization
Validation
* Are values of the correct type?
* Are values in range?
Validation
Is an input supposed to be an integer?
intval( $_POST['quantity'] )
or
absint( $_POST['quantity'] )
Validation
Is it in range?
$quantity = absint( $_POST['quantity'] );
if ( $quantity > 10 ) {
    die( 'Quantity Out of Range' );
}
Validation
Should it be an e-mail address?
$email = is_email( $_POST['email'] );
returns false if invalid
Sanitization
Should it be an e-mail address?
$email = sanitize_email( $_POST['email'] );
removes characters that are not valid in an e-mail address.
Escaping Text
esc_html( $string );
esc_html__( $string, $domain );
ex:
Hello <?php echo esc_html( $string ); ?> !
Escaping Text
esc_attr( $text );
esc_attr__( $text, $domain );
Escaping a string for use in an HTML attribute tag.
<div data-value="<?php echo esc_attr( $value ); ?>">
Escaping Text
esc_js( $text );
Escaping a string for echoing in JavaScript.
Escaping URLs
esc_url( $url );
esc_url_raw( $url );
urlencode( $string );
urlencode_deep( $array );
Escaping HTML
wp_kses( $fragment, $allowed_html, $protocols );
array(
    'a' => array(
        'href'  => array(),
        'title' => array(),
    ),
    'br'     => array(),
    'em'     => array(),
    'strong' => array(),
);
Escaping HTML
wp_rel_nofollow( $html )
Adds rel="nofollow" to every link in the HTML fragment.
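The escaping slides above, worked through in one template: an added example (not code from the deck) that renders untrusted values in the attribute, URL, HTML-text, limited-HTML and JavaScript-string contexts with the matching WordPress function. It assumes WordPress is loaded (a theme or plugin file); example_render_profile_card() and the sample inputs are hypothetical.

```php
<?php
// Added example, not code from the slides. Assumes WordPress is loaded.
// $link_text, $link_url and $bio are untrusted: they came from a form or the DB.

/**
 * Render a profile card, escaping each value for the context it lands in.
 * Escape at output time, never at storage time, so one stored value can be
 * reused safely in every context.
 *
 * Context notes for the markup below:
 *  - data-label="...": esc_attr() encodes the quote that would end the attribute.
 *  - href="...":       esc_url() rejects javascript: and other disallowed schemes.
 *  - link text:        esc_html() encodes < > & " ' so markup becomes text.
 *  - <p> body:         wp_kses() keeps only the listed tags/attributes and strips
 *                      everything else, so a <script> tag or an onclick= attribute
 *                      inside $bio never reaches the browser.
 *  - <script> literal: esc_js() is only safe inside a single-quoted JS string;
 *                      for structured data prefer wp_json_encode() or wp_localize_script().
 */
function example_render_profile_card( $link_text, $link_url, $bio ) {
    $allowed_html = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );
    ?>
    <div class="profile-card" data-label="<?php echo esc_attr( $link_text ); ?>">
        <a href="<?php echo esc_url( $link_url ); ?>"><?php echo esc_html( $link_text ); ?></a>
        <p><?php echo wp_kses( $bio, $allowed_html ); ?></p>
        <script>
            var profileLabel = '<?php echo esc_js( $link_text ); ?>';
        </script>
    </div>
    <?php
}

/*
 * For comparison, the unescaped versions of the same lines are exactly the XSS
 * cases from the earlier slides: echo $link_url inside href lets a javascript:
 * URL run on click, and echo $bio lets a stored script run for every visitor
 * (persistent XSS).
 */

// Usage inside a template, with constructed values a visitor might have submitted.
example_render_profile_card(
    'Shawn "the CTO" <shawn>',
    'https://example.com/profile?u=1&ref=card',
    'Hello <strong>world</strong> <script>alert(1)</script>'
);
```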
Database Sanitization
$wpdb Is Your Friend!
Database Sanitization
$wpdb->insert(
    'table_name',
    array(
        'column1' => 'value1',
        'column2' => 123
    ),
    array(
        '%s',
        '%d'
    )
);
Database Sanitization
$wpdb->update(
    'table',
    array(
        'column1' => 'value1', // string
        'column2' => 123       // integer (number)
    ),
    array( 'ID' => 1 ),
    array(
        '%s', // format for column1
        '%d'  // format for column2
    ),
    array( '%d' )
);
Database Sanitization
$wpdb->delete(
    'table',
    array( 'ID' => 1 ),
    array( '%d' )
);
Database Sanitization
What about other general queries? Statements that include joins?
$wpdb->query()
Database Sanitization
$wpdb->prepare() to make sure the query is safe:
$wpdb->prepare( SQL Code with Placeholders, variable 1, variable 2, etc. );
Database Sanitization
$safeSQL = $wpdb->prepare( "SELECT * FROM mytable WHERE col1 = %s AND col2 = %d", $sParam, $iParam );
$wpdb->query( $safeSQL );
Database Sanitization
Valid Placeholders are:
%s for strings
%d for integers
%f for floats
Database Sanitization
If your query includes a LIKE statement in the WHERE clause, use $wpdb->esc_like() to properly escape the %, _ and \ characters, which have special meanings.
Still requires $wpdb->prepare()
Database Sanitization
$likeValue = 'value_';
$safeSQL = $wpdb->prepare( "SELECT * FROM table WHERE col1 LIKE %s", $wpdb->esc_like( $likeValue ) . '%' );
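The injection slides and the $wpdb->prepare() slides side by side, as an added example (not the deck's code): the same lookup with string concatenation and with a placeholder, then the LIKE case with $wpdb->esc_like() and a variable-length IN () list. It assumes WordPress is loaded; the example_ function names and their inputs are hypothetical.

```php
<?php
// Added example, not code from the slides. Assumes WordPress is loaded, so
// $wpdb and its table-name properties ($wpdb->users, $wpdb->posts) exist.
// $login, $search and $ids stand for untrusted request input.

// VULNERABLE: the value is glued into the SQL. The payload from the login-form
// slide turns this into the "OR '1'='1'" query shown there.
function example_find_user_unsafe( $login ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '" . $login . "'"
    );
}

// SAFE: %s placeholder. prepare() adds the quotes and escapes the value, so any
// quote characters in $login are data, not SQL.
function example_find_user( $login ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s", $login )
    );
}

// LIKE needs two steps: $wpdb->esc_like() neutralises % _ \ inside the user's
// text, then prepare() does the SQL quoting. The wildcard we WANT is appended
// after esc_like(), so it survives as a wildcard.
function example_search_titles( $search ) {
    global $wpdb;
    $like = $wpdb->esc_like( $search ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s",
            $like
        )
    );
}

// A variable-length IN (...) list: validate every id as an integer, build one
// %d placeholder per id, and let prepare() fill them. prepare() accepts the
// values as a single array argument.
function example_posts_by_ids( array $ids ) {
    global $wpdb;
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) ); // integers > 0 only
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ( $placeholders )";
    return $wpdb->get_results( $wpdb->prepare( $sql, $ids ) );
}

// Usage with constructed input (the "_" in the search term is matched literally):
$user  = example_find_user( "admin' OR '1'='1" );   // no match; the quote is just data
$posts = example_search_titles( 'wp_' );
$some  = example_posts_by_ids( array( '3', '17', 'abc', '-4' ) ); // becomes IN ( 3, 17 )
```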
Input Sanitization
There are a pile of functions to do input sanitization:
sanitize_title()
sanitize_user()
balance_tags()
tag_escape()
is_email()
sanitize_html_class()
array_map()
sanitize_email()
sanitize_file_name()
sanitize_term()
sanitize_term_field()
sanitize_key()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_meta()
Nonces
A “number used once” to help protect URLs from malicious use (Cross Site Request Forgery)
Nonces
NOTE: In WordPress, a nonce is not a number, and it is not used once.
Nonces
Create a Nonce for a URL:
$complete_url = wp_nonce_url( $bare_url, 'trash-post_' . $post->ID );
Nonces
Create a Nonce for a Form:
wp_nonce_field( 'delete-comment_' . $comment_id );
Nonces
Generates code like this:
<input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />
Nonces
Generic Nonce:
$nonce = wp_create_nonce( 'my-action_' . $post->ID );
Validate Nonces
To verify a nonce that was passed in a URL or a form in an admin screen:
check_admin_referer( 'delete-comment_' . $comment_id );
Validate Nonces
To verify a nonce that was passed in an AJAX request (parameter is the action sent via AJAX):
check_ajax_referer( 'process-comment' );
Validate Nonces
To verify a generic nonce:
wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment' . $comment_id );
Returns false if the nonce fails
Nonces
To learn more about nonces, see the WordPress Codex:
https://codex.wordpress.org/WordPress_Nonces
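An added example (not code from the slides) that ties the validation, sanitization and nonce slides together in one admin form and its handler: the nonce field goes into the form, check_admin_referer() verifies it, and each field is validated (absint, is_email) or sanitized (sanitize_text_field) before it is stored. It assumes WordPress is loaded as a plugin; the example_save_order action, option name and capability are hypothetical choices.

```php
<?php
// Added example, not code from the slides. Assumes WordPress is loaded.

// 1. Render the form with a nonce field. wp_nonce_field() emits the hidden
//    _wpnonce and _wp_http_referer inputs shown on the earlier slide.
function example_order_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_order">
        <?php wp_nonce_field( 'example_save_order' ); ?>
        <label>Quantity <input type="number" name="quantity" min="1" max="10"></label>
        <label>E-mail <input type="email" name="email"></label>
        <label>Note <input type="text" name="note"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the POST. Order matters: the nonce proves the request came from our
//    form (CSRF), the capability check proves the user is ALLOWED to do this
//    (a nonce is not authorization), then every field is validated or sanitized
//    server-side (the min/max on the input is only a hint to the browser).
function example_handle_save_order() {
    // Dies with an "are you sure?" screen if the nonce is missing or stale.
    check_admin_referer( 'example_save_order' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Validation: must be an integer in the range 1..10.
    $quantity = isset( $_POST['quantity'] ) ? absint( $_POST['quantity'] ) : 0;
    if ( $quantity < 1 || $quantity > 10 ) {
        wp_die( 'Quantity out of range.' );
    }

    // Validation: is_email() returns the address, or false for anything that is not one.
    $email = isset( $_POST['email'] ) ? is_email( wp_unslash( $_POST['email'] ) ) : false;
    if ( false === $email ) {
        wp_die( 'Invalid e-mail address.' );
    }

    // Sanitization: free text is normalised (tags stripped, whitespace collapsed)
    // rather than rejected.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';

    update_option( 'example_last_order', array(
        'quantity' => $quantity,
        'email'    => $email,
        'note'     => $note,
    ) );

    // Bounce back to a local admin URL; exit is required after any redirect call.
    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
// admin_post_{action} fires for logged-in users who submit to admin-post.php.
add_action( 'admin_post_example_save_order', 'example_handle_save_order' );
```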
Brain Full?
Good, because we’re almost done.
Redirecting
wp_redirect( $url, $status ); exit;
wp_safe_redirect( $url, $status ); exit;
$status defaults to 302 (temporary)
wp_safe_redirect() only allows redirects to a specified set of hostnames, which can be set using the allowed_redirect_hosts filter
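The allowed_redirect_hosts filter and wp_safe_redirect() applied to an untrusted redirect_to parameter, as an added example (not code from the slides): the unvalidated pattern next to the safe one, with wp_validate_redirect() used to spot blocked attempts. It assumes WordPress is loaded; the example_ names and partner host are hypothetical.

```php
<?php
// Added example, not code from the slides. Assumes WordPress is loaded.

// wp_safe_redirect() accepts only the site's own host plus whatever this filter
// returns. Add a host here rather than falling back to wp_redirect().
function example_allowed_redirect_hosts( $hosts ) {
    $hosts[] = 'partner.example.com'; // hypothetical trusted host
    return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'example_allowed_redirect_hosts' );

// VULNERABLE pattern: whatever ?redirect_to= says is where the user goes,
// including an off-site phishing page dressed up as the login form.
function example_go_back_unsafe() {
    if ( isset( $_GET['redirect_to'] ) ) {
        wp_redirect( wp_unslash( $_GET['redirect_to'] ) );
        exit;
    }
}

// SAFE: wp_safe_redirect() falls back to admin_url() when the target's host is
// not allowed. wp_validate_redirect() performs the same check without
// redirecting, which lets us log the attempt before it is neutralised.
function example_go_back() {
    $target   = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $fallback = home_url( '/' );

    if ( '' !== $target && '' === wp_validate_redirect( $target, '' ) ) {
        // Host not allowed (or scheme not http/https): record it for detection.
        error_log( 'Blocked off-site redirect attempt to: ' . $target );
    }

    wp_safe_redirect( '' !== $target ? $target : $fallback ); // 302 unless $status is passed
    exit;
}
```

Relative paths such as /wp-admin/ pass wp_validate_redirect() unchanged, so same-site "return to" links keep working without being listed in the filter.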
Now you should get this…
XKCD # 327
Responsible Disclosure
If you find what you think may be a security vulnerability in WordPress’ code, be responsible. Send an e-mail with as much detail as possible to:
security@wordpress.org
Don’t blog about it, Facebook it, put it in Trac, Tweet it, etc. Allow the team time to confirm and fix the bug before letting all the hackers out there know it exists.
General WP Security
Backups
• Make Them
• Make Them Regularly
• Test Them
Keep WordPress Updated
• Updates to Core
• Updates to Themes
• Updates to Plugins
Keep WordPress Updated
• Automatic Updates to Core for all minor releases
• Manual Updates via wp-admin dashboard
File Permissions
• Make sure files & directories have only the permissions required.
• Allowing files in your uploads folder to be executed leads to ugly phishing attacks.
“Admin” Username
• This was the default in old versions of WordPress.
• Most commonly attacked username when attempting logins.
Enable Two-Factor Authentication
• Clef
• https://wordpress.org/plugins/search.php?q=two+factor
• Feature Plugin underway for core
Least Privilege
• Only grant users the appropriate roles they need in wp-admin.
Change Keys
wp-config.php
define('AUTH_KEY', '[w$u#*IL-lLtigU?Un)DY>DSbE}C -<d*+Z{gzc}Qw~p%o%g+INE3MiLBsT@%fjf');
define('SECURE_AUTH_KEY', '+=fttecyOK0jVI/~Q}f+|QMKo0H:}iV9C*koL@ci#L|ERr7i[J`>VDz{qd@zX2rq');
define('LOGGED_IN_KEY', ';5+<dNW?)zzrm*6zb+7-dB IRY%{D0;P2H|^v5BJYh]E[blAUU-n49Hgw0S@#nR-');
define('NONCE_KEY', 'R^@%&qAN$;t;<OTq$<Sm(447Rio}c<2,ts)+bVq1BE-?$Cw+a_@i7!*<`7?K4ne2');
define('AUTH_SALT', '@`Z-(+4Aq}{Y|*ow!OWSe&UNK4v^)hpi|}v)Xe-j14UN|lombcE}pv7#|/]VeG#U');
define('SECURE_AUTH_SALT', 'y9wF-&[!<PzrU]bII>RL0+OiI)D)]juvkojz$40l<Wbejx|xnvn5P,DI9816X-(]');
define('LOGGED_IN_SALT', 'l5&&8omK=~.},&!1w3VyVqFSF}edd7ldN,Y7cI)]XKq7+GUGQKfxjq<%6;v5|v|r');
define('NONCE_SALT', '?vsQ>D>oYiX_g=FnGHU%Sv-f?DuNCD@%1RGeTAL~|%,n(=+-Wr?~1uzmXlw?QW9N');
Disable XML-RPC
• Used for remote blogging, trackbacks, pingbacks, etc.
• Also a great way to DDoS
Remove Version Number
<meta name="generator" content="WordPress 4.3.1">
remove_action('wp_head', 'wp_generator');
Security Plugins
• WordFence (Plugin)
• iThemes Security (Plugin)
• Sucuri (Plugin)
Limit Login Attempts
• JetPack Brute Force
• iThemes Security
Hosting
• WordPress Managed Hosting
• Manages Updates
• Custom Firewall Configurations
Thank you!
Slides: www.shawnhooper.ca
E-Mail: shawn@actionablebooks.com
Twitter: @shawnhooper
WordPress Slack: shooper
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Securing WordPress: OWASP Ottawa October 2015 Meetup

  • 1. Securing WordPress. OWASP Ottawa October 2015 Meetup. Shawn Hooper, Chief Technology Officer, Actionable Books. @shawnhooper - shawnhooper.ca
  • 2. Hi! • I'm Shawn Hooper, CTO at Actionable Books. Former Freelance Developer • WordPress Core Contributor • GIAC Certified .NET Secure Software Programmer
  • 3. WordPress: • Open Source Content Management System (CMS) • PHP, MySQL, jQuery, BackboneJS • Runs 24.7% of all web sites • Has a 58.7% share of the CMS space. Source: http://w3techs.com/technologies/overview/content_management/all
  • 4. WordPress: • WordPress.com is a hosted WordPress service run by Automattic • WordPress.org is the downloadable, self-hosted version of WordPress • A huge ecosystem of themes (2K just in the .org repo) and plugins (40K) that take advantage of the hook and filter system
  • 5. WordPress: This market share makes it a big target for hackers!
  • 7. We're Under Attack! We are going to look at a couple of different types of attacks and how to avoid them: * SQL Injection * Cross Site Scripting (XSS) * Cross Site Request Forgery (CSRF) * Unvalidated Redirects and Forwards
  • 8. Injection Attacks: on the Open Web Application Security Project (OWASP) Top Ten List.
  • 9. SQL Injection Attacks: "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)." - Wikipedia
  • 10. SQL Injection Attacks: Without protecting against injection attacks, what would happen if a login form allowed this:
    ' OR '1'='1' --
  • 11. SQL Injection Attacks: the resulting query:
    SELECT * FROM wp_users WHERE user_pass = '' OR '1'='1' --'
  • 12. SQL Injection Attacks: or this input:
    '; DROP TABLE wp_users; --
  • 13. SQL Injection Attacks: the resulting query:
    SELECT * FROM wp_users WHERE user_pass = ''; DROP TABLE wp_users; --
  • 14. Cross Site Scripting (XSS): on the Open Web Application Security Project (OWASP) Top Ten List.
  • 15. Cross Site Scripting (XSS): "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy." - Wikipedia
  • 16. Cross Site Scripting (XSS): Cross Site Scripting can be used to capture a user's authentication / session cookie and then impersonate them on a trusted website. Reflected (e.g. delivered by e-mail) vs. Persistent (e.g. returned by the DB in a forum).
  • 17. Cross Site Request Forgery: on the Open Web Application Security Project (OWASP) Top Ten List.
  • 18. Cross Site Request Forgery: "Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts." - Wikipedia
  • 19. Cross Site Request Forgery: An example of a simple CSRF attack would be getting you to visit a link that would change your password to something the attacker knows.
  • 20. Unvalidated Forwards & Redirects: on the Open Web Application Security Project (OWASP) Top Ten List.
  • 21. Unvalidated Forwards & Redirects: Could allow code in your website to forward the user to a malicious (e.g. phishing) website.
  • 23. Scared Yet? Let's figure out how to stop all this stuff from happening...
  • 26. Validation: * Are values of the correct type? * Are values in range?
  • 27. Validation: Is an input supposed to be an integer?
    intval( $_POST['quantity'] )
    or
    absint( $_POST['quantity'] )
  • 28. Validation: Is it in range?
    $quantity = absint( $_POST['quantity'] );
    if ( $quantity > 10 ) { die( 'Quantity Out of Range' ); }
  • 29. Validation: Should it be an e-mail address?
    $email = is_email( $_POST['email'] );
    Returns false if invalid.
  • 30. Sanitization: Should it be an e-mail address?
    $email = sanitize_email( $_POST['email'] );
    Removes characters that are not valid in an e-mail address.
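The type, range and e-mail checks from slides 26 to 30 combined into one request handler, as an added example that is not from the slides. It assumes it runs inside WordPress (absint, is_email, sanitize_email, sanitize_text_field, wp_unslash and WP_Error are core); the function name, field names and error codes are assumptions, and the input is constructed.

```php
<?php
/**
 * Added example: validate and sanitize a constructed POST body.
 * Assumes WordPress core functions are loaded. Function name, field
 * names and WP_Error codes are assumptions, not WordPress conventions.
 */
function sh_validate_order_input( array $post ) {
    // WordPress adds slashes to superglobals; strip them before validating.
    $post = wp_unslash( $post );

    // Type: absint() coerces to a non-negative integer ("12abc" -> 12, "-3" -> 3),
    // so check presence first or an empty field silently becomes 0.
    if ( ! isset( $post['quantity'] ) || '' === trim( $post['quantity'] ) ) {
        return new WP_Error( 'missing_quantity', 'Quantity is required.' );
    }
    $quantity = absint( $post['quantity'] );

    // Range: a valid type is not enough; enforce the business limit as well.
    if ( $quantity < 1 || $quantity > 10 ) {
        return new WP_Error( 'quantity_range', 'Quantity must be between 1 and 10.' );
    }

    // Validate before sanitizing: sanitize_email() silently strips bad
    // characters and returns a plausible address, while is_email() reports
    // whether what the user actually typed was acceptable.
    $raw_email = isset( $post['email'] ) ? $post['email'] : '';
    if ( ! is_email( $raw_email ) ) {
        return new WP_Error( 'invalid_email', 'Please enter a valid e-mail address.' );
    }
    $email = sanitize_email( $raw_email );

    // Free text: sanitize_text_field() strips tags, invalid UTF-8 and stray whitespace.
    $note = isset( $post['note'] ) ? sanitize_text_field( $post['note'] ) : '';

    return array(
        'quantity' => $quantity,
        'email'    => $email,
        'note'     => $note,
    );
}

// Constructed sample input standing in for $_POST.
$sample = array(
    'quantity' => '7',
    'email'    => 'reader@example.com',
    'note'     => "Leave at the <b>front</b> desk\n",
);
$result = sh_validate_order_input( $sample );
if ( is_wp_error( $result ) ) {
    echo esc_html( $result->get_error_message() );
} else {
    // Cleaned array: quantity 7, the validated address, and the note without tags.
    print_r( $result );
}
```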
  • 31. Escaping Text:
    esc_html( $string );
    esc_html__( $string, $domain );
    ex: Hello <?php echo esc_html( $string ); ?>
  • 32. Escaping Text:
    esc_attr( $text );
    esc_attr__( $text, $domain );
    Escaping a string for use in an HTML attribute.
    <div data-value="<?php echo esc_attr( $value ); ?>">
  • 33. Escaping Text:
    esc_js( $text );
    Escaping a string for echoing in JavaScript.
  • 34. Escaping URLs:
    esc_url( $url );
    esc_url_raw( $url );
    urlencode( $string );
    urlencode_deep( $array );
  • 35. Escaping HTML:
    wp_kses( $fragment, $allowed_html, $protocols );
    $allowed_html = array(
        'a' => array(
            'href' => array(),
            'title' => array()
        ),
        'br' => array(),
        'em' => array(),
        'strong' => array()
    );
  • 36. Escaping HTML:
    wp_rel_nofollow( $html );
    Adds rel="nofollow" to every link in the HTML fragment.
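Slides 31 to 36 each show one escaping function; the added example below (not from the slides) renders a single untrusted comment with each function applied in the context it is meant for. It assumes WordPress core is loaded; the function name, field names and the sample comment are assumptions and constructed input.

```php
<?php
/**
 * Added example: render one untrusted comment, escaping each value for
 * the exact context it lands in. Assumes WordPress core functions.
 */
function sh_render_comment_card( array $comment ) {
    // Allow-list for wp_kses(): only these tags and attributes survive.
    $allowed_html = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array(),
    );
    // wp_kses() also drops hrefs whose scheme is not listed here, so a
    // "javascript:" link is removed even though <a href> is allowed.
    $allowed_protocols = array( 'http', 'https', 'mailto' );

    $author  = esc_html( $comment['author'] );   // HTML text node
    $website = esc_url( $comment['website'] );   // href attribute, scheme-checked
    $id      = esc_attr( $comment['id'] );       // data-* attribute
    $body    = wp_kses( $comment['body'], $allowed_html, $allowed_protocols );
    $body    = wp_rel_nofollow( $body );         // user-supplied links get rel="nofollow"
    $js_name = esc_js( $comment['author'] );     // inside a JS string literal

    return '<div class="comment" data-comment-id="' . $id . '">'
        . '<a href="' . $website . '">' . $author . '</a>'
        . '<div class="body">' . $body . '</div>'
        . '<script>var lastCommenter = "' . $js_name . '";</script>'
        . '</div>';
}

// Constructed sample: every field carries something that must not reach
// the browser unescaped.
$sample = array(
    'id'      => '42" onmouseover="x',
    'author'  => 'Ada <Lovelace>',
    'website' => 'javascript:void(0)',
    'body'    => 'Nice post <script>window.x=1</script> <a href="http://example.com" onclick="x()">link</a>',
);
echo sh_render_comment_card( $sample );
// Result: the quote in the id becomes &quot;, the angle brackets in the
// name become entities, esc_url() returns "" for the javascript: URL,
// the <script> tags and the onclick attribute are stripped by wp_kses(),
// and the remaining link carries rel="nofollow".
```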
  • 38. Database Sanitization: $wpdb Is Your Friend!
  • 39. Database Sanitization:
    $wpdb->insert( 'table_name', array( 'column1' => 'value1', 'column2' => 123 ), array( '%s', '%d' ) );
  • 40. Database Sanitization:
    $wpdb->update(
        'table',
        array(
            'column1' => 'value1', // string
            'column2' => 'value2'  // integer (number)
        ),
        array( 'ID' => 1 ),
        array(
            '%s', // value1
            '%d'  // value2
        ),
        array( '%d' )
    );
  • 41. Database Sanitization:
    $wpdb->delete( 'table', array( 'ID' => 1 ), array( '%d' ) );
  • 42. Database Sanitization: What about other general queries? Statements that include joins? Use $wpdb->query().
  • 43. Database Sanitization: Use $wpdb->prepare() to make sure the query is safe:
    $wpdb->prepare( SQL code with placeholders, variable 1, variable 2, etc. );
  • 44. Database Sanitization:
    $safeSQL = $wpdb->prepare( "SELECT * FROM mytable WHERE col1 = %s AND col2 = %d", $sParam, $iParam );
    $wpdb->query( $safeSQL );
  • 45. Database Sanitization: Valid placeholders are: %s for strings, %d for integers, %f for floats.
  • 46. Database Sanitization: If your query includes a LIKE statement in the WHERE clause, use $wpdb->esc_like() to properly escape the %, _ and \ characters, which have special meanings. Still requires $wpdb->prepare().
  • 47. Database Sanitization:
    $likeValue = 'value_';
    $safeSQL = $wpdb->prepare( "SELECT * FROM table WHERE col1 LIKE %s", $wpdb->esc_like( $likeValue ) . '%' );
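The join, prepare() and esc_like() slides (42 to 47) put together in one search function, as an added example that is not from the slides. It goes one step beyond them by handling the ORDER BY column, which prepare() cannot parameterise. It assumes WordPress core is loaded; the function name and the inputs are assumptions and constructed values.

```php
<?php
/**
 * Added example: search posts joined to their authors. Every value goes
 * through $wpdb->prepare(), the LIKE pattern is built with
 * $wpdb->esc_like(), and the ORDER BY identifier is allow-listed.
 * Assumes WordPress core; function name is an assumption.
 */
function sh_search_posts_by_author( $author_fragment, $min_comments, $order_by = 'post_date' ) {
    global $wpdb;

    // esc_like() escapes %, _ and \ in the user's text; the wildcard is
    // appended afterwards, so a user typing "100%" matches a literal percent.
    $like = '%' . $wpdb->esc_like( $author_fragment ) . '%';

    // Column names cannot be placeholders: validate against a fixed list.
    $allowed_order = array( 'post_date', 'post_title', 'comment_count' );
    if ( ! in_array( $order_by, $allowed_order, true ) ) {
        $order_by = 'post_date';
    }

    // prepare() quotes and escapes %s and casts %d with intval().
    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title, u.display_name
           FROM {$wpdb->posts} p
           JOIN {$wpdb->users} u ON u.ID = p.post_author
          WHERE u.display_name LIKE %s
            AND p.post_status = %s
            AND p.comment_count >= %d
          ORDER BY p.{$order_by} DESC
          LIMIT %d",
        $like,
        'publish',
        $min_comments,
        20
    );

    return $wpdb->get_results( $sql );
}

// Constructed inputs standing in for request parameters: the quote in the
// first is escaped inside the LIKE string, the second is cast to 0 by %d.
$rows = sh_search_posts_by_author( "o'brien", 'not-a-number', 'comment_count' );
foreach ( $rows as $row ) {
    // Output escaping is still needed; the database does not do it for us.
    echo esc_html( $row->post_title ), ' by ', esc_html( $row->display_name ), "\n";
}
```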
  • 49. Input Sanitization: There are a pile of functions to do input sanitization: sanitize_title(), sanitize_user(), balance_tags(), tag_escape(), is_email(), sanitize_html_class(), array_map(), sanitize_email(), sanitize_file_name(), sanitize_term(), sanitize_term_field(), sanitize_key(), sanitize_mime_type(), sanitize_option(), sanitize_sql_orderby(), sanitize_text_field(), sanitize_title_for_query(), sanitize_title_with_dashes(), sanitize_meta()
  • 51. Nonces: A "number used once" to help protect URLs from malicious use (Cross Site Request Forgery).
  • 52. Nonces: NOTE: In WordPress, a nonce is not a number, and it is not used once.
  • 53. Nonces: Create a Nonce for a URL:
    $complete_url = wp_nonce_url( $bare_url, 'trash-post_' . $post->ID );
  • 54. Nonces: Create a Nonce for a Form:
    wp_nonce_field( 'delete-comment_' . $comment_id );
  • 55. Nonces: Generates code like this:
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
    <input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />
  • 56. Nonces: Generic Nonce:
    $nonce = wp_create_nonce( 'my-action_' . $post->ID );
  • 57. Validate Nonces: To verify a nonce that was passed in a URL or a form in an admin screen:
    check_admin_referer( 'delete-comment_' . $comment_id );
  • 58. Validate Nonces: To verify a nonce that was passed in an AJAX request (the parameter is the action sent via AJAX):
    check_ajax_referer( 'process-comment' );
  • 59. Validate Nonces: To verify a generic nonce:
    wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment' . $comment_id );
    Returns false if the nonce fails.
  • 60. Nonces: To learn more about nonces, see the WordPress Codex: https://codex.wordpress.org/WordPress_Nonces
  • 61. Brain Full? Good, because we're almost done.
  • 62. Redirecting:
    wp_redirect( $url, $status ); exit;
    wp_safe_redirect( $url, $status ); exit;
    $status defaults to 302 (temporary). wp_safe_redirect() only allows redirects to a specified set of hostnames, which can be set using the allowed_redirect_hosts filter.
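The nonce slides (51 to 59) and the redirect slide (62) tied together in one admin-post handler, as an added example that is not from the slides: a form with wp_nonce_field(), verification with check_admin_referer(), a capability check (a nonce proves intent, not permission), and wp_safe_redirect() with an allowed_redirect_hosts filter. It assumes WordPress core is loaded; the action name, meta key, function names and the extra host are assumptions.

```php
<?php
/**
 * Added example: CSRF-protected form, handler and safe redirect.
 * Assumes WordPress core. Action/meta/function names are assumptions.
 */

// 1. The form. The object id is part of the nonce action, so a nonce minted
//    for one comment does not verify for another.
function sh_render_archive_form( $comment_id ) {
    $action = 'sh-archive-comment_' . $comment_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sh_archive_comment" />
        <input type="hidden" name="comment_id" value="<?php echo esc_attr( $comment_id ); ?>" />
        <input type="hidden" name="return_to" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
        <?php wp_nonce_field( $action ); ?>
        <button type="submit">Archive</button>
    </form>
    <?php
}

// 2. The handler. admin_post_{action} only fires for logged-in users.
function sh_handle_archive_comment() {
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;

    // Dies with "The link you followed has expired" if the nonce is missing,
    // stale, or was minted for a different comment id or a different user.
    check_admin_referer( 'sh-archive-comment_' . $comment_id );

    // Nonces do not replace authorization: check the capability too.
    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_die( 'You are not allowed to archive this comment.', '', array( 'response' => 403 ) );
    }

    update_comment_meta( $comment_id, 'sh_archived', 1 );

    // Return the user to where they came from, but only if that host is on
    // the allow-list; otherwise wp_safe_redirect() falls back to wp-admin.
    $return_to = isset( $_POST['return_to'] ) ? esc_url_raw( wp_unslash( $_POST['return_to'] ) ) : '';
    wp_safe_redirect( $return_to ? $return_to : admin_url( 'edit-comments.php' ) );
    exit;
}
add_action( 'admin_post_sh_archive_comment', 'sh_handle_archive_comment' );

// 3. Widen the safe-redirect allow-list to one trusted external host.
//    By default only the site's own host is allowed.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'docs.example.com'; // constructed placeholder host
    return $hosts;
} );
```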
  • 63. Now you should get this... XKCD #327
  • 64. Responsible Disclosure: If you find what you think may be a security vulnerability in WordPress' code, be responsible. Send an e-mail with as much detail as possible to: security@wordpress.org. Don't blog about it, Facebook it, put it in Trac, Tweet it, etc. Allow the team time to confirm and fix the bug before letting all the hackers out there know it exists.
  • 66. Backups: • Make Them • Make Them Regularly • Test Them
  • 67. Keep WordPress Updated: • Updates to Core • Updates to Themes • Updates to Plugins
  • 68. Keep WordPress Updated: • Automatic Updates to Core for all minor releases • Manual Updates via the wp-admin dashboard
  • 70. File Permissions: • Make sure files & directories have only the permissions required. • Allowing files in your uploads folder to be executed leads to ugly phishing attacks.
  • 71. "Admin" Username: • This was the default in old versions of WordPress. • Most commonly attacked username when attempting logins.
  • 72. Enable Two-Factor Authentication: • Clef • https://wordpress.org/plugins/search.php?q=two+factor • Feature Plugin underway for core
  • 73. Least Privilege: • Only grant users the appropriate roles they need in wp-admin.
  • 74. Change Keys @shawnhooper - shawnhooper.ca define('AUTH_KEY', '[w$u#*IL-lLtigU?Un)DY>DSbE}C -<d*+Z{gzc}Qw~p%o%g+INE3MiLBsT@%fjf'); define('SECURE_AUTH_KEY', '+=fttecyOK0jVI/~Q}f+|QMKo0H:}iV9C*koL@ci#L|ERr7i[J`>VDz{qd@zX2rq'); define('LOGGED_IN_KEY', ';5+<dNW?)zzrm*6zb+7-dB IRY%{D0;P2H|^v5BJYh]E[blAUU-n49Hgw0S@#nR-'); define('NONCE_KEY', 'R^@%&qAN$;t;<OTq$<Sm(447Rio}c<2,ts)+bVq1BE-?$Cw+a_@i7!*<`7?K4ne2'); define('AUTH_SALT', '@`Z-(+4Aq}{Y|*ow!OWSe&UNK4v^)hpi|}v)Xe-j14UN|lombcE}pv7#|/]VeG#U'); define('SECURE_AUTH_SALT', 'y9wF-&[!<PzrU]bII>RL0+OiI)D)]juvkojz$40l<Wbejx|xnvn5P,DI9816X-(]'); define('LOGGED_IN_SALT', 'l5&&8omK=~.},&!1w3VyVqFSF}edd7ldN,Y7cI)]XKq7+GUGQKfxjq<%6;v5|v|r'); define('NONCE_SALT', '?vsQ>D>oYiX_g=FnGHU%Sv-f?DuNCD@%1RGeTAL~|%,n(=+-Wr?~1uzmXlw? QW9N'); wp-config.php
  • 75. Disable XML-RPC: • Used for remote blogging, trackbacks, pingbacks, etc. • Also a great way to DDoS
  • 76. Remove Version Number:
    <meta name="generator" content="WordPress 4.3.1">
    remove_action( 'wp_head', 'wp_generator' );
  • 77. Security Plugins: • WordFence (Plugin) • iThemes Security (Plugin) • Sucuri (Plugin)
  • 78. Limit Login Attempts: • JetPack Brute Force • iThemes Security
  • 79. Hosting: • WordPress Managed Hosting • Manages Updates • Custom Firewall Configurations
  • 80. Thank you! Slides: www.shawnhooper.ca E-Mail: shawn@actionablebooks.com Twitter: @shawnhooper WordPress Slack: shooper
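Slides 75 and 76 applied with core filters rather than by editing WordPress files, as an added example that is not from the slides. It assumes the file is dropped into wp-content/mu-plugins/ on a WordPress site; nothing else is assumed beyond the core hooks named in the comments.

```php
<?php
/**
 * Added example: mu-plugin that disables XML-RPC (slide 75) and hides the
 * generator tag (slide 76) using WordPress core hooks only.
 */

// Slide 75: xmlrpc_enabled only gates the methods that authenticate, so it
// stops credential guessing over XML-RPC but not the anonymous pingback.ping
// method used in reflection DDoS.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the anonymous pingback methods as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in every response.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Slide 76: stop printing <meta name="generator" content="WordPress x.y.z">.
remove_action( 'wp_head', 'wp_generator' );

// The version is also emitted in feeds and exports, which bypass wp_head;
// the_generator covers those contexts.
add_filter( 'the_generator', '__return_empty_string' );
```

Hiding the version is obscurity only; the slides' real fix for old versions is the "Keep WordPress Updated" advice above.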