Plugin & Theme Security
http://johnford.is/   @iamjohnford

SQL Injection

BAD:
$wpdb->query( "UPDATE $wpdb->posts SET post_title = $new_title WHERE ID = $id" );

BAD:
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password" );

BAD (the same query with an attacker-chosen username):
$username = " OR 1 -- ";
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password" );

BAD (the query that is actually sent; the -- comments out the password check):
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login =  OR 1 --  AND user_pass = $password" );

GOOD: $wpdb->update()
$wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ) );

GOOD: $wpdb->insert()
$wpdb->insert( $table, $data );

GOOD: $wpdb->prepare()
$wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );

http://codex.wordpress.org/Function_Reference/wpdb_Class
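The three safe $wpdb calls from the slides above, worked into plugin functions. This is an added example, not code from the talk; the myplugin_* function names are hypothetical, and the LIKE helper assumes $wpdb->esc_like() (WordPress 4.0 or later).

```php
<?php
// Added example (not from the slides): a lookup, an update and a LIKE search
// that never concatenate user input into SQL. Function names are hypothetical.

/**
 * Find a post by slug or numeric ID. $wpdb->prepare() quotes and escapes each
 * %s value and casts each %d value to an integer, so neither argument can
 * change the shape of the statement.
 */
function myplugin_find_post( $slug, $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s OR ID = %d",
        $slug,
        $id
    );
    return $wpdb->get_row( $sql );
}

/**
 * Rename a post. $wpdb->update() escapes every value itself and builds the SET
 * and WHERE clauses; the optional format arrays additionally pin each value to
 * a type, so a title such as  x' OR 1=1 --  is stored as literal text.
 */
function myplugin_rename_post( $id, $new_title ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ), // data
        array( 'ID' => (int) $id ),          // where
        array( '%s' ),                       // data format
        array( '%d' )                        // where format
    );
}

/**
 * LIKE needs one extra step: % and _ are wildcards inside a LIKE pattern, so
 * escape them with $wpdb->esc_like() before the value goes through %s.
 */
function myplugin_search_titles( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
    );
}
```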
XSS: Cross-site Scripting

BAD:
<h1><?php echo $title; ?></h1>

BAD (the value is rendered as markup):
$title = '<script>jsCode();</script>';
<h1><?php echo $title; ?></h1>

GOOD: esc_html()
<h1><?php echo esc_html( $title ); ?></h1>

esc_attr_e()

BAD:
<a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>

BAD (the value closes the attribute and adds an event handler):
<?php $title = '" onmouseover="jsCode();'; ?>
<a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>

GOOD: esc_attr()
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>

GOOD: esc_textarea()

BAD:
<a href="<?php echo $url; ?>">Link Text</a>

BAD (a javascript: URL runs when the link is clicked):
<?php $url = 'javascript:jsCode();'; ?>
<a href="<?php echo $url; ?>">Link Text</a>

GOOD: esc_url()
<a href="<?php echo esc_url( $url ); ?>">Link Text</a>

BAD:
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">

GOOD:
<form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">

BAD:
<script>var foo = <?php echo $unsafe; ?>;</script>

GOOD: esc_js() (the value must sit inside a quoted JavaScript string)
<script>var foo = '<?php echo esc_js( $unsafe ); ?>';</script>

GOOD: wp_filter_kses( $data )

http://codex.wordpress.org/Data_Validation
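The escaping functions from the slides above brought together in one template fragment, each matched to the context its value lands in. This is an added example, not code from the talk; myplugin_render_card() and the card fields are hypothetical, and the hostile input at the end is constructed.

```php
<?php
// Added example (not from the slides): one output context, one escaping function.
// myplugin_render_card() and the $card fields are hypothetical.

/**
 * $card holds user-controlled strings. Each one is escaped for the exact
 * place it is printed:
 *   esc_html()      text between tags
 *   esc_attr()      inside a quoted attribute value
 *   esc_url()       href/src; returns '' for javascript: and other disallowed schemes
 *   esc_textarea()  the body of a <textarea>
 *   esc_js()        inside a single-quoted JavaScript string
 *   wp_kses_post()  rich text, reduced to the HTML allowed in post content
 *   esc_attr_e()    translate a string, escape it for an attribute, echo it
 */
function myplugin_render_card( array $card ) {
    ?>
    <div class="card" data-id="<?php echo esc_attr( $card['id'] ); ?>">
        <h2><?php echo esc_html( $card['title'] ); ?></h2>
        <a href="<?php echo esc_url( $card['url'] ); ?>"
           title="<?php echo esc_attr( $card['title'] ); ?>">
            <?php esc_html_e( 'Read more', 'myplugin' ); ?>
        </a>
        <div class="body"><?php echo wp_kses_post( $card['body'] ); ?></div>
        <textarea name="notes"><?php echo esc_textarea( $card['notes'] ); ?></textarea>
        <button aria-label="<?php esc_attr_e( 'Close', 'myplugin' ); ?>">x</button>
        <script>
            var cardTitle = '<?php echo esc_js( $card['title'] ); ?>';
        </script>
    </div>
    <?php
}

// Constructed input: every field carries the kind of payload its context
// would otherwise interpret. With the escaping above each one is printed as
// inert text (the javascript: URL becomes an empty href).
myplugin_render_card( array(
    'id'    => '7" onmouseover="jsCode();',
    'title' => '<script>jsCode();</script>',
    'url'   => 'javascript:jsCode();',
    'body'  => '<p onclick="jsCode();">hello</p>',
    'notes' => '</textarea><script>jsCode();</script>',
) );
```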
CSRF: Cross-site Request Forgery

Nonces: action-, object-, & user-specific time-limited secret keys

GOOD:
wp_nonce_field( 'plugin-action_object' );

GOOD:
check_admin_referer( 'plugin-action_object' );

http://codex.wordpress.org/WordPress_Nonces
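The nonce pattern from the slides above, applied to a delete action whose nonce is tied to one object, with the same check for an AJAX endpoint. This is an added example, not code from the talk; the myplugin_* names, the option name and the manage_options capability are hypothetical.

```php
<?php
// Added example (not from the slides): a delete button protected by an
// action- and object-specific nonce. Hook, option and function names are hypothetical.

// 1. Emit the form. The action string binds the token to one action ("delete")
//    on one object ($item_id), for the current user, for a limited time.
function myplugin_delete_button( $item_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_delete_item">
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $item_id ); ?>">
        <?php wp_nonce_field( 'myplugin-delete_item_' . $item_id ); ?>
        <button type="submit"><?php esc_html_e( 'Delete', 'myplugin' ); ?></button>
    </form>
    <?php
}

// 2. Handle the POST. check_admin_referer() stops with an "are you sure?" page
//    unless the _wpnonce field matches the same action string, so a request
//    forged from another site never reaches the delete.
function myplugin_handle_delete() {
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;

    check_admin_referer( 'myplugin-delete_item_' . $item_id );

    // A nonce proves intent, not authorisation: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'myplugin' ), 403 );
    }

    delete_option( 'myplugin_item_' . $item_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_delete_item', 'myplugin_handle_delete' );

// 3. The same check for an AJAX endpoint: check_ajax_referer() verifies the
//    nonce sent in the "security" request field and replies -1 on failure.
function myplugin_ajax_delete() {
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    check_ajax_referer( 'myplugin-delete_item_' . $item_id, 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( null, 403 );
    }
    delete_option( 'myplugin_item_' . $item_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_delete_item', 'myplugin_ajax_delete' );
```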
eval() = evil
Thank you!
http://johnford.is/   @iamjohnford
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.