Anatomy of a WordPress Hack

Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.

Published in: Technology, Business
Anatomy of a WordPress Hack

  1. @brennenbyrne
  2. ANATOMY OF A WORDPRESS HACK
  3. security is hard
  4. security is REALLY hard
  5. security is REALLY REALLY hard
  6. but probably NOT for the reasons you're thinking
  7. that's because security is all about the details
  8. 3 hacks that broke wordpress: sqli, xss, clickjacking (and how they were fixed)
  9. this talk is probably for you
  10. this talk is probably for you (it's a really good talk)
  11. you might be wondering "if these have already been fixed, why are we still talking about them?"
  12. almost 20% of the web runs on wordpress
  13. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites
  14. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites; they'll happen again
  15. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites; they'll happen again; it's fun and interesting
  16. hello, my name is brennen @brennenbyrne
  17. I'm a founder of Clef (getclef.com)
  18. anatomy of a wordpress hack
  19. XSS: cross site scripting
  20. XSS: cross site scripting, when a hacker is able to run arbitrary code in every user's browser
  21. let's hack
  22. how
  23. <{$icontag} class='gallery-icon'> ... </{$icontag}>
  24-31. callouts on the line above, in order: begin html open tag; unsanitized user input; end html open tag; begin html close tag; unsanitized user input; end html close tag; both occurrences of {$icontag} are unsanitized user input
  32. unsanitized user input
  33. exploit unsanitized user input
  34. $icontag = script src='hack.js'
  35-36. callouts: create a script tag; load an evil script
  37. how bad is this?
  38. full site compromise
  39. one line fix!
  40. $icontag = tag_escape($icontag)
  41. callout: removes potentially malicious code
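To see what the one-line fix on slide 40 actually changes, here is an added example (not WordPress's own code) that runs the gallery template from slide 23 and the payload from slide 34 through a stand-in for tag_escape(); the stand-in copies the real function's behaviour of stripping everything but [A-Za-z0-9_:] and lowercasing, and `dt` (the gallery's default icontag) is the benign input.

```php
<?php
// Added example, not WordPress code: a stand-in for tag_escape() so this runs
// outside WordPress. It mirrors the real function: strip every character that
// is not [A-Za-z0-9_:], then lowercase. Anything that could end a tag name or
// start an attribute (space, quote, =, /, <, >) cannot survive the filter.
function tag_escape_standin(string $tag_name): string
{
    return strtolower(preg_replace('/[^a-zA-Z0-9_:]/', '', $tag_name));
}

// Slide 23: the value is interpolated straight into the markup.
function gallery_icon_vulnerable(string $icontag): string
{
    return "<{$icontag} class='gallery-icon'> ... </{$icontag}>";
}

// Slide 40: the same template, with the one-line fix applied first.
function gallery_icon_fixed(string $icontag): string
{
    $icontag = tag_escape_standin($icontag);
    return "<{$icontag} class='gallery-icon'> ... </{$icontag}>";
}

$inputs = [
    'dt',                    // the gallery's default icontag: unchanged by the fix
    "script src='hack.js'",  // the payload from slide 34
];

foreach ($inputs as $in) {
    echo "input:      {$in}\n";
    echo "vulnerable: " . gallery_icon_vulnerable($in) . "\n";
    echo "fixed:      " . gallery_icon_fixed($in) . "\n\n";
}
// With the payload, the vulnerable output contains a real <script src='hack.js'>
// element (browsers ignore attributes on the end tag, so </script src='hack.js'>
// still closes it). The fixed output is <scriptsrchackjs class='gallery-icon'>,
// an unknown element name carrying no attribute the attacker controls.
```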
  42. Clickjacking
  43. clickjacking: when a hacker tricks you into clicking something you don't want to click
  44. let's hack
  45. how
  46. this is your site
  47. this is your site with an iframe: www.another-site.com
  48-49. now imagine the green is the article and the red is "delete post"
  50. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
  51-54. callouts on the line above: embedding site in another site; embedding admin page; admin page is fully transparent; admin page is above another page
  55. delete post
  56. allow embedding of valuable pages
  57. how bad is this?
  58. full site compromise
  59. one line fix!
  60. @header( 'X-Frame-Options: SAMEORIGIN' );
  61-62. callouts: add header to requests for valuable pages; tell browser to only allow iframe embed when it's on the same domain
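An added check, not WordPress code, for confirming that the response header from slide 60 is doing its job: given the headers a page sends back, it reports whether a document from another origin may frame it, honouring both X-Frame-Options and the newer Content-Security-Policy frame-ancestors directive (which browsers prefer when both are present). The site origin is constructed; www.another-site.com is the embedding site from slide 47.

```php
<?php
// Added example, not WordPress code. Decide whether a page served from
// $page_origin may be framed by a document from $framer_origin, based on the
// page's response headers. Origins are scheme://host[:port] strings.
function framing_allowed(array $headers, string $page_origin, string $framer_origin): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);

    // A frame-ancestors directive, when present, is what modern browsers
    // enforce; X-Frame-Options is then ignored.
    if (isset($h['content-security-policy'])) {
        foreach (explode(';', $h['content-security-policy']) as $directive) {
            $tokens = preg_split('/\s+/', trim($directive));
            if (strtolower(array_shift($tokens)) !== 'frame-ancestors') {
                continue;
            }
            foreach ($tokens as $src) {
                if ($src === "'none'") {
                    return false;
                }
                if ($src === "'self'" && $framer_origin === $page_origin) {
                    return true;
                }
                if ($src === '*' || $src === $framer_origin) {
                    return true;
                }
            }
            return false; // directive present, but this framer is not listed
        }
    }

    $xfo = strtoupper(trim($h['x-frame-options'] ?? ''));
    if ($xfo === 'DENY') {
        return false;
    }
    if ($xfo === 'SAMEORIGIN') {
        return $framer_origin === $page_origin;
    }
    return true; // no framing protection at all: the situation on slide 50
}

$site   = 'https://example.com';           // constructed: the WordPress site
$framer = 'https://www.another-site.com';  // the embedding site from slide 47
$cases = [
    'before fix (no header)' => [],
    'after fix (slide 60)'   => ['X-Frame-Options' => 'SAMEORIGIN'],
    'CSP equivalent'         => ['Content-Security-Policy' => "frame-ancestors 'self'"],
];
foreach ($cases as $label => $headers) {
    printf("%-24s by other site: %s, by itself: %s\n", $label,
        framing_allowed($headers, $site, $framer) ? 'allowed' : 'blocked',
        framing_allowed($headers, $site, $site) ? 'allowed' : 'blocked');
}
```

Note that the header only protects the pages that send it, which is why the callout on slide 61 talks about the valuable pages specifically: in WordPress, send_frame_options_header() emits it for the admin and login screens.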
  63. SQL injection
  64. SQL injection: when bad people access your database in bad ways
  65. let's hack
  66. how
  67. SELECT ... LIMIT $args[4]
  68-71. callouts on the line above: select categories from database; limit number of categories selected; $args[4] is unsanitized user input
  72. unsanitized user input
  73. exploit unsanitized user input
  74. $args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
  75-77. callouts: embed a second SQL query; limit to 1 category and offset by 1; steal usernames and passwords
  78. 5 character fix!
  79. (int) $args[4]
  80. callout: sanitize user input by coercing it to an integer
  81. how bad is this?
  82. full site compromise
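An added example (not WordPress code) that builds the category LIMIT clause from slide 67 three ways: the vulnerable interpolation, the 5-character (int) fix from slide 79, and a validate-and-reject variant that refuses bad input instead of silently truncating it, so an attempt also leaves a log line. The table and column names are constructed; the payload is the one on slide 74.

```php
<?php
// Added example, not WordPress code. $args[4] is the raw limit value as on
// slide 67; wp_terms and name are constructed names for the demo query.

// Slide 67: the raw value lands in the query text unchanged.
function limit_clause_vulnerable(array $args): string
{
    return "SELECT name FROM wp_terms LIMIT {$args[4]}";
}

// Slide 79: (int) keeps the leading integer and drops everything after it,
// so "1 OFFSET 1 UNION ..." becomes 1 and "abc" becomes 0. Only digits can
// reach the SQL. (Inside WordPress you would then hand the integer to
// $wpdb->prepare( '... LIMIT %d', $limit ) rather than interpolate it.)
function limit_clause_cast(array $args): string
{
    $limit = (int) $args[4];
    return "SELECT name FROM wp_terms LIMIT {$limit}";
}

// Stricter variant: accept only a string that is, as a whole, a non-negative
// integer. A rejected value is worth logging; the cast alone hides it.
function limit_clause_validated(array $args): ?string
{
    $limit = filter_var($args[4], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($limit === false) {
        error_log('rejected non-integer LIMIT argument: ' . $args[4]);
        return null;
    }
    return "SELECT name FROM wp_terms LIMIT {$limit}";
}

$payload = '1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users'; // slide 74
foreach (['5', $payload, 'abc'] as $raw) {
    $args = [null, null, null, null, $raw];
    echo "input:      {$raw}\n";
    echo "vulnerable: " . limit_clause_vulnerable($args) . "\n";
    echo "cast:       " . limit_clause_cast($args) . "\n";
    echo "validated:  " . (limit_clause_validated($args) ?? 'rejected') . "\n\n";
}
```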
  83. how does this happen?
  84. security is in the details
  85. security is hard
  86. so what should you do?
  87-88. 1) you cannot know everything
  89. 1) you can always learn more
  90. 1) education
  91-92. 2) you will always make mistakes
  93. 2) you must learn from your mistakes
  94. 2) experience
  95-96. 3) you cannot write secure code
  97-98. 3) we can write secure code
  99. 3) community
  100. closing thoughts
  101. thanks
  102. XSS: Jon Cave
  103. XSS: Jon Cave; Clickjacking: Andrew Horton
  104. XSS: Jon Cave; Clickjacking: Andrew Horton; SQLi: Alexander Concha
  105. XSS: Jon Cave; Clickjacking: Andrew Horton; SQLi: Alexander Concha; WordPress Security Team
  106. XSS: Jon Cave; CSRF: Alexander Concha; SQLi: Alexander Concha; WordPress Security Team; WordPress Community
  107. what if I find a security issue?
  108. DO: 1. verify that it is a real issue; 2. email security@wordpress.org
       DON'T: 1. maliciously exploit other wordpress sites; 2. publish details of the vulnerability before it has been fixed
  109. upgrade to 3.7
  110. SELECT * FROM questions
