@brennenbyrne
ANATOMY OF A WORDPRESS HACK
security is hard

security is REALLY hard

security is REALLY REALLY hard

but probably NOT for the reasons you're thinking

that's because security is all about the details
3 hacks that broke wordpress

sqli
xss
clickjacking
(and how they were fixed)
this talk is probably for you
(it's a really good talk)

you might be wondering: "if these have already been fixed, why are we still talking about them?"

almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they'll happen again
it's fun and interesting
hello, my name is brennen

@brennenbyrne
I’m a founder of Clef
(getclef.com)
anatomy of a wordpress hack

XSS
cross site scripting

when an attacker can run arbitrary script in the browser of every user who views the affected page, with that user's session
let's hack

how

<{$icontag} class='gallery-icon'> ... </{$icontag}>

  <{$icontag}              begin html open tag: $icontag is unsanitized user input
                           (the icontag attribute of the [gallery] shortcode),
                           inserted in tag-name position
  class='gallery-icon'>    end html open tag
  </{$icontag}>            html close tag, built from the same unsanitized input
exploit

$icontag = script src='hack.js'

  the template above becomes
  <script src='hack.js' class='gallery-icon'> ... </script src='hack.js'>

  create a script tag, load an evil script from a host the attacker controls
how bad is this?

full site compromise: the script runs with the privileges of whoever is viewing the page, so when an administrator loads it, it can act as that administrator

one line fix!

$icontag = tag_escape($icontag)

  tag_escape() strips every character that is not a letter, digit, underscore or colon and lowercases the rest, so the value can no longer contain spaces, quotes or angle brackets: it cannot add attributes or start a different tag. Attribute escaping (esc_attr) would not help here, because the value is in tag-name position, not inside a quoted attribute.
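The gallery markup above, built from a hostile icontag before and after the fix, as an added example (this is not code from the slides or from WordPress). tag_escape_stub() is a stand-in that reproduces what WordPress's tag_escape() does to the tag name; the real function also passes its result through the 'tag_escape' filter. The payload string and the 'hack.js' file name are constructed for the example.

```php
<?php
// Added example, not code from the slides or from WordPress.
// Stand-in for WordPress's tag_escape(): keep only [A-Za-z0-9_:] and lowercase.
// The real function also applies the 'tag_escape' filter to the result.
function tag_escape_stub(string $tag_name): string
{
    return strtolower(preg_replace('/[^a-zA-Z0-9_:]/', '', $tag_name));
}

// Vulnerable: $icontag lands in tag-name position unescaped, as on the slide.
function gallery_icon_vulnerable(string $icontag, string $inner): string
{
    return "<{$icontag} class='gallery-icon'>{$inner}</{$icontag}>";
}

// Fixed: the one-line change from the slides, applied before the markup is built.
function gallery_icon_fixed(string $icontag, string $inner): string
{
    $icontag = tag_escape_stub($icontag);
    return "<{$icontag} class='gallery-icon'>{$inner}</{$icontag}>";
}

// Reviewer's check for any value that ends up as a tag name: a safe tag name is a
// single token starting with a letter, with no whitespace, quotes or angle brackets.
function is_safe_tag_name(string $tag_name): bool
{
    return preg_match('/^[a-z][a-z0-9_:]*$/', $tag_name) === 1;
}

// Constructed payload: the icontag value from the slides. In WordPress such values
// arrive through the [gallery] shortcode in post content.
$payload = "script src='hack.js'";

echo "vulnerable: ", gallery_icon_vulnerable($payload, '...'), PHP_EOL;
echo "fixed:      ", gallery_icon_fixed($payload, '...'), PHP_EOL;

// Self-check: after the fix no <script element may appear in the output.
$fixed = gallery_icon_fixed($payload, '...');
echo (stripos($fixed, '<script ') === false && is_safe_tag_name(tag_escape_stub($payload)))
    ? 'fixed output is safe' : 'STILL VULNERABLE', PHP_EOL;
```

Run it with `php example.php`: the vulnerable version emits a real script element whose src is the attacker's file, while the fixed version collapses the whole payload into one harmless unknown element name, which the browser renders as an inert tag.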
Clickjacking

when an attacker tricks you into clicking something you don't want to click, by laying an invisible copy of a page you are logged in to over a page you think you are clicking

let's hack

how

this is your site

this is your site with an iframe from www.another-site.com

now imagine the green is the article and the red is "delete post"
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>

  <iframe src="admin_url">   embeds your admin page inside the attacker's site;
                             the visitor's browser sends their WordPress cookies
                             with the framed request, so the frame shows the admin
                             page logged in as them
  opacity: 0                 admin page is fully transparent
  z-index: 100               admin page sits above the attacker's page, so the click
                             the visitor aims at a decoy lands on "delete post"

delete post

root cause: valuable pages allowed themselves to be embedded by any site

how bad is this?

full site compromise (any action the framed admin can take with a click)

one line fix!

@header( 'X-Frame-Options: SAMEORIGIN' );

  add the header to responses for valuable pages (WordPress sends it from
  send_frame_options_header(), hooked to run on admin and login pages)

  tells the browser to render the page in a frame only when the framing page is on
  the same origin (scheme, host and port); DENY refuses framing altogether

  caveat: the leading @ only silences PHP's "headers already sent" warning. if any
  output has gone out before the call, the header is not sent at all, which is why
  the call has to run before the page starts rendering
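The check a reviewer runs against captured response headers, as an added example (not code from the slides or from WordPress): given a page's headers, its origin and the origin of the page trying to frame it, decide whether the browser will render the frame. It handles X-Frame-Options and the CSP frame-ancestors directive that newer browsers prefer over it; host wildcards and scheme-only CSP sources are deliberately not handled. The header sets and the two origins are constructed for the example.

```php
<?php
// Added example, not code from the slides or from WordPress: decide whether a
// response may be shown inside a frame on a given top-level page, from its
// headers. Origins are scheme://host[:port]; header names are case-insensitive.
// CSP host wildcards (*.example) and scheme-only sources are not handled here.
function is_frameable(array $headers, string $page_origin, string $top_origin): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $page_origin = strtolower($page_origin);
    $top_origin  = strtolower($top_origin);

    // CSP Level 2: a frame-ancestors directive overrides X-Frame-Options.
    if (isset($h['content-security-policy'])
        && preg_match('/frame-ancestors\s+([^;]*)/i', $h['content-security-policy'], $m)) {
        foreach (preg_split('/\s+/', trim($m[1])) as $src) {
            $src = strtolower($src);
            if ($src === "'none'") {
                return false;
            }
            if ($src === '*' || $src === $top_origin
                || ($src === "'self'" && $top_origin === $page_origin)) {
                return true;
            }
        }
        return false; // a list is present and the embedder is not on it
    }

    if (isset($h['x-frame-options'])) {
        $xfo = strtoupper(trim($h['x-frame-options']));
        if ($xfo === 'DENY') {
            return false;
        }
        if ($xfo === 'SAMEORIGIN') {
            return $top_origin === $page_origin;
        }
        // ALLOW-FROM and anything else: inconsistently supported, assume no protection.
        return true;
    }

    return true; // no framing restriction at all
}

// Constructed header sets: the admin page before and after the WordPress fix,
// plus the CSP equivalent of the fix.
$site     = 'https://blog.example';
$attacker = 'https://another-site.example';

$before = ['Content-Type' => 'text/html; charset=UTF-8'];
$after  = $before + ['X-Frame-Options' => 'SAMEORIGIN'];
$csp    = $before + ['Content-Security-Policy' => "frame-ancestors 'self'"];

$cases = [
    'before the fix, framed by attacker' => is_frameable($before, $site, $attacker),
    'after the fix,  framed by attacker' => is_frameable($after,  $site, $attacker),
    'after the fix,  framed by the site' => is_frameable($after,  $site, $site),
    'csp equivalent, framed by attacker' => is_frameable($csp,    $site, $attacker),
];
foreach ($cases as $label => $frameable) {
    echo $label, ': ', $frameable ? 'frameable (clickjackable)' : 'blocked', PHP_EOL;
}
```

To feed it real data, capture the headers of the page you care about (for instance `curl -sI https://your-site/wp-admin/`) and build the array from them; the same-origin case is included because a header that also broke the site's own legitimate frames would be rejected by developers and removed.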
SQL injection

when attacker-controlled input becomes part of a query, so the attacker runs SQL of their own against your database

let's hack

how

SELECT ... LIMIT $args[4]

  SELECT ...         select categories from the database
  LIMIT $args[4]     limit the number of categories selected; $args[4] is
                     unsanitized user input pasted straight into the query text
exploit

$args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users

  1 OFFSET 1                          limit to 1 category and offset by 1, so the
                                      legitimate part of the query still parses
  UNION ALL SELECT user_login,        appends a second query; its rows come back in
    user_pass FROM wp_users           the same result set as the categories, so the
                                      attacker reads usernames and password hashes

5 character fix!

(int) $args[4]

  sanitize user input by coercing it to an integer: PHP keeps the leading number of
  the string and drops everything after it, so the payload above becomes 1 and no
  SQL from the attacker reaches the query

how bad is this?

full site compromise
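The LIMIT clause built from an untrusted value, before and after the cast, as an added example (not code from the slides or from WordPress). It also shows what the cast does with inputs the slide does not cover and a stricter variant for new code. The table name wp_terms in the outer query and the set of inputs are assumed for the example; the payload is the one from the slide.

```php
<?php
// Added example, not code from the slides or from WordPress. The LIMIT value
// comes from an untrusted parameter, as $args[4] does on the slide; the table
// name wp_terms in the outer query is assumed for the example.

// Vulnerable: whatever the caller sends becomes part of the SQL text.
function category_query_vulnerable(string $limit): string
{
    return "SELECT name FROM wp_terms LIMIT {$limit}";
}

// The slides' fix. A PHP (int) cast keeps the leading integer of a string and
// drops everything after it, so no SQL from the caller can reach the query.
function category_query_fixed(string $limit): string
{
    $limit = (int) $limit;
    return "SELECT name FROM wp_terms LIMIT {$limit}";
}

// Stricter variant for new code: accept only a non-negative integer and refuse
// anything else. (int) alone still passes "-1", which MySQL rejects with a
// syntax error, and turns "abc" into LIMIT 0, which silently returns nothing;
// WordPress's absint() covers the clamping part of this.
function category_query_strict(string $limit): ?string
{
    if (preg_match('/^\d+$/', $limit) !== 1) {
        return null;
    }
    return 'SELECT name FROM wp_terms LIMIT ' . (int) $limit;
}

// Constructed inputs: a normal value, the slides' payload, and edge cases.
$payload = '1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users';

foreach (['5', $payload, 'abc', '-1', '12abc'] as $input) {
    printf("input %s\n", var_export($input, true));
    printf("  vulnerable: %s\n", category_query_vulnerable($input));
    printf("  fixed:      %s\n", category_query_fixed($input));
    printf("  strict:     %s\n", category_query_strict($input) ?? 'rejected');
}
```

Inside WordPress the idiomatic form is `$wpdb->prepare( '... LIMIT %d', $limit )`, whose `%d` placeholder performs the same integer coercion; the point of the cast (or the placeholder) is that a LIMIT operand can only ever be a number, so the fix removes the whole class of input rather than a particular payload.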
how does this happen?

security is in the details

security is hard

so what should you do?

1  you cannot know everything
   you can always learn more
   education

2  you will always make mistakes
   you must learn from your mistakes
   experience

3  you cannot write secure code
   we can write secure code
   community
closing thoughts

thanks

XSS           Jon Cave
Clickjacking  Andrew Horton
SQLi          Alexander Concha
WordPress Security Team
WordPress Community

what if I find a security issue?

DO
1. verify that it is a real issue
2. email security@wordpress.org

DON'T
1. maliciously exploit other wordpress sites
2. publish details of the vulnerability before it has been fixed

upgrade to 3.7

SELECT * FROM questions
Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.