
Anatomy of a WordPress Hack

Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.

Transcript

  • 1. @brennenbyrne
  • 2. ANATOMY OF A WORDPRESS HACK
  • 3. security is hard
  • 4. security is REALLY hard
  • 5. security is REALLY REALLY hard
  • 6. but probably NOT for the reasons you’re thinking
  • 7. that’s because security is all about the details
  • 8. 3 hacks that broke wordpress: sqli, xss, clickjacking (and how they were fixed)
  • 9. this talk is probably for you
  • 10. this talk is probably for you (it’s a really good talk)
  • 11. you might be wondering “if these have already been fixed, why are we still talking about them?”
  • 12. almost 20% of the web runs on wordpress
  • 13. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites
  • 14. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites; they’ll happen again
  • 15. almost 20% of the web runs on wordpress; lots of attacks on wordpress sites; they’ll happen again; it’s fun and interesting
  • 16. hello, my name is brennen @brennenbyrne
  • 17. I’m a founder of Clef (getclef.com)
  • 18. anatomy of a wordpress hack
  • 19. XSS: cross site scripting
  • 20. XSS: cross site scripting, when a hacker is able to run arbitrary code in every user’s browser
  • 21. let’s hack
  • 22. how
  • 23. <{$icontag} class='gallery-icon'> ... </{$icontag}>
  • 24. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (begin html open tag)
  • 25. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (unsanitized user input)
  • 26. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (end html open tag)
  • 27. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (begin html close tag)
  • 28. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (unsanitized user input)
  • 29. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (end html close tag)
  • 30. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (unsanitized user input, in both tags)
  • 31. <{$icontag} class='gallery-icon'> ... </{$icontag}>  (unsanitized user input, in both tags)
  • 32. unsanitized user input
  • 33. exploit unsanitized user input
  • 34. $icontag = script src='hack.js'
  • 35. $icontag = script src='hack.js'  (create a script tag)
  • 36. $icontag = script src='hack.js'  (load an evil script)
  • 37. how bad is this?
  • 38. full site compromise
  • 39. one line fix!
  • 40. $icontag = tag_escape($icontag)
  • 41. $icontag = tag_escape($icontag)  (removes potentially malicious code)
  • 42. Clickjacking
  • 43. clickjacking: when a hacker tricks you into clicking something you don’t want to click
  • 44. let’s hack
  • 45. how
  • 46. this is your site
  • 47. this is your site with an iframe www.another-site.com
  • 48. now imagine the green is the article and the red is “delete post”
  • 49. now imagine the green is the article and the red is “delete post”
  • 50. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
  • 51. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>  (embedding site in another site)
  • 52. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>  (embedding admin page)
  • 53. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>  (admin page is fully transparent)
  • 54. <iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>  (admin page is above another page)
  • 55. delete post
  • 56. allow embedding of valuable pages
  • 57. how bad is this?
  • 58. full site compromise
  • 59. one line fix!
  • 60. @header( 'X-Frame-Options: SAMEORIGIN' );
  • 61. @header( 'X-Frame-Options: SAMEORIGIN' );  (add header to responses for valuable pages)
  • 62. @header( 'X-Frame-Options: SAMEORIGIN' );  (tell browser to only allow iframe embed when it’s on the same domain)
  • 63. SQL injection
  • 64. SQL injection: when bad people access your database in bad ways
  • 65. let’s hack
  • 66. how
  • 67. SELECT ... LIMIT $args[4]
  • 68. SELECT ... LIMIT $args[4]  (select categories from database)
  • 69. SELECT ... LIMIT $args[4]  (limit number of categories selected)
  • 70. SELECT ... LIMIT $args[4]  (unsanitized user input)
  • 71. SELECT ... LIMIT $args[4]  (unsanitized user input)
  • 72. unsanitized user input
  • 73. exploit unsanitized user input
  • 74. $args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
  • 75. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users  (embed a second SQL query)
  • 76. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users  (limit to 1 category and offset by 1)
  • 77. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users  (steal usernames and passwords)
  • 78. 5 character fix!
  • 79. (int) $args[4]
  • 80. (int) $args[4]  (sanitize user input by coercing it to an integer)
  • 81. how bad is this?
  • 82. full site compromise
  • 83. how does this happen?
  • 84. security is in the details
  • 85. security is hard
  • 86. so what should you do?
  • 87. 1 you cannot know everything
  • 88. 1 you cannot know everything
  • 89. 1 you can always learn more
  • 90. 1 education
  • 91. 2 you will always make mistakes
  • 92. 2 you will always make mistakes
  • 93. 2 you must learn from your mistakes
  • 94. 2 experience
  • 95. 3 you cannot write secure code
  • 96. 3 you cannot write secure code
  • 97. 3 we can write secure code
  • 98. 3 we can write secure code
  • 99. 3 community
  • 100. closing thoughts
  • 101. thanks
  • 102. XSS: Jon Cave
  • 103. XSS: Jon Cave; Clickjacking: Andrew Horton
  • 104. XSS: Jon Cave; Clickjacking: Andrew Horton; SQLi: Alexander Concha
  • 105. XSS: Jon Cave; Clickjacking: Andrew Horton; SQLi: Alexander Concha; WordPress Security Team
  • 106. XSS: Jon Cave; CSRF: Alexander Concha; SQLi: Alexander Concha; WordPress Security Team; WordPress Community
  • 107. what if I find a security issue?
  • 108. DO: 1. verify that it is a real issue; 2. email security@wordpress.org. DON’T: 1. maliciously exploit other wordpress sites; 2. publish details of the vulnerability before it has been fixed
  • 109. upgrade to 3.7
  • 110. SELECT * FROM questions
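
The gallery-icon XSS from slides 23-41, as an added PHP example (not the speaker's code and not WordPress core): the vulnerable interpolation beside the fixed one. tag_escape_like(), the two render functions and the inputs are stand-ins constructed here; the escape is modelled on WordPress's tag_escape() so the file runs without WordPress loaded.

```php
<?php
// Added example, not from the talk or WordPress core. Models how a shortcode
// attribute ($icontag) ends up as an HTML tag name, with and without escaping.

/** Allowlist escape for an HTML tag name, modelled on WordPress tag_escape():
 *  lowercase, and keep only [a-zA-Z0-9_:]. Everything else is dropped. */
function tag_escape_like(string $tag_name): string {
    return strtolower(preg_replace('/[^a-zA-Z0-9_:]/', '', $tag_name));
}

/** Vulnerable pattern: the user-supplied tag name is interpolated unescaped. */
function render_gallery_icon_unsafe(string $icontag, string $inner): string {
    return "<{$icontag} class='gallery-icon'>{$inner}</{$icontag}>";
}

/** Fixed pattern: the one-line escape from slide 40, applied before use. */
function render_gallery_icon_fixed(string $icontag, string $inner): string {
    $icontag = tag_escape_like($icontag);
    return "<{$icontag} class='gallery-icon'>{$inner}</{$icontag}>";
}

// Constructed inputs: a normal shortcode value and the payload from slide 34.
$normal  = 'dl';
$payload = "script src='hack.js'";

// Normal input renders the intended element either way.
echo render_gallery_icon_unsafe($normal, '...'), PHP_EOL;
echo render_gallery_icon_fixed($normal, '...'), PHP_EOL;

// With the payload, the unsafe render opens a <script> element whose src
// points at the attacker's file. The fixed render strips the space, the
// quotes, the '=' and the '.', leaving one made-up tag name that the browser
// treats as an unknown, inert element.
echo render_gallery_icon_unsafe($payload, '...'), PHP_EOL;
echo render_gallery_icon_fixed($payload, '...'), PHP_EOL;

// Check a reviewer can apply to any value that will be used as a tag name:
// after escaping it must be a bare name, with nothing a browser could parse
// as an attribute, a closing bracket or a second tag.
function is_bare_tag_name(string $value): bool {
    return (bool) preg_match('/^[a-z][a-z0-9_:]*$/', $value);
}
// The raw payload fails this check; the escaped value passes it.
var_dump(is_bare_tag_name($payload), is_bare_tag_name(tag_escape_like($payload)));
```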
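
The clickjacking defence from slides 50-62, as an added PHP example (not from the talk or WordPress core): emitting the header on a valuable page, plus a check that a captured response's headers actually stop cross-origin framing. The function names and the sample header arrays (name => value) are assumptions constructed for this example.

```php
<?php
// Added example, not from the talk or WordPress core. The defender's side of
// the hidden-iframe attack on slide 50: send the header, then verify it.

/** Emit the header from slide 60; must run before any output is sent. */
function send_frame_options_sameorigin(): void {
    if (!headers_sent()) {
        header('X-Frame-Options: SAMEORIGIN');
    }
}

/**
 * Report whether a browser will refuse to frame the page cross-origin.
 * Accepts the legacy X-Frame-Options header (DENY or SAMEORIGIN) or a
 * Content-Security-Policy frame-ancestors directive that does not open
 * framing to arbitrary origins. Anything else counts as unprotected.
 */
function is_frame_protected(array $headers): bool {
    $h = array_change_key_case($headers, CASE_LOWER);

    $xfo = strtoupper(trim($h['x-frame-options'] ?? ''));
    if ($xfo === 'DENY' || $xfo === 'SAMEORIGIN') {
        return true;
    }

    $csp = strtolower($h['content-security-policy'] ?? '');
    if (preg_match('/frame-ancestors\s+([^;]+)/', $csp, $m)) {
        $sources  = preg_split('/\s+/', trim($m[1]));
        $wildcard = ['*', 'http:', 'https:'];
        return count(array_intersect($sources, $wildcard)) === 0;
    }
    return false;
}

// Constructed responses for an admin page: before the fix, after the
// one-line fix, a CSP equivalent, and a CSP that still allows any framer.
$before = ['Content-Type' => 'text/html; charset=UTF-8'];
$after  = $before + ['X-Frame-Options' => 'SAMEORIGIN'];
$csp    = $before + ['Content-Security-Policy' => "frame-ancestors 'self'"];
$open   = $before + ['Content-Security-Policy' => 'frame-ancestors *'];

// The responses without a restricting header ($before, $open) still let the
// transparent-iframe overlay from slide 50 work; the other two do not.
foreach (['before' => $before, 'after' => $after, 'csp' => $csp, 'open' => $open] as $name => $response) {
    printf("%-6s frame-protected: %s\n", $name, is_frame_protected($response) ? 'yes' : 'no');
}
```

In WordPress itself the equivalent of the first function is core's send_frame_options_header(), which core attaches to the admin and login screens; the checker is useful for confirming that a plugin or proxy has not stripped the header again.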
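
The LIMIT injection from slides 67-80, as an added PHP example (not from the talk or WordPress core): the unsafe query builder, the 5-character (int) fix, and the equivalent %d placeholder form. The table and column names and the argument array are constructed here, since the slide elides the real query as `SELECT ... LIMIT $args[4]`.

```php
<?php
// Added example, not from the talk or WordPress core. Builds the category
// query both ways and shows why a plain integer cast is enough.

/** Vulnerable: whatever is in $args[4] is spliced into the SQL text. */
function build_category_query_unsafe(array $args): string {
    return "SELECT term_id, name FROM wp_terms LIMIT $args[4]";
}

/** Fixed (slide 79): coerce first, so only an integer can reach the SQL. */
function build_category_query_fixed(array $args): string {
    $limit = (int) $args[4];
    return "SELECT term_id, name FROM wp_terms LIMIT $limit";
}

/** Same effect via a %d placeholder, the placeholder form $wpdb->prepare()
 *  supports; sprintf's %d coerces a string the same way (int) does. */
function build_category_query_prepared(array $args): string {
    return sprintf('SELECT term_id, name FROM wp_terms LIMIT %d', $args[4]);
}

// Constructed argument list: positions 0-3 stand in for the other shortcode
// arguments; position 4 carries the payload from slide 74 instead of a number.
$args = ['category', 'name', 'ASC', 0,
         '1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users'];

// The unsafe query carries the whole UNION along; in the two fixed versions
// LIMIT is followed by nothing but the leading digit of the payload.
echo build_category_query_unsafe($args), PHP_EOL;
echo build_category_query_fixed($args), PHP_EOL;
echo build_category_query_prepared($args), PHP_EOL;

// Why the cast is enough: PHP's (int) keeps the leading integer of a string
// and discards everything after it, and yields 0 for a non-numeric string,
// so no SQL keyword can survive the coercion.
var_dump((int) $args[4], (int) 'UNION ALL SELECT 1', (int) '10');

// A check for the generated SQL: the LIMIT clause must end in a bare number.
function limit_clause_is_numeric(string $sql): bool {
    return (bool) preg_match('/\bLIMIT\s+\d+\s*$/', $sql);
}
// False for the unsafe builder, true for the fixed one.
var_dump(limit_clause_is_numeric(build_category_query_unsafe($args)),
         limit_clause_is_numeric(build_category_query_fixed($args)));
```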
