WordPress Security - WordCamp Phoenix

  1. Secure Coding with WordPress. Mark Jaquith (@markjaquith, m@rkj.me, pronounced “JAKE-with”), markjaquith.com
  2. The state of WordPress plugin security is...
  3. Problem #1: Lack of awareness
  4. Problem #2: Apathy
  5. Goals. I want you to learn the following: (1) how to thwart the three most common attacks, (2) two useful principles, and (3) common mistakes to avoid.
  6. Attack #1: SQL Injection
  7. $wpdb->query( "UPDATE $wpdb->posts SET post_title = $newtitle WHERE ID = $my_id" ); (vulnerable: $newtitle and $my_id are pasted straight into the SQL text)
  8. $wpdb->update()
  9. $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
  10. $sets = array( 'post_title' => $newtitle, 'post_content' => $newcontent ); $wheres = array( 'post_type' => 'post', 'post_name' => $my_name ); $wpdb->update( $wpdb->posts, $sets, $wheres );
  11. $wpdb->insert( $table, $data )
  12. $wpdb->prepare()
  13. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );
  14. • Powered by sprintf(), but only %s and %d are supported right now • Do not quote %s: write %s, NOT '%s' (prepare() adds the quotes around %s itself) • Does the escaping for you
  15. Rule #1: Escape Late. Escape data at the point where it is used (the query, the page), not when it is received.
  16. Attack #2: XSS (Cross-Site Scripting)
  17. <h1><?php echo $title ?></h1> (vulnerable: $title is echoed unescaped)
  18. $title = '<script>pwnage();</script>';
  19. Rule #2: Anything that isn't hardcoded is suspect
  20. Rule #2 (revised): Everything is suspect
  21. Easy as...
  22. esc_html()
  23. <h1><?php echo esc_html( $title ); ?></h1>
  24. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>
  25. esc_attr()
  26. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>
  27. <?php $url = 'javascript:pwnd();'; ?> <a href="<?php echo $url; ?>">Link Text</a>
  28. esc_url()
  29. esc_url_raw() (for URLs going to the database or a redirect, not into HTML)
  30. esc_js()
  31. <script>var foo = '<?php echo esc_js( $unsafe ); ?>';</script> (esc_js() is meant for a single-quoted JavaScript string)
  32. esc_textarea()
  33. wp_filter_kses()
  34. Attack #3: CSRF (Cross-Site Request Forgery)
  35. Authorization vs. Intention
  36. Nonces: action-, object-, and user-specific time-limited secret keys
  37. Specific to: • WordPress user • Action attempted • Object of attempted action • Time window
  38. wp_nonce_field( 'plugin-action_object' )
  39. <form action="process.php" method="post"> <?php wp_nonce_field( 'plugin-action_object' ); ?> ... </form>
  40. check_admin_referer( 'plugin-action_object' );
  41. Still need to use current_user_can(): a valid nonce proves the user intended the action, not that they are allowed to perform it
  42. CSRF for Ajax/XHR
  43. // 1. On the front end: $nonce = wp_create_nonce( 'your_action' ); // 2. Add &_ajax_nonce=$nonce to your POST/GET vars // 3. On the backend: check_ajax_referer( 'your_action' );
  44. Stupid shit I see all the time
  45. eval()
  46. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> (reflects the attacker-controlled request URL into the page unescaped)
  47. <a href="<?php echo $home; ?>" title="<?php echo $title; ?>"><?php echo $text; ?></a> <script>var foo = '<?php echo $var; ?>';</script>
  48. <a href="<?php echo esc_url( $home ); ?>" title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a> <script>var foo = '<?php echo esc_js( $var ); ?>';</script>
  49. Thanks! Mark Jaquith (@markjaquith, m@rkj.me, “JAKE-with”), markjaquith.com
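The two UPDATEs from slides 7 and 9 run side by side, as an added example that is not code from the talk. PDO with an in-memory SQLite database stands in for $wpdb so it runs without WordPress or MySQL; it assumes the pdo_sqlite extension is loaded. The table, rows and attacker string are constructed for the demonstration.

```php
<?php
// Added example (not from the talk): the slide-7 UPDATE with the value
// interpolated into the SQL text, next to the same UPDATE with the value
// bound as a parameter, which is what $wpdb->update() / $wpdb->prepare()
// do for you inside a plugin.

function fresh_posts_table(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO posts (ID, post_title) VALUES
               (1, 'Hello world'), (2, 'Second post'), (3, 'Third post')");
    return $db;
}

// ID => post_title for every row, so the effect of each UPDATE is visible.
function titles(PDO $db): array {
    return $db->query('SELECT ID, post_title FROM posts ORDER BY ID')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed attacker input for the "new title" field. The vulnerable query
// never quotes the value, so the attacker supplies the quotes, and the trailing
// comment marker swallows the WHERE clause that was meant to limit the update.
$newtitle = "'pwned' --";
$my_id    = 1;

// --- Vulnerable (slide 7 shape). The statement actually executed is:
//     UPDATE posts SET post_title = 'pwned' -- WHERE ID = 1
// i.e. an unconditional UPDATE of the whole table.
$db = fresh_posts_table();
$db->exec("UPDATE posts SET post_title = $newtitle WHERE ID = $my_id");
print_r(titles($db));

// --- Safe (slide 9 shape). The value travels to the database as a bound
// parameter and is stored verbatim, quotes and comment marker included; the
// WHERE clause is untouched because the value is never part of the SQL text.
$db = fresh_posts_table();
$stmt = $db->prepare('UPDATE posts SET post_title = :title WHERE ID = :id');
$stmt->execute([':title' => $newtitle, ':id' => $my_id]);
print_r(titles($db));
```

The same separation is the point of $wpdb->prepare(): the query text with %s and %d placeholders is fixed by the developer, and only the arguments vary. Table and column names cannot be passed as placeholders, which is why the slides interpolate $wpdb->posts directly and pass only the data values as arguments.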
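The three payloads from slides 18, 24 and 27 rendered into each output context, as an added example that is not code from the talk. The functions below are plain-PHP stand-ins written for this example (their names are not WordPress's); in a plugin use esc_html(), esc_attr(), esc_url() and esc_js() as shown on slides 22 to 31. Inputs are constructed.

```php
<?php
// Added example (not from the talk): context-specific escaping, one function
// per output context, then the unescaped link from slide 47 rebuilt safely.

// HTML body text and attribute values: entity-encode the characters that can
// change the HTML parser's state. ENT_QUOTES covers both " and ', so the
// result is safe in either attribute quoting style.
function html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function html_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URLs: entity encoding is not enough, because javascript:pwnd() is a perfectly
// well-formed attribute value. Strip control characters (browsers ignore them
// when parsing a scheme), allow only a short list of schemes plus relative
// URLs, and drop everything else, the way esc_url() returns '' for a
// disallowed protocol.
function safe_url(string $s): string {
    $s = preg_replace('/[\x00-\x1f\x7f]/', '', trim($s));
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $s, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        return '';
    }
    return html_attr($s);
}

// JavaScript string literals: let json_encode() produce the whole literal.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so a value
// containing </script> cannot terminate the script block. Unlike esc_js(),
// this emits the surrounding quotes itself, so the template must not add any.
function js_string(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Slide 47's markup with every dynamic value escaped for its own context.
function render(string $home, string $title, string $text, string $var): string {
    return '<a href="' . safe_url($home) . '" title="' . html_attr($title) . '">'
         . html_text($text) . "</a>\n"
         . '<script>var foo = ' . js_string($var) . ';</script>';
}

// Constructed inputs: the payloads from slides 27, 24 and 18, plus one aimed
// at breaking out of the script block.
echo render(
    'javascript:pwnd();',
    '" onmouseover="pwnd();',
    '<script>pwnage();</script>',
    '</script><script>pwnd();</script>'
), "\n";
```

Slide 46's form action is the same href context: $_SERVER['REQUEST_URI'] is attacker-controlled and must go through esc_url() (or a stand-in like safe_url() above) before it is echoed.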
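The nonce scheme on slides 36 to 43 carried through end to end, as an added example that is not code from the talk. WordPress's wp_create_nonce() and wp_verify_nonce() use the same tick-based design (with their own hash function and a per-session token mixed in); this stand-alone version uses HMAC-SHA256 with a caller-supplied secret so it runs without WordPress. The secret, timestamps, user ids and post ids are constructed, and the handler at the end is a sketch whose capability check is passed in as a boolean in place of current_user_can().

```php
<?php
// Added example (not from the talk): a user-, action-, object- and
// time-specific nonce, and the request handler that checks it together
// with an authorization check.

const NONCE_LIFE = 24 * 60 * 60;   // a nonce is accepted for 12 to 24 hours

// The clock is divided into half-life ticks; a nonce is bound to the tick in
// which it was minted and accepted during that tick and the next one.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// The object is part of the action string (e.g. 'myplugin-delete_42'), which is
// what makes the nonce object-specific without a separate field.
function nonce_for_tick(string $secret, int $tick, string $action, int $user_id): string {
    $mac = hash_hmac('sha256', $tick . '|' . $action . '|' . $user_id, $secret);
    return substr($mac, -12, 10);    // 10 hex characters, the length WordPress uses
}

function create_nonce(string $secret, string $action, int $user_id, int $now): string {
    return nonce_for_tick($secret, nonce_tick($now), $action, $user_id);
}

// Returns 1 if the nonce was minted in the current tick, 2 if in the previous
// one, false otherwise. hash_equals() keeps the comparison constant-time.
function verify_nonce(string $secret, string $nonce, string $action, int $user_id, int $now) {
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($secret, $tick, $action, $user_id), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($secret, $tick - 1, $action, $user_id), $nonce)) {
        return 2;
    }
    return false;
}

// Slides 40 and 41 in one handler: the nonce proves intent (not a forged
// cross-site request), the capability check proves permission. Both are needed.
function handle_delete(string $secret, array $request, int $user_id, bool $user_can_delete, int $now): string {
    $post_id = (int) ($request['post_id'] ?? 0);
    $nonce   = (string) ($request['_wpnonce'] ?? '');
    if (false === verify_nonce($secret, $nonce, 'myplugin-delete_' . $post_id, $user_id, $now)) {
        return 'refused: missing, forged or stale nonce';
    }
    if (!$user_can_delete) {   // current_user_can( 'delete_post', $post_id ) in WordPress
        return 'refused: not authorized';
    }
    return "deleted post $post_id";
}

// Constructed scenario: user 7 is shown a "delete post 42" form at time $now.
// In WordPress the secret comes from the salts in wp-config.php.
$secret = 'constructed-example-secret-use-a-long-random-value';
$now    = 1700000000;
$nonce  = create_nonce($secret, 'myplugin-delete_42', 7, $now);

var_dump(
    verify_nonce($secret, $nonce, 'myplugin-delete_42', 7, $now),                   // same user, action and object
    verify_nonce($secret, $nonce, 'myplugin-delete_43', 7, $now),                   // different object
    verify_nonce($secret, $nonce, 'myplugin-delete_42', 8, $now),                   // different user
    verify_nonce($secret, $nonce, 'myplugin-delete_42', 7, $now + 2 * NONCE_LIFE)   // outside the time window
);

var_dump(
    handle_delete($secret, ['post_id' => 42, '_wpnonce' => $nonce], 7, true,  $now),   // intent and permission
    handle_delete($secret, ['post_id' => 42, '_wpnonce' => $nonce], 7, false, $now),   // intent without permission
    handle_delete($secret, ['post_id' => 42, '_wpnonce' => 'bogus'], 7, true, $now)    // permission without proof of intent
);
```

For the Ajax path on slide 43 nothing changes in the verification: the same nonce travels as the _ajax_nonce request variable instead of a hidden form field, and check_ajax_referer() performs the check that check_admin_referer() does for a normal form post.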