WordPress Security - WordCamp Phoenix

Secure Coding with WordPress @markjaquithMark Jaquith m@rkj.me “JAKE-with” markjaquith.com

The state ofWordPress plugin security is...

Problem #1 Lack ofawareness

Problem #2Apathy

Goals I want you to learn the following:1. How to thwart the three mostcommon attacks2. Two useful principles3. Common mistakes to avoid

Attack #1 SQLInjection

$wpdb->query( "UPDATE $wpdb->posts SET post_title = $newtitle WHERE ID = $my_id");

$wpdb->update()

$wpdb->update( $wpdb->posts, array( post_title => $newtitle ), array( ID => $my_id ));

$sets = array( post_title => $newtitle, post_content => $newcontent);$wheres = array( post_type => post, post_name => $my_name);$wpdb->update( $wpdb->posts, $sets, $wheres );

$wpdb->insert( $table, $data )

$wpdb->prepare()

$wpdb->prepare( "SELECT * FROM $wpdb->postsWHERE post_name = %s OR ID = %d", $some_name, $some_id);

• Powered by sprintf(), but only %sand %d are supported right now• Do not quote %s — use %s, NOT %s• Does the escaping for you

Rule #1Escape Late

Attack #2 XSS(Cross-Site Scripting)

$title = <script>pwnage();</script>;

Rule #2 Anything thatisn’t hardcoded is suspect

Rule #2 (revised)Everything is suspect

Easy as...

esc_html()

<?php $title = " onmouseover="pwnd();; ?><a href="#wordcamp" title="<?php echo$title; ?>">Link Text</a>

esc_attr()

<?php $title = " onmouseover="pwnd();; ?><a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>

<?php $url = javascript:pwnd(); ?><a href="<?php echo $url; ?>">Link Text</a>

esc_url()

esc_url_raw()

esc_js()

esc_textarea()

wp_filter_kses()

Attack #3 CSRFCross-site Request Forgery

Authorization vs.Intention

Noncesaction-, object-, & user-specific time-limited secret keys

Specific to• WordPress user• Action attempted• Object of attempted action• Time window

wp_nonce_field( plugin-action_object )

check_admin_referer( plugin-action_object );

Still need to usecurrent_user_can()

CSRF forAjax/XHR

// 1. On the front end$nonce = wp_create_nonce( your_action );// 2. add &_ajax_nonce=$nonce to your// post/get vars// 3. On the backendcheck_ajax_referer( your_action );

Stupid shit Isee all the time

eval()

<a href="<?php echo $home; ?>" title="<?php echo $title; ?>"><?php echo $text; ?></a><script>var foo = <?php echo $var; ?>;</script>

<a href="<?php echo esc_url( $home ); ?>" title="<?phpecho esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a><script>var foo = <?php echo esc_js( $var ); ?>;</script>

Thanks! @markjaquithMark Jaquith m@rkj.me “JAKE-with” markjaquith.com

http://yoav.wordpress.com	180
http://phxwordcamp.com	16
http://edicolaeuropea.blogspot.com	4
http://paper.li	1

WordPress Security - WordCamp Phoenix

by Mark Jaquith

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 201

Statistics

WordPress Security - WordCamp Phoenix Presentation Transcript