WRITING SECURE WORDPRESS CODE
BY BRAD WILLIAMS

Brad Williams
@williamsba
WHO IS BRAD?

Brad Williams
Co-Founder, WebDevStudios.com
Co-Author, Professional WordPress & Professional WordPress Plugin Development
Co-Organizer, WordCamp Philly
Co-Host, DradCast
TODAY’S TOPICS

• Cover the big three exploits
  • SQL Injection - SQLi
  • Cross-Site Scripting - XSS
  • Cross-Site Request Forgery - CSRF
• Hack Examples
• Data Validation and Sanitization
• Resources
TRUST NO ONE

Golden Rule of Code: Trust No One

Consider all data invalid unless it can be proven valid
SQL INJECTION - SQLI

SQL Injection (SQLi)

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution.

SQL Injection Example

    global $wpdb;
    $ID = $_GET['ID'];
    $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";

With ID=5 the query becomes:

    SELECT post_title FROM wp_posts WHERE ID = '5';

SQL Injection Example

    global $wpdb;
    $ID = "'; SELECT * FROM wp_users WHERE 1 = '1";
    $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";

The same code now builds:

    SELECT post_title FROM wp_posts WHERE ID = '';
    SELECT * FROM wp_users WHERE 1 = '1';

My Introduction to SQLi
http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
$wpdb->insert()
$wpdb->insert( $table, $data, $format )

Example:

    $wpdb->insert(
        $wpdb->postmeta,
        array(
            'post_id'    => '5',
            'meta_key'   => '_custom_meta_key',
            'meta_value' => 'true'
        ),
        array(
            '%d',
            '%s',
            '%s'
        )
    );
$wpdb->update()
$wpdb->update( $table, $data, $where, $format, $where_format )

Example:

    $wpdb->update(
        $wpdb->postmeta,
        array(
            'meta_value' => 'false'
        ),
        array(
            'post_id'  => 5,
            'meta_key' => '_custom_meta_key'
        ),
        array(
            '%s'
        ),
        array(
            '%d',
            '%s'
        )
    );
$wpdb->delete()
$wpdb->delete( $table, $where, $where_format )

Example:

    $wpdb->delete(
        $wpdb->posts,
        array( 'ID' => 5 ),
        array( '%d' )
    );
$wpdb->prepare()

• Handles strings (%s) and integers (%d)
• Does the escaping for you
• No need to quote %s

    $wpdb->prepare( " SELECT post_title FROM $wpdb->posts WHERE ID = %d ", $ID );

    $wpdb->prepare( " DELETE FROM $wpdb->postmeta
        WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );

$wpdb->prepare() only prepares the query, it does not execute it.

    $wpdb->query(
        $wpdb->prepare( " DELETE FROM $wpdb->postmeta
            WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' )
    );

To view the fully prepared query simply echo it:

    echo $wpdb->prepare( " DELETE FROM $wpdb->postmeta
        WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );

Don’t be Little Bobby Tables
http://xkcd.com/327/
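The prepare() pattern above, as an added example that is not from the slides: the ID lookup from the injection example rewritten with $wpdb->prepare(), plus the two cases a single placeholder does not cover, an IN() list and a LIKE search. It assumes it runs inside WordPress (for example in a plugin); the bw_example_* function names are hypothetical, and $wpdb->esc_like() exists from WordPress 4.0 on.

```php
<?php
/**
 * Added example, not from the slides: the ID lookup from the SQLi example
 * built with $wpdb->prepare(), plus an IN() list and a LIKE search.
 * Assumes it runs inside WordPress (e.g. in a plugin); bw_example_* names
 * are hypothetical.
 */

// Untrusted ID from the request, the same input as the vulnerable slide code.
function bw_example_get_title( $raw_id ) {
    global $wpdb;

    // %d is filled as an integer: the slide's payload "'; SELECT ..." turns
    // into 0 and never reaches the SQL grammar. No quotes around %d or %s.
    $sql = $wpdb->prepare(
        "SELECT post_title FROM $wpdb->posts WHERE ID = %d",
        $raw_id
    );

    return $wpdb->get_var( $sql );
}

// prepare() has no placeholder for a list, so build one %d per value and
// pass the values as an array (prepare() accepts an array in place of
// variadic arguments).
function bw_example_get_titles( array $raw_ids ) {
    global $wpdb;

    $ids = array_filter( array_map( 'absint', $raw_ids ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts WHERE ID IN ( $placeholders )",
        array_values( $ids )
    );

    return $wpdb->get_results( $sql );
}

// prepare() escapes quotes but not LIKE wildcards: without esc_like() a
// user-supplied "%" matches every row. esc_like() exists since WordPress 4.0.
function bw_example_search_titles( $raw_term ) {
    global $wpdb;

    $like = '%' . $wpdb->esc_like( $raw_term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts WHERE post_title LIKE %s",
        $like
    );

    return $wpdb->get_results( $sql );
}

// Constructed sample calls, e.g. from a request handler in the plugin:
// bw_example_get_title( $_GET['ID'] );
// bw_example_get_titles( array( 5, '7', 'abc' ) );   // 'abc' becomes 0 and is dropped
// bw_example_search_titles( '100% Europe' );        // the % is matched literally
```

The table name is still interpolated directly ($wpdb->posts); that is fine because it comes from $wpdb, not from the request. Only values go through placeholders, and every value does.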
  
CROSS-SITE SCRIPTING - XSS

Cross-Site Scripting (XSS)

What is Cross-Site Scripting?
Attacker injects client-side scripts into your web pages

Escaping

To escape is to take the data you may already have and help secure it prior to rendering it for the end user

Escaping function names (props to Mark Jaquith!):

1. esc_ is the prefix for all escaping functions
2. attr is the context being escaped
3. _e is the optional translation suffix
BAD:

    <h1><?php echo $title; ?></h1>

BAD:

    <?php
    $title = "<script>alert('Hello Europe!');</script>";
    ?>
    <h1><?php echo $title; ?></h1>

GOOD:

    <?php
    $title = "<script>alert('Hello Europe!');</script>";
    ?>
    <h1><?php echo esc_html( $title ); ?></h1>

View Source:

    <h1>&lt;script&gt;alert(&#039;Hello Europe!&#039;);&lt;/script&gt;</h1>
esc_attr()
Used whenever you need to display data inside an HTML element's attribute
http://codex.wordpress.org/Function_Reference/esc_attr

    <input type="text" name="name"
        value="<?php echo esc_attr( $text ); ?>" />

esc_textarea()
Used to encode text for use in a <textarea> form element
http://codex.wordpress.org/Function_Reference/esc_textarea

    <textarea name="bio">
    <?php echo esc_textarea( $bio ); ?>
    </textarea>

esc_url()
Used for validating and sanitizing URLs
http://codex.wordpress.org/Function_Reference/esc_url

    <a href="<?php echo esc_url( $url ); ?>">Link</a>

esc_url_raw()
Used for escaping a URL for database queries, redirects, and HTTP requests
Similar to esc_url(), but does not replace entities for display
http://codex.wordpress.org/Function_Reference/esc_url_raw

    <?php
    $url = 'http://wordpress.org';
    $response = wp_remote_get( esc_url_raw( $url ) );
    ?>

esc_js()
Used to escape text strings in JavaScript
http://codex.wordpress.org/Function_Reference/esc_js

    <script>
    var bwar='<?php echo esc_js( $text ); ?>';
    </script>
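The esc_*() functions above applied to one hostile string in every output context, as an added example that is not from the slides. It assumes it runs inside WordPress (a theme or plugin template); the input values are constructed test data and the 'bw-example' text domain is hypothetical.

```php
<?php
/**
 * Added example, not from the slides: one untrusted string rendered in every
 * output context the esc_*() slides cover. Assumes it runs inside WordPress
 * (a theme or plugin template); the values below are constructed test input
 * and the 'bw-example' text domain is hypothetical.
 */

// Constructed hostile input: quotes, a script tag and a javascript: URL.
$text         = "Hello \"Europe\" <script>alert('x');</script>";
$url          = 'javascript:alert(1)';
$number_posts = '12abc';
?>
<!-- HTML body text -->
<h1><?php echo esc_html( $text ); ?></h1>

<!-- Attribute value: esc_attr(), and the attribute is always quoted -->
<input type="text" name="name" value="<?php echo esc_attr( $text ); ?>" />

<!-- Translated label in an attribute: the _e suffix escapes and echoes -->
<input type="submit" value="<?php esc_attr_e( 'Submit', 'bw-example' ); ?>" />

<!-- href/src: esc_url() drops disallowed protocols, so the javascript: URL
     above renders as an empty href instead of a script -->
<a href="<?php echo esc_url( $url ); ?>">Link</a>

<!-- Inline JavaScript: esc_js() is for a single-quoted JS string literal;
     < and > become entities, so the </script> in $text cannot close the block -->
<script>
var bwText = '<?php echo esc_js( $text ); ?>';
</script>

<!-- Textarea contents -->
<textarea name="bio"><?php echo esc_textarea( $text ); ?></textarea>

<!-- A number is cast, not escaped: '12abc' renders as 12 -->
<input type="text" name="number_posts" value="<?php echo absint( $number_posts ); ?>" />
```

The rule of thumb this shows: pick the escaping function by where the output lands (text, attribute, URL, JS string, textarea), not by where the data came from.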
  
Integers

absint()
Converts a value to a non-negative integer
http://codex.wordpress.org/Function_Reference/absint

    $ID = absint( $_GET['ID'] );

    <input type="text" name="number_posts" value="<?php echo absint( $number ); ?>" />

intval()
Returns the integer value. Works with negative values
http://php.net/manual/en/function.intval.php

    $ID = intval( $_GET['ID'] );

    <input type="text" name="number_posts" value="<?php echo intval( $number ); ?>" />
Sanitizing

To sanitize is to take the data and clean it to make it safe

BAD:

    <?php
    update_post_meta(
        420,
        '_post_meta_key',
        $_POST['new_meta_value']
    );
    ?>

sanitize_text_field()
Sanitize a string
http://codex.wordpress.org/Function_Reference/sanitize_text_field

    <?php
    update_post_meta(
        34,
        '_post_meta_key',
        sanitize_text_field( $_POST['new_meta_value'] )
    );
    ?>

sanitize_email()
Strip out all characters not allowed in an email address
http://codex.wordpress.org/Function_Reference/sanitize_email

    <?php
    update_post_meta(
        34,
        '_email_address',
        sanitize_email( $_POST['email'] )
    );
    ?>

sanitize_user()
Sanitize username stripping out unsafe characters
http://codex.wordpress.org/Function_Reference/sanitize_user

    <?php
    update_post_meta(
        34,
        '_custom_username',
        sanitize_user( $_POST['username'] )
    );
    ?>

wp_kses()
Filters content and keeps only allowable HTML elements.
http://codex.wordpress.org/Function_Reference/wp_kses

    <a href="#">link</a>. This is bold and <strong>strong</strong>

wp_kses_post()
Filters post content and keeps only allowable HTML elements.
HTML tags allowed to be put into Posts by non-admin users
http://codex.wordpress.org/Function_Reference/wp_kses_post
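The sanitize_*() and wp_kses() functions above combined into one save-and-render pair, as an added example that is not from the slides: each field is sanitized by its type on the way in, a wp_kses() allowlist is used for the one field that may carry HTML, and the stored values are still escaped on the way out. It assumes it runs inside WordPress; the bw_example_* functions, the _bw_* meta keys and the sample submission are hypothetical.

```php
<?php
/**
 * Added example, not from the slides: sanitize on input, escape on output.
 * Assumes it runs inside WordPress; bw_example_* names and the _bw_* meta
 * keys are hypothetical.
 */

// Allowlist for a bio field passed to wp_kses(): only these tags and
// attributes survive; <script>, on* handlers and everything else are stripped.
function bw_example_allowed_bio_tags() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Save handler: each field gets the sanitizer that matches its type.
function bw_example_save_profile( $post_id, array $input ) {
    $post_id = absint( $post_id );

    $name  = isset( $input['name'] )  ? sanitize_text_field( $input['name'] )  : '';
    $email = isset( $input['email'] ) ? sanitize_email( $input['email'] )      : '';
    $login = isset( $input['login'] ) ? sanitize_user( $input['login'], true ) : '';
    $site  = isset( $input['site'] )  ? esc_url_raw( $input['site'] )          : '';
    $bio   = isset( $input['bio'] )   ? wp_kses( $input['bio'], bw_example_allowed_bio_tags() ) : '';

    // Sanitizing is not validating: a non-empty email that sanitize_email()
    // could not make valid is rejected rather than silently stored as ''.
    if ( ! empty( $input['email'] ) && ! is_email( $email ) ) {
        return new WP_Error( 'bw_bad_email', 'Invalid email address.' );
    }

    update_post_meta( $post_id, '_bw_name',  $name );
    update_post_meta( $post_id, '_bw_email', $email );
    update_post_meta( $post_id, '_bw_login', $login );
    update_post_meta( $post_id, '_bw_site',  $site );
    update_post_meta( $post_id, '_bw_bio',   $bio );

    return true;
}

// Output: stored values are escaped again for their context. The database
// is not a trust boundary; another plugin or an import may have written it.
function bw_example_render_profile( $post_id ) {
    $post_id = absint( $post_id );
    $name    = get_post_meta( $post_id, '_bw_name', true );
    $email   = get_post_meta( $post_id, '_bw_email', true );
    $site    = get_post_meta( $post_id, '_bw_site', true );
    $bio     = get_post_meta( $post_id, '_bw_bio', true );
    ?>
    <h2><?php echo esc_html( $name ); ?></h2>
    <p><a href="<?php echo esc_url( $site ); ?>"><?php echo esc_html( $email ); ?></a></p>
    <div class="bio"><?php echo wp_kses( $bio, bw_example_allowed_bio_tags() ); ?></div>
    <?php
}

// Constructed sample submission, e.g. $_POST after wp_unslash():
$bw_sample_input = array(
    'name'  => 'Brad <script>alert(1)</script>',                // tags stripped -> 'Brad '
    'email' => 'brad(at)example.com',                            // no '@' -> '' -> WP_Error
    'login' => 'bräd w.',                                        // accents removed, strict keeps a-z0-9 _.-@
    'site'  => 'javascript:alert(1)',                            // esc_url_raw() returns ''
    'bio'   => '<strong>Hi</strong><img src=x onerror=alert(1)>', // img removed, strong kept
);
// bw_example_save_profile( 34, $bw_sample_input );
```

Note that wp_kses() is used twice on purpose: once to decide what is stored, and once at render time so that the output is safe even if the stored value was written by code that did not use the allowlist.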
  
CROSS-SITE REQUEST FORGERY - CSRF

Cross-site Request Forgery (CSRF)

Exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

Nonces

Action, object, & user specific time-limited secret keys
Example:

    <?php
    if ( isset( $_POST['email'] ) ) {
        //process form data
    }
    ?>
    <form method="post">
    <input type="text" name="email" /><br />
    <input type="submit" name="submit" value="Submit" />
    </form>

There is no way to know where $_POST['email'] is being posted from
wp_nonce_field()
wp_nonce_field( $action, $name, $referer, $echo );
http://codex.wordpress.org/Function_Reference/wp_nonce_field

Form Code:

    <form method="post">
    <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
    <input type="text" name="email" /><br />
    <input type="submit" name="submit" value="Submit" />
    </form>

View Source:

    <form method="post">
    <input type="hidden" id="bw_newsletter" name="bw_newsletter" value="287de957e8" />
    <input type="hidden" name="_wp_http_referer" value="/x/sample-page/" />
    <input type="text" name="email" /><br />
    <input type="submit" name="submit" value="Submit" />
    </form>

check_admin_referer()
check_admin_referer( $action, $query_arg );
http://codex.wordpress.org/Function_Reference/check_admin_referer

Processing Code:

    if ( isset( $_POST['email'] ) ) {
        check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
        //process form data
    }

Fixed Example:

    <?php
    if ( isset( $_POST['email'] ) ) {
        check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
        //process form data
    }
    ?>
    <form method="post">
    <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
    <input type="text" name="email" /><br />
    <input type="submit" name="submit" value="Submit" />
    </form>

wp_nonce_url()
wp_nonce_url( $actionurl, $action, $name );
http://codex.wordpress.org/Function_Reference/wp_nonce_url

URL Code:

    $url = 'http://example.com/wp-admin/?ID=5';
    $url = wp_nonce_url( $url, 'bw_process_email_action', 'bw_newsletter' );

New URL:

    http://example.com/wp-admin/?ID=5&bw_newsletter=287de957e8
Processing Code:

    if ( isset( $_GET['ID'] ) ) {
        check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
        //process data
    }

http://codex.wordpress.org/Function_Reference/check_admin_referer

Nonces

Specific to

• WordPress User
• Action Attempted
• Object of attempted action
• Time Window
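The nonce-protected newsletter form from the slides, as an added example that is not from the slides, extended with what the slide code leaves implicit: a capability check alongside the nonce, wp_verify_nonce() where a non-fatal failure path is wanted, and an action name that binds the object (the user ID) for a GET link. It assumes it runs inside WordPress; the bw_example_* functions, the bw_unsubscribe_ action prefix and the _bw_newsletter_email meta key are hypothetical.

```php
<?php
/**
 * Added example, not from the slides: nonce plus capability check for the
 * newsletter form, and an object-bound nonce for a GET action link.
 * Assumes it runs inside WordPress; bw_example_* names, the bw_unsubscribe_
 * action prefix and the _bw_newsletter_email meta key are hypothetical.
 */

// A nonce proves the request came from a form this site rendered for this
// user within the time window; it does not prove the user may perform the
// action, so the capability check stays.
function bw_example_handle_newsletter() {
    if ( ! isset( $_POST['email'] ) ) {
        return null; // nothing submitted
    }

    // wp_verify_nonce() returns 1 (first half of the window), 2 (second half)
    // or false instead of dying like check_admin_referer(), so the caller can
    // show the form again with a message.
    $nonce = isset( $_POST['bw_newsletter'] ) ? $_POST['bw_newsletter'] : '';
    if ( ! wp_verify_nonce( $nonce, 'bw_process_email_action' ) ) {
        return new WP_Error( 'bw_bad_nonce', 'Security check failed, please submit the form again.' );
    }

    if ( ! current_user_can( 'read' ) ) {
        return new WP_Error( 'bw_forbidden', 'You are not allowed to do this.' );
    }

    // Sanitize, then validate, the one field the form carries.
    $email = sanitize_email( wp_unslash( $_POST['email'] ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bw_bad_email', 'Invalid email address.' );
    }

    // process form data
    update_user_meta( get_current_user_id(), '_bw_newsletter_email', $email );
    return $email;
}

// The form: the nonce action names what the form does and the field name
// matches what the handler reads from $_POST.
function bw_example_render_newsletter_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
        <input type="text" name="email" /><br />
        <input type="submit" name="submit" value="Submit" />
    </form>
    <?php
}

// An admin link that performs an action via GET: the nonce lives in the URL.
// Binding the object (the user ID) into the action name means a nonce issued
// for one user cannot be replayed against another.
function bw_example_unsubscribe_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg( array( 'bw_unsubscribe' => $user_id ), admin_url() );
    return wp_nonce_url( $url, 'bw_unsubscribe_' . $user_id, 'bw_nonce' );
}

function bw_example_handle_unsubscribe() {
    if ( ! isset( $_GET['bw_unsubscribe'] ) ) {
        return;
    }
    $user_id = absint( $_GET['bw_unsubscribe'] );

    // check_admin_referer() calls wp_die() on a bad or missing nonce, so
    // nothing below it runs on a forged request.
    check_admin_referer( 'bw_unsubscribe_' . $user_id, 'bw_nonce' );

    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to do this.' );
    }

    delete_user_meta( $user_id, '_bw_newsletter_email' );
}
```

Both handlers check the nonce before touching any data and check capability right after, which keeps the two questions separate: "did this request come from my form?" and "may this user do this?".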
  
RESOURCES

• Security Articles
  • http://codex.wordpress.org/Data_Validation
  • http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
  • http://wp.tutsplus.com/tutorials/7-simple-rules-wordpress-plugin-development-best-practices/
  • http://wpengine.com/2013/05/brad-williams-on-secure-wordpress-development/
• Security Presentations
  • http://wordpress.tv/2013/08/09/mike-adams-three-security-issues-you-thought-youd-fixed/
  • http://wordpress.tv/2013/09/26/brennen-byrne-employing-best-security-practices-for-wordpress-sites-3/
  • http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
DRADCAST PLUG

Listen to the DradCast WordPress Podcast
LIVE every Wednesday @ 8pm EDT
DradCast.com
#wceu after party
Drink Time!
CONTACT BRAD

Brad Williams
brad@webdevstudios.com

Blog: strangework.com
Twitter: @williamsba

Professional WordPress Second Edition is OUT!
http://bit.ly/prowp2

More Related Content

Similar to Writing Secure WordPress Code

Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Mark Jaquith
 
Designer's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerDesigner's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerKaren Lopez
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011John Ford
 
Laravel Security Standards
Laravel Security Standards Laravel Security Standards
Laravel Security Standards Singsys Pte Ltd
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
You're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaYou're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaChris Scott
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...Karen Lopez
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 

Similar to Writing Secure WordPress Code (20)

Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
 
Brakeman
BrakemanBrakeman
Brakeman
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008
 
Designer's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerDesigner's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServer
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
 
Laravel Security Standards
Laravel Security Standards Laravel Security Standards
Laravel Security Standards
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
You're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaYou're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp Atlanta
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Drupal Security
Drupal SecurityDrupal Security
Drupal Security
 

More from Brad Williams

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015Brad Williams
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyBrad Williams
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressBrad Williams
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application FrameworkBrad Williams
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Brad Williams
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012Brad Williams
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for BeginnersBrad Williams
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress PluginBrad Williams
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesBrad Williams
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPBrad Williams
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityBrad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressBrad Williams
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfBrad Williams
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceBrad Williams
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 

More from Brad Williams (20)

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to Agency
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPress
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application Framework
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for Beginners
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WP
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPress
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 

Recently uploaded

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
Writing Secure WordPress Code

  • 1. WRITING SECURE WORDPRESS CODE by Brad Williams (@williamsba)
  • 2. WHO IS BRAD? Brad Williams: Co-Founder, WebDevStudios.com; Co-Author, Professional WordPress and Professional WordPress Plugin Development; Co-Organizer, WordCamp Philly; Co-Host, DradCast
  • 3. TODAY'S TOPICS: Cover the big three exploits: SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF); Hack Examples; Data Validation and Sanitization; Resources
  • 4. TRUST NO ONE. Golden Rule of Code: Trust No One
  • 5. TRUST NO ONE. Consider all data invalid unless it can be proven valid
  • 6. SQL INJECTION - SQLI. SQL Injection (SQLi)
  • 7. SQL INJECTION - SQLI. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
  • 8. SQL INJECTION - SQLI. SQL Injection Example:
        global $wpdb;
        $ID = $_GET['ID'];
        $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
    With ?ID=5 the query built is: SELECT post_title FROM wp_posts WHERE ID = '5';
  • 9. SQL INJECTION - SQLI. SQL Injection Example, with an attacker-supplied ID:
        global $wpdb;
        $ID = "'; SELECT * FROM wp_users WHERE 1 = '1";
        $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
    The single quote in $ID closes the string literal, so the query now reads:
        SELECT post_title FROM wp_posts WHERE ID = ''; SELECT * FROM wp_users WHERE 1 = '1';
  • 10. SQL INJECTION - SQLI. My Introduction to SQLi: http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
  • 11. SQL INJECTION - SQLI. My Introduction to SQLi (continued): http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
  • 12. SQL INJECTION - SQLI. $wpdb->insert()
  • 13. SQL INJECTION - SQLI. $wpdb->insert( $table, $data, $format ). Example:
        $wpdb->insert(
            $wpdb->postmeta,
            array( 'post_id' => '5', 'meta_key' => '_custom_meta_key', 'meta_value' => 'true' ),
            array( '%d', '%s', '%s' )
        );
  • 14. SQL INJECTION - SQLI. $wpdb->update()
  • 15. SQL INJECTION - SQLI. $wpdb->update( $table, $data, $where, $format, $where_format ). Example:
        $wpdb->update(
            $wpdb->postmeta,
            array( 'meta_value' => 'false' ),
            array( 'post_id' => 5, 'meta_key' => '_custom_meta_key' ),
            array( '%s' ),
            array( '%d', '%s' )
        );
  • 16. SQL INJECTION - SQLI. $wpdb->delete()
  • 17. SQL INJECTION - SQLI. $wpdb->delete( $table, $where, $where_format ). Example:
        $wpdb->delete( $wpdb->posts, array( 'ID' => 5 ), array( '%d' ) );
  • 18. SQL INJECTION - SQLI. $wpdb->prepare()
  • 19. SQL INJECTION - SQLI. $wpdb->prepare(): handles strings (%s) and integers (%d); does the escaping for you; do not quote %s, prepare() adds the quotes itself.
        $wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $ID );
  • 20. SQL INJECTION - SQLI. $wpdb->prepare(), with several placeholders:
        $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );
  • 21. SQL INJECTION - SQLI. $wpdb->prepare() only prepares the query, it does not execute it:
        $wpdb->query(
            $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' )
        );
    To view the fully prepared query, simply echo it:
        echo $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );
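The following is an added example, not code from the slides: it puts the vulnerable lookup from slide 8 next to its prepare()d form and extends the same technique to the two cases the slides do not cover, a LIKE search and a variable-length IN list. It assumes WordPress is loaded (plugin or theme context); the bw_example_* function names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): parameterised queries with $wpdb->prepare().
 * Assumes WordPress is loaded. Function names are hypothetical.
 */

// Vulnerable (slide 8): the untrusted ID is interpolated straight into the SQL string.
function bw_example_title_unsafe( $raw_id ) {
    global $wpdb;
    $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$raw_id';";
    return $wpdb->get_var( $sql );
}

// Safe: %d coerces the value to an integer; prepare() escapes and quotes for you.
// Table names cannot be placeholders, so keep using the $wpdb->posts property.
function bw_example_title_safe( $raw_id ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $raw_id )
    );
}

// LIKE needs two steps: $wpdb->esc_like() neutralises % and _ in the user's text,
// then prepare() escapes the quotes. Skipping esc_like() lets a user-supplied
// '%' match every row.
function bw_example_search_titles( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT post_title FROM $wpdb->posts WHERE post_status = 'publish' AND post_title LIKE %s",
            $like
        )
    );
}

// IN ( ... ) with a variable number of values: build one %d placeholder per value
// and hand prepare() the array, so every element is still validated.
function bw_example_titles_in( array $raw_ids ) {
    global $wpdb;
    $ids = array_filter( array_map( 'absint', $raw_ids ) ); // drop 0 / non-numeric
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = "SELECT post_title FROM $wpdb->posts WHERE ID IN ( $placeholders )";
    return $wpdb->get_col( $wpdb->prepare( $sql, $ids ) );
}

// Usage, e.g. from a template (input is whatever the request carried):
// bw_example_title_safe( $_GET['ID'] );
// bw_example_search_titles( $_GET['q'] );
// bw_example_titles_in( (array) $_GET['ids'] );
```

Whether a given database driver will actually run the stacked second statement from slide 9 varies, but the fix is identical in every case: never build SQL by string interpolation of request data. $wpdb->prepare() also accepts %f for floats, and passing the argument list as a single array (as in bw_example_titles_in) is supported by prepare() itself.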
  • 22. SQL INJECTION - SQLI. Don't be Little Bobby Tables: http://xkcd.com/327/
  • 23. CROSS-SITE SCRIPTING - XSS. Cross-Site Scripting (XSS)
  • 24. CROSS-SITE SCRIPTING - XSS. What is Cross-Site Scripting? An attacker injects client-side scripts into your web pages.
  • 25. CROSS-SITE SCRIPTING - XSS. Escaping: to escape is to take the data you may already have and help secure it prior to rendering it for the end user.
  • 26. CROSS-SITE SCRIPTING - XSS. Escaping function names (props to Mark Jaquith!): 1. esc_ is the prefix for all escaping functions; 2. attr is the context being escaped; 3. _e is the optional translate-and-echo suffix (as in esc_attr_e()).
  • 27. CROSS-SITE SCRIPTING - XSS. BAD:
        <h1><?php echo $title; ?></h1>
  • 28. CROSS-SITE SCRIPTING - XSS. BAD:
        <?php $title = "<script>alert('Hello Europe!');</script>"; ?>
        <h1><?php echo $title; ?></h1>
  • 29. CROSS-SITE SCRIPTING - XSS. GOOD:
        <?php $title = "<script>alert('Hello Europe!');</script>"; ?>
        <h1><?php echo esc_html( $title ); ?></h1>
    View source:
        <h1>&lt;script&gt;alert(&#039;Hello Europe!&#039;);&lt;/script&gt;</h1>
  • 30. CROSS-SITE SCRIPTING - XSS. esc_attr(): used whenever you output data inside an HTML attribute value. http://codex.wordpress.org/Function_Reference/esc_attr
        <input type="text" name="name" value="<?php echo esc_attr( $text ); ?>" />
  • 31. CROSS-SITE SCRIPTING - XSS. esc_textarea(): used to encode text for use in a <textarea> form element. http://codex.wordpress.org/Function_Reference/esc_textarea
        <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>
  • 32. CROSS-SITE SCRIPTING - XSS. esc_url(): used for validating and sanitizing URLs before output, for example in href or src attributes. http://codex.wordpress.org/Function_Reference/esc_url
        <a href="<?php echo esc_url( $url ); ?>">Link</a>
  • 33. CROSS-SITE SCRIPTING - XSS. esc_url_raw(): used for escaping a URL for database queries, redirects, and HTTP requests. Similar to esc_url(), but does not replace entities for display. http://codex.wordpress.org/Function_Reference/esc_url_raw
        <?php
        $url      = 'http://wordpress.org';
        $response = wp_remote_get( esc_url_raw( $url ) );
        ?>
  • 34. CROSS-SITE SCRIPTING - XSS. esc_js(): used to escape text strings for inline JavaScript; the escaped string must sit inside single quotes. http://codex.wordpress.org/Function_Reference/esc_js
        <script> var bwar = '<?php echo esc_js( $text ); ?>'; </script>
  • 35. CROSS-SITE SCRIPTING - XSS. Integers
  • 36. CROSS-SITE SCRIPTING - XSS. absint(): converts a value to a non-negative integer. http://codex.wordpress.org/Function_Reference/absint
        $ID = absint( $_GET['ID'] );
        <input type="text" name="number_posts" value="<?php echo absint( $number ); ?>" />
  • 37. CROSS-SITE SCRIPTING - XSS. intval(): returns the integer value; works with negative values. http://php.net/manual/en/function.intval.php
        $ID = intval( $_GET['ID'] );
        <input type="text" name="number_posts" value="<?php echo intval( $number ); ?>" />
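The following is an added example, not code from the slides: one attacker-controlled string is rendered into each of the output contexts slides 27 to 37 cover, with the esc_* function that matches that context, so the difference between them is visible in one place. It assumes WordPress is loaded; the shortcode name, the bw_example_* function and the sample values are constructed for this demo.

```php
<?php
/**
 * Added example (not from the slides): context-specific escaping on output.
 * Assumes WordPress is loaded. Shortcode and function names are hypothetical.
 */
function bw_example_render_profile( $atts ) {
    // Constructed sample values, standing in for data read from the database.
    $name     = '<script>alert("x")</script>" onmouseover="alert(1)'; // breaks out of HTML and attributes
    $url      = 'javascript:alert(1)';                                 // must never become an href
    $bio      = "Line one\n<b>not bold</b>";                           // multi-line text for a textarea
    $per_page = '10abc';                                               // a "number" typed into a form

    ob_start();
    ?>
    <!-- HTML body: esc_html() encodes < > & " ' so the browser shows text, not markup -->
    <h1><?php echo esc_html( $name ); ?></h1>

    <!-- Attribute value: esc_attr() so a quote in the data cannot close the attribute -->
    <input type="text" name="name" value="<?php echo esc_attr( $name ); ?>" />

    <!-- href/src: esc_url() rejects disallowed schemes such as javascript: (returns '') -->
    <a href="<?php echo esc_url( $url ); ?>">Homepage</a>

    <!-- textarea: esc_textarea() keeps the newlines and encodes the tags -->
    <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>

    <!-- Inline JS: esc_js() is only safe inside a single-quoted JS string literal -->
    <script>var bwName = '<?php echo esc_js( $name ); ?>';</script>

    <!-- Structured data for JS: wp_json_encode() (WordPress 4.1+) yields a JS literal,
         with "/" escaped so a closing </script> in the data cannot end the block -->
    <script>var bwProfile = <?php echo wp_json_encode( array( 'name' => $name ) ); ?>;</script>

    <!-- Integers: cast instead of escaping; absint() also turns negatives into positives -->
    <input type="text" name="number_posts" value="<?php echo absint( $per_page ); ?>" />
    <?php
    return ob_get_clean();
}
add_shortcode( 'bw_profile', 'bw_example_render_profile' );
```

Drop the shortcode into any post and view the page source: the same $name comes out encoded differently in each context. Escape at the moment of output and pick the function by where the value lands, not by where it came from; a value that is safe in an attribute is not automatically safe inside a script block.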
  • 38. CROSS-SITE SCRIPTING - XSS. Sanitizing: to sanitize is to take the data and clean it to make it safe, typically before storing it.
  • 39. CROSS-SITE SCRIPTING - XSS. BAD:
        <?php update_post_meta( 420, '_post_meta_key', $_POST['new_meta_value'] ); ?>
  • 40. CROSS-SITE SCRIPTING - XSS. sanitize_text_field(): sanitize a string. http://codex.wordpress.org/Function_Reference/sanitize_text_field
        <?php update_post_meta( 34, '_post_meta_key', sanitize_text_field( $_POST['new_meta_value'] ) ); ?>
  • 41. CROSS-SITE SCRIPTING - XSS. sanitize_email(): strips out all characters not allowed in an email address. http://codex.wordpress.org/Function_Reference/sanitize_email
        <?php update_post_meta( 34, '_email_address', sanitize_email( $_POST['email'] ) ); ?>
  • 42. CROSS-SITE SCRIPTING - XSS. sanitize_user(): sanitizes a username, stripping out unsafe characters. http://codex.wordpress.org/Function_Reference/sanitize_user
        <?php update_post_meta( 34, '_custom_username', sanitize_user( $_POST['username'] ) ); ?>
  • 43. CROSS-SITE SCRIPTING - XSS. wp_kses(): filters content and keeps only allowable HTML elements. http://codex.wordpress.org/Function_Reference/wp_kses
    Example content: <a href="#">link</a>. This is bold and <strong>strong</strong>
  • 44. CROSS-SITE SCRIPTING - XSS. wp_kses_post(): filters post content and keeps only allowable HTML elements, i.e. the HTML tags allowed in posts for non-admin users (those without the unfiltered_html capability). http://codex.wordpress.org/Function_Reference/wp_kses_post
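The following is an added example, not code from the slides: a save handler that applies the sanitize_* functions from slides 40 to 44 to one form submission and, where sanitizing alone is not enough, validates the result before update_post_meta() runs. It assumes WordPress is loaded; the meta keys, the bw_example_* function name, the allow-list and the sample input are hypothetical choices for this demo.

```php
<?php
/**
 * Added example (not from the slides): sanitise, then validate, then store.
 * Assumes WordPress is loaded. Meta keys, function name and allow-list are hypothetical.
 *
 * @return array|WP_Error the values actually stored, or the first validation failure.
 */
function bw_example_save_profile( $post_id, array $input ) {
    // Free text: sanitize_text_field() strips tags (script/style with their contents),
    // invalid UTF-8, octets and surrounding whitespace.
    $display = sanitize_text_field( isset( $input['display_name'] ) ? $input['display_name'] : '' );

    // Email: sanitize_email() removes disallowed characters, but only is_email()
    // decides whether what is left is actually an address. Sanitizing is not validating.
    $email = sanitize_email( isset( $input['email'] ) ? $input['email'] : '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bw_bad_email', 'Invalid email address.' );
    }

    // Integer: absint() coerces; the range check is the validation.
    $per_page = absint( isset( $input['per_page'] ) ? $input['per_page'] : 0 );
    if ( $per_page < 1 || $per_page > 100 ) {
        return new WP_Error( 'bw_bad_per_page', 'per_page must be between 1 and 100.' );
    }

    // Limited HTML: an explicit allow-list for wp_kses(). Tags and attributes not listed
    // (script, onclick, style, ...) are removed, and href values lose disallowed protocols.
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    $bio = wp_kses( isset( $input['bio'] ) ? $input['bio'] : '', $allowed );

    update_post_meta( $post_id, '_bw_display_name', $display );
    update_post_meta( $post_id, '_bw_email', $email );
    update_post_meta( $post_id, '_bw_per_page', $per_page );
    update_post_meta( $post_id, '_bw_bio', $bio );

    return array(
        'display_name' => $display,
        'email'        => $email,
        'per_page'     => $per_page,
        'bio'          => $bio,
    );
}

// Constructed sample input, shaped like a $_POST array (wp_unslash() first when it
// really comes from $_POST, because WordPress adds magic-quote slashes to superglobals).
$bw_sample_input = array(
    'display_name' => 'Brad <script>alert(1)</script>',
    'email'        => 'brad@webdevstudios.com',
    'per_page'     => '25',
    'bio'          => '<a href="javascript:alert(1)" onclick="x()">link</a> <strong>bold</strong> <script>bad()</script>',
);
// $result = bw_example_save_profile( 34, wp_unslash( $bw_sample_input ) );
```

Two points the slides leave implicit: sanitizing is lossy cleanup, not validation, so the email and integer fields still need an explicit check; and whatever is stored here must still be escaped on output (esc_html() for the display name, wp_kses_post() or the same allow-list for the bio), because sanitizing on the way in does not cover every context the value may later be printed into.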
  • 45. CROSS-SITE REQUEST FORGERY - CSRF. Cross-Site Request Forgery (CSRF)
  • 46. CROSS-SITE REQUEST FORGERY - CSRF. Exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
  • 47. CROSS-SITE REQUEST FORGERY - CSRF. Nonces: action-, object- and user-specific, time-limited secret keys.
  • 48. CROSS-SITE REQUEST FORGERY - CSRF. Example (there is no way to know where $_POST['email'] is being posted from):
        <?php
        if ( isset( $_POST['email'] ) ) {
            // process form data
        }
        ?>
        <form method="post">
            <input type="text" name="email" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
  • 49. CROSS-SITE REQUEST FORGERY - CSRF. wp_nonce_field( $action, $name, $referer, $echo ); http://codex.wordpress.org/Function_Reference/wp_nonce_field
    Form code:
        <form method="post">
            <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
            <input type="text" name="email" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
    View source:
        <form method="post">
            <input type="hidden" id="bw_newsletter" name="bw_newsletter" value="287de957e8" />
            <input type="hidden" name="_wp_http_referer" value="/x/sample-page/" />
            <input type="text" name="email" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
  • 50. CROSS-SITE REQUEST FORGERY - CSRF. check_admin_referer( $action, $query_arg ); http://codex.wordpress.org/Function_Reference/check_admin_referer
    Processing code:
        if ( isset( $_POST['email'] ) ) {
            check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
            // process form data
        }
  • 51. CROSS-SITE REQUEST FORGERY - CSRF. Fixed Example:
        <?php
        if ( isset( $_POST['email'] ) ) {
            check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
            // process form data
        }
        ?>
        <form method="post">
            <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
            <input type="text" name="email" /><br />
            <input type="submit" name="submit" value="Submit" />
        </form>
  • 52. CROSS-SITE REQUEST FORGERY - CSRF. wp_nonce_url( $actionurl, $action, $name ); http://codex.wordpress.org/Function_Reference/wp_nonce_url
    URL code:
        $url = 'http://example.com/wp-admin/?ID=5';
        $url = wp_nonce_url( $url, 'bw_process_email_action', 'bw_newsletter' );
    New URL: http://example.com/wp-admin/?ID=5&bw_newsletter=287de957e8
  • 53. CROSS-SITE REQUEST FORGERY - CSRF. wp_nonce_url() processing code (http://codex.wordpress.org/Function_Reference/check_admin_referer):
        if ( isset( $_GET['ID'] ) ) {
            check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
            // process data
        }
  • 54. CROSS-SITE REQUEST FORGERY - CSRF. Nonces are specific to: the WordPress user; the action attempted; the object of the attempted action; a time window.
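The following is an added example, not code from the slides: the newsletter form from slides 48 to 53 and a nonce-protected action link, wired up so they run on the front end of a site. It uses wp_verify_nonce() rather than check_admin_referer() so the failure can be reported instead of killing the request, and it adds the check a nonce does not give you: a nonce proves the request came from a page this user loaded, not that the user is allowed to perform the action. It assumes WordPress is loaded; action names, field names, meta keys and the bw_example_* function names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): nonce plus permission check on a
 * front-end form and on a GET action link. Assumes WordPress is loaded.
 * Action names, field names, meta keys and function names are hypothetical.
 */

// 1. Render the form; the nonce is tied to this action, this user and a time window.
function bw_example_newsletter_form() {
    ob_start();
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
        <input type="text" name="email" /><br />
        <input type="submit" name="submit" value="Submit" />
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'bw_newsletter', 'bw_example_newsletter_form' );

// 2. Handle the POST. check_admin_referer() calls wp_die() on failure, which suits
//    wp-admin; on the front end wp_verify_nonce() lets you fail gracefully.
//    The nonce check is not an authorisation check, so test permission as well.
function bw_example_handle_newsletter() {
    if ( ! isset( $_POST['email'] ) ) {
        return null; // nothing submitted
    }
    $nonce = isset( $_POST['bw_newsletter'] ) ? $_POST['bw_newsletter'] : '';
    if ( ! wp_verify_nonce( $nonce, 'bw_process_email_action' ) ) {
        return new WP_Error( 'bw_bad_nonce', 'Form expired or not sent from this site.' );
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'bw_not_allowed', 'Log in to subscribe.' );
    }
    // Sanitize, then validate (slides 40 and 41), before anything is stored.
    $email = sanitize_email( wp_unslash( $_POST['email'] ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bw_bad_email', 'Invalid email address.' );
    }
    update_user_meta( get_current_user_id(), '_bw_newsletter_email', $email );
    return $email;
}
add_action( 'template_redirect', 'bw_example_handle_newsletter' );

// 3. A GET action ("unsubscribe") gets its nonce from wp_nonce_url() ...
function bw_example_unsubscribe_link() {
    $url = add_query_arg( 'bw_unsubscribe', '1', home_url( '/' ) );
    return wp_nonce_url( $url, 'bw_unsubscribe_action', 'bw_unsub_nonce' );
}

// ... and the handler verifies it the same way before acting. Without the nonce,
// an <img src="..."> on any other site could unsubscribe every visitor who is logged in.
function bw_example_handle_unsubscribe() {
    if ( ! isset( $_GET['bw_unsubscribe'] ) ) {
        return null;
    }
    $nonce = isset( $_GET['bw_unsub_nonce'] ) ? $_GET['bw_unsub_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'bw_unsubscribe_action' ) || ! is_user_logged_in() ) {
        return new WP_Error( 'bw_not_allowed', 'Invalid or expired link.' );
    }
    delete_user_meta( get_current_user_id(), '_bw_newsletter_email' );
    return true;
}
add_action( 'template_redirect', 'bw_example_handle_unsubscribe' );
```

For admin-side pages keep check_admin_referer() as on slides 50 and 53, and for admin-ajax handlers use check_ajax_referer(); in all three cases the action string passed at creation and at verification must be identical. For logged-out visitors WordPress still issues a nonce, but it is bound to user ID 0 rather than to a person, so a logged-out nonce proves only that the form came from your site, not who submitted it.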
  • 55. RESOURCES. Security articles: http://codex.wordpress.org/Data_Validation ; http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data ; http://wp.tutsplus.com/tutorials/7-simple-rules-wordpress-plugin-development-best-practices/ ; http://wpengine.com/2013/05/brad-williams-on-secure-wordpress-development/ . Security presentations: http://wordpress.tv/2013/08/09/mike-adams-three-security-issues-you-thought-youd-fixed/ ; http://wordpress.tv/2013/09/26/brennen-byrne-employing-best-security-practices-for-wordpress-sites-3/ ; http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
  • 56. DRADCAST PLUG. Listen to the DradCast WordPress Podcast, LIVE every Wednesday @ 8pm EDT. DradCast.com
  • 58. CONTACT BRAD. Brad Williams, brad@webdevstudios.com. Blog: strangework.com. Twitter: @williamsba. Professional WordPress, Second Edition is OUT! http://bit.ly/prowp2