2. WHO IS BRAD?
Brad Williams
@williamsba
Brad Williams
Co-Founder, WebDevStudios.com
Co-Author, Professional WordPress & Professional WordPress Plugin Development
Co-Organizer, WordCamp Philly
Co-Host, DradCast
3. TODAY’S TOPICS
• Cover the big three exploits
  • SQL Injection - SQLi
  • Cross-Site Scripting - XSS
  • Cross-Site Request Forgery - CSRF
• Hack Examples
• Data Validation and Sanitization
• Resources
4. TRUST NO ONE
Golden Rule of Code: Trust No One
5. TRUST NO ONE
Consider all data invalid unless it can be proven valid.
7. SQL INJECTION - SQLI
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
8. SQL INJECTION - SQLI
SQL Injection Example

global $wpdb;
$ID = $_GET['ID'];
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";

Resulting query for ID = 5:

SELECT post_title FROM wp_posts WHERE ID = '5';
9. SQL INJECTION - SQLI
SQL Injection Example

global $wpdb;
$ID = "'; SELECT * FROM wp_users WHERE 1 = '1";
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";

Resulting query: the quote is closed and a second statement is appended.

SELECT post_title FROM wp_posts WHERE ID = '';
SELECT * FROM wp_users WHERE 1 = '1';
10. SQL INJECTION - SQLI
http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
My Introduction to SQLi
12. SQL INJECTION - SQLI
$wpdb->insert()
18. SQL INJECTION - SQLI
$wpdb->prepare()
19. SQL INJECTION - SQLI
$wpdb->prepare()
• Handles strings (%s) and integers (%d)
• Does the escaping for you
• No need to quote %s

$wpdb->prepare( " SELECT post_title FROM $wpdb->posts WHERE ID = %d ", $ID );
20. SQL INJECTION - SQLI
$wpdb->prepare()

$wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );
21. SQL INJECTION - SQLI
$wpdb->prepare()
$wpdb->prepare() only prepares the query; it does not execute it.

$wpdb->query(
$wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' )
);

To view the fully prepared query, simply echo it:

echo $wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );
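The lookup from the earlier slides next to its $wpdb->prepare() replacement, as an added example that is not part of the talk. It assumes it runs inside WordPress (a plugin or theme), where the global $wpdb is loaded; the bw_ function names and the admin_post hook name are constructed for illustration.

```php
<?php
// Added example (not from the talk). Assumes a WordPress environment
// where the global $wpdb object exists.

// VULNERABLE: the request value is interpolated straight into the SQL
// string, so an ID that contains a quote rewrites the statement.
function bw_get_title_unsafe( $id ) {
    global $wpdb;
    $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$id';";
    return $wpdb->get_var( $sql );
}

// SAFE: %d forces an integer (a value like "'; SELECT ..." becomes 0) and
// %s is quoted and escaped by prepare(), so request data can only ever be
// a value in the query, never part of its structure.
function bw_get_title_safe( $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT post_title FROM $wpdb->posts WHERE ID = %d",
        $id
    );
    return $wpdb->get_var( $sql );
}

// prepare() only builds the string; a write still has to go through query().
// Returns the number of affected rows, or false on error.
function bw_delete_meta( $post_id, $meta_key ) {
    global $wpdb;
    return $wpdb->query( $wpdb->prepare(
        "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
        $post_id,
        $meta_key
    ) );
}

// prepare() returns the fully built SQL, so returning (or echoing) it while
// debugging shows exactly what will be sent to MySQL.
function bw_debug_delete_sql( $post_id, $meta_key ) {
    global $wpdb;
    return $wpdb->prepare(
        "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
        $post_id,
        $meta_key
    );
}

// Hypothetical entry point (hook name is an assumption): the request value
// is cast before it reaches the query, and the output is escaped for HTML.
add_action( 'admin_post_bw_lookup', function () {
    $id = isset( $_GET['ID'] ) ? (int) $_GET['ID'] : 0;
    echo esc_html( bw_get_title_safe( $id ) );
} );
```

Casting at the edge and using %d inside the query are two independent checks; either one alone would stop the injected string on the slide, and keeping both means a later refactor that drops one does not silently reopen the hole.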
22. SQL INJECTION - SQLI
http://xkcd.com/327/
Don’t be Little Bobby Tables
24. CROSS-SITE SCRIPTING - XSS
What is Cross-Site Scripting?
Attacker injects client-side scripts into your web pages.
25. CROSS-SITE SCRIPTING - XSS
Escaping
To escape is to take the data you may already have and help secure it prior to rendering it for the end user.
26. CROSS-SITE SCRIPTING - XSS
Escaping
1. esc_ is the prefix for all escaping functions
2. attr is the context being escaped
3. _e is the optional translation suffix
Props to Mark Jaquith!
30. CROSS-SITE SCRIPTING - XSS
esc_attr()
Used whenever you need to display data inside an HTML element
http://codex.wordpress.org/Function_Reference/esc_attr

<input type="text" name="name"
value="<?php echo esc_attr( $text ); ?>" />
31. CROSS-SITE SCRIPTING - XSS
esc_textarea()
Used to encode text for use in a <textarea> form element
http://codex.wordpress.org/Function_Reference/esc_textarea

<textarea name="bio">
<?php echo esc_textarea( $bio ); ?>
</textarea>
32. CROSS-SITE SCRIPTING - XSS
esc_url()
Used for validating and sanitizing URLs
http://codex.wordpress.org/Function_Reference/esc_url

<a href="<?php echo esc_url( $url ); ?>">Link</a>
33. CROSS-SITE SCRIPTING - XSS
esc_url_raw()
Used for escaping a URL for database queries, redirects, and HTTP requests
Similar to esc_url(), but does not replace entities for display
http://codex.wordpress.org/Function_Reference/esc_url_raw

<?php
$url = 'http://wordpress.org';
$response = wp_remote_get( esc_url_raw( $url ) );
?>
34. CROSS-SITE SCRIPTING - XSS
esc_js()
Used to escape text strings in JavaScript
http://codex.wordpress.org/Function_Reference/esc_js

<script>
var bwar='<?php echo esc_js( $text ); ?>';
</script>
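The escaping slides above each show one context; the added example below (not from the talk) renders the same value into all of them in one template, so the rule "pick the escaper for the context you are writing into" can be seen side by side. It goes one step beyond the slides by also using esc_html() for text in the HTML body. It assumes WordPress core is loaded (the esc_* functions are core); the function name and the sample values are constructed.

```php
<?php
// Added example (not from the talk). Assumes WordPress core is loaded.
// Hypothetical template function; $text and $url are untrusted input.
function bw_render_profile_card( $text, $url ) {
    ?>
    <div class="bw-card">
        <!-- HTML body: esc_html() turns < > & " ' into entities -->
        <p><?php echo esc_html( $text ); ?></p>

        <!-- attribute value: esc_attr() so a quote in $text cannot end the
             attribute and start a new one such as an event handler -->
        <input type="text" name="name" value="<?php echo esc_attr( $text ); ?>" />

        <!-- textarea: esc_textarea() so a closing tag inside $text cannot
             break out of the element -->
        <textarea name="bio"><?php echo esc_textarea( $text ); ?></textarea>

        <!-- href: esc_url() drops URLs whose scheme is not in
             wp_allowed_protocols() and encodes the rest for display -->
        <a href="<?php echo esc_url( $url ); ?>">Link</a>

        <!-- JavaScript string literal: esc_js() escapes quotes, backslashes
             and line endings so $text stays inside the literal -->
        <script>
            var bwName = '<?php echo esc_js( $text ); ?>';
        </script>
    </div>
    <?php
}

// Constructed sample values of the kind a form would receive: a quote plus
// an attribute in the text field, and a javascript: scheme in the URL
// field (esc_url() returns an empty string for the latter).
bw_render_profile_card( '" onmouseover="alert(1)', 'javascript:alert(1)' );
```

The point worth checking in review is that the escaper matches the surrounding markup, not the variable: the same $text needs esc_attr() inside the value="" and esc_js() inside the script, and an esc_html() call in either of those places would leave a gap.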
41. CROSS-SITE SCRIPTING - XSS
sanitize_email()
Strip out all characters not allowed in an email address
http://codex.wordpress.org/Function_Reference/sanitize_email

<?php
update_post_meta(
34,
'_email_address',
sanitize_email( $_POST['email'] )
);
?>
43. CROSS-SITE SCRIPTING - XSS
wp_kses()
Filters content and keeps only allowable HTML elements.
http://codex.wordpress.org/Function_Reference/wp_kses

<a href="#">link</a>. This is bold and <strong>strong</strong>
44. CROSS-SITE SCRIPTING - XSS
wp_kses_post()
Filters post content and keeps only allowable HTML elements.
http://codex.wordpress.org/Function_Reference/wp_kses_post
HTML tags allowed to be put into Posts by non-admin users
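The three sanitization functions above applied to one submitted form before anything is stored, as an added example that is not from the talk. It assumes WordPress; the function name, the meta keys, the post ID 34 and the sample input are constructed for illustration.

```php
<?php
// Added example (not from the talk). Assumes WordPress core is loaded.
// Hypothetical save routine: every field is sanitized for its own type
// before update_post_meta() stores it.
function bw_save_profile( $post_id, array $input ) {
    // Email: characters outside the permitted email character set are removed.
    $email = sanitize_email( $input['email'] ?? '' );

    // Short bio: an explicit allowed list. Only links (with href/title) and
    // emphasis survive; every other tag, attribute and event handler is
    // stripped, while the text inside a stripped tag is kept.
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    $bio = wp_kses( $input['bio'] ?? '', $allowed );

    // Long description: the same tag set that non-admin authors may use in
    // post content, so <script> and inline event handlers never get stored.
    $description = wp_kses_post( $input['description'] ?? '' );

    update_post_meta( $post_id, '_email_address', $email );
    update_post_meta( $post_id, '_bio', $bio );
    update_post_meta( $post_id, '_description', $description );

    return compact( 'email', 'bio', 'description' );
}

// Constructed sample input: each field carries something that must not be
// stored as submitted.
$saved = bw_save_profile( 34, array(
    'email'       => 'brad<script>@webdevstudios.com',
    'bio'         => '<a href="#" onclick="steal()">link</a>. This is <b>bold</b> and <strong>strong</strong>',
    'description' => '<p>Hello</p><script>alert(1)</script>',
) );
```

With the bio input above, wp_kses() drops the onclick attribute and the disallowed <b> tag but keeps its text, which is exactly the output shown on the wp_kses() slide. Sanitizing on the way in does not replace escaping on the way out: the stored bio still goes through the esc_* function for whichever context it is later rendered into.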
46. CROSS-SITE REQUEST FORGERY - CSRF
Cross-Site Request Forgery (CSRF)
Exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
47. CROSS-SITE REQUEST FORGERY - CSRF
Nonces
Action, object, & user specific time-limited secret keys
48. CROSS-SITE REQUEST FORGERY - CSRF
Example

<?php
if ( isset( $_POST['email'] ) ) {
//process form data
}
?>
<form method="post">
<input type="text" name="email" /><br />
<input type="submit" name="submit" value="Submit" />
</form>

There is no way to know where $_POST['email'] is being posted from.
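The form from the slide with a nonce added, plus a handler that refuses the submission unless the nonce verifies, as an added example that is not from the talk. It assumes WordPress; the action name bw_save_email, the nonce field name and the bw_ function names are constructed for illustration.

```php
<?php
// Added example (not from the talk). Assumes WordPress core is loaded.

// Handler for the submit. check_admin_referer() calls wp_die() unless a
// nonce for this action, tied to the logged-in user and still within its
// lifetime, was sent back with the POST, so a forged cross-site request
// never reaches the processing code.
function bw_handle_email_form() {
    if ( ! isset( $_POST['email'] ) ) {
        return;
    }
    check_admin_referer( 'bw_save_email', 'bw_email_nonce' );

    // A nonce proves the request came from our form; it does not prove the
    // user may perform the action, so check the capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // The data itself is still untrusted and is sanitized for its type.
    $email = sanitize_email( $_POST['email'] );
    update_user_meta( get_current_user_id(), 'contact_email', $email );
}
add_action( 'admin_post_bw_save_email', 'bw_handle_email_form' );

// The form. wp_nonce_field() emits a hidden input named bw_email_nonce
// whose value is the nonce for the bw_save_email action.
function bw_render_email_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bw_save_email" />
        <?php wp_nonce_field( 'bw_save_email', 'bw_email_nonce' ); ?>
        <input type="text" name="email" /><br />
        <input type="submit" name="submit" value="Submit" />
    </form>
    <?php
}

// Non-fatal alternative for code that wants to handle a bad nonce itself:
// wp_verify_nonce() returns false on failure, 1 or 2 on success.
function bw_nonce_is_valid() {
    return isset( $_POST['bw_email_nonce'] )
        && false !== wp_verify_nonce( $_POST['bw_email_nonce'], 'bw_save_email' );
}
```

The nonce answers the question the slide raises ("where is this POST coming from?") because another site cannot read it: it is generated per action and per user, and a page on a different origin has no way to obtain the current value to include in its forged form.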
58. CONTACT BRAD
Brad Williams
brad@webdevstudios.com
Blog: strangework.com
Twitter: @williamsba
Professional WordPress Second Edition is OUT!
http://bit.ly/prowp2