Plugin & Theme Security  http://johnford.is/  @iamjohnford
SQL Injection
$wpdb->query( "UPDATE $wpdb->posts SET post_title = $new_title WHERE ID = $id" );  BAD
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password" );  BAD
$username = " OR 1 -- ";  $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password" );  BAD
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login =  OR 1 --  AND user_pass = $password" );  BAD
$wpdb->update()  GOOD
$wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ) );  GOOD
$wpdb->insert( $table, $data );  GOOD
$wpdb->prepare()  GOOD
$wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );  GOOD
http://codex.wordpress.org/Function_Reference/wpdb_Class
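The login lookup and the UPDATE from the BAD slides, rebuilt on $wpdb->prepare() and the format arguments of $wpdb->update(). This is an added example, not code from the deck; it assumes WordPress is loaded (global $wpdb, wp_check_password()) and the wcmelb_* function names are hypothetical.

```php
<?php
// Added example (not from the deck). Assumes WordPress is loaded: $wpdb and
// wp_check_password() come from core; the wcmelb_* names are hypothetical.

function wcmelb_check_login( $username, $password ) {
    global $wpdb;

    // %s is emitted as a quoted, escaped literal and %d is cast to an integer,
    // so an input such as " OR 1 -- " is compared as a login name and cannot
    // change the shape of the statement. prepare() protects values only; the
    // table name comes from the trusted $wpdb->users property, never from input.
    $sql = $wpdb->prepare(
        "SELECT ID, user_pass FROM $wpdb->users WHERE user_login = %s LIMIT 1",
        $username
    );
    $row = $wpdb->get_row( $sql );
    if ( null === $row ) {
        return false;
    }

    // user_pass holds a salted hash, so the password is never compared in SQL.
    return wp_check_password( $password, $row->user_pass, $row->ID );
}

function wcmelb_rename_post( $id, $new_title ) {
    global $wpdb;

    // update( $table, $data, $where, $format, $where_format ): the two format
    // arrays pin the value types instead of relying on escaping alone.
    $rows = $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ),
        array( 'ID' => $id ),
        array( '%s' ),   // format for post_title
        array( '%d' )    // format for ID
    );

    return false !== $rows;   // false means the query itself failed
}
```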
XSS: Cross-site Scripting
<h1><?php echo $title; ?></h1>  BAD
$title = '<script>jsCode();</script>';  <h1><?php echo $title; ?></h1>  BAD
<h1><?php echo esc_html( $title ); ?></h1>  GOOD
esc_attr_e()
<a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>  BAD
<?php $title = '" onmouseover="jsCode();'; ?>  <a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>  BAD
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>  GOOD
esc_textarea()  GOOD
<a href="<?php echo $url; ?>">Link Text</a>  BAD
<?php $url = 'javascript:jsCode();'; ?>  <a href="<?php echo $url; ?>">Link Text</a>  BAD
<a href="<?php echo esc_url( $url ); ?>">Link Text</a>  GOOD
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">  BAD
<form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">  GOOD
<script>var foo = <?php echo $unsafe; ?>;</script>  BAD
<script>var foo = <?php echo esc_js( $unsafe ); ?>;</script>  GOOD
wp_filter_kses( $data )  GOOD
http://codex.wordpress.org/Data_Validation
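The point the XSS slides make one context at a time is that escaping must match the output context: esc_html() in element content, esc_attr() in an attribute, esc_url() in href, esc_textarea() inside a textarea and esc_js() inside a single-quoted JavaScript string. The fragment below renders the three slide payloads through all five in one template; it is an added example, not the deck's code, it assumes WordPress is loaded, and the function name and sample input are constructed.

```php
<?php
// Added example (not from the deck). Assumes WordPress is loaded for the esc_*()
// functions; wcmelb_render_link_card() and the sample input are constructed.

function wcmelb_render_link_card( array $input ) {
    $title = $input['title'];   // may carry markup or a stray double quote
    $url   = $input['url'];     // may be a javascript: URL
    $note  = $input['note'];    // shown in a textarea and passed to inline JS

    ob_start();
    ?>
    <!-- element content: esc_html() turns < > & " ' into entities -->
    <h1><?php echo esc_html( $title ); ?></h1>

    <!-- attribute: esc_attr() keeps a " in the data from closing the attribute.
         href: esc_url() drops disallowed schemes such as javascript: and returns ''
         for them, so the anchor is left with an empty href rather than a script. -->
    <a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>">Link Text</a>

    <!-- textarea: esc_textarea() stops a literal </textarea> from ending the element -->
    <textarea name="note"><?php echo esc_textarea( $note ); ?></textarea>

    <!-- inline JS: esc_js() is only safe inside a single-quoted string literal -->
    <script>var note = '<?php echo esc_js( $note ); ?>';</script>
    <?php
    return ob_get_clean();
}

// Constructed sample input mirroring the payloads shown on the slides.
$sample = array(
    'title' => '" onmouseover="jsCode();',
    'url'   => 'javascript:jsCode();',
    'note'  => '</textarea><script>jsCode();</script>',
);
echo wcmelb_render_link_card( $sample );
```

Running it through a WordPress page shows the quote in the title entity-encoded in both the heading and the title attribute, an empty href, and the closing textarea tag and script tag neutralised in their respective contexts.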
CSRF: Cross-site Request Forgery
Nonces: action-, object-, & user-specific, time-limited secret keys
wp_nonce_field( 'plugin-action_object' )  GOOD
check_admin_referer( 'plugin-action_object' )  GOOD
http://codex.wordpress.org/WordPress_Nonces
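A nonce-protected admin form and the handler that verifies it, tying the wp_nonce_field() / check_admin_referer() pair from the slides to a real request flow. This is an added example, not the deck's code; it assumes WordPress is loaded, and the action name, nonce field name, option name and wcmelb_* functions are hypothetical.

```php
<?php
// Added example (not from the deck). Assumes WordPress is loaded; the action,
// field and option names and the wcmelb_* functions are hypothetical.

function wcmelb_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wcmelb_save" />
        <?php
        // Emits a hidden nonce tied to this action string, the current user and a
        // time window (nonces expire after roughly 12 to 24 hours), plus a hidden
        // _wp_http_referer field. A page on another site cannot obtain this value.
        wp_nonce_field( 'wcmelb-save_settings', 'wcmelb_nonce' );
        ?>
        <input type="text" name="wcmelb_colour" value="<?php echo esc_attr( get_option( 'wcmelb_colour', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function wcmelb_handle_save() {
    // A nonce proves the request was intended by a logged-in user; it does not
    // prove that user is allowed to act, so the capability check stays.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Stops the request with "Are you sure you want to do this?" when the nonce is
    // missing, expired, or was issued for a different action or user.
    check_admin_referer( 'wcmelb-save_settings', 'wcmelb_nonce' );

    $colour = isset( $_POST['wcmelb_colour'] )
        ? sanitize_text_field( wp_unslash( $_POST['wcmelb_colour'] ) )
        : '';
    update_option( 'wcmelb_colour', $colour );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_wcmelb_save', 'wcmelb_handle_save' );
```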
eval() = evil
Thank you!  http://johnford.is/  @iamjohnford
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.