SlideShare a Scribd company logo
1 of 25
Download to read offline
SAFELY HANDLING DATA SO YOU DON’T GET PWND
DEVELOPER SECURITY
SUCURI SECURITY
TONY “LIVE HACK” PEREZ
BRO. IF YOU DON’T ESCAPE YOUR DATA,
YOU’LL NEVER ESCAPE THE HURT I’M
GOING TO PUT ON YOU.
Tony Perez (probably said that)
IN CASE YOU NEEDED MORE REASONS…
SUCURI SECURITY
DRE “I’LL CHOKE YOU” ARMEDA
LOOK, THERE ARE BAD PEOPLE OUT THERE TRYING ALL
SORTS OF SALTY STUFF TO PWN YOUR SITE. YOU’RE NOT
GOING TO BE READY FOR THAT? COME ON NOW…DON’T LET
THEM MAKE YOU LOOK SILLY. ALSO, DON’T TOUCH MY HAT.
Dre Armeda (might have said that)
IN CASE YOU NEEDED MORE REASONS…
SO HOW DO YOU PROTECT YOURSELF?
WATCH THIS. IT’S AN
OLDIE, BUT A GOODIE.
http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
THAT GUY, MARK JAQUITH, PWNED A PLUGIN I WROTE LIVE
ON STAGE DURING A PLUGIN COMPETITION AT WORDCAMP
NYC IN 2009, AND IT WOKE ME UP.
READ THIS
HTTP://WP.TUTSPLUS.COM/TUTORIALS/CREATIVE-CODING/DATA-SANITIZATION-AND-VALIDATION-WITH-WORDPRESS/
IF YOU’RE GOING TO CHECK OUT NOW, HERE’S THE TL;DR
6 THINGS TO KEEP IN MIND WHEN WRITING CODE, NUMBER 2 WILL SHOCK YOU!
▸ Keep your dev environment clean
▸ Use WordPress Core code instead of custom code whenever possible
▸ Validate referrers
▸ Validate data inputs
▸ Sanitize data inputs
▸ Escape data outputs
KEEP YOUR DEV ENVIRONMENT CLEAN
MAC, LINUX, OR PC – IT DOESN’T MATTER
▸ Don’t think that just because you’re on a mac you’re safe from viruses.
▸ If you’re running linux, a lot of the responsibility of security is on you. Make
sure all of your system software is patched and up to date.
▸ If you’re on a PC, you should assume you’re already pwned.
KEEP YOUR DEV ENVIRONMENT CLEAN
KASPERSKY ANTI-VIRUS
▸ I use it.
▸ Dre uses it.
▸ Tony uses it.
▸ You should be using it.
WORDPRESS CORE CODE VS. YOUR CODE
WORDPRESS CORE
$request = wp_remote_get( $url );
$data = wp_remote_retrieve_body( $request );
YOUR CODE
$ch = curl_init();

$timeout = 5;

curl_setopt( $ch, CURLOPT_URL, $url );

curl_setopt( $ch,
CURLOPT_RETURNTRANSFER, 1 );
curl_setopt( $ch,
CURLOPT_CONNECTTIMEOUT, $timeout );
$data = curl_exec( $ch );

curl_close( $ch );
TRUST NO ONE, TRUST NOTHING
CSRF: CROSS-SITE REQUEST FORGERY
HTTP://EN.WIKIPEDIA.ORG/WIKI/CROSS-SITE_REQUEST_FORGERY
▸ Cross-site request forgery, also known as a one-click attack or session riding
and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a
type of malicious exploit of a website whereby unauthorized commands are
transmitted from a user that the website trusts.[2] Unlike cross-site scripting
(XSS), which exploits the trust a user has for a particular site, CSRF exploits the
trust that a site has in a user's browser.
SWEET, THIS COULD LEAD TO MY NEXT BIG DEAL! CONFIRM!
ZOMG…WTF?!
http://mysite.com/wp-admin/post.php?post=307&action=trash
NONCES FTW!
▸ Create the nonce
▸ wp_nonce_url() - for links
▸ wp_create_nonce() - generates just the nonce value
▸ wp_nonce_field() - generates entire html hidden element
▸ Verify the request
▸ wp_verify_nonce() - validates the nonce for correctness and expiration
▸ check_admin_referer() - also checks if request came from another admin screen
XSS: CROSS-SITE SCRIPTING
HTTP://EN.WIKIPEDIA.ORG/WIKI/CROSS-SITE_SCRIPTING
▸ Cross-site scripting (XSS) is a type of computer security vulnerability typically
found in Web applications. XSS enables attackers to inject client-side script into
Web pages viewed by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the same origin policy.
Cross-site scripting carried out on websites accounted for roughly 84% of all
security vulnerabilities documented by Symantec as of 2007.[1] Their effect
may range from a petty nuisance to a significant security risk, depending on
the sensitivity of the data handled by the vulnerable site and the nature of any
security mitigation implemented by the site's owner.
HOW TO MAINTAIN SAFE DATA
▸ Validate user input – verify data entered is in the proper format
▸ Sanitize data before saving – remove evil content in your data
▸ Escape dynamic data before output – the data can’t be used against a user
WHITELIST DATA – ONLY ACCEPT KNOWN DATA
$_POST = array(
'pwn' => '<script src="http://pwn.me/u.js"></script>',
'e' => 'email@domain.com'
);
// bad
foreach( $_POST as $key => $val ) {
update_post_meta( $id, $key, $val );
}
// good
update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
BLACKLIST DATA – ONLY ACCEPT DATA IF IT’S IN THE PROPER FORMAT
$_POST = array(
'e' => 'email@domain.com'
);
// bad
update_post_meta( $id, 'e', $_POST['e'] );
// good
if ( is_email( $_POST['e'] ) ) {
update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
}
SANITIZE USER GENERATED DATA - CAN CHANGE DATA AND CAUSE UNEXPECTED RESULTS
// bad
update_post_meta( $id, 'data', $_POST['name'] );
// good
$safe_text_field = sanitize_text_field( $_POST['name'] );
update_post_meta( $id, 'data', $safe_text_field );
ESCAPE DYNAMIC DATA ON OUTPUT – BAD DATA WILL BE TAMED IN A CONTEXT FRIENDLY WAY
$dynamic_data = get_post_meta( $id, 'data', true );
// bad
echo $dynamic_data;
// good
echo esc_html( $dynamic_data );
HELPFUL LINKS
▸ http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
▸ http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
▸ https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
▸ http://codex.wordpress.org/Data_Validation
▸ http://codex.wordpress.org/WordPress_Nonces
▸ https://developer.wordpress.org/plugins/security/
▸ https://wordpress.org/about/security/
▸ http://en.wikipedia.org/wiki/Cross-site_scripting
▸ http://en.wikipedia.org/wiki/Cross-site_request_forgery

More Related Content

Similar to Developer Security for WordPress

Dip Your Toes in the Sea of Security (PHP Cambridge)
Dip Your Toes in the Sea of Security (PHP Cambridge)Dip Your Toes in the Sea of Security (PHP Cambridge)
Dip Your Toes in the Sea of Security (PHP Cambridge)James Titcumb
 
Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016Marcel Schmitz
 
Dip Your Toes in the Sea of Security (DPC 2015)
Dip Your Toes in the Sea of Security (DPC 2015)Dip Your Toes in the Sea of Security (DPC 2015)
Dip Your Toes in the Sea of Security (DPC 2015)James Titcumb
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Arc & Codementor
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityMediacurrent
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Dip Your Toes in the Sea of Security (PHP UK 2016)
Dip Your Toes in the Sea of Security (PHP UK 2016)Dip Your Toes in the Sea of Security (PHP UK 2016)
Dip Your Toes in the Sea of Security (PHP UK 2016)James Titcumb
 
Security in cloud
Security in cloudSecurity in cloud
Security in cloudvikash4225
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myJesse Moore
 
Putting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainPutting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainJames Wickett
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville   Web Security 1012009 Barcamp Nashville   Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 

Similar to Developer Security for WordPress (20)

Dip Your Toes in the Sea of Security (PHP Cambridge)
Dip Your Toes in the Sea of Security (PHP Cambridge)Dip Your Toes in the Sea of Security (PHP Cambridge)
Dip Your Toes in the Sea of Security (PHP Cambridge)
 
Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016
 
Dip Your Toes in the Sea of Security (DPC 2015)
Dip Your Toes in the Sea of Security (DPC 2015)Dip Your Toes in the Sea of Security (DPC 2015)
Dip Your Toes in the Sea of Security (DPC 2015)
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
 
Web application security
Web application securityWeb application security
Web application security
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Php Security
Php SecurityPhp Security
Php Security
 
Drupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal SecurityDrupal Camp Atlanta 2011 - Drupal Security
Drupal Camp Atlanta 2011 - Drupal Security
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Dip Your Toes in the Sea of Security (PHP UK 2016)
Dip Your Toes in the Sea of Security (PHP UK 2016)Dip Your Toes in the Sea of Security (PHP UK 2016)
Dip Your Toes in the Sea of Security (PHP UK 2016)
 
Security in cloud
Security in cloudSecurity in cloud
Security in cloud
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-my
 
Putting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainPutting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps Toolchain
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville   Web Security 1012009 Barcamp Nashville   Web Security 101
2009 Barcamp Nashville Web Security 101
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 

Recently uploaded

US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
System Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingSystem Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingBootNeck1
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxVelmuruganTECE
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...Amil Baba Dawood bangali
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 
The SRE Report 2024 - Great Findings for the teams
The SRE Report 2024 - Great Findings for the teamsThe SRE Report 2024 - Great Findings for the teams
The SRE Report 2024 - Great Findings for the teamsDILIPKUMARMONDAL6
 
Industrial Safety Unit-I SAFETY TERMINOLOGIES
Industrial Safety Unit-I SAFETY TERMINOLOGIESIndustrial Safety Unit-I SAFETY TERMINOLOGIES
Industrial Safety Unit-I SAFETY TERMINOLOGIESNarmatha D
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating SystemRashmi Bhat
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - GuideGOPINATHS437943
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
home automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadhome automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadaditya806802
 

Recently uploaded (20)

US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
System Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingSystem Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event Scheduling
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptx
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
The SRE Report 2024 - Great Findings for the teams
The SRE Report 2024 - Great Findings for the teamsThe SRE Report 2024 - Great Findings for the teams
The SRE Report 2024 - Great Findings for the teams
 
Industrial Safety Unit-I SAFETY TERMINOLOGIES
Industrial Safety Unit-I SAFETY TERMINOLOGIESIndustrial Safety Unit-I SAFETY TERMINOLOGIES
Industrial Safety Unit-I SAFETY TERMINOLOGIES
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating System
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - Guide
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
home automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadhome automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasad
 

Developer Security for WordPress

  • 1. SAFELY HANDLING DATA SO YOU DON’T GET PWND DEVELOPER SECURITY
  • 3. BRO. IF YOU DON’T ESCAPE YOUR DATA, YOU’LL NEVER ESCAPE THE HURT I’M GOING TO PUT ON YOU. Tony Perez (probably said that) IN CASE YOU NEEDED MORE REASONS…
  • 4. SUCURI SECURITY DRE “I’LL CHOKE YOU” ARMEDA
  • 5. LOOK, THERE ARE BAD PEOPLE OUT THERE TRYING ALL SORTS OF SALTY STUFF TO PWN YOUR SITE. YOU’RE NOT GOING TO BE READY FOR THAT? COME ON NOW…DON’T LET THEM MAKE YOU LOOK SILLY. ALSO, DON’T TOUCH MY HAT. Dre Armeda (might have said that) IN CASE YOU NEEDED MORE REASONS…
  • 6. SO HOW DO YOU PROTECT YOURSELF?
  • 7. WATCH THIS. IT’S AN OLDIE, BUT A GOODIE. http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
  • 8. THAT GUY, MARK JAQUITH, PWNED A PLUGIN I WROTE LIVE ON STAGE DURING A PLUGIN COMPETITION AT WORDCAMP NYC IN 2009, AND IT WOKE ME UP.
  • 10. IF YOU’RE GOING TO CHECK OUT NOW, HERE’S THE TL;DR 6 THINGS TO KEEP IN MIND WHEN WRITING CODE, NUMBER 2 WILL SHOCK YOU! ▸ Keep your dev environment clean ▸ Use WordPress Core code instead of custom code whenever possible ▸ Validate referrers ▸ Validate data inputs ▸ Sanitize data inputs ▸ Escape data outputs
  • 11. KEEP YOUR DEV ENVIRONMENT CLEAN MAC, LINUX, OR PC – IT DOESN’T MATTER ▸ Don’t think that just because you’re on a mac you’re safe from viruses. ▸ If you’re running linux, a lot of the responsibility of security is on you. Make sure all of your system software is patched and up to date. ▸ If you’re on a PC, you should assume you’re already pwned.
  • 12. KEEP YOUR DEV ENVIRONMENT CLEAN KASPERSKY ANTI-VIRUS ▸ I use it. ▸ Dre uses it. ▸ Tony uses it. ▸ You should be using it.
  • 13. WORDPRESS CORE CODE VS. YOUR CODE WORDPRESS CORE $request = wp_remote_get( $url ); $data = wp_remote_retrieve_body( $request ); YOUR CODE $ch = curl_init();
 $timeout = 5;
 curl_setopt( $ch, CURLOPT_URL, $url );
 curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 ); curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout ); $data = curl_exec( $ch );
 curl_close( $ch );
  • 14. TRUST NO ONE, TRUST NOTHING
  • 15. CSRF: CROSS-SITE REQUEST FORGERY HTTP://EN.WIKIPEDIA.ORG/WIKI/CROSS-SITE_REQUEST_FORGERY ▸ Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
  • 16. SWEET, THIS COULD LEAD TO MY NEXT BIG DEAL! CONFIRM!
  • 18. NONCES FTW! ▸ Create the nonce ▸ wp_nonce_url() - for links ▸ wp_create_nonce() - generates just the nonce value ▸ wp_nonce_field() - generates entire html hidden element ▸ Verify the request ▸ wp_verify_nonce() - validates the nonce for correctness and expiration ▸ check_admin_referer() - also checks if request came from another admin screen
  • 19. XSS: CROSS-SITE SCRIPTING HTTP://EN.WIKIPEDIA.ORG/WIKI/CROSS-SITE_SCRIPTING ▸ Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
  • 20. HOW TO MAINTAIN SAFE DATA ▸ Validate user input – verify data entered is in the proper format ▸ Sanitize data before saving – remove evil content in your data ▸ Escape dynamic data before output – the data can’t be used against a user
  • 21. WHITELIST DATA – ONLY ACCEPT KNOWN DATA $_POST = array( 'pwn' => '<script src="http://pwn.me/u.js"></script>', 'e' => 'email@domain.com' ); // bad foreach( $_POST as $key => $val ) { update_post_meta( $id, $key, $val ); } // good update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
  • 22. BLACKLIST DATA – ONLY ACCEPT DATA IF IT’S IN THE PROPER FORMAT $_POST = array( 'e' => 'email@domain.com' ); // bad update_post_meta( $id, 'e', $_POST['e'] ); // good if ( is_email( $_POST['e'] ) ) { update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) ); }
  • 23. SANITIZE USER GENERATED DATA - CAN CHANGE DATA AND CAUSE UNEXPECTED RESULTS // bad update_post_meta( $id, 'data', $_POST['name'] ); // good $safe_text_field = sanitize_text_field( $_POST['name'] ); update_post_meta( $id, 'data', $safe_text_field );
  • 24. ESCAPE DYNAMIC DATA ON OUTPUT – BAD DATA WILL BE TAMED IN A CONTEXT FRIENDLY WAY $dynamic_data = get_post_meta( $id, 'data', true ); // bad echo $dynamic_data; // good echo esc_html( $dynamic_data );
  • 25. HELPFUL LINKS ▸ http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/ ▸ http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/ ▸ https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data ▸ http://codex.wordpress.org/Data_Validation ▸ http://codex.wordpress.org/WordPress_Nonces ▸ https://developer.wordpress.org/plugins/security/ ▸ https://wordpress.org/about/security/ ▸ http://en.wikipedia.org/wiki/Cross-site_scripting ▸ http://en.wikipedia.org/wiki/Cross-site_request_forgery