
Snakes in a plugin - WordPress plugin security

A talk on WordPress plugin security given at Big Media & Enterprise WordPress London Meetup, including a live demo of exploiting a plugin vulnerability.

Video available here: https://vip.wordpress.com/2015/03/11/snakes-in-a-plugin-wordpress-plugin-security/

Meetup: http://www.meetup.com/Big-Media-Enterprise-WordPress-London-Meetup/events/220408317/

Snakes in a plugin - WordPress plugin security

  1. Duncan Stuart @dgmstuart
  2. “You can't defend. You can't prevent. The only thing you can do is detect and respond.” Bruce Schneier
  3. WordPress dev for the public sector. Secure hosting. Plugin security reviews. www.dxw.com
  4. The internet is a terrifying place
  5. Demo
  6. What did we learn? The internet is a terrifying place. You can’t trust the ‘from’ field. You can’t trust the address bar.
  7. It’s much, much worse
  8. (no slide text)
  9. It’s not unusual... It’s the most common vulnerability. 25% of plugins we review are unsafe; over 25% are conditionally safe.
  10. “I am regularly asked what the average Internet user can do to ensure his security.” Bruce Schneier (quote completed on the next slide)
  11. “I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'.” Bruce Schneier
  12. (no slide text)
  13. What can you do? 1. Update! 2. Pen test! 3. Mongoose!
  14. Security alerts for WordPress plugins: www.mongoosewp.com
  15. Thank You. @dgmstuart @thedxw www.dxw.com
  16. Questions? @dgmstuart
