WordPress Security @ Vienna WordPress + Drupal Meetup
•Download as ODP, PDF•
1 like•538 views
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to WordPress Security @ Vienna WordPress + Drupal Meetup
Similar to WordPress Security @ Vienna WordPress + Drupal Meetup (20)
More from Veselin Nikolov
More from Veselin Nikolov (8)
Recently uploaded
Recently uploaded (20)
WordPress Security @ Vienna WordPress + Drupal Meetup
- 1. Security Ruins everything on the Internet since 1920*
- 2. About me ● Veselin Nikolov ● Automattic ● WP since 1.2 ● PHP + MySQL since 3.0
- 3. About me ● Veselin Nikolov ● Automattic ● WP since 1.2 ● PHP + MySQL since 3.0 ● IRC since 1998
- 4. Acid Burn ● Controls traffic lights ● Owns 686
- 5. 90s ● mIRC, ircops ● MSIE hacks ● Malware ● DoS, botnets ● Proxies, shells, bots, irc servers
- 6. ● Confidentiality ● Integrity ● Availability Security
- 7. ● Prevention ● Identification ● Reaction Security
- 8. ● Hardware ● Internet ● Servers ● Passwords and Private Keys ● Plugins & Themes ● Our code ● Meatware It's not about WordPress
- 9. ● Evil Maid, Trojans ● Antivirus Hardware
- 10. ● MITM, routers, Wi-Fi, Poodle, http ● VPN, Proxy, Software Update Internet
- 11. Passwords Your password is OK, as long as it's 6 caracters and ends with 123. I recommend qwe123 :D
- 12. ● 30%+ of the services use plain text http://plaintextoffenders.com/about/ ● Phishing, Social Engineering, Brute Force, MITM, keyloggers, human errors, password databases Passwords
- 13. Somebody somewhere knows many of your passwords. Passwords
- 14. Password Manager Unfortunately, many of your clients will have their accounts compromised.
- 15. The Super Admin
- 16. The Super Admin
- 17. 'my secret password' -> ● phpass: ● $P$BXT7cDEtQXkAVarv7mh8WZux1euzwI/ md5: ● a7303f3eee5f3ff1942bfbb1797ea0af Storing Passwords
- 18. ● Use strong hashing algorythms. Phpass is ok, md5 is not. ● Be careful with logs and emails, they might contain sensitive information Storing Passwords
- 19. 2FA ● https://wordpress.org/plugins/two-fact ● 2FA everything!
- 20. Plugins and Themes ● Use reputable sources ● Don't use free versions of paid plugins
- 21. Detection ● VaultPress ● Sucuri ● ? You need between 0 and 1
- 22. Response ● You need proper backups ● Logs ● Stay calm, it happens.
- 23. Code Review Reverse Q & A. Topics covered: XSS, Open Redirect, XXE, SQL Injection, Remote Code Execution
- 24. What's wrong with that? <?php echo $_GET['hi'];
- 25. Cross Site Scripting - XSS GET ?hi=<script>alert('hi')</script> <?php echo $_GET['hi']; Must be echo esc_html( $_GET['hi'] );
- 26. ...let's fix it. <?php echo esc_html( printf( 'hi, %s', $_GET['name'] ) );
- 27. Typo :( <?php echo esc_html( printf( 'hi, %s', $_GET['name'] ) ); Late escaping OR sprintf!
- 28. What's wrong? <?php $youtube_widget = $_REQUEST['src']; ?> <script src="<?php echo esc_url( $youtube_widget ); ?>"> </script>
- 29. XSS <?php $youtube_widget = $_REQUEST['src']; ?> <script src="<?php echo esc_url( $youtube_widget ); ?>"> </script> GET ?src=http://my-evil-site.com/hack.js
- 30. Let's add validation... <?php $src = $_REQUEST['src']; if ( ! preg_match( '#https?://youtube.com/#', $src ) ) { die( 'Invalid Source!' ); } ?> <script src="<?php echo esc_url( $src ); ?>"> </script>
- 32. Let's fix it. <?php $src = $_REQUEST['src']; if ( ! preg_match( '!^https?://(www.)? youtube.com/!', $src ) ) { die( 'Invalid Source!' ); } ?> <script src="<?php echo esc_url( $src ); ?>"> </script>
- 33. '.' is a wilcard '!^https?://(www.)?youtube.com/!' Will match 'http://wwwayoutube.com/'
- 34. ? <?php $domain = esc_url( $_GET['domain'] ); $user_host = `host $domain`; echo esc_html( $user_host );
- 35. Remote Code Execution <?php $domain = esc_url( $_GET['domain'] ); $user_host = `host $domain`; echo esc_html( $user_host ); What if $_GET['domain'] = '| echo "hi!"';
- 36. Remote Code Execution ● eval(); ● assert(); ● ``; //backticks ● system() ● create_function() ● preg_replace( '.../e', $_GET )
- 37. ? <?php // @mdawaffe's example $xml = simplexml_load_file( $uploaded_file ); ?> <h1><?php printf( "%s Uploaded!", esc_html( $xml->title ) ); ?></h1>
- 38. XML External Entity XXE <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE something [<!ENTITY awesome SYSTEM "file:///home/www/public_html/db-config.php" >] > <something> <title>&awesome;</title> </something>
- 39. XML External Entity XXE Missing: libxml_disable_entity_loader(true); Be careful with XML parsers, careless use is associated with many vulnerabilities.
- 40. ? <?php $id = $_GET['id']; if ( intval( $id ) ) { $result = $wpdb->query( "DELETE FROM wp_usermeta WHERE user_id = $id" ); }
- 41. SQL Injection <?php $id = $_GET['id']; if ( intval( $id ) ) { $result = $wpdb->query( "DELETE FROM wp_usermeta WHERE user_id = $id" ); } $id = '5 or 1 = 1'; -> DELETE FROM wp_usermeta WHERE user_id = 5 or 1 = 1
- 42. SQL Injection <?php $id = (int) $_GET['id']; $result = $wpdb->query( $wpdb->prepare( "DELETE FROM wp_usermeta WHERE user_id = %d", $id ) ); Or use $wpdb->delete();
- 43. ? <?php $url = $_GET['url']; if ( preg_match( '!^https?://[^.]+.whatever.com/.+ $!i', $url ) ) { wp_redirect( $url ); } else { wp_die( 'hacker :(' ); }
- 44. Open Redirect <?php // http://3254656436/or.whatever.com/spam if ( preg_match( '!^https?://[^.]+.whatever.com/.+ $!i', $url ) ) { wp_redirect( $url ); } else { wp_die( 'hacker :(' ); }
- 45. Thanks AMA :-)