WordPress Security - WordCamp Phoenix
  1. Secure Coding with WordPress
     Mark Jaquith (@markjaquith), m@rkj.me, pronounced “JAKE-with”, markjaquith.com
  2. The state of WordPress plugin security is...
  3. Problem #1: Lack of awareness
  4. Problem #2: Apathy
  5. Goals. I want you to learn the following:
     1. How to thwart the three most common attacks
     2. Two useful principles
     3. Common mistakes to avoid
  6. Attack #1: SQL Injection
  7. $wpdb->query(
         "UPDATE $wpdb->posts
          SET post_title = $newtitle
          WHERE ID = $my_id"
     );
  8. $wpdb->update()
  9. $wpdb->update(
         $wpdb->posts,
         array( 'post_title' => $newtitle ),
         array( 'ID' => $my_id )
     );
  10. $sets = array(
          'post_title'   => $newtitle,
          'post_content' => $newcontent
      );
      $wheres = array(
          'post_type' => 'post',
          'post_name' => $my_name
      );
      $wpdb->update( $wpdb->posts, $sets, $wheres );
  11. $wpdb->insert( $table, $data )
  12. $wpdb->prepare()
  13. $wpdb->prepare(
          "SELECT * FROM $wpdb->posts
           WHERE post_name = %s OR ID = %d",
          $some_name,
          $some_id
      );
  14. • Powered by sprintf(), but only %s and %d are supported right now
      • Do not quote %s: use %s, NOT '%s'
      • Does the escaping for you
  15. Rule #1: Escape Late
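The following is an added example, not code from the slides: the string-built UPDATE of slide 7 next to the two safe forms the slides recommend, written as plugin functions. It assumes it runs inside WordPress (so $wpdb and its methods are available); the wcphx_* function names are made up for this example.

```php
<?php
/*
 * Added example (not from the slides). Assumes WordPress is loaded so
 * that the global $wpdb object exists. Function names are made up.
 */

// UNSAFE: the slide-7 pattern. $new_title and $post_id are interpolated
// straight into SQL, so a title containing a single quote changes the
// statement itself. Kept only to contrast with the two safe versions.
function wcphx_rename_post_unsafe( $post_id, $new_title ) {
    global $wpdb;
    return $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$new_title' WHERE ID = $post_id" );
}

// SAFE: $wpdb->update() builds and escapes the SQL itself. The optional
// format arrays say which values are strings (%s) and which are integers
// (%d); without them every value is treated as a string.
function wcphx_rename_post( $post_id, $new_title ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ), // SET
        array( 'ID' => (int) $post_id ),     // WHERE
        array( '%s' ),                        // formats for the SET values
        array( '%d' )                         // formats for the WHERE values
    );
}

// SAFE: $wpdb->prepare() for queries the helpers cannot express.
// %s and %d are the only placeholders; %s is NOT wrapped in quotes,
// because prepare() adds the quoting and escaping itself. This is
// "escape late": $name and $id travel through the code unescaped and are
// escaped only here, at the moment they meet SQL.
function wcphx_find_post( $name, $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts WHERE post_name = %s OR ID = %d",
        $name,
        $id
    );
    return $wpdb->get_results( $sql );
}
```

Both $wpdb->update() and $wpdb->prepare() work on the raw values, so nothing upstream needs to pre-escape them; escaping earlier (for example with addslashes() when the value is read) would only double-escape the data once it reaches prepare().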
  16. Attack #2: XSS (Cross-Site Scripting)
  17. <h1><?php echo $title ?></h1>
  18. $title = '<script>pwnage();</script>';
  19. Rule #2: Anything that isn't hardcoded is suspect
  20. Rule #2 (revised): Everything is suspect
  21. Easy as...
  22. esc_html()
  23. <h1><?php echo esc_html( $title ); ?></h1>
  24. <?php $title = '" onmouseover="pwnd();'; ?>
      <a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>
  25. esc_attr()
  26. <?php $title = '" onmouseover="pwnd();'; ?>
      <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>
  27. <?php $url = 'javascript:pwnd();'; ?>
      <a href="<?php echo $url; ?>">Link Text</a>
  28. esc_url()
  29. esc_url_raw()
  30. esc_js()
  31. <script>var foo = '<?php echo esc_js( $unsafe ); ?>';</script>
  32. esc_textarea()
  33. wp_filter_kses()
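The following is an added example, not code from the slides: one template function that renders the same untrusted values in each output context with the matching escaping function, covering the esc_*() slides above and also the slide-46 form action built from $_SERVER['REQUEST_URI']. It assumes it runs inside WordPress; the function name, the hook used to call it and the sample values are made up, and the sample values mirror the slides' own payloads.

```php
<?php
/*
 * Added example (not from the slides). Assumes WordPress is loaded.
 * Function name, hook choice and sample values are made up.
 */

// Escape at the point of output, and pick the function by context:
// where the value lands in the document decides which escape is right.
function wcphx_render_link_card( $home, $title, $text, $unsafe, $bio ) {
    ?>
    <!-- element content: esc_html() -->
    <h1><?php echo esc_html( $title ); ?></h1>

    <!-- attribute value: esc_attr(); URL in an attribute: esc_url() -->
    <a href="<?php echo esc_url( $home ); ?>" title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a>

    <!-- a form action taken from the request is still a URL: esc_url(),
         never a bare echo of $_SERVER['REQUEST_URI'] -->
    <form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>" method="post">
        <!-- textarea content has its own helper -->
        <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>
    </form>

    <!-- inside a single-quoted JavaScript string literal: esc_js() -->
    <script>var foo = '<?php echo esc_js( $unsafe ); ?>';</script>

    <!-- when some HTML must survive, allow-list it with wp_kses()
         instead of escaping it; everything not listed is stripped -->
    <div class="bio"><?php echo wp_kses( $bio, array(
        'a'      => array( 'href' => true ),
        'em'     => array(),
        'strong' => array(),
    ) ); ?></div>
    <?php
}

// Constructed sample values (made up for this example). Each one comes
// out inert in its context: esc_url() drops the javascript: URL to an
// empty string, esc_attr() encodes the quotes, esc_html() encodes the
// tags, esc_js() escapes the quote, wp_kses() keeps <strong> but
// removes <script>.
add_action( 'wp_footer', function () {
    wcphx_render_link_card(
        'javascript:pwnd();',
        '" onmouseover="pwnd();',
        '<script>pwnage();</script>',
        "'; pwnd(); //",
        '<strong>hi</strong><script>pwnd();</script>'
    );
} );
```

esc_url() is for output into HTML; esc_url_raw() is the variant for URLs that are about to be stored or used in a redirect rather than printed, since it skips the HTML entity encoding. wp_filter_kses() from slide 33 is the filter-callback form of the same allow-listing that wp_kses() does directly here.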
  34. Attack #3: CSRF (Cross-site Request Forgery)
  35. Authorization vs. Intention
  36. Nonces: action-, object-, & user-specific time-limited secret keys
  37. Specific to:
      • WordPress user
      • Action attempted
      • Object of attempted action
      • Time window
  38. wp_nonce_field( 'plugin-action_object' )
  39. <form action="process.php" method="post">
      <?php wp_nonce_field( 'plugin-action_object' ); ?>
      ...
      </form>
  40. check_admin_referer( 'plugin-action_object' );
  41. Still need to use current_user_can()
  42. CSRF for Ajax/XHR
  43. // 1. On the front end
      $nonce = wp_create_nonce( 'your_action' );
      // 2. add &_ajax_nonce=$nonce to your post/get vars
      // 3. On the backend
      check_ajax_referer( 'your_action' );
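The following is an added example, not code from the slides: a delete form protected by an object-specific nonce plus a capability check, and the Ajax version of the same handler, put together from the slide-38 to slide-43 pieces. It assumes it runs inside WordPress as a plugin; the wcphx_* names, the nonce action strings, the option name and the capability chosen are made up for this example.

```php
<?php
/*
 * Added example (not from the slides). Assumes WordPress is loaded and
 * this file is a plugin. Function names, action strings, option name
 * and the 'manage_options' capability are made up for the example.
 */

// Render the form. wp_nonce_field() prints a hidden _wpnonce input (and a
// _wp_http_referer input) tied to this user, this action string, and a
// time window. Putting the item id in the action string makes the nonce
// object-specific: a nonce for item 7 will not verify for item 8.
function wcphx_render_delete_form( $item_id ) {
    $item_id = (int) $item_id;
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="wcphx_delete_item">
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $item_id ); ?>">
        <?php wp_nonce_field( 'wcphx-delete-item_' . $item_id ); ?>
        <input type="submit" value="Delete">
    </form>
    <?php
}

// Handle the form. Two separate questions: is this user allowed to do
// this at all (authorization, current_user_can), and did this user
// actually intend this request (intention, the nonce). One check does
// not replace the other.
function wcphx_handle_delete_item() {
    $item_id = isset( $_POST['item_id'] ) ? (int) $_POST['item_id'] : 0;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.' );
    }
    // Stops with an "Are you sure?" page if the nonce is missing, expired,
    // issued to another user, for another action, or for another item.
    check_admin_referer( 'wcphx-delete-item_' . $item_id );

    delete_option( 'wcphx_item_' . $item_id ); // stand-in for the real work
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_post_wcphx_delete_item', 'wcphx_handle_delete_item' );

// Ajax variant, step 1: create the nonce on the server and hand it to the
// page's script. wp_localize_script() exposes it as wcphx.nonce in JS.
function wcphx_enqueue_script() {
    wp_enqueue_script( 'wcphx', plugins_url( 'wcphx.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wcphx', 'wcphx', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wcphx-ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wcphx_enqueue_script' );

// Step 2 happens in wcphx.js (not shown): the script posts action=
// wcphx_delete_item, item_id and _ajax_nonce=wcphx.nonce to wcphx.ajaxurl.
// Step 3: check_ajax_referer() reads _ajax_nonce (or _wpnonce) from the
// request and dies with -1 if it does not verify. The capability check
// is still required on top of it.
function wcphx_ajax_delete_item() {
    check_ajax_referer( 'wcphx-ajax' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden' );
    }
    $item_id = isset( $_POST['item_id'] ) ? (int) $_POST['item_id'] : 0;
    delete_option( 'wcphx_item_' . $item_id );
    wp_send_json_success( array( 'deleted' => $item_id ) );
}
add_action( 'wp_ajax_wcphx_delete_item', 'wcphx_ajax_delete_item' );
```

The nonce proves intention, not identity or permission: a logged-in subscriber can obtain a perfectly valid nonce for their own session, so without the current_user_can() call either handler would let any logged-in user delete items.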
  44. Stupid shit I see all the time
  45. eval()
  46. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
  47. <a href="<?php echo $home; ?>" title="<?php echo $title; ?>"><?php echo $text; ?></a>
      <script>var foo = '<?php echo $var; ?>';</script>
  48. <a href="<?php echo esc_url( $home ); ?>" title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a>
      <script>var foo = '<?php echo esc_js( $var ); ?>';</script>
  49. Thanks! Mark Jaquith (@markjaquith), m@rkj.me, pronounced “JAKE-with”, markjaquith.com