WordPress Security - WordCamp Phoenix
  1. Secure Coding with WordPress. Mark Jaquith (@markjaquith), m@rkj.me, “JAKE-with”, markjaquith.com
  2. The state of WordPress plugin security is...
  3. Problem #1: Lack of awareness
  4. Problem #2: Apathy
  5. Goals. I want you to learn the following:
     1. How to thwart the three most common attacks
     2. Two useful principles
     3. Common mistakes to avoid
  6. Attack #1: SQL Injection
  7. Vulnerable: the variables are interpolated straight into the SQL string.
     $wpdb->query( "UPDATE $wpdb->posts SET post_title = $newtitle WHERE ID = $my_id" );
  8. $wpdb->update()
  9. $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
  10. $sets = array( 'post_title' => $newtitle, 'post_content' => $newcontent );
      $wheres = array( 'post_type' => 'post', 'post_name' => $my_name );
      $wpdb->update( $wpdb->posts, $sets, $wheres );
  11. $wpdb->insert( $table, $data )
  12. $wpdb->prepare()
  13. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );
  14. • Powered by sprintf(), but only %s and %d are supported right now
      • Do not quote %s — use %s, NOT '%s'
      • Does the escaping for you
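The following is an added example, not code from the slides: a small plugin helper that renames a post with $wpdb->update() (using the optional format arrays) and then looks a post up with $wpdb->prepare(), showing the unquoted %s/%d placeholders the slide describes. It assumes it runs inside a loaded WordPress install (global $wpdb); the wcphx_* function names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): parameterised $wpdb calls only.
 * Assumes a loaded WordPress install (global $wpdb); the function
 * names are hypothetical.
 */

function wcphx_rename_post( $post_id, $new_title ) {
    global $wpdb;

    // Sanitise inputs first; the format arrays below tell $wpdb how to
    // quote each value, so no manual escaping is needed.
    $post_id   = absint( $post_id );
    $new_title = sanitize_text_field( wp_unslash( $new_title ) );

    $rows = $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ), // data
        array( 'ID' => $post_id ),           // where
        array( '%s' ),                       // data formats
        array( '%d' )                        // where formats
    );

    // $wpdb->update() returns false on error, otherwise rows affected.
    return false !== $rows;
}

function wcphx_find_posts( $slug_or_id ) {
    global $wpdb;

    // %s and %d are NOT wrapped in quotes: prepare() adds the quoting and
    // escaping itself, so '%s' would double-quote the value.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts
         WHERE post_name = %s OR ID = %d",
        $slug_or_id,
        absint( $slug_or_id )
    );

    return $wpdb->get_results( $sql );
}

// Constructed input: a slug containing a quote character. prepare() turns
// it into a harmless quoted literal inside the WHERE clause.
$results = wcphx_find_posts( "hello' OR '1'='1" );
```

The format arrays on $wpdb->update() are optional (values default to %s), but spelling them out keeps an integer column from being compared as a string.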
  15. Rule #1: Escape Late
  16. Attack #2: XSS (Cross-Site Scripting)
  17. <h1><?php echo $title ?></h1>
  18. $title = '<script>pwnage();</script>';
  19. Rule #2: Anything that isn't hardcoded is suspect
  20. Rule #2 (revised): Everything is suspect
  21. Easy as...
  22. esc_html()
  23. <h1><?php echo esc_html( $title ); ?></h1>
  24. <?php $title = '" onmouseover="pwnd();'; ?>
      <a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>
  25. esc_attr()
  26. <?php $title = '" onmouseover="pwnd();'; ?>
      <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>
  27. <?php $url = 'javascript:pwnd();'; ?>
      <a href="<?php echo $url; ?>">Link Text</a>
  28. esc_url()
  29. esc_url_raw()
  30. esc_js()
  31. <script>var foo = '<?php echo esc_js( $unsafe ); ?>';</script>
  32. esc_textarea()
  33. wp_filter_kses()
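As an added example (not from the slides), one template helper that puts the same untrusted values into every output context the deck names, escaping each at the point of output ("escape late"), plus the non-display case where esc_url_raw() is the right choice. It assumes a loaded WordPress install; the wcphx_* function names and the bookmark fields are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): context-specific output escaping.
 * Assumes a loaded WordPress install; function and field names are
 * hypothetical.
 */

function wcphx_render_bookmark( array $bookmark ) {
    // Escape late: the raw values stay untouched until the exact point of
    // output, and each sink gets the escaper for its context.
    $url   = $bookmark['url'];
    $title = $bookmark['title'];
    $blurb = $bookmark['blurb'];  // may legitimately contain limited HTML
    $notes = $bookmark['notes'];
    ?>
    <div class="bookmark" data-title="<?php echo esc_attr( $title ); ?>">
        <!-- href: esc_url() drops javascript:/data: URLs entirely; the
             title attribute and visible text get attribute/HTML escaping -->
        <a href="<?php echo esc_url( $url ); ?>"
           title="<?php echo esc_attr( $title ); ?>">
            <?php echo esc_html( $title ); ?>
        </a>

        <!-- Allowed HTML only: wp_kses_post() keeps <em>, <a href> etc. and
             strips <script>, on* handlers and disallowed URL schemes -->
        <p><?php echo wp_kses_post( $blurb ); ?></p>

        <!-- A textarea's body is HTML, so it needs its own escaper -->
        <textarea name="notes"><?php echo esc_textarea( $notes ); ?></textarea>

        <!-- Inline JS: esc_js() escapes for a single-quoted JS string, so
             the quotes around the PHP tag are part of the pattern -->
        <script>
            var bookmarkTitle = '<?php echo esc_js( $title ); ?>';
        </script>
    </div>
    <?php
}

function wcphx_redirect_after_save( $raw_url ) {
    // esc_url_raw() is the non-display variant: same scheme check as
    // esc_url(), but no HTML entity encoding, which makes it fit for a
    // redirect header or for storing in the database.
    $safe = esc_url_raw( $raw_url );
    if ( '' === $safe ) {
        $safe = admin_url();
    }
    wp_safe_redirect( $safe );
    exit;
}

// Constructed sample record with a bad value in every field; each one is
// neutralised by the escaper for its context.
wcphx_render_bookmark( array(
    'url'   => 'javascript:pwnd();',
    'title' => '" onmouseover="pwnd();',
    'blurb' => 'Read <em>this</em><script>pwnage();</script>',
    'notes' => '</textarea><script>pwnage();</script>',
) );
```

esc_url() returns an empty string for a URL whose scheme is not in the allowed list, so the link above renders with an empty href rather than a script URL; wp_kses_post() is the post-content preset of the kses filter family the slide refers to.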
  34. Attack #3: CSRF (Cross-site Request Forgery)
  35. Authorization vs. Intention
  36. Nonces: action-, object-, & user-specific time-limited secret keys
  37. Specific to:
      • WordPress user
      • Action attempted
      • Object of attempted action
      • Time window
  38. wp_nonce_field( 'plugin-action_object' )
  39. <form action="process.php" method="post">
      <?php wp_nonce_field( 'plugin-action_object' ); ?>
      ...
      </form>
  40. check_admin_referer( 'plugin-action_object' );
  41. Still need to use current_user_can()
  42. CSRF for Ajax/XHR
  43. // 1. On the front end
      $nonce = wp_create_nonce( 'your_action' );
      // 2. add &_ajax_nonce=$nonce to your post/get vars
      // 3. On the backend
      check_ajax_referer( 'your_action' );
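The complete procedure from slides 38 through 43, as an added example that is not code from the talk: a settings form protected by wp_nonce_field()/check_admin_referer(), an Ajax endpoint protected by wp_create_nonce()/check_ajax_referer(), and the current_user_can() checks that the nonce does not replace. It assumes a loaded WordPress install; the wcphx_* function, option, meta and action names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): nonces for intention, capability
 * checks for authorization. Assumes a loaded WordPress install; option,
 * action and function names are hypothetical.
 */

// --- Classic form submission ----------------------------------------------

function wcphx_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // authorization: may this user do this at all?
    }
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="wcphx_save_settings">
        <?php wp_nonce_field( 'wcphx-save-settings' ); ?>
        <input type="text" name="wcphx_tagline"
               value="<?php echo esc_attr( get_option( 'wcphx_tagline', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function wcphx_handle_settings_form() {
    // Intention: the nonce proves this user meant to submit *this* form
    // (action-, user- and time-specific); check_admin_referer() dies on failure.
    check_admin_referer( 'wcphx-save-settings' );

    // Authorization, again: a valid nonce from a subscriber is still not
    // permission to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $tagline = sanitize_text_field( wp_unslash( $_POST['wcphx_tagline'] ?? '' ) );
    update_option( 'wcphx_tagline', $tagline );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wcphx_save_settings', 'wcphx_handle_settings_form' );

// --- Ajax / XHR -----------------------------------------------------------

function wcphx_enqueue_ajax_script() {
    wp_enqueue_script( 'wcphx-ajax', plugins_url( 'ajax.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // Step 1: hand the nonce to the browser. Step 2 happens in ajax.js,
    // which posts it back as the _ajax_nonce field.
    wp_localize_script( 'wcphx-ajax', 'wcphx', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wcphx-toggle-flag' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wcphx_enqueue_ajax_script' );

function wcphx_ajax_toggle_flag() {
    // Step 3: reads $_REQUEST['_ajax_nonce'] by default and dies on failure.
    check_ajax_referer( 'wcphx-toggle-flag' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $flag = ! (bool) get_post_meta( $post_id, '_wcphx_flag', true );
    update_post_meta( $post_id, '_wcphx_flag', $flag ? '1' : '' );
    wp_send_json_success( array( 'flag' => $flag ) );
}
add_action( 'wp_ajax_wcphx_toggle_flag', 'wcphx_ajax_toggle_flag' );
```

The browser side (the hypothetical ajax.js) posts action=wcphx_toggle_flag, post_id and _ajax_nonce=wcphx.nonce to wcphx.ajaxUrl; wp_ajax_* hooks only run for logged-in users, which is why the capability check on the specific post is still needed inside the handler.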
  44. Stupid shit I see all the time
  45. eval()
  46. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
  47. <a href="<?php echo $home; ?>" title="<?php echo $title; ?>"><?php echo $text; ?></a>
      <script>var foo = '<?php echo $var; ?>';</script>
  48. <a href="<?php echo esc_url( $home ); ?>" title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a>
      <script>var foo = '<?php echo esc_js( $var ); ?>';</script>
  49. Thanks! Mark Jaquith (@markjaquith), m@rkj.me, “JAKE-with”, markjaquith.com