Writing Secure Plugins — WordCamp New York 2009
- 1. Writing Secure Plugins
  Mark Jaquith
  @markjaquith
  markjaquith.com
  coveredwebservices.com
  Saturday, November 14, 2009
- 2. XSS
  privilege escalation
  shell execution
  CSRF
  SQL injection
- 3. Plugin security is hit-or-miss
- 4. Mostly miss
- 5. SQL Injection
- 6. <?php
  // Vulnerable: $newtitle and $my_id are interpolated into the query unescaped.
  $wpdb->query(
      "UPDATE $wpdb->posts
       SET post_title = '$newtitle'
       WHERE ID = $my_id"
  );
  ?>
- 7. <?php
  // Escape the string and cast the ID to a non-negative integer before interpolating.
  $newtitle = esc_sql( $newtitle );
  $my_id    = absint( $my_id );
  $wpdb->query(
      "UPDATE $wpdb->posts
       SET post_title = '$newtitle'
       WHERE ID = $my_id"
  );
  ?>
- 9. <?php
  // $wpdb->update() escapes the values and builds the WHERE clause for you.
  $wpdb->update(
      $wpdb->posts,
      array( 'post_title' => $newtitle ),
      array( 'ID' => $my_id )
  );
  ?>
- 11. <?php
  // Same idea for inserts: column => value, escaping handled by $wpdb.
  $wpdb->insert(
      $wpdb->posts,
      array( 'post_title' => $newtitle )
  );
  ?>
- 12. <?php
  // Multiple SET columns and multiple WHERE conditions (ANDed together).
  $wpdb->update(
      $wpdb->posts,
      array(
          'post_title'   => $newtitle,
          'post_content' => $newcontent,
      ),
      array(
          'ID'         => $my_id,
          'post_title' => $old_title,
      )
  );
  ?>
- 13. <?php
  $post_title = 'New Title';
  $wheres['ID']         = 123;
  $wheres['post_title'] = 'Old Title';
  // compact() builds array( 'post_title' => $post_title ) from the variable name.
  $wpdb->update(
      $wpdb->posts,
      compact( 'post_title' ),
      $wheres
  );
  ?>
- 15. <?php
  $title = 'Post Title';
  $ID    = 123;
  // $wpdb->prepare() uses sprintf-style placeholders: %s is quoted and escaped, %d is cast to int.
  $content = $wpdb->get_var(
      $wpdb->prepare(
          "SELECT post_content
           FROM $wpdb->posts
           WHERE post_title = %s
           AND ID = %d",
          $title, $ID
      )
  );
  ?>
- 17. Escape late
- 19. <h1><?php echo $title; ?></h1>
- 20. <?php
  $title = '<script> pwnage(); </script>';
  ?>
  <!-- Unescaped output: the script tag lands in the page as markup. -->
  <h1><?php echo $title; ?></h1>
- 21. Anything that isn’t hardcoded is suspect
- 22. Better: Everything is suspect
- 25. <?php
  $title = '<script> pwnage(); </script>';
  ?>
  <!-- esc_html() converts <, >, &, " and ' to entities, so the browser renders text, not a tag. -->
  <h1><?php echo esc_html( $title ); ?></h1>
- 26. <?php
  $title = '" onmouseover="pwnd();';
  ?>
  <!-- Unescaped attribute: the embedded quote closes title="" and starts a new attribute. -->
  <a href="#wordcamp" title="<?php echo $title; ?>">
  Link Text
  </a>
- 28. <?php
  $title = '" onmouseover="pwnd();';
  ?>
  <!-- esc_attr() encodes the quote, so the value stays inside the title attribute. -->
  <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">
  Link Text
  </a>
- 29. WRONG (esc_attr() encodes quotes but leaves the javascript: scheme intact):
  <?php
  $url = 'javascript:pwnage();';
  ?>
  <a href="<?php echo esc_attr( $url ); ?>">
  Link Text
  </a>
- 31. <?php
  $url = 'javascript:pwnage();';
  ?>
  <!-- esc_url() rejects disallowed schemes and encodes the rest for use in href. -->
  <a href="<?php echo esc_url( $url ); ?>">
  Link Text
  </a>
- 34. <script>
  // esc_js() escapes for a single-quoted JavaScript string literal.
  var foo = '<?php echo esc_js( $bar ); ?>';
  </script>
- 37. Nonces: action-, object-, user-specific, time-limited secret keys
- 38. Specific to
  • WordPress user
  • Action attempted
  • Object of attempted action
  • Time window
- 40. <form action="process.php" method="post">
  <?php wp_nonce_field( 'plugin-action_object' ); ?>
  ...
  </form>
- 42. <?php
  // before output goes to browser; dies if the nonce is missing, expired, or for another user/action/object
  check_admin_referer( 'plugin-action_object' );
  ?>
- 43. Still need to use current_user_can()
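The following is an added example, not code from the slides or from WordPress itself: a hypothetical plugin rename handler that strings together the steps from slides 9, 40, 42 and 43 (bound nonce, nonce check, capability check, $wpdb->update(), escape-at-output). Every name prefixed myplugin_ and the admin-post action name are assumptions.

```php
<?php
// Added example, not from the slides: a hypothetical "myplugin" rename handler
// that strings together the nonce, capability, query and escaping steps.
// Everything prefixed myplugin_ (and the action name) is an assumption.
// Render the form. The nonce is bound to this action AND this post ID,
// and every dynamic value is escaped at the point of output (escape late).
function myplugin_rename_form( $post_id ) {
    $post_id = absint( $post_id );
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="myplugin_rename" />
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>" />
        <?php wp_nonce_field( 'myplugin-rename_' . $post_id ); ?>
        <input type="text" name="new_title" />
        <input type="submit" value="Rename" />
    </form>
    <?php
}

// admin-post.php routes a POST with action=myplugin_rename to this callback.
add_action( 'admin_post_myplugin_rename', 'myplugin_handle_rename' );
function myplugin_handle_rename() {
    global $wpdb;
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // CSRF: dies unless the nonce matches this action + object for this user.
    check_admin_referer( 'myplugin-rename_' . $post_id );

    // Authorization: a valid nonce proves intent, not permission (slide 43).
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to rename this post.' );
    }

    // Sanitize the untrusted title before it touches anything.
    $raw       = isset( $_POST['new_title'] ) ? $_POST['new_title'] : '';
    $new_title = sanitize_text_field( wp_unslash( $raw ) );

    // SQL: $wpdb->update() escapes the values and builds the WHERE clause,
    // so no untrusted string is ever interpolated into the query (slide 9).
    $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ),
        array( 'ID' => $post_id ),
        array( '%s' ),
        array( '%d' )
    );

    wp_safe_redirect( admin_url( 'edit.php?renamed=' . $post_id ) );
    exit;
}
```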
- 44. AJAX CSRF
- 45. • wp_create_nonce( 'your_action' );
• &_ajax_nonce=YOUR_NONCE
• check_ajax_referer( 'your_action' );
- 46. Privilege Escalation
- 48. Set your salts!
http://api.wordpress.org/secret-key/1.1/
- 49. Stupid shit I see all the time
- 52. <!-- Four output contexts, none escaped. -->
  <a href="<?php echo $url; ?>"
     title="<?php echo $title; ?>">
  <?php echo $text; ?>
  </a>
  <script>
  var foo = '<?php echo $js; ?>';
  </script>
- 53. <!-- Same markup, each value escaped with the function for its context. -->
  <a href="<?php echo esc_url( $url ); ?>"
     title="<?php echo esc_attr( $title ); ?>">
  <?php echo esc_html( $text ); ?>
  </a>
  <script>
  var foo = '<?php echo esc_js( $js ); ?>';
  </script>