The document discusses various security vulnerabilities in WordPress, including XSS, CSRF, and SQL injection. It highlights specific examples of vulnerable plugins and emphasizes the importance of input validation, sanitization, and regular updates. Additionally, it provides resources and tips for enhancing WordPress security.

1. WordPress Security
‫רן‬‫בר‬-‫זיק‬

2. Ran Bar-Zik @barzik
1. MEAN LAMP developer at HPE HPLN product.
2. Author @ internet-israel.com.
3. Connect me via Facebook or Twitter!

3. Hackers in the news:

4. The Movie “Hackers”
1995 rulz!!!

5. Picture of real hacker!
Source: http://www.israelnationalnews.com/News/News.aspx/179572

6. XSS
Cross side Scripting

7. Sample XSS volnurable WordPress Plugin
User send message to admin
admin can view all messages

8. Sample XSS volnurable WordPress Plugin
User send message with JS to admin
JS run when admin view the message

9. WordPress Data Validation

10. Input Validation Sanitization and Output
escaping
User input
Validatation
Sanitization
Output
Escaping

11. XSS issues coming from unexpected places
<?php
//404 page
Print “You came from {$_SERVER['HTTP_REFERER']}, but you
got 404.”;
die;

12. XSS found!
Open URL:
wordpress.com/<script>alert(1)</script>
Output will be:

13. XSS breach safe
<?php
//404 page
$safe_output = echo esc_url( $_SERVER['HTTP_REFERER'] );
Print “You came from $safe_output, but you got 404.”;
die;

14. HTML 5 XSS Vulnerability
<video onerror="alert(1)"><source></source></video>
More Info at: https://html5sec.org/

15. Sanitization Validation Functions
esc_html
esc_textarea
esc_url
urlencode
is_email
sanitize_email()
sanitize_file_name()
sanitize_html_class()
etc...

16. CSRF - Cross Site Request Forgery

17. CSRF vulnerable plugin
Click on delete sends GET
request to:
wp-
admin/myuser?uid=number
&op=delete

18. CSRF activation
<a href=”wordpress.com/wp-admin/myuser?uid=1&op=delete”>
<img src=”See_bar_naked.png” />
</a>

19. WordPress Nonce
https://codex.wordpress.org/WordPress_Nonces

20. SQL Injection example
Code at site:
$account_id = $ _GET[‘uid’];
$myrows =
$wpdb->get_results("SELECT * FROM users WHERE uid =
$account_id”);
//Display users

21. SQL Injection exploitation
URL:
wordpress.com/user_profile/?uid=”1'; DROP TABLE users; –'/”
Actual query:
SELECT * FROM users WHERE uid = 1'; DROP TABLE users; –
'’”);

22. Malicious code at Plugins Themes

23. PHP Obscufation
Before:
<?php
Print "Hello world!";
After:
<?php
Printbase64_decode('SGVsbG8gd29ybGQh');
Using http://www.gaijin.at/en/olsphpobfuscator.php

24. TAC Plugin
https://wordpress.org/plugins/tac/

25. App code that cause server changes:
function _avatar_uploader_view() {
$filename = $_GET['file'];
$filename = drupal_basename($filename);
$upload_dir = _avatar_uploader_tmp_path();
$file = $upload_dir . '/' . $filename;
$type = file_get_mimetype($file); //php 5.2
header("Content-Type: $type");
echo file_get_contents($file);
exit;
}

26. More tips:
1. Update, Update, Update - Everything, anytime.
2. Backup often.

27. Thank you!
Connect me via Facebook:
https://www.facebook.com/rbarzik
Twitter: @barzik
LinkedIn:
https://www.linkedin.com/in/barzik
Site:
internet-israel.com