SlideShare a Scribd company logo
Writing Secure
                      Plugins

                                   Mark Jaquith

                                   @markjaquith
                                  markjaquith.com
                              coveredwebservices.com


Saturday, November 14, 2009
XSS                            privilege




                                           shell execution
                              escalation


   CSRF
   SQL injection
Saturday, November 14, 2009
Plugin
      security is
      hit-or-miss
Saturday, November 14, 2009
Mostly
                miss
Saturday, November 14, 2009
SQL
     Injection
Saturday, November 14, 2009
<?php
    $wpdb->query(
    	 "UPDATE $wpdb->posts
    	 SET post_title = '$newtitle'
    	 WHERE ID = $my_id"
    	 );
    ?>




Saturday, November 14, 2009
<?php
    $newtitle =
    	 	 	 	 	 esc_sql( $newtitle );
    $my_id = absint( $my_id );

    $wpdb->query(
    	 "UPDATE $wpdb->posts
    	 SET post_title = '$newtitle'
    	 WHERE ID = $my_id"
    	 );
    ?>

Saturday, November 14, 2009
$wpdb->update()



Saturday, November 14, 2009
<?php
    $wpdb->update(
    	 $wpdb->posts,
    	 array( 'post_title' => $newtitle ),
    	 array( 'ID' => $my_id )
    	 );
    ?>




Saturday, November 14, 2009
$wpdb->insert()


Saturday, November 14, 2009
<?php
    $wpdb->insert(
    	 $wpdb->posts,
    	 array( 'post_title' => $newtitle )
    	 );
    ?>




Saturday, November 14, 2009
<?php
    $wpdb->update(
    	 $wpdb->posts,
    	 array(
    	 	 'post_title' => $newtitle,
    	 	 'post_content' => $newcontent ),
    	 array(
    	 	 'ID' => $my_id,
    	 	 'post_title' => $old_title )
    	 );
    ?>

Saturday, November 14, 2009
<?php
    $post_title = 'New Title';
    $wheres['ID'] = 123;
    $wheres['post_title'] = 'Old Title';
    $wpdb->update(
    	 $wpdb->posts,
    	 compact( 'post_title' ),
    	 $wheres
    	 );
    ?>

Saturday, November 14, 2009
$wpdb->prepare()



Saturday, November 14, 2009
<?php
    $title = 'Post Title';
    $ID = 123;
    $content = $wpdb->get_var(
    	 $wpdb->prepare(
    	 "SELECT post_content
    	    FROM  $wpdb->posts
    	    WHERE post_title = %s
    	    AND   ID = %d",
    	 $title, $ID )
    	 );
    ?>
Saturday, November 14, 2009
•Uses sprintf() formatting
                    •%s for strings
                    •%d for integers
                    •You should not quote or
                              escape

Saturday, November 14, 2009
Escape
      late
Saturday, November 14, 2009
XSS
Saturday, November 14, 2009
<h1>
    <?php
    	 echo $title;
    ?>
    </h1>




Saturday, November 14, 2009
<?php
    	 $title = '<script> pwnage(); </script>'
    ?>

    <h1>
    <?php
    	 echo $title;
    ?>
    </h1>




Saturday, November 14, 2009
Anything that
     isn’t hardcoded
        is suspect
Saturday, November 14, 2009
Better:
      Everything is suspect

Saturday, November 14, 2009
Saturday, November 14, 2009
esc_html()

Saturday, November 14, 2009
<?php
    	 $title =
    	 	 	 	 '<script> pwnage(); </script>'
    ?>
    <h1>
    <?php
    	 echo esc_html( $title );
    ?>
    </h1>


Saturday, November 14, 2009
<?php
    $title = '" onmouseover="pwnd();';
    ?>
    <a href="#wordcamp" title="
    <?php
    	 echo $title;
    ?>
    ">
    Link Text
    </a>

Saturday, November 14, 2009
esc_attr()



Saturday, November 14, 2009
<?php
    $title = '" onmouseover="pwnd();';
    ?>
    <a href="#wordcamp" title="
    <?php
    	 echo esc_attr( $title );
    ?>
    ">
    Link Text
    </a>

Saturday, November 14, 2009
<?php
     $url = 'javascript:pwnage();';
    ?>
    <a href="
    <?php
    	 echo esc_attr( $url );
    ?>
    ">
                       WRONG
    Link Text
    </a>

Saturday, November 14, 2009
esc_url()

Saturday, November 14, 2009
<?php
     $url = 'javascript:pwnage();';
    ?>
    <a href="
    <?php
    	 echo esc_url( $url );
    ?>
    ">
    Link Text
    </a>

Saturday, November 14, 2009
esc_url_raw(),
                       sister of esc_url()


Saturday, November 14, 2009
esc_ js()

Saturday, November 14, 2009
<script>
         var foo = '<?php echo esc_js( $bar ); ?>';
         </script>




Saturday, November 14, 2009
CSRF
Saturday, November 14, 2009
Authorization
                              vs.

     Intention
Saturday, November 14, 2009
Nonces
              action-, object-,
             user-specific time
            limited secret keys
Saturday, November 14, 2009
Specific to
                    •WordPress user
                    •Action attempted
                    •Object of attempted action
                    •Time window
Saturday, November 14, 2009
wp_nonce_field()



Saturday, November 14, 2009
<form action="process.php"
    method="post">
    <?php
    	 wp_nonce_field('plugin-action_object');
    ?>

    ...
    </form>



Saturday, November 14, 2009
check_admin_referer( )




Saturday, November 14, 2009
<?php
    // before output goes to browser
    check_admin_referer('plugin-
    	 action_object');
    ?>




Saturday, November 14, 2009
Still need to use
     current_user_can()


Saturday, November 14, 2009
AJAX
                CSRF
Saturday, November 14, 2009
• wp_create_nonce(   'your_action' );

                    • &_ajax_nonce=YOUR_NONCE
                    • check_ajax_referer(   'your_action' );




Saturday, November 14, 2009
Privilege
       Escalation
Saturday, November 14, 2009
current_user_can()



Saturday, November 14, 2009
Set your salts!
                http://api.wordpress.org/secret-key/1.1/




Saturday, November 14, 2009
Stupid shit
               I see all
               the time
Saturday, November 14, 2009
exec()

Saturday, November 14, 2009
<form action="<?php echo
           $_SERVER['REQUEST_URI']; ?>">




Saturday, November 14, 2009
<a href="<?php echo $url; ?>"
      title="<?php echo $title; ?>">
      <?php echo $text; ?>
      </a>

      <script>
      var foo = '<?php echo $js; ?>';
      </script>


Saturday, November 14, 2009
<a href="<?php echo esc_url( $url ); ?>"
      title="<?php echo esc_attr( $title ); ?>">
      <?php echo esc_html( $text ); ?>
      </a>

      <script>
      var foo = '<?php echo esc_js( $js ); ?>';
      </script>




Saturday, November 14, 2009
Discussion

Saturday, November 14, 2009

More Related Content

What's hot

Contributing to WordPress Core - Peter Wilson
Contributing to WordPress Core - Peter WilsonContributing to WordPress Core - Peter Wilson
Contributing to WordPress Core - Peter Wilson
WordCamp Sydney
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
benalman
 
RESTful web services
RESTful web servicesRESTful web services
RESTful web services
Tudor Constantin
 
Keeping it small: Getting to know the Slim micro framework
Keeping it small: Getting to know the Slim micro frameworkKeeping it small: Getting to know the Slim micro framework
Keeping it small: Getting to know the Slim micro framework
Jeremy Kendall
 
Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919
Paul Bearne
 
Inside Bokete: Web Application with Mojolicious and others
Inside Bokete:  Web Application with Mojolicious and othersInside Bokete:  Web Application with Mojolicious and others
Inside Bokete: Web Application with Mojolicious and others
Yusuke Wada
 
Make your own wp cli command in 10min
Make your own wp cli command in 10minMake your own wp cli command in 10min
Make your own wp cli command in 10min
Ivelina Dimova
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011
andrewnacin
 
Keeping it small - Getting to know the Slim PHP micro framework
Keeping it small - Getting to know the Slim PHP micro frameworkKeeping it small - Getting to know the Slim PHP micro framework
Keeping it small - Getting to know the Slim PHP micro framework
Jeremy Kendall
 
Avinash Kundaliya: Javascript and WordPress
Avinash Kundaliya: Javascript and WordPressAvinash Kundaliya: Javascript and WordPress
Avinash Kundaliya: Javascript and WordPress
wpnepal
 
Developing apps using Perl
Developing apps using PerlDeveloping apps using Perl
Developing apps using Perl
Anatoly Sharifulin
 
Mojolicious
MojoliciousMojolicious
Mojolicious
Marcus Ramberg
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Arc & Codementor
 
Keeping it Small: Getting to know the Slim Micro Framework
Keeping it Small: Getting to know the Slim Micro FrameworkKeeping it Small: Getting to know the Slim Micro Framework
Keeping it Small: Getting to know the Slim Micro Framework
Jeremy Kendall
 
You Don't Know Query (WordCamp Netherlands 2012)
You Don't Know Query (WordCamp Netherlands 2012)You Don't Know Query (WordCamp Netherlands 2012)
You Don't Know Query (WordCamp Netherlands 2012)
andrewnacin
 
Xmpp prebind
Xmpp prebindXmpp prebind
Xmpp prebind
Syed Arshad
 
Slim RedBeanPHP and Knockout
Slim RedBeanPHP and KnockoutSlim RedBeanPHP and Knockout
Slim RedBeanPHP and Knockout
Vic Metcalfe
 
How to learn j query
How to learn j queryHow to learn j query
How to learn j query
Baoyu Xu
 
Responsive Design with WordPress
Responsive Design with WordPressResponsive Design with WordPress
Responsive Design with WordPress
Joe Casabona
 
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Balázs Tatár
 

What's hot (20)

Contributing to WordPress Core - Peter Wilson
Contributing to WordPress Core - Peter WilsonContributing to WordPress Core - Peter Wilson
Contributing to WordPress Core - Peter Wilson
 
jQuery Plugin Creation
jQuery Plugin CreationjQuery Plugin Creation
jQuery Plugin Creation
 
RESTful web services
RESTful web servicesRESTful web services
RESTful web services
 
Keeping it small: Getting to know the Slim micro framework
Keeping it small: Getting to know the Slim micro frameworkKeeping it small: Getting to know the Slim micro framework
Keeping it small: Getting to know the Slim micro framework
 
Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919Childthemes ottawa-word camp-1919
Childthemes ottawa-word camp-1919
 
Inside Bokete: Web Application with Mojolicious and others
Inside Bokete:  Web Application with Mojolicious and othersInside Bokete:  Web Application with Mojolicious and others
Inside Bokete: Web Application with Mojolicious and others
 
Make your own wp cli command in 10min
Make your own wp cli command in 10minMake your own wp cli command in 10min
Make your own wp cli command in 10min
 
You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011You Don't Know Query - WordCamp Portland 2011
You Don't Know Query - WordCamp Portland 2011
 
Keeping it small - Getting to know the Slim PHP micro framework
Keeping it small - Getting to know the Slim PHP micro frameworkKeeping it small - Getting to know the Slim PHP micro framework
Keeping it small - Getting to know the Slim PHP micro framework
 
Avinash Kundaliya: Javascript and WordPress
Avinash Kundaliya: Javascript and WordPressAvinash Kundaliya: Javascript and WordPress
Avinash Kundaliya: Javascript and WordPress
 
Developing apps using Perl
Developing apps using PerlDeveloping apps using Perl
Developing apps using Perl
 
Mojolicious
MojoliciousMojolicious
Mojolicious
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
 
Keeping it Small: Getting to know the Slim Micro Framework
Keeping it Small: Getting to know the Slim Micro FrameworkKeeping it Small: Getting to know the Slim Micro Framework
Keeping it Small: Getting to know the Slim Micro Framework
 
You Don't Know Query (WordCamp Netherlands 2012)
You Don't Know Query (WordCamp Netherlands 2012)You Don't Know Query (WordCamp Netherlands 2012)
You Don't Know Query (WordCamp Netherlands 2012)
 
Xmpp prebind
Xmpp prebindXmpp prebind
Xmpp prebind
 
Slim RedBeanPHP and Knockout
Slim RedBeanPHP and KnockoutSlim RedBeanPHP and Knockout
Slim RedBeanPHP and Knockout
 
How to learn j query
How to learn j queryHow to learn j query
How to learn j query
 
Responsive Design with WordPress
Responsive Design with WordPressResponsive Design with WordPress
Responsive Design with WordPress
 
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019Let's write secure drupal code! - Drupal Camp Pannonia 2019
Let's write secure drupal code! - Drupal Camp Pannonia 2019
 

Similar to Writing Secure Plugins — WordCamp New York 2009

Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Tatsuhiko Miyagawa
 
mro-every.pdf
mro-every.pdfmro-every.pdf
mro-every.pdf
Workhorse Computing
 
Software livre e padrões abertos no desenvolvimento Web
Software livre e padrões abertos no desenvolvimento WebSoftware livre e padrões abertos no desenvolvimento Web
Software livre e padrões abertos no desenvolvimento Web
Felipe Ribeiro
 
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
Amazon Web Services
 
AnyMQ, Hippie, and the real-time web
AnyMQ, Hippie, and the real-time webAnyMQ, Hippie, and the real-time web
AnyMQ, Hippie, and the real-time web
clkao
 
Developing applications for performance
Developing applications for performanceDeveloping applications for performance
Developing applications for performance
Leon Fayer
 
Customizer-ing Theme Options: A Visual Playground
Customizer-ing Theme Options: A Visual PlaygroundCustomizer-ing Theme Options: A Visual Playground
Customizer-ing Theme Options: A Visual Playground
DrewAPicture
 
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכיריםמ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
Miriam Schwab
 
WordPress: From Antispambot to Zeroize
WordPress: From Antispambot to ZeroizeWordPress: From Antispambot to Zeroize
WordPress: From Antispambot to Zeroize
Yoav Farhi
 
WCLV13 JavaScript
WCLV13 JavaScriptWCLV13 JavaScript
WCLV13 JavaScript
Jeffrey Zinn
 
Introduction To Moco
Introduction To MocoIntroduction To Moco
Introduction To Moco
Naoya Ito
 
Wp query
Wp queryWp query
Wp query
Savita Soni
 
Daily notes
Daily notesDaily notes
Daily notes
meghendra168
 
logic321
logic321logic321
logic321
logic321
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
John Ford
 
November Camp - Spec BDD with PHPSpec 2
November Camp - Spec BDD with PHPSpec 2November Camp - Spec BDD with PHPSpec 2
November Camp - Spec BDD with PHPSpec 2
Kacper Gunia
 
Building a desktop app with HTTP::Engine, SQLite and jQuery
Building a desktop app with HTTP::Engine, SQLite and jQueryBuilding a desktop app with HTTP::Engine, SQLite and jQuery
Building a desktop app with HTTP::Engine, SQLite and jQuery
Tatsuhiko Miyagawa
 
The History of PHPersistence
The History of PHPersistenceThe History of PHPersistence
The History of PHPersistence
Hugo Hamon
 
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
arcware
 
Perl Web Client
Perl Web ClientPerl Web Client
Perl Web Client
Flavio Poletti
 

Similar to Writing Secure Plugins — WordCamp New York 2009 (20)

Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
 
mro-every.pdf
mro-every.pdfmro-every.pdf
mro-every.pdf
 
Software livre e padrões abertos no desenvolvimento Web
Software livre e padrões abertos no desenvolvimento WebSoftware livre e padrões abertos no desenvolvimento Web
Software livre e padrões abertos no desenvolvimento Web
 
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
(DEV305) Building Apps with the AWS SDK for PHP | AWS re:Invent 2014
 
AnyMQ, Hippie, and the real-time web
AnyMQ, Hippie, and the real-time webAnyMQ, Hippie, and the real-time web
AnyMQ, Hippie, and the real-time web
 
Developing applications for performance
Developing applications for performanceDeveloping applications for performance
Developing applications for performance
 
Customizer-ing Theme Options: A Visual Playground
Customizer-ing Theme Options: A Visual PlaygroundCustomizer-ing Theme Options: A Visual Playground
Customizer-ing Theme Options: A Visual Playground
 
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכיריםמ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
מ-antispambot ועד zeroise – עשר פונקציות וורדפרס שאתם כנראה לא מכירים
 
WordPress: From Antispambot to Zeroize
WordPress: From Antispambot to ZeroizeWordPress: From Antispambot to Zeroize
WordPress: From Antispambot to Zeroize
 
WCLV13 JavaScript
WCLV13 JavaScriptWCLV13 JavaScript
WCLV13 JavaScript
 
Introduction To Moco
Introduction To MocoIntroduction To Moco
Introduction To Moco
 
Wp query
Wp queryWp query
Wp query
 
Daily notes
Daily notesDaily notes
Daily notes
 
logic321
logic321logic321
logic321
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
 
November Camp - Spec BDD with PHPSpec 2
November Camp - Spec BDD with PHPSpec 2November Camp - Spec BDD with PHPSpec 2
November Camp - Spec BDD with PHPSpec 2
 
Building a desktop app with HTTP::Engine, SQLite and jQuery
Building a desktop app with HTTP::Engine, SQLite and jQueryBuilding a desktop app with HTTP::Engine, SQLite and jQuery
Building a desktop app with HTTP::Engine, SQLite and jQuery
 
The History of PHPersistence
The History of PHPersistenceThe History of PHPersistence
The History of PHPersistence
 
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
10 Things Every Plugin Developer Should Know (WordCamp Atlanta 2013)
 
Perl Web Client
Perl Web ClientPerl Web Client
Perl Web Client
 

More from Mark Jaquith

Cache Money Business
Cache Money BusinessCache Money Business
Cache Money Business
Mark Jaquith
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
Mark Jaquith
 
Creating and Maintaining WordPress Plugins
Creating and Maintaining WordPress PluginsCreating and Maintaining WordPress Plugins
Creating and Maintaining WordPress Plugins
Mark Jaquith
 
Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!
Mark Jaquith
 
WordPress Security - WordCamp Phoenix
WordPress Security - WordCamp PhoenixWordPress Security - WordCamp Phoenix
WordPress Security - WordCamp Phoenix
Mark Jaquith
 
WordPress Custom Post Types
WordPress Custom Post TypesWordPress Custom Post Types
WordPress Custom Post Types
Mark Jaquith
 
Writing Your First WordPress Plugin
Writing Your First WordPress PluginWriting Your First WordPress Plugin
Writing Your First WordPress Plugin
Mark Jaquith
 
What I Hate About Wordpress
What I Hate About WordpressWhat I Hate About Wordpress
What I Hate About Wordpress
Mark Jaquith
 
BuddyPress and the Future of WordPress Plugins
BuddyPress and the Future of WordPress PluginsBuddyPress and the Future of WordPress Plugins
BuddyPress and the Future of WordPress Plugins
Mark Jaquith
 
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
Mark Jaquith
 
Secure Coding With Wordpress (BarCamp Orlando 2009)
Secure Coding With Wordpress (BarCamp Orlando 2009)Secure Coding With Wordpress (BarCamp Orlando 2009)
Secure Coding With Wordpress (BarCamp Orlando 2009)
Mark Jaquith
 
Wordcamp Charlotte: WordPress Today and Tomorrow
Wordcamp Charlotte: WordPress Today and TomorrowWordcamp Charlotte: WordPress Today and Tomorrow
Wordcamp Charlotte: WordPress Today and Tomorrow
Mark Jaquith
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008
Mark Jaquith
 
Amping up your WordPress Blog
Amping up your WordPress BlogAmping up your WordPress Blog
Amping up your WordPress Blog
Mark Jaquith
 
Contributing To WordPress
Contributing To WordPressContributing To WordPress
Contributing To WordPress
Mark Jaquith
 

More from Mark Jaquith (15)

Cache Money Business
Cache Money BusinessCache Money Business
Cache Money Business
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
Creating and Maintaining WordPress Plugins
Creating and Maintaining WordPress PluginsCreating and Maintaining WordPress Plugins
Creating and Maintaining WordPress Plugins
 
Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!Coding, Scaling, and Deploys... Oh My!
Coding, Scaling, and Deploys... Oh My!
 
WordPress Security - WordCamp Phoenix
WordPress Security - WordCamp PhoenixWordPress Security - WordCamp Phoenix
WordPress Security - WordCamp Phoenix
 
WordPress Custom Post Types
WordPress Custom Post TypesWordPress Custom Post Types
WordPress Custom Post Types
 
Writing Your First WordPress Plugin
Writing Your First WordPress PluginWriting Your First WordPress Plugin
Writing Your First WordPress Plugin
 
What I Hate About Wordpress
What I Hate About WordpressWhat I Hate About Wordpress
What I Hate About Wordpress
 
BuddyPress and the Future of WordPress Plugins
BuddyPress and the Future of WordPress PluginsBuddyPress and the Future of WordPress Plugins
BuddyPress and the Future of WordPress Plugins
 
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
 
Secure Coding With Wordpress (BarCamp Orlando 2009)
Secure Coding With Wordpress (BarCamp Orlando 2009)Secure Coding With Wordpress (BarCamp Orlando 2009)
Secure Coding With Wordpress (BarCamp Orlando 2009)
 
Wordcamp Charlotte: WordPress Today and Tomorrow
Wordcamp Charlotte: WordPress Today and TomorrowWordcamp Charlotte: WordPress Today and Tomorrow
Wordcamp Charlotte: WordPress Today and Tomorrow
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008
 
Amping up your WordPress Blog
Amping up your WordPress BlogAmping up your WordPress Blog
Amping up your WordPress Blog
 
Contributing To WordPress
Contributing To WordPressContributing To WordPress
Contributing To WordPress
 

Recently uploaded

High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
ChristopherTHyatt
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
ishalveerrandhawa1
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Zilliz
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 

Recently uploaded (20)

High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and OllamaTirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
Tirana Tech Meetup - Agentic RAG with Milvus, Llama3 and Ollama
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 

Writing Secure Plugins — WordCamp New York 2009

  • 1. Writing Secure Plugins Mark Jaquith @markjaquith markjaquith.com coveredwebservices.com Saturday, November 14, 2009
  • 2. XSS privilege shell execution escalation CSRF SQL injection Saturday, November 14, 2009
  • 3. Plugin security is hit-or-miss Saturday, November 14, 2009
  • 4. Mostly miss Saturday, November 14, 2009
  • 5. SQL Injection Saturday, November 14, 2009
  • 6. <?php $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
  • 7. <?php $newtitle = esc_sql( $newtitle ); $my_id = absint( $my_id ); $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
  • 9. <?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) ); ?> Saturday, November 14, 2009
  • 11. <?php $wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) ); ?> Saturday, November 14, 2009
  • 12. <?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle, 'post_content' => $newcontent ), array( 'ID' => $my_id, 'post_title' => $old_title ) ); ?> Saturday, November 14, 2009
  • 13. <?php $post_title = 'New Title'; $wheres['ID'] = 123; $wheres['post_title'] = 'Old Title'; $wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres ); ?> Saturday, November 14, 2009
  • 15. <?php $title = 'Post Title'; $ID = 123; $content = $wpdb->get_var( $wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID ) ); ?> Saturday, November 14, 2009
  • 16. •Uses sprintf() formatting •%s for strings •%d for integers •You should not quote or escape Saturday, November 14, 2009
  • 17. Escape late Saturday, November 14, 2009
  • 19. <h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
  • 20. <?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
  • 21. Anything that isn’t hardcoded is suspect Saturday, November 14, 2009
  • 22. Better: Everything is suspect Saturday, November 14, 2009
  • 25. <?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo esc_html( $title ); ?> </h1> Saturday, November 14, 2009
  • 26. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo $title; ?> "> Link Text </a> Saturday, November 14, 2009
  • 28. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo esc_attr( $title ); ?> "> Link Text </a> Saturday, November 14, 2009
  • 29. <?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_attr( $url ); ?> "> WRONG Link Text </a> Saturday, November 14, 2009
  • 31. <?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_url( $url ); ?> "> Link Text </a> Saturday, November 14, 2009
  • 32. esc_url_raw(), sister of esc_url() Saturday, November 14, 2009
  • 34. <script> var foo = '<?php echo esc_js( $bar ); ?>'; </script> Saturday, November 14, 2009
  • 36. Authorization vs. Intention Saturday, November 14, 2009
  • 37. Nonces action-, object-, user-specific time limited secret keys Saturday, November 14, 2009
  • 38. Specific to •WordPress user •Action attempted •Object of attempted action •Time window Saturday, November 14, 2009
  • 40. <form action="process.php" method="post"> <?php wp_nonce_field('plugin-action_object'); ?> ... </form> Saturday, November 14, 2009
  • 42. <?php // before output goes to browser check_admin_referer('plugin- action_object'); ?> Saturday, November 14, 2009
  • 43. Still need to use current_user_can() Saturday, November 14, 2009
  • 44. AJAX CSRF Saturday, November 14, 2009
  • 45. • wp_create_nonce( 'your_action' ); • &_ajax_nonce=YOUR_NONCE • check_ajax_referer( 'your_action' ); Saturday, November 14, 2009
  • 46. Privilege Escalation Saturday, November 14, 2009
  • 48. Set your salts! http://api.wordpress.org/secret-key/1.1/ Saturday, November 14, 2009
  • 49. Stupid shit I see all the time Saturday, November 14, 2009
  • 51. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> Saturday, November 14, 2009
  • 52. <a href="<?php echo $url; ?>" title="<?php echo $title; ?>"> <?php echo $text; ?> </a> <script> var foo = '<?php echo $js; ?>'; </script> Saturday, November 14, 2009
  • 53. <a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>"> <?php echo esc_html( $text ); ?> </a> <script> var foo = '<?php echo esc_js( $js ); ?>'; </script> Saturday, November 14, 2009