Secure Coding With Wordpress (BarCamp Orlando 2009)
Page 1
Secure Coding with WordPress
Mark Jaquith
markjaquith.com
coveredwebservices.com

Page 2
XSS
CSRF
SQL injection
privilege escalation
shell execution

Page 3
Plugin security is hit-or-miss

Page 4
Mostly miss
Page 5
SQL Injection

Page 6
```php
<?php
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
```

Page 7
```php
<?php
$newtitle = $wpdb->escape( $newtitle );
$my_id = absint( $my_id );
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
```

Page 8
$wpdb->update()

Page 9
```php
<?php
$wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
?>
```

Page 10
$wpdb->insert()

Page 11
```php
<?php
$wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) );
?>
```

Page 12
```php
<?php
$wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle, 'post_content' => $newcontent ), array( 'ID' => $my_id, 'post_title' => $old_title ) );
?>
```

Page 13
```php
<?php
$post_title = 'New Title';
$wheres['ID'] = 123;
$wheres['post_title'] = 'Old Title';
$wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres );
?>
```

Page 14
$wpdb->prepare()

Page 15
```php
<?php
$title = 'Post Title';
$ID = 123;
$content = $wpdb->get_var( $wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID ) );
?>
```

Page 16
• Uses sprintf() formatting
• %s for strings
• %d for integers
• You should not quote or escape
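The four rules on page 16 are easier to see when the placeholder contract is run against a hostile value. The following is an added example, not code from the deck: `demo_prepare()` and `demo_escape()` are stand-ins that model the contract of `$wpdb->prepare()` so it can be run in plain PHP without WordPress; they are not wpdb's implementation, and the inputs are constructed.

```php
<?php
// Added example (not from the slides): a minimal stand-in that models the
// contract of $wpdb->prepare() so the slide's rules can be run without
// WordPress. demo_prepare()/demo_escape() are this example's own names,
// not wpdb's implementation.

// Stand-in for $wpdb's escaping; addslashes() is used only because it needs
// no database connection.
function demo_escape( $value ) {
    return addslashes( (string) $value );
}

// %s becomes a quoted, escaped string and %d an integer; the caller passes
// raw values and neither quotes nor escapes them.
function demo_prepare( $query, ...$args ) {
    preg_match_all( '/%[sd]/', $query, $m );
    $prepared = array();
    foreach ( $m[0] as $i => $spec ) {
        $prepared[] = ( '%d' === $spec ) ? (int) $args[ $i ] : demo_escape( $args[ $i ] );
    }
    $query = str_replace( '%s', "'%s'", $query ); // quoting is prepare()'s job
    return vsprintf( $query, $prepared );
}

// Constructed hostile input, modelled on the slide's $title / $ID query.
$title = "Post Title' OR 1=1 -- ";
$id    = '123 OR 1=1';

// Correct use: the quote inside $title is escaped, and $id collapses to 123.
echo demo_prepare(
    'SELECT post_content FROM wp_posts WHERE post_title = %s AND ID = %d',
    $title, $id
), "\n";

// Wrong use ("you should not quote or escape"): the caller quoted %s and
// escaped the value itself, so the string ends up quoted twice and escaped
// twice, which is broken SQL rather than a safe comparison.
echo demo_prepare(
    "SELECT ID FROM wp_posts WHERE post_title = '%s'",
    demo_escape( $title )
), "\n";
```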
Page 17
Escapelate

Page 18
XSS

Page 19
```php
<h1><?php echo $title; ?></h1>
```

Page 20
```php
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo $title; ?></h1>
```

Page 21
Anything that isn't hardcoded is suspect

Page 22
Better: Everything is suspect

Page 23
wp_specialchars()

Page 24
```php
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo wp_specialchars( $title ); ?></h1>
```

Page 25
```php
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo wp_specialchars( $title ); ?>">Link Text</a>
```

Page 26
attribute_escape()

Page 27
```php
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo attribute_escape( $title ); ?>">Link Text</a>
```

Page 28
```php
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo attribute_escape( $url ); ?>">Link Text</a>
```

Page 29
clean_url()

Page 30
```php
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>
```

Page 31
sanitize_url(), sister of clean_url()

Page 32
js_escape()
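Pages 19 to 30 make one point three times: the escaping function has to match the output context, because a text escaper leaves quotes alone and no escaper at all helps against a `javascript:` URL. The following is an added example, not code from the deck: the `demo_*` functions are plain-PHP stand-ins for the three contexts (they are not the WordPress implementations of `wp_specialchars()`, `attribute_escape()` or `clean_url()`), run against the deck's own payloads so the difference is visible in the output.

```php
<?php
// Added example (not from the slides): stand-ins for the three output
// contexts the slides distinguish, run against the slides' own payloads
// without WordPress. The demo_* names are this example's own, not the
// WordPress implementations they stand in for.

// Element text: & < > are encoded; quotes are not. Enough between tags,
// which is all wp_specialchars() was for.
function demo_escape_text( $s ) {
    return htmlspecialchars( $s, ENT_NOQUOTES, 'UTF-8' );
}

// Attribute value: quotes are encoded too, so the value cannot close the
// attribute and start a new one (the attribute_escape() case).
function demo_escape_attr( $s ) {
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// href/src: encoding does nothing against a javascript: URL, which is a
// perfectly valid attribute value. The scheme has to be allow-listed (the
// clean_url() case); anything else collapses to an empty string.
function demo_escape_url( $s ) {
    $allowed = array( 'http', 'https', 'ftp', 'mailto' );
    $s = preg_replace( '/[\x00-\x20\x7F]/', '', (string) $s ); // drop whitespace/control chars
    if ( preg_match( '/^([a-z][a-z0-9+.-]*):/i', $s, $m )
        && ! in_array( strtolower( $m[1] ), $allowed, true ) ) {
        return '';
    }
    return demo_escape_attr( $s );
}

// The slides' payloads, constructed here as the untrusted values.
$title = '<script> pwnage(); </script>';
$attr  = '" onmouseover="pwnd();';
$url   = 'javascript:pwnage();';

echo '<h1>' . demo_escape_text( $title ) . "</h1>\n";                      // script tags neutralised
echo '<a href="#" title="' . demo_escape_text( $attr ) . '">x</a>', "\n";  // quote survives: a new attribute appears
echo '<a href="#" title="' . demo_escape_attr( $attr ) . '">x</a>', "\n";  // quote encoded: stays inside title
echo '<a href="' . demo_escape_attr( $url ) . '">x</a>', "\n";             // still a javascript: link
echo '<a href="' . demo_escape_url( $url ) . '">x</a>', "\n";              // href emptied
```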
Page 33
CSRF

Page 34
Authorization vs. Intention

Page 36
Nonces
action-, object-, user-specific, time-limited secret keys

Page 37
Specific to:
• WordPress user
• Action attempted
• Object of attempted action
• Time window

Page 38
wp_nonce_field()

Page 39
```php
<form action="process.php" method="post">
<?php wp_nonce_field( 'plugin-action_object' ); ?>
...
</form>
```

Page 40
check_admin_referer()

Page 41
```php
<?php
// before output goes to browser
check_admin_referer( 'plugin-action_object' );
?>
```

Page 42
Still need to use current_user_can()

Page 43
AJAX CSRF

Page 44
• wp_create_nonce( 'your_action' );
• &_ajax_nonce=YOUR_NONCE
• check_ajax_referer( 'your_action' );

Page 45
Privilege Escalation

Page 46
current_user_can()
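Pages 36 to 46 describe one pattern from two sides: the nonce proves the user intended the request, `current_user_can()` proves they are allowed to make it, and a handler needs both before it touches the database. The following is an added example that wires the form, the POST handler and the AJAX variant together the way the deck describes; it is not code from the talk. It assumes it runs inside WordPress as plugin code; the `demo_*` function names, the `demo_retitle` action and the hook wiring are this example's own, and it uses the current `esc_url()`/`esc_attr()` names (the deck's `clean_url()` and `attribute_escape()` still exist as deprecated wrappers for them).

```php
<?php
// Added example, not the talk's code. Assumes WordPress is loaded (plugin
// context); demo_* names, the demo_retitle action and hook wiring are mine.

// 1. The form: the nonce is tied to this action AND this post (the object).
function demo_render_retitle_form( $post_id ) {
    $post_id = absint( $post_id );
    echo '<form action="' . esc_url( admin_url( 'admin-post.php' ) ) . '" method="post">';
    wp_nonce_field( 'demo_retitle_' . $post_id );
    echo '<input type="hidden" name="action" value="demo_retitle">';
    echo '<input type="hidden" name="post_id" value="' . esc_attr( $post_id ) . '">';
    echo '<input type="text" name="new_title" value="">';
    echo '<input type="submit" value="Rename">';
    echo '</form>';
}

// 2. The handler runs before any output: the nonce proves intention,
//    current_user_can() proves authorization; both checks are needed.
function demo_handle_retitle() {
    global $wpdb;
    $post_id = absint( $_POST['post_id'] ?? 0 );
    check_admin_referer( 'demo_retitle_' . $post_id );     // dies on a missing/expired/foreign nonce
    if ( ! current_user_can( 'edit_post', $post_id ) ) {   // a valid nonce says nothing about permission
        wp_die( 'You are not allowed to edit this post.' );
    }
    $new_title = sanitize_text_field( wp_unslash( $_POST['new_title'] ?? '' ) );
    $wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $post_id ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_retitle', 'demo_handle_retitle' );

// 3. AJAX variant: the page embeds wp_create_nonce( 'demo_retitle_' . $post_id ),
//    the request sends it as _ajax_nonce, and check_ajax_referer() verifies it.
function demo_ajax_retitle() {
    global $wpdb;
    $post_id = absint( $_POST['post_id'] ?? 0 );
    check_ajax_referer( 'demo_retitle_' . $post_id );      // reads $_REQUEST['_ajax_nonce']
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $new_title = sanitize_text_field( wp_unslash( $_POST['new_title'] ?? '' ) );
    $wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $post_id ) );
    wp_send_json_success( array( 'title' => $new_title ) );
}
add_action( 'wp_ajax_demo_retitle', 'demo_ajax_retitle' );
```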
Page 47
Set your salts!
http://api.wordpress.org/secret-key/1.1/

Page 48
Stupid shit I see all the time

Page 49
exec()

Page 50
```php
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
```

Page 51
Thank you!