SlideShare une entreprise Scribd logo
1  sur  58
Télécharger pour lire hors ligne
WRITING SECURE WORDPRESS CODE
BY	
  BRAD	
  WILLIAMS	
  
Brad Williams
@williamsba
WHO IS BRAD?
Brad Williams
@williamsba
Brad	
  Williams	
  
	
  
Co-­‐Founder	
  WebDevStudios.com	
  
	
  	
  
Co-­‐Author	
  Professional	
  WordPress	
  	
  
	
  &	
  Professional	
  WordPress	
  	
  
	
   	
  Plugin	
  Development	
  
	
  	
  
Co-­‐Organizer	
  WordCamp	
  Philly	
  
	
  	
  
Co-­‐Host	
  DradCast	
  
TODAY’S TOPICS
Brad Williams
@williamsba
	
  
• Cover	
  the	
  big	
  three	
  exploits	
  
•  SQL	
  InjecLon	
  -­‐	
  SQLi	
  
•  Cross-­‐Site	
  ScripLng	
  -­‐	
  XSS	
  
•  Cross-­‐Site	
  Request	
  Forgery	
  –	
  CSRF	
  
• Hack	
  Examples	
  
• Data	
  ValidaLon	
  and	
  SaniLzaLon	
  
• Resources	
  
TRUST NO ONE
Brad Williams
@williamsba
Golden	
  Rule	
  of	
  Code	
  
Trust	
  No	
  One	
  
TRUST NO ONE
Brad Williams
@williamsba
Consider	
  all	
  data	
  invalid	
  
unless	
  it	
  can	
  be	
  proven	
  valid	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
SQL	
  InjecLon	
  (SQLi)	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
SQL	
  injec*on	
  is	
  a	
  code	
  injecLon	
  technique,	
  
used	
  to	
  aYack	
  data	
  driven	
  applicaLons,	
  in	
  
which	
  malicious	
  SQL	
  statements	
  are	
  
inserted	
  into	
  an	
  entry	
  field	
  for	
  execuLon	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
SQL	
  InjecLon	
  Example	
  
	
  
global $wpdb;
$ID = $_GET['ID'];
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
SELECT	
  post_Ltle	
  FROM	
  wp_posts	
  WHERE	
  ID	
  =	
  '5';	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
SQL	
  InjecLon	
  Example	
  
	
  
SELECT	
  post_Ltle	
  FROM	
  wp_posts	
  WHERE	
  ID	
  =	
  '';	
  	
  
SELECT	
  *	
  FROM	
  wp_users	
  WHERE	
  1	
  =	
  '1';	
  
global $wpdb;
$ID = "'; SELECT * FROM wp_users WHERE 1 = '1";
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
SQL INJECTION - SQLI
Brad Williams
@williamsba
hYp://www.sitepoint.com/forums/showthread.php?83772-­‐web-­‐site-­‐hacked	
  
My	
  IntroducLon	
  to	
  SQLi	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
hYp://www.sitepoint.com/forums/showthread.php?83772-­‐web-­‐site-­‐hacked	
  
My	
  IntroducLon	
  to	
  SQLi	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->insert()
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->insert(
$wpdb->postmeta,
array(
'post_id' => '5',
'meta_key' => '_custom_meta_key',
'meta_value' => 'true'
),
array(
'%d',
'%s',
'%s'
)
);
$wpdb->insert()
$wpdb->insert( $table, $data, $format )
Example:	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->update()
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->update(
$wpdb->postmeta',
array(
'meta_value' => 'false'
),
array(
'post_id' => 5,
'meta_key' => '_custom_meta_key'
),
array(
'%s'
),
array(
'%d',
'%s'
)
);
$wpdb->update()
$wpdb->update( $table, $data, $where, $format, $where_format )
Example:	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->delete()
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->delete(
$wpdb->posts,
array( 'ID' => 5 ),
array( '%d' )
);
$wpdb->delete()
$wpdb->delete( $table, $where, $where_format )
Example:	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb->prepare()
SQL INJECTION - SQLI
Brad Williams
@williamsba
•  Handles	
  strings	
  (%s)	
  and	
  
integers	
  (%d)	
  
•  Does	
  the	
  escaping	
  for	
  you	
  
•  No	
  need	
  to	
  quote	
  %s	
  
$wpdb->prepare( " SELECT post_title FROM $wpdb->posts WHERE ID = %d ", $ID );
$wpdb->prepare()
SQL INJECTION - SQLI
Brad Williams
@williamsba
•  Handles	
  strings	
  (%s)	
  and	
  
integers	
  (%d)	
  
•  Does	
  the	
  escaping	
  for	
  you	
  
•  No	
  need	
  to	
  quote	
  %s	
  
$wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );
$wpdb->prepare()
SQL INJECTION - SQLI
Brad Williams
@williamsba
$wpdb-­‐>prepare()	
  only	
  prepares	
  the	
  query,	
  it	
  does	
  not	
  execute	
  it.	
  
$wpdb->query(
$wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' )
);
$wpdb->prepare()
echo $wpdb->prepare( " DELETE FROM $wpdb->postmeta
WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' );
To	
  view	
  the	
  fully	
  prepared	
  query	
  simply	
  echo	
  it	
  
SQL INJECTION - SQLI
Brad Williams
@williamsba
hYp://xkcd.com/327/	
  
Don’t	
  be	
  LiYle	
  Bobby	
  Tables	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
Cross-­‐Site	
  ScripLng	
  	
  
(XSS)	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
	
  
What	
  is	
  Cross-­‐Site	
  ScripLng?	
  
	
  
AYacker	
  injects	
  client-­‐side	
  scripts	
  into	
  your	
  web	
  pages	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
Escaping	
  
To	
  escape	
  is	
  to	
  take	
  the	
  data	
  you	
  may	
  
already	
  have	
  and	
  help	
  secure	
  it	
  prior	
  to	
  
rendering	
  it	
  for	
  the	
  end	
  user	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
1.  esc_	
  is	
  the	
  prefix	
  for	
  all	
  escaping	
  funcLons	
  
2.  aYr	
  is	
  the	
  context	
  being	
  escaped	
  
3.  _e	
  is	
  the	
  opLonal	
  translaLon	
  suffix	
  
Props	
  to	
  Mark	
  Jaquith!	
  
Escaping	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<h1><?php echo $title; ?></h1>
BAD	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<?php
$title = "<script>alert('Hello Europe!');</script>";
?>
<h1><?php echo $title; ?></h1>
BAD	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<?php
$title = "<script>alert('Hello Europe!');</script>";
?>
<h1><?php echo esc_html( $title ); ?></h1>
View	
  Source:	
  
<h1>&lt;script&gt;alert(&#039;Hello Europe!&#039;);&lt;/script&gt;</h1>
GOOD	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<input type="text" name="name"
value="<?php echo esc_attr( $text ); ?>" />
esc_attr()
Used	
  whenever	
  you	
  need	
  to	
  display	
  data	
  inside	
  an	
  HTML	
  element	
  
hYp://codex.wordpress.org/FuncLon_Reference/esc_aYr	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<textarea name="bio">
<?php echo esc_textarea( $bio); ?>
</textarea>
esc_textarea()
Used	
  to	
  encode	
  text	
  for	
  use	
  in	
  a	
  <textarea>	
  form	
  element	
  
hYp://codex.wordpress.org/FuncLon_Reference/esc_textarea	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<a href="<?php echo esc_url( $url); ?>">Link</a>
esc_url()
	
  Used	
  for	
  validaLng	
  and	
  saniLzing	
  URLs	
  
hYp://codex.wordpress.org/FuncLon_Reference/esc_url	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<?php
$url = 'http://wordpress.org';
$response = wp_remote_get( esc_url_raw( $url ) );
?>
esc_url_raw()
	
  Used	
  for	
  escaping	
  a	
  URL	
  for	
  database	
  queries,	
  redirects,	
  and	
  HTTP	
  requests	
  
Similar	
  to	
  esc_url(),	
  but	
  does	
  not	
  replace	
  enLLes	
  for	
  display	
  
hYp://codex.wordpress.org/FuncLon_Reference/esc_url_raw	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<script>
var bwar='<?php echo esc_js( $text ); ?>';
</script>
esc_js()
	
  Used	
  to	
  escape	
  text	
  strings	
  in	
  JavaScript	
  
hYp://codex.wordpress.org/FuncLon_Reference/esc_js	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
Integers	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
$ID = absint( $_GET['ID'] );
absint()
Coverts	
  a	
  value	
  to	
  a	
  non-­‐negaLve	
  integer	
  
hYp://codex.wordpress.org/FuncLon_Reference/absint	
  
<input type="text" name="number_posts" value="<?php echo absint( $number ); ?>" />
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
$ID = intval( $_GET['ID'] );
intval()
Returns	
  the	
  integer	
  value.	
  	
  Works	
  with	
  negaLve	
  values	
  
hYp://php.net/manual/en/funcLon.intval.php	
  
<input type="text" name="number_posts" value="<?php echo intval( $number ); ?>" />
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
SaniLzing	
  
To	
  saniLze	
  is	
  to	
  take	
  the	
  data	
  and	
  clean	
  
to	
  make	
  safe	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
<?php
update_post_meta(
420,
'_post_meta_key',
$_POST['new_meta_value']
);
?>
BAD	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
sanitize_text_field()
SaniLze	
  a	
  string	
  
hYp://codex.wordpress.org/FuncLon_Reference/saniLze_text_field	
  
<?php
update_post_meta(
34,
'_post_meta_key',
sanitize_text_field( $_POST['new_meta_value'] )
);
?>
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
sanitize_email()
Strip	
  out	
  all	
  characters	
  not	
  allowed	
  in	
  an	
  email	
  address	
  
hYp://codex.wordpress.org/FuncLon_Reference/saniLze_email	
  
<?php
update_post_meta(
34,
'_email_address',
sanitize_email( $_POST['email'] )
);
?>
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
sanitize_user()
SaniLze	
  username	
  stripping	
  out	
  unsafe	
  characters	
  
hYp://codex.wordpress.org/FuncLon_Reference/saniLze_user	
  
<?php
update_post_meta(
34,
'_custom_username',
sanitize_user( $_POST['username'] )
);
?>
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
wp_kses()
Filters	
  content	
  and	
  keeps	
  only	
  allowable	
  HTML	
  elements.	
  
hYp://codex.wordpress.org/FuncLon_Reference/wp_kses	
  
<a	
  href="#">link</a>.	
  This	
  is	
  bold	
  and	
  <strong>strong</strong>	
  
CROSS-SITE SCRIPTING - XSS
Brad Williams
@williamsba
wp_kses_post()
Filters	
  post	
  content	
  and	
  keeps	
  only	
  allowable	
  HTML	
  elements.	
  
hYp://codex.wordpress.org/FuncLon_Reference/wp_kses_post	
  
HTML	
  tags	
  allowed	
  to	
  be	
  put	
  into	
  Posts	
  by	
  non-­‐admin	
  users	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
Cross-­‐site	
  Request	
  
Forgery	
  
(CSRF)	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
Exploit	
  of	
  a	
  website	
  whereby	
  unauthorized	
  commands	
  
are	
  transmiYed	
  from	
  a	
  user	
  that	
  the	
  website	
  trusts.	
  
Cross-­‐site	
  Request	
  
Forgery	
  
(CSRF)	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
Nonces	
  
AcLon,	
  object,	
  &	
  user	
  specific	
  Lme-­‐
limited	
  secret	
  keys	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
<?php
if ( isset( $_POST['email'] ) ) {
//process form data
}
?>
<form method="post">
<input type="text" name="email /><br />
<input type="submit" name="submit" value="Submit" />
</form>
Example	
  
There	
  is	
  no	
  way	
  to	
  know	
  where	
  $_POST[‘email’]	
  is	
  being	
  posted	
  from	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
<form method="post">
<?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
<input type="text" name="email" /><br />
<input type="submit" name="submit" value="Submit" />
</form>
wp_nonce_field()
<form method="post">
<input type="hidden" id="bw_newsletter" name="bw_newsletter" value="287de957e8" />
<input type="hidden" name="_wp_http_referer" value="/x/sample-page/" />
<input type="text" name="email" /><br />
<input type="submit" name="submit" value="Submit" />
</form>
View	
  Source:	
  
Form	
  Code:	
  
hYp://codex.wordpress.org/FuncLon_Reference/wp_nonce_field	
  
wp_nonce_field( $action, $name, $referer, $echo );
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
if ( isset( $_POST['email'] ) ) {
check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
//process form data
}
check_admin_referer()
Processing	
  Code:	
  
check_admin_referer( $action, $query_arg );
hYp://codex.wordpress.org/FuncLon_Reference/check_admin_referer	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
<?php
if ( isset( $_POST['email'] ) ) {
check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
//process form data
}
?>
<form method="post">
<?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?>
<input type="text" name="email" /><br />
<input type="submit" name="submit" value="Submit" />
</form>
Fixed	
  Example	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
$url = 'http://example.com/wp-admin/?ID=5';
$url = wp_nonce_url( $url, 'bw_process_email_action', 'bw_newsletter' );
wp_nonce_url()
http://example.com/wp-admin/?ID=5&bw_newsletter=287de957e8
New	
  URL:	
  
URL	
  Code:	
  
hYp://codex.wordpress.org/FuncLon_Reference/wp_nonce_url	
  
wp_nonce_url( $actionurl, $action, $name );
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
if ( isset( $_GET[ID'] ) ) {
check_admin_referer( 'bw_process_email_action', 'bw_newsletter' );
//process data
}
wp_nonce_url()
Processing	
  Code:	
  
hYp://codex.wordpress.org/FuncLon_Reference/check_admin_referer	
  
CROSS-SITE REQUEST FORGERY - CSRF
Brad Williams
@williamsba
Nonces	
  
Specific	
  to	
  
• WordPress	
  User	
  
• AcLon	
  AYempted	
  
• Object	
  of	
  aYempted	
  acLon	
  
• Time	
  Window	
  
RESOURCES
Brad Williams
@williamsba
•  Security	
  ArLcles	
  
•  hYp://codex.wordpress.org/Data_ValidaLon	
  
•  hYp://codex.wordpress.org/ValidaLng_SaniLzing_and_Escaping_User_Data	
  
•  hYp://wp.tutsplus.com/tutorials/7-­‐simple-­‐rules-­‐wordpress-­‐plugin-­‐development-­‐best-­‐
pracLces/	
  
•  hYp://wpengine.com/2013/05/brad-­‐williams-­‐on-­‐secure-­‐wordpress-­‐development/	
  
•  Security	
  PresentaLons	
  
•  hYp://wordpress.tv/2013/08/09/mike-­‐adams-­‐three-­‐security-­‐issues-­‐you-­‐thought-­‐youd-­‐fixed/	
  
•  hYp://wordpress.tv/2013/09/26/brennen-­‐byrne-­‐employing-­‐best-­‐security-­‐pracLces-­‐for-­‐
wordpress-­‐sites-­‐3/	
  
•  hYp://wordpress.tv/2011/01/29/mark-­‐jaquith-­‐theme-­‐plugin-­‐security/	
  
	
  
DRADCAST PLUG
Brad Williams
@williamsba
Listen	
  to	
  the	
  DradCast	
  WordPress	
  Podcast	
  
	
  
	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  	
  LIVE	
  every	
  Wednesday	
  @	
  8pm	
  EDT	
  
	
  
DradCast.com	
  
RESOURCES
Brad Williams
@williamsba
#wceu after party
Drink	
  Time!	
  
CONTACT BRAD
Brad Williams
@williamsba
Brad	
  Williams	
  
brad@webdevstudios.com	
  
	
  
Blog:	
  	
  strangework.com	
  
TwiYer:	
  @williamsba	
  
	
  
	
  
Professional	
  WordPress	
  
Second	
  EdiLon	
  is	
  OUT!	
  
hYp://bit.ly/prowp2	
  

Contenu connexe

Similaire à Writing Secure WordPress Code

Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Brad Williams
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Mark Jaquith
 
Designer's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerDesigner's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerKaren Lopez
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011John Ford
 
Laravel Security Standards
Laravel Security Standards Laravel Security Standards
Laravel Security Standards Singsys Pte Ltd
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
You're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaYou're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaChris Scott
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...Karen Lopez
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror StoriesSimon Willison
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 

Similaire à Writing Secure WordPress Code (20)

Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
 
Brakeman
BrakemanBrakeman
Brakeman
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008Secure Coding with WordPress - WordCamp SF 2008
Secure Coding with WordPress - WordCamp SF 2008
 
Designer's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServerDesigner's Favorite New Features in SQLServer
Designer's Favorite New Features in SQLServer
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
 
Laravel Security Standards
Laravel Security Standards Laravel Security Standards
Laravel Security Standards
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
You're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp AtlantaYou're Doing it Wrong - WordCamp Atlanta
You're Doing it Wrong - WordCamp Atlanta
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Drupal Security
Drupal SecurityDrupal Security
Drupal Security
 

Plus de Brad Williams

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015Brad Williams
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyBrad Williams
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressBrad Williams
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application FrameworkBrad Williams
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Brad Williams
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012Brad Williams
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for BeginnersBrad Williams
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress PluginBrad Williams
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesBrad Williams
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPBrad Williams
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityBrad Williams
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressBrad Williams
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfBrad Williams
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceBrad Williams
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 

Plus de Brad Williams (20)

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to Agency
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPress
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application Framework
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for Beginners
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WP
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPress
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts  for a Successful Online PresenceWebsite Design Dos and Don’ts  for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009
 

Dernier

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Dernier (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Writing Secure WordPress Code

  • 1. WRITING SECURE WORDPRESS CODE BY  BRAD  WILLIAMS   Brad Williams @williamsba
  • 2. WHO IS BRAD? Brad Williams @williamsba Brad  Williams     Co-­‐Founder  WebDevStudios.com       Co-­‐Author  Professional  WordPress      &  Professional  WordPress        Plugin  Development       Co-­‐Organizer  WordCamp  Philly       Co-­‐Host  DradCast  
  • 3. TODAY’S TOPICS Brad Williams @williamsba   • Cover  the  big  three  exploits   •  SQL  InjecLon  -­‐  SQLi   •  Cross-­‐Site  ScripLng  -­‐  XSS   •  Cross-­‐Site  Request  Forgery  –  CSRF   • Hack  Examples   • Data  ValidaLon  and  SaniLzaLon   • Resources  
  • 4. TRUST NO ONE Brad Williams @williamsba Golden  Rule  of  Code   Trust  No  One  
  • 5. TRUST NO ONE Brad Williams @williamsba Consider  all  data  invalid   unless  it  can  be  proven  valid  
  • 6. SQL INJECTION - SQLI Brad Williams @williamsba SQL  InjecLon  (SQLi)  
  • 7. SQL INJECTION - SQLI Brad Williams @williamsba SQL  injec*on  is  a  code  injecLon  technique,   used  to  aYack  data  driven  applicaLons,  in   which  malicious  SQL  statements  are   inserted  into  an  entry  field  for  execuLon  
  • 8. SQL INJECTION - SQLI Brad Williams @williamsba SQL  InjecLon  Example     global $wpdb; $ID = $_GET['ID']; $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';"; SELECT  post_Ltle  FROM  wp_posts  WHERE  ID  =  '5';  
  • 9. SQL INJECTION - SQLI Brad Williams @williamsba SQL  InjecLon  Example     SELECT  post_Ltle  FROM  wp_posts  WHERE  ID  =  '';     SELECT  *  FROM  wp_users  WHERE  1  =  '1';   global $wpdb; $ID = "'; SELECT * FROM wp_users WHERE 1 = '1"; $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
  • 10. SQL INJECTION - SQLI Brad Williams @williamsba hYp://www.sitepoint.com/forums/showthread.php?83772-­‐web-­‐site-­‐hacked   My  IntroducLon  to  SQLi  
  • 11. SQL INJECTION - SQLI Brad Williams @williamsba hYp://www.sitepoint.com/forums/showthread.php?83772-­‐web-­‐site-­‐hacked   My  IntroducLon  to  SQLi  
  • 12. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->insert()
  • 13. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->insert( $wpdb->postmeta, array( 'post_id' => '5', 'meta_key' => '_custom_meta_key', 'meta_value' => 'true' ), array( '%d', '%s', '%s' ) ); $wpdb->insert() $wpdb->insert( $table, $data, $format ) Example:  
  • 14. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->update()
  • 15. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->update( $wpdb->postmeta', array( 'meta_value' => 'false' ), array( 'post_id' => 5, 'meta_key' => '_custom_meta_key' ), array( '%s' ), array( '%d', '%s' ) ); $wpdb->update() $wpdb->update( $table, $data, $where, $format, $where_format ) Example:  
  • 16. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->delete()
  • 17. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->delete( $wpdb->posts, array( 'ID' => 5 ), array( '%d' ) ); $wpdb->delete() $wpdb->delete( $table, $where, $where_format ) Example:  
  • 18. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb->prepare()
  • 19. SQL INJECTION - SQLI Brad Williams @williamsba •  Handles  strings  (%s)  and   integers  (%d)   •  Does  the  escaping  for  you   •  No  need  to  quote  %s   $wpdb->prepare( " SELECT post_title FROM $wpdb->posts WHERE ID = %d ", $ID ); $wpdb->prepare()
  • 20. SQL INJECTION - SQLI Brad Williams @williamsba •  Handles  strings  (%s)  and   integers  (%d)   •  Does  the  escaping  for  you   •  No  need  to  quote  %s   $wpdb->prepare( " DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' ); $wpdb->prepare()
  • 21. SQL INJECTION - SQLI Brad Williams @williamsba $wpdb-­‐>prepare()  only  prepares  the  query,  it  does  not  execute  it.   $wpdb->query( $wpdb->prepare( " DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' ) ); $wpdb->prepare() echo $wpdb->prepare( " DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s ", 420, 'Europe' ); To  view  the  fully  prepared  query  simply  echo  it  
  • 22. SQL INJECTION - SQLI Brad Williams @williamsba hYp://xkcd.com/327/   Don’t  be  LiYle  Bobby  Tables  
  • 23. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba Cross-­‐Site  ScripLng     (XSS)  
  • 24. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba   What  is  Cross-­‐Site  ScripLng?     AYacker  injects  client-­‐side  scripts  into  your  web  pages  
  • 25. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba Escaping   To  escape  is  to  take  the  data  you  may   already  have  and  help  secure  it  prior  to   rendering  it  for  the  end  user  
  • 26. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba 1.  esc_  is  the  prefix  for  all  escaping  funcLons   2.  aYr  is  the  context  being  escaped   3.  _e  is  the  opLonal  translaLon  suffix   Props  to  Mark  Jaquith!   Escaping  
  • 27. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <h1><?php echo $title; ?></h1> BAD  
  • 28. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <?php $title = "<script>alert('Hello Europe!');</script>"; ?> <h1><?php echo $title; ?></h1> BAD  
  • 29. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <?php $title = "<script>alert('Hello Europe!');</script>"; ?> <h1><?php echo esc_html( $title ); ?></h1> View  Source:   <h1>&lt;script&gt;alert(&#039;Hello Europe!&#039;);&lt;/script&gt;</h1> GOOD  
  • 30. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <input type="text" name="name" value="<?php echo esc_attr( $text ); ?>" /> esc_attr() Used  whenever  you  need  to  display  data  inside  an  HTML  element   hYp://codex.wordpress.org/FuncLon_Reference/esc_aYr  
  • 31. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <textarea name="bio"> <?php echo esc_textarea( $bio); ?> </textarea> esc_textarea() Used  to  encode  text  for  use  in  a  <textarea>  form  element   hYp://codex.wordpress.org/FuncLon_Reference/esc_textarea  
  • 32. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <a href="<?php echo esc_url( $url); ?>">Link</a> esc_url()  Used  for  validaLng  and  saniLzing  URLs   hYp://codex.wordpress.org/FuncLon_Reference/esc_url  
  • 33. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <?php $url = 'http://wordpress.org'; $response = wp_remote_get( esc_url_raw( $url ) ); ?> esc_url_raw()  Used  for  escaping  a  URL  for  database  queries,  redirects,  and  HTTP  requests   Similar  to  esc_url(),  but  does  not  replace  enLLes  for  display   hYp://codex.wordpress.org/FuncLon_Reference/esc_url_raw  
  • 34. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <script> var bwar='<?php echo esc_js( $text ); ?>'; </script> esc_js()  Used  to  escape  text  strings  in  JavaScript   hYp://codex.wordpress.org/FuncLon_Reference/esc_js  
  • 35. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba Integers  
  • 36. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba $ID = absint( $_GET['ID'] ); absint() Coverts  a  value  to  a  non-­‐negaLve  integer   hYp://codex.wordpress.org/FuncLon_Reference/absint   <input type="text" name="number_posts" value="<?php echo absint( $number ); ?>" />
  • 37. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba $ID = intval( $_GET['ID'] ); intval() Returns  the  integer  value.    Works  with  negaLve  values   hYp://php.net/manual/en/funcLon.intval.php   <input type="text" name="number_posts" value="<?php echo intval( $number ); ?>" />
  • 38. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba SaniLzing   To  saniLze  is  to  take  the  data  and  clean   to  make  safe  
  • 39. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba <?php update_post_meta( 420, '_post_meta_key', $_POST['new_meta_value'] ); ?> BAD  
  • 40. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba sanitize_text_field() SaniLze  a  string   hYp://codex.wordpress.org/FuncLon_Reference/saniLze_text_field   <?php update_post_meta( 34, '_post_meta_key', sanitize_text_field( $_POST['new_meta_value'] ) ); ?>
  • 41. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba sanitize_email() Strip  out  all  characters  not  allowed  in  an  email  address   hYp://codex.wordpress.org/FuncLon_Reference/saniLze_email   <?php update_post_meta( 34, '_email_address', sanitize_email( $_POST['email'] ) ); ?>
  • 42. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba sanitize_user() SaniLze  username  stripping  out  unsafe  characters   hYp://codex.wordpress.org/FuncLon_Reference/saniLze_user   <?php update_post_meta( 34, '_custom_username', sanitize_user( $_POST['username'] ) ); ?>
  • 43. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba wp_kses() Filters  content  and  keeps  only  allowable  HTML  elements.   hYp://codex.wordpress.org/FuncLon_Reference/wp_kses   <a  href="#">link</a>.  This  is  bold  and  <strong>strong</strong>  
  • 44. CROSS-SITE SCRIPTING - XSS Brad Williams @williamsba wp_kses_post() Filters  post  content  and  keeps  only  allowable  HTML  elements.   hYp://codex.wordpress.org/FuncLon_Reference/wp_kses_post   HTML  tags  allowed  to  be  put  into  Posts  by  non-­‐admin  users  
  • 45. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba Cross-­‐site  Request   Forgery   (CSRF)  
  • 46. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba Exploit  of  a  website  whereby  unauthorized  commands   are  transmiYed  from  a  user  that  the  website  trusts.   Cross-­‐site  Request   Forgery   (CSRF)  
  • 47. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba Nonces   AcLon,  object,  &  user  specific  Lme-­‐ limited  secret  keys  
  • 48. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba <?php if ( isset( $_POST['email'] ) ) { //process form data } ?> <form method="post"> <input type="text" name="email /><br /> <input type="submit" name="submit" value="Submit" /> </form> Example   There  is  no  way  to  know  where  $_POST[‘email’]  is  being  posted  from  
  • 49. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba <form method="post"> <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?> <input type="text" name="email" /><br /> <input type="submit" name="submit" value="Submit" /> </form> wp_nonce_field() <form method="post"> <input type="hidden" id="bw_newsletter" name="bw_newsletter" value="287de957e8" /> <input type="hidden" name="_wp_http_referer" value="/x/sample-page/" /> <input type="text" name="email" /><br /> <input type="submit" name="submit" value="Submit" /> </form> View  Source:   Form  Code:   hYp://codex.wordpress.org/FuncLon_Reference/wp_nonce_field   wp_nonce_field( $action, $name, $referer, $echo );
  • 50. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba if ( isset( $_POST['email'] ) ) { check_admin_referer( 'bw_process_email_action', 'bw_newsletter' ); //process form data } check_admin_referer() Processing  Code:   check_admin_referer( $action, $query_arg ); hYp://codex.wordpress.org/FuncLon_Reference/check_admin_referer  
  • 51. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba <?php if ( isset( $_POST['email'] ) ) { check_admin_referer( 'bw_process_email_action', 'bw_newsletter' ); //process form data } ?> <form method="post"> <?php wp_nonce_field( 'bw_process_email_action', 'bw_newsletter' ); ?> <input type="text" name="email" /><br /> <input type="submit" name="submit" value="Submit" /> </form> Fixed  Example  
  • 52. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba $url = 'http://example.com/wp-admin/?ID=5'; $url = wp_nonce_url( $url, 'bw_process_email_action', 'bw_newsletter' ); wp_nonce_url() http://example.com/wp-admin/?ID=5&bw_newsletter=287de957e8 New  URL:   URL  Code:   hYp://codex.wordpress.org/FuncLon_Reference/wp_nonce_url   wp_nonce_url( $actionurl, $action, $name );
  • 53. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba if ( isset( $_GET[ID'] ) ) { check_admin_referer( 'bw_process_email_action', 'bw_newsletter' ); //process data } wp_nonce_url() Processing  Code:   hYp://codex.wordpress.org/FuncLon_Reference/check_admin_referer  
  • 54. CROSS-SITE REQUEST FORGERY - CSRF Brad Williams @williamsba Nonces   Specific  to   • WordPress  User   • AcLon  AYempted   • Object  of  aYempted  acLon   • Time  Window  
  • 55. RESOURCES Brad Williams @williamsba •  Security  ArLcles   •  hYp://codex.wordpress.org/Data_ValidaLon   •  hYp://codex.wordpress.org/ValidaLng_SaniLzing_and_Escaping_User_Data   •  hYp://wp.tutsplus.com/tutorials/7-­‐simple-­‐rules-­‐wordpress-­‐plugin-­‐development-­‐best-­‐ pracLces/   •  hYp://wpengine.com/2013/05/brad-­‐williams-­‐on-­‐secure-­‐wordpress-­‐development/   •  Security  PresentaLons   •  hYp://wordpress.tv/2013/08/09/mike-­‐adams-­‐three-­‐security-­‐issues-­‐you-­‐thought-­‐youd-­‐fixed/   •  hYp://wordpress.tv/2013/09/26/brennen-­‐byrne-­‐employing-­‐best-­‐security-­‐pracLces-­‐for-­‐ wordpress-­‐sites-­‐3/   •  hYp://wordpress.tv/2011/01/29/mark-­‐jaquith-­‐theme-­‐plugin-­‐security/    
  • 56. DRADCAST PLUG Brad Williams @williamsba Listen  to  the  DradCast  WordPress  Podcast                                            LIVE  every  Wednesday  @  8pm  EDT     DradCast.com  
  • 58. CONTACT BRAD Brad Williams @williamsba Brad  Williams   brad@webdevstudios.com     Blog:    strangework.com   TwiYer:  @williamsba       Professional  WordPress   Second  EdiLon  is  OUT!   hYp://bit.ly/prowp2