Secure Coding with WordPress - WordCamp SF 2008


Secure Coding with WordPress

Mark Jaquith, markjaquith.com

<?php
$title = '" onmouseover="pwnage();';
?>
<a href="#wordcamp" title="<?php echo $title ?>">link</a>

$ sudo wp-plugin

That thing that the Uncle dude told the Spiderman dude

XSS

CSRF

SQL injection

privilege escalation

SQL Injection

I CAN HAZ REFUND?

<?php
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>

<?php
$newtitle = $wpdb->escape( $newtitle );
$my_id = absint( $my_id );

$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>

$wpdb->update( )

<?php
$wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
?>

$wpdb->insert( )

<?php
$wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) );
?>

<?php
$wpdb->update(
	$wpdb->posts,
	array( 'post_title' => $newtitle, 'post_content' => $newcontent ),
	array( 'ID' => $my_id, 'post_title' => $old_title )
);
?>

<?php
$post_title = 'New Title';
$wheres['ID'] = 123;
$wheres['post_title'] = 'Old Title';
$wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres );
?>

$wpdb->prepare( )

<?php
$title = 'Post Title';
$ID = 123;
$content = $wpdb->get_var( $wpdb->prepare(
	"SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d",
	$title, $ID
) );
?>

• Uses sprintf() formatting

• %s for strings

• %d for integers

• You should not quote or escape the values yourself; prepare( ) does both
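The three safe patterns from the slides above, combined in one admin-side handler that takes untrusted request input and renames a post. This is an added example, not code from the talk or from WordPress itself; it assumes it runs inside WordPress (for instance in a plugin file) so that $wpdb, absint() and the rest exist. The function name wcsf_rename_post() and the request field names post_id and new_title are hypothetical.

```php
<?php
/*
 * Added example (not from the slides). Assumes a WordPress environment.
 * wcsf_rename_post(), $_POST['post_id'] and $_POST['new_title'] are
 * hypothetical names chosen for the example.
 */
function wcsf_rename_post() {
	global $wpdb;

	// Untrusted input straight from the request. Nothing here is trusted yet.
	$my_id    = isset( $_POST['post_id'] )   ? $_POST['post_id']   : 0;
	$newtitle = isset( $_POST['new_title'] ) ? $_POST['new_title'] : '';

	// Pattern 1: force the type. absint() turns "123 OR 1=1" into 123 and
	// anything non-numeric into 0, so the ID can never carry SQL.
	$my_id = absint( $my_id );
	if ( 0 === $my_id ) {
		return false;
	}

	// Pattern 2: $wpdb->prepare() for a hand-written query. %d and %s are the
	// placeholders; prepare() escapes AND quotes the value for %s, so it is
	// written as %s, not '%s'. A title like  ' OR 1=1 --  ends up as a
	// harmless quoted literal in the final SQL.
	$exists = $wpdb->get_var( $wpdb->prepare(
		"SELECT ID FROM $wpdb->posts WHERE ID = %d AND post_type = %s",
		$my_id, 'post'
	) );
	if ( null === $exists ) {
		return false;
	}

	// Pattern 3: $wpdb->update() for the write. The column => value arrays
	// are escaped by the method itself, so the raw title is passed through
	// unescaped (escape late, and only once).
	$rows = $wpdb->update(
		$wpdb->posts,
		array( 'post_title' => $newtitle ),   // SET
		array( 'ID' => $my_id )               // WHERE
	);

	return false !== $rows;
}
```

Whether the current user is allowed to rename this post at all, and whether they actually intended to, are separate checks (current_user_can( ) and nonces, covered later in the deck); the SQL layer only guarantees that the values cannot change the shape of the query.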

Escape late

XSS

<h1><?php echo $title;?></h1>

<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo $title; ?></h1>

Anything that isn't hardcoded is suspect

Better:Everything is suspect

wp_specialchars( )

<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo wp_specialchars( $title ); ?></h1>

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo wp_specialchars( $title ); ?>">Link Text</a>

attribute_escape( )

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo attribute_escape( $title ); ?>">Link Text</a>

<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo attribute_escape( $url ); ?>">Link Text</a>

clean_url( )

<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>

sanitize_url( ), sister of clean_url( )

js_escape( )
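One template fragment that outputs untrusted values in the four contexts the slides just walked through, each with the escaping function the deck names for that context. This is an added example, not from the talk; it assumes it runs inside WordPress so the helpers exist. The attacker-style strings are the deck's own test payloads, and $label is a constructed value. (Since WordPress 2.8 these functions are aliases of esc_html(), esc_attr(), esc_url() and esc_js(); the behaviour shown is the same.)

```php
<?php
/*
 * Added example (not from the slides). Assumes a WordPress environment.
 * The values below are constructed test inputs, as if they had come from
 * a form field or the database.
 */
$title = '<script> pwnage(); </script>';
$attr  = '" onmouseover="pwnd();';
$url   = 'javascript:pwnage();';
$label = "Bob's \"link\"";
?>

<!-- HTML body text: wp_specialchars() turns < > & " into entities, so the
     script tag is displayed as text instead of being executed. -->
<h1><?php echo wp_specialchars( $title ); ?></h1>

<!-- Attribute value: attribute_escape() also encodes the double quote that
     would otherwise close the attribute and let onmouseover= start a new one. -->
<a href="#wordcamp" title="<?php echo attribute_escape( $attr ); ?>">Link Text</a>

<!-- href: clean_url() returns an empty string for a URL whose protocol is
     not on its allowed list (http, https, ftp, mailto, ...), so javascript:
     never reaches the browser. Encoding alone would not have helped here:
     the string has no special characters to encode. -->
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>

<!-- Inline JavaScript single-quoted string: js_escape() backslash-escapes
     quotes and line breaks so the value cannot end the string literal early. -->
<script type="text/javascript">
	var linkLabel = '<?php echo js_escape( $label ); ?>';
</script>
```

The point to take from the four calls is that the right function is chosen by where the value lands in the output, not by where it came from: the same $title would need attribute_escape( ) inside a title="" attribute and js_escape( ) inside a script block.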

CSRF

Authorization vs. Intention

Nonces

Number used once

Specific to

• WordPress user

• Action attempted

• Object of attempted action

• Time window

wp_nonce_field( )

<form action="process.php" method="post">
<?php wp_nonce_field( 'plugin-action_object' ); ?>
...
</form>

check_admin_referer( )

<?php
// before output goes to browser
check_admin_referer( 'plugin-action_object' );
?>

Still need to use current_user_can( )

AJAX CSRF

Privilege Escalation

current_user_can( )
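The nonce and capability pattern from the last few slides (wp_nonce_field( ), check_admin_referer( ), current_user_can( )) applied to one admin action, with the AJAX variant alongside. This is an added example, not code from the talk or from WordPress; it assumes it runs inside WordPress as a plugin. The action name wcsf-delete-widget, the function names, the option name wcsf_widgets and the choice of the manage_options capability are all hypothetical.

```php
<?php
/*
 * Added example (not from the slides). Assumes a WordPress plugin context.
 * Every wcsf_* name, the action string and the option name are hypothetical.
 */

// 1. Output the form. The nonce field ties this form to the current user,
//    to the action, to the object (this widget id) and to a time window, so
//    a request forged from another site cannot carry a valid one.
function wcsf_delete_widget_form( $widget_id ) {
	$widget_id = absint( $widget_id );
	$action    = 'wcsf-delete-widget_' . $widget_id;
	?>
	<form action="<?php echo attribute_escape( $_SERVER['REQUEST_URI'] ); ?>" method="post">
		<?php wp_nonce_field( $action ); ?>
		<input type="hidden" name="widget_id" value="<?php echo $widget_id; ?>" />
		<input type="submit" name="wcsf_delete_widget" value="Delete widget" />
	</form>
	<script type="text/javascript">
		// Same nonce for the AJAX path; the script sends it as _ajax_nonce.
		var wcsfNonce = '<?php echo js_escape( wp_create_nonce( $action ) ); ?>';
	</script>
	<?php
}

// 2. Handle the submission before any output. check_admin_referer() proves
//    intention (the user really submitted this form just now);
//    current_user_can() proves authorization (the user may do this at all).
//    Both are needed: a valid nonce alone would not stop a logged-in
//    subscriber who builds the form by hand.
function wcsf_handle_delete_widget() {
	if ( ! isset( $_POST['wcsf_delete_widget'] ) ) {
		return;
	}
	$widget_id = absint( $_POST['widget_id'] );

	check_admin_referer( 'wcsf-delete-widget_' . $widget_id ); // dies on failure

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to delete widgets.' );
	}

	wcsf_delete_widget( $widget_id );
}
add_action( 'admin_init', 'wcsf_handle_delete_widget' );

// 3. AJAX variant: the nonce arrives in the request as _ajax_nonce and
//    check_ajax_referer() verifies it; the capability check is unchanged.
function wcsf_ajax_delete_widget() {
	$widget_id = absint( $_POST['widget_id'] );

	check_ajax_referer( 'wcsf-delete-widget_' . $widget_id ); // dies with -1 on failure

	if ( ! current_user_can( 'manage_options' ) ) {
		die( '-1' );
	}

	wcsf_delete_widget( $widget_id );
	die( '1' );
}
add_action( 'wp_ajax_wcsf_delete_widget', 'wcsf_ajax_delete_widget' );

// Hypothetical worker: the actual deletion, kept in an option for the example.
function wcsf_delete_widget( $widget_id ) {
	$widgets = get_option( 'wcsf_widgets', array() );
	unset( $widgets[ $widget_id ] );
	update_option( 'wcsf_widgets', $widgets );
}
```

The order inside the handlers is deliberate: normalise the id, verify the nonce for that exact object, then check the capability, and only then touch data. Removing any one of the three steps reopens one of the deck's three problems (SQL shape, CSRF, or privilege escalation).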

Challenges

Inconsistent naming system

Security sediment

Education

Thank you!