Page 1: Secure Coding with WordPress - WordCamp SF 2008

Secure Coding with WordPress

Mark Jaquith, markjaquith.com

Page 2: Secure Coding with WordPress - WordCamp SF 2008

Secure Coding with WordPress

Mark Jaquith, markjaquith.com

<?php $title = '" onmouseover="pwnage();'; ?>
<a href="#wordcamp" title="<?php echo $title ?>">link</a>

Page 3: Secure Coding with WordPress - WordCamp SF 2008

$ sudo wp-plugin

Page 4: Secure Coding with WordPress - WordCamp SF 2008

That thing that the Uncle dude told the Spiderman dude

Page 5: Secure Coding with WordPress - WordCamp SF 2008

XSS

CSRF

SQL injection

privilege escalation

Page 6: Secure Coding with WordPress - WordCamp SF 2008

SQL Injection

Page 7: Secure Coding with WordPress - WordCamp SF 2008

I CAN HAZ REFUND?

Page 8: Secure Coding with WordPress - WordCamp SF 2008

<?php $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?>

Page 9: Secure Coding with WordPress - WordCamp SF 2008

<?php
$newtitle = $wpdb->escape( $newtitle );
$my_id = absint( $my_id );
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>

Page 10: Secure Coding with WordPress - WordCamp SF 2008

$wpdb->update( )

Page 11: Secure Coding with WordPress - WordCamp SF 2008

<?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) ); ?>

Page 12: Secure Coding with WordPress - WordCamp SF 2008

$wpdb->insert( )

Page 13: Secure Coding with WordPress - WordCamp SF 2008

<?php $wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) ); ?>

Page 14: Secure Coding with WordPress - WordCamp SF 2008

<?php
$wpdb->update(
	$wpdb->posts,
	array( 'post_title' => $newtitle, 'post_content' => $newcontent ),
	array( 'ID' => $my_id, 'post_title' => $old_title )
);
?>

Page 15: Secure Coding with WordPress - WordCamp SF 2008

<?php
$post_title = 'New Title';
$wheres['ID'] = 123;
$wheres['post_title'] = 'Old Title';
$wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres );
?>

Page 16: Secure Coding with WordPress - WordCamp SF 2008

$wpdb->prepare( )

Page 17: Secure Coding with WordPress - WordCamp SF 2008

<?php
$title = 'Post Title';
$ID = 123;
$content = $wpdb->get_var( $wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID ) );
?>

Page 18: Secure Coding with WordPress - WordCamp SF 2008

• Uses sprintf() formatting

• %s for strings

• %d for integers

• You should not quote or escape
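The three styles the preceding slides show, side by side in one plugin helper. This is an added example, not code from the talk; it assumes it runs inside WordPress (global $wpdb, absint()), and the wcsf_* function names are invented. Note that $wpdb->escape() was later deprecated in favour of esc_sql(), and that the placeholders handed to $wpdb->prepare() must not be wrapped in quotes: prepare() adds the quoting itself.

```php
<?php
// Added example, not from the slides. One operation ("rename post") written
// three ways, plus a prepared read. Assumes WordPress is loaded.

// 1. Vulnerable: both values are interpolated raw. A title containing a single
//    quote ends the string literal early, and $my_id is never forced to be a
//    number, so either one can rewrite the rest of the statement.
function wcsf_rename_post_unsafe( $my_id, $newtitle ) {
	global $wpdb;
	$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
}

// 2. Hand-escaped (slide 9): escape the string, cast the ID, then interpolate.
//    Correct, but every call site has to remember both steps every time.
function wcsf_rename_post_escaped( $my_id, $newtitle ) {
	global $wpdb;
	$newtitle = $wpdb->escape( $newtitle );
	$my_id    = absint( $my_id );
	$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
}

// 3. Preferred (slide 11): $wpdb->update() quotes and escapes every value in
//    both the SET and the WHERE arrays, so the caller passes raw values.
//    Returns the number of affected rows, or false on error.
function wcsf_rename_post( $my_id, $newtitle ) {
	global $wpdb;
	return $wpdb->update(
		$wpdb->posts,
		array( 'post_title' => $newtitle ),  // SET  column => raw value
		array( 'ID' => absint( $my_id ) )    // WHERE column => raw value
	);
}

// Reads go through $wpdb->prepare() (slide 17): %s and %d are placeholders,
// the values follow as extra arguments in order. Writing '%s' with quotes
// around it would produce a doubly quoted, broken query.
function wcsf_get_content( $my_id, $title ) {
	global $wpdb;
	return $wpdb->get_var( $wpdb->prepare(
		"SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d",
		$title,            // bound to %s: escaped and quoted by prepare()
		absint( $my_id )   // bound to %d: cast to an integer by prepare()
	) );
}
```

The first function is the "before" from slide 8 and is only here for contrast; a plugin should ship the third form (or prepare()) and nothing else.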

Page 19: Secure Coding with WordPress - WordCamp SF 2008

Escape late

Page 20: Secure Coding with WordPress - WordCamp SF 2008

XSS

Page 21: Secure Coding with WordPress - WordCamp SF 2008

<h1><?php echo $title; ?></h1>

Page 22: Secure Coding with WordPress - WordCamp SF 2008

<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo $title; ?></h1>

Page 23: Secure Coding with WordPress - WordCamp SF 2008

Anything that isn't hardcoded is suspect

Page 24: Secure Coding with WordPress - WordCamp SF 2008

Better: Everything is suspect

Page 25: Secure Coding with WordPress - WordCamp SF 2008

wp_specialchars( )

Page 26: Secure Coding with WordPress - WordCamp SF 2008

<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo wp_specialchars( $title ); ?></h1>

Page 27: Secure Coding with WordPress - WordCamp SF 2008

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo wp_specialchars( $title ); ?>">Link Text</a>

Page 28: Secure Coding with WordPress - WordCamp SF 2008

attribute_escape( )

Page 29: Secure Coding with WordPress - WordCamp SF 2008

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo attribute_escape( $title ); ?>">Link Text</a>

Page 30: Secure Coding with WordPress - WordCamp SF 2008

<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo attribute_escape( $url ); ?>">Link Text</a>

Page 31: Secure Coding with WordPress - WordCamp SF 2008

clean_url( )

Page 32: Secure Coding with WordPress - WordCamp SF 2008

<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>

Page 33: Secure Coding with WordPress - WordCamp SF 2008

sanitize_url( ), sister of clean_url( )

Page 34: Secure Coding with WordPress - WordCamp SF 2008

js_escape( )
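The four output contexts from slides 25 through 34 in one template, each with the escaping function that fits it. This is an added example, not code from the talk; the two hostile values are constructed for illustration and the template assumes WordPress is loaded. The function names are the 2008 ones used in the slides; WordPress 2.8 later introduced esc_html(), esc_attr(), esc_url() and esc_js() as their replacements, and the older names became aliases.

```php
<?php
// Added example, not from the slides. $title and $url stand in for user input;
// the values below are constructed so that the wrong escaper visibly fails.
$title = '" onmouseover="pwnd();';   // constructed: breaks out of an attribute
$url   = 'javascript:pwnage();';      // constructed: dangerous URL scheme
?>

<!-- 1. HTML text node: < > & become entities, so the browser shows them instead
        of parsing them. wp_specialchars() with its default arguments leaves
        double quotes alone, which is enough here. -->
<h1><?php echo wp_specialchars( $title ); ?></h1>

<!-- 2. HTML attribute value: the double quote is the delimiter, so it must be
        encoded too. attribute_escape() converts both quote characters, which is
        why slide 27 (wp_specialchars) still broke out and slide 29 did not. -->
<a href="#wordcamp" title="<?php echo attribute_escape( $title ); ?>">Link Text</a>

<!-- 3. URL: attribute_escape() leaves "javascript:" intact because nothing in it
        needs entity encoding. clean_url() checks the scheme against the allowed
        list (http, https, ftp, mailto, ...) and strips characters that cannot
        occur in a URL, returning an empty string for a disallowed scheme. -->
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>

<!-- 4. JavaScript string literal: js_escape() escapes quotes and newlines for a
        single-quoted JS string. The surrounding quotes are still the template's
        job; the function does not add them. -->
<script type="text/javascript">
var postTitle = '<?php echo js_escape( $title ); ?>';
</script>
```

The rule the slides build up to is that the escaping function is chosen by where the value is going, not by where it came from, and that the choice is made at the last moment before output.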

Page 35: Secure Coding with WordPress - WordCamp SF 2008

CSRF

Page 36: Secure Coding with WordPress - WordCamp SF 2008

Authorization vs. Intention

Page 37: Secure Coding with WordPress - WordCamp SF 2008
Page 38: Secure Coding with WordPress - WordCamp SF 2008

Nonces

Page 39: Secure Coding with WordPress - WordCamp SF 2008
Page 40: Secure Coding with WordPress - WordCamp SF 2008

Number used once

Page 41: Secure Coding with WordPress - WordCamp SF 2008

Specific to

• WordPress user

• Action attempted

• Object of attempted action

• Time window

Page 42: Secure Coding with WordPress - WordCamp SF 2008

wp_nonce_field( )

Page 43: Secure Coding with WordPress - WordCamp SF 2008

<form action="process.php" method="post">
<?php wp_nonce_field('plugin-action_object'); ?>
...
</form>

Page 44: Secure Coding with WordPress - WordCamp SF 2008

check_admin_referer( )

Page 45: Secure Coding with WordPress - WordCamp SF 2008

<?php
// before output goes to browser
check_admin_referer('plugin-action_object');
?>

Page 46: Secure Coding with WordPress - WordCamp SF 2008

Still need to use current_user_can( )
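A form and its handler that put slides 42 through 46 together: the nonce proves intention, the capability check proves authorization, and each is useless without the other. This is an added example, not code from the talk; the wcsf_* names, the option name and the nonce action string are invented, and the code assumes it runs inside the WordPress admin.

```php
<?php
// Added example, not from the slides. A hypothetical plugin that lets an
// administrator delete one of its stored items. Assumes WordPress admin context.

// Output side. The nonce action names both the action and the object
// (slide 41: user, action, object, time window are all baked into the value),
// so a nonce minted for item 5 does not validate for item 6.
function wcsf_render_delete_form( $item_id ) {
	$item_id = absint( $item_id );
	?>
	<form action="" method="post">
		<?php wp_nonce_field( 'wcsf-delete_item_' . $item_id ); ?>
		<input type="hidden" name="wcsf_action" value="delete_item" />
		<input type="hidden" name="wcsf_item" value="<?php echo attribute_escape( $item_id ); ?>" />
		<input type="submit" value="Delete item" />
	</form>
	<?php
}

// Processing side, hooked before any output because check_admin_referer()
// dies with an error page when the nonce is missing, expired or forged.
function wcsf_handle_delete() {
	if ( empty( $_POST['wcsf_action'] ) || 'delete_item' !== $_POST['wcsf_action'] )
		return;

	$item_id = absint( $_POST['wcsf_item'] );

	// Intention: did this user actually submit this form, for this item,
	// recently? A request forged from another site cannot carry a valid nonce.
	check_admin_referer( 'wcsf-delete_item_' . $item_id );

	// Authorization: is this user allowed to do it at all? The nonce says
	// nothing about that; a subscriber who can reach the form gets a valid one.
	if ( ! current_user_can( 'manage_options' ) )
		wp_die( 'You are not allowed to delete items.' );

	$items = (array) get_option( 'wcsf_items' );   // invented option name
	unset( $items[ $item_id ] );
	update_option( 'wcsf_items', $items );
}
add_action( 'admin_init', 'wcsf_handle_delete' );
```

Dropping either check reintroduces one of the two bugs: without check_admin_referer() an administrator can be tricked into submitting the form from elsewhere (CSRF); without current_user_can() any logged-in user who can load the page can delete items (privilege escalation).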

Page 47: Secure Coding with WordPress - WordCamp SF 2008

AJAX CSRF
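The AJAX variant of the same protection. An XMLHttpRequest does not submit a hidden form field, so the nonce is created with wp_create_nonce(), handed to the page's script, sent along with the request, and checked server-side with check_ajax_referer(). This is an added example, not code from the talk; the wcsf_* names and the action string are invented, and it assumes the WordPress admin.

```php
<?php
// Added example, not from the slides. AJAX nonce round trip for a hypothetical
// "toggle item" action. Assumes WordPress admin context.

// Page side: mint the nonce and the admin-ajax.php URL into JavaScript.
// Both land inside single-quoted JS strings, so they go through js_escape().
function wcsf_print_ajax_vars() {
	$nonce = wp_create_nonce( 'wcsf-ajax_toggle' );
	?>
	<script type="text/javascript">
	var wcsfAjaxUrl = '<?php echo js_escape( admin_url( 'admin-ajax.php' ) ); ?>';
	var wcsfNonce   = '<?php echo js_escape( $nonce ); ?>';
	// The page's script then posts, e.g. with jQuery:
	//   jQuery.post( wcsfAjaxUrl, { action: 'wcsf_toggle', item: 5, _ajax_nonce: wcsfNonce } );
	// admin-ajax.php routes action=wcsf_toggle to the wp_ajax_wcsf_toggle hook.
	</script>
	<?php
}
add_action( 'admin_head', 'wcsf_print_ajax_vars' );

// Server side. check_ajax_referer() reads $_REQUEST['_ajax_nonce'] (or
// _wpnonce), verifies it against the action string, and dies with "-1" on
// failure. As with the form case, it proves intention only; the capability
// check is still required for authorization.
function wcsf_ajax_toggle() {
	check_ajax_referer( 'wcsf-ajax_toggle' );

	if ( ! current_user_can( 'manage_options' ) )
		die( '-1' );

	$item_id = absint( $_POST['item'] );
	$items   = (array) get_option( 'wcsf_items' );   // invented option name
	$items[ $item_id ] = empty( $items[ $item_id ] ) ? 1 : 0;
	update_option( 'wcsf_items', $items );

	die( '1' );   // AJAX handlers end the request explicitly
}
add_action( 'wp_ajax_wcsf_toggle', 'wcsf_ajax_toggle' );
```

Because the nonce is embedded in the page, it is only available to a script running on that page; a third-party site triggering the request from the victim's browser has the cookie but not the nonce.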

Page 48: Secure Coding with WordPress - WordCamp SF 2008

Privilege Escalation

Page 49: Secure Coding with WordPress - WordCamp SF 2008

current_user_can( )
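One detail of current_user_can() that matters for privilege escalation: it accepts meta capabilities that take an object, so the question can be "may this user edit this post" rather than "may this user edit posts". This is an added example, not code from the talk; the wcsf_* name is invented and it assumes WordPress is loaded.

```php
<?php
// Added example, not from the slides. 'edit_post' with a post ID is resolved by
// WordPress's role system to edit_posts, edit_others_posts or
// edit_published_posts depending on who owns the post and its status. A plugin
// that checks the generic 'edit_posts' instead lets a contributor edit anyone's
// post through the plugin, even though the normal editor would refuse.
function wcsf_update_title( $post_id, $newtitle ) {
	$post_id = absint( $post_id );
	if ( ! $post_id )
		return false;

	// Wrong question: "can this user edit posts at all?" Every contributor can.
	// if ( ! current_user_can( 'edit_posts' ) ) return false;

	// Right question: "can this user edit THIS post?"
	if ( ! current_user_can( 'edit_post', $post_id ) )
		return false;

	// wp_update_post() takes raw values; it does its own escaping (escape late).
	return wp_update_post( array( 'ID' => $post_id, 'post_title' => $newtitle ) );
}
```

The same shape applies to 'delete_post', 'read_post' and similar meta capabilities: pass the object, and let WordPress decide which primitive capability that maps to for the current user.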

Page 50: Secure Coding with WordPress - WordCamp SF 2008

Challenges

Page 51: Secure Coding with WordPress - WordCamp SF 2008

Inconsistent naming system

Page 52: Secure Coding with WordPress - WordCamp SF 2008

Security sediment

Page 53: Secure Coding with WordPress - WordCamp SF 2008

Education

Page 54: Secure Coding with WordPress - WordCamp SF 2008

Thank you!