Writing Secure Code for WordPress
WordCamp Toronto 2015

Shawn Hooper
Chief Technology Officer, Actionable Books
@shawnhooper - shawnhooper.ca
Hi!
• I’m Shawn Hooper, CTO at Actionable Books. Former Freelance Developer
• GIAC Certified .NET Secure Software Programmer
• Love Auditing Code (I’m Strange)
We’re Under Attack!
We are going to look at a couple of different types of attacks and how to avoid them:

* SQL Injection
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Unvalidated Redirects and Forwards
Injection Attacks
On the Open Web Application Security Project (OWASP) Top Ten List
SQL Injection Attacks
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
- Wikipedia

Without protecting against injection attacks, what would happen if a login form allowed this:

' OR '1'='1' --

SELECT * FROM wp_users WHERE user_pass = '' OR '1'='1' --'

'; DROP TABLE wp_users; --

SELECT * FROM wp_users WHERE user_pass = ''; DROP TABLE wp_users; --
Cross Site Scripting (XSS)
On the Open Web Application Security Project (OWASP) Top Ten List
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- Wikipedia

Cross Site Scripting can be used to capture a user’s authentication / session cookie and then impersonate them on a trusted website.

Reflected (e.g. delivered by e-mail) vs. Persistent (e.g. returned by the DB in a forum)
Cross Site Request Forgery
On the Open Web Application Security Project (OWASP) Top Ten List
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- Wikipedia

An example of a simple CSRF attack would be getting you to visit a link that would change your password to something the attacker knows.
Unvalidated Forwards & Redirects
On the Open Web Application Security Project (OWASP) Top Ten List
Could allow code in your website to forward the user to a malicious (ex: phishing) website.
Scared Yet?
Let’s figure out how to stop all this stuff from happening…

Sanitization & Validation

Output Validation and Sanitization
Validation
* Are values of the correct type?
* Are values in range?
Is an input supposed to be an integer?

intval( $_POST['quantity'] )

or

absint( $_POST['quantity'] )
Is it in range?

$quantity = absint( $_POST['quantity'] );

if ( $quantity > 10 ) {
    die( 'Quantity Out of Range' );
}
Should it be an e-mail address?

$email = is_email( $_POST['email'] );

Returns false if invalid (and the address itself when valid).
Sanitization
Should it be an e-mail address?

$email = sanitize_email( $_POST['email'] );

Removes characters that are not valid in an e-mail address.
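The validation and sanitization functions above, combined into one form handler. This is an added example, not code from the slides; it assumes it runs inside WordPress (for example in a plugin), and the field names and the 10-item limit are illustrative.

```php
<?php
// Added example (not from the slides): validating and sanitizing a small
// order form. Assumes WordPress is loaded; 'quantity', 'email' and 'note'
// are hypothetical form fields.

function wct_validate_order_form( array $input ) {
	$errors = new WP_Error();

	// Type: absint() returns a non-negative integer (intval() would also
	// accept negatives). Non-numeric input becomes 0, so 0 means "invalid".
	$quantity = isset( $input['quantity'] ) ? absint( $input['quantity'] ) : 0;
	if ( 0 === $quantity ) {
		$errors->add( 'quantity', 'Quantity is required and must be a whole number.' );
	} elseif ( $quantity > 10 ) {
		// Range: the business rule from the slides.
		$errors->add( 'quantity', 'Quantity out of range (max 10).' );
	}

	// Validate before sanitizing: is_email() returns false for a bad address,
	// whereas sanitize_email() silently strips characters and could turn
	// garbage into something that merely looks valid.
	$email = false;
	if ( isset( $input['email'] ) && is_string( $input['email'] ) ) {
		$email = is_email( wp_unslash( $input['email'] ) );
	}
	if ( false === $email ) {
		$errors->add( 'email', 'A valid e-mail address is required.' );
	} else {
		$email = sanitize_email( $email );
	}

	// Free text: sanitize_text_field() strips tags, invalid octets and line
	// breaks and trims whitespace. The length limit is still our own check.
	$note = '';
	if ( isset( $input['note'] ) && is_string( $input['note'] ) ) {
		$note = sanitize_text_field( wp_unslash( $input['note'] ) );
	}
	if ( strlen( $note ) > 500 ) {
		$errors->add( 'note', 'Note is too long (max 500 characters).' );
	}

	if ( $errors->get_error_codes() ) {
		return $errors;
	}

	return array(
		'quantity' => $quantity,
		'email'    => $email,
		'note'     => $note,
	);
}

// Handler: refuse the request rather than trusting raw $_POST values.
function wct_handle_order() {
	$result = wct_validate_order_form( $_POST );
	if ( is_wp_error( $result ) ) {
		wp_die(
			esc_html( implode( ' ', $result->get_error_messages() ) ),
			'Invalid input',
			array( 'response' => 400 )
		);
	}
	return $result; // typed, bounded, sanitized values only
}
```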
Escaping Text
esc_html( $string );
esc_html__( $string, $domain );   // translate, then escape

ex:

Hello <?php echo esc_html( $string ); ?> !
esc_attr( $text );
esc_attr__( $text, $domain );

Escaping a string for use in an HTML attribute.

<div data-value="<?php echo esc_attr( $value ); ?>">
esc_js( $text );

Escaping a string for echoing in JavaScript.
Escaping URLs
esc_url( $url );
esc_url_raw( $url );
urlencode( $string );
urlencode_deep( $array );
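The escaping functions above applied to one untrusted value in each output context. This is an added example, not code from the slides; it assumes WordPress is loaded, and the input strings are constructed test values.

```php
<?php
// Added example (not from the slides): one untrusted value, several output
// contexts, each paired with the WordPress escaping function for that context.
// Assumes WordPress is loaded; the inputs below are constructed test values.

function wct_render_profile_card( $display_name, $profile_url, $search_term ) {
	ob_start();
	?>
	<!-- 1. HTML body: esc_html() encodes < > & " ' so markup becomes text -->
	<p>Hello <?php echo esc_html( $display_name ); ?>!</p>

	<!-- 2. Attribute value: esc_attr(), and always quote the attribute; an
	        unquoted attribute can be broken out of with a single space -->
	<div class="card" data-name="<?php echo esc_attr( $display_name ); ?>"></div>

	<!-- 3. href: esc_url() rejects schemes not in wp_allowed_protocols()
	        (javascript: is not in it) and entity-encodes & and ' -->
	<a href="<?php echo esc_url( $profile_url ); ?>">Profile</a>

	<!-- 4. Query-string value: urlencode() the value, then escape the whole URL -->
	<a href="<?php echo esc_url( home_url( '/?s=' . urlencode( $search_term ) ) ); ?>">Search again</a>

	<!-- 5. Inline JavaScript string: esc_js() escapes quotes, backslashes and
	        line breaks and HTML-encodes < > &; it expects single quotes around
	        the value. wp_json_encode() is the choice for whole values/objects. -->
	<script>
		var profileName = '<?php echo esc_js( $display_name ); ?>';
		var profile     = <?php echo wp_json_encode( array( 'name' => $display_name ) ); ?>;
	</script>
	<?php
	return ob_get_clean();
}

// Constructed sample input in the shape of a stored-XSS payload.
$name = '<script>alert(1)</script>" onmouseover="alert(2)';
$url  = 'javascript:alert(3)';
$term = 'cats & "dogs"';

echo wct_render_profile_card( $name, $url, $term );
// esc_html()/esc_attr() turn the tags and quotes into entities, esc_url()
// returns '' for the javascript: URL (an empty href), and the search term
// travels as ?s=cats+%26+%22dogs%22.
```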
Escaping HTML
wp_kses( $fragment, $allowed_html, $protocols );

$allowed_html = array(
    'a' => array(
        'href'  => array(),
        'title' => array()
    ),
    'br'     => array(),
    'em'     => array(),
    'strong' => array()
);
wp_rel_nofollow( $html )

Adds rel="nofollow" to every link in the HTML fragment.
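The wp_kses() whitelist from the slide above, run over constructed input that mixes allowed and disallowed markup, followed by wp_rel_nofollow(). This is an added example, not code from the slides; it assumes WordPress is loaded.

```php
<?php
// Added example (not from the slides): filtering untrusted HTML with the
// wp_kses() whitelist from the slide, then wp_rel_nofollow(). Assumes
// WordPress is loaded; the input string is a constructed test value.

function wct_allowed_comment_html() {
	// Whitelist: any tag or attribute not listed here is removed.
	return array(
		'a'      => array( 'href' => array(), 'title' => array() ),
		'br'     => array(),
		'em'     => array(),
		'strong' => array(),
	);
}

function wct_filter_comment_html( $untrusted ) {
	// Third argument restricts the URL schemes accepted in href; when omitted
	// wp_kses() uses wp_allowed_protocols(), which also excludes javascript:.
	$clean = wp_kses( $untrusted, wct_allowed_comment_html(), array( 'http', 'https' ) );

	// wp_rel_nofollow() is written for the pre-save comment filter: it expects
	// slashed text and returns slashed text, so slash in and unslash out.
	// Run it after wp_kses(), which would otherwise strip the added rel attribute.
	return wp_unslash( wp_rel_nofollow( wp_slash( $clean ) ) );
}

// Constructed input: one acceptable link plus tags and attributes that are
// not on the whitelist.
$input = '<a href="https://example.com/" onclick="alert(1)" title="ok">link</a> '
       . '<strong>bold</strong> <script>alert(2)</script> '
       . '<img src="x" onerror="alert(3)"> '
       . '<a href="javascript:alert(4)">bad</a>';

echo wct_filter_comment_html( $input );
// What happens: onclick is dropped (not an allowed attribute); <script> and
// <img> are removed as tags (the text "alert(2)" remains as plain text); the
// javascript: scheme is stripped from the second href, leaving a harmless
// relative path; rel="nofollow" is added to each remaining <a> that does not
// point at this site's own host.
```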
Database Sanitization
$wpdb Is Your Friend!
$wpdb->insert(
    'table_name',
    array(
        'column1' => 'value1',
        'column2' => 123
    ),
    array(
        '%s',
        '%d'
    )
);
$wpdb->update(
    'table',
    array(
        'column1' => 'value1', // string
        'column2' => 123       // integer (number); a '%d' format casts non-numeric values to 0
    ),
    array( 'ID' => 1 ),
    array(
        '%s', // value1
        '%d'  // value2
    ),
    array( '%d' )
);
$wpdb->delete(
    'table',
    array( 'ID' => 1 ),
    array( '%d' )
);
What about other general queries? Statements that include joins?

$wpdb->query()
Use $wpdb->prepare() to make sure the query is safe:

$wpdb->prepare( SQL code with placeholders, variable 1, variable 2, etc. );
$safeSQL = $wpdb->prepare( "SELECT * FROM mytable WHERE col1 = %s AND col2 = %d", $sParam, $iParam );

$wpdb->query( $safeSQL );

prepare() escapes the value and adds the quotes around %s itself, so the placeholder is written without quotes in the SQL.
Valid placeholders are:

%s for strings
%d for integers
%f for floats
If your query includes a LIKE statement in the WHERE clause, use

$wpdb->esc_like()

to properly escape the %, _ and \ characters, which have special meanings.

Still requires $wpdb->prepare()
$likeValue = 'value_';

$safeSQL = $wpdb->prepare( "SELECT * FROM table WHERE col1 LIKE %s", $wpdb->esc_like( $likeValue ) . '%' );
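The login-style lookup from the injection slides written the vulnerable way and then with $wpdb->prepare(), plus a LIKE search that goes through $wpdb->esc_like(). This is an added example, not code from the slides; it assumes WordPress is loaded, and the custom orders table is hypothetical.

```php
<?php
// Added example (not from the slides): concatenated SQL versus
// $wpdb->prepare(), then a LIKE search with $wpdb->esc_like().
// Assumes WordPress is loaded; the {$wpdb->prefix}orders table is hypothetical.

// VULNERABLE: the value is spliced into the SQL string, so input containing
// a quote (like the  ' OR '1'='1' --  example earlier) rewrites the query.
function wct_find_user_unsafe( $login ) {
	global $wpdb;
	$sql = "SELECT ID FROM {$wpdb->users} WHERE user_login = '" . $login . "'";
	return $wpdb->get_var( $sql );
}

// SAFE: a placeholder in the SQL, the value passed separately. prepare()
// escapes the value and adds the quotes around %s itself, so the placeholder
// is written bare, not as '%s'.
function wct_find_user_safe( $login ) {
	global $wpdb;
	return $wpdb->get_var(
		$wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login )
	);
}

// LIKE takes two steps: $wpdb->esc_like() neutralises % _ and \ inside the
// user's value (otherwise a bare "%" would match every row), then prepare()
// escapes the whole pattern. The trailing % wildcard is appended by us after
// escaping, so it keeps its meaning.
function wct_search_orders( $customer_prefix, $min_total ) {
	global $wpdb;
	$table   = $wpdb->prefix . 'orders';
	$pattern = $wpdb->esc_like( $customer_prefix ) . '%';
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, customer, total FROM {$table} WHERE customer LIKE %s AND total >= %f ORDER BY total DESC",
			$pattern,
			$min_total
		)
	);
}

// Note: a literal % in the SQL text itself (not inside a value) must be
// written as %% so prepare() does not read it as a placeholder.
```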
Input Sanitization
There are a pile of functions to do input sanitization:

sanitize_title()
sanitize_user()
balance_tags()
tag_escape()
is_email()
sanitize_html_class()
array_map()
sanitize_email()
sanitize_file_name()
sanitize_term()
sanitize_term_field()
sanitize_key()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_meta()
Nonces
A “number used once” to help protect URLs from malicious use (Cross Site Request Forgery).
NOTE: In WordPress, a nonce is not a number, and it is not used once.
Create a Nonce for a URL:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_' . $post->ID );
Create a Nonce for a Form:

wp_nonce_field( 'delete-comment_' . $comment_id );
Generates code like this:

<input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />
Generic Nonce:

$nonce = wp_create_nonce( 'my-action_' . $post->ID );
Validate Nonces
To verify a nonce that was passed in a URL or a form in an admin screen:

check_admin_referer( 'delete-comment_' . $comment_id );
To verify a nonce that was passed in an AJAX request (the parameter is the action sent via AJAX):

check_ajax_referer( 'process-comment' );
To verify a generic nonce:

wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment' . $comment_id );

Returns false if the nonce fails
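The delete-comment action from the nonce slides wired end to end: the nonce is created for a URL and for a form, then verified with each of the three functions above. This is an added example, not code from the slides; it assumes it runs inside WordPress, and the wct_ prefix and the action names wct_delete_comment and wct-ajax-delete are hypothetical.

```php
<?php
// Added example (not from the slides): create and verify nonces for a
// "delete comment" action. Assumes WordPress is loaded; the wct_ prefix and
// the action names are hypothetical.

// Creating: tie the nonce to the specific comment ID, so a nonce minted for
// one comment is not valid for another.
function wct_delete_comment_url( $comment_id ) {
	$bare_url = add_query_arg(
		array( 'action' => 'wct_delete_comment', 'comment_id' => absint( $comment_id ) ),
		admin_url( 'admin-post.php' )
	);
	return wp_nonce_url( $bare_url, 'delete-comment_' . $comment_id ); // appends _wpnonce=
}

function wct_delete_comment_form( $comment_id ) {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="wct_delete_comment" />
		<input type="hidden" name="comment_id" value="<?php echo absint( $comment_id ); ?>" />
		<?php wp_nonce_field( 'delete-comment_' . $comment_id ); // _wpnonce + _wp_http_referer ?>
		<button type="submit">Delete</button>
	</form>
	<?php
}

// Verifying (admin screen, link or form): check_admin_referer() reads
// _wpnonce from $_REQUEST and calls wp_die() on failure, so nothing below it
// runs for a forged request.
function wct_handle_delete_comment() {
	$comment_id = isset( $_REQUEST['comment_id'] ) ? absint( $_REQUEST['comment_id'] ) : 0;
	check_admin_referer( 'delete-comment_' . $comment_id );

	// A nonce proves the request came from our own page, not that the user
	// may perform the action: capability checks are still required.
	if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
		wp_die( 'You are not allowed to delete this comment.', 'Forbidden', array( 'response' => 403 ) );
	}

	wp_delete_comment( $comment_id );
	wp_safe_redirect( admin_url( 'edit-comments.php' ) );
	exit;
}
add_action( 'admin_post_wct_delete_comment', 'wct_handle_delete_comment' );

// Verifying (AJAX): the page sends wp_create_nonce( 'wct-ajax-delete' ) as
// the _ajax_nonce field; check_ajax_referer() looks there (then in _wpnonce)
// and dies with -1 on failure.
function wct_ajax_delete_comment() {
	check_ajax_referer( 'wct-ajax-delete' );
	$comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
	if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	wp_send_json_success( wp_delete_comment( $comment_id ) );
}
add_action( 'wp_ajax_wct_delete_comment', 'wct_ajax_delete_comment' );

// Verifying (generic): wp_verify_nonce() does not die. It returns 1 or 2
// (valid, in the first or second 12-hour tick) or false, so test for false.
function wct_verify_generic( $comment_id ) {
	$nonce = isset( $_REQUEST['my_nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['my_nonce'] ) ) : '';
	if ( false === wp_verify_nonce( $nonce, 'process-comment' . $comment_id ) ) {
		return new WP_Error( 'bad_nonce', 'Security check failed.' );
	}
	return true;
}
```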
To learn more about nonces, see the WordPress Codex:
https://codex.wordpress.org/WordPress_Nonces
Brain Full?
Good, because we’re almost done.
Redirecting
wp_redirect( $url, $status ); exit;
wp_safe_redirect( $url, $status ); exit;

$status defaults to 302 (temporary)

wp_safe_redirect() only allows redirects to a specified set of hostnames, which can be set using the allowed_redirect_hosts filter.
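Handling a user-controlled redirect_to parameter with the two functions above, so it cannot become the open redirect described in the Unvalidated Forwards & Redirects slides. This is an added example, not code from the slides; it assumes WordPress is loaded, and partner.example is a hypothetical second trusted host.

```php
<?php
// Added example (not from the slides): a user-controlled "redirect_to"
// parameter handled without creating an open redirect. Assumes WordPress is
// loaded; partner.example is a hypothetical second trusted site.

// allowed_redirect_hosts receives the site's own host; add any others here.
function wct_allowed_redirect_hosts( $hosts ) {
	$hosts[] = 'partner.example';
	return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'wct_allowed_redirect_hosts' );

// Decide where a "redirect_to" value may send the user.
// wp_validate_redirect() keeps relative paths and URLs whose host is the
// site's own or on the allowed_redirect_hosts list, rejects schemes other
// than http/https, and returns $fallback for everything else.
function wct_validated_target( $requested, $fallback ) {
	return wp_validate_redirect( $requested, $fallback );
}

function wct_after_login_redirect() {
	$requested = isset( $_REQUEST['redirect_to'] ) ? (string) wp_unslash( $_REQUEST['redirect_to'] ) : '';

	// UNSAFE (do not use): wp_redirect() sends the browser wherever the
	// parameter says, including a look-alike phishing page.
	// wp_redirect( $requested ); exit;

	// SAFE: wp_safe_redirect() runs the URL through wp_validate_redirect()
	// and falls back to admin_url() when the host is not allowed.
	wp_safe_redirect( $requested ? $requested : admin_url(), 302 );
	exit; // the redirect functions only send a header; stop executing here
}

// With the filter above, wct_validated_target( $url, home_url( '/' ) ) returns:
//   'https://evil.example/login'     -> home_url( '/' )  (host not allowed)
//   'https://partner.example/done'   -> unchanged
//   '/wp-admin/profile.php'          -> unchanged (same-site relative path)
//   'javascript:alert(1)'            -> home_url( '/' )  (scheme not http/https)
```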
Now you should get this…
XKCD # 327
Responsible Disclosure
If you find what you think may be a security vulnerability in WordPress’ code, be responsible. Send an e-mail with as much detail as possible to:

security@wordpress.org

Don’t blog about it, Facebook it, put it in Trac, Tweet it, etc. Allow the team time to confirm and fix the bug before letting all the hackers out there know it exists.
Thank you!
Slides: www.shawnhooper.ca
E-Mail: shawn@actionablebooks.com
Twitter: @shawnhooper
WordPress Slack: shooper

UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Recently uploaded (20)

COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Writing Secure Code for WordPress

  • 1. Writing Secure Code for WordPress
 WordCamp Toronto 2015
 Shawn Hooper
 Chief Technology Officer, Actionable Books
 @shawnhooper - shawnhooper.ca
  • 2. Hi!
 • I’m Shawn Hooper, CTO at Actionable Books. Former Freelance Developer
 • GIAC Certified .NET Secure Software Programmer
 • Love Auditing Code (I’m Strange)
  • 3. We’re Under Attack!
 We are going to look at a couple of different types of attacks and how to avoid them:
 * SQL Injection
 * Cross Site Scripting (XSS)
 * Cross Site Request Forgery (CSRF)
 * Unvalidated Redirects and Forwards
  • 4. Injection Attacks
 on the Open Web Application Security Project (OWASP) Top Ten List
  • 5. SQL Injection Attacks
 SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
 - Wikipedia
  • 6. SQL Injection Attacks
 Without protecting against injection attacks, what would happen if a login form allowed this:
 ' OR '1'='1' --
  • 7. SQL Injection Attacks
 SELECT * FROM wp_users WHERE user_pass = '' OR '1'='1' --'
  • 8. SQL Injection Attacks
 '; DROP TABLE wp_users; --
  • 9. SQL Injection Attacks
 SELECT * FROM wp_users WHERE user_pass = ''; DROP TABLE wp_users; --
  • 10. Cross Site Scripting (XSS)
 on the Open Web Application Security Project (OWASP) Top Ten List
  • 11. Cross Site Scripting (XSS)
 Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
 - Wikipedia
  • 12. Cross Site Scripting (XSS)
 Cross Site Scripting can be used to capture a user’s authentication / session cookie and then impersonate them on a trusted website.
 Reflected (e.g. delivered by e-mail) vs. Persistent (e.g. returned by the DB in a forum)
  • 13. Cross Site Request Forgery
 on the Open Web Application Security Project (OWASP) Top Ten List
  • 14. Cross Site Request Forgery
 Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
 - Wikipedia
  • 15. Cross Site Request Forgery
 An example of a simple CSRF attack would be getting you to visit a link that would change your password to something the attacker knows.
  • 16. Unvalidated Forwards & Redirects
 on the Open Web Application Security Project (OWASP) Top Ten List
  • 17. Unvalidated Forwards & Redirects
 Could allow code in your website to forward the user to a malicious (e.g. phishing) website.
  • 19. Scared Yet?
 Let’s figure out how to stop all this stuff from happening…
  • 22. Validation
 * Are values of the correct type?
 * Are values in range?
  • 23. Validation
 Is an input supposed to be an integer?
 intval( $_POST['quantity'] )
 or
 absint( $_POST['quantity'] )
  • 24. Validation
 Is it in range?
 $quantity = absint( $_POST['quantity'] );
 if ( $quantity > 10 ) { die( 'Quantity Out of Range' ); }
  • 25. Validation
 Should it be an e-mail address?
 $email = is_email( $_POST['email'] );
 returns false if invalid
  • 26. Sanitization
 Should it be an e-mail address?
 $email = sanitize_email( $_POST['email'] );
 removes characters that are not valid in an e-mail address.
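The validation and sanitization calls from slides 22 to 26 combined into one form handler, as an added example that is not part of the slides. The function name, the field names and the 1 to 10 quantity range are assumptions made for this example.

```php
<?php
// Added example (not from the slides): validate types and ranges first,
// then sanitize, and refuse the request when validation fails.
// Field names and the quantity range are assumptions for illustration.

function wcto_validate_order( array $input ) {
    $errors = new WP_Error();

    // Type check: absint() casts to a non-negative integer, so "12abc",
    // "-3" and "<script>" become 12, 3 and 0 respectively.
    $quantity = isset( $input['quantity'] ) ? absint( $input['quantity'] ) : 0;

    // Range check: a value of the right type can still be a wrong value.
    if ( $quantity < 1 || $quantity > 10 ) {
        $errors->add( 'quantity', 'Quantity out of range (1-10).' );
    }

    // is_email() validates (false on failure); sanitize_email() strips
    // characters that cannot appear in an address. Validate the raw value
    // first so a bad address is rejected rather than silently "repaired".
    $raw_email = isset( $input['email'] ) ? $input['email'] : '';
    if ( ! is_email( $raw_email ) ) {
        $errors->add( 'email', 'Please enter a valid e-mail address.' );
    }
    $email = sanitize_email( $raw_email );

    // Free text: sanitize_text_field() strips tags, invalid octets and
    // line breaks, which is what we want for a single-line note.
    $note = isset( $input['note'] ) ? sanitize_text_field( $input['note'] ) : '';

    // get_error_codes() is empty when nothing was added.
    if ( $errors->get_error_codes() ) {
        return $errors;
    }

    return array(
        'quantity' => $quantity,
        'email'    => $email,
        'note'     => $note,
    );
}

// Typical use inside a POST handler: stop on the first validation failure.
$result = wcto_validate_order( $_POST );
if ( is_wp_error( $result ) ) {
    wp_die( esc_html( implode( ' ', $result->get_error_messages() ) ) );
}
// $result now holds only typed, ranged and sanitized values.
```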
  • 27. Escaping Text
 esc_html( $string );
 esc_html__( $string, $domain );
 ex:
 Hello <?php echo esc_html( $string ); ?>
  • 28. Escaping Text
 esc_attr( $text );
 esc_attr__( $text, $domain );
 Escaping a string for use in an HTML attribute.
 <div data-value="<?php echo esc_attr( $value ); ?>">
  • 29. Escaping Text
 esc_js( $text );
 Escaping a string for echoing in JavaScript.
  • 30. Escaping URLs
 esc_url( $url );
 esc_url_raw( $url );
 urlencode( $string );
 urlencode_deep( $array );
  • 31. Escaping HTML
 wp_kses( $fragment, $allowed_html, $protocols );
 $allowed_html = array(
     'a' => array(
         'href' => array(),
         'title' => array()
     ),
     'br' => array(),
     'em' => array(),
     'strong' => array()
 );
  • 32. Escaping HTML
 wp_rel_nofollow( $html )
 Adds rel="nofollow" to every link in the HTML fragment.
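The escaping functions from slides 27 to 32 applied to one untrusted value in each output context, as an added example that is not part of the slides. The constructed hostile values in $comment and $profile_url are assumptions made to show what each function neutralises.

```php
<?php
// Added example (not from the slides): the same untrusted string rendered in
// five contexts, each with the escaper that fits that context. The values
// below are constructed for this example; in a real page they come from a user.

$comment     = '<script>alert(1)</script> "quoted" & <em>ok</em> <a href="javascript:alert(1)">x</a>';
$profile_url = 'javascript:alert(document.cookie)';   // constructed hostile value
$allowed     = array(                                   // allow-list for wp_kses()
    'a'      => array( 'href' => array(), 'title' => array() ),
    'br'     => array(),
    'em'     => array(),
    'strong' => array(),
);

// UNSAFE: the browser parses the string as markup and the script runs.
// echo '<p>' . $comment . '</p>';
?>

<!-- HTML body: < > & " are turned into entities, so the tag is shown, not run -->
<p><?php echo esc_html( $comment ); ?></p>

<!-- HTML attribute: quotes are encoded so the value cannot close the attribute -->
<div data-comment="<?php echo esc_attr( $comment ); ?>"></div>

<!-- URL: esc_url() rejects the javascript: scheme and returns an empty string,
     so the link points nowhere instead of at attacker-controlled code -->
<a href="<?php echo esc_url( $profile_url ); ?>">profile</a>

<!-- Inline JavaScript: esc_js() HTML-encodes < > & ", backslash-escapes single
     quotes and removes line breaks. It is meant for a quoted JS string literal
     in inline script or an event attribute; use wp_json_encode() for data. -->
<script>
    var lastComment = '<?php echo esc_js( $comment ); ?>';
</script>

<!-- Rich text: wp_kses() keeps only the allow-listed tags and attributes. The
     <script> tags are stripped and the javascript: href is dropped because
     javascript is not an allowed protocol. wp_rel_nofollow() runs afterwards
     (its rel attribute is not in the allow-list); it returns slashed text
     because it is a pre-save filter, hence wp_unslash() for display. -->
<div class="comment-body">
    <?php echo wp_unslash( wp_rel_nofollow( wp_kses( $comment, $allowed ) ) ); ?>
</div>
```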
  • 34. Database Sanitization
 $wpdb Is Your Friend!
  • 35. Database Sanitization
 $wpdb->insert(
     'table_name',
     array( 'column1' => 'value1', 'column2' => 123 ),
     array( '%s', '%d' )
 );
  • 36. Database Sanitization
 $wpdb->update(
     'table',
     array(
         'column1' => 'value1', // string
         'column2' => 'value2'  // integer (number)
     ),
     array( 'ID' => 1 ),
     array(
         '%s', // value1
         '%d'  // value2
     ),
     array( '%d' )
 );
  • 37. Database Sanitization
 $wpdb->delete( 'table', array( 'ID' => 1 ), array( '%d' ) );
  • 38. Database Sanitization
 What about other general queries? Statements that include joins?
 $wpdb->query()
  • 39. Database Sanitization
 $wpdb->prepare() to make sure the query is safe:
 $wpdb->prepare( SQL code with placeholders, variable 1, variable 2, etc. );
  • 40. Database Sanitization
 $safeSQL = $wpdb->prepare( "SELECT * FROM mytable WHERE col1 = %s AND col2 = %d", $sParam, $iParam );
 $wpdb->query( $safeSQL );
  • 41. Database Sanitization
 Valid placeholders are:
 %s for strings
 %d for integers
 %f for floats
  • 42. Database Sanitization
 If your query includes a LIKE statement in the WHERE clause, use
 $wpdb->esc_like()
 to properly escape the %, _ and \ characters, which have special meanings.
 Still requires $wpdb->prepare()
  • 43. Database Sanitization
 $likeValue = 'value_';
 $safeSQL = $wpdb->prepare( "SELECT * FROM table WHERE col1 LIKE %s", $wpdb->esc_like( $likeValue ) . '%' );
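The $wpdb pattern from slides 35 to 43 in a working lookup and insert against a custom table, as an added example that is not part of the slides. The table name, its columns and the function names are assumptions made for this example; $wpdb->esc_like() requires WordPress 4.0 or later.

```php
<?php
// Added example (not from the slides): $wpdb->prepare() with %s/%d placeholders,
// $wpdb->esc_like() for a LIKE pattern, and $wpdb->insert() with a format array.
// Table and column names are assumptions for this example.

// UNSAFE (the slide-7 query as code): user input is glued into the SQL, so a
// value such as ' OR '1'='1 rewrites the WHERE clause.
// $rows = $wpdb->get_results( "SELECT * FROM {$table} WHERE email = '" . $_GET['email'] . "'" );

function wcto_search_orders( $email_fragment, $min_quantity ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders';   // built from the prefix, never from user input

    // A raw "%" or "_" in the user value would act as a wildcard and match
    // everything. esc_like() escapes % _ and \ so they match literally; the
    // wildcard we actually want is appended afterwards, outside the escaping.
    $like = $wpdb->esc_like( $email_fragment ) . '%';

    // prepare() quotes and escapes %s itself (so %s is written unquoted) and
    // casts %d to an integer, so "5 OR 1=1" arrives as 5. For an input of
    // bob' OR '1'='1 the resulting SQL is ... LIKE 'bob\' OR \'1\'=\'1%' ...
    $sql = $wpdb->prepare(
        "SELECT id, email, quantity FROM {$table} WHERE email LIKE %s AND quantity >= %d",
        $like,
        $min_quantity
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

function wcto_add_order( $email, $quantity ) {
    global $wpdb;

    // One format specifier per column, in column order: string, integer.
    // insert() escapes the values for you; it returns false on failure.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'orders',
        array( 'email' => $email, 'quantity' => $quantity ),
        array( '%s', '%d' )
    );

    return $ok ? (int) $wpdb->insert_id : false;
}
```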
  • 45. Input Sanitization
 There are a pile of functions to do input sanitization:
 sanitize_title() sanitize_user() balance_tags() tag_escape() is_email() sanitize_html_class() array_map()
 sanitize_email() sanitize_file_name() sanitize_term() sanitize_term_field() sanitize_key() sanitize_mime_type()
 sanitize_option() sanitize_sql_orderby() sanitize_text_field() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_meta()
  • 47. Nonces
 A "number used once" to help protect URLs from malicious use (Cross Site Request Forgery)
  • 48. Nonces
 NOTE: In WordPress, a nonce is not a number, and it is not used once.
  • 49. Nonces
 Create a Nonce for a URL:
 $complete_url = wp_nonce_url( $bare_url, 'trash-post_' . $post->ID );
  • 50. Nonces
 Create a Nonce for a Form:
 wp_nonce_field( 'delete-comment_' . $comment_id );
  • 51. Nonces
 Generates code like this:
 <input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
 <input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />
  • 52. Nonces
 Generic Nonce:
 $nonce = wp_create_nonce( 'my-action_' . $post->ID );
  • 53. Validate Nonces
 To verify a nonce that was passed in a URL or a form in an admin screen:
 check_admin_referer( 'delete-comment_' . $comment_id );
  • 54. Validate Nonces
 To verify a nonce that was passed in an AJAX request (parameter is the action sent via AJAX):
 check_ajax_referer( 'process-comment' );
  • 55. Validate Nonces
 To verify a generic nonce:
 wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment' . $comment_id );
 Returns false if the nonce fails
  • 56. Nonces
 To learn more about nonces, see the WordPress Codex:
 https://codex.wordpress.org/WordPress_Nonces
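The nonce creation and verification calls from slides 50 to 55 wired into one "delete comment" feature, as an added example that is not part of the slides. The function names, the admin-post action name, the wcto_ prefix and the use of edit_comment as the capability check are assumptions made for this example.

```php
<?php
// Added example (not from the slides): a form protected by wp_nonce_field(),
// verified with check_admin_referer(), plus the AJAX variant. Names are
// assumptions for this example. The nonce proves the request came from a page
// this site served to this user; the capability check proves the user may act.

// 1. Render the form. wp_nonce_field() emits the hidden _wpnonce and
//    _wp_http_referer inputs shown on slide 51.
function wcto_delete_comment_form( $comment_id ) {
    $comment_id = absint( $comment_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wcto_delete_comment">
        <input type="hidden" name="comment_id" value="<?php echo esc_attr( $comment_id ); ?>">
        <?php wp_nonce_field( 'delete-comment_' . $comment_id ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

// 2. Handle the POST. check_admin_referer() calls wp_die() ("Are you sure you
//    want to do this?") when the nonce is missing, stale or for another action,
//    so a request forged from another site never reaches the delete.
function wcto_handle_delete_comment() {
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    check_admin_referer( 'delete-comment_' . $comment_id );

    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_die( 'You are not allowed to delete this comment.' );
    }
    wp_delete_comment( $comment_id );

    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
add_action( 'admin_post_wcto_delete_comment', 'wcto_handle_delete_comment' );

// 3. The same check for an AJAX call. check_ajax_referer() reads the nonce from
//    $_REQUEST['_ajax_nonce'] (or '_wpnonce') and dies with -1 on failure.
function wcto_ajax_delete_comment() {
    check_ajax_referer( 'process-comment' );
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;

    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }
    wp_send_json_success( array( 'deleted' => (bool) wp_delete_comment( $comment_id ) ) );
}
add_action( 'wp_ajax_wcto_delete_comment', 'wcto_ajax_delete_comment' );

// 4. The browser gets the AJAX nonce from wp_create_nonce() (slide 52), for
//    example handed to the script with wp_localize_script():
//    wp_localize_script( 'wcto', 'wcto', array( 'nonce' => wp_create_nonce( 'process-comment' ) ) );
//    and sends it back as the _ajax_nonce field of the request.
```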
  • 57. Brain Full?
 Good, because we’re almost done.
  • 58. Redirecting
 wp_redirect( $url, $status ); exit;
 wp_safe_redirect( $url, $status ); exit;
 $status defaults to 302 (temporary)
 wp_safe_redirect() only allows redirects to a specified set of hostnames, which can be set using the allowed_redirect_hosts filter
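The safe-redirect pattern from slide 58 applied to a "return to" parameter, as an added example that is not part of the slides. The query parameter name, the partner hostname and the home_url() fallback are assumptions made for this example.

```php
<?php
// Added example (not from the slides): an unvalidated redirect (slide 17)
// beside the validated form. Parameter name, partner host and fallback are
// assumptions for this example.

// Extend the allow-list: the site's own host is always allowed; the filter
// adds any other hosts that wp_safe_redirect() may send users to.
function wcto_allowed_redirect_hosts( $hosts ) {
    $hosts[] = 'partner.example.com';   // placeholder for a host you actually trust
    return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'wcto_allowed_redirect_hosts' );

// UNSAFE: wp_redirect() goes wherever the request says, so a crafted link
// with ?return_to=https://phishing.example/ lands the user on a phishing page.
// wp_redirect( $_GET['return_to'] ); exit;

function wcto_return_redirect() {
    $target = isset( $_GET['return_to'] ) ? wp_unslash( $_GET['return_to'] ) : '';

    // wp_validate_redirect() keeps relative paths such as /account/ (no host),
    // keeps absolute URLs whose host is in the allow-list, and returns the
    // fallback for anything else (other hosts, non-http(s) schemes).
    $target = wp_validate_redirect( $target, home_url( '/' ) );

    // wp_safe_redirect() re-validates (falling back to admin_url() by default,
    // filterable via wp_safe_redirect_fallback), so it is safe even if the
    // explicit validation above is ever removed. 302 is the default status.
    wp_safe_redirect( $target, 302 );
    exit;   // always stop after a redirect, or the rest of the page still executes
}
```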
  • 59. Now you should get this…
 XKCD #327
  • 60. Responsible Disclosure
 If you find what you think may be a security vulnerability in WordPress’ code, be responsible. Send an e-mail with as much detail as possible to:
 security@wordpress.org
 Don’t blog about it, Facebook it, put it in Trac, Tweet it, etc. Allow the team time to confirm and fix the bug before letting all the hackers out there know it exists.
  • 61. Thank you!
 Slides: www.shawnhooper.ca
 E-Mail: shawn@actionablebooks.com
 Twitter: @shawnhooper
 WordPress Slack: shooper