2. Hi!
• I’m Shawn Hooper, CTO at Actionable Books. Former Freelance Developer
• GIAC Certified .NET Secure Software Programmer
• Love Auditing Code (I’m Strange)
@shawnhooper - shawnhooper.ca
3. We’re Under Attack!
We are going to look at a couple of different types of attacks and how to avoid them:
* SQL Injection
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Unvalidated Redirects and Forwards
4. Injection Attacks
on the Open Web Application Security Project (OWASP) Top Ten List
5. SQL Injection Attacks
“SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).”
- Wikipedia
6. SQL Injection Attacks
Without protecting against injection attacks, what would happen if a login form allowed this:
' OR '1'='1' --
7. SQL Injection Attacks
SELECT * FROM wp_users WHERE user_pass = '' OR '1'='1' --'
9. SQL Injection Attacks
SELECT * FROM wp_users WHERE user_pass = ''; DROP TABLE wp_users; --
10. Cross Site Scripting (XSS)
on the Open Web Application Security Project (OWASP) Top Ten List
11. Cross Site Scripting (XSS)
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.”
- Wikipedia
12. Cross Site Scripting (XSS)
Cross Site Scripting can be used to capture a user’s authentication / session cookie and then impersonate them on a trusted website.
Reflected (ex, delivered by e-mail) vs. Persistent (ex, returned by the DB in a forum)
13. Cross Site Request Forgery
on the Open Web Application Security Project (OWASP) Top Ten List
14. Cross Site Request Forgery
“Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.”
- Wikipedia
15. Cross Site Request Forgery
An example of a simple CSRF attack would be getting you to visit a link that would change your password to something the attacker knows.
16. Unvalidated Forwards & Redirects
on the Open Web Application Security Project (OWASP) Top Ten List
17. Unvalidated Forwards & Redirects
Could allow code in your website to forward the user to a malicious (ex: phishing) website.
28. Escaping Text
esc_attr( $text );
esc_attr__( $text, $domain );
Escaping a string for use in an HTML attribute (esc_attr__() translates $text in $domain first, then escapes it).
<div data-value="<?php echo esc_attr( $value ); ?>">
42. Database Sanitization
If your query includes a LIKE statement in the WHERE clause, use $wpdb->esc_like() to properly escape the %, _ and \ characters, which have special meanings in a LIKE pattern.
Still requires $wpdb->prepare()
43. Database Sanitization
global $wpdb;
$likeValue = 'value_';
// Escape the LIKE wildcards in the value first, then append the % wildcard you actually want.
// Leave the %s placeholder unquoted: prepare() adds the quotes itself.
$safeSQL = $wpdb->prepare( "SELECT * FROM table WHERE col1 LIKE %s", $wpdb->esc_like( $likeValue ) . '%' );
53. Validate Nonces
To verify a nonce that was passed in a URL or a form in an admin screen:
check_admin_referer( 'delete-comment_' . $comment_id );
54. Validate Nonces
To verify a nonce that was passed in an AJAX request (the parameter is the action sent via AJAX):
check_ajax_referer( 'process-comment' );
55. Validate Nonces
To verify a generic nonce:
wp_verify_nonce( $_REQUEST['my_nonce'], 'process-comment' . $comment_id );
Returns false if the nonce fails
58. Redirecting
wp_redirect( $url, $status ); exit;
wp_safe_redirect( $url, $status ); exit;
$status defaults to 302 (temporary)
wp_safe_redirect() only allows redirects to a specified set of hostnames, which can be set using the allowed_redirect_hosts filter
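Added example, not from the deck: one admin-post handler that puts the nonce check (slides 53-55), $wpdb->prepare() (slides 42-43) and wp_safe_redirect() (slide 58) together. The action name 'delete_my_comment' and the function names are made up for illustration.

```php
<?php
// Added example, not from the deck: one admin-post handler that combines the
// nonce check, $wpdb->prepare() and wp_safe_redirect() shown on the slides.
// The action name 'delete_my_comment' and the function names are made up.

// Building the link: wp_nonce_url() appends a _wpnonce bound to the action
// 'delete-comment_<id>', the same action string the handler checks below.
function my_delete_comment_link( $comment_id ) {
    $url = add_query_arg(
        array( 'action' => 'delete_my_comment', 'comment_id' => (int) $comment_id ),
        admin_url( 'admin-post.php' )
    );
    // esc_url() escapes the URL for output inside an href attribute.
    return esc_url( wp_nonce_url( $url, 'delete-comment_' . (int) $comment_id ) );
}

// admin_post_{action} only fires for logged-in users hitting admin-post.php.
add_action( 'admin_post_delete_my_comment', 'my_handle_delete_comment' );

function my_handle_delete_comment() {
    global $wpdb;
    // Validate the input before it touches anything else.
    $comment_id = isset( $_REQUEST['comment_id'] ) ? absint( $_REQUEST['comment_id'] ) : 0;
    if ( 0 === $comment_id ) {
        wp_die( 'Invalid comment.' );
    }
    // CSRF: dies unless the nonce matches this exact action and comment id.
    check_admin_referer( 'delete-comment_' . $comment_id );
    // A valid nonce proves intent, not permission: authorization is separate.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'You are not allowed to do that.' );
    }
    // SQL injection: %d placeholder, value passed separately, never concatenated.
    // (wp_delete_comment() would normally do this; the raw query shows prepare().)
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_ID = %d", $comment_id )
    );
    // Unvalidated redirect: wp_safe_redirect() refuses hosts outside
    // allowed_redirect_hosts, so a tampered redirect_to cannot send the user
    // off-site; an empty value falls back to the comments screen.
    $redirect = isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] )
        ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
    if ( '' === $redirect ) {
        $redirect = admin_url( 'edit-comments.php' );
    }
    wp_safe_redirect( $redirect, 302 );
    exit;
}
```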
59. Now you should get this…
XKCD # 327
60. Responsible Disclosure
If you find what you think may be a security vulnerability in WordPress’ code, be responsible. Send an e-mail with as much detail as possible to:
security@wordpress.org
Don’t blog about it, Facebook it, put it in Trac, Tweet it, etc. Allow the team time to confirm and fix the bug before letting all the hackers out there know it exists.