Secure Coding with WordPress - WordCamp SF 2008
TRANSCRIPT
Page 1
Secure Coding with WordPress
Mark Jaquith, markjaquith.com
Page 2

```php
<?php $title = '" onmouseover="pwnage();'; ?>
<a href="#wordcamp" title="<?php echo $title ?>">link</a>
```
Page 3
$ sudo wp-plugin
Page 4
That thing that the Uncle dude told the Spiderman dude
Page 5
XSS
CSRF
SQL injection
privilege escalation
Page 6
SQL Injection
Page 7
I CAN HAZ REFUND?
Page 8

```php
<?php
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
```
Page 9

```php
<?php
$newtitle = $wpdb->escape( $newtitle );
$my_id    = absint( $my_id );
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
```
Page 10
$wpdb->update( )
Page 11

```php
<?php
$wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
?>
```
Page 12
$wpdb->insert( )
Page 13

```php
<?php
$wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) );
?>
```
Page 14

```php
<?php
$wpdb->update(
	$wpdb->posts,
	array( 'post_title' => $newtitle, 'post_content' => $newcontent ),
	array( 'ID' => $my_id, 'post_title' => $old_title )
);
?>
```
Page 15

```php
<?php
$post_title           = 'New Title';
$wheres['ID']         = 123;
$wheres['post_title'] = 'Old Title';
$wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres );
?>
```
Page 16
$wpdb->prepare( )
Page 17

```php
<?php
$title   = 'Post Title';
$ID      = 123;
$content = $wpdb->get_var( $wpdb->prepare(
	"SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d",
	$title,
	$ID
) );
?>
```
Page 18
• Uses sprintf() formatting
• %s for strings
• %d for integers
• You should not quote or escape
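The same "rename a post" operation written the three ways the preceding slides progress through (raw string, manual escaping, then the $wpdb API), plus the prepare() lookup from page 17. This is an added example, not code from the slides; it assumes it runs inside WordPress so that the global $wpdb and absint() are available. The wcsf_* function names are hypothetical, and the single-quoted title passed at the bottom is a constructed input chosen because it breaks the raw-string form.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded ($wpdb, absint()).
// Function names wcsf_* are hypothetical.

// 1. The injectable form from page 8, kept here only for contrast. Both values are
//    pasted straight into the SQL text, so a quote in $newtitle or a non-numeric
//    $my_id changes the statement instead of the data.
function wcsf_rename_post_unsafe( $my_id, $newtitle ) {
	global $wpdb;
	return $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
}

// 2. Manual escaping (page 9): the string is escaped for the SQL context and the ID
//    is forced to a non-negative integer. Correct, but every call site must remember
//    to do it, and $wpdb->escape() has since been deprecated in favour of prepare().
function wcsf_rename_post_escaped( $my_id, $newtitle ) {
	global $wpdb;
	$newtitle = $wpdb->escape( $newtitle );
	$my_id    = absint( $my_id );
	return $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
}

// 3. $wpdb->update() (pages 10-15): no SQL string is written by hand. Values are
//    escaped by the API; the array KEYS (column names) are not, so they must be
//    hard-coded literals as they are here, never request data. Returns the number of
//    rows changed, or false on error.
function wcsf_rename_post( $my_id, $newtitle ) {
	global $wpdb;
	return $wpdb->update(
		$wpdb->posts,
		array( 'post_title' => $newtitle ),        // SET
		array( 'ID'         => absint( $my_id ) )  // WHERE
	);
}

// 4. For a statement update()/insert() cannot express, prepare() (pages 16-18):
//    %s and %d are placeholders; do NOT put quotes around %s and do NOT pre-escape
//    the arguments, prepare() quotes and escapes for you. A literal percent sign in
//    the query text must be written as %%.
function wcsf_get_content( $my_id, $title ) {
	global $wpdb;
	return $wpdb->get_var( $wpdb->prepare(
		"SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d",
		$title,
		$my_id
	) );
}

// Constructed input: a title containing a single quote, which would have turned
// form 1 into a syntax error (or worse) but is plain data to forms 2-4.
$rows    = wcsf_rename_post( 123, "Bob's WordCamp recap" );
$content = wcsf_get_content( 123, "Bob's WordCamp recap" );
```

The practical rule the slides build toward: if an update or insert can be expressed as column/value arrays, use $wpdb->update() or $wpdb->insert(); otherwise write the statement once with placeholders and let prepare() do the quoting. Either way the only string that ever contains SQL is a literal in your source, which is also what makes the code reviewable.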
Page 19
Escape late
Page 20
XSS
Page 21

```php
<h1><?php echo $title; ?></h1>
```
Page 22

```php
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo $title; ?></h1>
```
Page 23
Anything that isn't hardcoded is suspect
Page 24
Better: Everything is suspect
Page 25
wp_specialchars( )
Page 26

```php
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo wp_specialchars( $title ); ?></h1>
```
Page 27

```php
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo wp_specialchars( $title ); ?>">Link Text</a>
```
Page 28
attribute_escape( )
Page 29

```php
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo attribute_escape( $title ); ?>">Link Text</a>
```
Page 30

```php
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo attribute_escape( $url ); ?>">Link Text</a>
```
Page 31
clean_url( )
Page 32

```php
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo clean_url( $url ); ?>">Link Text</a>
```
Page 33
sanitize_url( ), sister of clean_url( )
Page 34
js_escape( )
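One template function that places the same untrusted title and URL into each output context the XSS slides walk through (element body, attribute value, href, inline JavaScript string), using the escaper the slides name for that context. This is an added example, not code from the slides; it assumes it runs inside WordPress with the 2008-era function names used above (since WordPress 2.8 these live on as esc_html(), esc_attr(), esc_url() and esc_js()). The function name wcsf_render_link is hypothetical, and the two payload strings passed at the bottom are the ones shown on the slides, used here as constructed test input.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded.
// wcsf_render_link() is a hypothetical name; $title, $url and $label are untrusted.
function wcsf_render_link( $title, $url, $label ) {
	?>
	<!-- Element content: wp_specialchars() entity-encodes < > & ", so a <script>
	     tag inside $title is shown as text instead of being parsed. -->
	<h1><?php echo wp_specialchars( $title ); ?></h1>

	<!-- Attribute value: the " in $title must be encoded so the value cannot close
	     the attribute and inject an onmouseover=. attribute_escape() is the
	     attribute-specific escaper.
	     href is a URL context: attribute_escape() is the WRONG tool there, because a
	     javascript: URL contains nothing it would encode and passes through intact.
	     clean_url() checks the scheme against the allowed protocol list and refuses
	     it, so the link is neutralised rather than merely encoded. -->
	<a href="<?php echo clean_url( $url ); ?>"
	   title="<?php echo attribute_escape( $title ); ?>"><?php echo wp_specialchars( $label ); ?></a>

	<!-- JavaScript string literal: js_escape() escapes quotes and line breaks (and
	     entity-encodes HTML metacharacters) so the value cannot terminate the
	     single-quoted literal. Note the single quotes: js_escape() is written for
	     single-quoted JS strings, and the HTML escapers above do not understand JS
	     string syntax at all. -->
	<script type="text/javascript">
		var pageTitle = '<?php echo js_escape( $title ); ?>';
	</script>
	<?php
}

// Constructed inputs: the payloads from pages 27-32. Rendered through the function
// above they come out as inert text, an encoded title attribute, an empty/neutralised
// href and a harmless JS string.
wcsf_render_link( '" onmouseover="pwnd();', 'javascript:pwnage();', 'Link Text' );
```

The point of keeping all four in one function is that "escape" is not one operation: the same string needs a different transformation for each place it lands, which is why the slide's rule is "escape late", at the moment of output, when the context is known. sanitize_url() (page 33) is the variant of clean_url() meant for values about to be stored rather than displayed; output still goes through clean_url().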
Page 35
CSRF
Page 36
Authorization vs. Intention
Page 37

Page 38
Nonces
Page 39

Page 40
Number used once
Page 41
Specific to
• WordPress user
• Action attempted
• Object of attempted action
• Time window
Page 42
wp_nonce_field( )
Page 43

```php
<form action="process.php" method="post">
<?php wp_nonce_field( 'plugin-action_object' ); ?>
...
</form>
```
Page 44
check_admin_referer( )
Page 45

```php
<?php
// before output goes to browser
check_admin_referer( 'plugin-action_object' );
?>
```
Page 46
Still need to use current_user_can( )
Page 47
AJAX CSRF
Page 48
Privilege Escalation
Page 49
current_user_can( )
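A complete form-and-handler round trip that puts the nonce slides (pages 42-46) and the current_user_can() slide together, because the two checks answer different questions: the nonce proves intention (this user really submitted this form, for this object, recently), the capability check proves authorization (this user is allowed to do it at all). This is an added example, not code from the slides; it assumes it runs inside a WordPress plugin. The wcsf_* function names, the 'wcsf-delete_' action prefix, the hidden action field, the admin_init hook and the 'manage_options' capability are choices made for this example, not anything the slides prescribe.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded.
// wcsf_* names, the action string and the capability are hypothetical choices.

// 1. Form output. wp_nonce_field() emits a hidden _wpnonce input (plus a referer
//    field) tied to the current user, the action string and, through the string,
//    the specific object, and valid only for a limited time window (page 41).
function wcsf_render_delete_form( $object_id ) {
	$object_id = absint( $object_id );
	?>
	<form action="" method="post">
		<?php wp_nonce_field( 'wcsf-delete_' . $object_id ); ?>
		<input type="hidden" name="wcsf_action" value="delete" />
		<input type="hidden" name="object_id" value="<?php echo $object_id; ?>" />
		<input type="submit" value="Delete" />
	</form>
	<?php
}

// 2. Handler, hooked early so it runs before any output reaches the browser
//    (page 45), because a failed check ends the request with wp_die().
function wcsf_handle_delete() {
	if ( ! isset( $_POST['wcsf_action'] ) || 'delete' !== $_POST['wcsf_action'] ) {
		return; // not our form
	}
	$object_id = isset( $_POST['object_id'] ) ? absint( $_POST['object_id'] ) : 0;

	// Intention: does the submitted nonce match THIS action for THIS object, for
	// THIS user, within the window? check_admin_referer() dies if it is missing,
	// stale or was issued for a different action/object. This is what defeats a
	// forged cross-site POST: the attacker's page cannot obtain the victim's nonce.
	check_admin_referer( 'wcsf-delete_' . $object_id );

	// Authorization: may this user do this at all? A valid nonce only proves the
	// request came from a form WordPress rendered for this user; any logged-in
	// user, a Subscriber included, can be handed a perfectly valid nonce. Without
	// this line the nonce check alone is a privilege-escalation hole (page 48).
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to do this.' );
	}

	wcsf_delete_object( $object_id ); // hypothetical plugin function doing the work
	wp_redirect( add_query_arg( 'deleted', '1' ) );
	exit;
}
add_action( 'admin_init', 'wcsf_handle_delete' );

// Hypothetical stand-in so the file parses on its own; a real plugin would use
// $wpdb->update()/prepare() here as on pages 10-18.
function wcsf_delete_object( $object_id ) {
	return true;
}
```

Order matters less than completeness: the nonce check and the capability check must both be present on every state-changing request, and neither substitutes for the other. For the AJAX case on page 47 the same nonce is sent as a request parameter and checked server-side with check_ajax_referer(), a WordPress function the slides do not name; the capability check is still required there too.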
Page 50
Challenges
Page 51
Inconsistent naming system
Page 52
Security sediment
Page 53
Education
Page 54
Thank you!