wordpress security @ vienna wordpress + drupal meetup

Security Ruins everything on the Internet since 1920*

Upload: veselin-nikolov

Post on 15-Jul-2015


TRANSCRIPT

Security Ruins everything on the Internet since 1920*

About me

● Veselin Nikolov

● Automattic

● WP since 1.2

● PHP + MySQL since 3.0

● IRC since 1998

Acid Burn

● Controls traffic lights

● Owns 686

90s

● mIRC, ircops

● MSIE hacks

● Malware

● DoS, botnets

● Proxies, shells, bots, irc servers

Security

● Confidentiality

● Integrity

● Availability

Security

● Prevention

● Identification

● Reaction

It's not about WordPress

● Hardware

● Internet

● Servers

● Passwords and Private Keys

● Plugins & Themes

● Our code

● Meatware

Hardware

● Evil Maid, Trojans

● Antivirus

Internet

● MITM, routers, Wi-Fi, Poodle, http

● VPN, Proxy, Software Update

Passwords

Your password is OK, as long as it's 6 characters and ends with 123.

I recommend qwe123 :D

● 30%+ of the services use plain text: http://plaintextoffenders.com/about/

● Phishing, Social Engineering, Brute Force, MITM, keyloggers, human errors, password databases

Passwords

Somebody somewhere knows many of your passwords.

Passwords

Password Manager

Unfortunately, many of your clients will have their accounts compromised.

The Super Admin

'my secret password' ->

● phpass: $P$BXT7cDEtQXkAVarv7mh8WZux1euzwI/

● md5: a7303f3eee5f3ff1942bfbb1797ea0af

Storing Passwords

● Use strong hashing algorithms. Phpass is ok, md5 is not.

● Be careful with logs and emails, they might contain sensitive information

2FA

● https://wordpress.org/plugins/two-factor-auth/

● 2FA everything!

Plugins and Themes

● Use reputable sources

● Don't use free versions of paid plugins

Detection

● VaultPress

● Sucuri

● ?

You need between 0 and 1

Response

● You need proper backups

● Logs

● Stay calm, it happens.

Code Review

Reverse Q & A.

Topics covered:

XSS, Open Redirect, XXE, SQL Injection, Remote Code Execution

What's wrong with that?

<?php
echo $_GET['hi'];

Cross Site Scripting - XSS

GET ?hi=<script>alert('hi')</script>

<?php
echo $_GET['hi'];

Must be

echo esc_html( $_GET['hi'] );

...let's fix it.

<?php
echo esc_html( printf( 'hi, %s', $_GET['name'] ) );

Typo :(

<?php
echo esc_html( printf( 'hi, %s', $_GET['name'] ) );

Late escaping OR sprintf!
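The three variants side by side, as an added example that is not part of the original slides. esc_html() is WordPress's function; the shim at the top is an assumption so the snippet runs on plain PHP outside WordPress, and the hostile input is constructed.

```php
<?php
// Added example, not from the slides. esc_html() is WordPress's; outside
// WordPress the shim below stands in for it (assumption for this demo).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

$name = "<script>alert('hi')</script>";   // constructed hostile input

// 1. The typo from the slide: printf() writes its output immediately and
//    returns the number of bytes written, so esc_html() escapes an integer
//    while the raw markup has already gone to the browser.
ob_start();
echo esc_html( printf( 'hi, %s', $name ) );
$typo_output = ob_get_clean();

// 2. Late escaping: escape the untrusted part at the point of output.
ob_start();
printf( 'hi, %s', esc_html( $name ) );
$late_output = ob_get_clean();

// 3. sprintf() returns the string, so the whole thing can be escaped once.
ob_start();
echo esc_html( sprintf( 'hi, %s', $name ) );
$sprintf_output = ob_get_clean();

echo "typo:    $typo_output\n";
echo "late:    $late_output\n";
echo "sprintf: $sprintf_output\n";
```

Run it and the first line still carries the unescaped script tag followed by the escaped byte count; the other two lines carry only entity-encoded text. The output buffering is there only to capture each variant for comparison; in a template the point is simply that escaping has to happen on the string that reaches the browser.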

What's wrong?

<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php echo esc_url( $youtube_widget ); ?>"></script>

XSS

<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php echo esc_url( $youtube_widget ); ?>"></script>

GET ?src=http://my-evil-site.com/hack.js

Let's add validation...

<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '#https?://youtube.com/#', $src ) ) {
    die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>"></script>

Wrong REGEXP.

'#https?://youtube.com/#'

Will match

http://dzver.com/js?http://youtube.com/

Let's fix it.

<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '!^https?://(www.)?youtube.com/!', $src ) ) {
    die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>"></script>

'.' is a wildcard

'!^https?://(www.)?youtube.com/!'

Will match

'http://wwwayoutube.com/'

?

<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );

Remote Code Execution

<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );

What if

$_GET['domain'] = '| echo "hi!"';

Remote Code Execution

● eval();

● assert();

● ``; //backticks

● system()

● create_function()

● preg_replace( '.../e', $_GET )
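The safe counterpart of the `host` snippet above, as an added example that is not from the slides. esc_url() escapes for HTML, not for a shell, so it does nothing against the `| echo "hi!"` input; the functions below (names are mine) validate the value as a hostname first and then avoid the shell entirely, or quote it with escapeshellarg() if an external tool is really needed.

```php
<?php
// Added example, not from the slides. Function names are assumptions.

// Strict hostname syntax (RFC 1123 labels: letters, digits, hyphens, no
// leading or trailing hyphen, max 63 chars per label, 253 total). Anything
// else is refused, so shell metacharacters never reach a command line.
function is_valid_hostname( $domain ) {
    return strlen( $domain ) <= 253
        && (bool) preg_match(
            '/^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/i',
            $domain
        );
}

// Preferred: no shell at all. dns_get_record() talks to the resolver
// directly and returns an array of records (or false on failure).
function lookup_host( $domain ) {
    if ( ! is_valid_hostname( $domain ) ) {
        return false;
    }
    return dns_get_record( $domain, DNS_A );
}

// If an external tool is unavoidable: validate first, then quote with
// escapeshellarg(). Never interpolate the raw value into backticks.
function lookup_host_via_shell( $domain ) {
    if ( ! is_valid_hostname( $domain ) ) {
        return false;
    }
    return shell_exec( 'host ' . escapeshellarg( $domain ) );
}

// Constructed inputs: a normal name and the payload from the slide.
foreach ( array( 'example.com', '| echo "hi!"' ) as $input ) {
    printf( "%-14s -> %s\n", $input, is_valid_hostname( $input ) ? 'accepted' : 'rejected' );
}
```

The demo loop only exercises the validator, so it runs offline; lookup_host() needs a resolver. Validation before quoting matters even with escapeshellarg(), because a correctly quoted argument can still be something `host` was never meant to receive.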

?

<?php
// @mdawaffe's example
$xml = simplexml_load_file( $uploaded_file );
?>
<h1><?php printf( "%s Uploaded!", esc_html( $xml->title ) ); ?></h1>

XML External Entity XXE

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE something [
  <!ENTITY awesome SYSTEM "file:///home/www/public_html/db-config.php">
]>
<something>
  <title>&awesome;</title>
</something>

XML External Entity XXE

Missing:

libxml_disable_entity_loader(true);

Be careful with XML parsers; careless use is associated with many vulnerabilities.
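How the upload handler above can parse XML without resolving external entities, as an added example that is not from the slides. The function name is mine; it takes the file contents so the demo can feed it constructed strings, and the caller passes file_get_contents( $uploaded_file ) in real use.

```php
<?php
// Added example, not from the slides. parse_uploaded_xml() is my name.

function parse_uploaded_xml( $data ) {
    // 1. A DOCTYPE is where ENTITY declarations live. An uploaded data file
    //    has no legitimate need for one, so refuse the whole document.
    if ( false !== stripos( $data, '<!DOCTYPE' ) ) {
        return false;
    }

    // 2. The call the slide says is missing. It is process-wide. PHP 8.0
    //    deprecates it because libxml 2.9+ already disables external entity
    //    loading by default, hence the version guard.
    if ( PHP_VERSION_ID < 80000 ) {
        libxml_disable_entity_loader( true );
    }

    // 3. No network access for the parser, and parser errors collected
    //    instead of printed as warnings.
    $previous = libxml_use_internal_errors( true );
    $xml = simplexml_load_string( $data, 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );

    return $xml;   // SimpleXMLElement, or false on parse failure
}

// Constructed inputs: a benign upload and the XXE document from the slide.
$benign = '<?xml version="1.0"?><something><title>Holiday photos</title></something>';
$xxe    = '<?xml version="1.0" encoding="UTF-8" ?>'
        . '<!DOCTYPE something [<!ENTITY awesome SYSTEM "file:///home/www/public_html/db-config.php">]>'
        . '<something><title>&awesome;</title></something>';

foreach ( array( 'benign' => $benign, 'xxe' => $xxe ) as $label => $data ) {
    $xml = parse_uploaded_xml( $data );
    printf(
        "%-6s %s\n",
        $label,
        false !== $xml ? 'Uploaded: ' . htmlspecialchars( (string) $xml->title ) : 'rejected'
    );
}
```

The DOCTYPE check is deliberately blunt: it costs nothing and removes the whole class rather than relying on one parser flag. Do not pass LIBXML_NOENT, which turns entity substitution on.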

?

<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
    $result = $wpdb->query(
        "DELETE FROM wp_usermeta WHERE user_id = $id"
    );
}

SQL Injection

<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
    $result = $wpdb->query(
        "DELETE FROM wp_usermeta WHERE user_id = $id"
    );
}

$id = '5 or 1 = 1'; ->

DELETE FROM wp_usermeta WHERE user_id = 5 or 1 = 1

SQL Injection

<?php
$id = (int) $_GET['id'];
$result = $wpdb->query( $wpdb->prepare(
    "DELETE FROM wp_usermeta WHERE user_id = %d",
    $id
) );

Or use $wpdb->delete();
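The vulnerable and the fixed query run against the same rows, as an added example that is not from the slides. It stands in for $wpdb with PDO and an in-memory SQLite table (an assumption so it runs anywhere PHP has pdo_sqlite); the $wpdb equivalents are in the comments, and the sample rows are constructed.

```php
<?php
// Added example, not from the slides. PDO + SQLite stand in for $wpdb.

function make_demo_db() {
    $db = new PDO( 'sqlite::memory:' );
    $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $db->exec( 'CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)' );
    // Constructed sample rows: five rows, two of them for user 5.
    foreach ( array( 1, 2, 5, 5, 7 ) as $uid ) {
        $db->exec( "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ($uid, 'nickname', 'user$uid')" );
    }
    return $db;
}

// The slide's version: intval() only gates the branch, the raw string is
// still interpolated into the SQL. intval('5 or 1 = 1') is 5, so it passes.
function delete_usermeta_vulnerable( PDO $db, $id ) {
    if ( intval( $id ) ) {
        return $db->exec( "DELETE FROM wp_usermeta WHERE user_id = $id" );
    }
    return 0;
}

// Hardened: cast to int, reject non-positive ids, bind as a parameter.
// WordPress equivalents:
//   $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->usermeta} WHERE user_id = %d", $id ) );
//   $wpdb->delete( $wpdb->usermeta, array( 'user_id' => $id ), array( '%d' ) );
function delete_usermeta_safe( PDO $db, $id ) {
    $id = (int) $id;
    if ( $id <= 0 ) {
        return 0;
    }
    $stmt = $db->prepare( 'DELETE FROM wp_usermeta WHERE user_id = :id' );
    $stmt->bindValue( ':id', $id, PDO::PARAM_INT );
    $stmt->execute();
    return $stmt->rowCount();
}

$input = '5 or 1 = 1';   // the payload from the slide

$db = make_demo_db();
echo 'vulnerable: ', delete_usermeta_vulnerable( $db, $input ), " rows deleted\n";

$db = make_demo_db();
echo 'safe: ', delete_usermeta_safe( $db, $input ), " rows deleted\n";
```

The first call removes every row in the table, the second only the two rows belonging to user 5. Using $wpdb->usermeta instead of the literal wp_usermeta also keeps the code working on installs with a non-default table prefix.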

?

<?php
$url = $_GET['url'];
if ( preg_match( '!^https?://[^\.]+\.whatever\.com/.+$!i', $url ) ) {
    wp_redirect( $url );
} else {
    wp_die( 'hacker :(' );
}

Open Redirect

<?php
// http://3254656436/or.whatever.com/spam
$url = $_GET['url'];
if ( preg_match( '!^https?://[^\.]+\.whatever\.com/.+$!i', $url ) ) {
    wp_redirect( $url );
} else {
    wp_die( 'hacker :(' );
}
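Both the YouTube `<script src>` slides and the open redirect slide fail for the same reason: a regular expression over the whole URL string is not a host check. As an added example that is not from the slides, the function below (name is mine) parses the URL and compares only the host against an allowlist; the rejected inputs are the ones shown on the slides, the accepted ones are constructed.

```php
<?php
// Added example, not from the slides. url_host_is_allowed() is my name.

function url_host_is_allowed( $url, array $exact_hosts, array $parent_domains = array() ) {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Only plain web schemes; parse_url() accepts anything syntactically valid.
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // A userinfo part has no place in these URLs; refuse it.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    $host = strtolower( rtrim( $parts['host'], '.' ) );

    if ( in_array( $host, array_map( 'strtolower', $exact_hosts ), true ) ) {
        return true;
    }
    foreach ( $parent_domains as $domain ) {
        // Match only on a label boundary: "blog.whatever.com" yes, "notwhatever.com" no.
        $suffix = '.' . ltrim( strtolower( $domain ), '.' );
        if ( strlen( $host ) > strlen( $suffix ) && substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Script sources: exact hosts only.
$youtube_hosts = array( 'youtube.com', 'www.youtube.com' );
// Redirect targets: any subdomain of whatever.com, which is what the slide's regexp intended.
$redirect_parents = array( 'whatever.com' );

// Inputs from the slides plus two legitimate ones (constructed).
$cases = array(
    'https://www.youtube.com/embed/abc'       => array( $youtube_hosts, array() ),
    'http://dzver.com/js?http://youtube.com/' => array( $youtube_hosts, array() ),
    'http://wwwayoutube.com/'                 => array( $youtube_hosts, array() ),
    'https://blog.whatever.com/post/1'        => array( array(), $redirect_parents ),
    'http://3254656436/or.whatever.com/spam'  => array( array(), $redirect_parents ),
);
foreach ( $cases as $url => $lists ) {
    printf( "%-42s %s\n", $url, url_host_is_allowed( $url, $lists[0], $lists[1] ) ? 'allowed' : 'rejected' );
}
```

For the redirect case WordPress already ships the same idea: wp_safe_redirect() only follows redirects to the site's own host and to hosts added through the allowed_redirect_hosts filter, so it is the better choice than wp_redirect() whenever the target comes from the request.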

Thanks

AMA :-)