Writing Secure WordPress Code WordCamp NYC 2014


DESCRIPTION

Learn the proper way to write the most secure code in WordPress. Whether you're a plugin developer or build themes, it's extremely important to understand how to secure your code from hacks and exploits. Overlooking some very easy-to-follow techniques can expose your website to hackers everywhere. WordPress features a number of built-in methods to help make sure your code is safe and secure, and we'll cover each and every one in detail.

Transcript

  • WRITING SECURE WORDPRESS CODE BY BRAD WILLIAMS Brad Williams @williamsba http://www.slideshare.net/williamsba/writing-secure-wordpress-code-wordcamp-nyc-2014
  • WHO IS BRAD? Brad Williams
  • CO-HOST DRADCAST
  • TODAY'S TOPICS: Cover the big three exploits: SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF). Hack examples. Data validation and sanitization. Resources.
  • TRUST NO ONE: Golden rule of code: trust no one.
  • TRUST NO ONE: Consider all data invalid unless it can be proven valid.
  • SQL INJECTION - SQLI: SQL Injection (SQLi)
  • SQL INJECTION - SQLI: SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.
  • SQL INJECTION - SQLI: SQL Injection Example: global $wpdb; $ID = $_GET['ID']; $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';"; With an ID of 5 the resulting query is: SELECT post_title FROM wp_posts WHERE ID = '5';
  • SQL INJECTION - SQLI: SQL Injection Example: global $wpdb; $ID = "'; SELECT * FROM wp_users WHERE 1 = '1"; $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';"; The resulting query is now: SELECT post_title FROM wp_posts WHERE ID = ''; SELECT * FROM wp_users WHERE 1 = '1';
  • SQL INJECTION - SQLI: My Introduction to SQLi: http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
  • SQL INJECTION - SQLI: WordPress Database Class
  • SQL INJECTION - SQLI: $wpdb->insert()
  • SQL INJECTION - SQLI: $wpdb->insert( $table, $data, $format ) Example: $wpdb->insert( $wpdb->postmeta, array( 'post_id' => '5', 'meta_key' => '_custom_meta_key', 'meta_value' => 'true' ), array( '%d', '%s', '%s' ) ); %s handles strings, %d handles integers, %f handles floats.
  • SQL INJECTION - SQLI: $wpdb->update()
  • SQL INJECTION - SQLI: $wpdb->update( $table, $data, $where, $format, $where_format ) Example: $wpdb->update( $wpdb->postmeta, array( 'meta_value' => 'false' ), array( 'post_id' => 5, 'meta_key' => '_custom_meta_key' ), array( '%s' ), array( '%d', '%s' ) );
  • SQL INJECTION - SQLI: $wpdb->delete()
  • SQL INJECTION - SQLI: $wpdb->delete( $table, $where, $where_format ) Example: $wpdb->delete( $wpdb->posts, array( 'ID' => 5 ), array( '%d' ) );
  • SQL INJECTION - SQLI: $wpdb->prepare()
  • SQL INJECTION - SQLI: $wpdb->prepare(): Handles strings (%s) and integers (%d). Does the escaping for you. No need to quote %s. Example: $wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $ID );
  • SQL INJECTION - SQLI: $wpdb->prepare(): Handles strings (%s) and integers (%d). Does the escaping for you. No need to quote %s. Example: $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );
  • SQL INJECTION - SQLI: $wpdb->prepare() only prepares the query, it does not execute it: $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' ) ); To view the fully prepared query, simply echo it: echo $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );
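The following is an added example, not code from the slides, that puts the vulnerable pattern from the SQL Injection Example slides next to the $wpdb->prepare() form the talk recommends. It assumes WordPress is loaded (plugin or theme context) so $wpdb, absint() and get_var() exist; the function names and the wcnyc_ prefix are hypothetical.

```php
<?php
// Added example; not code from the slides. Assumes WordPress is loaded so
// $wpdb and absint() are available. Function names are hypothetical.

// VULNERABLE: the pattern from the SQL Injection Example slide. Request data
// is interpolated straight into the SQL text, so a crafted ID value rewrites
// the statement, as the slides show. Kept only as the "before" for contrast.
function wcnyc_get_title_unsafe() {
    global $wpdb;
    $ID  = $_GET['ID'];
    $sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";
    return $wpdb->get_var( $sql );
}

// SAFE: cast the value to a non-negative integer and pass it to prepare()
// through a %d placeholder. prepare() only builds the string; get_var()
// is what actually sends it to the database.
function wcnyc_get_title_safe() {
    global $wpdb;
    $ID = absint( $_GET['ID'] );
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $ID )
    );
}

// A string placeholder: prepare() escapes AND quotes %s itself, so the query
// must not wrap it in its own quotes ('%s' would produce a double-quoted
// value and break the lookup).
function wcnyc_get_meta( $post_id, $meta_key ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT meta_value FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
            absint( $post_id ),
            $meta_key
        )
    );
}
```

Both safe functions take the same shape: the table name comes from the $wpdb property, every user-controlled value goes through a placeholder, and the integer is additionally cast with absint() before it reaches the query. Reviewing code for the unsafe pattern is as simple as searching for request superglobals ($_GET, $_POST, $_REQUEST) that appear inside a double-quoted SQL string.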
  • SQL INJECTION - SQLI: Don't be Little Bobby Tables: http://xkcd.com/327/
  • CROSS-SITE SCRIPTING - XSS: Cross-Site Scripting (XSS)
  • CROSS-SITE SCRIPTING - XSS: What is Cross-Site Scripting? An attacker injects client-side scripts into your web pages.
  • CROSS-SITE SCRIPTING - XSS: Escaping: To escape is to take the data you may already have and help secure it prior to rendering it for the end user.
  • CROSS-SITE SCRIPTING - XSS: Escaping (e.g. esc_attr_e()): 1. esc_ is the prefix for all escaping functions. 2. attr is the context being escaped. 3. _e is the optional translation suffix. Props to Mark Jaquith!
  • CROSS-SITE SCRIPTING - XSS: BAD
  • CROSS-SITE SCRIPTING - XSS: GOOD. View Source: alert('Hello Europe!');
  • CROSS-SITE SCRIPTING - XSS: esc_attr() Used whenever you need to display data inside an HTML element's attribute. http://codex.wordpress.org/Function_Reference/esc_attr
  • CROSS-SITE SCRIPTING - XSS: esc_textarea() Used to encode text for use in a form element. http://codex.wordpress.org/Function_Reference/esc_textarea
  • CROSS-SITE SCRIPTING - XSS: esc_url() Used for validating and sanitizing URLs (links). http://codex.wordpress.org/Function_Reference/esc_url
  • CROSS-SITE SCRIPTING - XSS: esc_url_raw() Used for escaping a URL for database queries, redirects, and HTTP requests. Similar to esc_url(), but does not replace entities for display. http://codex.wordpress.org/Function_Reference/esc_url_raw
  • CROSS-SITE SCRIPTING - XSS: esc_js() Used to escape text strings in JavaScript. http://codex.wordpress.org/Function_Reference/esc_js
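As an added example (not code from the slides), here is one template function that prints the same untrusted value into each of the output contexts the escaping slides list, using the esc_<context>[_e] naming from the talk. It assumes WordPress is loaded; the function names, the 'wcnyc' text domain and the option name are hypothetical, and esc_html() is a member of the same family that the slides do not list.

```php
<?php
// Added example; not code from the slides. Assumes WordPress is loaded so the
// esc_* family and update_option() exist. Names below are hypothetical.
function wcnyc_render_greeting( $greeting, $link, $note ) {
    ?>
    <div class="wcnyc-greeting"
         title="<?php esc_attr_e( 'Greeting', 'wcnyc' ); ?>"
         data-greeting="<?php echo esc_attr( $greeting ); ?>">

        <!-- URL context: esc_url() keeps only allowed protocols and entity-encodes
             the result for HTML; a javascript: URL comes back as an empty string. -->
        <a href="<?php echo esc_url( $link ); ?>">
            <?php echo esc_html( $greeting ); ?>
        </a>

        <!-- Form context: esc_textarea() encodes the text so it cannot close the
             textarea early and start new markup. -->
        <textarea name="wcnyc_note"><?php echo esc_textarea( $note ); ?></textarea>

        <!-- JavaScript string context: esc_js() escapes quotes and line breaks so
             the value stays inside the single-quoted literal. -->
        <script>
            var wcnycGreeting = '<?php echo esc_js( $greeting ); ?>';
        </script>
    </div>
    <?php
}

// Storage and redirects are not display contexts: esc_url_raw() sanitizes the
// URL without the entity replacement that esc_url() applies for HTML output.
function wcnyc_save_link( $link ) {
    return update_option( 'wcnyc_link', esc_url_raw( $link ) );
}

// Constructed hostile input of the kind the BAD/GOOD slides contrast. Echoed
// raw, the first argument would run as a script; escaped, it is rendered as
// literal text, and View Source shows encoded entities instead of a tag.
wcnyc_render_greeting(
    "<script>alert('Hello Europe!');</script>",
    'javascript:alert(1)',
    "Note text</textarea><b>not bold</b>"
);
```

The point of putting all five in one function is that the same string needs a different escaper in each place it lands: an attribute, a text node, a URL, a textarea and a JavaScript literal each have their own syntax for breaking out, and escaping is done at the moment of output, not when the data was stored.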
  • CROSS-SITE SCRIPTING - XSS: Integers
  • CROSS-SITE SCRIPTING - XSS: absint(): $ID = absint( $_GET['ID'] ); Converts a value to a non-negative integer. http://codex.wordpress.org/Function_Reference/absint
  • CROSS-SITE SCRIPTING - XSS: intval(): $ID = intval( $_GET['ID'] ); Returns the integer value. Works with negative values. http://php.net/manual/en/function.intval.php
  • CROSS-SITE SCRIPTING - XSS: Sanitizing: To sanitize is to take the data and clean it to make it safe.
  • CROSS-SITE SCRIPTING - XSS: BAD
  • CROSS-SITE SCRIPTING - XSS: sanitize_text_field() Sanitize a string. http://codex.wordpress.org/Function_Reference/sanitize_text_field
  • CROSS-SITE SCRIPTING - XSS: sanitize_email() Strip out all characters not allowed in an email address. http://codex.wordpress.org/Function_Reference/sanitiz
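As an added example (not code from the slides), the following form handler applies absint(), sanitize_text_field() and sanitize_email() to submitted fields as the Integers and Sanitizing slides describe, and adds the check a practitioner wants with sanitize_email(): it strips disallowed characters but does not prove the result is an address, so the example validates with is_email() as well. It assumes WordPress is loaded; the function name and field names are hypothetical.

```php
<?php
// Added example; not code from the slides. Assumes WordPress is loaded so
// absint(), sanitize_text_field(), sanitize_email() and is_email() exist.
// The function name and the field names are hypothetical.
function wcnyc_sanitize_profile_form( array $input ) {
    // absint() runs intval() and then abs(): a leading sign is dropped and
    // anything that is not a number becomes 0. Use intval() instead only
    // where a negative value is genuinely meaningful to your code.
    $post_id = absint( isset( $input['post_id'] ) ? $input['post_id'] : 0 );

    // sanitize_text_field() removes tags (including whole <script> and
    // <style> elements), NUL bytes, line breaks and surrounding whitespace,
    // which is what a single-line text field should carry anyway.
    $name = sanitize_text_field( isset( $input['display_name'] ) ? $input['display_name'] : '' );

    // sanitize_email() only deletes characters that are not permitted in an
    // address. It will happily return a non-address, so validate separately
    // and treat a failed check as "no email supplied".
    $email = sanitize_email( isset( $input['contact_email'] ) ? $input['contact_email'] : '' );
    if ( ! is_email( $email ) ) {
        $email = '';
    }

    // Sanitized on the way in; each value must still be escaped for its
    // context when it is rendered (see the esc_* functions above).
    return array(
        'post_id'       => $post_id,
        'display_name'  => $name,
        'contact_email' => $email,
    );
}

// Constructed sample input: the negative ID is made non-negative, the script
// element is stripped from the name, and the bogus address survives
// sanitizing but fails is_email() and is dropped.
$clean = wcnyc_sanitize_profile_form( array(
    'post_id'       => '-5',
    'display_name'  => "  Brad <script>alert('Hello Europe!');</script> Williams  ",
    'contact_email' => 'not an email',
) );
```

The handler deliberately does not decide what to do with bad input beyond neutralising it; whether an empty email should be an error is a business rule, while making sure no tags or invalid characters reach the database is the sanitizing step the slides describe.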