BEYOND THE BASICS: Building security into your development projects WORDCAMP MIAMI 2016
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
BEYOND THE BASICS:
Building security into your development projects
W O R D C A M P M I A M I 2 0 1 6
BIO Binod Purushothaman Director, Product & Technology @SiteLock § Heads the product development team. § Lead several technology startups in the
manufacturing and finance sectors in India and the United States.
BIO Logan Kipp Lead Security Analyst @SiteLock § Provides SiteLock's Partners and Support
Services Division with information and training on emerging technologies and threats.
§ Has seven years experience in the website hosting and security technology field, previously working at GoDaddy.
INTRODUCTION
§ Malware: Things Get Ugly
§ XSS: A WordPress Story
§ Plugins: Dance the Tango
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
MALWARE
ANOTHER REASON FILE MONITORING IS IMPORTANT!
XSS
“Cross-site scripting (XSS) is a type of computer security vulnerability t y p i c a l l y f o u n d i n w e b applications. XSS enables attackers to inject client-side script into web pages viewed by other users.”
- Wikipedia
XSS SiteLock Research Team picks up possible XSS vulnerability in plugin during routine SAST scan. § File: settings.php § Argument: $curr
XSS
Found $curr set at line 195/196, where it’s set to Default if $cntr is empty, or the value of $cntr if not. Variable $cntr set at lines 91/92. If $_GET[‘scounter’] set, inherits value. Could this be a reflective XSS vulnerability?
XSS
Let’s find out. We simply need to pass a harmless XSS string in the $_GET[‘scounter’] variable to get a proof of concept, like a document.cookie alert. Something like: ?page=slider-settings&scounter=<script>alert(document.cookie)</script>
XSS
Great success.
BUT IF YOU USE A WEB APPLICATION FIREWALL…
These types of attacks are blocked.
RECENT RESEARCH
Free WordPress Plugin -- “Tango”
§ File Management – View & Edit – Zip & Unzip
§ Database Management – Easy backups
VULNERABILITY EXAMPLE: TANGO
VULNERABILITY EXAMPLE: TANGO
VULNERABILITY EXAMPLE: TANGO
The plugin consists of four files.
VULNERABILITY EXAMPLE: TANGO
Curious. Startup relies on a file existing.
VULNERABILITY EXAMPLE: TANGO
What would happen if we renamed the readme.txt then?
VULNERABILITY EXAMPLE: TANGO
VULNERABILITY EXAMPLE: TANGO
VULNERABILITY EXAMPLE: TANGO
$ls /
VULNERABILITY EXAMPLE: TANGO
What else could we do here? Anything.
§ Grab external files. § Dump the file structure. § Trash everything.
$dd if=/dev/random of=/dev/sda
VULNERABILITY EXAMPLE: TANGO
CODE STARTS SIMPLE
MY CODE
C O D E B E C O M E S C O M P L E X
T H E M E S +
C O M P O N E N T S +
F R A M E W O R K +
P L U G I N S +
ATTACKERS INCREASE THEIR COMPLEXITY
M YPLUGIN
XSS VULNERABIL ITY
No escaping or sani-za-on used.
STATIC CODE ANALYSIS RESULTS: TRUECODE
CODE ANALYSIS
XSS FIXED
Use WordPress esc_html() to remove the vulnerability
BUILT- IN WORDPRESS FUNCTIONS
§ Always use WP built-in functions – esc_html() – sanitize_text_field() – update_option()
UPDATED SCAN RESULTS
INSECURE SDLC
SECURE SDLC
-END-
Related Documents
