Security Ruins everything on the Internet since 1920*
WordPress Security @ Vienna WordPress + Drupal Meetup
Jul 15, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
SecurityRuins everything on the Internet since 1920*
About me
● Veselin Nikolov
● Automattic
● WP since 1.2
● PHP + MySQL since 3.0
About me
● Veselin Nikolov
● Automattic
● WP since 1.2
● PHP + MySQL since 3.0
● IRC since 1998
Acid Burn
● Controls traffic lights
● Owns 686
90s
● mIRC, ircops
● MSIE hacks
● Malware
● DoS, botnets
● Proxies, shells, bots, irc servers
● Confidentiality
● Integrity
● Availability
Security
● Prevention
● Identification
● Reaction
Security
● Hardware
● Internet
● Servers
● Passwords and Private Keys
● Plugins & Themes
● Our code
● Meatware
It's not about WordPress
● Evil Maid, Trojans
● Antivirus
Hardware
● MITM, routers, Wi-Fi, Poodle, http
● VPN, Proxy, Software Update
Internet
Passwords
Your password is OK, as long as it's 6 caracters and ends with 123.
I recommend qwe123 :D
● 30%+ of the services use plain texthttp://plaintextoffenders.com/about/
● Phishing, Social Engineering, Brute Force, MITM, keyloggers, human errors, password databases
Passwords
Somebody somewhere knows many of your passwords.
Passwords
Password Manager
Unfortunately, many of your clients will have their accounts compromised.
The Super Admin
The Super Admin
'my secret password' ->
● phpass:
● $P$BXT7cDEtQXkAVarv7mh8WZux1euzwI/
md5:
● a7303f3eee5f3ff1942bfbb1797ea0af
Storing Passwords
● Use strong hashing algorythms. Phpass is ok, md5 is not.
● Be careful with logs and emails, they might contain sensitive information
Storing Passwords
2FA
● https://wordpress.org/plugins/two-factor-auth/
● 2FA everything!
Plugins and Themes
● Use reputable sources
● Don't use free versions of paid plugins
Detection
● VaultPress
● Sucuri
● ?
You need between 0 and 1
Response
● You need proper backups
● Logs
● Stay calm, it happens.
Code Review
Reverse Q & A.
Topics covered:
XSS, Open Redirect, XXE, SQL Injection, Remote Code Execution
What's wrong with that?
<?php
echo $_GET['hi'];
Cross Site Scripting - XSS
GET ?hi=<script>alert('hi')</script>
<?php
echo $_GET['hi'];
Must be
echo esc_html( $_GET['hi'] );
...let's fix it.
<?php
echo esc_html( printf( 'hi, %s', $_GET['name'] ) );
Typo :(
<?php
echo esc_html( printf( 'hi, %s', $_GET['name'] ) );
Late escaping OR sprintf!
What's wrong?
<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php
echo esc_url( $youtube_widget ); ?>">
</script>
XSS
<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php
echo esc_url( $youtube_widget ); ?>">
</script>
GET ?src=http://my-evil-site.com/hack.js
Let's add validation...
<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '#https?://youtube.com/#', $src ) ) {
die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>">
</script>
Wrong REGEXP.
'#https?://youtube.com/#'
Will match
http://dzver.com/js?http://youtube.com/
Let's fix it.
<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '!^https?://(www.)?youtube.com/!', $src ) ) {
die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>">
</script>
'.' is a wilcard
'!^https?://(www.)?youtube.com/!'
Will match
'http://wwwayoutube.com/'
?
<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );
Remote Code Execution
<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );
What if
$_GET['domain'] = '| echo "hi!"';
Remote Code Execution
● eval();
● assert();
● ``; //backticks
● system()
● create_function()
● preg_replace( '.../e', $_GET )
?
<?php
// @mdawaffe's example
$xml = simplexml_load_file( $uploaded_file );
?>
<h1><?php printf(
"%s Uploaded!",
esc_html( $xml->title )
); ?></h1>
XML External Entity XXE
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE something
[<!ENTITY awesome SYSTEM
"file:///home/www/public_html/db-config.php"
>]
>
<something>
<title>&awesome;</title>
</something>
XML External Entity XXE
Missing:
libxml_disable_entity_loader(true);
Be careful with XML parsers, careless use is associated with many vulnerabilities.
?
<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
$result = $wpdb->query(
"DELETE FROM wp_usermeta WHERE user_id = $id"
);
}
SQL Injection
<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
$result = $wpdb->query(
"DELETE FROM wp_usermeta WHERE user_id = $id"
);
}
$id = '5 or 1 = 1'; ->
DELETE FROM wp_usermeta WHERE user_id = 5 or 1 = 1
SQL Injection
<?php
$id = (int) $_GET['id'];
$result = $wpdb->query( $wpdb->prepare(
"DELETE FROM wp_usermeta WHERE user_id = %d",
$id )
);
Or use $wpdb->delete();
?
<?php
$url = $_GET['url'];
if ( preg_match( '!^https?://[^\.]+\.whatever\.com/.+$!i', $url ) ) {
wp_redirect( $url );
} else {
wp_die( 'hacker :(' );
}
Open Redirect
<?php
// http://3254656436/or.whatever.com/spam
if ( preg_match( '!^https?://[^\.]+\.whatever\.com/.+$!i', $url ) ) {
wp_redirect( $url );
} else {
wp_die( 'hacker :(' );
}
Thanks
AMA :-)
Related Documents
