![SELECT ... LIMIT $args[4]](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-67-320.jpg)
![SELECT ... LIMIT $args[4]
}
select categories from database](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-68-320.jpg)
![SELECT ... LIMIT $args[4]
}
limit number of categories selected](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-69-320.jpg)
![SELECT ... LIMIT $args[4]
}
unsanitized user input](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-70-320.jpg)
![SELECT ... LIMIT $args[4]
}
unsanitized user input](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-71-320.jpg)
![$args[4] =
1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-74-320.jpg)
![(int) $args[4]](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-79-320.jpg)
![(int) $args[4]
}
sanitize user input by
coercing it to an integer](https://image.slidesharecdn.com/wordpresstalk21-131026115442-phpapp02/85/Anatomy-of-a-WordPress-Hack-80-320.jpg)
Anatomy of a WordPress Hack
- 2. ANATOMY OF A WORDPRESS HACK
- 6. but probably NOT for the reasons you’re thinking
- 7. that’s because security is all about the details
- 8. 3 hacks that broke wordpress sqli xss clickjacking (and how they were fixed)
- 9. this talk is probably for you
- 10. this talk is probably for you (it’s a really good talk)
- 11. you might be wondering “ if these have already been fixed, why are we still talking about them?
- 12. almost 20% of the web runs on wordpress
- 13. almost 20% of the web runs on wordpress lots of attacks on wordpress sites
- 14. almost 20% of the web runs on wordpress lots of attacks on wordpress sites they’ll happen again
- 15. almost 20% of the web runs on wordpress lots of attacks on wordpress sites they’ll happen again it’s fun and interesting
- 16. hello, my name is brennen @brennenbyrne
- 17. I’m a founder of Clef (getclef.com)
- 18. anatomy of a wordpress hack
- 20. XSS cross site scripting when a hacker is able to run arbitrary code in every user’s browser
- 21. let’s hack
- 22. how
- 23. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
- 24. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> begin html open tag
- 25. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> } unsanitized user input
- 26. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> } end html open tag
- 27. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> begin html close tag
- 28. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> } unsanitized user input
- 29. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> end html close tag
- 30. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> } } unsanitized user input
- 31. <{$icontag} class=‘gallery-icon’> ... </{$icontag}> } } unsanitized user input
- 35. $icontag = script src=‘hack.js’ } create a script tag
- 36. $icontag = script src=‘hack.js’ } load an evil script
- 37. how bad is this?
- 39. one line fix!
- 41. $icontag = tag_escape($icontag) } removes potentially malicious code
- 42. Clickjacking
- 43. clickjacking when a hacker tricks you into clicking something you don’t want to click
- 44. let’s hack
- 45. how
- 46. this is your site
- 47. this is your site with an iframe www.another-site.com
- 48. now imagine the green is the article and the red is “delete post”
- 49. now imagine the green is the article and the red is “delete post”
- 50. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe>
- 51. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe> } } embedding site in another site
- 52. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe> } embedding admin page S
- 53. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe> } admin page is fully transparent S
- 54. <iframe src=“admin_url” style=“opacity: 0; z-index: 100”></iframe> } admin page is above another page
- 55. delete post
- 56. allow embedding of valuable pages
- 57. how bad is this?
- 59. one line fix!
- 61. @header( 'X-Frame-Options: SAMEORIGIN' ); } add header to requests for valuable pages
- 62. @header( 'X-Frame-Options: SAMEORIGIN' ); } tell browser to only allow iframe embed when it’s on the same domain
- 63. SQL injection
- 64. SQL injection when bad people access your database in bad ways
- 65. let’s hack
- 66. how
- 67. SELECT ... LIMIT $args[4]
- 68. SELECT ... LIMIT $args[4] } select categories from database
- 69. SELECT ... LIMIT $args[4] } limit number of categories selected
- 70. SELECT ... LIMIT $args[4] } unsanitized user input
- 71. SELECT ... LIMIT $args[4] } unsanitized user input
- 74. $args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
- 75. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users } embed a second SQL query
- 76. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users } limit to 1 category and offset by 1
- 77. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users } steal usernames and passwords
- 78. 5 character fix!
- 79. (int) $args[4]
- 80. (int) $args[4] } sanitize user input by coercing it to an integer
- 81. how bad is this?
- 84. how does this happen?
- 85. security is in the details
- 86. security is hard
- 87. so what should you do?
- 88. 1 you cannot know everything
- 89. 1 you cannot know everything
- 90. 1 you can always learn more
- 91. 1 education
- 92. 2 you will always make mistakes
- 93. 2 you will always make mistakes
- 94. 2 you must learn from your mistakes
- 95. 2 experience
- 96. 3 you cannot write secure code
- 97. 3 you cannot write secure code
- 98. 3 we can write secure code
- 99. 3 we can write secure code
- 100. 3 community
- 101. closing thoughts
- 102. thanks
- 103. XSS Jon Cave
- 104. XSS Jon Cave Clickjacking Andrew Horton
- 105. XSS Jon Cave Clickjacking Andrew Horton SQLi Alexander Concha
- 106. XSS Jon Cave Clickjacking Andrew Horton SQLi Alexander Concha WordPress Security Team
- 107. XSS Jon Cave CSRF Alexander Concha SQLi Alexander Concha WordPress Security Team WordPress Community
- 108. what if I find a security issue?
- 109. DO 1. verify that it is a real issue 2. email security@wordpress.org DON’T 1. maliciously exploit other wordpress sites 2. publish details of the vulnerability before it has been fixed
- 110. upgrade to 3.7
- 111. SELECT * FROM questions