WordPress Security @ Vienna WordPress + Drupal Meetup

Security
Ruins everything on the Internet since 1920*

About me
● Veselin Nikolov
● Automattic
● WP since 1.2
● PHP + MySQL since
3.0

About me
● Veselin Nikolov
● Automattic
● WP since 1.2
● PHP + MySQL since
3.0
● IRC since 1998

Acid Burn
● Controls traffic
lights
● Owns 686

90s
● mIRC, ircops
● MSIE hacks
● Malware
● DoS, botnets
● Proxies, shells,
bots, irc
servers

● Confidentiality
● Integrity
● Availability
Security

● Prevention
● Identification
● Reaction
Security

● Hardware
● Internet
● Servers
● Passwords and Private Keys
● Plugins & Themes
● Our code
● Meatware
It's not about WordPress

● Evil Maid, Trojans
● Antivirus
Hardware

● MITM, routers, Wi-Fi, Poodle, http
● VPN, Proxy, Software Update
Internet

Passwords
Your password is
OK, as long as
it's 6 caracters
and ends with
123.
I recommend
qwe123 :D

● 30%+ of the services use plain text
http://plaintextoffenders.com/about/
● Phishing, Social Engineering, Brute
Force, MITM, keyloggers, human
errors, password databases
Passwords

Somebody somewhere knows many of
your passwords.
Passwords

Password Manager
Unfortunately, many of your clients will have their
accounts compromised.

'my secret password' ->
● phpass:
● $P$BXT7cDEtQXkAVarv7mh8WZux1euzwI/
md5:
● a7303f3eee5f3ff1942bfbb1797ea0af
Storing Passwords

● Use strong hashing algorythms.
Phpass is ok, md5 is not.
● Be careful with logs and emails,
they might contain sensitive
information
Storing Passwords

2FA
● https://wordpress.org/plugins/two-fact
● 2FA everything!

Plugins and Themes
● Use reputable sources
● Don't use free versions of paid
plugins

Detection
● VaultPress
● Sucuri
● ?
You need between 0 and 1

Response
● You need proper backups
● Logs
● Stay calm, it happens.

Code Review
Reverse Q & A.
Topics covered:
XSS, Open Redirect, XXE, SQL
Injection, Remote Code Execution

What's wrong with that?
<?php
echo $_GET['hi'];

Cross Site Scripting - XSS
GET ?hi=<script>alert('hi')</script>
<?php
echo $_GET['hi'];
Must be
echo esc_html( $_GET['hi'] );

...let's fix it.
<?php
echo esc_html( printf( 'hi, %s',
$_GET['name'] ) );

Typo :(
<?php
echo esc_html( printf( 'hi, %s',
$_GET['name'] ) );
Late escaping OR sprintf!

What's wrong?
<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php
echo esc_url( $youtube_widget ); ?>">
</script>

XSS
<?php
$youtube_widget = $_REQUEST['src'];
?>
<script src="<?php
echo esc_url( $youtube_widget ); ?>">
</script>
GET ?src=http://my-evil-site.com/hack.js

Let's add validation...
<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '#https?://youtube.com/#',
$src ) ) {
die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>">
</script>

Wrong REGEXP.
'#https?://youtube.com/#'
Will match
http://dzver.com/js?http://youtube.com/

Let's fix it.
<?php
$src = $_REQUEST['src'];
if ( ! preg_match( '!^https?://(www.)?
youtube.com/!', $src ) ) {
die( 'Invalid Source!' );
}
?>
<script src="<?php echo esc_url( $src ); ?>">
</script>

'.' is a wilcard
'!^https?://(www.)?youtube.com/!'
Will match
'http://wwwayoutube.com/'

?
<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );

Remote Code Execution
<?php
$domain = esc_url( $_GET['domain'] );
$user_host = `host $domain`;
echo esc_html( $user_host );
What if
$_GET['domain'] = '| echo "hi!"';

Remote Code Execution
● eval();
● assert();
● ``; //backticks
● system()
● create_function()
● preg_replace( '.../e', $_GET )

?
<?php
// @mdawaffe's example
$xml = simplexml_load_file( $uploaded_file );
?>
<h1><?php printf(
"%s Uploaded!",
esc_html( $xml->title )
); ?></h1>

XML External Entity XXE
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE something
[<!ENTITY awesome SYSTEM
"file:///home/www/public_html/db-config.php"
>]
>
<something>
<title>&awesome;</title>
</something>

XML External Entity XXE
Missing:
libxml_disable_entity_loader(true);
Be careful with XML parsers, careless use
is associated with many vulnerabilities.

?
<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
$result = $wpdb->query(
"DELETE FROM wp_usermeta WHERE user_id = $id"
);
}

SQL Injection
<?php
$id = $_GET['id'];
if ( intval( $id ) ) {
$result = $wpdb->query(
"DELETE FROM wp_usermeta WHERE user_id = $id"
);
}
$id = '5 or 1 = 1'; ->
DELETE FROM wp_usermeta WHERE user_id = 5 or 1 = 1

SQL Injection
<?php
$id = (int) $_GET['id'];
$result = $wpdb->query( $wpdb->prepare(
"DELETE FROM wp_usermeta WHERE user_id = %d",
$id )
);
Or use $wpdb->delete();

?
<?php
$url = $_GET['url'];
if ( preg_match( '!^https?://[^.]+.whatever.com/.+
$!i', $url ) ) {
wp_redirect( $url );
} else {
wp_die( 'hacker :(' );
}

Open Redirect
<?php
// http://3254656436/or.whatever.com/spam
if ( preg_match( '!^https?://[^.]+.whatever.com/.+
$!i', $url ) ) {
wp_redirect( $url );
} else {
wp_die( 'hacker :(' );
}

WordPress Security @ Vienna WordPress + Drupal Meetup

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to WordPress Security @ Vienna WordPress + Drupal Meetup (20)

More from Veselin Nikolov (8)

Recently uploaded (20)

WordPress Security @ Vienna WordPress + Drupal Meetup