SlideShare a Scribd company logo

Writing Secure Plugins — WordCamp New York 2009

Mark Jaquith, profile picture
Mark Jaquith

This document discusses best practices for writing secure WordPress plugins. It covers topics like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and privilege escalation. The author provides examples of insecure code and explains how to fix them using functions like esc_sql(), esc_html(), esc_attr(), esc_url(), esc_js(), wp_nonce_field(), check_admin_referer(), and current_user_can(). The document emphasizes escaping data early, using nonces for authorization, and checking user privileges to prevent security issues in WordPress plugins.

TechnologyBusiness
1 of 54
Downloaded 54 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
Writing Secure Plugins Mark Jaquith @markjaquith markjaquith.com coveredwebservices.com Saturday, November 14, 2009
XSS privilege shell execution escalation CSRF SQL injection Saturday, November 14, 2009
Plugin security is hit-or-miss Saturday, November 14, 2009
Mostly miss Saturday, November 14, 2009
SQL Injection Saturday, November 14, 2009
<?php $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
<?php $newtitle = esc_sql( $newtitle ); $my_id = absint( $my_id ); $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
$wpdb->update() Saturday, November 14, 2009
<?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) ); ?> Saturday, November 14, 2009
$wpdb->insert() Saturday, November 14, 2009
<?php $wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) ); ?> Saturday, November 14, 2009
<?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle, 'post_content' => $newcontent ), array( 'ID' => $my_id, 'post_title' => $old_title ) ); ?> Saturday, November 14, 2009
<?php $post_title = 'New Title'; $wheres['ID'] = 123; $wheres['post_title'] = 'Old Title'; $wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres ); ?> Saturday, November 14, 2009
$wpdb->prepare() Saturday, November 14, 2009
<?php $title = 'Post Title'; $ID = 123; $content = $wpdb->get_var( $wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID ) ); ?> Saturday, November 14, 2009
•Uses sprintf() formatting •%s for strings •%d for integers •You should not quote or escape Saturday, November 14, 2009
Escape late Saturday, November 14, 2009
XSS Saturday, November 14, 2009
<h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
<?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
Anything that isn’t hardcoded is suspect Saturday, November 14, 2009
Better: Everything is suspect Saturday, November 14, 2009
Saturday, November 14, 2009
esc_html() Saturday, November 14, 2009
<?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo esc_html( $title ); ?> </h1> Saturday, November 14, 2009
<?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo $title; ?> "> Link Text </a> Saturday, November 14, 2009
esc_attr() Saturday, November 14, 2009
<?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo esc_attr( $title ); ?> "> Link Text </a> Saturday, November 14, 2009
<?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_attr( $url ); ?> "> WRONG Link Text </a> Saturday, November 14, 2009
esc_url() Saturday, November 14, 2009
<?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_url( $url ); ?> "> Link Text </a> Saturday, November 14, 2009
esc_url_raw(), sister of esc_url() Saturday, November 14, 2009
esc_ js() Saturday, November 14, 2009
<script> var foo = '<?php echo esc_js( $bar ); ?>'; </script> Saturday, November 14, 2009
CSRF Saturday, November 14, 2009
Authorization vs. Intention Saturday, November 14, 2009
Nonces action-, object-, user-specific time limited secret keys Saturday, November 14, 2009
Specific to •WordPress user •Action attempted •Object of attempted action •Time window Saturday, November 14, 2009
wp_nonce_field() Saturday, November 14, 2009
<form action="process.php" method="post"> <?php wp_nonce_field('plugin-action_object'); ?> ... </form> Saturday, November 14, 2009
check_admin_referer( ) Saturday, November 14, 2009
<?php // before output goes to browser check_admin_referer('plugin- action_object'); ?> Saturday, November 14, 2009
Still need to use current_user_can() Saturday, November 14, 2009
AJAX CSRF Saturday, November 14, 2009
• wp_create_nonce( 'your_action' ); • &_ajax_nonce=YOUR_NONCE • check_ajax_referer( 'your_action' ); Saturday, November 14, 2009
Privilege Escalation Saturday, November 14, 2009
current_user_can() Saturday, November 14, 2009
Set your salts! http://api.wordpress.org/secret-key/1.1/ Saturday, November 14, 2009
Stupid shit I see all the time Saturday, November 14, 2009
exec() Saturday, November 14, 2009
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> Saturday, November 14, 2009
<a href="<?php echo $url; ?>" title="<?php echo $title; ?>"> <?php echo $text; ?> </a> <script> var foo = '<?php echo $js; ?>'; </script> Saturday, November 14, 2009
<a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>"> <?php echo esc_html( $text ); ?> </a> <script> var foo = '<?php echo esc_js( $js ); ?>'; </script> Saturday, November 14, 2009
Discussion Saturday, November 14, 2009

More Related Content

PDF
Mojolicious, real-time web framework
taggg
 
PDF
Mojolicious: what works and what doesn't
Cosimo Streppone
 
ODP
Mojolicious on Steroids
Tudor Constantin
 
PPTX
Mojolicious - Perl Framework for the Real-Time Web (Lightning Talk)
Dotan Dimet
 
KEY
Mojolicious - A new hope
Marcus Ramberg
 
PDF
Mojolicious. Веб в коробке!
Anatoly Sharifulin
 
PDF
Plugin jQuery, Design Patterns
Robert Casanova
 
PDF
Mojolicious
Marcos Rebelo
 
Mojolicious, real-time web framework
taggg
 
Mojolicious: what works and what doesn't
Cosimo Streppone
 
Mojolicious on Steroids
Tudor Constantin
 
Mojolicious - Perl Framework for the Real-Time Web (Lightning Talk)
Dotan Dimet
 
Mojolicious - A new hope
Marcus Ramberg
 
Mojolicious. Веб в коробке!
Anatoly Sharifulin
 
Plugin jQuery, Design Patterns
Robert Casanova
 
Mojolicious
Marcos Rebelo
 

What's hot (20)

PDF
Contributing to WordPress Core - Peter Wilson
WordCamp Sydney
 
KEY
jQuery Plugin Creation
benalman
 
PDF
RESTful web services
Tudor Constantin
 
KEY
Keeping it small: Getting to know the Slim micro framework
Jeremy Kendall
 
PPTX
Childthemes ottawa-word camp-1919
Paul Bearne
 
PDF
Inside Bokete: Web Application with Mojolicious and others
Yusuke Wada
 
PDF
Make your own wp cli command in 10min
Ivelina Dimova
 
PDF
You Don't Know Query - WordCamp Portland 2011
andrewnacin
 
PDF
Keeping it small - Getting to know the Slim PHP micro framework
Jeremy Kendall
 
PDF
Avinash Kundaliya: Javascript and WordPress
wpnepal
 
PDF
Developing apps using Perl
Anatoly Sharifulin
 
ZIP
Mojolicious
Marcus Ramberg
 
PDF
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Arc & Codementor
 
PDF
Keeping it Small: Getting to know the Slim Micro Framework
Jeremy Kendall
 
PDF
You Don't Know Query (WordCamp Netherlands 2012)
andrewnacin
 
TXT
Xmpp prebind
Syed Arshad
 
PPT
Slim RedBeanPHP and Knockout
Vic Metcalfe
 
PPT
How to learn j query
Baoyu Xu
 
PDF
Responsive Design with WordPress
Joe Casabona
 
PPTX
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Balázs Tatár
 
Contributing to WordPress Core - Peter Wilson
WordCamp Sydney
 
jQuery Plugin Creation
benalman
 
RESTful web services
Tudor Constantin
 
Keeping it small: Getting to know the Slim micro framework
Jeremy Kendall
 
Childthemes ottawa-word camp-1919
Paul Bearne
 
Inside Bokete: Web Application with Mojolicious and others
Yusuke Wada
 
Make your own wp cli command in 10min
Ivelina Dimova
 
You Don't Know Query - WordCamp Portland 2011
andrewnacin
 
Keeping it small - Getting to know the Slim PHP micro framework
Jeremy Kendall
 
Avinash Kundaliya: Javascript and WordPress
wpnepal
 
Developing apps using Perl
Anatoly Sharifulin
 
Mojolicious
Marcus Ramberg
 
Building Modern and Secure PHP Applications – Codementor Office Hours with Be...
Arc & Codementor
 
Keeping it Small: Getting to know the Slim Micro Framework
Jeremy Kendall
 
You Don't Know Query (WordCamp Netherlands 2012)
andrewnacin
 
Xmpp prebind
Syed Arshad
 
Slim RedBeanPHP and Knockout
Vic Metcalfe
 
How to learn j query
Baoyu Xu
 
Responsive Design with WordPress
Joe Casabona
 
Let's write secure drupal code! - Drupal Camp Pannonia 2019
Balázs Tatár
 
Ad

Similar to Writing Secure Plugins — WordCamp New York 2009 (20)

PDF
Writing Your First WordPress Plugin
Mark Jaquith
 
PDF
Blogluck1
Drake Martinet
 
PDF
What I Hate About Wordpress
Mark Jaquith
 
PDF
Jason Tucker Wordpress 3rd Party Web Services
Jason Tucker
 
KEY
CSI: WordPress -- Getting Into the Guts
Dougal Campbell
 
PDF
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
John Ford
 
PDF
The WordPress Hacker's Guide to the \Galaxy() [@MidwestPHP]
Jason Rhodes
 
PDF
WordPress Security
Barry Abrahamson
 
PDF
What Is Security
Jason Ragsdale
 
PDF
The WordPress Hacker's Guide to the \Galaxy() [@Baltimore PHP]
Jason Rhodes
 
PDF
Wphackergalaxy
Jason Rhodes
 
PDF
WordPress Security - WordCamp Phoenix
Mark Jaquith
 
PDF
Drupal security - Configuration and process
Gábor Hojtsy
 
PDF
Web Application Security
Ynon Perek
 
PDF
The Ultimate IDS Smackdown
Mario Heiderich
 
PDF
Writing Secure WordPress Code WordCamp NYC 2014
Brad Williams
 
PDF
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
PDF
WordPress Development Tools and Best Practices
Danilo Ercoli
 
PDF
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
Aaron Saray
 
PPTX
Wordpress Meetup
Codal
 
Writing Your First WordPress Plugin
Mark Jaquith
 
Blogluck1
Drake Martinet
 
What I Hate About Wordpress
Mark Jaquith
 
Jason Tucker Wordpress 3rd Party Web Services
Jason Tucker
 
CSI: WordPress -- Getting Into the Guts
Dougal Campbell
 
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
John Ford
 
The WordPress Hacker's Guide to the \Galaxy() [@MidwestPHP]
Jason Rhodes
 
WordPress Security
Barry Abrahamson
 
What Is Security
Jason Ragsdale
 
The WordPress Hacker's Guide to the \Galaxy() [@Baltimore PHP]
Jason Rhodes
 
Wphackergalaxy
Jason Rhodes
 
WordPress Security - WordCamp Phoenix
Mark Jaquith
 
Drupal security - Configuration and process
Gábor Hojtsy
 
Web Application Security
Ynon Perek
 
The Ultimate IDS Smackdown
Mario Heiderich
 
Writing Secure WordPress Code WordCamp NYC 2014
Brad Williams
 
Web Application Firewalls Detection, Bypassing And Exploitation
Sandro Gauci
 
WordPress Development Tools and Best Practices
Danilo Ercoli
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
Aaron Saray
 
Wordpress Meetup
Codal
 
Ad

More from Mark Jaquith (12)

PDF
Cache Money Business
Mark Jaquith
 
PDF
Scaling WordPress
Mark Jaquith
 
PDF
Creating and Maintaining WordPress Plugins
Mark Jaquith
 
PDF
Coding, Scaling, and Deploys... Oh My!
Mark Jaquith
 
PDF
WordPress Custom Post Types
Mark Jaquith
 
PDF
BuddyPress and the Future of WordPress Plugins
Mark Jaquith
 
PDF
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
Mark Jaquith
 
PDF
Secure Coding With Wordpress (BarCamp Orlando 2009)
Mark Jaquith
 
PDF
Wordcamp Charlotte: WordPress Today and Tomorrow
Mark Jaquith
 
PDF
Secure Coding with WordPress - WordCamp SF 2008
Mark Jaquith
 
PPT
Amping up your WordPress Blog
Mark Jaquith
 
PDF
Contributing To WordPress
Mark Jaquith
 
Cache Money Business
Mark Jaquith
 
Scaling WordPress
Mark Jaquith
 
Creating and Maintaining WordPress Plugins
Mark Jaquith
 
Coding, Scaling, and Deploys... Oh My!
Mark Jaquith
 
WordPress Custom Post Types
Mark Jaquith
 
BuddyPress and the Future of WordPress Plugins
Mark Jaquith
 
"State of the Word" at WordCamp Mid-Atlantic, by Mark Jaquith
Mark Jaquith
 
Secure Coding With Wordpress (BarCamp Orlando 2009)
Mark Jaquith
 
Wordcamp Charlotte: WordPress Today and Tomorrow
Mark Jaquith
 
Secure Coding with WordPress - WordCamp SF 2008
Mark Jaquith
 
Amping up your WordPress Blog
Mark Jaquith
 
Contributing To WordPress
Mark Jaquith
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 

Writing Secure Plugins — WordCamp New York 2009

  • 1. Writing Secure Plugins Mark Jaquith @markjaquith markjaquith.com coveredwebservices.com Saturday, November 14, 2009
  • 2. XSS privilege shell execution escalation CSRF SQL injection Saturday, November 14, 2009
  • 3. Plugin security is hit-or-miss Saturday, November 14, 2009
  • 4. Mostly miss Saturday, November 14, 2009
  • 5. SQL Injection Saturday, November 14, 2009
  • 6. <?php $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
  • 7. <?php $newtitle = esc_sql( $newtitle ); $my_id = absint( $my_id ); $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" ); ?> Saturday, November 14, 2009
  • 9. <?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) ); ?> Saturday, November 14, 2009
  • 11. <?php $wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) ); ?> Saturday, November 14, 2009
  • 12. <?php $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle, 'post_content' => $newcontent ), array( 'ID' => $my_id, 'post_title' => $old_title ) ); ?> Saturday, November 14, 2009
  • 13. <?php $post_title = 'New Title'; $wheres['ID'] = 123; $wheres['post_title'] = 'Old Title'; $wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres ); ?> Saturday, November 14, 2009
  • 15. <?php $title = 'Post Title'; $ID = 123; $content = $wpdb->get_var( $wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID ) ); ?> Saturday, November 14, 2009
  • 16. •Uses sprintf() formatting •%s for strings •%d for integers •You should not quote or escape Saturday, November 14, 2009
  • 17. Escape late Saturday, November 14, 2009
  • 19. <h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
  • 20. <?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo $title; ?> </h1> Saturday, November 14, 2009
  • 21. Anything that isn’t hardcoded is suspect Saturday, November 14, 2009
  • 22. Better: Everything is suspect Saturday, November 14, 2009
  • 25. <?php $title = '<script> pwnage(); </script>' ?> <h1> <?php echo esc_html( $title ); ?> </h1> Saturday, November 14, 2009
  • 26. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo $title; ?> "> Link Text </a> Saturday, November 14, 2009
  • 28. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title=" <?php echo esc_attr( $title ); ?> "> Link Text </a> Saturday, November 14, 2009
  • 29. <?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_attr( $url ); ?> "> WRONG Link Text </a> Saturday, November 14, 2009
  • 31. <?php $url = 'javascript:pwnage();'; ?> <a href=" <?php echo esc_url( $url ); ?> "> Link Text </a> Saturday, November 14, 2009
  • 32. esc_url_raw(), sister of esc_url() Saturday, November 14, 2009
  • 34. <script> var foo = '<?php echo esc_js( $bar ); ?>'; </script> Saturday, November 14, 2009
  • 36. Authorization vs. Intention Saturday, November 14, 2009
  • 37. Nonces action-, object-, user-specific time limited secret keys Saturday, November 14, 2009
  • 38. Specific to •WordPress user •Action attempted •Object of attempted action •Time window Saturday, November 14, 2009
  • 40. <form action="process.php" method="post"> <?php wp_nonce_field('plugin-action_object'); ?> ... </form> Saturday, November 14, 2009
  • 42. <?php // before output goes to browser check_admin_referer('plugin- action_object'); ?> Saturday, November 14, 2009
  • 43. Still need to use current_user_can() Saturday, November 14, 2009
  • 44. AJAX CSRF Saturday, November 14, 2009
  • 45. • wp_create_nonce( 'your_action' ); • &_ajax_nonce=YOUR_NONCE • check_ajax_referer( 'your_action' ); Saturday, November 14, 2009
  • 46. Privilege Escalation Saturday, November 14, 2009
  • 48. Set your salts! http://api.wordpress.org/secret-key/1.1/ Saturday, November 14, 2009
  • 49. Stupid shit I see all the time Saturday, November 14, 2009
  • 51. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> Saturday, November 14, 2009
  • 52. <a href="<?php echo $url; ?>" title="<?php echo $title; ?>"> <?php echo $text; ?> </a> <script> var foo = '<?php echo $js; ?>'; </script> Saturday, November 14, 2009
  • 53. <a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>"> <?php echo esc_html( $text ); ?> </a> <script> var foo = '<?php echo esc_js( $js ); ?>'; </script> Saturday, November 14, 2009