Building Security Into Your Development Projects
TRANSCRIPT
@SiteLock
Beyond the Basics: Building Security Into Your Development Projects
XSS
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.”
- Wikipedia
XSS
The SiteLock Research Team picks up a possible XSS vulnerability in a plugin during a routine SAST scan.
§ File: settings.php
§ Argument: $curr
XSS
Found $curr set at lines 195/196, where it is set to Default if $cntr is empty, or to the value of $cntr if not. Variable $cntr is set at lines 91/92: if $_GET['scounter'] is set, $cntr inherits its value unchanged. Could this be a reflected XSS vulnerability?
XSS
Let's find out. We simply need to pass a harmless XSS string in the $_GET['scounter'] variable to get a proof of concept, like a document.cookie alert. Something like:
?page=slider-settings&scounter=<script>alert(document.cookie)</script>
Recent Research: Free WordPress Plugin - “Tango”
§ File Management • View & Edit • Zip & Unzip
§ Database Management • Easy backups
Vulnerability Example: TANGO
What would happen if we renamed the readme.txt then?
Vulnerability Example: TANGO
What else could we do here? Anything.
§ Grab external files.
§ Dump the file structure.
§ Trash everything.
$ dd if=/dev/random of=/dev/sda
Code Becomes Complex
THEMES +
COMPONENTS +
FRAMEWORK +
PLUGINS +
Built-In WordPress Functions
§ Always use WordPress built-in functions:
• esc_html()
• sanitize_text_field()
• update_option()
SQL Injection Fixed
Use WordPress sanitize_text_field() to prevent SQL injection
Use WordPress update_option() for db access
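The flow the XSS slides describe (a $_GET['scounter'] value copied into $cntr, then into $curr, then printed into the settings page) and the fix the built-in functions slides recommend, written out as an added PHP example. This is not the plugin's code or SiteLock's: the sl_ function names, the option name 'sl_slider_counter' and the exact markup are assumptions, and esc_attr(), wp_unslash() and current_user_can() are WordPress core functions the slides do not mention.

```php
<?php
// Added example, not the audited plugin's code. Names prefixed sl_ and the
// option key 'sl_slider_counter' are hypothetical.

// --- Vulnerable pattern, as the slides describe it ----------------------
// $cntr inherits $_GET['scounter'] unchanged, $curr becomes 'Default' or
// $cntr, and $curr is echoed straight into the response. Whatever the
// query string carries lands in the page unescaped: reflected XSS.
function sl_vulnerable_settings_page() {
    $cntr = '';
    if ( isset( $_GET['scounter'] ) ) {
        $cntr = $_GET['scounter'];
    }
    $curr = empty( $cntr ) ? 'Default' : $cntr;
    echo '<input type="text" name="scounter" value="' . $curr . '">';
    echo '<p>Current counter: ' . $curr . '</p>';
}

// --- Hardened pattern, using the built-in functions the slides list -----
// 1. Sanitize on input with sanitize_text_field(): strips tags, NUL bytes,
//    line breaks and extra whitespace before the value is used or stored.
// 2. Escape on output for the context the value is printed into:
//    esc_attr() inside an attribute, esc_html() in text. Output escaping
//    is what stops the browser running the value as markup; the input
//    sanitizer is defence in depth.
// 3. Persist through update_option() instead of a hand-built query, so
//    the core options API handles quoting and serialization.
function sl_hardened_settings_page() {
    // Only users allowed to manage settings should be able to change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    $cntr = '';
    if ( isset( $_GET['scounter'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() then reduces the value to plain text.
        $cntr = sanitize_text_field( wp_unslash( $_GET['scounter'] ) );
    }
    $curr = ( '' === $cntr ) ? 'Default' : $cntr;

    // Store via the options API; the plugin writes no SQL of its own.
    update_option( 'sl_slider_counter', $curr );

    // Attribute context -> esc_attr(); text context -> esc_html().
    echo '<input type="text" name="scounter" value="' . esc_attr( $curr ) . '">';
    echo '<p>Current counter: ' . esc_html( $curr ) . '</p>';
}
```

With the proof-of-concept string from the earlier slide, the vulnerable function reflects the script tag verbatim; the hardened function stores and prints only the text that survives sanitize_text_field(), and esc_html()/esc_attr() turn any remaining angle brackets or quotes into entities, so nothing in $curr can reach the page as markup.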
Logan Kipp, Product Evangelist – WordPress
WPDistrict.SiteLock.com
@LoganKipp • Used WordPress since 1.5 in 2005
• Eight years experience in hosting and security industry
• Previously worked at GoDaddy.com
• Most recently served as Lead Security Analyst for SiteLock
Thank You!