Secure WordPress Development Practices
I gave this talk at the September OCWP developer meetup.
So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
Watch This.
http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.
Read This.
http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
tl;dr
• Keep your dev environment clean
• Escape your data output
• Sanitize your data inputs
• Validate referrers
• Core functionality should always trump your super awesome functionality
Keep Your Dev Environment Clean
Don’t think that just because you’re on a Mac you’re safe from viruses.
If you’re on a PC, you should assume you’re already pwned.
Kaspersky Anti-Virus
• I use it.
• Dre uses it.
• Tony uses it.
• You should be using it.
Trust No One, Trust Nothing
XSS: Cross-site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
http://en.wikipedia.org/wiki/Cross-site_scripting
Escape All The Things On Output
http://codex.wordpress.org/Data_Validation#Output_Sanitation
• Bad data will be tamed
• esc_{context}
• esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings.
• esc_html - Escaping for HTML blocks.
• esc_attr - Escaping for HTML attributes.
• esc_sql - Escapes data for use in a MySQL query.
• esc_url - Checks and cleans a URL.
• esc_textarea - Escaping for textarea values.
Sanitize All The Things On Input
http://codex.wordpress.org/Data_Validation#Input_Validation
• sanitize_* and similar functions help for most things
• $_POST = array( 'e' => '<script src="http://pwnd.com/u.js"></script>' );
• BAD: update_post_meta( $id, 'e', $_POST['e'] );
• GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
• Note: Might unintentionally change data and give unexpected results
Whitelisting Data
http://codex.wordpress.org/Data_Validation#Whitelist
• Whitelisting data - Only accept known data
• $_POST = array( 'pwn' => '<script src="http://pwnd.com/u.js"></script>', 'e' => '[email protected]' );
• BAD: foreach ( $_POST as $key => $val ) : update_post_meta( $id, $key, $val ); endforeach;
• GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
Blacklisting Data
http://codex.wordpress.org/Data_Validation#Blacklist
• Blacklisting data - Only accept data if it’s in the proper format
• $_POST = array( 'e' => 'me@domain.' );
• if ( is_email( $_POST['e'] ) ) update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
CSRF: Cross-site Request Forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sweet, this might lead to my next big deal! ACCEPT!
zOMG WTF?!
http://mysite.com/wp-admin/post.php?post=307&action=trash
Nonces FTW! (http://codex.wordpress.org/WordPress_Nonces)
• Before the Request
• wp_nonce_url
• wp_create_nonce
• wp_nonce_field
• Verify the Request
• wp_verify_nonce
• check_admin_referer
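An added example (not code from the slides) that puts the whitelist / validate / sanitize / escape rules and the nonce pairing above together in one post meta box; the ocwp_ function names, the meta key and the nonce action name are assumptions:

```php
<?php
// Added example, not from the talk. Stores a contact e-mail on a post while
// applying the deck's rules in order: nonce before the request, nonce check on
// save, whitelist the one field we expect, validate with is_email(), sanitize
// with sanitize_email(), escape with esc_attr() on output.
// Assumed names: the 'ocwp_' prefix, the '_ocwp_contact_email' meta key and
// the 'ocwp_save_email_*' nonce action are hypothetical.

add_action( 'add_meta_boxes', 'ocwp_add_email_box' );
function ocwp_add_email_box() {
    add_meta_box( 'ocwp_email', 'Contact E-mail', 'ocwp_render_email_box', 'post' );
}

// Before the request: emit the nonce field next to the form input.
function ocwp_render_email_box( $post ) {
    $email = get_post_meta( $post->ID, '_ocwp_contact_email', true );
    wp_nonce_field( 'ocwp_save_email_' . $post->ID, 'ocwp_email_nonce' );
    // Escape on output: esc_attr() because the value lands inside an attribute.
    echo '<input type="email" name="ocwp_email" value="' . esc_attr( $email ) . '" />';
}

add_action( 'save_post', 'ocwp_save_email_box' );
function ocwp_save_email_box( $post_id ) {
    // Verify the request: a valid nonce proves the POST came from our meta box,
    // not from a link the user was tricked into following (CSRF).
    if ( ! isset( $_POST['ocwp_email_nonce'] )
        || ! wp_verify_nonce( $_POST['ocwp_email_nonce'], 'ocwp_save_email_' . $post_id ) ) {
        return;
    }
    // Core functionality trumps ours: respect capabilities and skip autosaves.
    if ( ! current_user_can( 'edit_post', $post_id ) || wp_is_post_autosave( $post_id ) ) {
        return;
    }
    // Whitelist: read only the one key we expect, never loop over $_POST.
    if ( ! isset( $_POST['ocwp_email'] ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['ocwp_email'] );
    // Validate first (reject), then sanitize (clean) before it touches the database.
    if ( ! is_email( $raw ) ) {
        return; // "me@domain." or a <script> payload never reaches update_post_meta()
    }
    update_post_meta( $post_id, '_ocwp_contact_email', sanitize_email( $raw ) );
}
```

Drop the file into a plugin and edit any post: tampering with the nonce field or submitting the form from elsewhere makes the save handler return before any data is written.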
Is there an API for that?
Professional WordPress Plugin Development
http://amzn.to/plugindevbook