Slide 1

Slide 1 text

Yoshinori Matsumoto @ym405nm

Slide 2

Slide 2 text


Slide 3

Slide 3 text

(2018/10/8) "No Security No Life" / WordPress

Slide 4

Slide 4 text

OWASP

Slide 5

Slide 5 text

What is OWASP? • OWASP (Open Web Application Security Project) – web application security

Slide 6

Slide 6 text

OWASP • OWASP Foundation – 2001 – NPO – 200 chapters

Slide 7

Slide 7 text

Japan: OWASP Local Chapters

Slide 8

Slide 8 text

WORDPRESS

Slide 9

Slide 9 text

WordPress

Slide 10

Slide 10 text

WordPress
• OWASP TOP 10 and WordPress
• OWASP WordPress Security Implementation Guideline

Slide 11

Slide 11 text

OWASP TOP 10 – the ten most critical web application security risks. OWASP JAPAN: https://www.owasp.org/index.php/Japan

Slide 12

Slide 12 text

WordPress security – the WordPress.org security page explains how WordPress addresses the OWASP TOP 10 (2013). WordPress security: https://ja.wordpress.org/security/

Slide 13

Slide 13 text

OWASP WordPress Security Implementation Guideline – OWASP's guideline for securing WordPress, covering WordPress and the DB. https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

Slide 14

Slide 14 text

WordPress

Slide 15

Slide 15 text

WordPress: XML-RPC, wp-login.php. TOP 10: A2 (Broken Authentication)

Slide 16

Slide 16 text

Attacks on wp-login.php: many login attempts from 1 IP
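The two attack surfaces named on these slides, wp-login.php and XML-RPC, are both password-guessing surfaces, and the slide's own observation (many attempts from one IP) suggests the countermeasure: count failures per client address and refuse further logins for a while. The following mu-plugin is an added example written for this page, not code from the slides, from the speaker, or from any plugin; the plugin name, the lle_ function names, the 5-failure / 15-minute policy and the transient key prefix are all my own choices. It relies only on WordPress core hooks and functions.

```php
<?php
/**
 * Plugin Name: Login lockout example
 * Description: Added example for this page (not from the slides). Per-IP lockout
 *              for wp-login.php plus disabling XML-RPC login and pingback.
 *              Place in wp-content/mu-plugins/ on a WordPress site.
 */

// XML-RPC: refuse authenticated methods (system.multicall lets one request try
// hundreds of passwords) and drop pingback.ping, which is abused for reflection.
// The X-Pingback header is removed so scanners get no hint that XML-RPC exists.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Lockout policy (assumed values): 5 failures within 15 minutes locks the client IP.
define( 'LLE_MAX_FAILURES', 5 );
define( 'LLE_WINDOW', 15 * MINUTE_IN_SECONDS );

// Hypothetical helper: the address the counter is keyed on.
function lle_client_ip() {
    // Use REMOTE_ADDR only. Honouring X-Forwarded-For here would let an attacker
    // choose an arbitrary key and evade the lockout; resolve it at the proxy instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lle_transient_key( $ip ) {
    return 'lle_fail_' . md5( $ip );
}

// Every failed login (unknown user, wrong password, or our own lockout error
// below) bumps the per-IP counter. The transient expires on its own after the
// window, so there is nothing to clean up.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lle_transient_key( lle_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, LLE_WINDOW );
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// correct password from a locked address is still rejected. Returning WP_Error
// makes wp_signon() fail. The message is the same whether or not the account
// exists, so the lockout itself does not aid user enumeration.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( lle_transient_key( lle_client_ip() ) );
    if ( $fails >= LLE_MAX_FAILURES ) {
        return new WP_Error(
            'lle_locked_out',
            sprintf(
                'Too many failed logins from your address. Try again in %d minutes.',
                LLE_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lle_transient_key( lle_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner should know: transients live in the options table (or the object cache), so the counter is per site rather than per PHP worker, which is what you want; and because the lockout error itself fires `wp_login_failed`, continued guessing from a locked address keeps extending the lockout, which is the intended behaviour against a script but means a shared NAT address can be locked out by one misbehaving user.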

Slide 17

Slide 17 text

JETPACK

Slide 18

Slide 18 text

• Themes
• Plugins
WordPress – TOP 10: A9 (Using Components with Known Vulnerabilities)

Slide 19

Slide 19 text

WordPress: SQL injection and XSS (cross-site scripting) – the database, and JavaScript. TOP 10: A1 (Injection), A7 (Cross-Site Scripting (XSS))

Slide 20

Slide 20 text

WordPress countermeasures – The WordPress Codex Is Your Friend…
• $wpdb->prepare (prepared statements)
• wp_kses, esc_html / esc_attr (escape output, including JavaScript)
• How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
• current_user_can('upload_files') (capability check)
• wp_check_filetype (file type check), plus a MIME type check
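The slide lists the core APIs for the three problems on the previous slide (A1 Injection, A7 XSS, and file upload) without showing them in use. The following plugin file is an added example written for this page, not code from the slides or from any WordPress project: it places the vulnerable form of each pattern next to the form those APIs give you. The cfe_ function names, the admin_post action name, the form field name cfe_file and the allow-list of types are my own assumptions; everything it calls is WordPress core.

```php
<?php
/**
 * Plugin Name: Codex-friendly example
 * Description: Added example for this page (not from the slides). Vulnerable
 *              and hardened forms of SQL, output and upload handling. Requires WordPress.
 */

// --- A1 Injection: build SQL with $wpdb->prepare(), never by concatenation. ---

function cfe_posts_by_author_vulnerable( $author ) {
    global $wpdb;
    // VULNERABLE, kept for comparison only: ?author=1 OR 1=1 -- rewrites the query.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = $author AND post_status = 'publish'"
    );
}

function cfe_posts_by_author( $author ) {
    global $wpdb;
    // %d is cast to an integer, %s is quoted and escaped; the table name is trusted.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s LIMIT %d",
        (int) $author, 'publish', 10
    ) );
}

// --- A7 XSS: escape at output, choosing the function for the HTML context. ---

function cfe_render_list( $posts, $query ) {
    // Attribute context: esc_attr(); text context: esc_html(); href: esc_url().
    echo '<ul data-query="' . esc_attr( $query ) . '">';
    foreach ( $posts as $post ) {
        echo '<li><a href="' . esc_url( get_permalink( $post->ID ) ) . '">'
           . esc_html( $post->post_title ) . '</a></li>';
    }
    echo '</ul>';
    // Into JavaScript: serialise with wp_json_encode() instead of string
    // concatenation; the HEX flags also neutralise < > & ' " inside the JSON.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var cfeQuery = ' . wp_json_encode( $query, $flags ) . ';</script>';
}

function cfe_render_user_html( $html ) {
    // User-supplied HTML (a bio, a comment): allow-list tags with wp_kses_post()
    // rather than trusting it or stripping it blindly.
    echo wp_kses_post( $html );
}

// --- File upload: capability, nonce, extension + real MIME check, then wp_handle_upload(). ---
// The submitting form is assumed to contain wp_nonce_field( 'cfe_upload' ) and
// <input type="file" name="cfe_file">. admin_post_* only runs for logged-in users.

add_action( 'admin_post_cfe_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.', 403 );
    }
    check_admin_referer( 'cfe_upload' ); // CSRF: dies unless the nonce is valid
    if ( empty( $_FILES['cfe_file'] ) ) {
        wp_die( 'No file received.', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $file    = $_FILES['cfe_file'];
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );

    // Checks the extension against $allowed AND that the file's real content type
    // matches it, so shell.php, shell.php.jpg and a PHP file renamed to .png all fail.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed.', 415 );
    }

    // wp_handle_upload() repeats the type check, sanitises the filename and moves
    // the file into the uploads directory (never into a path the user chose).
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
} );
```

The ordering in the upload handler is deliberate: the capability check comes first so an unprivileged user learns nothing about the form, the nonce check second, and only then is the file inspected; the extension and MIME checks use the same allow-list, so a mismatch between what the filename claims and what the bytes contain is rejected instead of being "fixed" by guessing.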

Slide 21

Slide 21 text

   

Slide 22

Slide 22 text

OWASP ZAP • OWASP's web application vulnerability scanner (intercepting proxy)

Slide 23

Slide 23 text

WPScan
• A WordPress vulnerability scanner
• Checks the WordPress version (and plugins/themes) against known vulnerabilities
• "WPScan … WordPress" (OWASP Nagoya) https://www.slideshare.net/owaspnagoya/wpscanwordpress4
• Only scan sites you own or are authorised to test

Slide 24

Slide 24 text

What WPScan finds
• User ID → username (then used for login attacks)
• WordPress, plugin and theme versions → known vulnerabilities
• The WordPress version is also readable from readme.html
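The findings on this slide are all information leaks that WordPress exposes by default: the generator meta tag and ?ver= query strings give the core version, /?author=N redirects to /author/<login>/ and the REST users endpoint lists authors, which is how an ID becomes a username for the login attacks of the earlier slides. The following mu-plugin is an added example written for this page, not code from the slides or from WPScan; the plugin name and the ehe_ function name are my own, and it uses only WordPress core hooks. readme.html (and license.txt) are static files, so they are handled outside PHP: delete them on deploy or deny them in the web server configuration.

```php
<?php
/**
 * Plugin Name: Enumeration hardening example
 * Description: Added example for this page (not from the slides). Closes the
 *              version and username leaks WPScan enumerates. Requires WordPress.
 */

// Version disclosure: <meta name="generator" content="WordPress x.y"> in <head>
// and the <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles carry ?ver=<WordPress version>; strip that query
// argument when it equals the core version (plugin/theme versions are left alone).
function ehe_strip_core_ver( $src ) {
    if ( $src && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'ehe_strip_core_ver' );
add_filter( 'style_loader_src', 'ehe_strip_core_ver' );

// Username enumeration, path 1: /?author=N is turned into /author/<user_login>/
// by redirect_canonical(), mapping every ID to a login name. Refuse it for visitors.
add_action( 'init', function () {
    if ( ! is_admin() && ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// Username enumeration, path 2: /wp-json/wp/v2/users lists users who have
// published posts (slug defaults to user_login) without authentication.
// Remove those routes for anonymous requests; logged-in editors keep them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Login form: core's messages differ for "unknown username" and "wrong password",
// which confirms valid usernames one at a time. Use a single message.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid username or password.';
} );
```

Hiding the version is a speed bump, not a fix: WPScan also fingerprints versions from file hashes, and an outdated core, plugin or theme (A9 on the Jetpack slide) is vulnerable whether or not it advertises its version, so updating remains the actual countermeasure. Note also that the author archive at /author/<login>/ is still public by design; what this closes is the cheap ID-to-name enumeration.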

Slide 25

Slide 25 text

   

Slide 26

Slide 26 text



Slide 27

Slide 27 text

Summary
• WordPress security: OWASP TOP 10 and WordPress, OWASP WordPress Security Implementation Guideline
• WordPress
#twpm1019