Slide 1
Slide 1 text
/ Yoshinori Matsumoto
@ym405nm
Slide 2
Slide 2 text
, ,
lc t C JB KA
SO rm ids P e
1, 2 a N phoc
Wnk
1
6 05 2 6 , 20 ,
Slide 3
Slide 3 text
&#\-A ]
(5 (2018/10/8 !)
@8C89
RNWK
0No Security No Life1A<6C89
,
89GWordPress
'HA0,
+1J
$@QVZXZ.E
→ 5*DI=7)@*4A?3 WordPress A
@39[
Slide 4
Slide 4 text
OWASP
Slide 5
Slide 5 text
OWASP(,
• OWASP
(Open Web Application Security Project)
– Web@;HLA:84
8#5$.
+)GL?B
-$IO=+
JN*24
*' 5
"
6$8
Slide 6
Slide 6 text
OWASP
• OWASP Foundation
– 2001
–
NPO
– 200
Chapter
Slide 7
Slide 7 text
Japan : OWASP Local Chapters
Slide 8
Slide 8 text
WORDPRESS
Slide 9
Slide 9 text
WordPress"
%&#
$"
%&#
&!
WordPress
$"
%&#
&!
Slide 10
Slide 10 text
WordPress
WordPress
OWASP TOP 10
WordPress
OWASP WordPress Security
Implementa:on Guideline
Slide 11
Slide 11 text
OWASP TOP 10
Web8AD; ?
:BD@9
+*,3$7( 6
,3$7( 6
OWASP JAPAN
https://www.owasp.org/index.php/Japan
Slide 12
Slide 12 text
WordPress 209:3/
WordPress.org
- ,209:3/
.&!(
5098;4%
#209:3/*WordPress%
17963/%209:3/$
%+
'#")
- ,
OWASP TOP 10 (2013
) % WordPress
%
- ,
+
WordPress 209:3/
h6ps://ja.wordpress.org/security/
Slide 13
Slide 13 text
OWASP WordPress Security Implementation Guideline
OWASP $"' WordPress
(#,+-'
+-&)-%!
WordPress
$.*
DB
!
OWASP WordPress Security Implementation Guideline
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
Slide 14
Slide 14 text
WordPress'",-(
• WordPress.$!/
•
• WordPress
-&#
1*",+/)2
*",+/)
WordPress
%!)
0
Slide 15
Slide 15 text
WordPress
XML RPC
wp-login.php
TOP10 : A2(
)
WP :
Slide 16
Slide 16 text
P=6R
,A;KMD5
:B:B
EI8NF
wp-login.php,4-*!!$3"+%0 (1
IP4GO@% $V
A;KMD5.,””T
U3#
)&1$V
.,
-*2'0
)&1$V
Slide 17
Slide 17 text
JETPACK
Slide 18
Slide 18 text
A /@
$3 3,@&
'7/@
.2)6)UYID\9#/@_39 `
•
• N]W
• UYID\
WordPress8LGXZNCBMUO]PA 3!/@
OTF[P3%>1:58-4+)"?);.=*^
TOP10 : A9(8
8(@
J\V]R\P8)
WP :LGXZNCZZ]K80<8
SMHIYE\Q
Slide 19
Slide 19 text
WordPress
!
SQL$:+&'*6:
XSS='9,;)$1;,'73/#:(>
0<-4<,
0<-4<,
JavaScript
)$1
)$1
58%&".%:9<2
TOP10 : A1($:+&'*6:)
A7('9,)$1,'73/#:()
Slide 20
Slide 20 text
WordPress
+
,+
The WordPress Codex Is Your Friend…
$wpdb->prepare ;@B4&
wp_kses
esc_html / esc_attr
%*+JavaScript&
How to Prevent File Upload Vulnerabilities
https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
current_user_can('upload_files')
&=B3
,)!
#'.8;AB9
,)!
$
wp_check_filetype
:-/?5/;,7082
+
MINE5/;,("7082
+
+
Slide 21
Slide 21 text
Slide 22
Slide 22 text
OWASP ZAP
• OWASP),.14>?;>
• ?D58*
)
%$.&
16:9) $.
-+$
Slide 23
Slide 23 text
WPScan
• WordPress3+-
C>MSETQ
• KO@=S$FTL$4ITBNS;#+.$"
,:
21(#/):
• WordPress4!216#/):
•
4JCRTHPCG'84
-96/):
&21
WPSCan37:WordPress
h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4
C>MS
*4ETQ;
4A=G3/,:0
Slide 24
Slide 24 text
WPScan9E/C3:
• ID*UN\_S>%
→ %VGI[0'
"
• WordPress>*WZKI]^Q_X>T_MY]
→
)F-2C!
<;
• "T_MY]9? readme.html /AT_MY]0.8,C
3>P_[F
>LIR=95C:
HJON
=
#5C
0+B@5
3D72$916A
,,>9?`
Slide 25
Slide 25 text
Slide 26
Slide 26 text
Slide 27
Slide 27 text
$ %
• WordPress!
%
0+215/
OWASP TOP10
WordPress-+23.)
OWASP WordPress Security Implementation Guideline
•
WordPress"4,*5(&
(
&
WordPress"
(
-+23.)'#6(&
#twpm1019