Slide 1

Slide 1 text

Code with Care: Write Secure Plugins and Themes
Rachel Baker, @rachelbaker

Slide 2

Slide 2 text

Follow Along: https://github.com/rachelbaker/wcstl-demo

Slide 3

Slide 3 text

In 2011…

Slide 4

Slide 4 text

I Work Here. We are hiring talented designers, project managers, and engineers!

Slide 5

Slide 5 text

XSS (Cross-Site Scripting) Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Slide 6

Slide 6 text

CSRF (Cross-Site Request Forgery) CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Slide 7

Slide 7 text

They Look Harmless

Slide 8

Slide 8 text

Back-end Attack

Slide 9

Slide 9 text

Front-end Attack

Slide 10

Slide 10 text

Step 1: Filter Input
Step 2: Escape Output
Step 3: Verify Data Source
Step 4: Profit

Slide 11

Slide 11 text

Filter Input
• Distrust data from any source (even yourself).
• Understand the context of the data being input.
• Validate your expectations, never assume.
• Correct any formatting issues that may exist.
• Process input filters before saving to the database.
How?

Slide 12

Slide 12 text

Validate Input: ensure the data you've requested of the user matches what they've submitted.

Slide 13

Slide 13 text

Sanitize Input

Slide 14

Slide 14 text

Location Name Input

    // sanitize the location name input to only allow a text string
    // and strip HTML tags.
    $safe_name = sanitize_text_field( $_POST['_wcstl_name'] );
    update_post_meta( $post_id, '_wcstl_name', $safe_name );

Slide 15

Slide 15 text

Location Email Input

    // filter then sanitize the email address input.
    if ( is_email( $_POST['_wcstl_email'] ) ) {
        $safe_email = sanitize_email( $_POST['_wcstl_email'] );
        update_post_meta( $post_id, '_wcstl_email', $safe_email );
    }

Slide 16

Slide 16 text

Location Phone Number Input

    // correct phone number input to remove any non-numerical characters.
    $format_phone_input = preg_replace( "/\D+/", "", $_POST['_wcstl_phone'] );
    // filter any added numbers from the input.
    if ( strlen( $format_phone_input ) > 10 ) {
        $format_phone_input = substr( $format_phone_input, 0, 10 );
    }
    // sanitize phone number input.
    $safe_phone = sanitize_text_field( $format_phone_input );
    update_post_meta( $post_id, '_wcstl_phone', $safe_phone );

Slide 17

Slide 17 text

Location Address Input

    // sanitize the address text input based on the basic $allowedtags allow-list.
    $safe_address = wp_filter_kses( $_POST['_wcstl_address'] );
    update_post_meta( $post_id, '_wcstl_address', $safe_address );

Slide 18

Slide 18 text

Location Description Input

    // sanitize the description HTML input based on the post content HTML filter.
    $safe_description = wp_filter_post_kses( $_POST['_wcstl_description'] );
    update_post_meta( $post_id, '_wcstl_description', $safe_description );

Slide 19

Slide 19 text

Location Map URL

    // filter any html tags then sanitize the url input.
    $filter_map_url = wp_strip_all_tags( $_POST['_wcstl_map_url'] );
    $safe_map_url   = esc_url_raw( $filter_map_url );
    update_post_meta( $post_id, '_wcstl_map_url', $safe_map_url );

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Escape Output
• Distrust data from any source (even yourself).
• Understand the context of the data being displayed.
• Correct any formatting issues that may exist.
• Encode data before display.
How?

Slide 22

Slide 22 text

Encoding and Decoding

    From        To
    <script>    &lt;script&gt;
    <           &lt;
    >           &gt;
    (           &#40;
    )           &#41;
    #           &#35;
    &           &amp;
    "           &quot;

Encoding replaces each character with its HTML entity before display, so the browser shows it as text instead of interpreting it as markup; decoding is the reverse. The "To" column above is reconstructed with the standard HTML entities, since the slide's own encoded values did not survive extraction.

Slide 23

Slide 23 text

Display Location Name
Name: Washington University in St. Louis

Slide 24

Slide 24 text

Display Location Email
Email: stlouis@wordcamp.org

Slide 25

Slide 25 text

Display Location Phone Number
Phone: 8006380700

Slide 26

Slide 26 text

Display Location Address
Address:
One Brookings Drive
St. Louis, MO 63130

Slide 27

Slide 27 text

Display Location Description
Description:
WordCamp St. Louis 2014 will be hosted on the beautiful Danforth Campus of Washington University in the Laboratory Sciences Building (map).

Slide 28

Slide 28 text

Display Location Map URL
Map: https://www.google.com/maps/place/1+Brookings+Dr/@38.652088,-90.3077647,16z/data=!4m2!3m1!1s0x87d8cab20b777057:0xf54f7dc56315b57

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

Display Location Meta Boxes
Source: https://github.com/rachelbaker/wcstl-demo/blob/master/wcstl2014-secured.php#L37

    function wcstl_display_location_meta_boxes( $post ) {
        // Get all location meta values for the current post.
        $name_value        = get_post_meta( $post->ID, '_wcstl_name', true );
        $email_value       = get_post_meta( $post->ID, '_wcstl_email', true );
        $phone_value       = get_post_meta( $post->ID, '_wcstl_phone', true );
        $address_value     = get_post_meta( $post->ID, '_wcstl_address', true );
        $description_value = get_post_meta( $post->ID, '_wcstl_description', true );
        $map_url_value     = get_post_meta( $post->ID, '_wcstl_map_url', true );

        // encode text to display in rich text editor.
        $address_value     = wp_richedit_pre( $address_value );
        $description_value = wp_richedit_pre( $description_value );

        // display hidden nonce field for CSRF protection.
        wp_nonce_field( 'wcstl_location_save_meta', 'wcstl_meta_nonce' );

        // output Location Information meta form fields on "Edit Post" screen.
        // (The form markup inside this string did not survive transcription; the
        // field labels and the escaped textarea contents are what remains.)
        $location_meta_fields = '
            Location Name (text string only)
            Email Address (valid email address only)
            Phone Number (10 digit phone number only)
            Address (Basic HTML Allowed)
            ' . esc_html( $address_value ) . '
            Description (Advanced HTML allowed)
            ' . esc_html( $description_value ) . '
            Map URL (url only)
        ';
        echo $location_meta_fields;
    }
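The display slides above show the admin meta box; the same values also have to reach the public site, and that is where the encoding table matters most. The following is an added example, not code from the deck or from the wcstl-demo repository: a front-end renderer that escapes each stored value for the exact HTML context it lands in (text node, attribute, href, filtered HTML). It assumes it runs inside WordPress, where esc_html(), esc_attr(), esc_url(), wp_kses() and get_post_meta() are core functions; the function names, the shortcode tag and the sample malicious values in the comments are hypothetical.

```php
<?php
/**
 * Added example (not from the original deck or the wcstl-demo project):
 * render one location on the front end, choosing the escaping function by
 * the HTML context of each value. Assumes WordPress is loaded; the function
 * and shortcode names are hypothetical.
 */

function wcstl_render_location( $post_id ) {
    $name        = get_post_meta( $post_id, '_wcstl_name', true );
    $email       = get_post_meta( $post_id, '_wcstl_email', true );
    $phone       = get_post_meta( $post_id, '_wcstl_phone', true );
    $address     = get_post_meta( $post_id, '_wcstl_address', true );
    $description = get_post_meta( $post_id, '_wcstl_description', true );
    $map_url     = get_post_meta( $post_id, '_wcstl_map_url', true );

    $out = '<div class="wcstl-location">';

    // Text node context: esc_html() encodes < > & " ' as entities, so a stored
    // (constructed) value "<script>alert(1)</script>" renders as literal text.
    $out .= '<h3>' . esc_html( $name ) . '</h3>';

    // Attribute context: esc_attr() encodes the quote characters, so a stored
    // (constructed) value '" onmouseover="alert(1)' cannot close the attribute.
    $out .= '<p class="wcstl-phone" data-phone="' . esc_attr( $phone ) . '">'
          . esc_html( wcstl_format_phone( $phone ) ) . '</p>';

    // URL context: esc_url() returns '' for schemes outside wp_allowed_protocols()
    // (javascript:, data:, ...) and entity-encodes what it keeps.
    if ( '' !== $email ) {
        $out .= '<p class="wcstl-email"><a href="' . esc_url( 'mailto:' . $email ) . '">'
              . esc_html( $email ) . '</a></p>';
    }

    // Stored HTML: run the same allow-lists used on input again on output. This is
    // defence in depth against values that reached the database by another path
    // (an import, a direct database edit, an older version of the plugin).
    $out .= '<div class="wcstl-address">'
          . wp_kses( $address, wp_kses_allowed_html( 'data' ) ) . '</div>';
    $out .= '<div class="wcstl-description">' . wp_kses_post( $description ) . '</div>';

    if ( '' !== $map_url ) {
        $out .= '<p><a href="' . esc_url( $map_url ) . '" rel="noopener" target="_blank">'
              . esc_html__( 'Map', 'wcstl' ) . '</a></p>';
    }

    $out .= '</div>';
    return $out;
}

// Pure formatting helper: 10 digits become "(800) 638-0700"; anything else is
// returned unchanged so a value that slipped past validation is still escaped above.
function wcstl_format_phone( $digits ) {
    if ( 1 !== preg_match( '/^\d{10}$/', $digits ) ) {
        return $digits;
    }
    return sprintf( '(%s) %s-%s',
        substr( $digits, 0, 3 ), substr( $digits, 3, 3 ), substr( $digits, 6 ) );
}

// [wcstl_location id="123"]: shortcode attributes are untrusted input as well,
// so the id is cast to a non-negative integer before use. Shortcodes return, never echo.
add_shortcode( 'wcstl_location', function ( $atts ) {
    $atts    = shortcode_atts( array( 'id' => get_the_ID() ), $atts, 'wcstl_location' );
    $post_id = absint( $atts['id'] );
    if ( ! $post_id || 'publish' !== get_post_status( $post_id ) ) {
        return '';
    }
    return wcstl_render_location( $post_id );
} );
```

The point the encoding table makes is that the entity set depends on where the value is written: esc_html() is wrong inside an attribute (it leaves a value that can still break out of a single-quoted attribute only if you chose the wrong quote style, and does nothing about URL schemes), and esc_attr() is wrong for a text node that must show HTML. Pick the function for the context, not for the data type.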

Slide 31

Slide 31 text

Verify Data Source
• Create a nonce field or value any time data will be processed from a form, AJAX request, or URL.
• Check the referring source of a processing request.
• Confirm the presence and validity of a nonce before processing data from a form, AJAX request, or URL.
How?

Slide 32

Slide 32 text

Create Nonce Field
Source: https://github.com/rachelbaker/wcstl-demo/blob/master/wcstl2014-secured.php#L51

    // display hidden nonce field for CSRF protection.
    wp_nonce_field( 'wcstl_location_save_meta', 'wcstl_meta_nonce' );

Slide 33

Slide 33 text

Verify Referrer and Nonce Value
Source: https://github.com/rachelbaker/wcstl-demo/blob/master/wcstl2014-secured.php#L84

    // return early if nonce doesn't match.
    if ( ! check_admin_referer( 'wcstl_location_save_meta', 'wcstl_meta_nonce' ) ) {
        return $post_id;
    }
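Steps 1 and 3 belong in the same save handler, and the order matters: verify the request before touching any of its fields. The block below is an added example, not code from the deck or the wcstl-demo repository. It combines the nonce verification on this slide with the filter-input snippets for every field on the earlier slides into one save_post callback, and assumes it runs inside WordPress alongside the meta box from slide 30, whose form carries the wcstl_meta_nonce field. Two deviations from the slides are deliberate and labelled in the comments: it uses wp_verify_nonce(), which returns false on failure, because check_admin_referer() with a named action calls wp_nonce_ays() and dies, so the "return early" branch on the slide is never actually reached; and it rejects phone numbers that are not exactly 10 digits instead of truncating them. The function name is hypothetical.

```php
<?php
/**
 * Added example (not from the original deck or the wcstl-demo project): one
 * save_post handler that verifies the data source, then filters every field.
 * Assumes WordPress is loaded and the meta box form contains the
 * 'wcstl_meta_nonce' field created with wp_nonce_field() as on slide 32.
 */

add_action( 'save_post', 'wcstl_save_location_meta' );

function wcstl_save_location_meta( $post_id ) {
    // Autosaves and revisions submit no meta-box fields: nothing to verify or save.
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || wp_is_post_revision( $post_id ) ) {
        return $post_id;
    }
    // save_post fires for every post type; act only on requests that carry our nonce.
    if ( ! isset( $_POST['wcstl_meta_nonce'] ) ) {
        return $post_id;
    }
    // wp_verify_nonce() returns false on a bad or stale nonce (check_admin_referer()
    // would die instead), so this early return is reachable. A valid nonce proves
    // the request came from our form; it says nothing about the user's rights,
    // which is what the capability check is for.
    if ( ! wp_verify_nonce( $_POST['wcstl_meta_nonce'], 'wcstl_location_save_meta' ) ) {
        return $post_id;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return $post_id;
    }

    // WordPress adds slashes to $_POST and update_post_meta() removes them again,
    // so the raw $_POST values go through the sanitizers exactly as on the slides.
    $raw = wp_parse_args( $_POST, array(
        '_wcstl_name'        => '',
        '_wcstl_email'       => '',
        '_wcstl_phone'       => '',
        '_wcstl_address'     => '',
        '_wcstl_description' => '',
        '_wcstl_map_url'     => '',
    ) );

    // Name: plain text only, tags stripped, whitespace normalised.
    update_post_meta( $post_id, '_wcstl_name', sanitize_text_field( $raw['_wcstl_name'] ) );

    // Email: validate first. An invalid value is removed rather than silently
    // leaving whatever was stored before in place.
    if ( is_email( $raw['_wcstl_email'] ) ) {
        update_post_meta( $post_id, '_wcstl_email', sanitize_email( $raw['_wcstl_email'] ) );
    } else {
        delete_post_meta( $post_id, '_wcstl_email' );
    }

    // Phone: normalise to digits, then check the expectation (exactly 10 digits).
    // "(800) 638-0700" passes; "1-800-638-0700" (11 digits) and "638-0700" are
    // rejected here, where the slide would truncate or store them as-is.
    $digits = preg_replace( '/\D+/', '', $raw['_wcstl_phone'] );
    if ( 1 === preg_match( '/^\d{10}$/', $digits ) ) {
        update_post_meta( $post_id, '_wcstl_phone', $digits );
    } else {
        delete_post_meta( $post_id, '_wcstl_phone' );
    }

    // Address: basic HTML allow-list ($allowedtags). Description: post-content
    // allow-list ($allowedposttags). Both kses wrappers expect slashed input.
    update_post_meta( $post_id, '_wcstl_address', wp_filter_kses( $raw['_wcstl_address'] ) );
    update_post_meta( $post_id, '_wcstl_description', wp_filter_post_kses( $raw['_wcstl_description'] ) );

    // Map URL: strip tags, then keep only URLs with an allowed scheme.
    // esc_url_raw() returns '' for schemes such as javascript:, treated here as "no URL".
    $map_url = esc_url_raw( wp_strip_all_tags( $raw['_wcstl_map_url'] ) );
    if ( '' !== $map_url ) {
        update_post_meta( $post_id, '_wcstl_map_url', $map_url );
    } else {
        delete_post_meta( $post_id, '_wcstl_map_url' );
    }

    return $post_id;
}
```

Whether a rejected value should be deleted, left untouched, or reported back to the user is a product decision; what should not happen is storing it. The capability check is the part most often missing from real plugins: a nonce alone lets any logged-in user with access to the form submit it, so the handler must still ask whether this user may edit this post.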

Slide 34

Slide 34 text

Unsure of What to Do? Do as WP Core does!
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/default-filters.php
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/formatting.php
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/kses.php

Slide 35

Slide 35 text

Resources
http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
http://codex.wordpress.org/Data_Validation
https://codex.wordpress.org/WordPress_Nonces
http://www.cgisecurity.com/xss-faq.html
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/formatting.php#L0
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
http://ottopress.com/2010/wp-quickie-kses/
https://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks

Slide 36

Slide 36 text

Questions? Go Cubs
Rachel Baker @rachelbaker
Demo Code: https://github.com/rachelbaker/wcstl-demo
Slide Deck: https://speakerdeck.com/rachelbaker/code-with-care-write-secure-themes-and-plugins