Panagiotis Vagenas - WordPress security doing it wrong, Top 10 9+1 common mistakes developers do - WordCamp Athens 2016

Transcript

1. Doing it Wrong, Top 10
   9+1 common mistakes developers do
   Panagiotis Vagenas
   WordCamp Athens 2016
   

   View Slide

2. Validating Input
   Panagiotis Vagenas WordCamp Athens 2016 2
   Goal: prevent processing malformed data
   How:
   ●
   Whitelist (good)
   ●
   Blacklist (bad)
   ●
   Type check (weak)
   Helper functions:
   ●
   `is_` family (e.g. is_int())
   ●
   `sanitize_` family (e.g. sanitize_email())
   

   View Slide

3. Sanitizing Input
   Panagiotis Vagenas WordCamp Athens 2016 3
   Goal: clean input from unwanted data
   Why:
   ●
   validation is not enough when the range of
   acceptable input is pretty big
   ●
   malformed input can lead to a successful
   attack
   Helper functions:
   ●
   `sanitize_` family (e.g. sanitize_email())
   ●
   `esc_` family (e.g. esc_html())
   ●
   `wp_kses`
   ●
   type casting
   

   View Slide

4. Escaping Output
   Goal: clean output from unwanted characters or
   sequence of characters
   Why:
   ●
   prevent XSS
   ●
   prevent SEO Spam
   How:
   ●
   Use a template engine that auto-escapes
   output
   ●
   `esc_` family (e.g. esc_html())
   ●
   `wp_kses()`, `wp_kses_post()` &
   `wp_kses_allowed_html()`
   Panagiotis Vagenas WordCamp Athens 2016 4
   

   View Slide

5. is_admin()
   ●
   Belongs to family of functions known as
   conditional tags
   ●
   checks if the dashboard or the administration
   panel is attempting to be displayed
   ●
   Does NOT check current user capabilities
   ●
   Will return true for all requests to an admin page,
   regardless if the user has the rights to access it
   ●
   Will return true for requests to
   wp-admin/admin-ajax.php or wp-admin/admin-
   post.php etc.
   ●
   Use `current_user_can()` whenever you want
   to check for current user capabilities
   Panagiotis Vagenas WordCamp Athens 2016 5
   

   View Slide

6. wp_ajax_nopriv
   ●
   Used to handle AJAX requests on the front-end
   for unauthenticated users
   ●
   Do NOT use this function for actions that were
   supposed for logged in users
   ●
   Always implement strict security checks in
   functions called by this hook
   ●
   Be aware that authenticated users can also call
   this action using the `nopriv_` prefix
   Panagiotis Vagenas WordCamp Athens 2016 6
   

   View Slide

7. admin_init || init
   ●
   admin_init is triggered before any other hook
   when a user accesses the admin area
   •
   requests to wp-admin/admin-post.php
   •
   AJAX requests as long as an action is
   specified
   •
   Requests to wp-admin/admin.php as long as
   user is authenticated
   ●
   init action is called in both backend and
   frontend
   ●
   Do NOT use these hooks without implementing
   security checks
   Panagiotis Vagenas WordCamp Athens 2016 7
   

   View Slide

8. Missing or Insufficient Capabilities Checks
   ●
   WordPress implements a role-based access
   control system
   ●
   Each role has a predefined set of capabilities
   ●
   WordPress provides an API for both role-based
   and capability-based checks
   ●
   Study the authentication and authorization
   system, learn the roles and capabilties
   ●
   Always implement access controls when
   performing a user requested action
   ●
   Use the principle of least privilege
   ●
   Use a single endpoint, if possible
   ●
   Always protect endpoints
   Panagiotis Vagenas WordCamp Athens 2016 8
   

   View Slide

9. Missing or Globally Available Nonces
   ●
   They are used to help protect specific actions
   from certain types of misuse, malicious or
   otherwise
   ●
   They have a limited TTL
   ●
   Given a specific action and user, nonce stays the
   same during that period of time
   ●
   Always use nonces
   ●
   Never use the same nonce action for two distinct
   actions
   ●
   Do NOT use nonces for authorizing access
   ●
   Make nonces available ONLY in the page they
   are required
   Panagiotis Vagenas WordCamp Athens 2016 9
   

   View Slide

10. Doing it Outside of WordPress
    Panagiotis Vagenas WordCamp Athens 2016 10
    source: https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/
    

    View Slide

11. Trust the User
    Panagiotis Vagenas WordCamp Athens 2016 11
    ●
    Actually, never ever trust the user
    ●
    Make UI as simple as possible
    ●
    Document, especially options
    ●
    Try to avoid options that could have a critical
    security impact
    ●
    If you have to include such settings, make as clear
    as possible what impact could have each option
    on their website’s security
    ●
    Validate, sanitize & escape for all input & output,
    even it’s something only admins can set or see
    

    View Slide

12. References - Contact
    ●
    https://www.owasp.org/
    ●
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    ●
    https://www.wordfence.com/learn
    ●
    https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/
    ●
    https://codex.wordpress.org
    ●
    https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
    ●
    https://codex.wordpress.org/Data_Validation
    ●
    https://codex.wordpress.org/Roles_and_Capabilities
    ●
    https://codex.wordpress.org/WordPress_Nonces
    ●
    https://en.wikipedia.org/wiki/Principle_of_least_privilege
    ●
    http://twig.sensiolabs.org/
    Panagiotis Vagenas WordCamp Athens 2016 12
    Contact information
     [email protected]
     https://gr.linkedin.com/in/panvagenas
     https://twitter.com/panVagenas
    

    View Slide