

Panagiotis Vagenas - WordPress security doing it wrong, Top 10 9+1 common mistakes developers do - WordCamp Athens 2016

WordPress Greek Community

November 19, 2016


Transcript

  1. Doing it Wrong, Top 10 9+1 common mistakes developers do

     Panagiotis Vagenas, WordCamp Athens 2016
  2. Validating Input

     Goal: prevent processing malformed data
     How:
     • Whitelist (good)
     • Blacklist (bad)
     • Type check (weak)
     Helper functions:
     • `is_` family (e.g. is_int())
     • `sanitize_` family (e.g. sanitize_email())
  3. Sanitizing Input

     Goal: clean input from unwanted data
     Why:
     • validation is not enough when the range of acceptable input is pretty big
     • malformed input can lead to a successful attack
     Helper functions:
     • `sanitize_` family (e.g. sanitize_email())
     • `esc_` family (e.g. esc_html())
     • `wp_kses`
     • type casting
  4. Escaping Output

     Goal: clean output from unwanted characters or sequences of characters
     Why:
     • prevent XSS
     • prevent SEO spam
     How:
     • Use a template engine that auto-escapes output
     • `esc_` family (e.g. esc_html())
     • `wp_kses()`, `wp_kses_post()` & `wp_kses_allowed_html()`
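Slides 2 to 4 describe one pipeline: validate and sanitize what comes in, escape what goes out, choosing the escaper by output context. The following PHP is an added example written for this transcript, not code from the talk; the option name `wcath_contact`, the settings group `wcath_settings` and every `wcath_` function are hypothetical.

```php
<?php
// Added example (not from the talk): one plugin option handled as slides 2-4 describe.
// Assumed: option 'wcath_contact' holding an email, a short plain-text label,
// a small HTML intro and a checkbox. All 'wcath_' names are hypothetical.

add_action( 'admin_init', function () {
    // The sanitize callback runs on every save, so the stored value is always clean.
    register_setting( 'wcath_settings', 'wcath_contact', 'wcath_sanitize_contact' );
} );

// Allowed HTML for the intro: an explicit whitelist, never a list of "bad" tags.
function wcath_intro_allowed_html() {
    return array(
        'a'      => array( 'href' => true ),
        'strong' => array(),
        'em'     => array(),
    );
}

/**
 * Validate + sanitize on the way IN (slides 2 and 3).
 */
function wcath_sanitize_contact( $input ) {
    $input = is_array( $input ) ? $input : array();
    $old   = get_option( 'wcath_contact', array() );
    $clean = array();

    // Validate with a whitelist: is_email() decides, anything else is rejected
    // and the previously stored value is kept.
    $email = isset( $input['email'] ) ? sanitize_email( $input['email'] ) : '';
    if ( $email && is_email( $email ) ) {
        $clean['email'] = $email;
    } else {
        add_settings_error( 'wcath_contact', 'wcath_bad_email', 'Please enter a valid email address.' );
        $clean['email'] = isset( $old['email'] ) ? $old['email'] : '';
    }

    // Sanitize: plain text only (tags and newlines stripped), length capped.
    $label          = isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '';
    $clean['label'] = mb_substr( $label, 0, 60 );

    // Sanitize HTML against the whitelist with wp_kses().
    $clean['intro'] = isset( $input['intro'] ) ? wp_kses( $input['intro'], wcath_intro_allowed_html() ) : '';

    // Type cast: a checkbox is a boolean, nothing else.
    $clean['show'] = ! empty( $input['show'] );

    return $clean;
}

/**
 * Escape on the way OUT (slide 4), per context: esc_attr() inside attributes,
 * esc_url() for URLs, esc_html() for text nodes, wp_kses() for the HTML subset.
 * Escaping happens here even though the stored value was already sanitized.
 */
function wcath_render_contact_field() {
    $opt = wp_parse_args( get_option( 'wcath_contact', array() ), array(
        'email' => '', 'label' => '', 'intro' => '', 'show' => false,
    ) );
    ?>
    <input type="email" name="wcath_contact[email]" value="<?php echo esc_attr( $opt['email'] ); ?>">
    <input type="text"  name="wcath_contact[label]" value="<?php echo esc_attr( $opt['label'] ); ?>">
    <textarea name="wcath_contact[intro]"><?php echo esc_textarea( $opt['intro'] ); ?></textarea>
    <label><input type="checkbox" name="wcath_contact[show]" value="1" <?php checked( $opt['show'] ); ?>> Show</label>

    <p><?php echo esc_html( $opt['label'] ); ?>:
        <a href="<?php echo esc_url( 'mailto:' . $opt['email'] ); ?>"><?php echo esc_html( $opt['email'] ); ?></a>
    </p>
    <div><?php echo wp_kses( $opt['intro'], wcath_intro_allowed_html() ); ?></div>
    <?php
}
```

The point the three slides make together is visible in `wcath_render_contact_field()`: the same stored string is escaped differently depending on whether it lands in an attribute, a URL, a text node or an HTML fragment, and the output escaping is not skipped just because the input was sanitized earlier.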
  5. is_admin()

     • Belongs to the family of functions known as conditional tags
     • Checks if the dashboard or the administration panel is attempting to be displayed
     • Does NOT check current user capabilities
     • Will return true for all requests to an admin page, regardless of whether the user has the rights to access it
     • Will return true for requests to wp-admin/admin-ajax.php or wp-admin/admin-post.php etc.
     • Use `current_user_can()` whenever you want to check for current user capabilities
  6. wp_ajax_nopriv

     • Used to handle AJAX requests on the front-end for unauthenticated users
     • Do NOT use this hook for actions that are intended for logged-in users
     • Always implement strict security checks in functions called by this hook
     • Be aware that authenticated users can also call this action using the `nopriv_` prefix
  7. admin_init || init

     • admin_init is triggered before any other hook when a user accesses the admin area:
       • requests to wp-admin/admin-post.php
       • AJAX requests, as long as an action is specified
       • requests to wp-admin/admin.php, as long as the user is authenticated
     • The init action is called in both backend and frontend
     • Do NOT use these hooks without implementing security checks
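Slides 6 and 7 both come down to the same rule: a handler registered on `wp_ajax_nopriv_*`, `wp_ajax_*`, `admin_post_*` or `admin_init` is reachable by anyone who can send the request, so the handler itself must verify the nonce and, where the action is privileged, the capability. The PHP below is an added example for this transcript, not code from the talk; the plugin prefix `wcath`, the actions `wcath_vote`, `wcath_purge`, `wcath_export` and `wcath_reset`, and the option and transient names are all hypothetical.

```php
<?php
// Added example (not from the talk): the hooks from slides 6 and 7 with the checks
// the talk asks for. All 'wcath_' names, actions, options and transients are hypothetical.

// Public AJAX action, registered on BOTH hooks so logged-in and anonymous users run the
// same code path (an action meant for everyone still needs the nopriv_ twin).
add_action( 'wp_ajax_wcath_vote',        'wcath_handle_vote' );
add_action( 'wp_ajax_nopriv_wcath_vote', 'wcath_handle_vote' );

function wcath_handle_vote() {
    // CSRF: the nonce is bound to this action; check_ajax_referer() dies if it is missing or invalid.
    check_ajax_referer( 'wcath_vote', 'nonce' );

    // Validate input and apply the action's own rules: only published posts can be voted on.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }

    $count = (int) get_post_meta( $post_id, 'wcath_votes', true ) + 1;
    update_post_meta( $post_id, 'wcath_votes', $count );
    wp_send_json_success( array( 'votes' => $count ) );
}

// Privileged AJAX action: ONLY the wp_ajax_ hook, no nopriv_ twin, and the capability is
// checked anyway because "logged in" is not "allowed".
add_action( 'wp_ajax_wcath_purge', function () {
    check_ajax_referer( 'wcath_purge', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
    delete_transient( 'wcath_cache' );
    wp_send_json_success();
} );

// admin-post.php handler: any logged-in user can reach it, so the same two checks apply.
add_action( 'admin_post_wcath_export', function () {
    check_admin_referer( 'wcath_export' ); // nonce produced by wp_nonce_url() / wp_nonce_field()
    if ( ! current_user_can( 'export' ) ) {
        wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
    }
    // ... build and stream the export here ...
    wp_safe_redirect( add_query_arg( 'wcath_exported', '1', admin_url( 'tools.php' ) ) );
    exit;
} );

// admin_init fires for admin-ajax.php and admin-post.php requests too, not only for
// screens the user is entitled to see, so state-changing code here is gated like any handler.
add_action( 'admin_init', function () {
    if ( empty( $_GET['wcath_reset'] ) ) {
        return;
    }
    check_admin_referer( 'wcath_reset' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
    }
    delete_option( 'wcath_contact' );
} );
```

Note the asymmetry: the public action has a nonce but no capability check, because its audience is everyone; the privileged actions have both, and none of them rely on the hook name or on `is_admin()` to decide who is allowed.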
  8. Missing or Insufficient Capabilities Checks

     • WordPress implements a role-based access control system
     • Each role has a predefined set of capabilities
     • WordPress provides an API for both role-based and capability-based checks
     • Study the authentication and authorization system, learn the roles and capabilities
     • Always implement access controls when performing a user-requested action
     • Use the principle of least privilege
     • Use a single endpoint, if possible
     • Always protect endpoints
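Slide 5 (is_admin() is not an authorization check) and slide 8 (capability checks and least privilege) are illustrated together below. This is an added PHP example for this transcript, not code from the talk; the plugin prefix `wcath`, the post type `wcath_report`, the capabilities `wcath_manage_reports` and `wcath_delete_report`, and the menu slug are hypothetical.

```php
<?php
// Added example for slides 5 and 8 (not from the talk). Hypothetical: plugin prefix 'wcath',
// post type 'wcath_report', primitive capability 'wcath_manage_reports' (granted to roles)
// and meta capability 'wcath_delete_report' (checked per object).

// WRONG: is_admin() only answers "is this an admin-area request?", admin-ajax.php and
// admin-post.php included. It never looks at the user, so any logged-in subscriber passes.
function wcath_delete_report_wrong( $report_id ) {
    if ( ! is_admin() ) {
        return false;
    }
    return wp_delete_post( absint( $report_id ), true );
}

// RIGHT: authorization is a capability check on the current user, for this specific object.
function wcath_delete_report( $report_id ) {
    $report_id = absint( $report_id );
    if ( ! $report_id || ! current_user_can( 'wcath_delete_report', $report_id ) ) {
        return false;
    }
    return wp_delete_post( $report_id, true );
}

// Least privilege: a dedicated primitive capability instead of reusing 'manage_options',
// granted once (on activation) to exactly the roles that need it.
register_activation_hook( __FILE__, function () {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'wcath_manage_reports' );
        }
    }
} );

// Meta capability: map the per-object check onto primitives. Deleting someone else's report
// additionally requires 'edit_others_posts'; anything that is not a report is denied outright.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'wcath_delete_report' !== $cap ) {
        return $caps;
    }
    $post = isset( $args[0] ) ? get_post( $args[0] ) : null;
    if ( ! $post || 'wcath_report' !== $post->post_type ) {
        return array( 'do_not_allow' );
    }
    $caps = array( 'wcath_manage_reports' );
    if ( (int) $post->post_author !== (int) $user_id ) {
        $caps[] = 'edit_others_posts';
    }
    return $caps;
}, 10, 4 );

// Protected endpoint: the menu entry is gated by the primitive capability (users without it
// get no link and are refused on direct access), and the screen callback re-checks anyway,
// because the menu is not the only way to reach wp-admin/admin.php?page=wcath-reports.
add_action( 'admin_menu', function () {
    add_menu_page( 'Reports', 'Reports', 'wcath_manage_reports', 'wcath-reports', 'wcath_render_reports' );
} );

function wcath_render_reports() {
    if ( ! current_user_can( 'wcath_manage_reports' ) ) {
        wp_die( 'You are not allowed to view reports.', '', array( 'response' => 403 ) );
    }
    echo '<div class="wrap"><h1>' . esc_html__( 'Reports', 'wcath' ) . '</h1></div>';
}
```

Checking the meta capability rather than a role name is what lets the same call answer "may this user delete this report" for authors, editors and administrators without the plugin hard-coding who those are.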
  9. Missing or Globally Available Nonces

     • They are used to help protect specific actions from certain types of misuse, malicious or otherwise
     • They have a limited TTL
     • Given a specific action and user, the nonce stays the same during that period of time
     • Always use nonces
     • Never use the same nonce action for two distinct actions
     • Do NOT use nonces for authorizing access
     • Make nonces available ONLY in the page where they are required
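The slide's four rules (one nonce action per action, nonces only on the page that needs them, verification on every handler, and never using a nonce as authorization) in PHP, as an added example for this transcript rather than code from the talk. The plugin prefix `wcath`, the settings-page hook suffix `settings_page_wcath`, the script handle and the action names are hypothetical.

```php
<?php
// Added example for slide 9 (not from the talk). All 'wcath' names and actions are hypothetical.

// 1. Emit the nonce ONLY on the screen that needs it. admin_enqueue_scripts passes the hook
//    suffix of the current admin screen, so every other admin page stays nonce-free.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_wcath' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'wcath-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wcath-admin', 'wcathAdmin', array(
        'ajaxUrl'    => admin_url( 'admin-ajax.php' ),
        'purgeNonce' => wp_create_nonce( 'wcath_purge' ), // one action, one nonce
    ) );
} );

// 2. Per-object nonces: "delete report 42" and "delete report 43" are distinct actions, so the
//    object id is part of the nonce action (the same pattern core uses for 'delete-post_' . $id).
function wcath_delete_link( $report_id ) {
    $url = add_query_arg(
        array( 'action' => 'wcath_delete_report', 'report' => (int) $report_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wcath_delete_report_' . (int) $report_id );
}

// 3. In a form, wp_nonce_field() renders the nonce and referer hidden inputs for one action.
function wcath_render_archive_form( $report_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wcath_archive_report_' . (int) $report_id ); ?>
        <input type="hidden" name="action" value="wcath_archive_report">
        <input type="hidden" name="report" value="<?php echo esc_attr( (int) $report_id ); ?>">
        <button type="submit">Archive</button>
    </form>
    <?php
}

// 4. Verify on the handler. The nonce proves intent (anti-CSRF); the capability check proves
//    authorization. Both are required: a valid nonce never replaces current_user_can().
add_action( 'admin_post_wcath_delete_report', function () {
    $report_id = isset( $_GET['report'] ) ? absint( $_GET['report'] ) : 0;
    check_admin_referer( 'wcath_delete_report_' . $report_id ); // dies on a missing, wrong or expired nonce
    if ( ! $report_id || ! current_user_can( 'delete_post', $report_id ) ) {
        wp_die( 'You are not allowed to delete this report.', '', array( 'response' => 403 ) );
    }
    wp_delete_post( $report_id, true );
    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'options-general.php?page=wcath' ) ) );
    exit;
} );

// The mistake the slide warns about: one catch-all nonce for the whole plugin. A token that is
// valid for every handler, on every page, protects none of them for as long as it lives.
// wp_nonce_field( 'wcath' );   // do not do this
```

Because the nonce action carries the report id, a nonce issued for one report's delete link is rejected by `check_admin_referer()` when presented with a different `report` parameter, which is the practical meaning of "never use the same nonce action for two distinct actions".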
  10. Doing it Outside of WordPress

     Source: https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/
  11. Trust the User

     • Actually, never ever trust the user
     • Make the UI as simple as possible
     • Document, especially options
     • Try to avoid options that could have a critical security impact
     • If you have to include such settings, make as clear as possible what impact each option could have on the user's website security
     • Validate, sanitize & escape all input & output, even if it's something only admins can set or see
  12. References - Contact

     • https://www.owasp.org/
     • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
     • https://www.wordfence.com/learn
     • https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/
     • https://codex.wordpress.org
     • https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
     • https://codex.wordpress.org/Data_Validation
     • https://codex.wordpress.org/Roles_and_Capabilities
     • https://codex.wordpress.org/WordPress_Nonces
     • https://en.wikipedia.org/wiki/Principle_of_least_privilege
     • http://twig.sensiolabs.org/

     Contact information
     • [email protected]
     • https://gr.linkedin.com/in/panvagenas
     • https://twitter.com/panVagenas