
Panagiotis Vagenas - WordPress security doing it wrong, Top 10 9+1 common mistakes developers do - WordCamp Athens 2016


WordPress Greek Community

November 19, 2016

Transcript

  1. Doing it Wrong, Top 10
    9+1 common mistakes developers do
    Panagiotis Vagenas
    WordCamp Athens 2016


  2. Validating Input
    Panagiotis Vagenas WordCamp Athens 2016 2
    Goal: prevent processing malformed data
    How:

    Whitelist (good)

    Blacklist (bad)

    Type check (weak)
    Helper functions:

    PHP's `is_` family (e.g. is_int()) for type checks; note that every
    value in $_GET / $_POST arrives as a string, so is_int() is false for
    "42" and something like absint() or ctype_digit() is needed

    `sanitize_` family (e.g. sanitize_email()) used as a validator by
    round trip: the input is valid only if sanitize_email($x) === $x


  3. Sanitizing Input
    Panagiotis Vagenas WordCamp Athens 2016 3
    Goal: clean input from unwanted data
    Why:

    validation alone is not enough when the range of
    acceptable input is wide (free text, HTML, URLs)

    malformed input that gets stored or processed can lead
    to a successful attack
    Helper functions:

    `sanitize_` family (e.g. sanitize_email())

    `esc_` family (e.g. esc_html())

    `wp_kses`

    type casting


  4. Escaping Output
    Goal: clean output from unwanted characters or
    sequences of characters
    Why:

    prevent XSS

    prevent SEO spam (injected links and hidden content)
    How:

    Escape late, at the point of output, with the function
    that matches the context the value lands in

    Use a template engine that auto-escapes
    output (e.g. Twig)

    `esc_` family: esc_html() for text nodes, esc_attr() for
    attributes, esc_url() for href/src, esc_js() for inline script

    `wp_kses()`, `wp_kses_post()` &
    `wp_kses_allowed_html()` when some HTML must be allowed
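    An added example for slides 2 to 4 (not code from the deck): a plugin setting whose fields are validated against a whitelist, sanitized where the acceptable range is too wide to enumerate, and escaped per output context when rendered. The prefix `wcath_`, the option name `wcath_example`, the settings group and the field names are assumptions made here.

```php
<?php
// Added example for slides 2-4; not code from the deck. The prefix 'wcath_',
// the option 'wcath_example' and the field names are assumptions.

// VALIDATE: a whitelist of allowed values. Strict in_array() so that
// '0', '' or 0 cannot coerce to a match.
const WCATH_LAYOUTS = array( 'list', 'grid' );

function wcath_validate_layout( $value ) {
    return in_array( $value, WCATH_LAYOUTS, true ) ? $value : 'list';
}

// Tags allowed in the one rich-text field. The same list is used on input
// and on output, so what kses lets in is exactly what kses lets out.
function wcath_intro_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
    );
}

// SANITIZE: for fields whose acceptable range is too wide to enumerate,
// reduce the input to the shape we expect instead of trying to reject it.
function wcath_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    $clean['layout']   = wcath_validate_layout( isset( $input['layout'] ) ? $input['layout'] : '' );
    // absint() copes with $_POST values being strings; is_int() would not.
    $clean['per_page'] = min( 100, max( 1, absint( isset( $input['per_page'] ) ? $input['per_page'] : 10 ) ) );
    $clean['contact']  = isset( $input['contact'] ) ? sanitize_email( $input['contact'] ) : '';
    $clean['intro']    = isset( $input['intro'] ) ? wp_kses( $input['intro'], wcath_intro_allowed_html() ) : '';
    return $clean;
}

add_action( 'admin_init', function () {
    // The sanitize callback runs on every save, so unclean data never
    // reaches the options table.
    register_setting( 'wcath_group', 'wcath_example', 'wcath_sanitize_settings' );
} );

// ESCAPE: at the moment of output, with the function for the context the
// value lands in. Sanitizing on input is not a substitute: another plugin,
// an import or a direct DB edit may have changed the stored value since.
function wcath_render_settings() {
    $opts = wp_parse_args( (array) get_option( 'wcath_example', array() ), array(
        'layout'   => 'list',
        'per_page' => 10,
        'contact'  => '',
        'intro'    => '',
    ) );

    printf(
        '<div class="wcath-%1$s" data-per-page="%2$d">',
        esc_attr( $opts['layout'] ),   // HTML attribute context
        (int) $opts['per_page']        // integer: the cast is the escape
    );
    // HTML fragment: same allowlist as on input.
    echo wp_kses( $opts['intro'], wcath_intro_allowed_html() );
    if ( '' !== $opts['contact'] ) {
        printf(
            '<a href="%1$s">%2$s</a>',
            esc_url( 'mailto:' . $opts['contact'] ),   // URL context
            esc_html( $opts['contact'] )               // text node context
        );
    }
    echo '</div>';
}
```

    Note that the `layout` field is the only one that can be validated against a closed list; `per_page`, `contact` and `intro` have ranges too wide for a whitelist, which is exactly the case slide 3 describes, so they are sanitized on the way in and still escaped on the way out.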


  5. is_admin()

    Belongs to the family of functions known as
    conditional tags

    Checks whether the dashboard or the administration
    panel is being displayed (i.e. whether WP_ADMIN is defined)

    Does NOT check current user capabilities

    Returns true for all requests to an admin page,
    regardless of whether the user has the rights to access it

    Returns true for requests to
    wp-admin/admin-ajax.php or wp-admin/admin-post.php etc.,
    which do not require a login at all

    Use `current_user_can()` whenever you want
    to check for current user capabilities


  6. wp_ajax_nopriv

    The `wp_ajax_nopriv_{action}` hook handles AJAX requests
    sent to admin-ajax.php by unauthenticated (logged-out) users

    Do NOT use this hook for actions that are
    meant for logged-in users

    Always implement strict security checks in
    functions called by this hook

    Be aware that authenticated users can also reach a
    nopriv handler: admin-ajax.php builds the hook name as
    `wp_ajax_` + the `action` request parameter, so a logged-in
    user sending action=nopriv_foo fires `wp_ajax_nopriv_foo`
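    An added example for slide 6 (not code from the deck): a small model of how admin-ajax.php picks the hook name, which makes the `nopriv_` prefix trick visible, followed by a public handler on the `nopriv` hook and a privileged handler that is registered on the logged-in hook only and still checks nonce and capability. The prefix `wcath_` and the two action names are assumptions.

```php
<?php
// Added example for slide 6; not code from the deck. The prefix 'wcath_'
// and the two actions are assumptions.

// Model of the dispatch in wp-admin/admin-ajax.php: the action name is
// taken from $_REQUEST['action'] and appended to one of two prefixes,
// chosen only by is_user_logged_in(). Written as a function here so the
// prefix trick from the slide can be seen without a running site.
function wcath_model_ajax_hook( $action, $logged_in ) {
    return ( $logged_in ? 'wp_ajax_' : 'wp_ajax_nopriv_' ) . $action;
}
// wcath_model_ajax_hook( 'wcath_public', false )       -> 'wp_ajax_nopriv_wcath_public'
// wcath_model_ajax_hook( 'nopriv_wcath_public', true ) -> 'wp_ajax_nopriv_wcath_public'
// Same handler, reached by a logged-in user. A nopriv handler therefore
// cannot assume "the caller is anonymous", and nothing in it may depend
// on the current user being nobody.

// Public handler: publicly visible data only, with the input sanitized.
add_action( 'wp_ajax_nopriv_wcath_public', 'wcath_ajax_public' );
function wcath_ajax_public() {
    $slug  = isset( $_GET['slug'] ) ? sanitize_title( wp_unslash( $_GET['slug'] ) ) : '';
    $posts = $slug ? get_posts( array(
        'name'        => $slug,
        'post_type'   => 'post',
        'post_status' => 'publish',   // never leak drafts or private posts
        'numberposts' => 1,
    ) ) : array();
    if ( empty( $posts ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'title' => get_the_title( $posts[0] ) ) );
}

// WRONG: hanging a privileged handler on the nopriv hook "so the button
// also works for guests" gives the action to every visitor on the internet.
// add_action( 'wp_ajax_nopriv_wcath_trash', 'wcath_ajax_trash' );

// Privileged handler: logged-in hook only, and it still verifies the
// request (nonce) and the caller's right to this particular object
// (capability). Being on wp_ajax_ only proves that a login cookie was sent.
add_action( 'wp_ajax_wcath_trash', 'wcath_ajax_trash' );
function wcath_ajax_trash() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    check_ajax_referer( 'wcath_trash_' . $post_id, 'nonce' );   // dies with 403 on failure
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( 'could not trash post', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

    The model function is the whole point of the slide: because the prefix is chosen by login state and the rest of the hook name comes from the request, a `nopriv` handler is reachable by everyone, logged in or not, and must be written as if it were a public endpoint.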


  7. admin_init || init

    admin_init is triggered before any other hook
    when a user accesses the admin area, and that includes:

    requests to wp-admin/admin-post.php, logged in or not

    AJAX requests to wp-admin/admin-ajax.php, logged in or
    not, as long as an action is specified

    requests to wp-admin/admin.php (and the other admin
    screens), once the user is authenticated

    init action is called in both backend and
    frontend, for every request

    Do NOT perform privileged work in these hooks without
    implementing capability and nonce checks


  8. Missing or Insufficient Capabilities Checks

    WordPress implements a role-based access
    control system

    Each role has a predefined set of capabilities

    WordPress provides an API for both role-based
    and capability-based checks; check capabilities
    (`current_user_can()`), not role names

    Study the authentication and authorization
    system, learn the roles and capabilities

    Always implement access controls when
    performing a user-requested action

    Use the principle of least privilege

    Use a single endpoint per action, if possible, so the
    check lives in one place instead of in every hook

    Always protect endpoints
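    An added example for slides 5, 7 and 8 together (not code from the deck): the `is_admin()` gate on `admin_init` that slides 5 and 7 warn about, beside a dedicated `admin_post_` endpoint with a capability check, and a `map_meta_cap` filter that applies least privilege at the object level. The prefix `wcath_`, the option name, the `wcath_report` post type and the capability names are assumptions.

```php
<?php
// Added example for slides 5, 7 and 8; not code from the deck. The prefix
// 'wcath_', the option name and the report capabilities are assumptions.

// WRONG. admin_init fires for wp-admin/admin-post.php and admin-ajax.php,
// which require no login, and is_admin() is true on every one of those
// requests because WP_ADMIN is defined there. So any visitor who POSTs
// wcath_reset=1 to admin-post.php wipes the option.
add_action( 'admin_init', 'wcath_reset_insecure' );
function wcath_reset_insecure() {
    if ( is_admin() && ! empty( $_POST['wcath_reset'] ) ) {
        delete_option( 'wcath_example' );
    }
}

// RIGHT. One dedicated endpoint for the action (admin_post_{action} fires
// only for logged-in users; the guest variant is admin_post_nopriv_*),
// a capability check for the operation, and a nonce check for the request.
add_action( 'admin_post_wcath_reset', 'wcath_reset_secure' );
function wcath_reset_secure() {
    // Authorization: ask for the capability the data needs, never for a
    // role name, and never rely on is_admin().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to do that.', 'wcath' ), '', array( 'response' => 403 ) );
    }
    // Request integrity (anti-CSRF): action-specific nonce; dies on failure.
    check_admin_referer( 'wcath_reset' );

    delete_option( 'wcath_example' );
    wp_safe_redirect( add_query_arg( 'wcath-reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Least privilege. Give the plugin its own primitive capability instead of
// piggybacking on manage_options, grant it to the roles that need it, and
// resolve object-level questions ("may this user edit report 42?") through
// map_meta_cap so handlers can ask current_user_can( 'wcath_edit_report', 42 ).
register_activation_hook( __FILE__, function () {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'wcath_manage_reports' );
        }
    }
} );

add_filter( 'map_meta_cap', 'wcath_map_report_cap', 10, 4 );
function wcath_map_report_cap( $caps, $cap, $user_id, $args ) {
    if ( 'wcath_edit_report' !== $cap ) {
        return $caps;
    }
    $report_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( ! $report_id || 'wcath_report' !== get_post_type( $report_id ) ) {
        return array( 'do_not_allow' );   // unknown or foreign object: deny
    }
    $owner = (int) get_post_field( 'post_author', $report_id );
    // The author of a report may edit it; everybody else needs the
    // primitive capability granted above.
    return ( $owner === (int) $user_id ) ? array( 'read' ) : array( 'wcath_manage_reports' );
}
```

    The insecure version fails twice over: `is_admin()` answers "is this an admin-side request?", not "is this caller allowed?", and `admin_init` is reachable without a session through admin-post.php. The secure version moves the work to one endpoint and makes the capability question explicit.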


  9. Missing or Globally Available Nonces

    They are used to help protect specific actions
    from certain types of misuse, malicious or
    otherwise (mainly CSRF)

    They have a limited TTL (12 to 24 hours by default)

    Given a specific action and user, the nonce stays the
    same during that period of time, so it is not a true
    one-time number

    Always use nonces

    Never use the same nonce action for two distinct
    actions; bind the object (e.g. the post ID) into the action name

    Do NOT use nonces for authorizing access; a valid nonce
    does not replace a capability check

    Make nonces available ONLY in the page where they
    are required
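    An added example for slide 9 (not code from the deck): nonce actions scoped per operation and per object, a nonce emitted only on the one admin screen that needs it, and a verifier that reads the TTL information `wp_verify_nonce()` returns while still doing the capability check. The prefix `wcath_`, the page hook suffix `settings_page_wcath` and the script handle are assumptions.

```php
<?php
// Added example for slide 9; not code from the deck. The prefix 'wcath_',
// the hook suffix 'settings_page_wcath' and the script handle are assumptions.

// One nonce action per operation AND per object: 'wcath_trash_' . $id.
// A nonce minted for "trash report 7" must not be accepted for
// "trash report 8" or for "delete report 7". A single 'wcath_nonce'
// used everywhere would collapse all of them into one token.
function wcath_trash_link( $report_id ) {
    $url = add_query_arg(
        array( 'action' => 'wcath_trash', 'post_id' => (int) $report_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wcath_trash_' . (int) $report_id );   // appends _wpnonce=...
}

// Make the nonce available only on the screen that needs it. Printing it
// into every admin page's <head>, or onto the front end, lets any XSS or
// any page that leaks its HTML pick it up.
add_action( 'admin_enqueue_scripts', 'wcath_enqueue_settings_js' );
function wcath_enqueue_settings_js( $hook_suffix ) {
    if ( 'settings_page_wcath' !== $hook_suffix ) {
        return;   // not our screen: no script, no nonce
    }
    wp_enqueue_script( 'wcath-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wcath-settings', 'wcathSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wcath_save_settings' ),
    ) );
}

// wp_verify_nonce() encodes the TTL behaviour in its return value:
//   1     created in the current 12-hour tick
//   2     created in the previous tick (still valid, hence a 12-24 hour life)
//   false expired, wrong action or wrong user
// A nonce is NOT authorization: it only says "this request came from a
// page I rendered for this user recently". The capability check stays.
add_action( 'wp_ajax_wcath_save_settings', 'wcath_handle_save' );
function wcath_handle_save() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    $age   = wp_verify_nonce( $nonce, 'wcath_save_settings' );
    if ( false === $age ) {
        wp_send_json_error( 'bad or expired nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... validate, sanitize and store the submitted settings here ...
    wp_send_json_success( array( 'nonce_age' => $age ) );
}
```

    Because the token for a given user and action is constant for the whole tick, a leaked nonce is reusable for up to a day; that is why the slide insists on emitting it only where it is needed and on keeping the capability check alongside it.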


  10. Doing it Outside of WordPress
    source: https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/


  11. Trust the User

    Actually, never ever trust the user

    Make the UI as simple as possible

    Document, especially options

    Try to avoid options that could have a critical
    security impact

    If you have to include such settings, make it as clear
    as possible what impact each option could have
    on the user's website security

    Validate, sanitize & escape all input & output,
    even if it's something only admins can set or see


  12. References - Contact

    https://www.owasp.org/

    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    https://www.wordfence.com/learn

    https://www.wordfence.com/blog/2016/08/top-20-attacked-themes-and-who/

    https://codex.wordpress.org

    https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

    https://codex.wordpress.org/Data_Validation

    https://codex.wordpress.org/Roles_and_Capabilities

    https://codex.wordpress.org/WordPress_Nonces

    https://en.wikipedia.org/wiki/Principle_of_least_privilege

    http://twig.sensiolabs.org/
    Contact information
    https://gr.linkedin.com/in/panvagenas
    https://twitter.com/panVagenas
