
Web Application Security That WordPress Administrators Should Know (WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ) / owasp-wordpress-meetup

Yoshinori Matsumoto

October 19, 2018

Transcript

  1. [title slide] Yoshinori Matsumoto (@ym405nm)

  2. [self-introduction; slide text garbled in source]
  3. [slide text garbled in source; recoverable terms: 2018/10/8, "No Security No Life", WordPress]
  4. OWASP

  5. OWASP • OWASP (Open Web Application Security Project) – a community focused on web application security [remainder of slide garbled in source]
  6. OWASP • OWASP Foundation – founded 2001 – non-profit (NPO) – about 200 local chapters
  7. Japan: OWASP Local Chapters
  8. WORDPRESS

  9. WordPress [slide text garbled in source]
  10. WordPress • OWASP Top 10 and WordPress • OWASP WordPress Security Implementation Guideline
  11. OWASP Top 10 – [description garbled in source; mentions Web and API] • OWASP JAPAN https://www.owasp.org/index.php/Japan
  12. WordPress security – the security documentation published on WordPress.org [remainder garbled in source] – the OWASP Top 10 (2013) as applied to WordPress: https://ja.wordpress.org/security/
  13. OWASP WordPress Security Implementation Guideline – OWASP's guideline for securing a WordPress installation [description garbled in source; mentions DB] https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
  14. WordPress [bullet list; slide text garbled in source] • WordPress.[…] • […] • WordPress […]
  15. WordPress – XML-RPC, wp-login.php • OWASP Top 10: A2 (Broken Authentication) • WP: [garbled in source]
  16. [slide text garbled in source; recoverable terms: MD5, wp-login.php, XML-RPC, IP]
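Slides 15 and 16 name the two password-guessing entry points, wp-login.php and XML-RPC, and the garbled text of slide 16 also mentions the client IP. The following must-use plugin is an added example written for this page, not code from the talk or from WordPress core: it counts failed logins per client IP in a transient, refuses further attempts once a threshold is reached, and turns off the credential-bearing XML-RPC methods. The plugin name, the `demo_` helper names, the threshold and the lockout window are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Demo Login Throttle (added example, not code from the talk)
 *
 * Drop into wp-content/mu-plugins/. Counts failed logins per client IP in a
 * transient, refuses further attempts for a lockout window once the threshold
 * is reached, and disables the authenticated XML-RPC API. Names and numbers
 * are assumptions made for this example.
 */

const DEMO_MAX_FAILURES = 5;         // failed attempts allowed per IP per window
const DEMO_LOCKOUT_SECS = 15 * 60;   // counting / lockout window in seconds

// Assumption: no reverse proxy in front of WordPress. Behind one, REMOTE_ADDR is
// the proxy's address; take the client IP from the proxy's header only if you trust it.
function demo_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function demo_fail_key( $ip ) {
    return 'demo_login_fail_' . md5( $ip );   // short, option-safe transient name
}

// Fired for every failed password check, whether it arrived via wp-login.php or XML-RPC.
add_action( 'wp_login_failed', function ( $username ) {
    $key = demo_fail_key( demo_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, DEMO_LOCKOUT_SECS );
} );

// Priority 30 runs after core's wp_authenticate_username_password (priority 20), so a
// WP_Error returned here overrides even a correct password while the IP is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( demo_fail_key( demo_client_ip() ) ) >= DEMO_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( demo_fail_key( demo_client_ip() ) );
}, 10, 2 );

// XML-RPC: refuse every method that requires credentials (wp.*, metaWeblog.*, ...) ...
add_filter( 'xmlrpc_enabled', '__return_false' );

// ... and drop the pingback methods, which work without credentials at all.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
```

Two caveats before deploying this on a real site. Jetpack (slide 17) talks to WordPress.com over XML-RPC, so on a site that uses Jetpack leave `xmlrpc_enabled` alone and keep only the login throttle. And because the lockout is keyed on the address WordPress sees, a site behind a CDN or load balancer would lock out the proxy rather than the attacker unless the real client address is derived from a header you control.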
  17. JETPACK

  18. [Jetpack / plugins; slide text garbled in source] • OWASP Top 10: A9 (Using Components with Known Vulnerabilities) • WP: [garbled in source]
  19. WordPress – SQL injection, XSS (JavaScript injection) • OWASP Top 10: A1 (Injection: SQL injection), A7 (Cross-Site Scripting)
  20. WordPress – The WordPress Codex Is Your Friend… • SQL: $wpdb->prepare • output escaping: wp_kses, esc_html / esc_attr [JavaScript context; remainder garbled in source] • file upload: How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ – current_user_can('upload_files') – wp_check_filetype (extension and MIME type check)
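The APIs named on slide 20, shown side by side in the form that produces the slide 19 bugs and the hardened form. This is an added example for this page, not code from the talk, the Codex or the Wordfence article; the `demo_` function names, the nonce action `demo_upload` and the allowed-type list are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Demo Hardening (added example, not code from the talk)
 *
 * Each function exists twice: "_unsafe" is the classic plugin bug, "_safe" uses the
 * WordPress API named on the slide. Function names, the nonce action 'demo_upload'
 * and the allowed-type list are assumptions made for this example.
 */

// ---------- 1. SQL injection (OWASP Top 10 A1) ----------

// VULNERABLE: request data concatenated into SQL. $author = "1' OR '1'='1" dumps every post.
function demo_posts_by_author_unsafe( $author ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = '" . $author . "'"
    );
}

// HARDENED: %d / %s placeholders; $wpdb->prepare() casts and quotes every value itself.
function demo_posts_by_author_safe( $author_id ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s",
        absint( $author_id ),
        'publish'
    ) );
}

// ---------- 2. Cross-site scripting (A7) ----------

// VULNERABLE: the search term is echoed into a text node and an attribute unescaped.
function demo_render_search_unsafe() {
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    echo '<p>Results for: ' . $q . '</p>';
    echo '<input type="text" name="q" value="' . $q . '">';
}

// HARDENED: sanitize on input, escape for the exact output context (esc_html vs esc_attr).
function demo_render_search_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// When limited HTML must be allowed (a comment body), run it through the kses allow-list.
function demo_render_rich_text( $html ) {
    echo wp_kses_post( $html );   // the tags/attributes WordPress permits in post content
}

// ---------- 3. File upload ----------

// VULNERABLE: no capability or type check; the client-supplied name decides what lands where.
function demo_handle_upload_unsafe() {
    move_uploaded_file(
        $_FILES['file']['tmp_name'],
        WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name']   // e.g. shell.php
    );
}

// HARDENED: nonce, capability, allow-listed extension/MIME pair, then let core store the file.
function demo_handle_upload_safe() {
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'demo_upload' ) ) {
        wp_die( 'Invalid request.' );
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.' );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'No file uploaded.' );
    }

    // Only these extension => MIME pairs are accepted; .php, .phtml, .htaccess fail here.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype( $_FILES['file']['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_die( 'File type not allowed.' );
    }

    // wp_handle_upload() re-checks the declared type against the file contents
    // (wp_check_filetype_and_ext), sanitizes the filename and stores it under uploads/.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    return $result['url'];
}
```

The ordering in the hardened upload handler is deliberate: the nonce and capability checks reject the request before any file-type logic runs, so an unauthenticated client never reaches the parsing code, and the allow-list is passed to both `wp_check_filetype()` and `wp_handle_upload()` so the same set of types is enforced at the name check and at the content check.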
  22. OWASP ZAP • OWASP's [web application scanner; description garbled in source] • […] • […] • OWASP ZAP Hands-on In Osaka (2015-02-10) https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka-2015-02-10
  23. WPScan • WordPress [vulnerability scanner; description garbled in source] • […] • WordPress […] • WPScan and WordPress: https://www.slideshare.net/owaspnagoya/wpscanwordpress4
  24. WPScan [findings; slide text garbled in source] • ID […] → […] • WordPress […] → […] • readme.html (shipped with WordPress core and contains the installed version string) → […]
  27. Summary • WordPress […] – OWASP Top 10 and WordPress – OWASP WordPress Security Implementation Guideline • WordPress […] • #twpm1019