Yoshinori Matsumoto (@ym405nm)
2018/10/8 / No Security No Life / WordPress
OWASP
OWASP (Open Web Application Security Project)
OWASP Foundation: 2001 / NPO / 200 Chapters
Japan: OWASP Local Chapters
WORDPRESS
WordPress
• WordPress
• OWASP TOP 10
• OWASP WordPress Security Implementation Guideline
OWASP TOP 10
OWASP JAPAN: https://www.owasp.org/index.php/Japan
WordPress.org / OWASP TOP 10 (2013) / https://ja.wordpress.org/security/
OWASP WordPress Security Implementation Guideline: https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
WordPress XML RPC / wp-login.php (TOP10: A2 / WP:)
MD5 / wp-login.php / IP
JETPACK
WordPress (TOP10: A9 / WP:)
WordPress: SQL / XSS / JavaScript (TOP10: A1 / A7)
The WordPress Codex Is Your Friend…
• $wpdb->prepare
• wp_kses
• esc_html / esc_attr (JavaScript)
• How to Prevent File Upload Vulnerabilities: https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
• current_user_can('upload_files')
• wp_check_filetype (MIME)
OWASP ZAP
OWASP ZAP Hands-on In Osaka (2015-02-10): https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka-2015-02-10
WPScan / WordPress
WPScan: https://www.slideshare.net/owaspnagoya/wpscanwordpress
WPScan: ID / WordPress / readme.html
WordPress / OWASP TOP10 / OWASP WordPress Security Implementation Guideline
#twpm1019