WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup

/ Yoshinori Matsumoto
@ym405nm

View Slide

, ,
lc t C JB KA
SO rm ids P e

1, 2 a N phoc
Wnk

1
6 05 2 6 , 20 ,

View Slide

&#\-A ]
(5 (2018/10/8 !)
@8C89
RNWK0No Security No Life1A<6C89
,89GWordPress%:;9
WordPress RNWXTLMYPUYVAOZQQSUL
→F72IRNWXTLBA =/"?>
'HA0,+1J
[email protected]
→ 5*DI=7)@*4A?3 WordPress A
@39[

View Slide

OWASP

View Slide

OWASP(,
• OWASP
(Open Web Application Security Project)
– [email protected];HLA:84 8#5$.
+)– 0+ ,/%79+!(315

(8/&$?D>GL?B-$IO=+
JN*24*'5 "
6$8

View Slide

OWASP
• OWASP Foundation
– 2001
–
NPO
– 200 Chapter

View Slide

Japan : OWASP Local Chapters

View Slide

WORDPRESS

View Slide

WordPress"%
$"%&!

WordPress

$"%&!

View Slide

WordPress

WordPress

OWASP TOP 10
WordPress

OWASP WordPress Security
Implementa:on Guideline

View Slide

OWASP TOP 10
Web8AD &.#)"101)2
57( 6
/03!#, $7'-,$
76
?:[email protected]>;?
:[email protected]
+*,3$7( 6
,3$7( 6
OWASP JAPAN
https://www.owasp.org/index.php/Japan

View Slide

WordPress 209:3/
WordPress.org -,209:3/
.&!(5098;4%

#209:3/*WordPress%
17963/%209:3/$%+
'#")-,
OWASP TOP 10 (2013 ) % WordPress
%-,

+
WordPress 209:3/
h6ps://ja.wordpress.org/security/

View Slide

OWASP WordPress Security Implementation Guideline
OWASP $"' WordPress
(#,+-'
+-&)-%!
WordPress
$.*DB

!

https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

View Slide

WordPress'",-(
• WordPress.$!/
•
• WordPress

-
1*",+/)2

*",+/)
WordPress %!)0

View Slide

WordPress

XML RPC
wp-login.php
TOP10 : A2(
)
WP :

View Slide

P=6R,A;KMD5
:B:B
EI8NF
wp-login.php,42497RFPC<
[email protected]?S,
LS>-*!!$3"+%0 (1
[email protected]% $V
A;KMD5.,””TU3# )&1$V
.,-*2'0
)&1$V

View Slide

JETPACK

View Slide

A /@
$3 3,@&
'7/@
.2)6)UYID\9#/@_39 `
•
• N]W
• UYID\

WordPress8LGXZNCBMUO]PA3!/@
OTF[P3%>1:58-4+)"?);.=*^
TOP10 : A9(88(@
J\V]R\P8)
WP :LGXZNCZZ]K80<8
SMHIYE\Q

View Slide

WordPress
!
SQL$:+&'*6:
XSS='9,;)$1;,'73/#:(>
0<-4<,
0<-4<,
JavaScript
)$1)$1
58%&".%:9<2
TOP10 : A1($:+&'*6:)
A7('9,)$1,'73/#:()

View Slide

WordPress
+,+
The WordPress Codex Is Your Friend…
$wpdb->prepare ;@B46B, 21>&
wp_kses
esc_html / esc_attr
%*+JavaScript&
How to Prevent File Upload Vulnerabilities
https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
current_user_can('upload_files')
&=B3,)!
#'.8;AB9,)!$
wp_check_ﬁletype
:-/?5/;,7082+
MINE5/;,("7082+ +

View Slide

View Slide

OWASP ZAP
• OWASP),.14>?;>
• ?D58* • [email protected]('%
),. %!.
• :5AB=2 ('%#/.
('
OWASP ZAP Hands-on In Osaka (2015-02-10)
https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka-
2015-02-10
"*) %$.&
16:9) $. -+$

View Slide

WPScan
• WordPress3+- C>MSETQ
• [email protected]=S$FTL$4ITBNS;#+.$"
,:
21(#/):
• WordPress4!216#/):
• 4JCRTHPCG'84
-96/):
&21
WPSCan37:WordPress
h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4
C>MS
*4ETQ;4A=G3/,:0

View Slide

WPScan9E/C3:
• ID*UN\_S>%
→ %VGI[0'"
• WordPress>*WZKI]^Q_X>T_MY]
→
)F-2C! <;
• "→ readme.html :/
&>T_MY]9? readme.html /AT_MY]0.8,C
3>P_[F>LIR=95C:
HJON= #5C [email protected]
3D72$916A
,,>9?`

View Slide

View Slide

$ %
• WordPress!%0+215/
OWASP TOP10
WordPress-+23.)
•
WordPress"4,*5(&
(&
WordPress"
(
-+23.)'#6(&
#twpm1019

View Slide

WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup

WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup

yoshinori matsumoto

More Decks by yoshinori matsumoto

Other Decks in Technology

Featured

Transcript