
Web Application Security WordPress Administrators Should Know / owasp-wordpress-meetup

yoshinori matsumoto

October 19, 2018

Transcript

  1. Yoshinori Matsumoto
     @ym405nm


  2. (slide text not recoverable from the transcript)

  3. (slide text largely not recoverable; legible fragments: 2018/10/8, "No Security No Life", WordPress)

  4. OWASP

  5. OWASP
     • OWASP (Open Web Application Security Project)
     (remaining slide text not recoverable)

  6. OWASP
     • OWASP Foundation
       – 2001
       – NPO
       – 200 chapters

  7. Japan: OWASP Local Chapters
     (figure; no transcript text)

  8. WORDPRESS

  9. WordPress
     (remaining slide text not recoverable)

  10. WordPress
      (slide text partly not recoverable; legible items:)
      OWASP TOP 10
      WordPress
      OWASP WordPress Security Implementation Guideline

  11. OWASP TOP 10
      (slide text largely not recoverable)
      OWASP JAPAN
      https://www.owasp.org/index.php/Japan

  12. WordPress Security
      WordPress.org security (white paper)
      (slide text partly not recoverable)
      OWASP TOP 10 (2013) and WordPress
      WordPress Security
      https://ja.wordpress.org/security/

  13. OWASP WordPress Security Implementation Guideline
      (slide text largely not recoverable; mentions OWASP, WordPress, DB)
      https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

  14. WordPress
      (remaining slide text not recoverable)

  15. WordPress
      XML-RPC
      wp-login.php
      OWASP TOP 10: A2 (Broken Authentication)
      WP: (text not recoverable)

  16. (slide text largely not recoverable)
      wp-login.php
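Slides 15 and 16 point at OWASP A2 (Broken Authentication) through wp-login.php and XML-RPC; on WordPress that almost always means password guessing against those two endpoints, with xmlrpc.php's system.multicall letting one request carry hundreds of guesses. The following must-use plugin is an added example (not code from the talk and not WordPress core): it counts failed logins per client address with transients, refuses authentication once a threshold is reached, and turns off XML-RPC's authenticated methods. The threshold, the window, the function names and the `ll_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login lockout (added example; not from the talk or WordPress core)
 *
 * Place in wp-content/mu-plugins/. Rate-limits failed logins per client IP.
 * wp-login.php and xmlrpc.php share the same authenticate pipeline, so both
 * are covered. Threshold and window below are assumptions.
 */

const LL_MAX_FAILURES   = 5;    // failures allowed per window (assumption)
const LL_WINDOW_SECONDS = 900;  // 15-minute window and lockout (assumption)

// Transient key for this client's failure counter. REMOTE_ADDR is only the
// real client when no reverse proxy is in front; behind a proxy, use the
// forwarded header only after checking the request really came from the proxy.
function ll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_fail_' . md5( $ip );
}

// Count a failed login. Core fires this for wp-login.php and XML-RPC alike,
// and also for attempts refused by ll_block_if_locked(), which extends the
// lockout while guessing continues.
function ll_record_failure( $username ) {
    $key   = ll_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Refuse authentication while the client is locked out. Priority 30 runs
// after core's username/password check (priority 20), so even a correct
// password cannot log in during the window.
function ll_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( ll_client_key() ) >= LL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'll_block_if_locked', 30, 3 );

// Reset the counter after a successful login.
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_client_key() );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );

// Disable the XML-RPC methods that require a login (the ones abused for
// password guessing via system.multicall). Unauthenticated methods such as
// pingback.ping still answer, so deny /xmlrpc.php at the web server if the
// site does not need it (Jetpack and the mobile apps do).
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Two caveats a practitioner would add: a per-address counter does nothing against guessing spread over many source addresses, so it complements rather than replaces strong passwords and a second factor; and behind a CDN or reverse proxy every visitor shares REMOTE_ADDR, so deploy it only after the proxy's client address is wired in as noted in the code.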

  17. JETPACK


  18. (slide text largely not recoverable)
      WordPress
      OWASP TOP 10: A9 (Using Components with Known Vulnerabilities)
      WP: (text not recoverable)

  19. WordPress
      SQL injection
      XSS (cross-site scripting)
      JavaScript
      OWASP TOP 10: A1 (Injection), A7 (Cross-Site Scripting)

  20. WordPress
      (slide text partly not recoverable)
      The WordPress Codex Is Your Friend…
      $wpdb->prepare
      wp_kses
      esc_html / esc_attr
      JavaScript
      How to Prevent File Upload Vulnerabilities
      https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
      current_user_can('upload_files')
      wp_check_filetype
      MIME type
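Slides 19 and 20 name the three plugin-level bug classes (SQL injection, XSS, unrestricted upload) and the core APIs that address them. The block below is an added example, not code from the talk or from WordPress core: for each class it puts a flawed plugin-style snippet beside the corrected form using the functions the slide lists. For the upload case it uses wp_check_filetype_and_ext(), which inspects file content as well as the extension that wp_check_filetype() alone looks at. Function names, the `example_` prefix, the request parameters and the nonce action are assumptions for illustration.

```php
<?php
// Added example for the "Codex is your friend" slide; not from the talk or
// WordPress core. Names prefixed example_ and the request fields are assumptions.

// --- SQL injection (OWASP A1) -------------------------------------------

// Vulnerable: user input concatenated into the query string.
function example_search_posts_vulnerable( $term ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%'"
    );
}

// Fixed: $wpdb->prepare() binds the value as a literal; esc_like() keeps
// % and _ in the input from acting as wildcards.
function example_search_posts_fixed( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
            $like
        )
    );
}

// --- Cross-site scripting (OWASP A7) ------------------------------------

// Vulnerable: request data echoed straight into an attribute and element body.
function example_greeting_vulnerable() {
    $name = isset( $_GET['name'] ) ? wp_unslash( $_GET['name'] ) : '';
    echo '<p class="greeting" title="' . $name . '">Hello, ' . $name . '</p>';
}

// Fixed: escape for the output context. esc_attr() inside an attribute,
// esc_html() for element content.
function example_greeting_fixed() {
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';
    echo '<p class="greeting" title="' . esc_attr( $name ) . '">Hello, ' . esc_html( $name ) . '</p>';
}

// When limited markup must survive, wp_kses() keeps only the listed tags and
// attributes; <script>, on* handlers and javascript: URLs are stripped.
function example_bio_fixed( $bio_html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    echo wp_kses( $bio_html, $allowed );
}

// --- File upload ----------------------------------------------------------

// Vulnerable: no capability check, client-supplied name trusted, any content
// written to a web-reachable directory (a .php payload becomes a web shell).
function example_upload_vulnerable() {
    $dest = wp_upload_dir()['path'] . '/' . $_FILES['f']['name'];
    move_uploaded_file( $_FILES['f']['tmp_name'], $dest );
}

// Fixed: require the capability, verify the nonce, and let core check the
// extension against the MIME type actually found in the file content.
function example_upload_fixed() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html__( 'You are not allowed to upload files.' ), 403 );
    }
    check_admin_referer( 'example_upload' ); // nonce action used by the form (assumption)

    $file  = $_FILES['f'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( esc_html__( 'File type not allowed.' ), 400 );
    }
    // wp_handle_upload() re-runs the type check, renames on collision and
    // writes only under the uploads directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    return $result['file'];
}
```

The pattern across all three pairs is the same: validate or bind at the trust boundary (prepare, capability plus nonce, content-based type check) and escape at the point of output, never at the point of input.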




  21. (no transcript text)

  22. OWASP ZAP
      • (bullet text not recoverable)
      OWASP ZAP Hands-on In Osaka (2015-02-10)
      https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka-2015-02-10

  23. WPScan
      • WordPress (bullet text not recoverable)
      WPScan and WordPress (OWASP Nagoya)
      https://www.slideshare.net/owaspnagoya/wpscanwordpress4

  24. WPScan
      • (text not recoverable)
      • → readme.html
      (remaining slide text not recoverable)
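Slide 24 names readme.html as one of the places WPScan reads the installed version from; the generator meta tag and the ?ver= query string on core assets are the other two easy sources. As an added example (not from the talk or from WordPress core), the must-use plugin below removes those two in-page leaks; the `rvf_` prefix is an assumption. readme.html is a static file that PHP never sees, so it has to be deleted after each core update or denied at the web server.

```php
<?php
/**
 * Plugin Name: Reduce version fingerprinting (added example; not from the talk)
 *
 * Removes the generator tag and the ?ver= asset query strings that WPScan and
 * similar scanners use to read the WordPress version. readme.html is not
 * handled here: delete it after every core update or deny it in the web
 * server configuration.
 */

// Drop <meta name="generator" content="WordPress x.y"> from the head and from
// feed output (core passes $gen and $type; the empty-string callback ignores both).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Strip ?ver=x.y from script and style URLs. This also removes core's
// cache-busting parameter, so set explicit cache headers for static assets.
function rvf_strip_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'rvf_strip_version', 9999 );
add_filter( 'style_loader_src', 'rvf_strip_version', 9999 );
```

Hiding the version only raises the attacker's cost; WPScan can still fingerprint a release from hashes of static files, and the real control against slide 18's A9 is keeping core, themes and plugins updated.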




  25. (no transcript text)


  26. (no transcript text)

  27. (title not recoverable)
      • WordPress security (bullet text partly not recoverable)
      OWASP TOP10
      WordPress Security (WordPress.org)
      OWASP WordPress Security Implementation Guideline
      (remaining slide text not recoverable)
      #twpm1019