Understanding WordPress Vulnerabilities (XSS, CSRF, WTF)

https://slides.chriswiegman.com/swfl0218

Chris Wiegman / @chris

About me

Who identifies what is important?

The OWASP Top 10

• OWASP = Open Web Application Security Project
• Top 10 web application security risks
• Updated evey 3 years (sort of)
• Not specific to language or application (applies to them all)
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The OWASP Top 10

• Deals with
  • Code
  • Server configuration
  • General vulnerabilities

Vulnerability Targets

• Server and application
  • Targets the site itself
• User
  • Targets the computer or browser of a user visiting the site

OWASP Vulnerabilities in WordPress

Major WordPress Vulnerabilities

• Sensitive Data Exposure
• Security Misconfiguration
• Injection
• Cross-site Scripting (XSS)
• Insecure Direct Object Reference
• Missing Function Level Access Control
• Cross Site Request Forgery
• Insecure Deserialization
• Using Componenets with Known Vulnerabilities

Sensitive Data Exposure

• Most common outcome of many attacks
• Failure to properly encrypt (or otherwise protect) sensitive data

Sensitive Data Exposer

• Primary Target
  • Application and server
• Potential risk
  • Severe
• Difficulty to exploit
  • Difficult ^*
• Outcomes
  Sensitive data exposure

Security Misconfiguration

• A misconfiguration at any level of the stack (server/application/etc) that can lead to a compromise

Security Misconfiguration

• Primary Target
  • Application and server
• Potential risk
  • Moderate
• Difficulty to exploit
  • Easy ^*
• Outcomes
  Data corruption, sensitive data exposure

Injection

• Injection vulnerabilities occur when the application sends untrusted data to an interpreter

Injection

• Primary Target
  • Application and server
• Potential risk
  • Severe
• Difficulty to exploit
  • Easy ^*
• Outcomes
  Data corruption, sensitive data exposure, host pwned

Injection Code Example

					$my_variable = 'variable_name;
					$x = $_GET['arg'];
					eval("\$my_variable = \$x;");
				 

					/index.php?arg=1; phpinfo();
				 

Cross-Site Scripting (XSS)

• User supplied data is sent to the browser without validation
• Most common vulnerability

Cross-Site Scripting (XSS)

• Primary Target
  • User
• Potential risk
  • Moderate ^*
• Difficulty to exploit
  • Average ^*
• Outcomes
  Browser hijack, deface website, redirect user, etc

XSS Code Example

					if ( isset( $_GET['my_secret_key'] ) ) {
						echo $_GET['my_secret_key'];
					}
				 

or

					__( 'Some text to translate', 'my-awesome-plugin' );
				 

Insecure Direct Object Reference

• Use of a key or name to request an object whereas the target object does not verify the requester's access permission.

Insecure Direct Object Reference

• Primary Target
  • Application and server
• Potential risk
  • Moderate
• Difficulty to exploit
  • Easy ^*
• Outcomes
  Sensitive data exposure

Insecure Direct Object Reference Code Example

					echo esc_html( $my_wp_user->$_GET['user-key'] );
				 

Missing Function Level Access Control

• Failure to verify access rights upon access to a specific function.

Missing Function Level Access Control

• Primary Target
  • Application and server
• Potential risk
  • Moderate
• Difficulty to exploit
  • Easy ^*
• Outcomes
  Data corruption, sensitive data exposure

Missing Function Level Access Control Code Example

					if ( is_admin() ) {
						echo $user_list;
					}
				 

Cross Site Request Forgery (CSRF)

• Forces a logged-on victim's browser to send a forged HTTP request to a vulnerable application.
• My include session cooke and other authentication information.

Cross Site Request Forgery (CSRF)

• Primary Target
  • User
• Potential risk
  • Moderate
• Difficulty to exploit
  • Average ^*
• Outcomes
  Data corruption, sensitive data exposure

CSRF Code Example

					<img src="http://mysite.com/password=get_my_password" width="0" height="0" />
				 

Insecure Deserialization

• Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized.

Insecure Deserialization

• Primary Target
  • Application and Server
• Potential risk
  • Severe
• Difficulty to exploit
  • Difficult ^*
• Outcomes
  Data corruption, sensitive data exposure, host pwned

Insecure Deserialization Example

					unserialize( $_POST['data'] );
				 

Using Components with Known Vulnerabilities

• Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Using Components with Known Vulnerabilities

• Primary Target
  • User, application and Server
• Potential risk
  • Severe
• Difficulty to exploit
  • Easy ^*
• Outcomes
  Data corruption, sensitive data exposure, host pwned

General Protection Strategies

Keep Up To Date

Review Your WordPress Dashboard Regularly

Use Coding Standards

Making Coding Standards Easier

• https://github.com/squizlabs/PHP_CodeSniffer
  • A linter for PHP
• https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards
  • WordPress Coding Standards for PHP_CodeSniffer
• https://github.com/stevegrunwell/wp-enforcer
  • Enforces WordPress Coding Standards compliance on GIT commit

Know Your Code Editor

Use Appropriate Tools

Important WordPress Security Tools

• https://jetpack.com/
• https://www.fail2ban.org
• https://sucuri.net/
• https://www.google.com/webmasters/
• https://letsencrypt.org/
• https://www.ssllabs.com/ssltest/
• https://observatory.mozilla.org/

Have (and Verify) a Backup

Have a Plan

Questions?

Thank You

https://slides.chriswiegman.com/swfl0218

Chris Wiegman / @chris