Anatomy of a WordPress Hack
jessepollak
Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.
Anatomy of a WordPress Hack
1.
@brennenbyrne
2.
ANATOMY OF A WORDPRESS HACK
3.
security is hard
4.
security is REALLY hard
5.
security is REALLY REALLY hard
6.
but probably NOT for the reasons you’re thinking
7.
that’s because security is all about the details
8.
3 hacks that broke wordpress: sqli, xss, clickjacking (and how they were fixed)
9.
this talk is probably for you
10.
this talk is probably for you (it’s a really good talk)
11.
you might be wondering “if these have already been fixed, why are we still talking about them?”
12.
almost 20% of the web runs on wordpress
13.
almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
14.
almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they’ll happen again
15.
almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they’ll happen again
it’s fun and interesting
16.
hello, my name is brennen @brennenbyrne
17.
I’m a founder of Clef (getclef.com)
18.
anatomy of a wordpress hack
19.
XSS: cross site scripting
20.
XSS: cross site scripting
when a hacker is able to run arbitrary code in every user’s browser
21.
let’s hack
22.
how
23.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
24.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
"<" begins the html open tag
25.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
"{$icontag}" is unsanitized user input
26.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
" class='gallery-icon'>" ends the html open tag
27.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
"</" begins the html close tag
28.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
"{$icontag}" is unsanitized user input
29.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
">" ends the html close tag
30.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
both occurrences of "{$icontag}" are unsanitized user input
31.
<{$icontag} class='gallery-icon'> ... </{$icontag}>
both occurrences of "{$icontag}" are unsanitized user input
32.
unsanitized user input
33.
exploit unsanitized user input
34.
$icontag = script src='hack.js'
35.
$icontag = script src='hack.js'
creates a script tag
36.
$icontag = script src='hack.js'
loads an evil script
37.
how bad is this?
38.
full site compromise
39.
one line fix!
40.
$icontag = tag_escape($icontag)
41.
$icontag = tag_escape($icontag)
removes potentially malicious code
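The gallery-icon markup from the slides rendered with and without the one-line fix, as an added PHP example that is not from the talk or from WordPress core. tag_escape_local() reproduces what core's tag_escape() does as I read it (strip everything except [A-Za-z0-9_:] and lower-case the result), which is an assumption here, and the two render functions are stand-ins for the core gallery code.

```php
<?php
// Added example, not from the talk or from WordPress core.
// tag_escape_local(): assumed equivalent of core's tag_escape() filter,
// keeping only [A-Za-z0-9_:] so no attribute, quote or slash survives.
function tag_escape_local(string $tag_name): string
{
    return strtolower(preg_replace('/[^a-zA-Z0-9_:]/', '', $tag_name));
}

// Vulnerable: $icontag is interpolated straight into the markup (slide 23).
function render_icon_vulnerable(string $icontag): string
{
    return "<{$icontag} class='gallery-icon'> ... </{$icontag}>";
}

// Hardened: the one-line fix from slide 40, applied before interpolation.
function render_icon_fixed(string $icontag): string
{
    $icontag = tag_escape_local($icontag);
    return "<{$icontag} class='gallery-icon'> ... </{$icontag}>";
}

// Constructed inputs: a normal tag name and the value from slide 34.
$inputs = ['dl', "script src='hack.js'"];
foreach ($inputs as $icontag) {
    echo "input:      {$icontag}\n";
    echo "vulnerable: " . render_icon_vulnerable($icontag) . "\n";
    echo "fixed:      " . render_icon_fixed($icontag) . "\n\n";
}
// For the slide-34 value the vulnerable output opens with
//   <script src='hack.js' class='gallery-icon'>
// whereas the fixed output is
//   <scriptsrchackjs class='gallery-icon'> ... </scriptsrchackjs>
// an unknown element name with no attributes, which the browser renders
// as inert markup instead of fetching a script.
```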
42.
Clickjacking
43.
clickjacking: when a hacker tricks you into clicking something you don’t want to click
44.
let’s hack
45.
how
46.
this is your site
47.
this is your site with an iframe (www.another-site.com)
48.
now imagine the green is the article and the red is “delete post”
49.
now imagine the green is the article and the red is “delete post”
50.
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
51.
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
the iframe element: embedding a site in another site
52.
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
src="admin_url": embedding the admin page
53.
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
opacity: 0: the admin page is fully transparent
54.
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
z-index: 100: the admin page is above the other page
55.
delete post
56.
allow embedding of valuable pages
57.
how bad is this?
58.
full site compromise
59.
one line fix!
60.
@header( 'X-Frame-Options: SAMEORIGIN' );
61.
@header( 'X-Frame-Options: SAMEORIGIN' );
add header to responses for valuable pages
62.
@header( 'X-Frame-Options: SAMEORIGIN' );
tell browser to only allow iframe embed when it’s on the same domain
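Both halves of the slide-60 fix as an added PHP example, not from the talk or from WordPress core: a sender that emits X-Frame-Options only while headers can still go out (the @ on the slide silences the warning that this check avoids), and a checker that classifies a response's header lines, constructed here, as frameable or not. Function names are my own.

```php
<?php
// Added example, not from the talk or from WordPress core.

// Server side: queue X-Frame-Options for a valuable page. Returns false
// when output has already started, because a header sent then is lost.
function send_frame_options(string $value = 'SAMEORIGIN'): bool
{
    if (headers_sent()) {
        return false;
    }
    header('X-Frame-Options: ' . $value);
    return true;
}

// Verification side: given the header lines of a response (e.g. pasted
// from `curl -I`), report who is allowed to put the page in an iframe.
function framing_policy(array $header_lines): string
{
    foreach ($header_lines as $line) {
        if (stripos($line, 'X-Frame-Options:') !== 0) {
            continue;
        }
        $value = strtoupper(trim(substr($line, strlen('X-Frame-Options:'))));
        if ($value === 'DENY') {
            return 'nobody may frame this page';
        }
        if ($value === 'SAMEORIGIN') {
            return 'only the same origin may frame this page';
        }
        return "unrecognised X-Frame-Options value: {$value}";
    }
    return 'any site may frame this page (clickjackable)';
}

// Constructed responses: the admin page before and after the one-line fix.
$before = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=UTF-8'];
$after  = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=UTF-8',
           'X-Frame-Options: SAMEORIGIN'];
echo "before fix: " . framing_policy($before) . "\n";
echo "after fix:  " . framing_policy($after) . "\n";
```

Browsers that support Content-Security-Policy give its frame-ancestors directive precedence over X-Frame-Options when both are present, so a checker used in practice should read that header as well.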
63.
SQL injection
64.
SQL injection: when bad people access your database in bad ways
65.
let’s hack
66.
how
67.
SELECT ... LIMIT $args[4]
68.
SELECT ... LIMIT $args[4]
"SELECT ...": select categories from database
69.
SELECT ... LIMIT $args[4]
"LIMIT": limit number of categories selected
70.
SELECT ... LIMIT $args[4]
"$args[4]": unsanitized user input
71.
SELECT ... LIMIT $args[4]
"$args[4]": unsanitized user input
72.
unsanitized user input
73.
exploit unsanitized user input
74.
$args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
75.
1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
"UNION ALL ...": embed a second SQL query
76.
1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
"1 OFFSET 1": limit to 1 category and offset by 1
77.
1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
"SELECT user_login, user_pass FROM wp_users": steal usernames and passwords
78.
5 character fix!
79.
(int) $args[4]
80.
(int) $args[4]
sanitize user input by coercing it to an integer
81.
how bad is this?
82.
full site compromise
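The LIMIT clause from slide 67 built from $args[4] with and without the (int) cast, as an added PHP example that is not from the talk or from WordPress core; the categories table name in the query is a constructed stand-in for the elided SELECT and the query builders are my own.

```php
<?php
// Added example, not from the talk or from WordPress core.

// Vulnerable: whatever string arrives in $args[4] is pasted into the SQL.
// "categories" is a constructed table name standing in for "SELECT ...".
function category_sql_vulnerable(array $args): string
{
    return "SELECT * FROM categories LIMIT {$args[4]}";
}

// Hardened: the 5-character fix from slide 79. PHP's (int) reads leading
// digits and stops at the first non-numeric character, so only a number
// ever reaches the query string.
function category_sql_fixed(array $args): string
{
    $limit = (int) $args[4];
    return "SELECT * FROM categories LIMIT {$limit}";
}

// Constructed args: a benign value and the value from slide 74.
$benign  = [4 => '10'];
$payload = [4 => '1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users'];

foreach (['benign' => $benign, 'payload' => $payload] as $label => $args) {
    echo "{$label}, vulnerable: " . category_sql_vulnerable($args) . "\n";
    echo "{$label}, fixed:      " . category_sql_fixed($args) . "\n";
}
// With the slide-74 value the vulnerable query carries the UNION to the
// database; the fixed one is simply "SELECT * FROM categories LIMIT 1".
```

(int) turns a non-numeric value into 0 and leaves a negative number negative, so the hardened code should still range-check the limit; in current WordPress the idiom for numeric parameters is $wpdb->prepare() with a %d placeholder.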
83.
84.
how does this happen?
85.
security is in the details
86.
security is hard
87.
so what should you do?
88.
1: you cannot know everything
89.
1: you cannot know everything
90.
1: you can always learn more
91.
1: education
92.
2: you will always make mistakes
93.
2: you will always make mistakes
94.
2: you must learn from your mistakes
95.
2: experience
96.
3: you cannot write secure code
97.
3: you cannot write secure code
98.
3: we can write secure code
99.
3: we can write secure code
100.
3: community
101.
closing thoughts
102.
thanks
103.
XSS: Jon Cave
104.
XSS: Jon Cave
Clickjacking: Andrew Horton
105.
XSS: Jon Cave
Clickjacking: Andrew Horton
SQLi: Alexander Concha
106.
XSS: Jon Cave
Clickjacking: Andrew Horton
SQLi: Alexander Concha
WordPress Security Team
107.
XSS: Jon Cave
CSRF: Alexander Concha
SQLi: Alexander Concha
WordPress Security Team
WordPress Community
108.
what if I find a security issue?
109.
DO
1. verify that it is a real issue
2. email security@wordpress.org
DON’T
1. maliciously exploit other wordpress sites
2. publish details of the vulnerability before it has been fixed
110.
upgrade to 3.7
111.
SELECT * FROM questions