Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.

1. @brennenbyrne

2. ANATOMY OF A
WORDPRESS HACK

3. security is
hard

4. security is
REALLY
hard

5. security is
REALLY
REALLY
hard

6. but probably
NOT
for the reasons
you’re thinking

7. that’s because security
is all about the
details

8. 3 hacks
that broke wordpress
sqli
xss
clickjacking
(and how they were fixed)

9. this talk is probably for you

10. this talk is probably for you
(it’s a really good talk)

11. you might be wondering
“
if these have already been fixed,
why are we still talking about them?

12. almost 20% of the web runs on wordpress

13. almost 20% of the web runs on wordpress
lots of attacks on wordpress sites

14. almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they’ll happen again

15. almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they’ll happen again
it’s fun and interesting

16. hello, my name is brennen
@brennenbyrne

17. I’m a founder of Clef
(getclef.com)

18. anatomy of a wordpress hack

19. XSS
cross site scripting

20. XSS
cross site scripting
when a hacker is able to run
arbitrary code in every user’s browser

21. let’s hack

22. how

23. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>

24. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
begin html open tag

25. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
}
unsanitized user input

26. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
}
end html open tag

27. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
begin html close tag

28. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
}
unsanitized user input

29. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
end html close tag

30. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
}
}
unsanitized user input

31. <{$icontag} class=‘gallery-icon’> ... </{$icontag}>
}
}
unsanitized user input

32. unsanitized user input

33. exploit
unsanitized user input

34. $icontag =
script src=‘hack.js’

35. $icontag =
script src=‘hack.js’
}
create a script tag

36. $icontag =
script src=‘hack.js’
}
load an evil script

37. how bad is this?

38. full site compromise

39. one line fix!

40. $icontag = tag_escape($icontag)

41. $icontag = tag_escape($icontag)
}
removes potentially
malicious code

42. Clickjacking

43. clickjacking
when a hacker tricks you into clicking
something you don’t want to click

44. let’s hack

45. how

46. this is your site

47. this is your site with an iframe
www.another-site.com

48. now imagine the green is the article
and the red is “delete post”

49. now imagine the green is the article
and the red is “delete post”

50. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe>

51. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe>
}
}
embedding site in another site

52. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe>
}
embedding admin page
S

53. <iframe src=“admin_url” style=“opacity: 0; z-index: 100></iframe>
}
admin page is fully transparent
S

54. <iframe src=“admin_url” style=“opacity: 0; z-index: 100”></iframe>
}
admin page is above another page

55. delete post

56. allow embedding of valuable pages

57. how bad is this?

58. full site compromise

59. one line fix!

60. @header( 'X-Frame-Options: SAMEORIGIN' );

61. @header( 'X-Frame-Options: SAMEORIGIN' );
}
add header to requests
for valuable pages

62. @header( 'X-Frame-Options: SAMEORIGIN' );
}
tell browser to only allow
iframe embed when it’s on
the same domain

63. SQL injection

64. SQL injection
when bad people access your
database in bad ways

65. let’s hack

66. how

67. SELECT ... LIMIT $args[4]

68. SELECT ... LIMIT $args[4]
}
select categories from database

69. SELECT ... LIMIT $args[4]
}
limit number of categories selected

70. SELECT ... LIMIT $args[4]
}
unsanitized user input

71. SELECT ... LIMIT $args[4]
}
unsanitized user input

72. unsanitized user input

73. exploit
unsanitized user input

74. $args[4] =
1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users

75. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
}
embed a second SQL query

76. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
}
limit to 1 category and offset by 1

77. 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
}
steal usernames and passwords

78. 5 character fix!

79. (int) $args[4]

80. (int) $args[4]
}
sanitize user input by
coercing it to an integer

81. how bad is this?

82. full site compromise

84. how does this happen?

85. security is in the details

86. security is hard

87. so what should you do?

88. 1
you cannot know everything

89. 1
you cannot know everything

90. 1
you can always learn more

91. 1
education

92. 2
you will always make mistakes

93. 2
you will always make mistakes

94. 2
you must learn from your mistakes

95. 2
experience

96. 3
you cannot write secure code

97. 3
you cannot write secure code

98. 3
we can write secure code

99. 3
we can write secure code

100. 3
community

101. closing thoughts

102. thanks

103. XSS
Jon Cave

104. XSS Jon Cave
Clickjacking Andrew Horton

105. XSS Jon Cave
Clickjacking Andrew Horton
SQLi Alexander Concha

106. XSS Jon Cave
Clickjacking Andrew Horton
SQLi Alexander Concha
WordPress Security Team

107. XSS Jon Cave
CSRF Alexander Concha
SQLi Alexander Concha
WordPress Security Team
WordPress Community

108. what if I find a security issue?

109. DO
1. verify that it is a real issue
2. email security@wordpress.org
DON’T
1. maliciously exploit other wordpress sites
2. publish details of the vulnerability before it has been fixed

110. upgrade to
3.7

111. SELECT * FROM questions