anatomy of a wordpress hack
DESCRIPTION
Slides for Brennen Byrne's talk, Anatomy of a WordPress Hack, given at WordCamp Boston.
TRANSCRIPT
@brennenbyrne
ANATOMY OF A WORDPRESS HACK
security is REALLY REALLY hard
but probably NOT for the reasons you’re thinking
that’s because security is all about the details
3 hacks that broke wordpress
(and how they were fixed)
clickjacking
xss
sqli
this talk is probably for you
(it’s a really good talk)
you might be wondering
“if these have already been fixed, why are we still talking about them?”
almost 20% of the web runs on wordpress
lots of attacks on wordpress sites
they’ll happen again
it’s fun and interesting
hello, my name is brennen
@brennenbyrne
I’m a founder of Clef (getclef.com)
XSS: cross site scripting
when a hacker is able to run arbitrary code in every user’s browser
let’s hack
how
<{$icontag} class='gallery-icon'> ... </{$icontag}>
  <             begin html open tag
  {$icontag}    unsanitized user input
  >             end html open tag
  </            begin html close tag
  {$icontag}    unsanitized user input
  >             end html close tag
exploit
$icontag = "script src='hack.js'"
  script          create a script tag
  src='hack.js'   load an evil script
how bad is this?
full site compromise
one line fix!
$icontag = tag_escape($icontag)
  strips every character that cannot appear in a tag name, so the value can no longer break out into a new element
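The tag-name injection above and the tag_escape() fix, as an added example that is not from the slides or from WordPress: tag_escape() here is a Python port of the WordPress function of the same name (it keeps only the characters A-Z, a-z, 0-9, _ and :, then lower-cases), the two render functions model the slide's <{$icontag} class='gallery-icon'> ... </{$icontag}> template, and the payload, gallery body and script detector are constructed for the demonstration. The detector parses the output as HTML, so it reports what a browser would actually create rather than matching strings.

```python
"""Tag-name injection in the gallery markup from the slides and the tag_escape() fix.
Added example, not WordPress's code: tag_escape() is a Python port of the WordPress
function of the same name; the render functions model the slide's template."""
import re
from html.parser import HTMLParser


def tag_escape(tag_name: str) -> str:
    """Reduce a user-supplied tag name to characters legal in a tag name (WordPress semantics)."""
    return re.sub(r"[^a-zA-Z0-9_:]", "", tag_name).lower()


def render_icon_unsafe(icontag: str, body: str) -> str:
    """The vulnerable shape: the attacker-controlled tag name is interpolated raw."""
    return "<%s class='gallery-icon'>%s</%s>" % (icontag, body, icontag)


def render_icon_safe(icontag: str, body: str) -> str:
    """The one-line fix from the slide, applied before interpolation."""
    icontag = tag_escape(icontag)
    return "<%s class='gallery-icon'>%s</%s>" % (icontag, body, icontag)


class _ScriptFinder(HTMLParser):
    """Collects the attributes of every <script> start tag the HTML parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def script_elements(html: str) -> list:
    """Parse the markup as HTML and return the <script> elements it would create."""
    finder = _ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.scripts


# Constructed inputs: the slide's payload and a stand-in for the gallery item markup.
PAYLOAD = "script src='hack.js'"
BODY = "<a href='/image.jpg'><img src='/image-150x150.jpg'></a>"

if __name__ == "__main__":
    print(render_icon_unsafe(PAYLOAD, BODY))  # <script src='hack.js' class='gallery-icon'>...
    print(script_elements(render_icon_unsafe(PAYLOAD, BODY)))
    print(render_icon_safe(PAYLOAD, BODY))  # <scriptsrchackjs class='gallery-icon'>...
    print(script_elements(render_icon_safe(PAYLOAD, BODY)))
```

tag_escape() is the escape for exactly one context, a tag name; it guarantees nothing about attribute values or text, which need their own escaping (esc_attr() and esc_html() in WordPress). It also only guarantees a syntactically valid name: tag_escape("script") is still "script", so where the element must never be script-capable, comparing the value against an allow-list of the tags the template actually expects is the stricter fix.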
clickjacking
when a hacker tricks you into clicking something you don’t want to click
let’s hack
how
this is your site
this is your site with an iframe
www.another-site.com
now imagine the green is the article
and the red is “delete post”
<iframe src="admin_url" style="opacity: 0; z-index: 100"></iframe>
  iframe            embedding site in another site
  src="admin_url"   embedding admin page
  opacity: 0        admin page is fully transparent
  z-index: 100      admin page is above another page
delete post
allow embedding of valuable pages
how bad is this?
full site compromise
one line fix!
@header( 'X-Frame-Options: SAMEORIGIN' );
  add the header to responses for valuable pages
  tell the browser to only allow iframe embedding when the embedding page is on the same domain
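The defence above, as an added example that is not from the slides or from WordPress: the server side sends X-Frame-Options: SAMEORIGIN only on the pages worth protecting, and the browser side refuses to render such a page inside a frame whose top-level origin differs. Both sides are simplified models written for this page; the hostnames, paths and the attacker page are constructed, and the /wp-admin/ and /wp-login.php paths are an assumption about which pages count as valuable.

```python
"""The clickjacking defence from the slides: X-Frame-Options: SAMEORIGIN on valuable pages.
Added example, not WordPress's code: the header logic and the browser decision are
simplified models, and all URLs are constructed for the demonstration."""
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host:port, the tuple a browser compares for SAMEORIGIN."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def response_headers(path: str) -> dict:
    """The one-line fix, sent only on admin and login pages (assumed to be the valuable
    ones) rather than on the public front end, which other sites may legitimately embed."""
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    if path.startswith("/wp-admin/") or path == "/wp-login.php":
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def browser_allows_framing(headers: dict, framed_url: str, top_url: str) -> bool:
    """Models the browser check on a framed document's response headers.
    SAMEORIGIN is compared against the top-level page here; some browsers also
    check every intermediate ancestor frame, which is stricter, never looser."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(framed_url) == origin(top_url)
    return True  # no header: any site may frame the page


# Constructed attacker page: the slide's invisible iframe laid over a decoy button.
ATTACKER_PAGE = "https://www.another-site.com/win-a-prize.html"
ATTACKER_HTML = (
    "<button>Click to claim your prize</button>"
    "<iframe src='%s' style='opacity: 0; z-index: 100; position: absolute; top: 0; left: 0'>"
    "</iframe>"
)


def clickjack_succeeds(target_url: str, attacker_page: str = ATTACKER_PAGE) -> bool:
    """True when the attacker page can render the target inside its iframe."""
    path = urlsplit(target_url).path
    return browser_allows_framing(response_headers(path), target_url, attacker_page)


if __name__ == "__main__":
    delete_url = "https://blog.example/wp-admin/post.php?post=1&action=trash"
    print(ATTACKER_HTML % delete_url)
    print("admin page frameable by attacker:", clickjack_succeeds(delete_url))  # False
    print("public post frameable by attacker:",
          clickjack_succeeds("https://blog.example/hello-world/"))  # True
```

X-Frame-Options predates Content Security Policy; the current equivalent is the frame-ancestors directive (Content-Security-Policy: frame-ancestors 'self'), which browsers honour in preference to X-Frame-Options when both are present, so new code should send both until every client in scope supports CSP.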
SQL injection
when bad people access your database in bad ways
let’s hack
how
SELECT ... LIMIT $args[4]
  SELECT ...   select categories from database
  LIMIT        limit number of categories selected
  $args[4]     unsanitized user input
exploit
$args[4] = 1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users
  1 OFFSET 1                                    limit to 1 category and offset by 1
  UNION ALL                                     embed a second SQL query
  SELECT user_login, user_pass FROM wp_users    steal usernames and password hashes
5 character fix!
(int) $args[4]
  sanitize user input by coercing it to an integer
how bad is this?
full site compromise
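The LIMIT injection above and the (int) cast fix, as an added example that is not from the slides or from WordPress. It runs the slide's SELECT ... LIMIT $args[4] shape against an in-memory SQLite database filled with constructed wp_terms and wp_users rows (the hashes are fake). The slide's UNION payload is MySQL syntax and SQLite refuses a LIMIT before UNION, so the part that actually executes goes one step beyond the slide: LIMIT accepts any integer expression, so a comparison on a stored hash in the same injection point returns 1 row (true) or 0 rows (false), enough to read the hash out character by character. php_int_cast() is a stand-in for PHP's (int) cast and is this example's own helper.

```python
"""LIMIT-clause SQL injection from the slides and the (int) cast fix.
Added example, not WordPress's code; sample rows and hashes are constructed."""
import re
import sqlite3

UNION_PAYLOAD = "1 OFFSET 1 UNION ALL SELECT user_login, user_pass FROM wp_users"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a WordPress database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_terms (term_id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO wp_terms (name) VALUES ('Uncategorized'), ('Security'), ('WordCamp');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users (user_login, user_pass)
            VALUES ('admin', '$P$BfakehashA'), ('editor', '$P$BfakehashB');
    """)
    return db


def query_unsafe(limit_arg: str) -> str:
    """The vulnerable shape: $args[4] pasted into the LIMIT clause as-is."""
    return "SELECT name FROM wp_terms LIMIT " + limit_arg


def php_int_cast(value: str) -> int:
    """Emulates PHP's (int) on a string: optional sign and leading digits,
    anything else becomes 0 (float and exponent forms are ignored here)."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


def query_safe(limit_arg: str) -> str:
    """The 5-character fix: coerce to an integer before the value reaches the SQL."""
    return "SELECT name FROM wp_terms LIMIT %d" % php_int_cast(limit_arg)


def run(db: sqlite3.Connection, sql: str) -> list:
    return [row[0] for row in db.execute(sql)]


def oracle_payload(position: int, guess: str) -> str:
    """Boolean probe that fits where the slide puts the UNION: true -> LIMIT 1, false -> LIMIT 0."""
    return ("(substr((SELECT user_pass FROM wp_users ORDER BY ID LIMIT 1), %d, 1) = '%s')"
            % (position, guess))


def extract_hash_prefix(db, build_query, length: int, alphabet: str) -> str:
    """Recover the first `length` characters of the first user's hash, one
    character per true/false answer, through the given query builder."""
    recovered = ""
    for position in range(1, length + 1):
        for ch in alphabet:
            if len(run(db, build_query(oracle_payload(position, ch)))) == 1:
                recovered += ch
                break
        else:
            break  # no character matched: the injection point is closed
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(query_unsafe(UNION_PAYLOAD))  # the slide's query with the second SELECT embedded
    print(query_safe(UNION_PAYLOAD))  # SELECT name FROM wp_terms LIMIT 1
    print(extract_hash_prefix(db, query_unsafe, 4, "$PB"))  # $P$B, leaked
    print(extract_hash_prefix(db, query_safe, 4, "$PB"))  # empty, LIMIT 0 every time
```

The cast works here because the slot is an integer by design; it is not a general escape. For anything that is not a plain number, WordPress code should build the statement with $wpdb->prepare(), whose %d placeholder does the same coercion and whose %s placeholder quotes strings.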
how does this happen?
security is in the details
security is hard
so what should you do?
1. you cannot know everything
   you can always learn more
   education
2. you will always make mistakes
   you must learn from your mistakes
   experience
3. you cannot write secure code
   we can write secure code
   community
closing thoughts
thanks
XSS: Jon Cave
Clickjacking: Andrew Horton
SQLi: Alexander Concha
CSRF: Alexander Concha
WordPress Security Team
WordPress Community
what if I find a security issue?
DO
1. verify that it is a real issue
2. email [email protected]
DON’T
1. maliciously exploit other wordpress sites
2. publish details of the vulnerability before it has been fixed
upgrade to 3.7
SELECT * FROM questions