Writing Secure Plugins — WordCamp New York 2009
Mark Jaquith
How to write secure plugins, from my presentation at WordCamp New York 2009.
1.
Writing Secure Plugins
Mark Jaquith
@markjaquith
markjaquith.com
coveredwebservices.com
Saturday, November 14, 2009
2.
XSS
privilege escalation
shell execution
CSRF
SQL injection
3.
Plugin security is hit-or-miss
4.
Mostly miss
5.
SQL Injection
6.
<?php
// $newtitle and $my_id go into the SQL string unescaped
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
7.
<?php
// escape the string, cast the integer, then interpolate
$newtitle = esc_sql( $newtitle );
$my_id    = absint( $my_id );
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );
?>
8.
$wpdb->update()
9.
<?php
$wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );
?>
10.
$wpdb->insert()
11.
<?php
$wpdb->insert( $wpdb->posts, array( 'post_title' => $newtitle ) );
?>
12.
<?php
$wpdb->update(
	$wpdb->posts,
	array( 'post_title' => $newtitle, 'post_content' => $newcontent ),
	array( 'ID' => $my_id, 'post_title' => $old_title )
);
?>
13.
<?php
$post_title          = 'New Title';
$wheres['ID']         = 123;
$wheres['post_title'] = 'Old Title';
$wpdb->update( $wpdb->posts, compact( 'post_title' ), $wheres );
?>
14.
$wpdb->prepare()
15.
<?php
$title   = 'Post Title';
$ID      = 123;
$content = $wpdb->get_var(
	$wpdb->prepare( "SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d", $title, $ID )
);
?>
16.
• Uses sprintf() formatting
• %s for strings
• %d for integers
• You should not quote or escape
17.
Escape late
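The SQL section above in one worked plugin helper. This is an added example, not code from the talk: it assumes WordPress is loaded (so the global $wpdb exists), and the wcnyc_ function names are invented. It also goes one step past the slides by showing the LIKE case, where prepare() alone is not enough.

```php
<?php
// Added example (not from the slides): a plugin helper that renames a post
// and looks posts up, using the $wpdb methods the slides cover.
// Assumes it runs inside WordPress, where the global $wpdb is available.

/**
 * Rename a post. All values travel through $wpdb->update(), which escapes
 * them itself, so the caller never touches esc_sql().
 */
function wcnyc_rename_post( $post_id, $new_title ) {
	global $wpdb;

	// Validate type early: an ID is always a non-negative integer.
	$post_id = absint( $post_id );
	if ( 0 === $post_id ) {
		return false;
	}

	// Columns and WHERE values are passed separately; $wpdb escapes them.
	$rows = $wpdb->update(
		$wpdb->posts,
		array( 'post_title' => $new_title ),
		array( 'ID' => $post_id ),
		array( '%s' ),   // format of the SET value
		array( '%d' )    // format of the WHERE value
	);

	return false !== $rows;
}

/**
 * Fetch the content of one post by exact title and ID via $wpdb->prepare().
 * Placeholders are NOT quoted in the SQL string: prepare() adds the quotes
 * for %s and casts %d to an integer. Writing '%s' would double the quotes
 * and break the query, which is what slide 16 warns about.
 */
function wcnyc_get_content( $title, $post_id ) {
	global $wpdb;

	return $wpdb->get_var(
		$wpdb->prepare(
			"SELECT post_content FROM $wpdb->posts WHERE post_title = %s AND ID = %d",
			$title,
			$post_id
		)
	);
}

/**
 * Prefix search by title. LIKE is the one case where prepare() alone is not
 * enough: % and _ inside the user's term are wildcards, so neutralise them
 * with $wpdb->esc_like() (WordPress 4.0+) first, then let prepare() quote
 * the finished pattern as an ordinary %s string.
 */
function wcnyc_find_by_title_prefix( $prefix ) {
	global $wpdb;

	$like = $wpdb->esc_like( $prefix ) . '%';

	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT ID, post_title FROM $wpdb->posts WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
			$like,
			20
		)
	);
}
```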
18.
XSS
19.
<h1><?php echo $title; ?></h1>
20.
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo $title; ?></h1>
21.
Anything that isn’t hardcoded is suspect
22.
Better: Everything is suspect
23.
24.
esc_html()
25.
<?php $title = '<script> pwnage(); </script>'; ?>
<h1><?php echo esc_html( $title ); ?></h1>
26.
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo $title; ?>">Link Text</a>
27.
esc_attr()
28.
<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">Link Text</a>
29.
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo esc_attr( $url ); ?>">WRONG Link Text</a>
30.
esc_url()
31.
<?php $url = 'javascript:pwnage();'; ?>
<a href="<?php echo esc_url( $url ); ?>">Link Text</a>
32.
esc_url_raw(), sister of esc_url()
33.
esc_js()
34.
<script>
var foo = '<?php echo esc_js( $bar ); ?>';
</script>
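The "escape late" rule and the esc_url() / esc_url_raw() split from the slides above, shown as a small settings fragment. This is an added example, not code from the talk: it assumes WordPress is loaded, and the option name and wcnyc_ function names are invented.

```php
<?php
// Added example (not from the slides): a settings fragment that shows
// "escape late" in practice. Values are stored as data and escaped only at
// the moment they are printed, with the function matching the output context.
// Assumes WordPress is loaded; the option and function names are made up.

// Sanitize on save: esc_url_raw() is the storage-side sister of esc_url().
// Both reject dangerous schemes such as javascript:, but only esc_url()
// (display context) HTML-encodes the result, turning '&' into '&#038;'.
// A value that will be stored, redirected to, or fed to an HTTP client
// should stay a plain URL, so it goes through esc_url_raw().
function wcnyc_sanitize_settings( $input ) {
	$clean               = array();
	$clean['link_url']   = esc_url_raw( isset( $input['link_url'] ) ? $input['link_url'] : '' );
	$clean['link_title'] = sanitize_text_field( isset( $input['link_title'] ) ? $input['link_title'] : '' );
	return $clean;
}

function wcnyc_register_settings() {
	register_setting( 'wcnyc_group', 'wcnyc_settings', 'wcnyc_sanitize_settings' );
}
add_action( 'admin_init', 'wcnyc_register_settings' );

// Output: every value is escaped for the context it lands in, even though it
// was sanitized on save. Sanitizing on the way in is not the same as escaping
// on the way out, and the output code cannot know how old or how trusted the
// stored value is, so it escapes regardless.
function wcnyc_render_link() {
	$opts  = get_option( 'wcnyc_settings', array() );
	$url   = isset( $opts['link_url'] ) ? $opts['link_url'] : '';
	$title = isset( $opts['link_title'] ) ? $opts['link_title'] : '';
	?>
	<a href="<?php echo esc_url( $url ); ?>"
	   title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $title ); ?></a>
	<script>
	// Inside a quoted JS string literal the context is JavaScript, not HTML,
	// so esc_js() is the matching function (it escapes quotes, newlines and
	// closing tags). The URL itself was already filtered by esc_url_raw().
	var wcnycLink = '<?php echo esc_js( $url ); ?>';
	</script>
	<?php
}
```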
35.
CSRF
36.
Authorization vs. Intention
37.
Nonces
action-, object-, user-specific time limited secret keys
38.
Specific to
• WordPress user
• Action attempted
• Object of attempted action
• Time window
39.
wp_nonce_field()
40.
<form action="process.php" method="post">
<?php wp_nonce_field( 'plugin-action_object' ); ?>
...
</form>
41.
check_admin_referer()
42.
<?php
// before output goes to browser
check_admin_referer( 'plugin-action_object' );
?>
43.
Still need to use current_user_can()
44.
AJAX CSRF
45.
• wp_create_nonce( 'your_action' );
• &_ajax_nonce=YOUR_NONCE
• check_ajax_referer( 'your_action' );
46.
Privilege Escalation
47.
current_user_can()
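The CSRF and privilege escalation slides above wired together for one feature: a form nonce, the capability check that the nonce does not replace, and the AJAX variant. This is an added example, not code from the talk; it assumes WordPress is loaded, and the action name, hook suffix and wcnyc_ function names are invented.

```php
<?php
// Added example (not from the slides): one feature end to end with the checks
// the slides separate: nonce (intention), capability (authorization) and, for
// AJAX, the _ajax_nonce variant. Assumes WordPress is loaded; the action
// string 'wcnyc-archive_post_<ID>' and all wcnyc_ names are made up.

// 1. The form. The nonce is tied to the action AND the object (the post ID),
//    so a token issued for one post cannot be replayed against another.
//    The action URL is a fixed admin endpoint, never a reflected request URI.
function wcnyc_archive_form( $post_id ) {
	$post_id = absint( $post_id );
	?>
	<form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
		<input type="hidden" name="action" value="wcnyc_archive">
		<input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">
		<?php wp_nonce_field( 'wcnyc-archive_post_' . $post_id ); ?>
		<?php submit_button( 'Archive' ); ?>
	</form>
	<?php
}

// 2. The handler, run before any output. Order matters: the nonce check proves
//    the user intended this request; current_user_can() proves they are
//    allowed to make it. A valid nonce alone is not authorization (slide 43).
function wcnyc_handle_archive() {
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	check_admin_referer( 'wcnyc-archive_post_' . $post_id ); // dies on failure

	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You are not allowed to archive this post.', '', array( 'response' => 403 ) );
	}

	wp_update_post( array( 'ID' => $post_id, 'post_status' => 'draft' ) );

	wp_safe_redirect( admin_url( 'edit.php?wcnyc_archived=1' ) );
	exit;
}
add_action( 'admin_post_wcnyc_archive', 'wcnyc_handle_archive' );

// 3. The same feature over AJAX. The nonce is handed to the page via
//    wp_localize_script(); the client posts it back as _ajax_nonce together
//    with action=wcnyc_archive and post_id, and check_ajax_referer() verifies it.
function wcnyc_enqueue_ajax_nonce() {
	wp_localize_script( 'jquery', 'wcnycAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'wcnyc-archive_ajax' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'wcnyc_enqueue_ajax_nonce' );

function wcnyc_ajax_archive() {
	check_ajax_referer( 'wcnyc-archive_ajax' ); // reads $_REQUEST['_ajax_nonce'], dies on failure

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 ); // same capability check as the form path
	}

	wp_update_post( array( 'ID' => $post_id, 'post_status' => 'draft' ) );
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_wcnyc_archive', 'wcnyc_ajax_archive' );
```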
48.
Set your salts!
http://api.wordpress.org/secret-key/1.1/
49.
Stupid shit I see all the time
50.
exec()
51.
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
52.
<a href="<?php echo $url; ?>" title="<?php echo $title; ?>"><?php echo $text; ?></a>
<script>
var foo = '<?php echo $js; ?>';
</script>
53.
<a href="<?php echo esc_url( $url ); ?>" title="<?php echo esc_attr( $title ); ?>"><?php echo esc_html( $text ); ?></a>
<script>
var foo = '<?php echo esc_js( $js ); ?>';
</script>
54.
Discussion