Oct 20 2017, 8:40 PM
by larsonreever
The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. This cheat sheet can be effectively used to test various WordPress plugins.
Cross-Site Scripting (XSS)
Check if the following global PHP variables are echoed to pages, or stored in the database and echoed at a later time, without first being sanitised or output encoded.
(Note: the list of sources above is neither extensive nor complete)
Cross-Site Scripting (XSS) Tips
Unsafe API functions
The following functions can cause XSS if not secured:
See References Below:
define( 'DISALLOW_UNFILTERED_HTML', true );
Unsafe API methods (require sanitising/escaping):
Safe API methods (according to WordPress):
Safe code, prepared statement:
<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>
Note: Before WordPress 3.5, $wpdb->prepare could be used insecurely, as you could just pass the query without using placeholders, as in the following example:
$wpdb->query( $wpdb->prepare( "INSERT INTO table (user, pass) VALUES ('$user', '$pass')" ) );
SQL Injection Tips
Unsafe escaping ('securing') API methods:
esc_sql() function does not adequately protect against SQL Injection - see refs below
escape() same as above
esc_like() same as above
like_escape() same as above
Displaying/hiding SQL errors:
<?php $wpdb->show_errors(); ?>
<?php $wpdb->hide_errors(); ?>
<?php $wpdb->print_error(); ?>
PHP Object Injection
PHP Code Execution
preg_replace() dangerous "e" flag: deprecated since PHP 5.5.0 and removed in PHP 7.0.0.
is_admin() does not check if the user is authenticated as administrator; it only checks if the page displayed is in the admin section. Can lead to auth bypass if misused.
is_user_admin() same as above
current_user_can() used for checking authorisation. This is what should be used to check authorisation.
wp_redirect() function can be used to redirect to user-supplied URLs. If user input is not sanitised or validated, this could lead to Open Redirect vulnerabilities.
Cross-Site Request Forgery (CSRF)
wp_nonce_field() adds CSRF token to forms
wp_nonce_url() adds CSRF token to URL
wp_verify_nonce() checks the CSRF token validity server side
check_admin_referer() checks the CSRF token validity server side and that the request came from an admin screen
CURLOPT_SSL_VERIFYHOST if set to 0, the name in the host certificate is not checked
CURLOPT_SSL_VERIFYPEER if set to FALSE, the certificate (including its chain) is not checked for trust
- Check if HTTP is used to communicate with backend servers or APIs. A grep for "http://" should be sufficient.
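The checks listed in the post above, shown side by side in one hypothetical plugin handler. This is an added example written for this page, not code from the original post or from WordPress: the plugin name, the csdemo_ function names, the {$wpdb->prefix}csdemo table and the csdemo_flag option are all assumed for illustration. The vulnerable function is kept only to show what the audit points look like in code; the hardened one uses current_user_can() for authorisation, check_admin_referer() against a wp_nonce_field() token, $wpdb->prepare() with placeholders, esc_html() at the point of output, wp_safe_redirect() instead of wp_redirect(), and cURL with certificate and hostname verification left on.

```php
<?php
/*
Plugin Name: Cheat Sheet Demo (hypothetical, for illustration only)
*/

// --- Vulnerable handler: every line marked below maps to an item in the cheat sheet.
//     Kept for contrast; do not ship this. ---
function csdemo_vulnerable_handler() {
    global $wpdb;
    $name = $_GET['name'];                                                   // raw source, no sanitising
    echo '<p>Hello ' . $name . '</p>';                                       // XSS: echoed without escaping
    $wpdb->query( "DELETE FROM {$wpdb->prefix}csdemo WHERE name = '$name'" ); // SQLi: string interpolation
    if ( is_admin() ) {                                                      // admin *screen*, not admin *user*
        update_option( 'csdemo_flag', $_POST['flag'] );                      // no nonce: CSRF; no capability check
    }
    wp_redirect( $_GET['next'] );                                            // open redirect: any host accepted
    exit;
}

// --- Hardened handler, hooked on admin-post.php for logged-in users ---
function csdemo_hardened_handler() {
    global $wpdb;

    // Authorisation: check a capability, not which screen is being rendered.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF: dies unless the token from wp_nonce_field( 'csdemo_delete', 'csdemo_nonce' ) is valid.
    check_admin_referer( 'csdemo_delete', 'csdemo_nonce' );

    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

    // SQLi: %s is quoted and escaped by prepare(); never interpolate user input yourself.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}csdemo WHERE name = %s",
        $name
    ) );

    // Output encoding at the sink, for the HTML text context the value lands in.
    echo '<p>Deleted ' . esc_html( $name ) . '</p>';

    // Open redirect: wp_safe_redirect() falls back to a local URL for hosts not in allowed_redirect_hosts.
    $next = isset( $_POST['next'] ) ? esc_url_raw( wp_unslash( $_POST['next'] ) ) : admin_url();
    wp_safe_redirect( $next );
    exit;
}
add_action( 'admin_post_csdemo_delete', 'csdemo_hardened_handler' );

// Form that pairs with the hardened handler: capability-gated rendering plus a nonce field.
function csdemo_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'csdemo_delete', 'csdemo_nonce' );
    echo '<input type="hidden" name="action" value="csdemo_delete">';
    echo '<input type="text" name="name">';
    echo '<input type="hidden" name="next" value="' . esc_attr( admin_url( 'options-general.php' ) ) . '">';
    echo '<button type="submit">Delete</button></form>';
}

// Backend call over TLS. The two commented-out lines are the weak values to grep for in an audit.
function csdemo_fetch_backend( $url ) {
    $ch = curl_init( $url );
    // curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); // weak: untrusted chain accepted
    // curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 0 );     // weak: hostname never compared
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true );      // chain must end at a trusted CA
    curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2 );         // hostname must match the certificate
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}
```

When auditing, the grep targets are the same ones the post lists: direct use of $_GET/$_POST in echo or SQL strings, $wpdb->prepare() called with a fully interpolated query and no placeholders, is_admin() standing in for a capability check, wp_redirect() fed by request data, and CURLOPT_SSL_VERIFYPEER/CURLOPT_SSL_VERIFYHOST set to false or 0. If a plugin uses the WordPress HTTP API instead of raw cURL, wp_remote_get() verifies certificates by default and an explicit 'sslverify' => false argument is the equivalent weak setting to look for.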
May 18 2016, 3:44 PM
by Kyle Barnard
Symantec Managed PKI: Windows PC VPN auto-configuration using PKI Client auto-enrollment with post-processing (Job Aid in PDF format – download PDF to launch embedded video)
Enable a Windows domain user's computer for strong authentication to a virtual private network (VPN). The PKI administrator configures a certificate profile using the PKI Enterprise Gateway and PKI Client auto-enrollment and post-processing capabilities to automatically issue the certificate to the domain user and automatically configure the certificate to work with the VPN client. The end-user logs into their Windows domain; PKI Client automatically authenticates the user, enrolls and issues the certificate, and configures the VPN client.
May 18 2016, 3:42 PM
by Kyle Barnard
Symantec Managed PKI: BYOD Apple iOS device connecting to Wi-Fi access point using EAP-TLS authentication protocol (Job Aid in PDF format – download PDF to launch embedded video)
Enable an end-user's iOS device to connect to a Wi-Fi access point that is secured using the 802.1x EAP-TLS protocol. The PKI administrator configures the certificate profile, adds the end-user, and then sends an enrollment email to the user. The end-user enrolls for the certificate, and the certificate is installed along with the Wi-Fi device configuration. It is simple, quick and easy for the end-user to connect to the strongly authenticated, secured Wi-Fi access point without the need for any configuration or complicated interaction.
May 18 2016, 3:40 PM
by Kyle Barnard
Symantec Managed PKI Use-case Demos: Adobe CDS User Document Signing (Job Aid in PDF format – download PDF to launch embedded video)
Digitally sign an Adobe PDF document. The PKI administrator configures the certificate profile, adds the end-user, and then sends an enrollment email to the user. The enrollment code is communicated to the end-user separately from the enrollment link. The end-user enrolls for the certificate and the certificate is installed to their hardware token. The end-user digitally signs a PDF document.