Articles

      • The Ultimate WordPress Plugin Security Testing Cheat Sheet

        Oct 20 2017, 8:40 PM

        by larsonreever 2

        The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. This cheat sheet can be effectively used to test various WordPress plugins.

        Cross-Site Scripting (XSS)

        Check whether the following global PHP variables are echoed to pages, or stored in the database and echoed later, without first being sanitised or output-encoded.

        • $_GET
        • $_POST
        • $_REQUEST
        • $_SERVER['REQUEST_URI']
        • $_SERVER['PHP_SELF']
        • $_SERVER['HTTP_REFERER']
        • $_COOKIE

        (Note: the list of sources above is not exhaustive.)

        Cross-Site Scripting (XSS) Tips

        Unsafe API functions

        The following functions can cause XSS if not secured:

        • add_query_arg()
        • remove_query_arg()

        See References Below:
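        The checks above, as an added example that is not part of the original cheat sheet: the same plugin page rendered once with raw request data and once with the WordPress escaping helpers chosen for the context each value lands in. It assumes a WordPress runtime (esc_html(), esc_attr(), esc_url(), wp_kses_post(), add_query_arg(), get_option()); the option name and function names are hypothetical.

```php
<?php
// Added example (not from the cheat sheet). Assumes WordPress is loaded.

// --- Vulnerable: raw request data reaches the page ---
function cheatsheet_example_render_unsafe() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    // Reflected XSS: $_GET is echoed without encoding.
    echo '<h2>Results for ' . $term . '</h2>';
    // $_SERVER['REQUEST_URI'] is attacker-influenced too.
    echo '<form action="' . $_SERVER['REQUEST_URI'] . '">';
    // add_query_arg() with no URL argument builds on REQUEST_URI; echoing its
    // return value unescaped is the add_query_arg() case the cheat sheet lists.
    echo '<a href="' . add_query_arg( 'page', 2 ) . '">Next</a>';
    // Stored XSS: an option saved earlier from $_POST and echoed back verbatim.
    echo '<div>' . get_option( 'cheatsheet_example_notice', '' ) . '</div>';
}

// --- Hardened: sanitise on the way in, escape for the output context ---
function cheatsheet_example_render_safe() {
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    // HTML text context.
    echo '<h2>Results for ' . esc_html( $term ) . '</h2>';
    // URL-in-attribute context: esc_url() rejects javascript: and encodes quotes.
    echo '<form action="' . esc_url( add_query_arg( array() ) ) . '">';
    echo '<a href="' . esc_url( add_query_arg( 'page', 2 ) ) . '">Next</a>';
    // Attribute context for plain values.
    echo '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
    // Stored rich text: allow only the post-safe HTML subset.
    echo '<div>' . wp_kses_post( get_option( 'cheatsheet_example_notice', '' ) ) . '</div>';
}

// Saving the stored value: filter before it reaches the database as well.
function cheatsheet_example_save_notice() {
    if ( isset( $_POST['notice'] ) ) {
        update_option( 'cheatsheet_example_notice', wp_kses_post( wp_unslash( $_POST['notice'] ) ) );
    }
}
```

        The rule of thumb the two functions illustrate: escaping is chosen by where the value ends up (text, attribute, URL, rich HTML), not by where it came from, and the add_query_arg()/remove_query_arg() return values are treated as untrusted URLs like any other.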

        DISALLOW_UNFILTERED_HTML

        When doing dynamic testing for XSS, the following setting in wp-config.php may reduce false positives: it prevents administrator and editor users from embedding raw JavaScript/HTML, which they are permitted to do by default.

        define( 'DISALLOW_UNFILTERED_HTML', true );

        SQL Injection

        Unsafe API methods (require sanitising/escaping):

        • $wpdb->query()
        • $wpdb->get_var()
        • $wpdb->get_row()
        • $wpdb->get_col()
        • $wpdb->get_results()
        • $wpdb->replace()

        Safe API methods (according to WordPress):

        • $wpdb->insert()
        • $wpdb->update()
        • $wpdb->delete()

        Safe code, prepared statement:

        <?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

        Note: Before WordPress 3.5, $wpdb->prepare() could be used insecurely, because you could pass a query with no placeholders at all, as in the following example:

        $wpdb->query( $wpdb->prepare( "INSERT INTO table (user, pass) VALUES ('$user', '$pass')" ) );

        SQL Injection Tips

        Unsafe escaping ('securing') API methods:

        • esc_sql() function does not adequately protect against SQL Injection - see refs below
        • escape() same as above
        • esc_like() same as above
        • like_escape() same as above
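        An added example (not part of the original cheat sheet) covering both the prepared-statement section and the escaping tips above: one lookup written with string concatenation, with esc_sql() alone, and with $wpdb->prepare() placeholders, plus the LIKE and ORDER BY cases where escaping on its own is not enough. It assumes a WordPress runtime with the global $wpdb; the table name and function names are hypothetical.

```php
<?php
// Added example (not from the cheat sheet). Assumes WordPress is loaded.
// Table {$wpdb->prefix}cs_example_items is hypothetical.

// --- Vulnerable: request data concatenated into the query ---
function cs_example_find_unsafe( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cs_example_items';
    // $status is not parameterised; a quote in it changes the query structure.
    return $wpdb->get_results( "SELECT id, name FROM {$table} WHERE status = '{$status}'" );
}

// --- Still weak: esc_sql() escapes quotes but does not parameterise ---
function cs_example_find_escaped( $status ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'cs_example_items';
    $status = esc_sql( $status );
    // Only holds up while the value sits inside quotes; it does nothing for
    // identifiers, unquoted numbers, ORDER BY or LIMIT positions.
    return $wpdb->get_results( "SELECT id, name FROM {$table} WHERE status = '{$status}'" );
}

// --- Safe: $wpdb->prepare() with %s / %d placeholders ---
function cs_example_find_safe( $status, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cs_example_items';
    // prepare() quotes %s itself, so the SQL carries no quotes around it.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE status = %s ORDER BY id LIMIT %d",
        $status,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// LIKE takes two steps: esc_like() neutralises the % and _ wildcards, and the
// finished pattern is still bound through prepare().
function cs_example_search_safe( $fragment ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'cs_example_items';
    $pattern = '%' . $wpdb->esc_like( $fragment ) . '%';
    $sql     = $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $pattern );
    return $wpdb->get_results( $sql );
}

// A sort column from user input cannot be a placeholder; whitelist it instead.
function cs_example_sorted( $orderby ) {
    global $wpdb;
    $allowed = array( 'id', 'name', 'status' );
    $orderby = in_array( $orderby, $allowed, true ) ? $orderby : 'id';
    $table   = $wpdb->prefix . 'cs_example_items';
    return $wpdb->get_results( "SELECT id, name FROM {$table} ORDER BY {$orderby}" );
}
```

        When auditing, the question for each $wpdb->query()/get_* call is whether every user-influenced fragment arrives through a placeholder or a whitelist; a call that relies on esc_sql() or esc_like() alone is the pattern the tips above warn about.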

        Displaying/hiding SQL errors:

        <?php $wpdb->show_errors(); ?>
        <?php $wpdb->hide_errors(); ?>
        <?php $wpdb->print_error(); ?>

        File Inclusion

        • include()
        • require()
        • include_once()
        • require_once()

        PHP Object Injection

        • unserialize()
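        An added example (not part of the original cheat sheet) for the file-inclusion and object-injection items above: a template loader and a settings import, each shown with the include()/unserialize() misuse beside a hardened version. It assumes a WordPress plugin with a templates/ directory; view names, option names and function names are hypothetical.

```php
<?php
// Added example (not from the cheat sheet). Assumes WordPress is loaded.

// --- Vulnerable: a request parameter reaches include() ---
function cs_example_load_template_unsafe() {
    // Traversal sequences or stream wrappers in $_GET['view'] turn this into
    // a local or remote file inclusion.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $_GET['view'] . '.php';
}

// --- Hardened: the request only selects from a fixed set ---
function cs_example_load_template_safe() {
    $allowed = array( 'list', 'detail', 'settings' );
    $view    = isset( $_GET['view'] ) ? sanitize_key( $_GET['view'] ) : 'list';
    if ( ! in_array( $view, $allowed, true ) ) {
        $view = 'list';
    }
    $base = plugin_dir_path( __FILE__ ) . 'templates/';
    $path = realpath( $base . $view . '.php' );
    // Defence in depth: confirm the resolved path is still inside templates/.
    if ( false === $path || 0 !== strpos( $path, realpath( $base ) ) ) {
        wp_die( 'Template not found', 404 );
    }
    include $path;
}

// --- Vulnerable: unserialize() on data the user controls ---
function cs_example_import_unsafe() {
    // Any loadable class with __wakeup()/__destruct() side effects can be
    // instantiated by the serialized string (PHP object injection).
    $settings = unserialize( base64_decode( $_POST['settings'] ) );
    update_option( 'cs_example_settings', $settings );
}

// --- Hardened: a format that cannot instantiate objects, plus schema checks ---
function cs_example_import_safe() {
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true ); // associative arrays only, never objects
    if ( ! is_array( $settings ) ) {
        wp_die( 'Malformed settings', 400 );
    }
    // Keep only known keys with expected types; discard everything else.
    $clean = array(
        'per_page' => isset( $settings['per_page'] ) ? absint( $settings['per_page'] ) : 10,
        'label'    => isset( $settings['label'] ) ? sanitize_text_field( $settings['label'] ) : '',
    );
    update_option( 'cs_example_settings', $clean );
}

// If the serialized format cannot be changed, PHP 7+ can at least forbid
// object creation: unserialize( $raw, array( 'allowed_classes' => false ) ).
```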

        Command Execution

        • system()
        • exec()
        • passthru()
        • shell_exec()

        PHP Code Execution

        • eval()
        • assert()
        • preg_replace() with the "e" modifier, which evaluates the replacement as PHP code (deprecated since PHP 5.5.0 and removed in PHP 7.0.0).

        Authorisation

        • is_admin() does not check whether the user is authenticated as an administrator; it only checks whether the page being displayed is in the admin section, so it can lead to an authorisation bypass if misused.
        • is_user_admin() same as above
        • current_user_can() is the function that should be used to check authorisation.

        Open Redirect

        • wp_redirect() function can be used to redirect to user supplied URLs. If user input is not sanitised or validated this could lead to Open Redirect vulnerabilities.

        Cross-Site Request Forgery (CSRF)

        • wp_nonce_field() adds CSRF token to forms
        • wp_nonce_url() adds CSRF token to URL
        • wp_verify_nonce() checks the CSRF token validity server side
        • check_admin_referer() checks the CSRF token validity server side and that the request came from an admin screen
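        An added example (not part of the original cheat sheet) tying the Authorisation, Open Redirect and CSRF items together: a settings form handler written with the is_admin() misuse, then with current_user_can(), a nonce and a validated redirect via wp_safe_redirect(). It assumes a WordPress runtime; the option name, action name and function names are hypothetical.

```php
<?php
// Added example (not from the cheat sheet). Assumes WordPress is loaded.

// --- Vulnerable: is_admin() used as an authorisation check ---
function cs_example_handle_unsafe() {
    // is_admin() is true for any request served from /wp-admin/ (including
    // admin-ajax.php), regardless of who sent it. It says nothing about the user.
    if ( is_admin() && isset( $_POST['cs_example_webhook'] ) ) {
        // No nonce: a cross-site form post from a logged-in admin changes this too (CSRF).
        update_option( 'cs_example_webhook', $_POST['cs_example_webhook'] );
        // Open redirect: an untrusted URL passed straight to wp_redirect().
        wp_redirect( $_POST['return_to'] );
        exit;
    }
}

// --- Form output: embed the CSRF token bound to this action ---
function cs_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cs_example_save">';
    wp_nonce_field( 'cs_example_save', 'cs_example_nonce' );
    echo '<input type="url" name="cs_example_webhook" value="'
        . esc_attr( get_option( 'cs_example_webhook', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// --- Hardened handler, hooked to admin_post_cs_example_save ---
function cs_example_handle_safe() {
    // 1. Authorisation: is this user allowed to do this at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a valid nonce for this exact action.
    //    check_admin_referer() dies on failure; wp_verify_nonce() is the
    //    non-fatal alternative when you want to handle the failure yourself.
    check_admin_referer( 'cs_example_save', 'cs_example_nonce' );

    // 3. Validate the input before it is stored.
    $url = isset( $_POST['cs_example_webhook'] )
        ? esc_url_raw( wp_unslash( $_POST['cs_example_webhook'] ) )
        : '';
    if ( '' === $url || 0 !== strpos( $url, 'https://' ) ) {
        wp_die( 'Webhook must be an https URL', 400 );
    }
    update_option( 'cs_example_webhook', $url );

    // 4. Redirect only within this site: wp_safe_redirect() discards hosts not
    //    in the allowed_redirect_hosts list and falls back to the admin URL.
    $back = isset( $_POST['return_to'] ) ? wp_unslash( $_POST['return_to'] ) : admin_url();
    wp_safe_redirect( $back );
    exit;
}
add_action( 'admin_post_cs_example_save', 'cs_example_handle_safe' );
```

        In a review, the three checks appear in this order in the hardened handler: capability, then nonce, then input validation; a handler missing any one of them maps directly to one of the three cheat-sheet headings.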

        SSL/TLS

        • CURLOPT_SSL_VERIFYHOST set to 0 means the name in the server certificate is not checked against the host
        • CURLOPT_SSL_VERIFYPEER set to FALSE means the certificate (including its chain) is not checked for trust
        • Check if HTTP is used to communicate with backend servers or APIs. A grep for "http://" should be sufficient.
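        An added example (not part of the original cheat sheet) of the three SSL/TLS findings above: a backend call with the weak cURL settings beside one that enforces https and full verification, and the equivalent WordPress HTTP API call. It assumes a WordPress runtime and PHP's cURL extension; the endpoint constant and function names are hypothetical.

```php
<?php
// Added example (not from the cheat sheet). Assumes WordPress and ext/curl.

define( 'CS_EXAMPLE_API', 'https://api.example.invalid/v1/status' ); // placeholder host

// --- Vulnerable: verification disabled, plain http:// accepted ---
function cs_example_call_unsafe( $url ) {
    $ch = curl_init( $url ); // nothing rejects an 'http://' URL here
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); // any certificate, any issuer
    curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 0 );     // certificate name not matched to host
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}

// --- Hardened: https only, peer and host verification on ---
function cs_example_call_safe( $url ) {
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        return new WP_Error( 'cs_example_scheme', 'Backend calls must use https' );
    }
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true ); // chain must lead to a trusted CA
    curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2 );    // 2 is the only secure value
    // Use the CA bundle WordPress ships with, so verification does not depend
    // on the host's OpenSSL configuration.
    curl_setopt( $ch, CURLOPT_CAINFO, ABSPATH . WPINC . '/certificates/ca-bundle.crt' );
    curl_setopt( $ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS ); // restrict cURL to https
    curl_setopt( $ch, CURLOPT_TIMEOUT, 10 );
    $body = curl_exec( $ch );
    if ( false === $body ) {
        $err = curl_error( $ch );
        curl_close( $ch );
        return new WP_Error( 'cs_example_tls', $err );
    }
    curl_close( $ch );
    return $body;
}

// The WordPress HTTP API verifies by default, so the weak setting to grep for
// there is an explicit 'sslverify' => false.
function cs_example_call_wp_http( $url ) {
    return wp_remote_get( $url, array( 'sslverify' => true, 'timeout' => 10 ) );
}
```

        For the third bullet, the grep for "http://" still applies to both styles: the scheme check in cs_example_call_safe() is what turns that finding from a code-review observation into a runtime refusal.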

        Further reading/references:

        1. https://developer.wordpress.org/plugins/security/
        2. https://codex.wordpress.org/Function_Reference/esc_sql
        3. https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
        4. https://secure.wphackedhelp.com/fixmysite.html
        5. https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
        6. https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
        7. http://php.net/manual/en/function.preg-replace.php

        • Tip How to
        • Security Risks
        • DigiCert Code Signing
        • Error messages
        • Vulnerabilities & Exploits
        • Best Practice
        • Products
        • Malware Scan
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert Complete Website Security
        • DigiCert SSL TLS Certificates
        • Managed PKI for SSL
      • Symantec Managed PKI: Windows PC VPN auto-configuration using PKI Client auto-enrollment with post-processing

        May 18 2016, 3:44 PM

        by Kyle Barnard 1

        Symantec Managed PKI: Windows PC VPN auto-configuration using PKI Client auto-enrollment with post-processing (Job Aid in PDF format – download PDF to launch embedded video)

        Use-case Overview
        Enable a Windows domain user’s computer for strong authentication to a virtual private network (VPN). The PKI administrator configures a certificate profile using the PKI Enterprise Gateway and PKI Client auto-enrollment and post-processing capabilities to automatically issue the certificate to the domain user and automatically configure the certificate to work with the VPN client. The end-user logs into their Windows domain, and PKI Client automatically authenticates the user, enrolls and issues the certificate, and configures the VPN client.

        • Products
        • Identity and Authentication Services
        • Tip How to
        • Training
        • Troubleshooting
        • Managed PKI for SSL
      • Symantec Managed PKI: BYOD Apple iOS device connecting to Wi-Fi access point using EAP-TLS.

        May 18 2016, 3:42 PM

        by Kyle Barnard 1

        Symantec Managed PKI: BYOD Apple iOS device connecting to Wi-Fi access point using EAP-TLS authentication protocol (Job Aid in PDF format – download PDF to launch embedded video)

        Use-case Overview
        Enable an end-user’s iOS device to connect to a Wi-Fi access point that is secured using 802.1x EAP-TLS protocol. The PKI administrator configures the certificate profile, adds the end-user, and then sends an enrollment email to the user. The end-user enrolls for the certificate and the certificate is installed along with the Wi-Fi device configuration. It is simple, quick and easy for the end-user to connect to the strong-authenticated, secured Wi-Fi access point without the need for any configuration or complicated interaction.

        • Products
        • Identity and Authentication Services
        • Tip How to
        • Training
        • Troubleshooting
        • Managed PKI for SSL
      • Symantec Managed PKI Use-case Demos: Adobe CDS User Document Signing

        May 18 2016, 3:40 PM

        by Kyle Barnard 1

        Symantec Managed PKI Use-case Demos: Adobe CDS User Document Signing (Job Aid in PDF format – download PDF to launch embedded video)

        Use-case Overview
        Digitally sign an Adobe PDF document. The PKI administrator configures the certificate profile, adds the end-user, and then sends an enrollment email to the user. The enrollment code is communicated to the end-user separately from the enrollment link. The end-user enrolls for the certificate and the certificate is installed to their hardware token. The end-user digitally signs a PDF document.

        • Products
        • Identity and Authentication Services
        • Tip How to
        • Training
        • Troubleshooting
        • Managed PKI for SSL
      • Whitepaper - Simplify SSL Certificate Management Across the Enterprise

        May 28 2014, 5:32 PM

        by Mithun Sanghavi 8

        Hello,
        The need for SSL Certificates has moved well beyond the “buy” page to core functions of the enterprise. SSL Certificates are used to protect remote employee and partner communications via webmail, chat and IM. Browser-to-server communications for cloud-based services require SSL Certificates when used to display customer account information, business partner transactions and for employee productivity tools. Finally, SSL Certificates are used to secure server-to-server communications for applications and data exchange. Managing individual Certificates across a large organization quickly becomes complicated with multiple locations, many divisions, and rapidly growing Web-based services. If an SSL Certificate expires, a company not only loses sales and puts customer confidence in jeopardy, employees and business partners may not be able to do their work or risk exposure of confidential information. Managing SSL Certificates across complex networks to ensure protection and prevent unanticipated expirations has become mission critical to all businesses.
        This guide provides five simple steps for IT professionals to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates throughout their lifecycle.
        To know more, check the attached Whitepaper.

        • Products
        • DigiCert Code Signing
        • Tip How to
        • Features
        • Symantec Website Security
        • Best Practice