SoftwareSecurity2014/Group 8/Case Study

From Werkplaats
Revision by Herman Slatman (talk | contributions) on 5 Jun 2014 at 10:34 (Some useful links regarding Wordpress)

Introduction

This is a case study of the OWASP Application Security Verification Standard (ASVS) V5: Input Validation requirement for Wordpress 3.8.1. The source for Wordpress 3.8.1 can be found at http://wordpress.org/download/release-archive/.

This security assessment is scoped to the ASVS V5 requirement, which concerns validating any user input the web application receives at runtime. All user input should be validated and/or sanitized before the application uses it; examples of user input are an email address entered to subscribe to a newsletter, or the fields submitted when registering a new account. Several severe security vulnerabilities have been found in Wordpress in the past, and even version 3.8.1, which is under investigation in this assignment, contained a serious vulnerability.
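To make the validate/sanitize/escape distinction concrete for the newsletter-subscription case mentioned above, here is an added example written as a small WordPress plugin snippet; it is not code from the original page or from Wordpress core. It assumes Wordpress 3.8.x is loaded (the `wp_*`, `sanitize_*`, `esc_*`, `is_email` and `$wpdb` APIs are core), while the hook name `ss_subscribe`, the nonce field and the `ss_subscribers` table are made-up names for illustration.

```php
<?php
// Added example (hypothetical plugin code): a newsletter-subscription handler that
// applies the ASVS V5 idea of never using raw request data. Assumes Wordpress is
// loaded; 'ss_subscribe', 'ss_nonce' and the ss_subscribers table are invented.

add_action( 'admin_post_nopriv_ss_subscribe', 'ss_handle_subscribe' );
add_action( 'admin_post_ss_subscribe', 'ss_handle_subscribe' );

function ss_handle_subscribe() {
    global $wpdb;

    // 1. Check the request came from our own form (anti-CSRF nonce) before any processing.
    if ( ! isset( $_POST['ss_nonce'] ) || ! wp_verify_nonce( $_POST['ss_nonce'], 'ss_subscribe' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Sanitize: remove slashes added by PHP/WP, strip tags and characters that do not
    //    belong in the field. Sanitizing changes the input into something "safe-shaped".
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $name  = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

    // 3. Validate: reject input that is still not acceptable instead of trying to repair it.
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid e-mail address.', '', array( 'response' => 400 ) );
    }
    if ( $name === '' || strlen( $name ) > 100 ) {
        wp_die( 'Please enter a name of at most 100 characters.', '', array( 'response' => 400 ) );
    }

    // 4. Store with a prepared statement; user data is never interpolated into the SQL text.
    $table = $wpdb->prefix . 'ss_subscribers'; // hypothetical table
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO $table (email, name, created) VALUES (%s, %s, %s)",
        $email, $name, current_time( 'mysql' )
    ) );

    // 5. Escape at output time, for the context the value lands in (an HTML body here).
    //    Sanitizing on input does not replace escaping on output.
    wp_die( 'Thanks, ' . esc_html( $name ) . '! We will write to ' . esc_html( $email ) . '.' );
}
```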

Application

Wordpress is a very popular blogging platform that is free to use. People use it not only for blogging but increasingly as a general content management system. It is written in PHP and uses MySQL as its database back-end. It runs on most popular web servers, such as the Apache HTTP Server and nginx. New themes and plug-ins are easy to acquire and install, which makes it easy to customize one's own website. Many plug-ins are available that extend the basic features in many ways, but because anyone can write and distribute a plug-in with very little effort, plug-ins are also the source of most security breaches on Wordpress websites.

In this assignment we look at a 'vanilla' Wordpress 3.8.1 code base, which does not contain any of these community-submitted plug-ins.

Some useful links regarding Wordpress and Wordpress input validation/sanitization

http://codex.wordpress.org/Data_Validation

http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

http://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536

http://wordpress.stackexchange.com/questions/17356/does-wp-insert-post-validate-the-input

http://adambrown.info/p/wp_hooks

Resources regarding input validation and PHP security

https://www.owasp.org/index.php/Data_Validation

https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet