SoftwareSecurity2014/Group 8/Case Study
Introduction
This is a case study of the OWASP Application Security Verification Standard (ASVS) V5: Input Validation requirement for Wordpress 3.8.1. The source for Wordpress 3.8.1 can be found at http://wordpress.org/download/release-archive/.
The scope of this security assessment is the ASVS V5 requirement, which concerns validating any user input the web application receives while running. All user input should be validated and/or sanitized before the application uses it. Examples of user input are an email address entered to subscribe to a newsletter, or the details submitted when registering a new account. Several severe security vulnerabilities have been found in Wordpress in the past, and even version 3.8.1, the version under investigation in this assignment, contained a serious vulnerability.
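As an added illustration (not code from the Wordpress code base or from this case study), the following shows the two inputs mentioned above, a newsletter email address and new-account details, handled first without and then with the validation, sanitization and output-escaping helpers that Wordpress 3.8.1 ships; the option and nonce names are made up, and the code assumes it runs inside a loaded Wordpress (for example from a theme's functions.php).

```php
<?php
// Added example, not Wordpress core code. Assumes a loaded Wordpress 3.8.1;
// option names and nonce actions below are invented for the illustration.

// Weak pattern: raw request data is stored and echoed exactly as sent.
function newsletter_subscribe_unvalidated() {
    $email = $_POST['email'];                         // no validation, no sanitization
    add_option( 'newsletter_' . md5( $email ), $email );
    echo 'Subscribed ' . $email;                      // unescaped output into HTML
}

// Hardened pattern: check origin, sanitize, validate, escape on output.
function newsletter_subscribe_validated() {
    // Reject submissions that did not come from our own form (nonce check).
    check_admin_referer( 'newsletter_subscribe', 'newsletter_nonce' );

    $raw   = isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
    $email = sanitize_email( $raw );                  // strips characters invalid in an address
    if ( '' === $email || ! is_email( $email ) ) {    // validate what is left
        wp_die( 'Please supply a valid email address.', 'Invalid input', array( 'response' => 400 ) );
    }
    add_option( 'newsletter_' . md5( $email ), $email );
    echo 'Subscribed ' . esc_html( $email );          // escape for the HTML context
}

// Registration: username and email are checked before wp_create_user() runs.
function register_account_validated() {
    check_admin_referer( 'register_account', 'register_nonce' );

    $raw_login = isset( $_POST['user_login'] ) ? wp_unslash( $_POST['user_login'] ) : '';
    $raw_email = isset( $_POST['user_email'] ) ? wp_unslash( $_POST['user_email'] ) : '';

    $login = sanitize_user( $raw_login, true );       // strict mode: only [A-Za-z0-9 _.\-@]
    $email = sanitize_email( $raw_email );

    if ( '' === $login || ! validate_username( $login ) || username_exists( $login ) ) {
        return new WP_Error( 'bad_login', 'Username is invalid or already taken.' );
    }
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'bad_email', 'Email address is invalid or already registered.' );
    }
    // wp_insert_user() validates again internally; this is defence in depth, not a substitute.
    return wp_create_user( $login, wp_generate_password(), $email );
}
```

The pattern is the one the Wordpress Codex links below describe: sanitize on input, validate the sanitized value, and escape for the output context rather than trusting stored data.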
Application
Wordpress is a very popular blogging platform that is free to use. People not only use it to blog, but increasingly use it as a general content management system. It is written in PHP and uses MySQL as its database back-end. It runs on most popular web servers, such as the Apache HTTP Server and nginx. New themes and plug-ins are easy to acquire and install, which makes customizing one's own website straightforward. Many plug-ins are available that extend the basic features of Wordpress in many ways, but because anyone can write and distribute a plug-in with very little effort, plug-ins are also the source of most security breaches on Wordpress websites.
In this assignment we look at a 'vanilla' Wordpress 3.8.1 code base, which does not contain any of those community-submitted plug-ins.
Some useful links regarding Wordpress and Wordpress input validation/sanitization:
http://codex.wordpress.org/Data_Validation
http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
http://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536
http://wordpress.stackexchange.com/questions/17356/does-wp-insert-post-validate-the-input
http://adambrown.info/p/wp_hooks