WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup

Transcript

1.  
   / Yoshinori Matsumoto @ym405nm

2. 
   , , lc t C JB KA SO rm

   ids P e  1, 2 a N phoc Wnk 
   1 6 05 2 6 , 20 , 

3. &#\-A ] (5 (2018/10/8 !) @8C89 RNWK 0No Security No

   Life1A
   <6C89 ,89GWordPress<MYPUYV A %:;9 WordPress RNWXTLMYPUYVAOZQQSUL →F72IRNWXTLBA =/"?> 'HA0,+1J $@QVZXZ.E → 5*DI=7)@*4A?3 WordPress A @39[

4. OWASP
   

5. OWASP(, • OWASP (Open Web Application Security Project) – Web@;HLA:84

   8#5$. +)<FHCA: –
   0+ ,/%79+!(315  (8/&$?D>GL?B-$IO=+ <KEMO>JN*24*'5 " 6$8 

6. OWASP • OWASP Foundation – 2001  –  

   NPO – 200
     Chapter

7. Japan : OWASP Local Chapters
     
    

     
       
       
       
        
      
       
       
       
   

8. WORDPRESS
   

9. WordPress"%&# $"%&#&!    WordPress
     $"%&#&! 

    

10. WordPress  
     WordPress    OWASP TOP

    10 WordPress  OWASP WordPress Security Implementa:on Guideline

11. OWASP TOP 10 Web8AD<F=CE4API,%(3  &.#)"10
    1)2 57( 6 /03!#, $7'-,$

    76 ?:BD@9-D>;? :BD@9 +*,3$7( 6 ,3$7( 6 OWASP JAPAN https://www.owasp.org/index.php/Japan

12. WordPress 209:3/ WordPress.org -,209:3/ .&!(5098;4%   #209:3/*WordPress% 17963/%209:3/$%+ '#")
    -,

    OWASP TOP 10 (2013 ) % WordPress %  -,   + WordPress 209:3/ h6ps://ja.wordpress.org/security/

13. OWASP WordPress Security Implementation Guideline OWASP $"'
     WordPress  (#,+-'

    +-&)-%! WordPress $.*DB  !  OWASP WordPress Security Implementation Guideline https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

14. WordPress'",-(  • WordPress.$!/ •   • WordPress 
    

    -&# 1*",+/)2  *",+/) WordPress  %!)0

15. WordPress    XML RPC wp-login.php TOP10 : A2(

    
    ) WP :  

16. P=6R ,A;KMD5 :B:B EI8NF wp-login.php,4<A@TXMLRPC/U 2497RFPC< H@QSGJM?S,  LS>-*!!$3"+%0 (1

    IP4GO@% $V A;KMD5.,””T
    U3# )&1$V ., -*2'0  )&1$V

17. 
    JETPACK

18.  A /@ $3 3,@& '7/@ .2)6)UYID\9#/@_39
    ` • 

    • N]W • UYID\  WordPress8LGXZNCBMUO]PA3!/@ OTF[P3%>1:58-4+)"?);.=*^ TOP10 : A9(8 8(@ J\V]R\P8) WP :LGXZNCZZ]K80<8 SMHIYE\Q

19. WordPress ! SQL$:+&'*6: XSS='9,;)$1;,'73/#:(> 0<-4<,  0<-4<,   
    

    JavaScript  )$1 )$1 58%&".%:9<2 TOP10 : A1($:+&'*6:)  A7('9,)$1,'73/#:()

20. WordPress + ,+ The WordPress Codex Is Your Friend… $wpdb->prepare

    ;@B4<?6B, 21>& wp_kses esc_html / esc_attr 
    %*+JavaScript& How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') &=B3 ,)! #'.8;AB9 ,)!$ wp_check_filetype :-/?5/;,7082+ MINE5/;,("7082+ +

21.   
    

22. OWASP ZAP • OWASP),.14>?;> • ?D58* <FC • 95@E('% 

    ),. %!. • :5AB=2 ('%#/. (' OWASP ZAP Hands-on In Osaka (2015-02-10) https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka- 2015-02-10 "*<FC0
    *73>) %$.& 16:9) $. -+$

23. WPScan • WordPress3+- C>MSETQ • KO@=S$FTL$4ITBNS;#+.$" ,:  21(#/): •

    WordPress4!216#/): •  4JCRTHPCG'84 -96/): &21 WPSCan37:WordPress h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4  C>MS *4ETQ;
    4A=G3/,:0 <?DC3 ,: (%95,

24. WPScan9E/C3: • ID*UN\_S>% → %VGI[0' " • WordPress>*WZKI]^Q_X>T_MY] → )F-2C!

    <; • "<VGI[<;0(4D8,<,/ → readme.html :/
    &>T_MY]9? readme.html /AT_MY]0.8,C 3>P_[F
    >LIR=95C: HJON= #5C 0+B@5 3D72$916A ,,>9?`

25. 
       

26. 
    

27. $ % • WordPress!%0+215/ OWASP TOP10 WordPress-+23.) OWASP WordPress Security

    Implementation Guideline • 
     WordPress"4,*5(&  (& WordPress" ( -+23.)'#6(& #twpm1019