Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owa...

WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup

yoshinori matsumoto

October 19, 2018
Tweet

More Decks by yoshinori matsumoto

Other Decks in Technology

Transcript

  1.  , , lc t C JB KA SO rm

    ids P e  1, 2 a N phoc Wnk  1 6 05 2 6 , 20 , 
  2. &#\-A ] (5 (2018/10/8 !) @8C89 RNWK 0No Security No

    Life1A<6C89 ,89GWordPress<MYPUYV A %:;9 WordPress RNWXTLMYPUYVAOZQQSUL →F72IRNWXTLBA =/"?> 'HA0,+1J $@QVZXZ.E → 5*DI=7)@*4A?3 WordPress A @39[
  3. OWASP(, • OWASP (Open Web Application Security Project) – Web@;HLA:84

    8#5$. +)<FHCA: – 0+ ,/%79+!(315  (8/&$?D>GL?B-$IO=+ <KEMO>JN*24*'5 " 6$8 
  4. Japan : OWASP Local Chapters     

                                                 
  5. WordPress    WordPress    OWASP TOP

    10 WordPress  OWASP WordPress Security Implementa:on Guideline
  6. OWASP TOP 10 Web8AD<F=CE4API,%(3  &.#)"101)2 57( 6 /03!#, $7'-,$

    76 ?:BD@9-D>;? :BD@9 +*,3$7( 6 ,3$7( 6 OWASP JAPAN https://www.owasp.org/index.php/Japan
  7. WordPress 209:3/ WordPress.org -,209:3/ .&!(5098;4%   #209:3/*WordPress% 17963/%209:3/$%+ '#")-,

    OWASP TOP 10 (2013 ) % WordPress %  -,   + WordPress 209:3/ h6ps://ja.wordpress.org/security/
  8. OWASP WordPress Security Implementation Guideline OWASP $"' WordPress  (#,+-'

    +-&)-%! WordPress $.*DB  !  OWASP WordPress Security Implementation Guideline https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
  9. WordPress'",-(  • WordPress.$!/ •   • WordPress 

    -&# 1*",+/)2  *",+/) WordPress  %!)0
  10.  A /@ $3 3,@& '7/@ .2)6)UYID\9#/@_39 ` • 

    • N]W • UYID\  WordPress8LGXZNCBMUO]PA3!/@ OTF[P3%>1:58-4+)"?);.=*^ TOP10 : A9(8 8(@ J\V]R\P8) WP :LGXZNCZZ]K80<8 SMHIYE\Q
  11. WordPress ! SQL$:+&'*6: XSS='9,;)$1;,'73/#:(> 0<-4<,  0<-4<,   

    JavaScript  )$1 )$1 58%&".%:9<2 TOP10 : A1($:+&'*6:)  A7('9,)$1,'73/#:()
  12. WordPress + ,+ The WordPress Codex Is Your Friend… $wpdb->prepare

    ;@B4<?6B, 21>& wp_kses esc_html / esc_attr %*+JavaScript& How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') &=B3 ,)! #'.8;AB9 ,)!$ wp_check_filetype :-/?5/;,7082+ MINE5/;,("7082+ +
  13. OWASP ZAP • OWASP),.14>?;> • ?D58* <FC • 95@E('% 

    ),. %!. • :5AB=2 ('%#/. (' OWASP ZAP Hands-on In Osaka (2015-02-10) https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka- 2015-02-10 "*<FC0*73>) %$.& 16:9) $. -+$
  14. WPScan • WordPress3+- C>MSETQ • KO@=S$FTL$4ITBNS;#+.$" ,:  21(#/): •

    WordPress4!216#/): •  4JCRTHPCG'84 -96/): &21 WPSCan37:WordPress h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4  C>MS *4ETQ;4A=G3/,:0 <?DC3 ,: (%95,
  15. WPScan9E/C3: • ID*UN\_S>% → %VGI[0' " • WordPress>*WZKI]^Q_X>T_MY] → )F-2C!

    <; • "<VGI[<;0(4D8,<,/ → readme.html :/  &>T_MY]9? readme.html /AT_MY]0.8,C 3>P_[F>LIR=95C: HJON= #5C 0+B@5 3D72$916A ,,>9?`
  16. 

  17. $ % • WordPress!%0+215/ OWASP TOP10 WordPress-+23.) OWASP WordPress Security

    Implementation Guideline •  WordPress"4,*5(&  (& WordPress" ( -+23.)'#6(& #twpm1019