Novel Exploitation Techniques in WordPress - Prepared Statements and Object Injection

OWASP Foundation via YouTube

Overview

Explore novel exploitation techniques in WordPress through this conference talk from OWASP AppSec EU 2018. Delve into a fundamental design flaw in the WordPress core that led to severe security issues, including SQL injection vulnerabilities and a new type of PHP object injection. Examine how a custom design of prepared statements contributed to these vulnerabilities. Analyze the characteristics of this specific occurrence and learn how to identify similar issues in other PHP projects. Gain insights into new and generic exploitation techniques, as well as guidance for WordPress and other developers on preventing these security problems. Understand the implications of WordPress's wide adoption, its reliance on legacy code, and the challenges of implementing modern best practices. Learn about the exploitation of outdated cores and plugins, and the ongoing efforts to secure the platform despite the intrinsic features of the PHP language.

Syllabus

Introduction
About me
What is WordPress
Installing Plugins
Overview
Background
Medicals
Custom Prepared Statements
Exploit Technique 1
Exploit Technique 2 Demonstration
WordPress Patch
Second Exploit Technique
Recap
Exploit 2 WooCommerce
Exploit 6 WordPress
Closing Words
Question
How it works
What the attacker does
WordPress version
Advice to plugin authors
Will there be a prepared statement
Is there a safe way to use that caching technique
How have you found the experience working with different plugin teams

Taught by

OWASP Foundation
