OWASP Top 10 & WordPress Security (Page 4)

Please note: this post is incomplete & pending review.

A3 – Sensitive Data Exposure

This is a broad category of attack that can expose many different things, but the result is always the same: confidential information is revealed. It can happen at a number of different points in an application and be carried out with a variety of attack techniques.

We defend against revealing sensitive information by strengthening our app at every point of vulnerability and keeping this list of requirements in mind:

  • ensuring passwords are not stored in plain text or with simple hashes
  • ensuring connections use HTTPS with TLS 1.2 or newer
  • verifying the source of the connection
  • making sure sensitive data is encrypted and stored in accordance with applicable laws and policies

How Does WordPress Fight This?

On the core side of things, WordPress uses the Portable PHP Password Hashing Framework (phpass) to store and protect users' passwords; because each stored hash carries its own unique salt, rainbow-table attacks against those passwords become almost impossible.

In WordPress 3.7, a password strength meter was added to the core software, giving users who are setting their passwords feedback on strength and hints on how to increase it. WordPress also has an optional configuration setting for requiring HTTPS.

At the admin level, for us developers, WordPress offers a Roles and Capabilities system that can be used to permit or deny access to private information on the site, such as third-party form submissions, private posts and commenters' email addresses.

if ( current_user_can( 'read_private_pages' ) ) {
    // Only users whose role grants this capability reach this branch:
    // output or process the private data here.
}

Note: is_admin() does not check whether the user is authenticated as an administrator the way is_user_admin() does; is_admin() only checks whether the page being displayed is in the admin section.
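As an added example (not code from the original post), here is how a plugin developer might apply the capability system and core's own password hashing to the plugin's private data, gating the decision on a capability check rather than on the admin-screen context. The route namespace, option name and meta key are assumed names; current_user_can(), register_rest_route(), wp_hash_password() and wp_check_password() are real WordPress core APIs.

```php
<?php
// Added example, not from the original post. The plugin namespace, option name and
// meta key ("myplugin/v1", "myplugin_submissions", "myplugin_secret_answer") are
// hypothetical; the WordPress functions used are real core APIs.

// 1. Gate a REST endpoint that returns (hypothetical) private form submissions.
//    The permission_callback runs before the data callback, so the capability
//    check decides whether the requester ever sees the data. is_admin() would be
//    the wrong gate here: it reports request context, not who is asking.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/submissions', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_get_submissions',
        'permission_callback' => function () {
            return current_user_can( 'read_private_pages' );
        },
    ) );
} );

function myplugin_get_submissions( WP_REST_Request $request ) {
    // Assumed storage: an array of submissions saved as a single option.
    $rows = get_option( 'myplugin_submissions', array() );
    // Strip fields the caller has no need for before returning the rest.
    $out = array();
    foreach ( $rows as $row ) {
        unset( $row['ip'] );
        $out[] = $row;
    }
    return rest_ensure_response( $out );
}

// 2. Store a plugin-owned secret the same way core stores passwords: salted and
//    hashed via wp_hash_password(), verified via wp_check_password(), never kept
//    in plain text or as a bare MD5/SHA1 digest.
function myplugin_store_secret_answer( $user_id, $answer ) {
    return update_user_meta( $user_id, 'myplugin_secret_answer', wp_hash_password( $answer ) );
}

function myplugin_verify_secret_answer( $user_id, $answer ) {
    $hash = get_user_meta( $user_id, 'myplugin_secret_answer', true );
    if ( empty( $hash ) ) {
        return false;
    }
    return wp_check_password( $answer, $hash );
}
```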

As for sensitive data within third party plugins:

As a developer, you need to be aware of this attack and audit third-party themes and plugins (they are open source, after all) that may have missed this vulnerability.
