OWASP Top 10 & WordPress Security (Page 6)

Please note: this post is incomplete & pending review.

A5 – Broken Access Control

This attack reveals or processes information for an unauthorized user. Neglecting to restrict a user to only what they're allowed to see is the main weakness. A simple example of this is a user viewing their account page:

// vulnerable: the id comes straight from the query string and is never checked against the logged-in user
$user = get_user($_GET['id']);
// display account settings

By simply changing the user-supplied ?id=123 to a different user id, other users' accounts could be compromised. The user must always be verified. Non-public content being displayed should be locked down and shown only to correctly authorized users.

// sanitize the request (missing or non-numeric input becomes 0, which never matches a real user)
$userReq = isset($_GET['id']) ? intval($_GET['id']) : 0;

// verify the request is for the user themselves (strict comparison: both sides are integers)
if ($userReq === get_current_user_id()) {
    // verify this specific user's ability: edit_user is WordPress's per-user meta capability
    if (current_user_can('edit_user', $userReq)) {
        // get the current user
        $user = get_userdata(get_current_user_id());
        // ..display account settings..
    } else {
        die('not authorized to do that');
    }
} else {
    die('boo!');
}

So how do we do this in WordPress?

WordPress offers a very easy-to-understand Permissions & Capabilities system that can be used to permit and deny access to private information on the site, such as third-party form submissions, private posts, and commenters' emails. See sensitive data exposure for more info.
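As an added example (not code from the original post), here is the same account-page check written as a WordPress admin-ajax handler that leans on the capabilities system: a nonce check, an integer-sanitized id, an ownership-or-capability test, and a response that exposes only the fields the page needs. The action name `my_get_account` and nonce action `my_account_nonce` are assumed names for illustration.

```php
<?php
// Added example, not part of the original post.
// Assumed names: the AJAX action "my_get_account" and the nonce action "my_account_nonce".
// Only wp_ajax_ is registered (not wp_ajax_nopriv_), so anonymous visitors never reach the handler.
add_action('wp_ajax_my_get_account', 'my_get_account_handler');

function my_get_account_handler() {
    // 1. Belt and braces: require a logged-in user even though wp_ajax_ already implies one.
    if (!is_user_logged_in()) {
        wp_send_json_error('not logged in', 401);
    }

    // 2. Verify the nonce so the request originated from our own page (dies on failure).
    check_ajax_referer('my_account_nonce', 'nonce');

    // 3. Sanitize: absint() turns anything that is not a positive integer into 0.
    $requested_id = isset($_GET['id']) ? absint($_GET['id']) : 0;
    if ($requested_id === 0) {
        wp_send_json_error('invalid id', 400);
    }

    // 4. Authorize: a caller may read their own account, or another account only if they
    //    hold the edit_user meta capability for that specific user (e.g. an administrator).
    $current_id = get_current_user_id();
    if ($requested_id !== $current_id && !current_user_can('edit_user', $requested_id)) {
        wp_send_json_error('not authorized', 403);
    }

    // 5. Only now touch the data. Respond identically for a missing user so that
    //    a caller cannot tell valid ids from invalid ones.
    $user = get_userdata($requested_id);
    if (!$user) {
        wp_send_json_error('not authorized', 403);
    }

    // 6. Return a whitelist of fields, never the whole WP_User object: it carries
    //    the password hash (user_pass) and user_activation_key.
    wp_send_json_success(array(
        'id'           => $user->ID,
        'display_name' => $user->display_name,
        'email'        => $user->user_email,
    ));
}
```

The page that calls this handler passes `wp_create_nonce('my_account_nonce')` as the `nonce` parameter; without it `check_ajax_referer()` rejects the request before any data is read.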
