OWASP Top 10 & WordPress Security (Page 9)

Please note: this post is incomplete & pending review.

A8 – Insecure Deserialization

Serialization is a very popular method of taking an array or object and turning it into a string. Insecure Deserialization is a category of attack that occurs when an attacker has access to a serialized string and modifies it to gain access to accounts or data.

An example of this can be shown with PHP. Here a cookie has been saved to the user's browser carrying the following low-level privileges:

a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

An attacker modifies the serialized string to claim a higher privilege:

a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

If the application has no method of verifying that this data is correct, and no other security measures, it would then presumably believe the attacker is an admin, not a user.

How Does This Relate To WordPress?

In WordPress, all user authentication is handled by the core through WordPress's API. As WordPress developers, if our plugin for whatever reason does require saving user-supplied serialized strings, we have to be aware of this attack and always validate, sanitize, and ensure the data is correct. Presume all your users are malicious.
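As an added example (not code from the original post), here is the pattern described above in plain PHP: the vulnerable role-from-cookie read beside a hardened variant that stores only an HMAC-signed, JSON-encoded user id and leaves the privilege decision to the server. The secret constant, the function names and the one-hour expiry are assumptions made for this demo.

```php
<?php
// Added example (not from the original post): a tamper-evident alternative to
// trusting a raw serialized cookie. Assumes a server-side secret that is never
// sent to the browser (in WordPress, wp_salt('auth') would be a natural source).

const SECRET = 'constructed-demo-secret-replace-me'; // placeholder, not a real key

// Vulnerable pattern from the post: the role is read straight out of an
// attacker-controlled string, so editing "user" to "admin" is enough.
function role_from_raw_cookie(string $cookie): string {
    $data = unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? (string) $data[2] : '';
}

// Hardened pattern: store only an opaque identifier, never privileges, and sign it.
function issue_cookie(int $user_id): string {
    $payload = json_encode(['uid' => $user_id, 'exp' => time() + 3600]);
    $mac = hash_hmac('sha256', $payload, SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Returns the user id if the cookie is intact and unexpired, or null otherwise.
function user_id_from_signed_cookie(string $cookie): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    // Constant-time comparison prevents timing leaks of the MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $parts[1])) return null;
    $data = json_decode($payload, true); // JSON, not unserialize(): no object instantiation
    if (!is_array($data) || !isset($data['uid'], $data['exp']) || $data['exp'] < time()) return null;
    return (int) $data['uid'];
}

// Demo with the post's two cookies (constructed sample values).
$low  = 'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}';
$high = 'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}';
echo role_from_raw_cookie($low), ' -> ', role_from_raw_cookie($high), PHP_EOL; // user -> admin

$cookie = issue_cookie(132);
var_dump(user_id_from_signed_cookie($cookie));   // int(132)
$tampered = base64_encode(json_encode(['uid' => 1, 'exp' => time() + 3600])) . '.' . explode('.', $cookie)[1];
var_dump(user_id_from_signed_cookie($tampered)); // NULL: payload changed, MAC no longer matches
// Privilege decisions belong to the server: look the role up from the user id
// (in WordPress, user_can($uid, 'manage_options')), never read it from the cookie.
```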
