How To Break Odoo's Security [Odoo Experience 2018]

•

0 recomendaciones•236 vistas

Recent years have seen a steady increase in the digital threats faced by businesses, small and large alike. The security of business and personal data becomes more and more important every day, and the arrival of new regulation such as GDPR adds legal burden to the existing business risk. XSS, CSRF, SQL injection, broken authentication, data leak, and so on. All kinds of security problems happen every day, even to the biggest companies. We can't stop that, but we can at least prepare for it, by carefully considering the risks, and integrating best practices into daily coding tasks. Before trying to break it, the talk will first describe the Odoo Security Model, with a quick recap of the key features built into the framework to help developers design secure Apps. Then we'll explore a few real-life coding examples. We'll show how the security features are used in practice, and how they can be defeated if the developers are not careful, compromising the whole security of the system. Analyzing these examples will give substance and context to the security primitives, and help new and experienced developers integrate best practices into their development workflow.

Software

How to Break Odoo's Security
Olivier DONY • Platform & Security
(or how to prevent it :-))
EXPERIENCE
2018
security@odoo.com - @odony

Odoo Security Team
★ Audit / Review source code
★ Analyze customer audits
★ Raise awareness
★ Monitor security@odoo.com
★ Responsible Disclosure Process
★ Security Advisories
odoo.com/security-report
★ Now an Official CVE Numbering
Authority (CNA)!

THE SECURITY
MODEL Business
Data
DATA
ACCESS
LAYER
ACCESS CONTROL
Groups
ACLs
Rules
APPS

GroupA
GroupB
User
Multi-Level Access Control
data
User wants to
access data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

Multi-Level Access Control
User wants to
access data
GroupA
GroupB
User
data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

data
Multi-Level Access Control
GroupA
GroupB
User
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

Multi-Level Access Control
Each layer controls separately the 4 CRUD operations
Create Read Update Delete
GroupA
GroupB
User
data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups

ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups
Multi-Level Access Control
These layers controls separately the 4 CRUD operations
Create Read Update Delete
a.k.a CRWU
Create
Read
Write
Unlink
GroupA
GroupB
User
data

Correct ACLs are key for securing an Odoo App
fleet/
controllers/
data/
models/
views/
security/
ir.model.access.csv
security.xml
fleet.vehicle fleet.contract
<record model="res.groups" id="group_manager">
<field name="name">Fleet Manager</field>
</record>
model group C R W U
fleet.vehicle base.group_user 0 1 0 0
fleet.vehicle fleet.group_manager 1 1 1 1
fleet.contract fleet.group_manager 1 1 1 1
<record model="ir.rule" id="rule_fleet_user">
<field name="model_id" ref="model_fleet_vehicle"/>
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
<field name="domain_force">
[('driver_id', '=', user.id)]
</field>
</record>

Common vulnerabilities?
Injection
(SQL, Code, …)
Access Control
(Wrong checks)
Broken Auth
(Sessions/Cred)
Information
Leaks
Security
Misconfiguration
Cross-site
scripting (XSS)
Covered.
Cross-Site
Request
Forgery
(CSRF/XSRF)

Breaks security? (2)
NOPE, but close!
Ugly but not injectable

Breaks security? (4)
ACCESS
CONTROL!
Accepts arbitrary fields, not just
those in the form: unsafe sudo!!

Breaks security? (5)
DATA LEAK!
Unsafe domain concat
Could receive partial domain: ['|',('body','ilike','password'),'&']
Result: ['|',('body','ilike','password'),
'&',('model','=','sale.order'),
('res_id','=',res_id)]

Breaks security? (5)
Safe domain
combination

There's more...
https://www.odoo.com/r/h3shttps://www.odoo.com/r/dbN

Merge Security Checklist
New fields/models? -> ACLs to add? Sensitive fields?
New methods? -> Private by default?
sudo? -> Double-check scope - record leaks - args
t-raw? -> Remove it quickly, unless it's a sanitized Html field
getattr? -> Find an alternative, there should be one...
(safe)_eval? -> Triple-check! Not for parsing data, right?
raw SQL? -> No %, concat or format(), right? Check again!
An ow in t o 're ta r…

Thank you.
#odooexperience
Security concern? ➢ security@odoo.com
EXPERIENCE
2018
Photos credits:
https://www.flickr.com/photos/129153735@N02/
https://www.flickr.com/photos/fallentomato/
https://www.flickr.com/photos/popatito_feo/
https://www.flickr.com/photos/medevac71/

Más contenido relacionado

La actualidad más candente

Encrypt and decrypt in solaris systemuzzal basak

Presentation of framework AngularLhouceine OUHAMZA

Cross Origin Resource SharingLuke Weerasooriya

Intro to Pentesting JenkinsBrian Hysell

A5: Security Misconfiguration Tariq Islam

Types of sql injection attacksRespa Peter

Security: Odoo Code HardeningOdoo

Structured and centralized logging with serilogDenis Missias

How to show warning _ error messages in Odoo 16 Celine George

Impact of the New ORM on Your ModulesOdoo

Deploying & Scaling your Odoo ServerOdoo

Tatil Öncesi Güvenlik Kontrol Listesi.pdfBGA Cyber Security

Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili

Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi ToplamaPRISMA CSI

A5-Security misconfiguration-OWASP 2013 Sorina Chirilă

security misconfigurationsMegha Sahu

jmp206 - Lotus Domino Web Services JumpstartBill Buchan

Java Securityelliando dias

Odoo's Test Framework - Learn Best PracticesOdoo

La actualidad más candente (20)

Encrypt and decrypt in solaris system

Presentation of framework Angular

Cross Origin Resource Sharing

Intro to Pentesting Jenkins

A5: Security Misconfiguration

Types of sql injection attacks

Security: Odoo Code Hardening

Structured and centralized logging with serilog

How to show warning _ error messages in Odoo 16

Impact of the New ORM on Your Modules

Deploying & Scaling your Odoo Server

Tatil Öncesi Güvenlik Kontrol Listesi.pdf

Android security and penetration testing | DIVA | Yogesh Ojha

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

Beyaz Şapkalı Hacker CEH Eğitimi - Aktif Bilgi Toplama

A5-Security misconfiguration-OWASP 2013

security misconfigurations

jmp206 - Lotus Domino Web Services Jumpstart

Java Security

Odoo's Test Framework - Learn Best Practices

Similar a How To Break Odoo's Security [Odoo Experience 2018]

Safer Odoo Code [Odoo Experience 2017]Olivier Dony

Top Ten Proactive Web Security Controls v5Jim Manico

ruxc0n 2012mimeframe

Secure SDLC for Software Shreeraj Shah

SAP (in)security: New and bestERPScan

OWASP, PHP, life and universeSebastien Gioria

2014 06-05-mozilla-afupSebastien Gioria

Enterprise Cloud Security - Concepts Mash-upDileep Kalidindi

Drupal Security SeminarCalibrate

OWASPPen Testeronyguy

Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir

Super1neelakanteswarreddy

(In) Security graph database in real world Miguel Hernández Boza

Secure coding guidelinesZakaria SMAHI

Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...iotcloudserve_tein

GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )Md Raffiqunnabi Rumman

The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor

Shields up - improving web application securityKonstantin Mirin

香港六合彩baoyin

Mobile Security Assessment: 101wireharbor

Similar a How To Break Odoo's Security [Odoo Experience 2018] (20)

Safer Odoo Code [Odoo Experience 2017]

Top Ten Proactive Web Security Controls v5

ruxc0n 2012

Secure SDLC for Software

SAP (in)security: New and best

OWASP, PHP, life and universe

2014 06-05-mozilla-afup

Enterprise Cloud Security - Concepts Mash-up

Drupal Security Seminar

OWASP

Hacking WebApps for fun and profit : how to approach a target?

Super1

(In) Security graph database in real world

Secure coding guidelines

Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...

GDG Dev Fest 2014 Cyber Security & Bangladesh (Raffiqunnabi Rumman )

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

Shields up - improving web application security

香港六合彩

Mobile Security Assessment: 101

Último

Top Mobile App Development Companies 2024XongoLab Technologies LLP

COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124

10 Essential Software Testing Tools You Need to Know About.pdfkalichargn70th171

Secure Software Ecosystem Teqnation 2024Soroosh Khodami

KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j

how-to-download-files-safely-from-the-internet.pdfMehmet Akar

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...Alluxio, Inc.

Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.

JustNaik Solution Deck (stage bus sector)Max Lee

A Guideline to Gorgias to to Re:amaze Data MigrationHelp Desk Migration

Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion Clinic

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171

INGKA DIGITAL: Linked Metadata by DesignNeo4j

A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed

Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy

IT Software Development Resume, Vaibhav jha 2024vaibhav130304

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2

Crafting the Perfect Measurement Sheet with PLM IntegrationWave PLM

Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980

How To Break Odoo's Security [Odoo Experience 2018]

1. How to Break Odoo's Security Olivier DONY • Platform & Security (or how to prevent it :-)) EXPERIENCE 2018 security@odoo.com - @odony

2. Odoo Security Team ★ Audit / Review source code ★ Analyze customer audits ★ Raise awareness ★ Monitor security@odoo.com ★ Responsible Disclosure Process ★ Security Advisories odoo.com/security-report ★ Now an Official CVE Numbering Authority (CNA)!

3. THE SECURITY MODEL Business Data DATA ACCESS LAYER ACCESS CONTROL Groups ACLs Rules APPS

4. GroupA GroupB User Multi-Level Access Control data User wants to access data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups

5. Multi-Level Access Control User wants to access data GroupA GroupB User data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups

6. data Multi-Level Access Control GroupA GroupB User ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups

7. Multi-Level Access Control Each layer controls separately the 4 CRUD operations Create Read Update Delete GroupA GroupB User data ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups

8. ir.model.access (groups) ir.rule (groups) ir.rule (global) Per-field @groups Multi-Level Access Control These layers controls separately the 4 CRUD operations Create Read Update Delete a.k.a CRWU Create Read Write Unlink GroupA GroupB User data

9. Correct ACLs are key for securing an Odoo App fleet/ controllers/ data/ models/ views/ security/ ir.model.access.csv security.xml fleet.vehicle fleet.contract <record model="res.groups" id="group_manager"> <field name="name">Fleet Manager</field> </record> model group C R W U fleet.vehicle base.group_user 0 1 0 0 fleet.vehicle fleet.group_manager 1 1 1 1 fleet.contract fleet.group_manager 1 1 1 1 <record model="ir.rule" id="rule_fleet_user"> <field name="model_id" ref="model_fleet_vehicle"/> <field name="groups" eval="[(4, ref('base.group_user'))]"/> <field name="domain_force"> [('driver_id', '=', user.id)] </field> </record>

10. Common vulnerabilities? Injection (SQL, Code, …) Access Control (Wrong checks) Broken Auth (Sessions/Cred) Information Leaks Security Misconfiguration Cross-site scripting (XSS) Covered. Cross-Site Request Forgery (CSRF/XSRF)

11. So, how do we break in?

12. Breaks security? (1)

13. Breaks security. (1) SQL Injection!

14. Bobby Tables...

15. Breaks security? (2) NOPE, but close! Ugly but not injectable

16. Breaks security? (3)

17. Breaks security? (3) ACCESS CONTROL!

18. Breaks security? (3)

19. Breaks security? (4)

20. Breaks security? (4)

21. Breaks security? (4)

22. Breaks security? (4) ACCESS CONTROL! Accepts arbitrary fields, not just those in the form: unsafe sudo!!

23. Breaks security? (5) DATA LEAK! Unsafe domain concat Could receive partial domain: ['|',('body','ilike','password'),'&'] Result: ['|',('body','ilike','password'), '&',('model','=','sale.order'), ('res_id','=',res_id)]

24. Breaks security? (5) Safe domain combination

25. There's more... https://www.odoo.com/r/h3shttps://www.odoo.com/r/dbN

26. Merge Security Checklist New fields/models? -> ACLs to add? Sensitive fields? New methods? -> Private by default? sudo? -> Double-check scope - record leaks - args t-raw? -> Remove it quickly, unless it's a sanitized Html field getattr? -> Find an alternative, there should be one... (safe)_eval? -> Triple-check! Not for parsing data, right? raw SQL? -> No %, concat or format(), right? Check again! An ow in t o 're ta r…

27. Thank you. #odooexperience Security concern? ➢ security@odoo.com EXPERIENCE 2018 Photos credits: https://www.flickr.com/photos/129153735@N02/ https://www.flickr.com/photos/fallentomato/ https://www.flickr.com/photos/popatito_feo/ https://www.flickr.com/photos/medevac71/

How To Break Odoo's Security [Odoo Experience 2018]

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a How To Break Odoo's Security [Odoo Experience 2018]

Similar a How To Break Odoo's Security [Odoo Experience 2018] (20)

Último

Último (20)

How To Break Odoo's Security [Odoo Experience 2018]