10. Introduction
Do you ...
... know me?
... have a working development environment?
... ever heard of XSS?
... ever heard of SQLi?
... ever heard of CSRF?
... ever found a vulnerability in a TYPO3 extension?
... reported your findings to security@typo3.org?
Inspiring people to
T3DD10 Security Workshop share
11. Did you ever hack for
12. Security Flaws versus Security Concepts
Agenda
General Security Concepts
Hacking / Code Review Session
Getting into details about some vulnerability types
Writing down best practices for TYPO3 developers
13. What is Security?
14. Security is not a state
20. What is Security?
Security is a process
The security of an application must be proven over time
Security must constantly be improved
An application can never be secure ...
... but only not insecure at a particular time
The "costs" for security must relate to the possible impacts
28. What is Security?
General Security Concepts
Minimize Exposure / Least privilege
Don't trust user data, don't trust services
Filter -> Validate -> Escape: never mix them up
Defense in depth
Positive Security Model (Whitelist)
Use logging
Avoid security by obscurity
35. Cross Site Scripting
XSS
Persistent / non-persistent XSS
Injecting Up / Break out of the current DOM context
Injecting Down
Stay in the current context, but use the possibilities
<img src="javascript:alert(document.cookie)" />
39. Cross Site Scripting
Preventing XSS
Input validation and/or filtering is not enough
Escape correctly, depending on the context
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>
<img src="... OR HERE ..." />
... because then you're doomed
41. Email Header Injection
Email Header Injection
PHP mail() function and the From: header
Use filter_var($mail, FILTER_VALIDATE_EMAIL)
Do not allow chr(10) or chr(13) (line breaks) in header values
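An added example (not the workshop's own code) of the two checks the slide lists before a user-supplied address reaches the From: header of mail(); the function names are my own.

```php
<?php
// Added example: validate a sender address before it is used in a mail header.
declare(strict_types=1);

// Returns the address if it is safe to place in a header, otherwise null.
function safeFromAddress(string $input): ?string
{
    $input = trim($input);
    // chr(13)/chr(10) would start a new header line inside the From: value,
    // so the value is rejected outright rather than "cleaned".
    if (strpbrk($input, "\r\n\0") !== false) {
        return null;
    }
    // filter_var() returns the validated address or false.
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Hypothetical contact-form sender: refuses to send when validation fails
// instead of falling back to an unvalidated header.
function sendContactMail(string $to, string $from, string $subject, string $body): bool
{
    $safeFrom = safeFromAddress($from);
    if ($safeFrom === null) {
        return false;
    }
    // The subject is a header as well; a line break there is the same injection point.
    $subject = str_replace(["\r", "\n"], ' ', $subject);
    $headers = "From: {$safeFrom}\r\nReply-To: {$safeFrom}";
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs: a legitimate address and one carrying a second header line.
var_dump(safeFromAddress('alice@example.org'));                    // string(17) "alice@example.org"
var_dump(safeFromAddress("alice@example.org\r\nBcc: x@example.net")); // NULL
var_dump(safeFromAddress('not an address'));                        // NULL
```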
43. SQL Injection
SQLi
(blind) SQL Injections
Timing attacks
UNION SELECT
Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1)
Check your TypoScript!
48. SQL Injection
Prevent SQLi
Prepared Statements / PDO
Escaping
Typecasting (intval), whitelist validation
Using an ORM (extbase, FLOW3, QCodo, ...)
49. Cross Site Request Forgery
50. Cross Site Request Forgery
CSRF
Executing arbitrary actions on behalf of a victim
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
Stored CSRF (like XSS)
Targeted emails
Probably requires some kind of social engineering
51. Cross Site Request Forgery
Prevent CSRF
Limiting to POST and checking the referrer is not enough
Double Submit Cookies
Challenge-Response
Synchronizer Token Pattern
No Cross-Site Scripting (XSS) Vulnerabilities
since 2005, security since 2008, leader since end 2009
Application security, not personal nor governmental
Investment in resources for security vs. potential loss when hacked
=> If a hacker has to invest much more than he or she gets back, he or she won't attack
=> Your system is secure
An application must constantly be improved
=> As hackers and hacker tools evolve, so the security concepts have to
Give the least information possible (wizard.dat), hide files from the webroot, DB users, Apache user
User data: GET, POST, COOKIE, DB?
Escaping is all about context
Defense in depth: as many defense lines as reasonable (health record example)
TYPO3, no private data stored in the DB or on the HD, not even images
Authentication through a 64-bit hash calculated from the password
All data comes from an external DB where everything is encrypted (decrypted with the hash)
Obscurity: e.g. alternate telnet port; hide source
Injecting Up: "> </script>
Injecting Down:
<img src="...UNTRUSTED DATA HERE..." /> <img src="javascript:alert(document.cookie)" />
"You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
Input validation: "a>b" or "Me & you"
Twitter attack
Escaping is not easy because of the different contexts of HTML
http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
<...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
Contexts: HTML element, HTML attribute value, JS variable value, URL parameter
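An added example (not from the workshop) covering the "Preventing XSS" slide and the context list above: one escaper per output context, plus a scheme whitelist for the "injecting down" case where escaping alone cannot help. The function names are my own; the inputs are constructed from the slides' examples.

```php
<?php
// Added example: context-dependent escaping for the four contexts in the notes.
declare(strict_types=1);

// HTML element content and quoted attribute values: entity-encode < > & " '.
// "Injecting up" needs a raw " or < to leave the current context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside <script>: json_encode() with the HEX flags,
// so neither a quote nor a </script> sequence can end the literal or the block.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A single URL query parameter value.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// "Injecting down": in a URL sink (src, href) a correctly escaped value can
// still be a javascript: URL, so the scheme is whitelisted, not escaped.
function safeUrlAttr(string $url): ?string
{
    $url = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $url); // browsers ignore these
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return escapeHtml($url);
}

// Constructed inputs taken from the slides and notes.
$up   = '"> </script><b>x</b>';
$down = 'javascript:alert(document.cookie)';
$text = 'Me & you'; // legitimate input that a filter would mangle; escaping keeps it

echo '<p>' . escapeHtml($up) . "</p>\n";               // &quot;&gt; &lt;/script&gt;...
echo '<input value="' . escapeHtml($up) . "\">\n";     // value stays inside the attribute
echo '<script>var n = ' . escapeJs($up) . ";</script>\n";
echo '<a href="/s?q=' . escapeUrlParam($up) . "\">s</a>\n";
echo '<p>' . escapeHtml($text) . "</p>\n";             // Me &amp; you
var_dump(safeUrlAttr($down));                           // NULL: scheme not on the whitelist
var_dump(safeUrlAttr('https://example.org/a.png'));    // the escaped URL
var_dump(strip_tags($down));                            // unchanged: filtering alone does nothing here
```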
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
SELECT title, description, body FROM items WHERE ID = 2 and 1=1
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
Defense in depth (saltedpw)
http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281
Escaping:
* use the TYPO3 API for that
* fullQuoteStr(): the '' are necessary
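An added example (not the workshop's code) for the "Prevent SQLi" slide and the notes above: the boolean probe from the notes (ID = 2 and 1=1 versus 1=2) against a concatenated query, next to the typecast, prepared-statement and whitelist fixes the slide lists. It uses PDO with an in-memory SQLite table as a stand-in for the TYPO3 database API, and the function names are my own.

```php
<?php
// Added example: vulnerable concatenation versus intval(), bound parameters and a whitelist.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)');
$pdo->exec("INSERT INTO items VALUES (2, 'Hello', 'a description', 'some body')");

// Vulnerable: the untrusted value becomes part of the SQL text.
function findItemVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT title, description, body FROM items WHERE ID = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1: typecasting. An integer column only ever needs an integer.
function findItemIntval(PDO $pdo, string $id): array
{
    $sql = 'SELECT title, description, body FROM items WHERE ID = ' . intval($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: prepared statement. The value is bound and never parsed as SQL.
function findItemPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT title, description, body FROM items WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 3: whitelist validation for parts that cannot be bound, e.g. ORDER BY columns.
function listTitlesOrdered(PDO $pdo, string $column): array
{
    $allowed = ['title', 'description'];
    if (!in_array($column, $allowed, true)) {
        $column = 'title';
    }
    return $pdo->query("SELECT title FROM items ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// The probe from the notes: the row count differs between the two inputs,
// and that difference is exactly the signal a blind injection reads.
echo count(findItemVulnerable($pdo, '2 and 1=1')), "\n"; // 1
echo count(findItemVulnerable($pdo, '2 and 1=2')), "\n"; // 0
// With intval() the appended condition is simply dropped; with a bound
// parameter the whole string is compared as a value and matches no ID.
echo count(findItemIntval($pdo, '2 and 1=2')), "\n";     // 1
echo count(findItemPrepared($pdo, '2')), "\n";           // 1
echo count(findItemPrepared($pdo, '2 and 1=1')), "\n";   // 0
echo count(listTitlesOrdered($pdo, 'body; DROP TABLE items')), "\n"; // 1, ordered by title
```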
POST can be forged, the referrer can be spoofed
Double Submit Cookies
* sending the session id as a cookie and as a form value
Downsides: session hijacking, httponly for cookies not valid any more
Challenge-Response:
* CAPTCHA
* Re-authentication (password), confirmation? a JavaScript alert() that can be clicked?
* One-time token
Synchronizer Token Pattern
* Generate one or more random tokens for a session (per session or per request)
* randomize the token variable name (per-request downside: browser back button)
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
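An added example (not the workshop's code) of the Synchronizer Token Pattern from the "Prevent CSRF" slide and the notes above, in its per-session form: a random token kept server-side, embedded in each state-changing form and compared in constant time. The session array and function names are my own; `$session` stands in for `$_SESSION`.

```php
<?php
// Added example: per-session synchronizer token, generated, embedded and verified.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

// Returns the session's token, creating it on first use (32 random bytes, hex-encoded).
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field to include in every form that changes state.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '">';
}

// Check on every state-changing request. hash_equals() compares in constant time.
function csrfValid(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['_csrf'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed walk-through: a legitimate form round-trip versus a cross-site
// request (the bank.com image from the slide) that cannot know the token.
$session = [];
$form    = csrfField($session);
$legit   = ['acct' => 'MARIA', 'amount' => '100', '_csrf' => csrfToken($session)];
$forged  = ['acct' => 'MARIA', 'amount' => '100000'];        // no token at all
$guessed = ['acct' => 'MARIA', 'amount' => '100000', '_csrf' => str_repeat('0', 64)];

var_dump(csrfValid($session, $legit));   // bool(true)
var_dump(csrfValid($session, $forged));  // bool(false)
var_dump(csrfValid($session, $guessed)); // bool(false)
// The last bullet on the slide applies: a script injected via XSS can read the
// token out of the page, so the pattern only holds when there is no XSS.
```

A per-request variant regenerates the token after each verification; as the notes say, that costs the browser back button.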