T3DD12 Security Workshop

Although they are generally easy to avoid, SQL injection and cross-site scripting vulnerabilities are among the top 5 web application flaws every year.

The reasons are manifold. One of them may be bad application design, where the security code is spread all over the place, or the wrong use of validation, escaping or encoding.

In the first part of this workshop you will learn how to securely handle user input and where that handling belongs in your code.

In the second part we will look at several problematic code examples and evaluate which code can be secured and why some code should generally be avoided. In that part we will also cover many lesser-known security problems like NULL byte injections or unserialize vulnerabilities.

Notes:
  • Apache, OS, PHP
  • Green SQL
  • DB : tt_content:234:header
    DB : be_users:1:password
  • (CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM be_users where username = 0x61646D696E) = 65 THEN date ELSE title END)
  • edit wrong field

    1. T3DD12 Security: Beyond SQL Injections. 13.04.2012, Helmut Hummel <helmut@typo3.org>. (Footer on every slide: TYPO3 Developer Days - Munich 2012, Inspiring people, Security Workshop)
    2. Introduction: Who's that guy? TYPO3 Security Team Leader; TYPO3 Core Team Member; Employed @ naw.info in Hannover, Germany
    3. T3DD12 Security Workshop. Agenda: Web Application Security - a Recap; Did you know ...?; Knowing the Enemy; Best Practice; TYPO3 Security Team
    4. What is Security?
    5. Absence of potential
    6-11. What is Security? Characteristics of Security: There is no absolute Security. An environment is only as secure as its weakest point. Security is an investment. The efforts for Security must be proportional to the potential damage. An application or a service can be called secure if the effort of compromising it is way higher than the possible gains.
    12-15. What is Security? Security is relative: Security depends on your needs. Security depends on a certain point in time. Security needs to be constantly adapted and improved.
    16. Security is a process, not a product. (Bruce Schneier)
    17-22. Criteria for Security: Integrity, Confidentiality, Availability
    23. General Security Principles: Least privilege; Minimize Exposure; Do not rely on "security by obscurity"; Defense in depth
    24-31. Defense in Depth (diagram built up layer by layer, each layer with its countermeasure): PHP-application - security layer(s); PHP - suhosin; DBMS - SQL Proxy; Webserver - mod_security; OS - Hardening; Server - Firewall, Proxy
    32. Did you know?
    33. (no text)
    34. TypoScript
    35. page.10 = CONTENT
        page.10.table = tt_content
        page.10.where = colPos=0
        page.10.andWhere.data = GP:page_id
        page.10.andWhere.wrap = pid=|
    36. page.10 = CONTENT
        page.10.table = tt_content
        page.10.where = colPos=0
        page.10.andWhere.data = GP:page_id
        page.10.andWhere.intval = 1
        page.10.andWhere.wrap = pid=|
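Slides 35 and 36 differ only in `andWhere.intval = 1`: without it, the `page_id` request parameter is pasted verbatim into the `WHERE` clause. The following PHP is an added example (not code from the slides or from TYPO3) that reproduces the two variants against a constructed in-memory SQLite table standing in for `tt_content`, so the effect of the integer cast can be seen directly. Table contents, the `contentByPage*` function names and the request values are all constructed for the example.

```php
<?php
// Added example (not from the slides): "andWhere.data = GP:page_id" in plain PHP,
// first as string concatenation (slide 35), then with the value cast to an integer
// like "andWhere.intval = 1" (slide 36) and bound as a typed parameter.
declare(strict_types=1);

// Constructed in-memory table standing in for tt_content.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, pid INTEGER, colPos INTEGER, header TEXT)');
$pdo->exec("INSERT INTO tt_content VALUES (1, 5, 0, 'Public page'), (2, 7, 0, 'Internal page')");

// Vulnerable variant (slide 35): the request value becomes part of the SQL text,
// so anything that is not a plain number rewrites the WHERE clause.
function contentByPageUnsafe(PDO $pdo, string $pageId): array
{
    $sql = 'SELECT header FROM tt_content WHERE colPos=0 AND pid=' . $pageId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened variant (slide 36): (int) behaves like intval(), so only a number can
// survive; binding it with PDO::PARAM_INT keeps data and SQL separated even then.
// A stricter layer would reject non-digit input with ctype_digit() instead of casting.
function contentByPageSafe(PDO $pdo, string $pageId): array
{
    $stmt = $pdo->prepare('SELECT header FROM tt_content WHERE colPos=0 AND pid=:pid');
    $stmt->bindValue(':pid', (int) $pageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$tampered = '5 OR 1=1';   // constructed request value that is not a plain page id
var_dump(contentByPageUnsafe($pdo, $tampered)); // both rows: the condition was rewritten
var_dump(contentByPageSafe($pdo, $tampered));   // only 'Public page': the cast left pid=5
var_dump(contentByPageSafe($pdo, '5'));         // only 'Public page'
```

Run it with `php example.php` (PDO with the SQLite driver is part of a standard PHP build). The point to take from the output is that the cast and the bound parameter remove the request value from the SQL text entirely, which is what `intval = 1` achieves in TypoScript.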
    37. page.10 = TEXT
        page.10.field = title
        page.10.wrap = <h1 class="c-{field:layout}">|</h1>
        page.10.insertData = 1
    38. (same as 37)
    39. page.10 = TEXT
        page.10.field = title
        page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
    40. page.10 = TEXT
        page.10.field = title
        page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
        page.10.htmlSpecialChars = 1
    41. (same as 40)
    42. Security Problems
    43. XSS
    44. HTML Contexts: HTML-Element; HTML-Attribute Value; JS-Values; URL Parameter
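Slide 40 adds `htmlSpecialChars = 1` so the editor-supplied title is escaped before it is placed into the `<h1>`, and slide 44 lists the contexts in which the same value needs different escaping. The following PHP is an added example (not code from the slides or from TYPO3) that takes one constructed title and renders it into each of the four contexts named on slide 44; the `escape*` and `render` function names and the sample title are assumptions of the example.

```php
<?php
// Added example (not from the slides): one untrusted value, escaped per output context.
declare(strict_types=1);

// Constructed editor-supplied title; editors are users (slide 75), so it is untrusted.
$title = 'Rock & Roll <b>"live"</b> \'tonight\'';

// 1. HTML element content and 2. quoted attribute value:
//    htmlspecialchars() with ENT_QUOTES escapes & < > " and ', which is the same
//    function TypoScript's stdWrap.htmlSpecialChars is built on.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. JavaScript value: json_encode() yields a JS string literal; the HEX flags turn
//    < > & ' " into \uXXXX so the value can neither close a <script> block early
//    nor break out of an attribute that carries inline JS.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 4. URL parameter: percent-encode the value for the query string; the finished URL
//    is then HTML-escaped as well because it ends up inside an href attribute.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

function render(string $title): string
{
    $html  = '<h1 class="c-default">' . escapeHtml($title) . "</h1>\n";
    $html .= '<input type="text" value="' . escapeHtml($title) . "\">\n";
    $html .= '<script>var title = ' . escapeJs($title) . ";</script>\n";
    $html .= '<a href="' . escapeHtml('/search?q=' . escapeUrlParam($title)) . "\">search</a>\n";
    return $html;
}

echo render($title);
```

Running it prints four lines in which the same characters are represented three different ways (`&lt;`, `\u003C`, `%3C`). Picking the escaping by the context the value lands in, directly before output, is the rule slide 79 summarises as "Escape Output: Context!".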
    45. CSRF
    46. CSRF: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
    47. Avoid CSRF: Secret random token in the request; Save token in session; One-Time Token may have usability impacts
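The three points on slide 47 (a secret random token in the request, saved in the session, optionally one-time) fit in a few lines of PHP. The block below is an added example (not code from the slides or from TYPO3): `$session` is passed in as an array so the script runs from the command line, and stands in for `$_SESSION` in a real request; the `TOKEN_KEY` constant and the function names are assumptions of the example.

```php
<?php
// Added example (not from the slides): anti-CSRF token as described on slide 47.
declare(strict_types=1);

const TOKEN_KEY = 'csrf_token';

// Issue a token: a secret random value kept server-side in the session.
function issueToken(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session[TOKEN_KEY];
}

// Embed the token in every state-changing form: this is the "secret in the request".
// A cross-site <img> or auto-submitted form (slide 46) cannot read the victim's session,
// so it cannot supply the value.
function hiddenField(array &$session): string
{
    return '<input type="hidden" name="' . TOKEN_KEY . '" value="'
        . htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on submit. hash_equals() compares in constant time. With $oneTime = true the
// token is consumed after a successful check (the one-time variant from slide 47);
// a second tab or a re-submitted form then fails, which is the usability cost.
function verifyToken(array &$session, array $post, bool $oneTime = false): bool
{
    $expected = $session[TOKEN_KEY] ?? '';
    $given    = $post[TOKEN_KEY] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    if ($oneTime) {
        unset($session[TOKEN_KEY]);
    }
    return true;
}

// Constructed walk-through of one session.
$session = [];
echo hiddenField($session), "\n";                               // token is now in the session
$token = $session[TOKEN_KEY];

var_dump(verifyToken($session, []));                             // false: request without token
var_dump(verifyToken($session, [TOKEN_KEY => 'guess']));         // false: wrong token
var_dump(verifyToken($session, [TOKEN_KEY => $token], true));    // true, token consumed
var_dump(verifyToken($session, [TOKEN_KEY => $token], true));    // false: second use rejected
```

Without the `$oneTime` flag the same token stays valid for the whole session, which keeps multiple open forms working; the one-time mode is the stricter choice the slide warns may cost usability.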
    48. SQLi
    49. File Handling
    50. Header Injection
    51. Code Injection
    52. Insecure Unserialize
    53. Extbase Security
    54. XSS
    55. Extbase XSS: Flash Messages; Context
    56. SQLi
    57. Mass Assignment
    58. Access Violation
    59. Knowing the enemy
    60. Demo
    61. Best Practice
    62-68. Best Practice: The world is bad™. Every request is an attack until the opposite is proven. User input is untrustworthy. User input needs to be validated, and encoded and escaped right before output. Encoding and escaping depend on the context. Separation of Concerns.
    69-75. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE); $_FILES; $_SERVER; Filenames; External Services; Editors are users
    76. How to treat User Input: Validation; Filtering; Escaping; Encoding
    77. How to treat User Input (flow): User Input (evil™) → Validate/Filter → stop execution? → Escaping/Encoding (context!) → Output
    78. How to treat User Input: Filter Input; Escape Output
    79. How to treat User Input: Filter Input (Check Type, Check Format, Check length); Escape Output (Context! DB, HTML, JS; Directly before output)
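Slides 77 to 79 describe the input side of the rule: check type, format and length, and stop execution when a check fails, before any escaping happens at output. The following PHP is an added example (not code from the slides or from TYPO3) of such a filter layer; the `InvalidInput` exception, the `require*` function names, the slug format and the sample requests are assumptions of the example. It also rejects NUL bytes, which the workshop description names as a lesser-known problem.

```php
<?php
// Added example (not from the slides): a small "Filter Input" layer after slide 79.
// Each function either returns a typed, checked value or throws, which is the
// "stop execution?" branch of the flow on slide 77. Escaping is still done at output.
declare(strict_types=1);

final class InvalidInput extends RuntimeException {}

// Check Type: a record uid is a positive integer, nothing else.
function requireUid(array $input, string $key): int
{
    $v = filter_var($input[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($v === false) {
        throw new InvalidInput("$key must be a positive integer");
    }
    return $v;
}

// Check Format: an identifier built from an allow-list of characters only.
// The /D modifier stops $ from accepting a trailing newline.
function requireSlug(array $input, string $key): string
{
    $v = $input[$key] ?? '';
    if (!is_string($v) || !preg_match('/^[a-z0-9][a-z0-9-]{0,63}$/D', $v)) {
        throw new InvalidInput("$key has an invalid format");
    }
    return $v;
}

// Check length (in characters, not bytes) and reject NUL and other control characters.
function requireText(array $input, string $key, int $maxLen): string
{
    $v = $input[$key] ?? '';
    if (!is_string($v) || !mb_check_encoding($v, 'UTF-8')) {
        throw new InvalidInput("$key must be UTF-8 text");
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $v)) {
        throw new InvalidInput("$key contains control characters");
    }
    if (mb_strlen($v, 'UTF-8') > $maxLen) {
        throw new InvalidInput("$key is longer than $maxLen characters");
    }
    return $v;
}

// Constructed request bodies; in a real request these would be $_POST.
$requests = [
    ['uid' => '42',        'slug' => 'news-2012', 'comment' => 'Looks good'],
    ['uid' => '42 OR 1=1', 'slug' => 'news-2012', 'comment' => 'x'],
    ['uid' => '7',         'slug' => '../etc',    'comment' => 'x'],
    ['uid' => '7',         'slug' => 'ok',        'comment' => "hidden\0byte"],
];

foreach ($requests as $i => $post) {
    try {
        $clean = [
            'uid'     => requireUid($post, 'uid'),
            'slug'    => requireSlug($post, 'slug'),
            'comment' => requireText($post, 'comment', 200),
        ];
        echo "request $i accepted: " . json_encode($clean) . "\n";
    } catch (InvalidInput $e) {
        echo "request $i rejected: " . $e->getMessage() . "\n";
    }
}
```

Only the first request is accepted; the other three stop at the type, format and control-character checks respectively. Keeping these checks in one place, and the escaping separately at the output side, is the "Leave Security to Security Code" point of slide 80.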
    80. Separation of Concerns: Security issues are bugs; Clean code leads to fewer bugs; Test Driven Development; Leave Security to Security Code
    81. TYPO3 Security Team
    82. TYPO3 Security Team: Responsible Disclosure Policy; One communication channel (security@typo3.org); Pre-Announcements for critical issues only; You can support us with sober and precise communication and by reading the Security Bulletins carefully
    83. TYPO3 Security Team, CVSS2 Score: It is a calculation to help you identify the severity of a Security Issue. The result is 4 different Scores: Base Score, Temporal Score, Environmental Score, Overall Score
    84-94. (no text)
    95. Questions?
    96. Thank you! @helhum, h.hummel@naw.info