T3DD12 Security Workshop

Although in general easy to avoid, SQL injection and cross-site scripting vulnerabilities are within the top 5 of web application flaws every year.

The reasons are manifold. One of them may be bad application design, where the security code is spread all over the place, or the wrong use of validation, escaping or encoding.

In the first part of this workshop you will learn how to securely handle user input and where that handling belongs in your code.

In the second part we will look at several problematic code examples and evaluate which code can be secured and why some code should generally be avoided. In that part we will also cover many lesser known security problems such as NULL byte injections or unserialize vulnerabilities.

Speaker notes (only the slides that carry a note are listed; the other note fields on the page are empty)

  • Apache, OS, PHP
  • Green SQL
  • DB : tt_content:234:header
    DB : be_users:1:password
  • (CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM be_users where username = 0x61646D696E) = 65 THEN date ELSE title END)
  • edit wrong field

Transcript

  • 1. T3DD12 Security: Beyond SQL Injections. 13.04.2012, Helmut Hummel <helmut@typo3.org>. TYPO3 Developer Days - Munich 2012, Inspiring people, Security Workshop
  • 2. Introduction: Who's that guy? TYPO3 Security Team Leader; TYPO3 Core Team Member; employed at naw.info in Hannover, Germany
  • 3. T3DD12 Security Workshop, Agenda: Web Application Security - a Recap; Did you know ...?; Knowing the Enemy; Best Practice; TYPO3 Security Team
  • 4. What is Security?
  • 5. Absence of potential
  • 6-11. What is Security? Characteristics of Security:
    There is no absolute security.
    An environment is only as secure as its weakest point.
    Security is an investment.
    The effort spent on security must be proportional to the potential damage.
    An application or a service can be called secure if the effort of compromising it is far higher than the possible gains.
  • 12-15. What is Security? Security is relative:
    Security depends on your needs.
    Security depends on a certain point in time.
    Security needs to be constantly adapted and improved.
  • 16. "Security is a process, not a product." (Bruce Schneier)
  • 17-22. Criteria for Security: Integrity, Confidentiality, Availability
  • 23. General Security Principles: Least privilege; Minimize exposure; Do not rely on "security by obscurity"; Defense in depth
  • 24-31. Defense in Depth (each layer of the stack and the protection added to it):
    PHP application: security layer(s)
    PHP: suhosin
    DBMS: SQL proxy
    Webserver: mod_security
    OS: hardening
    Server: firewall, proxy
  • 32. Did you know?
  • 34. TypoScript
  • 35. The request parameter page_id is written into the SQL WHERE clause exactly as it arrived:
    page.10 = CONTENT
    page.10.table = tt_content
    page.10.where = colPos=0
    page.10.andWhere.data = GP:page_id
    page.10.andWhere.wrap = pid=|
  • 36. The same with andWhere.intval = 1, so only an integer can reach the query:
    page.10 = CONTENT
    page.10.table = tt_content
    page.10.where = colPos=0
    page.10.andWhere.data = GP:page_id
    page.10.andWhere.intval = 1
    page.10.andWhere.wrap = pid=|
  • 37-38. insertData = 1 applies the {...} data markers to the field value as well, not only to the wrap, so whoever can write the title field can pull other database values into the page (the speaker note DB:be_users:1:password is that kind of marker):
    page.10 = TEXT
    page.10.field = title
    page.10.wrap = <h1 class="c-{field:layout}">|</h1>
    page.10.insertData = 1
  • 39. dataWrap processes markers only inside the wrap, not inside the content:
    page.10 = TEXT
    page.10.field = title
    page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
  • 40-41. htmlSpecialChars = 1 escapes the title before it is written into the HTML:
    page.10 = TEXT
    page.10.field = title
    page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
    page.10.htmlSpecialChars = 1
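The page_id handling of slides 35 and 36 written out in plain PHP, as an added example that is not part of the slides and not TYPO3 code: an in-memory SQLite table stands in for tt_content (table and column names are taken from the slide, the rows are constructed), the unchecked and the intval variants are shown side by side, and a third function does what application code should do, bind the value with a prepared statement.

```php
<?php
// Added example, not code from the slides or from TYPO3: the page_id handling of
// slides 35 and 36 in plain PHP, plus the prepared-statement variant that
// application code should use. Runs against an in-memory SQLite database with
// constructed rows, so no TYPO3 installation is needed.
declare(strict_types=1);

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: page 1 is public, page 2 is not meant to be listed.
    $db->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, pid INTEGER, colPos INTEGER, header TEXT)');
    $db->exec("INSERT INTO tt_content (uid, pid, colPos, header) VALUES
        (1, 1, 0, 'Welcome'),
        (2, 2, 0, 'Internal page'),
        (3, 2, 0, 'Secret draft')");
    return $db;
}

// Slide 35: the request parameter is glued into the WHERE clause as it arrived.
function headersUnchecked(PDO $db, string $pageId): array
{
    $sql = 'SELECT header FROM tt_content WHERE colPos=0 AND pid=' . $pageId;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Slide 36: andWhere.intval = 1, here an explicit (int) cast, so only a number
// can ever become part of the SQL text.
function headersIntval(PDO $db, string $pageId): array
{
    $sql = 'SELECT header FROM tt_content WHERE colPos=0 AND pid=' . (int) $pageId;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// What application code should do: validate the type (slide 79) and bind the
// value with a prepared statement, so it is never parsed as SQL at all.
function headersPrepared(PDO $db, string $pageId): array
{
    if (filter_var($pageId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('page_id must be an integer');
    }
    $stmt = $db->prepare('SELECT header FROM tt_content WHERE colPos=0 AND pid=:pid');
    $stmt->execute([':pid' => (int) $pageId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDatabase();
$attackerValue = '1 OR 1=1';   // constructed: what ?page_id= might carry

echo "unchecked: ", implode(', ', headersUnchecked($db, $attackerValue)), "\n";
echo "intval:    ", implode(', ', headersIntval($db, $attackerValue)), "\n";
try {
    echo "prepared:  ", implode(', ', headersPrepared($db, $attackerValue)), "\n";
} catch (InvalidArgumentException $e) {
    echo "prepared:  rejected (", $e->getMessage(), ")\n";
}
```

With `1 OR 1=1` the unchecked clause reads `colPos=0 AND pid=1 OR 1=1`, which SQL parses as `(colPos=0 AND pid=1) OR 1=1` and therefore matches every row, the content of page 2 included; the cast turns the same string into `1`, and the prepared variant refuses it before any SQL is built. The cast is the right fix for TypoScript, where intval is all you have; in PHP code the prepared statement is the better habit, because it also covers string parameters, for which no cast exists.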
  • 42. Security Problems
  • 43. XSS
  • 44. HTML Contexts: HTML element; HTML attribute value; JS values; URL parameter
  • 45. CSRF
  • 46. CSRF:
    <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
  • 47. Avoid CSRF: Secret random token in the request; Save token in session; One-time token may have usability impacts
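The token scheme of slide 47 against the forged request of slide 46, as an added example that is not from the slides: the session and the request are plain arrays so that it runs from the command line (in a web application they would be $_SESSION and $_POST), the account and amount values are taken from the slide, and the form handler is constructed.

```php
<?php
// Added example, not code from the slides: the token scheme of slide 47
// (random secret per session, sent with every state-changing request,
// optionally single use). The session and the request are plain arrays here
// so the example runs from the command line; in a web application they are
// $_SESSION and $_POST.
declare(strict_types=1);

function issueCsrfToken(array &$session): string
{
    // 32 random bytes from the CSPRNG, hex-encoded so the value survives HTML
    // forms and URLs unchanged. An existing token is reused; otherwise a user
    // with two forms open would invalidate the first one by opening the second.
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function verifyCsrfToken(array &$session, array $request, bool $oneTime = false): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given = $request['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;               // no token issued, or none sent (the <img> on slide 46)
    }
    // Constant-time comparison: a plain === would leak how many leading bytes match.
    $valid = hash_equals($expected, $given);
    if ($oneTime) {
        unset($session['csrf_token']);   // a captured token must not work a second time
    }
    return $valid;
}

// Minimal form handler. The token check is the one thing an attacker's page
// cannot satisfy: it can make the victim's browser send the victim's cookies,
// but it cannot read the token out of the victim's session or form.
function handleTransfer(array &$session, array $request, bool $oneTime = false): string
{
    if (!verifyCsrfToken($session, $request, $oneTime)) {
        return 'rejected: missing or wrong CSRF token';
    }
    return sprintf('transferred %s to %s', $request['amount'], $request['acct']);
}

$session = [];
$token = issueCsrfToken($session);     // rendered into the genuine form as a hidden field

// Constructed requests: the forged one from slide 46 (no token) and the genuine form.
$forged  = ['acct' => 'MARIA', 'amount' => '100000'];
$genuine = ['acct' => 'MARIA', 'amount' => '100000', 'csrf_token' => $token];

echo handleTransfer($session, $forged), "\n";
echo handleTransfer($session, $genuine, true), "\n";
// The usability cost of one-time tokens from slide 47: the same form submitted
// a second time (double click, browser back button) is refused as well.
echo handleTransfer($session, $genuine, true), "\n";
```

The endpoint on slide 46 is also reachable with a GET request, which is what makes the img trick possible at all; state-changing actions should accept POST only, but that alone is not enough, because an attacker's page can auto-submit a POST form just as easily, so the token check stays.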
  • 48. SQLi
  • 49. File Handling
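A file-name check for the file handling and NULL byte injection topics named in the workshop description, as an added example that is not from the slides: the template directory, its files and the attempted names are constructed in a temporary directory so it runs as is; the validation order follows slide 79 (type, format, length first).

```php
<?php
// Added example, not code from the slides: a file-name check for the "File
// Handling" and NULL byte injection topics of the workshop. The template
// directory and files are created in a temporary directory, so it runs as is.
declare(strict_types=1);

function templatePath(string $baseDir, string $name): string
{
    // Type, format, length (slide 79): a template name is a short identifier, nothing else.
    // The character class excludes "\0", "/", "\\" and ".", so a NUL byte that would
    // once have truncated the path, and "../" traversal, already fail here.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid template name');
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.html');
    // Second line of defence: whatever the name looked like, the resolved file
    // must lie inside the template directory (realpath also resolves symlinks).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template not found');
    }
    return $path;
}

function loadTemplate(string $baseDir, string $name): string
{
    return file_get_contents(templatePath($baseDir, $name));
}

// Constructed fixture: templates/page.html and a sibling file that must stay unreadable.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/page.html', '<h1>page</h1>');
file_put_contents($root . '/secret.txt', 'db password');

$attempts = [
    'page',                 // legitimate
    "page\0",               // NUL byte: on old PHP the ".html" suffix was cut off here
    '../secret',            // traversal out of the template directory
    'missing',              // well-formed but absent
];
foreach ($attempts as $name) {
    try {
        $result = loadTemplate($root . '/templates', $name);
    } catch (InvalidArgumentException | RuntimeException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-14s -> %s\n", addcslashes($name, "\0..\37"), $result);
}
```

The NUL byte case is the historical one: before PHP 5.3.4 a NUL in a path ended the string at the C level, so `page\0` opened `page` with the `.html` suffix silently dropped, and the same trick turned `../../etc/passwd\0` into a readable path. Current PHP refuses paths that contain NUL bytes itself; the explicit format check still belongs in the code, because it behaves the same on every version and reports a clear error instead of a warning from deep inside the file functions.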
  • 50. Header Injection
  • 51. Code Injection
  • 52. Insecure Unserialize
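Why unserialize() on user input is a code-execution problem, and the two ways out, as an added example that is not from the slides: the CacheEntry class, the payload and the temporary target file are constructed for the example; any class in the loaded code base whose __destruct or __wakeup touches files, a database or eval() would serve the attacker equally well.

```php
<?php
// Added example, not code from the slides: why unserialize() on user input is
// a code-execution problem, and the two ways out. The CacheEntry class and the
// temporary file path are constructed for the example.
declare(strict_types=1);

class CacheEntry
{
    public $path;
    public $content;

    // Runs automatically when the object is destroyed, including for objects
    // that unserialize() created from attacker-controlled bytes.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// The attacker never needs the class source: the serialized form is plain text
// naming the class and its properties, built here with sprintf.
function attackerPayload(string $path, string $content): string
{
    return sprintf(
        'O:10:"CacheEntry":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// As found in the wild: data from a cookie, a form field or a cache file goes straight in.
function restoreUnsafe(string $data): void
{
    $obj = unserialize($data);
    unset($obj);                // last reference gone: __destruct() fires and writes the file
}

// Mitigation 1 (PHP 7.0 and later): no class may be instantiated, so no magic
// method runs. Objects come back as __PHP_Incomplete_Class, which has no behaviour.
function restoreRestricted(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Mitigation 2, preferred for new code: a format that carries data only, never objects.
function restoreJson(string $data)
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

$target = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'planted-' . bin2hex(random_bytes(4)) . '.txt';
$payload = attackerPayload($target, "written by unserialize()\n");

restoreUnsafe($payload);
echo 'unsafe:     ', file_exists($target) ? 'file written' : 'nothing happened', "\n";
if (file_exists($target)) {
    unlink($target);
}

$restored = restoreRestricted($payload);
echo 'restricted: ', get_class($restored), ', ',
     file_exists($target) ? 'file written' : 'nothing happened', "\n";

try {
    restoreJson($payload);
} catch (JsonException $e) {
    echo 'json:       rejected (', $e->getMessage(), ")\n";
}
```

The file write stands in for whatever the available destructors and wakeup hooks can be made to do; the attacker chooses the class, the properties and their values, and the application's own code supplies the behaviour. `allowed_classes` closes that door, but unserialize() of untrusted data stays a bad idea (deeply nested or huge payloads are still parsed), which is why a data-only format such as JSON is the better answer for anything that crosses a trust boundary.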
  • 53. Extbase Security
  • 54. XSS
  • 55. Extbase XSS: Flash Messages; Context
  • 56. SQLi
  • 57. Mass Assignment
  • 58. Access Violation
  • 59. Knowing the enemy
  • 60. Demo
  • 61-68. Best Practice: The world is bad™
    Every request is an attack until the opposite is proven.
    User input cannot be trusted.
    User input needs to be validated, and encoded and escaped right before output.
    Encoding and escaping depend on the context.
    Separation of concerns.
  • 69-75. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE); $_FILES; $_SERVER; Filenames; External services; Editors are users
  • 76. How to treat User Input: Validation; Filtering; Escaping; Encoding
  • 77. How to treat User Input (flow): User Input (evil™) -> Validate/Filter (stop execution?) -> Escaping/Encoding (context!) -> Output
  • 78. How to treat User Input: Filter Input, Escape Output
  • 79. How to treat User Input: Filter Input (check type, check format, check length); Escape Output (context! DB, HTML, JS; directly before output)
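Slides 44 and 76-79 in PHP, as an added example that is not from the slides and not TYPO3 code: input is checked for type, format and length once at the boundary, and output is escaped directly before it is written, with one encoder per HTML context. The title and layout fields mirror the <h1> of slides 37-41; the filter functions, the renderHeader template and the malicious title are constructed.

```php
<?php
// Added example, not code from the slides or from TYPO3: slides 44 and 79 in
// PHP. Input is checked for type, format and length when it arrives; output is
// escaped directly before it is written, with one encoder per HTML context.
// The "title" and "layout" fields echo the <h1> example of slides 37-41.
declare(strict_types=1);

// ---- Filter input (once, at the boundary) ----------------------------------

function filterPageId($raw): int
{
    // Type and format: an integer in the range the application uses.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('page_id must be a positive integer');
    }
    return $id;
}

function filterLayout($raw): string
{
    // Format and length: a CSS class fragment, nothing that could close an attribute.
    if (!is_string($raw) || !preg_match('/\A[a-z][a-z0-9-]{0,31}\z/', $raw)) {
        throw new InvalidArgumentException('layout must be a short lowercase identifier');
    }
    return $raw;
}

// ---- Escape output (directly before output, one encoder per context) --------

// Text between tags, e.g. inside <h1>...</h1>.
function forHtmlElement(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inside a quoted attribute value: the same encoder, but it is only safe if
// the attribute really is quoted in the template.
function forHtmlAttribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value inside a <script> block: a JSON literal with < > & ' " hex-escaped,
// so neither </script> nor a quote can break out of the string.
function forJsValue($v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// One parameter value inside a URL query string.
function forUrlParameter(string $s): string
{
    return rawurlencode($s);
}

function renderHeader(string $title, string $layout, int $pageId): string
{
    // Filtering happened at input time; escaping happens here, and nowhere else.
    return '<h1 class="c-' . forHtmlAttribute($layout) . '">' . forHtmlElement($title) . "</h1>\n"
        . '<a href="/search?q=' . forUrlParameter($title) . '&amp;page_id=' . $pageId . '">search</a>' . "\n"
        . '<script>var pageTitle = ' . forJsValue($title) . ";</script>\n";
}

// Constructed editor input (editors are users, slide 75): a title that tries
// to break out of every context at once.
$title = '"><script>alert(1)</script></script><img src=x onerror=alert(2)> & co';
$pageId = filterPageId('42');
$layout = filterLayout('default');
echo renderHeader($title, $layout, $pageId);

// Values that are not of the expected type or format are stopped at the boundary.
try {
    filterPageId('42 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
try {
    filterLayout('default" onmouseover="alert(3)');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The title is deliberately not filtered, only escaped: it is free text that may legitimately contain quotes and angle brackets, so the decision of what is dangerous can only be made per output context, which is the point of slide 44. The layout value, by contrast, has a narrow format and is rejected early; escaping it a second time on output costs nothing and keeps the template correct even if a future caller forgets the filter.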
  • 80. Separation of Concerns: Security issues are bugs; Clean code leads to fewer bugs; Test Driven Development; Leave security to security code
  • 81. TYPO3 Security Team
  • 82. TYPO3 Security Team: Responsible Disclosure Policy; One communication channel (security@typo3.org); Pre-announcements for critical issues only; You can support us with sober and precise communication and by reading the Security Bulletins carefully
  • 83. TYPO3 Security Team, CVSS2 Score: a calculation that helps you identify the severity of a security issue. The result is four different scores: Base Score, Temporal Score, Environmental Score, Overall Score
  • 95. Questions?
  • 96. Thank you! @helhum, h.hummel@naw.info