Security Pitfalls vs. Best Practices

  1. Inspiring people to share. TYPO3 Developer Days - Hamburg 2013 Security Workshop (T3DD13). Security Pitfalls vs. Best Practices. Helmut Hummel <helmut@typo3.org>, 07.07.2013
  2. Agenda
     • What does Security mean?
     • Knowing the enemy
     • Pitfalls
     • Best Practice
     • TYPO3 Security Team
  3. What does Security mean?
  4. Absence of potential damage
  5. Protecting information
  6. Unauthorized access
  7. Unauthorized modification
  8. Loss
  9. CIA Triad
  10. CIA Triad (diagram): Confidentiality, Integrity and Availability of information
  11. What is Security? Security is relative
     • Security depends on your needs / the kind of information
     • Security depends on a certain point in time
     • Security needs to be constantly adapted and improved
  12. What is Security? Characteristics of Security
     • There is no absolute security
     • An environment is only as secure as its weakest point
     • Security is an investment
     • The effort spent on security must be proportional to the potential damage
     • A system can be called secure if the effort of compromising it is far higher than the possible gains
  13. "Security is a process, not a product." (Bruce Schneier)
  14. General Security Principles
     • Least privilege
     • Minimize exposure
     • Do not rely on "security by obscurity"
     • Defense in depth
  15. Defense in Depth (diagram): security layers from the outside in: Firewall, Proxy, Webserver (mod_security), PHP (Suhosin, PHP hardening), PHP application, SQL Proxy, DBMS, OS, Server
  16. Knowing the enemy
  17. Knowing the enemy: Different motivations
     • Money
     • Influence
     • Fame
     • Fun
  18. Knowing the enemy: Different proceedings
     • Automated attacks
     • Targeted attacks
  19. Demo
  20. Pitfalls
  22. TypoScript
  23. Pitfall: the GP:page_id request parameter is used unfiltered in andWhere
        page.10 = CONTENT
        page.10.table = tt_content
        page.10.where = colPos=0
        page.10.andWhere.data = GP:page_id
        page.10.andWhere.wrap = pid=|
  24. Fix: intval = 1 casts the parameter to an integer before it reaches the query
        page.10 = CONTENT
        page.10.table = tt_content
        page.10.where = colPos=0
        page.10.andWhere.data = GP:page_id
        page.10.andWhere.intval = 1
        page.10.andWhere.wrap = pid=|
  25. Pitfall: insertData = 1 also expands markers that are part of the field content, for example DB:be_users:1:password
        page.10 = TEXT
        page.10.field = title
        page.10.wrap = <h1 class="c-{field:layout}">|</h1>
        page.10.insertData = 1
  26. The same configuration as shown on the previous slide
        page.10 = TEXT
        page.10.field = title
        page.10.wrap = <h1 class="c-{field:layout}">|</h1>
        page.10.insertData = 1
  27. Fix: dataWrap only expands markers in the wrap template, not in the field content
        page.10 = TEXT
        page.10.field = title
        page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
  28. Fix: htmlSpecialChars = 1 escapes the field content for the HTML element context
        page.10 = TEXT
        page.10.field = title
        page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
        page.10.htmlSpecialChars = 1
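The two TypoScript pitfalls on slides 23 to 28 (an unfiltered GP:page_id in andWhere, and insertData expanding a marker that an editor typed into the title field) replayed in plain PHP, as an added example that is not from the slides or from TYPO3 itself. The marker resolver, FAKE_DB and the content row are constructed stand-ins for TYPO3's getData and database, so the script runs without a TYPO3 installation.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the record a {DB:table:uid:field} marker reads.
const FAKE_DB = [
    'be_users' => [1 => ['username' => 'admin', 'password' => '$P$constructed-hash']],
];

/** Resolve {field:name} and {DB:table:uid:field} markers the way getData would (simplified). */
function expandMarkers(string $text, array $row): string
{
    return preg_replace_callback('/\{([^}]+)\}/', function (array $m) use ($row): string {
        $parts = explode(':', $m[1], 2);
        if (count($parts) < 2) {
            return '';
        }
        [$type, $key] = $parts;
        if ($type === 'field') {
            return (string)($row[$key] ?? '');
        }
        if ($type === 'DB' && count($ref = explode(':', $key)) === 3) {
            [$table, $uid, $field] = $ref;
            return (string)(FAKE_DB[$table][(int)$uid][$field] ?? '');
        }
        return '';
    }, $text) ?? '';
}

// Slides 25/26: wrap first, then insertData expands markers in the whole string,
// including a marker that came from the editor-controlled title field.
function renderTitleInsertData(array $row): string
{
    $wrap = '<h1 class="c-{field:layout}">|</h1>';
    return expandMarkers(str_replace('|', $row['title'], $wrap), $row);
}

// Slides 27/28: dataWrap expands markers in the template only; the field value is
// inserted afterwards, escaped for the HTML element context (htmlSpecialChars = 1).
function renderTitleDataWrap(array $row): string
{
    $wrap = expandMarkers('<h1 class="c-{field:layout}">|</h1>', $row);
    $title = htmlspecialchars($row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('|', $title, $wrap);
}

// Slides 23/24: the pid condition built from GP:page_id, without and with intval = 1.
function andWhereRaw(string $pageId): string { return 'pid=' . $pageId; }
function andWhereIntval(string $pageId): string { return 'pid=' . (int)$pageId; }

$row = ['layout' => '1', 'title' => '{DB:be_users:1:password}'];   // constructed editor input
echo renderTitleInsertData($row), "\n";   // <h1 class="c-1">$P$constructed-hash</h1>  (leak)
echo renderTitleDataWrap($row), "\n";     // <h1 class="c-1">{DB:be_users:1:password}</h1>
echo andWhereRaw('1 OR 1=1'), ' / ', andWhereIntval('1 OR 1=1'), "\n";  // pid=1 OR 1=1 / pid=1
```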
  30. Security Problems
  31. XSS
  32. HTML Contexts
     • HTML element
     • HTML attribute value
     • JS value
     • URL parameter
  33. CSRF
  34. CSRF
        <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
  35. Avoid CSRF
     • Secret random token in the request
     • Save token in session
     • One-time token may have usability impacts
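The three points of slide 35 in PHP, as an added example that is not from the slides or from TYPO3's own CSRF handling: a random token kept in the session, embedded as a hidden field and compared in constant time, with an optional one-time mode that shows the usability cost the slide mentions. The $session array is an assumed stand-in for $_SESSION so the functions can run from the command line.

```php
<?php
declare(strict_types=1);

/** Return the session's CSRF token, creating a random one on first use. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every form that changes state (such forms must be POST, not GET). */
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * Verify the submitted token against the session. With $oneTime = true the token is
 * consumed on success: replay is blocked, but a second form still open in another tab
 * will now fail, which is the usability impact slide 35 warns about.
 */
function csrfCheck(array &$session, array $post, bool $oneTime = false): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    $ok = hash_equals($expected, $given);   // constant-time comparison
    if ($ok && $oneTime) {
        unset($session['csrf_token']);
    }
    return $ok;
}

$session = [];                                    // constructed session
$formHtml = csrfHiddenField($session);            // rendered into the transfer form
// A request triggered from another site (like the <img> on slide 34) cannot read the
// token out of the victim's page, so it arrives without it and is rejected.
var_dump(csrfCheck($session, ['acct' => 'MARIA', 'amount' => '100000']));       // false
var_dump(csrfCheck($session, ['csrf_token' => $session['csrf_token']], true));  // true, token consumed
var_dump(csrfCheck($session, ['csrf_token' => $session['csrf_token'] ?? '']));  // false, no token left
```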
  36. SQLi
  37. File Handling
  38. Header Injection
  39. Code Injection
  40. Insecure Unserialize
  41. Extbase Security
  42. XSS
  43. Extbase XSS
     • Flash Messages
     • Context
  44. SQLi
  45. Mass Assignment
  46. Access Violation
  47. Best Practice
  48. Best Practice
     • Every request is an attack until the opposite is proven
     • User input is untrustworthy
     • User input needs to be validated, and encoded and escaped right before output
     • Encoding and escaping depend on the context
     • Separation of Concerns
  49. What is User Input?
     • $_REQUEST ($_GET, $_POST, $_COOKIE)
     • $_FILES
     • $_SERVER
     • Filenames
     • External services
     • Editors are users
  50. How to treat User Input
     • Validation
     • Filtering
     • Escaping
     • Encoding
  51. How to treat User Input (diagram): User Input → Validate / Filter (evil™? stop execution?) → Escaping / Encoding (context!) → Output
  52. How to treat User Input
     • Filter Input
     • Escape Output
  53. How to treat User Input
     • Filter Input
       • Check type
       • Check format
       • Check length
     • Escape Output
       • Context!
       • DB, HTML, JS
       • Directly before output
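"Escape output, directly before output, depending on the context" (slides 48 and 53) applied to the four HTML contexts of slide 32, as an added example that is not from the slides or from TYPO3/Fluid: one escaping function per context, and one rendering function that places the same value into all four. The function names and the sample title are assumptions for this example.

```php
<?php
declare(strict_types=1);

/** Text between tags: &, <, >, " and ' become entities. */
function escHtmlElement(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Attribute value; only safe when the attribute is enclosed in double quotes. */
function escHtmlAttribute(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A JS string literal whose <, >, &, ' and " are hex-escaped so it also survives inside <script>. */
function escJsValue(string $v): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    return json_encode($v, $flags) ?: '""';
}

/** A single query-string parameter value (RFC 3986 percent-encoding). */
function escUrlParam(string $v): string
{
    return rawurlencode($v);
}

/** The same untrusted title rendered into all four contexts, each escaped right before output. */
function renderTeaser(string $title): string
{
    return '<a href="/search?q=' . escUrlParam($title) . '"'
        . ' title="' . escHtmlAttribute($title) . '">'
        . escHtmlElement($title) . '</a>'
        . "\n" . '<script>var teaserTitle = ' . escJsValue($title) . ';</script>';
}

// Constructed input containing every character the contexts care about, without being a payload.
$title = 'Tom & Jerry\'s "special" <offer>';
echo renderTeaser($title), "\n";
// <a href="/search?q=Tom%20%26%20Jerry%27s%20%22special%22%20%3Coffer%3E"
//    title="Tom &amp; Jerry&#039;s &quot;special&quot; &lt;offer&gt;">Tom &amp; Jerry&#039;s &quot;special&quot; &lt;offer&gt;</a>
// <script>var teaserTitle = "Tom \u0026 Jerry\u0027s \u0022special\u0022 \u003Coffer\u003E";</script>
```

Using escHtmlElement for the JS value or the URL parameter would leave the quote and ampersand handling of those contexts undone, which is the mismatch slide 53 calls "Context!".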
  54. Separation of Concerns
     • Security issues are bugs
     • Clean code leads to fewer bugs
     • Test-driven development
     • Leave security to security code
  55. TYPO3 Security Team
  56. TYPO3 Security Team
     • Responsible disclosure policy
     • One communication channel (security@typo3.org)
     • Pre-announcements for critical issues only
     • You can support us with sober and precise communication and by reading the security bulletins carefully
  57. TYPO3 Security Team: CVSS2 Score
     • It is a calculation that helps you identify the severity of a security issue
     • The result is four different scores
       • Base Score
       • Temporal Score
       • Environmental Score
       • Overall Score
  62. Questions?
  63. Thank you! @helhum helmut.hummel@typo3.org