T3DD10 Security Workshop
by Helmut Hummel on Jul 03, 2010
Slides of the T3DD10 Security Workshop
=> If a hacker has to invest much more than he or she gets back, he or she won't attack
=> Your system is secure
An application must constantly be improved
=> As hackers and hacker tools evolve, so must the security concepts
User data: GET, POST, COOKIE, DB?
Escaping is all about context
Defense in depth: as many defense lines as reasonable (example: an electronic health record)
TYPO3: no private data stored in the DB or on disk, not even images
authentication through a 64-bit hash calculated from the password
all data comes from an external DB where everything is encrypted (decrypted with that hash)
Obscurity: e.g. alternate telnet port; hide source
Injecting Down:
< img src="javascript:alert(document.cookie)" />
"You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
Twitter attack
Escaping is not easy because of the different contexts of HTML
http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
Places where escaping cannot make untrusted data safe:
directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
in an attribute name
<...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
Contexts: HTML element, HTML attribute value, JS variable value, URL parameter
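The four contexts listed above, with the "escaping is all about context" point from the defense-in-depth notes, as an added Node.js example (not code from the workshop or from TYPO3): one encoder per output context, plus the scheme allowlist that the javascript: URL case needs. The helper names are my own.

```javascript
// Added example in Node.js, not workshop or TYPO3 code: one encoder per
// output context. HTML-escaping alone is wrong for JS strings and URLs.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JS string literal context: hex-escape everything but [A-Za-z0-9], so
// neither a quote nor "</script>" can end the string or the script.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL parameter context: percent-encode the value; the caller still
// HTML-escapes the finished URL because it lands in an attribute.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Whole-URL context (href/src): no encoding makes "javascript:..." safe,
// only a scheme allowlist does. Protocol-relative "//host" is rejected.
function safeHref(url) {
  const u = String(url).trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(u) ? escapeHtml(u) : "#";
}

// The same untrusted values placed into each context with its encoder.
function render(name, link) {
  return [
    `<p>Hello ${escapeHtml(name)}</p>`,
    `<input value="${escapeHtml(name)}">`,
    `<script>var name = "${escapeJsString(name)}";</script>`,
    `<a href="/search?q=${escapeHtml(escapeUrlParam(name))}">search</a>`,
    `<a href="${safeHref(link)}">profile</a>`,
  ].join("\n");
}
```

Calling render("</script>", "javascript:alert(document.cookie)") shows the script context closed safely and the link reduced to "#", which a single HTML-escape pass would not achieve.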
SELECT title, description, body FROM items WHERE ID = 2 and 1=1
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
Defense in depth (saltedpw, i.e. salted password hashes)
http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281
* use the TYPO3 API for that
* fullQuoteStr(): the quotes ('') are necessary
Double Submit Cookies
* send the session id both as a cookie and as a form value
Downsides: session hijacking; HttpOnly for the cookie is no longer possible (the script has to read it)
Challenge-Response:
* CAPTCHA
* Re-Authentication (password), confirmation? alert() via JavaScript, clickable?
* One-time Token
Synchronizer Token Pattern
* Generate one or more random tokens for a session (per session or per request)
* randomize the token variable name (per-request downside: browser back button)
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Session Fixation
Information Disclosure
Path Traversal (Files)
Remote Code Execution