T3DD11 Security Workshop
 

Speaker notes

  • Application Security, not personal nor governmental
  • Privacy: Browser History
    Integrity: Bank
    Availability: Health monitoring
  • Invest in resources taken for security / potential loss when hacked
    => If a hacker has to invest much more than he or she gets back, he or she won't attack
    => Your system is secure
    An application must constantly be improved
    => As hackers and hacker tools evolve, so the security concepts have to
  • Give the least information possible (wizard.dat), hide files from the webroot, DB users, Apache user
    User data: GET, POST, COOKIE, DB?
    Escaping is all about context
    Defense in depth: as many defense lines as reasonable (health record example)
    TYPO3, no private data stored in DB or on HD, not even images
    Authentication through a 64-bit hash calculated from the password
    All data from an external DB where everything is encrypted (decrypted with the hash)
    Obscurity: e.g. alternate telnet port; hide source
  • Injecting Up: ">
    Injecting Down:
    <img src="javascript:alert(document.cookie)" />
    "You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
  • Input Validation: "a>b" or "Me & you"
    Twitter attack
    Escaping is not easy because of the different contexts of HTML
    http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
    Places where untrusted data must never go:
    directly in a script
    <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
    in an attribute name
    in a tag name
    Contexts: HTML element, HTML attribute value, JS variable value, URL parameter
  • SELECT title, description, body FROM items WHERE ID = 2 and 1=2
    SELECT title, description, body FROM items WHERE ID = 2 and 1=1
    1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
    Defense in depth (salted pw)
    http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281
  • Escaping:
    * use the TYPO3 API for that
    * fullQuoteStr(): the '' are necessary
  • POST can be forged, referrer can be spoofed
    Double Submit Cookies
    * sending the session id as cookie and as form value
    Downsides: session hijacking; httponly for cookies is no longer possible
    Challenge-Response:
    * CAPTCHA
    * Re-Authentication (password), confirmation? alert() via JavaScript, clickable?
    * One-time Token
    Synchronizer Token Pattern
    * Generate one or more random tokens for a session (per session or per request)
    * randomize the token variable name (per-request downside: browser back button)
    http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  • Privilege Escalation
    Session Fixation
    Information Disclosure
    Path Traversal (Files)
    Remote Code Execution

T3DD11 Security Workshop: Presentation Transcript

  • T3DD11 Security: Security flaws versus Security concepts. How to code with Security in mind. 07.07.2011, Helmut Hummel <helmut.hummel@typo3.org>
  • Introduction, About me: Involved in the TYPO3 project since 2005; Member of the TYPO3 Security Team since 2008; TYPO3 Security Team Leader since 2009; TYPO3 Core Team Member since 2011; Employed at naw.info in Hannover, Germany; Twitter: helhum; Blog: http://www.naw.info/blogs/typo3security/ (slide footer: Inspiring people to share)
  • Introduction, About you: Working development environment (IDE / Firefox)? Know what XSS, SQLi or CSRF is? Found a vulnerability in TYPO3 or an extension? Reported your findings to security@typo3.org? Did a security code review?
  • Security Flaws versus Security Concepts, Agenda: What is Security? Security Guidelines. Hacking / Code Review Session. Getting into details about some vulnerability types.
  • What is Security?
  • What is Security? Criteria for Security: Privacy, Integrity, Availability
  • Why care?
  • The World is bad™
  • How can we achieve
  • It depends!
  • What is Security? Characteristics of Security: Security depends on your needs. Security must constantly be adapted or improved. There is no absolute Security. Security is an investment.
  • Security Guidelines
  • SQL Injection (the slide's deliberately vulnerable example: user input is concatenated straight into the WHERE clause):

```php
<?php
$searchWhere = "students.student_name LIKE " . $_GET['student_name'];
?>
```

  • Fixed (the slide's first fix: escape quotes and backslashes for the MySQL connection $link, then quote the value; mysql_real_escape_string() belongs to the old mysql extension that was removed in PHP 7, so use prepared statements with PDO or mysqli today):

```php
<?php
$studentName = mysql_real_escape_string($_GET['student_name'], $link);
$searchWhere = "students.student_name LIKE '" . $studentName . "'";
?>
```

  • Even better (the LIKE wildcards _ and % are not touched by SQL escaping, so they are escaped separately):

```php
<?php
$studentName = mysql_real_escape_string($_GET['student_name'], $link);
$studentName = addcslashes($studentName, '_%');
$searchWhere = "students.student_name LIKE '" . $studentName . "'";
?>
```
  • Security Guidelines, Guidelines:
    Don't trust user data, don't trust Services
    Filter / Validate / Escape / Encode
    Defense in depth
    Minimize Exposure / Least privilege
    Positive Security Model (Whitelist)
    Avoid security by obscurity
    Use logging
  • Cross Site Scripting (XSS)
  • Cross Site Scripting, XSS:
    Persistent / non-persistent XSS
    Injecting Up / Break out of the current DOM context
    Injecting Down / Stay in the current context, but use the possibilities: <img src="javascript:alert(document.cookie)" />
  • Cross Site Scripting, Preventing XSS:
    Input validation and/or filtering is not enough
    Escape correctly, depending on the context
    <script>...NEVER PUT UNTRUSTED DATA HERE...</script>
    <img src="... OR HERE ..." />
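The context-specific escaping that these slides and the speaker notes (contexts: HTML element, HTML attribute value, JS variable value, URL parameter) call for, as an added example that is not part of the workshop material. The input strings are constructed, and the safeUrl() whitelist check for the "injecting down" case is my own addition, since an attribute such as src= cannot be made safe by escaping alone.

```php
<?php
// Added example (not from the workshop slides): one escaping function per output
// context. Escaping happens at output time; the input "a>b" or "Me & you" from
// the notes stays intact for the reader instead of being rejected or mangled.

// HTML element content and attribute values: ENT_QUOTES encodes both " and ',
// so the value cannot close the attribute and "inject up" into the DOM.
function escapeHtml($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string/variable value inside <script>: json_encode with the HEX flags
// also encodes <, >, &, ' and ", so "</script>" cannot close the script element.
function escapeJs($s) {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return (string) json_encode((string) $s, $flags);
}

// URL query parameter value: percent-encode every reserved character.
function escapeUrlParam($s) {
    return rawurlencode((string) $s);
}

// "Injecting down": an attribute like src= stays in context but carries a
// dangerous scheme. Escaping does not help; the value is validated against a
// whitelist of schemes instead (assumption: only absolute http/https URLs allowed).
function safeUrl($url) {
    $scheme = parse_url((string) $url, PHP_URL_SCHEME);
    $allowed = ['http', 'https'];
    return in_array(strtolower((string) $scheme), $allowed, true) ? $url : null;
}

// Constructed test input: the "injecting up" payload from the speaker notes.
$untrusted = '"><img src="javascript:alert(document.cookie)" />';

echo '<p>' . escapeHtml($untrusted) . "</p>\n";                  // element content
echo '<input value="' . escapeHtml($untrusted) . "\">\n";        // attribute value
echo '<script>var q = ' . escapeJs($untrusted) . ";</script>\n"; // JS variable value
echo '<a href="?q=' . escapeUrlParam($untrusted) . "\">\n";      // URL parameter

// The same src value from the slides, once rejected and once accepted.
var_dump(safeUrl('javascript:alert(document.cookie)'));
var_dump(safeUrl('https://typo3.org/'));

// Legitimate input from the notes survives escaping unchanged in meaning.
echo escapeHtml('a>b'), ' ', escapeHtml('Me & you'), "\n";
```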
  • Email Header Injection
  • Email Header Injection, Email Header Injection: PHP mail() function and From: header. Use filter_var($mail, FILTER_VALIDATE_EMAIL); do not allow chr(10) or chr(13).
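The two checks this slide recommends, applied to a user-supplied From: address before it would reach mail(), as an added example that is not from the workshop. buildFromHeader() is my own helper name; the input addresses are constructed and mail() itself is not called.

```php
<?php
// Added example (not from the slides): validate a From: address for PHP mail().
// Returns the finished header line, or null when the value must be rejected.
function buildFromHeader($address) {
    $address = (string) $address;
    // chr(10) / chr(13) are rejected outright: a line break inside the value
    // would let the sender append further headers (Bcc:, Cc:, ...).
    if (strpbrk($address, "\r\n") !== false) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts only a single well-formed address and
    // returns it; anything else yields false.
    $valid = filter_var($address, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        return null;
    }
    return 'From: ' . $valid;
}

// Constructed inputs: a normal address, one carrying an injected Bcc: header,
// and one that is simply not an address.
$inputs = [
    'alice@example.org',
    "alice@example.org\r\nBcc: everyone@example.net",
    'alice@example.org, bob@example.org',
];
foreach ($inputs as $input) {
    var_dump(buildFromHeader($input));
}
```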
  • SQL Injection (SQLi)
  • SQL Injection, SQLi:
    (blind) SQL Injections
    Timing attacks
    UNION SELECT. Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1)
    Check your TypoScript!
  • SQL Injection, Prevent SQLi:
    Prepared Statements / PDO
    Escaping
    Typecasting (intval), whitelist validation
    Using an ORM (extbase, FLOW3, QCodo, ...)
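The students.student_name LIKE search from the earlier slides rebuilt on the measures listed here (prepared statements via PDO, separate LIKE-wildcard escaping, intval typecasting), as an added example that is not from the workshop. It assumes the pdo_sqlite extension so the sample table can live in memory; findStudents() and findStudentById() are my own helper names and the rows are constructed.

```php
<?php
// Added example (not from the slides): prepared statements instead of string
// concatenation. Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, student_name TEXT)');
foreach (['Anna', 'Anna_Lena', 'Bob'] as $name) {
    $db->prepare('INSERT INTO students (student_name) VALUES (?)')->execute([$name]);
}

// Prefix search. The value travels as a bound parameter, so no quoting and no
// mysql_real_escape_string() is needed; but LIKE wildcards are still data, so
// they are escaped (the slide's addcslashes step, extended to the backslash)
// and the escape character is declared in the query.
function findStudents(PDO $db, $userInput) {
    $pattern = addcslashes((string) $userInput, '\\_%') . '%';
    $stmt = $db->prepare(
        "SELECT student_name FROM students WHERE student_name LIKE :p ESCAPE '\\'"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric ID: typecasting makes a value like "2 and 1=1" plain integer 2,
// and the bound placeholder keeps it out of the SQL text entirely.
function findStudentById(PDO $db, $id) {
    $stmt = $db->prepare('SELECT student_name FROM students WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

print_r(findStudents($db, 'Anna_'));        // "_" is escaped: literal underscore only
print_r(findStudents($db, "' OR 1=1 --"));  // the quote is data, not SQL
print_r(findStudents($db, '%'));            // "%" is escaped: no wildcard search
var_dump(findStudentById($db, '2 and 1=1'));
```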
  • Cross Site Request Forgery
  • Cross Site Request Forgery, CSRF: Executing arbitrary actions on behalf of a victim: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">. Stored CSRF (like XSS). Targeted Emails. Probably requires some kind of social engineering.
  • Cross Site Request Forgery, Prevent CSRF: Limiting to POST not enough. Double Submit Cookies. Synchronizer Token Pattern. Avoid Cross-Site Scripting (XSS) Vulnerabilities.
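The Synchronizer Token Pattern from this slide and the speaker notes (one random token per session, embedded in every state-changing form and verified before acting), as an added example that is not from the workshop. The $_SESSION array is stood in for by a plain array so the script runs from the command line; csrfToken(), csrfField() and csrfCheck() are my own helper names.

```php
<?php
// Added example (not from the slides): Synchronizer Token Pattern.
// $session replaces $_SESSION for a stand-alone run.
$session = [];

// One random token per session, created lazily and reused for all forms.
function csrfToken(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed the token in every state-changing form as a hidden field.
function csrfField(array &$session) {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify before acting: the token must exist in the session, be present in the
// request, and match in constant time. Checking the request method or the
// Referer alone is not enough, as the slide says (POST can be forged).
function csrfCheck(array &$session, array $post) {
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed requests: a genuine post from our own form, and a forged one
// that a third-party page could submit without knowing the token.
$form    = csrfField($session);
$genuine = ['amount' => '100', 'csrf_token' => $session['csrf_token']];
$forged  = ['amount' => '100000'];

echo $form, "\n";
var_dump(csrfCheck($session, $genuine));
var_dump(csrfCheck($session, $forged));
```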
  • Application Vulnerabilities, More: Information Disclosure. HTTP Response Splitting. Path Traversal. Privilege Escalation. Session Fixation. LDAP Injection. Remote Code Execution.
  • T3DD10 Security Workshop, Resources: PHP-Sicherheit (Christopher Kunz and Stefan Esser); Essential PHP Security (Chris Shiflett); http://www.owasp.org/; http://typo3.org/teams/security/resources/; http://www.naw.info/blogs/typo3security/
  • Thank you!