Speaker notes

  • What is Security? (slide 5): Application security, not personal nor governmental security.
  • Criteria for Security (slide 6): Privacy: browser history. Integrity: bank. Availability: health monitoring.
  • Characteristics of Security (slide 11): Weigh the resources invested in security against the potential loss when hacked. If an attacker has to invest much more than he or she gets back, he or she won't attack, and your system is secure. An application must constantly be improved: as attackers and their tools evolve, so must the security concepts.
  • Guidelines (slides 17-24): Give out the least information possible (wizard.dat); hide files from the webroot; DB users; the Apache user. User data: GET, POST, COOKIE, and the DB? Escaping is all about context. Defense in depth: as many lines of defense as reasonable (health-record example: TYPO3 with no private data stored in the DB or on disk, not even images; authentication through a 64-bit hash calculated from the password; all data come from an external DB where everything is encrypted and is decrypted with that hash). Obscurity: e.g. an alternate telnet port, hiding the source.
  • XSS (slides 25-31): Injecting up: "> </script>. Injecting down: <img src="...UNTRUSTED DATA HERE..." /> becomes <img src="javascript:alert(document.cookie)" />. "You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
  • Preventing XSS (slides 32-35): Input validation: what about "a>b" or "Me & you"? Twitter attack. Escaping is not easy because of the different contexts of HTML. http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/ Places where untrusted data can never be put safely: <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script; <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment; <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name; <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name. Contexts: HTML element, HTML attribute value, JS variable value, URL parameter.
  • SQLi (slides 38-39): Blind injection, comparing the responses to
        SELECT title, description, body FROM items WHERE ID = 2 and 1=2
        SELECT title, description, body FROM items WHERE ID = 2 and 1=1
    Timing attack:
        1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
    Defense in depth: salted passwords (saltedpw). Demo URL:
        http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281
  • Prevent SQLi (slides 40-44): Escaping: use the TYPO3 API for that. fullQuoteStr(): the surrounding quotes '' are necessary.
  • Prevent CSRF (slide 47): POST can be forged, the referrer can be spoofed. Double submit cookies: send the session ID as a cookie and as a form value; downsides: session hijacking, HttpOnly cookies are no longer possible. Challenge-response: CAPTCHA; re-authentication (password); confirmation (is an alert() via JavaScript clickable?); one-time token. Synchronizer token pattern: generate one or more random tokens for a session (per session or per request); randomize the token variable name (per-request downside: the browser back button). http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  • More application vulnerabilities (slides 48-49): Privilege escalation, session fixation, information disclosure, path traversal (files), remote code execution.

Slides

1. T3DD11 Security: Security flaws versus security concepts. How to code with security in mind. 07.07.2011, Helmut Hummel <helmut.hummel@typo3.org>
2. Introduction / About me: Involved in the TYPO3 project since 2005. Member of the TYPO3 Security Team since 2008, TYPO3 Security Team Leader since 2009, TYPO3 Core Team member since 2011. Employed at naw.info in Hannover, Germany. Twitter: helhum. Blog: http://www.naw.info/blogs/typo3security/
3. Introduction / About you: Working development environment (IDE / Firefox)? Know what XSS, SQLi or CSRF is? Found a vulnerability in TYPO3 or an extension? Reported your findings to security@typo3.org? Did a security code review?
4. Security Flaws versus Security Concepts / Agenda: What is Security? Security Guidelines. Hacking / code review session. Getting into details about some vulnerability types.
5. What is Security?
6. What is Security? / Criteria for Security: Privacy, Integrity, Availability
7. Why care?
8. The World is bad™
9. How can we achieve
10. It depends!
11. What is Security? / Characteristics of Security: Security depends on your needs. Security must constantly be adapted or improved. There is no absolute security. Security is an investment.
12. Security Guidelines
13. (no text)
14. SQL Injection
    <?php
    $searchWhere = "students.student_name LIKE '" . $_GET['student_name'] . "'";
    ?>
15. Fixed
    <?php
    $studentName = mysql_real_escape_string($_GET['student_name'], $link);
    $searchWhere = "students.student_name LIKE '" . $studentName . "'";
    ?>
16. Even better
    <?php
    $studentName = mysql_real_escape_string($_GET['student_name'], $link);
    $studentName = addcslashes($studentName, '_%');
    $searchWhere = "students.student_name LIKE '" . $studentName . "'";
    ?>
17-24. Security Guidelines / Guidelines (built up one bullet per slide):
    Don't trust user data, don't trust services
    Filter / Validate / Escape / Encode
    Defense in depth
    Minimize exposure / Least privilege
    Positive security model (whitelist)
    Avoid security by obscurity
    Use logging
25. Cross Site Scripting (XSS)
26-31. Cross Site Scripting / XSS (built up one bullet per slide):
    Persistent / non-persistent XSS
    Injecting up: break out of the current DOM context
    Injecting down: stay in the current context, but use its possibilities, e.g. <img src="javascript:alert(document.cookie)" />
32-35. Cross Site Scripting / Preventing XSS (built up one bullet per slide):
    Input validation and/or filtering is not enough
    Escape correctly, depending on the context
    <script>...NEVER PUT UNTRUSTED DATA HERE...</script>
    <img src="... OR HERE ..." />
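What "escape correctly, depending on the context" looks like in code, as an added example (not code from the slides or from TYPO3): one escaper per output context, run against the attack strings the XSS slides and notes use. The function names (escHtml, escJs, escUrlParam, safeUrlAttr, renderProfile) and the payloads are this example's own; it assumes PHP 7.3 or newer for JSON_THROW_ON_ERROR.

```php
<?php
// Added example for slides 26-35 (not code from the slides or from TYPO3): one escaper
// per output context, exercised with the attack strings the slides use. The function
// names are this example's own; the PHP functions behind them are standard.
declare(strict_types=1);

// Context 1: HTML element content and quoted attribute values.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: a value handed to JavaScript. Emitting it as a JSON literal with the
// HEX flags turns < > & ' " into \uXXXX escapes, so "</script>" cannot close the block.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Context 3: one query-string parameter value.
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Context 4: a complete URL in src/href. This is the "injecting down" case: the
// payload never leaves the attribute, so escaping cannot help and the scheme has to
// be whitelisted. Absolute http(s) URLs and site-relative paths pass; javascript:,
// data:, vbscript: and protocol-relative //host collapse to '#'.
function safeUrlAttr(string $url): string
{
    $url = trim($url);
    $ok  = preg_match('~^(https?://|/(?!/))~i', $url) === 1;
    return escHtml($ok ? $url : '#');
}

function renderProfile(string $name, string $avatar, string $quote): string
{
    return '<p>Hello ' . escHtml($name) . '</p>' . "\n"
         . '<img src="' . safeUrlAttr($avatar) . '" alt="' . escHtml($name) . '">' . "\n"
         . '<a href="/search?q=' . escUrlParam($quote) . '">search</a>' . "\n"
         . '<script>var quote = ' . escJs($quote) . ';</script>';
}

// Constructed payloads: "injecting up" (break out of the attribute / element),
// "injecting down" (valid attribute value with a hostile scheme), script-block break.
echo renderProfile(
    '"><script>alert(1)</script>',
    'javascript:alert(document.cookie)',
    '</script><script>alert(2)</script>'
), "\n";
```

Run it with `php xss_contexts.php` and compare the four outputs: the name comes out as inert entities, the avatar URL is replaced by `#` (no amount of escaping would have helped there), the search parameter is percent-encoded, and the script literal carries `\u003C\/script\u003E` instead of a closing tag. Note what is absent: no strip_tags and no blacklist on the way in, which is the point of slide 33.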
36. Email Header Injection
37. Email Header Injection: PHP mail() function and the From: header. Use filter_var($mail, FILTER_VALIDATE_EMAIL); do not allow chr(10) or chr(13).
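The slide's two rules turned into a guard, as an added example that is not code from the slides: a CR/LF check that applies to every user-controlled header value, plus FILTER_VALIDATE_EMAIL for the address itself. The function names and the sample addresses are this example's own.

```php
<?php
// Added example for slide 37 (not code from the slides): the From: header check for
// mail(), generalised to every user-controlled header value. Function names and the
// sample addresses are this example's own.
declare(strict_types=1);

// Any header value: a CR or LF would start a new header line (or, after an empty
// line, the message body), which is exactly what the injection needs. Refuse it
// outright instead of stripping, so the caller learns that something hostile arrived.
function headerValue(string $raw): ?string
{
    return preg_match('/[\r\n]/', $raw) === 1 ? null : trim($raw);
}

// An address header (From:, Reply-To:): CR/LF check first, then syntactic validation.
// FILTER_VALIDATE_EMAIL accepts exactly one bare mailbox, so "a@x, b@x" and
// "Name <a@x>" are rejected as well.
function fromAddress(string $raw): ?string
{
    $value = headerValue($raw);
    if ($value === null) {
        return null;
    }
    $address = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $address === false ? null : $address;
}

// Builds the additional_headers argument for mail(); throws instead of sending
// anything when a value is unusable. Use headerValue() alone for Subject or names.
function buildHeaders(string $rawFrom, string $rawReplyTo): string
{
    $from    = fromAddress($rawFrom);
    $replyTo = fromAddress($rawReplyTo);
    if ($from === null || $replyTo === null) {
        throw new InvalidArgumentException('refusing to build mail headers from tainted input');
    }
    return "From: {$from}\r\nReply-To: {$replyTo}\r\nContent-Type: text/plain; charset=UTF-8";
}

// Constructed inputs; the second and third are header-injection attempts.
$cases = [
    'alice@example.org',
    "alice@example.org\r\nBcc: everyone@example.net",
    "alice@example.org\n\nThis line would become the message body",
    'alice@example.org, bob@example.org',
    'Alice <alice@example.org>',
];
foreach ($cases as $case) {
    printf("%-64s => %s\n", json_encode($case), fromAddress($case) ?? 'REJECTED');
}
```

The explicit CR/LF check is deliberately redundant with filter_var for the address (defense in depth, slide 20); it is the only line protecting values such as a Subject or a display name, for which PHP offers no validation filter. Remember that PHP has already decoded %0D%0A by the time a value reaches $_GET or $_POST, so the raw newline form above is what an application actually sees.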
38. SQL Injection (SQLi)
39. SQL Injection / SQLi: (blind) SQL injections; timing attacks; UNION SELECT. Example:
    union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1)
    Check your TypoScript!
40-44. SQL Injection / Prevent SQLi (built up one bullet per slide):
    Prepared statements / PDO
    Escaping
    Typecasting (intval), whitelist validation
    Using an ORM (extbase, FLOW3, QCodo, ...)
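The LIKE search from slides 14-16 rebuilt on the first and third bullets of slides 40-44, as an added example (not code from the slides or from TYPO3; the notes' fullQuoteStr() belongs to the TYPO3 API, which is not used here so the script runs stand-alone). It assumes PHP 7.1 or newer with the pdo_sqlite extension; the table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example for slides 14-16 and 40-44 (not code from the slides or from TYPO3):
// the LIKE search rebuilt on PDO prepared statements, against an in-memory SQLite
// table with constructed rows so it runs offline. Function names are this example's own.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (uid INTEGER PRIMARY KEY, student_name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO students (student_name) VALUES (?)');
foreach (['Anna Müller', 'Ben_Fischer', '100% Bob'] as $name) {   // constructed sample rows
    $insert->execute([$name]);
}

// Slide 14, kept deliberately vulnerable: the raw value is concatenated into the SQL,
// so a payload such as ' OR '1'='1 makes the WHERE clause true for every row.
function searchVulnerable(PDO $pdo, string $studentName): array
{
    $sql = "SELECT student_name FROM students WHERE student_name LIKE '%" . $studentName . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Slide 16's addcslashes step, done by hand: the LIKE wildcards % and _ are not an
// injection, but an unescaped "%" turns a name search into "match everything".
function escapeLike(string $value, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Slide 41: prepared statement. The value travels as a parameter, never as SQL text,
// so quotes and keywords in it are inert; only the wildcards still need escapeLike().
function searchPrepared(PDO $pdo, string $studentName): array
{
    $stmt = $pdo->prepare(
        "SELECT student_name FROM students WHERE student_name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($studentName) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Slide 43: numeric identifiers are type-cast, which leaves nothing to escape.
function loadById(PDO $pdo, string $rawUid): ?string
{
    $uid  = (int) $rawUid;                                   // "1 OR 1=1" becomes 1
    $stmt = $pdo->prepare('SELECT student_name FROM students WHERE uid = ?');
    $stmt->execute([$uid]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$payload = "' OR '1'='1";
printf("vulnerable: %d rows\n", count(searchVulnerable($pdo, $payload)));
printf("prepared:   %d rows\n", count(searchPrepared($pdo, $payload)));
printf("wildcard:   %s\n", implode(', ', searchPrepared($pdo, '%')));   // literal percent sign
printf("by id:      %s\n", loadById($pdo, '1 OR 1=1') ?? 'none');
```

Running it shows the vulnerable search returning the whole table for the payload while the prepared one returns nothing, and the bare `%` search finding only the row that contains a percent sign. Two caveats for anyone still holding the 2011 slides: mysql_real_escape_string() and the rest of the mysql extension were removed in PHP 7, so slides 15-16 no longer run at all, and escaping without the surrounding quotes (the notes' point about fullQuoteStr()) protects nothing, which is one more reason to let the driver bind the value.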
45. Cross Site Request Forgery
46. Cross Site Request Forgery / CSRF: Executing arbitrary actions on behalf of a victim:
    <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
    Stored CSRF (like XSS); targeted emails; probably requires some kind of social engineering.
47. Cross Site Request Forgery / Prevent CSRF: Limiting to POST is not enough. Double submit cookies. Synchronizer token pattern. Avoid cross-site scripting (XSS) vulnerabilities.
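The Synchronizer Token Pattern from slide 47 with a per-session token, as an added example that is not code from the slides or from TYPO3. $_SESSION is replaced by a plain array so the script runs from the command line; the function names and the transfer form are this example's own, and it assumes PHP 7 or newer for random_bytes().

```php
<?php
// Added example for slide 47 (not code from the slides or from TYPO3): the
// Synchronizer Token Pattern with one token per session. $_SESSION is stood in
// for by an array so this runs on the CLI; function names are this example's own.
declare(strict_types=1);

const CSRF_TOKEN_BYTES = 32;

// Issue (or reuse) the session's token; embed it in every state-changing form.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $session['csrf_token'];
}

// Verify the submitted token; hash_equals() keeps the comparison constant-time.
function csrfCheck(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

function renderTransferForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer.do">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="acct"><input name="amount"><button>Send</button></form>';
}

// Request handler: the token check runs before any side effect.
function handleTransfer(array $session, array $post): string
{
    if (!csrfCheck($session, $post['csrf_token'] ?? null)) {
        return 'HTTP 403: missing or invalid CSRF token';
    }
    return sprintf('transferred %s to %s', $post['amount'], $post['acct']);
}

$session = [];                                   // stands in for $_SESSION
echo renderTransferForm($session), "\n";

// A legitimate submission carries the token from the form. The forged request from
// slide 46 (an <img> or an auto-submitted cross-site form) cannot read the token
// because of the same-origin policy, so it arrives without one, or with a guess.
echo handleTransfer($session, ['csrf_token' => $session['csrf_token'], 'acct' => 'MARIA', 'amount' => '100']), "\n";
echo handleTransfer($session, ['acct' => 'MARIA', 'amount' => '100000']), "\n";
echo handleTransfer($session, ['csrf_token' => str_repeat('0', 64), 'acct' => 'MARIA', 'amount' => '100000']), "\n";
```

Per-request tokens (the notes' variant) are a drop-in change: store a list instead of one value and remove a token once it has been used, accepting the back-button problem the notes mention. The last bullet of slide 47 is the precondition for all of this: an XSS hole on the same origin can read the hidden field, which is why the token never goes into a cookie that scripts can reach.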
48. Application Vulnerabilities / More
49. Application Vulnerabilities / More: Information disclosure, HTTP response splitting, path traversal, privilege escalation, session fixation, LDAP injection, remote code execution
50. T3DD11 Security Workshop / Resources: PHP-Sicherheit (Christopher Kunz and Stefan Esser); Essential PHP Security (Chris Shiflett); http://www.owasp.org/; http://typo3.org/teams/security/resources/; http://www.naw.info/blogs/typo3security/
51. Thank you!
52. inspiring people to share.