H4CK1N6 - Web Application Security

1. H4CK1N6 Web Application Security in TYPO3 September 17th, 2016

2. ~whois oliver.hader • is living in Hof, Bavaria, Germany • is freelance software engineer • is TYPO3 core developer since 2007 • is member of the TYPO3 security team • is studying at University of Applied Sciences Hof • is currently working on event-sourcing for TYPO3 • loves cross-country mountain biking

3. ~overviewing ~deep-analyzing  ~evil-hacking ~considering

4. What we’re dealing with… • A1: Injection - SQLi, CMDi - tricking interpreters • A2: Authentication - permissions of ”somebody” • A3: XSS - unintended, but executable information

5. You’ve been H4CK3D

6. Let’s assume… • you have been hacked & and you know that • no information about severity… yet • is information or content modiﬁed? • is the attack continuing or repeating? • is password or private data stolen? • you have to handle & clean up the hack • What to do? In which order?

7. Strategy #1 • just overwrite from backup • update system & extensions • clear cache & that’s it • BUT • What was the entry point? • What did exactly happen? • Will it happen again?

8. Strategy #2 • take web-server offline & redirect to static page • analyze what happened & find first entry-point • understand the attack & secure the whole system • apply clean backups - compromised or clean? • BUT • Your customer will hate you! … and love you! • … what? Going the secure way sounds better!

9. Strategy #2 • search for anomalies in logs and ﬁle-system • mass-requests to different URLs from same IP • HTTP POST requests with large (download) size • script ﬁles (PHP, Perl, CGI) in e.g. image folders • search for actions during non-business hours • back-end login at 03:00 in the morning • content changes at midnight

10. Analysis • find modified files find –mtime –1 find –mmin –30 • determine modification time - time of attack? stat some-‐file.php • find accordant log entries • in web-server logs • in TYPO3 application logs

11. Results so far… • exact time 2016-09-14T14:54:59+0200 • extension saltedpassword created - how? • PHP script Resources/Public/test.php • called multiple times & with HTTP POST method • might be a web shell eval(gzinflate(base64_decode('S03Oy   FdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))

14. ! !

16. Results so far… • admin user somebody logged in & logged out • extension saltedpassword installed during session • further PHP warnings & errors found in log • a bunch of MySQL warnings found • might be result of SQL injection

17. H4CK1N6 process

18. tx_listing_listing[itemId]=1

19. tx_listing_listing[itemId]=1+AND+1=0

20. tx_listing_listing[itemId]=1+OR+1=1

21. ~/typo3conf/ext/listing/ext_tables.sql 11 columns

22. What the ”hacker” did… • found website at http://7.6.local.typo3.org/ • found plugin that accepts parameters via HTTP index.php?id=37  &tx_listing_listing[itemId]=1  &tx_listing_listing[action]=show  &tx_listing_listing[controller]=Item • basically it was some penetration testing tool

23. Kali Linux • hacker’s toolbox • network & wireless snifﬁng tools • exploitation tools & distributed execution • like Metasploit & Armitage • web application hacking tools • like SqlMap & BeEF XSS

24. SqlMap & Collecting Data

27. BeEF XSS & client hijacking

28. Development & Security

29. A pessimistic approach… • every request is a potential attack • submitted data are not trustworthy • as long as the opposite is proven • validate & ﬁlter everything on server-side  (even if browser ”did” that already) • encode, escape or cast for target context  (HTML, database, ﬁle-system, system call, mail, …)

30. More optimistic approach… • no necessity for fatal failures & exceptions • provide understandable messages to user • warn, if something unexpected happened • notify & emit confirmation dialogs • put anomalies to dedicated log-files • implement alternative notifications • e.g. mail to user if username was used for login

31. Considerations

32. Mitigation strategies • network-based intrusion detection - e.g. Snort • analyses network-connections and anomalies • host-based intrusion detection - e.g. Samhain • file integrity checks & log file monitoring • web application firewall - e.g. mod_security • individual filter rules for HTTP requests • capable of denying SQL or XSS attacks

33. Information Disclosure • everything that is not required by the application • debug output & fragments - use a debugger • outdated source-code - use Git for this • carefully select failure messages • ”username was not found on system” versus • ”username and password are not correct” • hide conﬁguration via server-rules - .htaccess

34. Session Management • always use secure channels (HTTPS) • enforce HTTP-only & secure cookies • avoid custom $_SESSION & $_COOKIE games • select reasonable session time-out values • use CSRF tokens for actions & forms

35. Authentication Management • lock users with old MD5 passwords • limit amount of admin users • limit permissions per user • enforce strong & different passwords • apply debrieﬁng strategy (employee quit job) • use backend login notiﬁcation feature of TYPO3 • separation of developer, integrator, admin, editor

36. Framework & Complexity • understand what the framework is doing • which security precautions are available • which are not & how to close that gap • keep track of important/breaking changes • this might take some time, sure • but hackers will do that as well • apply security updates as soon possible

37. Laziness & Copy-Paste • using ”Page PHP Content Element“ • allows (good) backend editors to write code • … to write untested, insecure & executable code • allowing TypoScript for everybody • allows (good) backend editors to write code • … to write even more insecure code • … since TypoScript is a facade to real PHP calls

38. • cast or escape insecure variables (int)$item • use the provided API calls as much as possible • understand what the framework is really doing

39. • cast or escape insecure variables (int)$item • use the provided API calls as much as possible • understand what the framework is really doing

40. • ﬁlter or encode insecure variables • really remove debug code or <f:comment> • understand what the framework is really doing

41. There is more…

42. Further topics… • on cross-site-scripting & cross-site-tracing • CORS - cross-origin resource sharing • HSTS - HTTP strict transport security • CSP - HTTP content security policy • httpoxy - attacks via HTTP Proxy headers • ImageTragick - attacks via crafted images • TYPO3 Security Guide - aspects in more detail

43. Questions?

44. Sources • OWASP & Top 10 2013 • https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 • https://www.owasp.org/index.php/Top_10_2013-Top_10 • Triad of Confidentially, Integrity & Availability • http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA • http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm • System Commands & Kali Linux • http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/ • https://www.kali.org/ • https://github.com/sqlmapproject/sqlmap/wiki/Usage • https://github.com/beefproject/beef/wiki • Mitigation Strategies & • https://www.snort.org/ • http://la-samhna.de/samhain/ • https://www.modsecurity.org/

45. Sources • Considerations • https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess ﬁle) • https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/ ContentObjectRenderer.php (example, TypoScript to PHP facade) • Examples - not recommended unless you really know what you’re doing • https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only) • https://typo3.org/extensions/repository/view/typoscript_code (example only) • Further topics • https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security • https://developer.mozilla.org/de/docs/Web/Security/CSP • https://imagetragick.com/ • https://httpoxy.org/ • https://docs.typo3.org/typo3cms/SecurityGuide/Index.html

46. Screencasts • SqlMap • https://www.youtube.com/watch?v=VIGVlmaKqxY • BeEF XSS • https://www.youtube.com/watch?v=WBDWWv5zdUQ

47. Thank you! ohader  @ohader  Oliver_Hader follow mehttps://h4ck3r31.net

H4CK1N6 - Web Application Security

Oliver Hader

H4CK1N6 - Web Application Security