H4CK1N6 - Web Application Security
Published in: Internet

Talk at TYPO3 Conference 2016 in Bologna/Italy. Basic insights into hacking websites with SqlMap and BeEF XSS and considerations to prevent that. Screencasts of SQLi and XSS at https://www.youtube.com/watch?v=VIGVlmaKqxY & https://www.youtube.com/watch?v=WBDWWv5zdUQ

Slide transcript
Slide 1: H4CK1N6 - Web Application Security in TYPO3
September 17th, 2016

Slide 2: ~whois oliver.hader
• is living in Hof, Bavaria, Germany
• is freelance software engineer
• is TYPO3 core developer since 2007
• is member of the TYPO3 security team
• is studying at University of Applied Sciences Hof
• is currently working on event-sourcing for TYPO3
• loves cross-country mountain biking

Slide 3: ~overviewing ~deep-analyzing ~evil-hacking ~considering

Slide 4: What we're dealing with…
• A1: Injection - SQLi, CMDi - tricking interpreters
• A2: Authentication - permissions of "somebody"
• A3: XSS - unintended, but executable information

Slide 5: You've been H4CK3D

Slide 6: Let's assume…
• you have been hacked & you know that
• no information about severity… yet
  • is information or content modified?
  • is the attack continuing or repeating?
  • is password or private data stolen?
• you have to handle & clean up the hack
• What to do? In which order?

Slide 7: Strategy #1
• just overwrite from backup
• update system & extensions
• clear cache & that's it
• BUT
  • What was the entry point?
  • What exactly happened?
  • Will it happen again?

Slide 8: Strategy #2
• take web-server offline & redirect to static page
• analyze what happened & find first entry-point
• understand the attack & secure the whole system
• apply clean backups - compromised or clean?
• BUT
  • Your customer will hate you! … and love you!
  • … what? Going the secure way sounds better!

Slide 9: Strategy #2
• search for anomalies in logs and file-system
  • mass-requests to different URLs from same IP
  • HTTP POST requests with large (download) size
  • script files (PHP, Perl, CGI) in e.g. image folders
• search for actions during non-business hours
  • back-end login at 03:00 in the morning
  • content changes at midnight

Slide 10: Analysis
• find modified files
  find -mtime -1
  find -mmin -30
• determine modification time - time of attack?
  stat some-file.php
• find accordant log entries
  • in web-server logs
  • in TYPO3 application logs
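The anomaly hunt on slides 9 and 10 can be automated over the web-server log once `find`/`stat` have given you the modification time. The following Python script is an added example, not part of the talk and not TYPO3 code: it parses Apache combined-format lines, flags each anomaly class from slide 9, and returns the requests within a few minutes of a file's modification time. The sample log lines, the IP addresses, the /fileadmin/ path and the 03:02 back-end login are constructed for the example; the talk itself only names the extension saltedpassword, the script Resources/Public/test.php and the timestamp 2016-09-14T14:54:59+0200. The thresholds (four distinct URLs per IP, a 1 MB POST response, business hours 08:00 to 18:00) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample log (Apache "combined" format, response size last). The
# attacker IP, the /fileadmin/ script and the night-time /typo3/ login are made up;
# the extension name, test.php and the 14:54:59 timestamp are the ones from the talk.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2016:14:52:01 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1 HTTP/1.1" 200 5120
203.0.113.5 - - [14/Sep/2016:14:52:02 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1+AND+1=0 HTTP/1.1" 200 1800
203.0.113.5 - - [14/Sep/2016:14:52:02 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1+OR+1=1 HTTP/1.1" 200 9100
203.0.113.5 - - [14/Sep/2016:14:52:03 +0200] "GET /typo3/ HTTP/1.1" 200 2300
203.0.113.5 - - [14/Sep/2016:14:54:59 +0200] "POST /typo3conf/ext/saltedpassword/Resources/Public/test.php HTTP/1.1" 200 421
203.0.113.5 - - [14/Sep/2016:14:55:10 +0200] "POST /typo3conf/ext/saltedpassword/Resources/Public/test.php HTTP/1.1" 200 2400000
203.0.113.5 - - [14/Sep/2016:14:55:30 +0200] "GET /fileadmin/user_upload/images/cache.php HTTP/1.1" 200 120
198.51.100.7 - - [14/Sep/2016:15:01:00 +0200] "GET /fileadmin/images/logo.png HTTP/1.1" 200 8192
198.51.100.9 - - [15/Sep/2016:03:02:11 +0200] "POST /typo3/index.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Boolean-condition probes like "1 AND 1=0" / "1 OR 1=1" in a decoded query string.
SQLI_PROBE_RE = re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)
# Executable script files below upload/image directories (assumed directory names).
SCRIPT_IN_ASSET_DIR_RE = re.compile(r"^/(?:fileadmin|uploads)/.*\.(?:php|phtml|pl|cgi)$", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries


def find_anomalies(entries, min_distinct_paths=4, large_post_bytes=1_000_000, business_hours=(8, 18)):
    """Apply the slide-9 heuristics and return the matching entries per class."""
    paths_by_ip = defaultdict(set)
    for e in entries:
        paths_by_ip[e["ip"]].add(e["path"])
    start, end = business_hours
    return {
        # many different URLs from one client: scanner or injection tool
        "mass_requests": sorted(ip for ip, p in paths_by_ip.items() if len(p) >= min_distinct_paths),
        # POST with a large response: data pulled out through a web shell
        "large_posts": [e for e in entries if e["method"] == "POST" and e["size"] >= large_post_bytes],
        # script files where only images/uploads belong
        "scripts_in_asset_dirs": [e for e in entries if SCRIPT_IN_ASSET_DIR_RE.match(e["path"].split("?", 1)[0])],
        # back-end activity outside business hours
        "off_hours_backend": [e for e in entries if e["path"].startswith("/typo3/") and not (start <= e["ts"].hour < end)],
        # boolean-based SQL injection probes in the query string
        "sqli_probes": [e for e in entries if SQLI_PROBE_RE.search(unquote_plus(e["path"]))],
    }


def requests_around(entries, mtime_iso, minutes=2):
    """Log entries within +/- `minutes` of a modification time as printed by `stat`."""
    pivot = datetime.strptime(mtime_iso, "%Y-%m-%dT%H:%M:%S%z")
    window = timedelta(minutes=minutes)
    return [e for e in entries if abs(e["ts"] - pivot) <= window]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for kind, hits in find_anomalies(entries).items():
        print(kind, hits if kind == "mass_requests" else [(h["ip"], h["path"]) for h in hits])
    for e in requests_around(entries, "2016-09-14T14:54:59+0200"):
        print("near mtime:", e["ts"].isoformat(), e["method"], e["path"], e["size"])
```

Run against a real access log, `requests_around` is the step that links the `stat` output of a suspicious file to the request that wrote it; the other classes are a first pass only and need their thresholds adjusted to the site's normal traffic.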
Slide 11: Results so far…
• exact time 2016-09-14T14:54:59+0200
• extension saltedpassword created - how?
• PHP script Resources/Public/test.php
  • called multiple times & with HTTP POST method
  • might be a web shell
  eval(gzinflate(base64_decode('S03OyFdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))

Slides 12-15: (screenshots)

Slide 16: Results so far…
• admin user somebody logged in & logged out
• extension saltedpassword installed during session
• further PHP warnings & errors found in log
• a bunch of MySQL warnings found
  • might be result of SQL injection

Slide 17: H4CK1N6 process

Slide 18: tx_listing_listing[itemId]=1

Slide 19: tx_listing_listing[itemId]=1+AND+1=0

Slide 20: tx_listing_listing[itemId]=1+OR+1=1

Slide 21: ~/typo3conf/ext/listing/ext_tables.sql (11 columns)

Slide 22: What the "hacker" did…
• found website at http://7.6.local.typo3.org/
• found plugin that accepts parameters via HTTP
  index.php?id=37
  &tx_listing_listing[itemId]=1
  &tx_listing_listing[action]=show
  &tx_listing_listing[controller]=Item
• basically it was some penetration testing tool
Slide 23: Kali Linux
• hacker's toolbox
• network & wireless sniffing tools
• exploitation tools & distributed execution
  • like Metasploit & Armitage
• web application hacking tools
  • like SqlMap & BeEF XSS

Slide 24: SqlMap & Collecting Data

Slides 25-26: (screenshots)

Slide 27: BeEF XSS & client hijacking

Slide 28: Development & Security

Slide 29: A pessimistic approach…
• every request is a potential attack
• submitted data are not trustworthy
  • as long as the opposite is proven
• validate & filter everything on server-side (even if browser "did" that already)
• encode, escape or cast for target context (HTML, database, file-system, system call, mail, …)

Slide 30: More optimistic approach…
• no necessity for fatal failures & exceptions
• provide understandable messages to user
• warn, if something unexpected happened
  • notify & emit confirmation dialogs
  • put anomalies to dedicated log-files
• implement alternative notifications
  • e.g. mail to user if username was used for login

Slide 31: Considerations

Slide 32: Mitigation strategies
• network-based intrusion detection - e.g. Snort
  • analyses network-connections and anomalies
• host-based intrusion detection - e.g. Samhain
  • file integrity checks & log file monitoring
• web application firewall - e.g. mod_security
  • individual filter rules for HTTP requests
  • capable of denying SQL or XSS attacks

Slide 33: Information Disclosure
• everything that is not required by the application
  • debug output & fragments - use a debugger
  • outdated source-code - use Git for this
• carefully select failure messages
  • "username was not found on system" versus
  • "username and password are not correct"
• hide configuration via server-rules - .htaccess
Slide 34: Session Management
• always use secure channels (HTTPS)
• enforce HTTP-only & secure cookies
• avoid custom $_SESSION & $_COOKIE games
• select reasonable session time-out values
• use CSRF tokens for actions & forms
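Three of the points on slide 34 (HTTP-only and secure cookies, a bounded session time-out, CSRF tokens for actions and forms) fit into one small Python example. It is added here and is not code from the talk or from TYPO3: it builds the Set-Cookie header for a session id with the protective attributes, issues a CSRF token bound to both the session and the action it authorises, and verifies it in constant time. The cookie name `sid`, the `SERVER_SECRET` (generated per process here, which a real application must not do) and the form field `csrf_token` are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for the example: a real application loads this secret from its
# configuration (and rotates it); generating it per process would invalidate
# every token on restart.
SERVER_SECRET = secrets.token_bytes(32)


def session_cookie_header(session_id, max_age=1800, name="sid"):
    """Set-Cookie value with the attributes slide 34 asks for.

    HttpOnly keeps the id away from script (limits XSS), Secure restricts it
    to HTTPS, Max-Age bounds the session lifetime and SameSite=Lax keeps the
    cookie off most cross-site POSTs. The cookie name is an assumption.
    """
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["max-age"] = max_age
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return cookie.output(header="").strip()


def issue_csrf_token(session_id, action, secret=SERVER_SECRET):
    """Token bound to this session and this action: random nonce + HMAC over both."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(secret, f"{session_id}|{action}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token, session_id, action, secret=SERVER_SECRET):
    """Recompute the HMAC for the presented nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(secret, f"{session_id}|{action}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_form_post(form, session_id, action):
    """Gate for a state-changing request: refuse unless the token fits session and action."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, action):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, f"{action} performed"


if __name__ == "__main__":
    sid = secrets.token_urlsafe(24)
    print(session_cookie_header(sid))
    tok = issue_csrf_token(sid, "delete_item")
    print(handle_form_post({"csrf_token": tok}, sid, "delete_item"))     # 200
    print(handle_form_post({"csrf_token": tok}, sid, "change_password"))  # 403: wrong action
    print(handle_form_post({}, sid, "delete_item"))                       # 403: no token
```

Binding the token to the action means a token leaked from one form cannot be replayed against another; binding it to the session id means it is useless to a different visitor even with the same secret.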
Slide 35: Authentication Management
• lock users with old MD5 passwords
• limit amount of admin users
• limit permissions per user
• enforce strong & different passwords
• apply debriefing strategy (employee quit job)
• use backend login notification feature of TYPO3
• separation of developer, integrator, admin, editor

Slide 36: Framework & Complexity
• understand what the framework is doing
  • which security precautions are available
  • which are not & how to close that gap
• keep track of important/breaking changes
  • this might take some time, sure
  • but hackers will do that as well
• apply security updates as soon as possible

Slide 37: Laziness & Copy-Paste
• using "Page PHP Content Element"
  • allows (good) backend editors to write code
  • … to write untested, insecure & executable code
• allowing TypoScript for everybody
  • allows (good) backend editors to write code
  • … to write even more insecure code
  • … since TypoScript is a facade to real PHP calls
Slides 38-39:
• cast or escape insecure variables
  (int)$item
• use the provided API calls as much as possible
• understand what the framework is really doing

Slide 40:
• filter or encode insecure variables
• really remove debug code or <f:comment>
• understand what the framework is really doing
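Slides 18 to 22 show the three `itemId` values the tool sent (`1`, `1+AND+1=0`, `1+OR+1=1`) and slides 38 to 40 give the remedy (`(int)$item`, use the API). The following Python example, added here and not code from the talk or from TYPO3, ties the two together with an in-memory SQLite table: a query that concatenates the raw parameter behaves differently for each of the three values (which is exactly what a boolean-based injection tool looks for), while a cast or a bound parameter returns the same single row every time. The table name `tx_listing_item`, its columns and the `to_int` approximation of PHP's `(int)` cast are assumptions for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the listing plugin's table (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tx_listing_item (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO tx_listing_item VALUES (?, ?, ?)",
                     [(1, "Item one", 0), (2, "Item two", 0), (3, "Unpublished item", 1)])
    return conn


# The itemId values from slides 18-20 after URL decoding ('+' becomes a space).
PAYLOADS = ("1", "1 AND 1=0", "1 OR 1=1")


def show_item_vulnerable(conn, item_id):
    """The bug class: the request parameter is concatenated into the SQL text.

    "1"          -> the one row the plugin meant to show
    "1 AND 1=0"  -> no row at all
    "1 OR 1=1"   -> every row, the hidden one included (OR binds weaker than AND)
    The differing responses are the signal an injection tool keys on.
    """
    sql = "SELECT uid, title FROM tx_listing_item WHERE hidden = 0 AND uid = " + item_id
    return conn.execute(sql).fetchall()


INT_PREFIX = re.compile(r"^\s*[+-]?\d+")


def to_int(value):
    """Approximates PHP's (int) cast on a string: leading integer, otherwise 0."""
    m = INT_PREFIX.match(value)
    return int(m.group()) if m else 0


def show_item_cast(conn, item_id):
    """Slide 38's advice: cast first, so '1 OR 1=1' collapses to 1 before it reaches SQL."""
    sql = "SELECT uid, title FROM tx_listing_item WHERE hidden = 0 AND uid = " + str(to_int(item_id))
    return conn.execute(sql).fetchall()


def show_item_prepared(conn, item_id):
    """Preferred form: a bound parameter is data and is never parsed as SQL."""
    sql = "SELECT uid, title FROM tx_listing_item WHERE hidden = 0 AND uid = ?"
    return conn.execute(sql, (to_int(item_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for p in PAYLOADS:
        print(f"{p!r:14} vulnerable={show_item_vulnerable(conn, p)}  "
              f"cast={show_item_cast(conn, p)}  prepared={show_item_prepared(conn, p)}")
```

The cast is the cheapest fix for a numeric id and is what the slide recommends; the bound parameter is the general one, because it also covers string values where a cast does not apply.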
Slide 41: There is more…

Slide 42: Further topics…
• on cross-site-scripting & cross-site-tracing
• CORS - cross-origin resource sharing
• HSTS - HTTP strict transport security
• CSP - HTTP content security policy
• httpoxy - attacks via HTTP Proxy headers
• ImageTragick - attacks via crafted images
• TYPO3 Security Guide - aspects in more detail

Slide 43: Questions?

Slide 44: Sources
• OWASP & Top 10 2013
  • https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
  • https://www.owasp.org/index.php/Top_10_2013-Top_10
• Triad of Confidentiality, Integrity & Availability
  • http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
  • http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm
• System Commands & Kali Linux
  • http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/
  • https://www.kali.org/
  • https://github.com/sqlmapproject/sqlmap/wiki/Usage
  • https://github.com/beefproject/beef/wiki
• Mitigation Strategies
  • https://www.snort.org/
  • http://la-samhna.de/samhain/
  • https://www.modsecurity.org/

Slide 45: Sources
• Considerations
  • https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess file)
  • https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (example, TypoScript to PHP facade)
• Examples - not recommended unless you really know what you're doing
  • https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only)
  • https://typo3.org/extensions/repository/view/typoscript_code (example only)
• Further topics
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • https://developer.mozilla.org/de/docs/Web/Security/CSP
  • https://imagetragick.com/
  • https://httpoxy.org/
  • https://docs.typo3.org/typo3cms/SecurityGuide/Index.html

Slide 46: Screencasts
• SqlMap: https://www.youtube.com/watch?v=VIGVlmaKqxY
• BeEF XSS: https://www.youtube.com/watch?v=WBDWWv5zdUQ

Slide 47: Thank you!
ohader · @ohader · Oliver_Hader · follow me: https://h4ck3r31.net