T3DD12 Security Workshop
•Download as KEY, PDF•
2 likes•1,293 views
Although in general easy to avoid SQL-Injection and Cross-Site Scripting vulnerabilities are within the TOP 5 of web application flaws every year. The reasons are manifold. One of them could be bad application design where the security code is spread all over the place, or wrong use of validation, escaping or encoding. In the first part of this workshop you will learn the how to securely handle user input and where the handling belong in your code. In the second part we will look at several problematic code examples and evaluate which code can be secured and why some code should generally be avoided. In that part we will also cover many lesser known security problems like NULL byte injections or userialize vulnerabilities.
Recommended
Recommended
More Related Content
Similar to T3DD12 Security Workshop
Similar to T3DD12 Security Workshop (20)
Recently uploaded
Recently uploaded (20)
T3DD12 Security Workshop
- 1. T3DD12 Security Beyond SQL Injections 13.04.2012 Helmut Hummel <helmut@typo3.org> TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 1 shar
- 2. Introduction Who‘s that guy? TYPO3 Security Team Leader TYPO3 Core Team Member Employed @ naw.info in Hannover, Germany TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 2 shar
- 3. T3DD12 Security Workshop Agenda Web Application Security - a Recap Did you know ...? Knowing the Enemy Best Practice TYPO3 Security Team TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 3 shar
- 4. What is Security? TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 4 shar
- 5. Absence of potential TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 5 shar
- 6. What is Security? Characteristics of Security TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 7. What is Security? Characteristics of Security There is no absolute Security TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 8. What is Security? Characteristics of Security There is no absolute Security An evironment is only as secure as it‘s weakest point TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 9. What is Security? Characteristics of Security There is no absolute Security An evironment is only as secure as it‘s weakest point Security is an investment TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 10. What is Security? Characteristics of Security There is no absolute Security An evironment is only as secure as it‘s weakest point Security is an investment The efforts for Security must be proportianal to the potential damage TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 11. What is Security? Characteristics of Security There is no absolute Security An evironment is only as secure as it‘s weakest point Security is an investment The efforts for Security must be proportianal to the potential damage An application or a service can be called secure, if the effort of compromising it are way higher than the possible gains TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 6 shar
- 12. What is Security? Security is relative TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 7 shar
- 13. What is Security? Security is relative Security depends on your needs TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 7 shar
- 14. What is Security? Security is relative Security depends on your needs Security depends on a certain point in time TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 7 shar
- 15. What is Security? Security is relative Security depends on your needs Security depends on a certain point in time Security needs to be constantly adapte and improved TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 7 shar
- 16. Security is a process, not a product. (Bruce Schneier) TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 8 shar
- 17. Criteria for Security TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 9 shar
- 18. Criteria for Security 10
- 19. Criteria for Security Security 10
- 20. Criteria for Security Integrity Security 10
- 21. Criteria for Security Integrity Security Availability 10
- 22. Criteria for Security Integrity Security Confidentiality Availability 10
- 23. General Security Priciples Least privilege Minimize Exposure Do not rely on „security by obscurity“ Defense in depth TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 11 shar
- 24. Defense in Depth 12
- 25. Defense in Depth PHP-application PHP DBMS Webserver OS Server 12
- 26. Defense in Depth PHP-application PHP DBMS Webserver OS Server Firewall Proxy 12
- 27. Defense in Depth PHP-application PHP DBMS Webserver OS Harding Server Firewall Proxy 12
- 28. Defense in Depth PHP-application PHP DBMS Webserver mod_security OS Harding Server Firewall Proxy 12
- 29. Defense in Depth PHP-application PHP DBMS SQL Proxy Webserver mod_security OS Harding Server Firewall Proxy 12
- 30. Defense in Depth PHP-application PHP suhosin DBMS SQL Proxy Webserver mod_security OS Harding Server Firewall Proxy 12
- 31. Defense in Depth PHP-application security layer(s) PHP suhosin DBMS SQL Proxy Webserver mod_security OS Harding Server Firewall Proxy 12
- 32. Did you know? TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 13 shar
- 33. TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 14 shar
- 34. TypoScript TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 15 shar
- 35. page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.wrap = pid=| 16
- 36. page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.intval = 1 page.10.andWhere.wrap = pid=| 17
- 37. page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1 18
- 38. page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1 19
- 39. page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> 20
- 40. page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1 21
- 41. page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1 22
- 42. Security Problems TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 23 shar
- 43. XSS TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 24 shar
- 44. HTML Contexts HTML-Element HTML-Attribute Value JS-Values URL Parameter TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 25 shar
- 45. CSRF TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 26 shar
- 46. CSRF <img src="http://bank.com/transfer.do? acct=MARIA&amount=100000" width="1" height="1" border="0"> 27
- 47. Avoid CSRF Secret random token in the request Save token in session One-Time Token may have usability impacts TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 28 shar
- 48. SQLi TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 29 shar
- 49. File Handling TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 30 shar
- 50. Header Injection TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 31 shar
- 51. Code Injection TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 32 shar
- 52. Insecure Unserialize TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 33 shar
- 53. Extbase Security TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 34 shar
- 54. XSS TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 35 shar
- 55. extbase XSS Flash Messages Context TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 36 shar
- 56. SQLi TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 37 shar
- 57. Mass Assignment TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 38 shar
- 58. Access Violation TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 39 shar
- 59. Knowing the enemy TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 40 shar
- 60. Demo TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 41 shar
- 61. Best Practice TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 42 shar
- 62. Best Practice TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 63. Best Practice The world is bad™ TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 64. Best Practice The world is bad™ Every request is an attack as long the opposite is proven TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 65. Best Practice The world is bad™ Every request is an attack as long the opposite is proven User input is untrustable TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 66. Best Practice The world is bad™ Every request is an attack as long the opposite is proven User input is untrustable User input needs to be validated and encoded and escaped right before output TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 67. Best Practice The world is bad™ Every request is an attack as long the opposite is proven User input is untrustable User input needs to be validated and encoded and escaped right before output Encoding and escaping depends on the context TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 68. Best Practice The world is bad™ Every request is an attack as long the opposite is proven User input is untrustable User input needs to be validated and encoded and escaped right before output Encoding and escaping depends on the context Separation of Concerns TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 43 shar
- 69. What is User Input? TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 70. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 71. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) $_FILES TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 72. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) $_FILES $_SERVER TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 73. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) $_FILES $_SERVER Filenames TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 74. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) $_FILES $_SERVER Filenames External Services TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 75. What is User Input? $_REQUEST ($_GET, $_POST, $_COOKIE) $_FILES $_SERVER Filenames External Services Editors are users TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 44 shar
- 76. How to treat User Input Validation Filtering Escaping Encoding TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 45 shar
- 77. How to treat User Input User Input evil™ Validate/ Filter stop execution? Escaping/ Encoding context! Output 46
- 78. How to treat User Input Filter Input Escape Output TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 47 shar
- 79. How to treat User Input Filter Input Check Type Check Format Check length Escape Output Context! DB, HTML, JS Directly before output TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 48 shar
- 80. Separation of Concerns Security issues are bugs Clean code leads to less bugs Test Driven Development Leave Security to Security Code 49
- 81. TYPO3 Security Team TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 50 shar
- 82. TYPO3 Security Team TYPO3 Security Team Responsible Disclosure Policy One communication channel (security@typo3.org) Pre-Announcements for critical issues only You can support us with sober and precise communication and reading the Security Bulletins carefully TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 51 shar
- 83. TYPO3 Security Team CVSS2 Score It is a calculation to help you to identify the severity of a Security Issue The result are 4 different Scores Base Score Temporal Score Environmental Score Overall Score TYPO3 Developer Days - Munich 2012 Inspiring people Security Workshop 52 shar
- 84. 53
- 85. 53
- 86. 53
- 87. 53
- 88. 54
- 89. 54
- 90. 54
- 91. 55
- 92. 55
- 93. 55
- 94. 56
- 95. Questions? 57
- 96. Thank you! @helhum h.hummel@naw.info 58
Editor's Notes
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- Apache, OS, PHP\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- Green SQL\n
- \n
- \n
- \n
- \n
- \n
- DB : tt_content:234:header\nDB : be_users:1:password\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- (CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM be_users where username = 0x61646D696E) = 65 THEN date ELSE title END)\n
- \n
- edit falsches Feld\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n