Although they are generally easy to avoid, SQL injection and cross-site scripting vulnerabilities are among the top 5 web application flaws every year.
The reasons are manifold. One of them may be poor application design in which the security code is spread all over the place, or incorrect use of validation, escaping or encoding.
In the first part of this workshop you will learn how to securely handle user input and where that handling belongs in your code.
In the second part we will look at several problematic code examples and evaluate which code can be secured and why some code should generally be avoided. In that part we will also cover many lesser-known security problems such as NULL byte injections or unserialize vulnerabilities.
1. T3DD12 Security
Beyond SQL Injections
13.04.2012
Helmut Hummel <helmut@typo3.org>
TYPO3 Developer Days - Munich 2012 Inspiring people
Security Workshop 1
2. Introduction
Who's that guy?
TYPO3 Security Team Leader
TYPO3 Core Team Member
Employed @ naw.info in Hannover, Germany
3. T3DD12 Security Workshop
Agenda
Web Application Security - a Recap
Did you know ...?
Knowing the Enemy
Best Practice
TYPO3 Security Team
4. What is Security?
11. What is Security?
Characteristics of Security
There is no absolute Security
An environment is only as secure as its weakest point
Security is an investment
The efforts for Security must be proportional to the potential damage
An application or a service can be called secure if the effort of compromising it is far higher than the possible gains
15. What is Security?
Security is relative
Security depends on your needs
Security depends on a certain point in time
Security needs to be constantly adapted and improved
16. Security is a process, not a product.
(Bruce Schneier)
23. General Security Principles
Least privilege
Minimize Exposure
Do not rely on "security by obscurity"
Defense in depth
47. Avoid CSRF
Secret random token in the request
Save token in session
One-Time Token may have usability impacts
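The three points above, as an added PHP example that is not part of the slides and not TYPO3 API: a per-session secret random token, stored in the session, echoed into state-changing forms and checked in constant time on every POST. The function and field names (csrf_token, csrf_field, csrf_verify, _csrf) are this example's own choices; random_bytes() and hash_equals() assume PHP 7 or newer.

```php
<?php
// Added example: CSRF protection with a secret random token kept in the session.
// Names below (csrf_token, csrf_field, csrf_verify, "_csrf") are assumptions of
// this example, not part of TYPO3.
declare(strict_types=1);

session_start();

// Create the token once per session or return the existing one. Reusing one
// token for the whole session avoids the usability problems of strict one-time
// tokens (several open tabs, back button) mentioned on the slide.
function csrf_token(): string
{
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['_csrf'];
}

// Hidden form field for templates. The value is hex, but escaping at output
// is applied anyway so the habit holds for every value that reaches HTML.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the token submitted with a state-changing request. hash_equals()
// compares in constant time, so the comparison itself leaks nothing via timing.
function csrf_verify(array $post): bool
{
    $expected = $_SESSION['_csrf'] ?? '';
    $given    = $post['_csrf'] ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// Usage: GET requests only render the form, POST requests are checked first.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the state-changing action here ...
} else {
    echo '<form method="post">' . csrf_field()
        . '<button type="submit">Delete</button></form>';
}
```

The check belongs to every request that changes state, never to requests that merely read; binding the token to the session rather than to a single form keeps it secret from other origins while avoiding the usability cost of one-time tokens.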
68. Best Practice
The world is bad™
Every request is an attack as long as the opposite is not proven
User input is untrustworthy
User input needs to be validated, and encoded and escaped right before output
Encoding and escaping depend on the context
Separation of Concerns
75. What is User Input?
$_REQUEST ($_GET, $_POST, $_COOKIE)
$_FILES
$_SERVER
Filenames
External Services
Editors are users
76. How to treat User Input
Validation
Filtering
Escaping
Encoding
77. How to treat User Input
User Input (evil™) -> Validate / Filter (stop execution?) -> Escaping / Encoding (context!) -> Output
79. How to treat User Input
Filter Input
  Check Type
  Check Format
  Check Length
Escape Output
  Context! (DB, HTML, JS)
  Directly before output
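Slides 68, 75, 76, 77 and 79 together describe one procedure: treat $_GET/$_POST values as untrusted, filter on the way in (type, format, length, stop on failure), and escape on the way out with a function chosen by the output context. The following PHP code is an added example illustrating that procedure; it is not from the slides or from TYPO3. The function names (validateUsername, escapeHtml, escapeJs, findUser), the users table and the sample row are this example's own constructions, and the database part assumes PDO with the SQLite driver.

```php
<?php
// Added example: "filter input, escape output" with context-specific escaping.
// All names and the sample table are constructed for this example (not TYPO3 code).
declare(strict_types=1);

// ---- Filter input: check type, format and length; the caller stops on null ----
function validateUsername($raw): ?string
{
    if (!is_string($raw)) {                          // type: arrays and missing values fail
        return null;
    }
    if (strlen($raw) < 1 || strlen($raw) > 32) {     // length
        return null;
    }
    if (!preg_match('/^[a-z0-9_]+$/D', $raw)) {      // format: whitelist; /D also rejects a trailing newline
        return null;
    }
    return $raw;
}

// ---- Escape output: the context decides which function is right ----

// HTML body and attribute context.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline JavaScript context: json_encode() produces a valid JS string literal,
// and the HEX flags escape < > & ' " so the literal cannot close a <script> tag.
function escapeJs(string $value): string
{
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;
}

// Database context: bound parameters instead of string concatenation, so the
// value can never be parsed as SQL regardless of what validation let through.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- Constructed demo: in-memory database with one row ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

// 1. Filter at the entry point; stop execution when the value is not acceptable.
$username = validateUsername($_GET['user'] ?? 'alice');
if ($username === null) {
    http_response_code(400);
    exit('Invalid user parameter');
}

// 2. Use the value; the DB context is handled by the prepared statement.
$user    = findUser($db, $username);
$display = $user['username'] ?? '(unknown user)';

// 3. Escape directly before output, once per context.
echo '<p>Hello, ' . escapeHtml($display) . '</p>';
echo '<script>var currentUser = ' . escapeJs($display) . ';</script>';
```

Validation and escaping are deliberately separate steps: validation rejects values the application has no use for, while escaping makes whatever survived harmless in the one context it is written into. Escaping once for HTML and reusing that string inside a script block, or escaping on the way in and storing the escaped form, are the two mistakes that context-specific, output-time escaping is meant to prevent.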
80. Separation of Concerns
Security issues are bugs
Clean code leads to fewer bugs
Test Driven Development
Leave Security to Security Code
82. TYPO3 Security Team
TYPO3 Security Team
Responsible Disclosure Policy
One communication channel (security@typo3.org)
Pre-Announcements for critical issues only
You can support us with sober and precise communication and by reading the Security Bulletins carefully
83. TYPO3 Security Team
CVSS2 Score
It is a calculation that helps you identify the severity of a security issue
The result is 4 different scores
Base Score
Temporal Score
Environmental Score
Overall Score
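The slide names the four CVSS2 scores but does not show how the first one is computed. The following PHP code is an added example, not from the slides: it implements the CVSS version 2 base score from the published specification (metric weights and the Impact/Exploitability formulas are taken from that specification, not from the deck). The function name cvss2BaseScore and the two sample vectors are this example's own choices.

```php
<?php
// Added example: CVSS v2 base score from a vector string such as
// "AV:N/AC:M/Au:N/C:N/I:P/A:N". Weights and formulas follow the CVSS v2
// specification; nothing here is TYPO3 code.
declare(strict_types=1);

const CVSS2_AV  = ['L' => 0.395, 'A' => 0.646, 'N' => 1.0];   // Access Vector
const CVSS2_AC  = ['H' => 0.35,  'M' => 0.61,  'L' => 0.71];  // Access Complexity
const CVSS2_AU  = ['M' => 0.45,  'S' => 0.56,  'N' => 0.704]; // Authentication
const CVSS2_CIA = ['N' => 0.0,   'P' => 0.275, 'C' => 0.660]; // Confidentiality/Integrity/Availability impact

// Parse "AV:N/AC:L/..." into ['AV' => 'N', 'AC' => 'L', ...] and reject unknown values.
function cvss2ParseVector(string $vector): array
{
    $tables = ['AV' => CVSS2_AV, 'AC' => CVSS2_AC, 'Au' => CVSS2_AU,
               'C' => CVSS2_CIA, 'I' => CVSS2_CIA, 'A' => CVSS2_CIA];
    $metrics = [];
    foreach (explode('/', $vector) as $part) {
        if (strpos($part, ':') === false) {
            throw new InvalidArgumentException("malformed metric '$part'");
        }
        [$name, $value] = explode(':', $part, 2);
        if (!isset($tables[$name]) || !isset($tables[$name][$value])) {
            throw new InvalidArgumentException("unknown metric or value '$part'");
        }
        $metrics[$name] = $value;
    }
    foreach (array_keys($tables) as $name) {
        if (!isset($metrics[$name])) {
            throw new InvalidArgumentException("missing metric '$name'");
        }
    }
    return $metrics;
}

// Base score = round1(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
function cvss2BaseScore(string $vector): float
{
    $m = cvss2ParseVector($vector);

    $impact = 10.41 * (1 - (1 - CVSS2_CIA[$m['C']])
                         * (1 - CVSS2_CIA[$m['I']])
                         * (1 - CVSS2_CIA[$m['A']]));
    $exploitability = 20 * CVSS2_AV[$m['AV']] * CVSS2_AC[$m['AC']] * CVSS2_AU[$m['Au']];
    $fImpact = ($impact == 0.0) ? 0.0 : 1.176;   // f(Impact) from the specification

    return round((0.6 * $impact + 0.4 * $exploitability - 1.5) * $fImpact, 1);
}

// Constructed demo vectors: a reflected XSS (integrity partially affected) and an
// unauthenticated SQL injection (C/I/A all partially affected).
foreach (['AV:N/AC:M/Au:N/C:N/I:P/A:N', 'AV:N/AC:L/Au:N/C:P/I:P/A:P'] as $vector) {
    printf("%s => base score %.1f\n", $vector, cvss2BaseScore($vector));
}
```

Worked through by hand for the first vector: Impact is 10.41 * (1 - 1 * 0.725 * 1) = 2.863, Exploitability is 20 * 1.0 * 0.61 * 0.704 = 8.589, and (0.6 * 2.863 + 0.4 * 8.589 - 1.5) * 1.176 rounds to 4.3; the second vector gives 7.5. The temporal and environmental scores on the slide are further adjustments applied on top of this base score, and the overall score is the final result once those adjustments are included.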