SlideShare a Scribd company logo
H4CK1N6
Web Application Security in TYPO3
September 17th, 2016
~whois oliver.hader
• is living in Hof, Bavaria, Germany
• is freelance software engineer
• is TYPO3 core developer since 2007
• is member of the TYPO3 security team
• is studying at University of Applied Sciences Hof
• is currently working on event-sourcing for TYPO3
• loves cross-country mountain biking
~overviewing
~deep-analyzing

~evil-hacking
~considering
What we’re dealing with…
• A1: Injection - SQLi, CMDi - tricking interpreters
• A2: Authentication - permissions of ”somebody”
• A3: XSS - unintended, but executable information
You’ve been H4CK3D
Let’s assume…
• you have been hacked & and you know that
• no information about severity… yet
• is information or content modified?
• is the attack continuing or repeating?
• is password or private data stolen?
• you have to handle & clean up the hack
• What to do? In which order?
Strategy #1
• just overwrite from backup
• update system & extensions
• clear cache & that’s it
• BUT
• What was the entry point?
• What did exactly happen?
• Will it happen again?
Strategy #2
• take web-server offline & redirect to static page
• analyze what happened & find first entry-point
• understand the attack & secure the whole system
• apply clean backups - compromised or clean?
• BUT
• Your customer will hate you! … and love you!
• … what? Going the secure way sounds better!
Strategy #2
• search for anomalies in logs and file-system
• mass-requests to different URLs from same IP
• HTTP POST requests with large (download) size
• script files (PHP, Perl, CGI) in e.g. image folders
• search for actions during non-business hours
• back-end login at 03:00 in the morning
• content changes at midnight
Analysis
• find modified files
	
  find	
  –mtime	
  –1	
  	
  	
  find	
  –mmin	
  –30	
  
• determine modification time - time of attack?
	
  stat	
  some-­‐file.php	
  
• find accordant log entries
• in web-server logs
• in TYPO3 application logs
Results so far…
• exact time 2016-09-14T14:54:59+0200
• extension saltedpassword created - how?
• PHP script Resources/Public/test.php
• called multiple times & with HTTP POST method
• might be a web shell
	
  eval(gzinflate(base64_decode('S03Oy	
  

	
  FdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))	
  
!
!
!
!
!
Results so far…
• admin user somebody logged in & logged out
• extension saltedpassword installed during session
• further PHP warnings & errors found in log
• a bunch of MySQL warnings found
• might be result of SQL injection
H4CK1N6 process
tx_listing_listing[itemId]=1
tx_listing_listing[itemId]=1+AND+1=0
tx_listing_listing[itemId]=1+OR+1=1
~/typo3conf/ext/listing/ext_tables.sql
11	
  columns
What the ”hacker” did…
• found website at http://7.6.local.typo3.org/
• found plugin that accepts parameters via HTTP
index.php?id=37

&tx_listing_listing[itemId]=1

&tx_listing_listing[action]=show

&tx_listing_listing[controller]=Item	
  
• basically it was some penetration testing tool
Kali Linux
• hacker’s toolbox
• network & wireless sniffing tools
• exploitation tools & distributed execution
• like Metasploit & Armitage
• web application hacking tools
• like SqlMap & BeEF XSS
SqlMap & Collecting Data
!
!
BeEF XSS & client hijacking
Development & Security
A pessimistic approach…
• every request is a potential attack
• submitted data are not trustworthy
• as long as the opposite is proven
• validate & filter everything on server-side

(even if browser ”did” that already)
• encode, escape or cast for target context

(HTML, database, file-system, system call, mail, …)
More optimistic approach…
• no necessity for fatal failures & exceptions
• provide understandable messages to user
• warn, if something unexpected happened
• notify & emit confirmation dialogs
• put anomalies to dedicated log-files
• implement alternative notifications
• e.g. mail to user if username was used for login
Considerations
Mitigation strategies
• network-based intrusion detection - e.g. Snort
• analyses network-connections and anomalies
• host-based intrusion detection - e.g. Samhain
• file integrity checks & log file monitoring
• web application firewall - e.g. mod_security
• individual filter rules for HTTP requests
• capable of denying SQL or XSS attacks
Information Disclosure
• everything that is not required by the application
• debug output & fragments - use a debugger
• outdated source-code - use Git for this
• carefully select failure messages
• ”username was not found on system” versus
• ”username and password are not correct”
• hide configuration via server-rules - .htaccess
Session Management
• always use secure channels (HTTPS)
• enforce HTTP-only & secure cookies
• avoid custom $_SESSION & $_COOKIE games
• select reasonable session time-out values
• use CSRF tokens for actions & forms
Authentication Management
• lock users with old MD5 passwords
• limit amount of admin users
• limit permissions per user
• enforce strong & different passwords
• apply debriefing strategy (employee quit job)
• use backend login notification feature of TYPO3
• separation of developer, integrator, admin, editor
Framework & Complexity
• understand what the framework is doing
• which security precautions are available
• which are not & how to close that gap
• keep track of important/breaking changes
• this might take some time, sure
• but hackers will do that as well
• apply security updates as soon possible
Laziness & Copy-Paste
• using ”Page PHP Content Element“
• allows (good) backend editors to write code
• … to write untested, insecure & executable code
• allowing TypoScript for everybody
• allows (good) backend editors to write code
• … to write even more insecure code
• … since TypoScript is a facade to real PHP calls
• cast or escape insecure variables 	
  (int)$item	
  
• use the provided API calls as much as possible
• understand what the framework is really doing
• cast or escape insecure variables 	
  (int)$item	
  
• use the provided API calls as much as possible
• understand what the framework is really doing
• filter or encode insecure variables
• really remove debug code or 	
  <f:comment>	
  
• understand what the framework is really doing
There is more…
Further topics…
• on cross-site-scripting & cross-site-tracing
• CORS - cross-origin resource sharing
• HSTS - HTTP strict transport security
• CSP - HTTP content security policy
• httpoxy - attacks via HTTP Proxy headers
• ImageTragick - attacks via crafted images
• TYPO3 Security Guide - aspects in more detail
Questions?
Sources
• OWASP & Top 10 2013
• https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• Triad of Confidentially, Integrity & Availability
• http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
• http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm
• System Commands & Kali Linux
• http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/
• https://www.kali.org/
• https://github.com/sqlmapproject/sqlmap/wiki/Usage
• https://github.com/beefproject/beef/wiki
• Mitigation Strategies &
• https://www.snort.org/
• http://la-samhna.de/samhain/
• https://www.modsecurity.org/
Sources
• Considerations
• https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess file)
• https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/
ContentObjectRenderer.php (example, TypoScript to PHP facade)
• Examples - not recommended unless you really know what you’re doing
• https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only)
• https://typo3.org/extensions/repository/view/typoscript_code (example only)
• Further topics
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
• https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
• https://developer.mozilla.org/de/docs/Web/Security/CSP
• https://imagetragick.com/
• https://httpoxy.org/
• https://docs.typo3.org/typo3cms/SecurityGuide/Index.html
Screencasts
• SqlMap
• https://www.youtube.com/watch?v=VIGVlmaKqxY
• BeEF XSS
• https://www.youtube.com/watch?v=WBDWWv5zdUQ
Thank you!
ohader

@ohader

Oliver_Hader
follow mehttps://h4ck3r31.net

More Related Content

What's hot

ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
Mauricio Velazco
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
DevOps.com
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
SecuRing
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
Greg Foss
 
Finding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingFinding Bugs FASTER with Fuzzing
Finding Bugs FASTER with Fuzzing
Alper Başaran
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Security Automation using ZAP
Security Automation using ZAPSecurity Automation using ZAP
Security Automation using ZAP
Vaibhav Gupta
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
Tomasz Fajks
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
Teri Radichel
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
OWASP Delhi
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
Micah Hoffman
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
Isuru Samaraweera
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?
Ciaran McNally
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
PRISMA CSI
 

What's hot (19)

ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Finding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingFinding Bugs FASTER with Fuzzing
Finding Bugs FASTER with Fuzzing
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Security Automation using ZAP
Security Automation using ZAPSecurity Automation using ZAP
Security Automation using ZAP
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
Bug bounties - cén scéal?
Bug bounties - cén scéal?Bug bounties - cén scéal?
Bug bounties - cén scéal?
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 

Similar to H4CK1N6 - Web Application Security

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
Flaskdata.io
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
Positive Hack Days
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
dcervigni
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
Octavio Paguaga
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
ClubHack
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
EC-Council
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Infosec train
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
priyanshamadhwal2
 

Similar to H4CK1N6 - Web Application Security (20)

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
 

More from Oliver Hader

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & PitfallsT3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
Oliver Hader
 
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
Oliver Hader
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
Oliver Hader
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Oliver Hader
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
Oliver Hader
 
Web Components
Web ComponentsWeb Components
Web Components
Oliver Hader
 
Web application security
Web application securityWeb application security
Web application security
Oliver Hader
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
Oliver Hader
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0Oliver Hader
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
Oliver Hader
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
Oliver Hader
 

More from Oliver Hader (11)

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & PitfallsT3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
 
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
 
Web Components
Web ComponentsWeb Components
Web Components
 
Web application security
Web application securityWeb application security
Web application security
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
 

Recently uploaded

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 

Recently uploaded (12)

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 

H4CK1N6 - Web Application Security

  • 1. H4CK1N6 Web Application Security in TYPO3 September 17th, 2016
  • 2. ~whois oliver.hader • is living in Hof, Bavaria, Germany • is freelance software engineer • is TYPO3 core developer since 2007 • is member of the TYPO3 security team • is studying at University of Applied Sciences Hof • is currently working on event-sourcing for TYPO3 • loves cross-country mountain biking
  • 4. What we’re dealing with… • A1: Injection - SQLi, CMDi - tricking interpreters • A2: Authentication - permissions of ”somebody” • A3: XSS - unintended, but executable information
  • 6. Let’s assume… • you have been hacked & and you know that • no information about severity… yet • is information or content modified? • is the attack continuing or repeating? • is password or private data stolen? • you have to handle & clean up the hack • What to do? In which order?
  • 7. Strategy #1 • just overwrite from backup • update system & extensions • clear cache & that’s it • BUT • What was the entry point? • What did exactly happen? • Will it happen again?
  • 8. Strategy #2 • take web-server offline & redirect to static page • analyze what happened & find first entry-point • understand the attack & secure the whole system • apply clean backups - compromised or clean? • BUT • Your customer will hate you! … and love you! • … what? Going the secure way sounds better!
  • 9. Strategy #2 • search for anomalies in logs and file-system • mass-requests to different URLs from same IP • HTTP POST requests with large (download) size • script files (PHP, Perl, CGI) in e.g. image folders • search for actions during non-business hours • back-end login at 03:00 in the morning • content changes at midnight
  • 10. Analysis • find modified files  find  –mtime  –1      find  –mmin  –30   • determine modification time - time of attack?  stat  some-­‐file.php   • find accordant log entries • in web-server logs • in TYPO3 application logs
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. Results so far… • exact time 2016-09-14T14:54:59+0200 • extension saltedpassword created - how? • PHP script Resources/Public/test.php • called multiple times & with HTTP POST method • might be a web shell  eval(gzinflate(base64_decode('S03Oy  
  FdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))  
  • 16. !
  • 17. !
  • 18. ! !
  • 19. !
  • 20. Results so far… • admin user somebody logged in & logged out • extension saltedpassword installed during session • further PHP warnings & errors found in log • a bunch of MySQL warnings found • might be result of SQL injection
  • 22.
  • 27. What the ”hacker” did… • found website at http://7.6.local.typo3.org/ • found plugin that accepts parameters via HTTP index.php?id=37
 &tx_listing_listing[itemId]=1
 &tx_listing_listing[action]=show
 &tx_listing_listing[controller]=Item   • basically it was some penetration testing tool
  • 28. Kali Linux • hacker’s toolbox • network & wireless sniffing tools • exploitation tools & distributed execution • like Metasploit & Armitage • web application hacking tools • like SqlMap & BeEF XSS
  • 30. !
  • 31. !
  • 32. BeEF XSS & client hijacking
  • 34. A pessimistic approach… • every request is a potential attack • submitted data are not trustworthy • as long as the opposite is proven • validate & filter everything on server-side
 (even if browser ”did” that already) • encode, escape or cast for target context
 (HTML, database, file-system, system call, mail, …)
  • 35. More optimistic approach… • no necessity for fatal failures & exceptions • provide understandable messages to user • warn, if something unexpected happened • notify & emit confirmation dialogs • put anomalies to dedicated log-files • implement alternative notifications • e.g. mail to user if username was used for login
  • 37. Mitigation strategies • network-based intrusion detection - e.g. Snort • analyses network-connections and anomalies • host-based intrusion detection - e.g. Samhain • file integrity checks & log file monitoring • web application firewall - e.g. mod_security • individual filter rules for HTTP requests • capable of denying SQL or XSS attacks
  • 38. Information Disclosure • everything that is not required by the application • debug output & fragments - use a debugger • outdated source-code - use Git for this • carefully select failure messages • ”username was not found on system” versus • ”username and password are not correct” • hide configuration via server-rules - .htaccess
  • 39. Session Management • always use secure channels (HTTPS) • enforce HTTP-only & secure cookies • avoid custom $_SESSION & $_COOKIE games • select reasonable session time-out values • use CSRF tokens for actions & forms
  • 40. Authentication Management • lock users with old MD5 passwords • limit amount of admin users • limit permissions per user • enforce strong & different passwords • apply debriefing strategy (employee quit job) • use backend login notification feature of TYPO3 • separation of developer, integrator, admin, editor
  • 41. Framework & Complexity • understand what the framework is doing • which security precautions are available • which are not & how to close that gap • keep track of important/breaking changes • this might take some time, sure • but hackers will do that as well • apply security updates as soon possible
  • 42. Laziness & Copy-Paste • using ”Page PHP Content Element“ • allows (good) backend editors to write code • … to write untested, insecure & executable code • allowing TypoScript for everybody • allows (good) backend editors to write code • … to write even more insecure code • … since TypoScript is a facade to real PHP calls
  • 43. • cast or escape insecure variables  (int)$item   • use the provided API calls as much as possible • understand what the framework is really doing
  • 44. • cast or escape insecure variables  (int)$item   • use the provided API calls as much as possible • understand what the framework is really doing
  • 45. • filter or encode insecure variables • really remove debug code or  <f:comment>   • understand what the framework is really doing
  • 47. Further topics… • on cross-site-scripting & cross-site-tracing • CORS - cross-origin resource sharing • HSTS - HTTP strict transport security • CSP - HTTP content security policy • httpoxy - attacks via HTTP Proxy headers • ImageTragick - attacks via crafted images • TYPO3 Security Guide - aspects in more detail
  • 49. Sources • OWASP & Top 10 2013 • https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 • https://www.owasp.org/index.php/Top_10_2013-Top_10 • Triad of Confidentially, Integrity & Availability • http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA • http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm • System Commands & Kali Linux • http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/ • https://www.kali.org/ • https://github.com/sqlmapproject/sqlmap/wiki/Usage • https://github.com/beefproject/beef/wiki • Mitigation Strategies & • https://www.snort.org/ • http://la-samhna.de/samhain/ • https://www.modsecurity.org/
  • 50. Sources • Considerations • https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess file) • https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/ ContentObjectRenderer.php (example, TypoScript to PHP facade) • Examples - not recommended unless you really know what you’re doing • https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only) • https://typo3.org/extensions/repository/view/typoscript_code (example only) • Further topics • https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security • https://developer.mozilla.org/de/docs/Web/Security/CSP • https://imagetragick.com/ • https://httpoxy.org/ • https://docs.typo3.org/typo3cms/SecurityGuide/Index.html
  • 51. Screencasts • SqlMap • https://www.youtube.com/watch?v=VIGVlmaKqxY • BeEF XSS • https://www.youtube.com/watch?v=WBDWWv5zdUQ