Hacking TYPO3 (v9, T3DD19 edition)
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 1st, 2019
TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ Security Team Lead
▪ 50% TYPO3 GmbH
▪ 50% freelance software engineer
▪ #hof #cycling #paramedic #in.die.musik
Disclaimer
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Web Application Security Basics
Web Application Security
▪ CIA/compliance triad
  ▪ confidentiality
    ▪ private, personal, sensitive information
  ▪ integrity
    ▪ manipulation of information (“fake news”)
  ▪ availability
    ▪ denial of service
    ▪ online bank account
    ▪ blocking information flow
Source: https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
Hacking Playground
CONFIDENTIALITY - unauthorised access to information

Hacking Playground
INTEGRITY - e.g. manipulated information

Hacking Playground
AVAILABILITY - information/service not available
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
[Chart: TYPO3 vulnerabilities in past 5 years, by origin: TYPO3 core / TYPO3 3rd party extensions / PHP world]
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Hacking Playground
https://github.com/ohader/typo3v9-hack
Session Hi-Jacking
thanks to Cross-Site Scripting
Session Hi-Jacking - insecure cookie
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/
▪ Install Tool Cookie did not have HttpOnly flag
▪ addressed on December 11th, 2018
Insecure Install Tool Cookie (HTTP-only flag missing)

… cookies can be read by (any) JavaScript …
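The two slides above show the effect of a session cookie without the HttpOnly flag: any script running in the page can read it, which turns a cross-site scripting bug into session theft. The following is an added example, not code from the slides or from TYPO3: a small PHP check that parses Set-Cookie header values and reports missing HttpOnly, Secure and SameSite attributes, followed by the setcookie() call shape that emits the flags. The cookie names and values in the sample headers are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides or TYPO3): audit Set-Cookie headers for the
// attributes that limit session hijacking. A cookie without HttpOnly is readable via
// document.cookie, which is what made the Install Tool issue (TYPO3-CORE-SA-2018-009)
// exploitable through XSS.

/** Parse one Set-Cookie header value into the cookie name and a lower-cased attribute map. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attributes = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        // Flag attributes (HttpOnly, Secure) have no value; store `true` for them.
        [$key, $value] = array_pad(explode('=', $part, 2), 2, true);
        $attributes[strtolower($key)] = $value;
    }
    return ['name' => $name, 'attributes' => $attributes];
}

/** Return the findings for one cookie header; an empty array means the flags are present. */
function auditCookie(string $header): array
{
    $attr = parseSetCookie($header)['attributes'];
    $findings = [];
    if (!isset($attr['httponly'])) {
        $findings[] = 'missing HttpOnly: readable from JavaScript, XSS becomes session theft';
    }
    if (!isset($attr['secure'])) {
        $findings[] = 'missing Secure: cookie is also sent over plain HTTP';
    }
    if (!isset($attr['samesite']) || strtolower((string)$attr['samesite']) === 'none') {
        $findings[] = 'SameSite not restricted: cross-site requests carry the cookie';
    }
    return $findings;
}

// Constructed sample headers (names/values are illustrative, not captured from TYPO3).
$headers = [
    'install_tool_session_example=abc123; Path=/typo3/install.php',
    'be_typo_user=def456; Path=/; Secure; HttpOnly; SameSite=Strict',
];
foreach ($headers as $header) {
    $findings = auditCookie($header);
    printf("%s: %s\n", parseSetCookie($header)['name'],
        $findings ? implode('; ', $findings) : 'flags present');
}

// Emitting the cookie correctly from PHP (7.3+ options array) so the audit above passes:
// setcookie('be_typo_user', $sessionId, [
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
// ]);
```

Run it against the Set-Cookie lines from a response capture of your own installation; the first sample reproduces the class of finding the advisory describes, the second shows a cookie with all three protections.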
Session Hi-Jacking - cross-site scripting
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-006/
▪ file.youtube or file.vimeo vulnerable to cross-site scripting
▪ addressed on December 11th, 2018
Session Hi-Jacking - cross-site scripting & insecure cookie
Asset.youtube file & JavaScript to be executed

Insecure Deserialization - Basics
… social engineering - somebody must click the file …

Insecure Deserialization - Basics
strange result & XSS exploitation in background

Session Hi-Jacking - cross-site scripting & insecure cookie
view of attacker - retrieving session cookie
Remote Code Execution #1
thanks to Insecure Deserialization
Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization

Insecure Deserialization - Basics
user submitted payload to be deserialized
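The two basics slides above state the whole problem: unserialize() instantiates whatever classes the payload names, and their __wakeup() and __destruct() run before application code sees the result. As an added example (not from the slides, and not TYPO3 or Guzzle code), the PHP below uses a harmless stand-in class in place of a real gadget such as the FileCookieJar mentioned later, puts the weak call next to the hardened one, and shows that with `allowed_classes => false` no magic method runs because objects become `__PHP_Incomplete_Class`. The class name and payload are constructed; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): why unserialize() on user input is dangerous and
// what the hardened call looks like. AuditLogger is a harmless stand-in for a gadget class;
// it only records which magic methods PHP invoked, so the effect is visible.

class AuditLogger
{
    public static array $events = [];

    public function __construct(public string $file = 'audit.log') {}

    public function __wakeup(): void
    {
        self::$events[] = "__wakeup ran: would reopen {$this->file}";
    }

    public function __destruct()
    {
        self::$events[] = "__destruct ran: would flush to {$this->file}";
    }
}

/** Weak: every class named in the payload is instantiated, so its magic methods execute. */
function deserializeUnsafe(string $payload): mixed
{
    return unserialize($payload);
}

/**
 * Hardened: objects are never materialised. PHP substitutes __PHP_Incomplete_Class,
 * which has no __wakeup/__destruct. Scalars and arrays still deserialize normally,
 * which is all a field like l10n_diffsource legitimately needs.
 */
function deserializeSafe(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed payload standing in for attacker-controlled input; built with serialize()
// so the example is self-contained. The path is illustrative.
$payload = serialize(new AuditLogger('/tmp/attacker-chosen.path'));
AuditLogger::$events = []; // discard events caused by building the sample itself

$unsafe = deserializeUnsafe($payload);
unset($unsafe);                      // destructor fires as soon as the object is dropped
$safe = deserializeSafe($payload);   // no constructor, no __wakeup, no __destruct

print_r(AuditLogger::$events);       // entries come from the unsafe path only
var_dump($safe instanceof __PHP_Incomplete_Class);
```

The practical rule the example encodes: never call unserialize() on request data at all; where a legacy format forces it, pass `['allowed_classes' => false]` (or an explicit allow-list) so the payload cannot select classes, and prefer JSON for anything new.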
Remote Code Execution #1
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
Insecure Deserialization - Basics
__destruct() saves content to filesystem

Remote Code Execution #1
making use of FileCookieJar as attack container

Remote Code Execution #1
prepare attack against TYPO3 backend

Remote Code Execution #1
actual attack payload that shall be executed

Remote Code Execution #1
XSRF token needs to be known (valid backend user required)

Remote Code Execution #1
output of injected & executed /typo3/hack.php

Remote Code Execution #1
… new admin user h4ck3r31 …
Remote Code Execution #2
thanks to Information Disclosure & Insecure Deserialization

typo3conf/LocalConfiguration.php.old
typo3conf/LocalConfiguration.php.old backup file

… what else can we find here? (standard configuration)
encryptionKey

Extbase __trustedProperties deserialisation

HMAC signing of __trustedProperties - based on encryptionKey
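The slides above chain an information disclosure (a readable `LocalConfiguration.php.old` exposing `encryptionKey`) into a deserialisation attack: the HMAC on `__trustedProperties` only proves that someone holding the key produced the value, so a leaked key lets anyone produce accepted values. As an added example (not TYPO3's HashService or Extbase code), the PHP below implements the same integrity pattern generically and demonstrates three outcomes: a genuine value verifies, a value signed with the leaked key also verifies, and after key rotation the forged value is rejected. SHA-256 and JSON are choices made here for the example; the keys are generated inline.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's code): integrity protection of a client-side field in the
// style of Extbase __trustedProperties. Shows why a leaked encryptionKey defeats the
// check and why rotating the key is part of incident response.

function signPayload(array $data, string $key): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    // payload followed by its HMAC (64 hex chars for sha256)
    return $json . hash_hmac('sha256', $json, $key);
}

/**
 * Returns the decoded data, or null when the signature does not verify.
 * hash_equals() is a constant-time comparison; the data is decoded only after
 * verification and only as JSON, so no PHP object is ever created from client input.
 */
function verifyPayload(string $signed, string $key): ?array
{
    $hmacLength = 64;
    if (strlen($signed) <= $hmacLength) {
        return null;
    }
    $json = substr($signed, 0, -$hmacLength);
    $given = substr($signed, -$hmacLength);
    $expected = hash_hmac('sha256', $json, $key);
    if (!hash_equals($expected, $given)) {
        return null;
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

function report(string $case, bool $accepted): void
{
    printf("%-52s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}

// Constructed keys. A real encryptionKey is a long random secret that must not sit in
// backup copies under the web root.
$key        = bin2hex(random_bytes(32));
$leakedKey  = $key;                      // what a readable LocalConfiguration.php.old hands out
$rotatedKey = bin2hex(random_bytes(32)); // new key after the incident

$genuine = signPayload(['allowed' => ['title', 'body']], $key);
report('genuine value, current key', verifyPayload($genuine, $key) !== null);

// Attacker-built value: a wider property list, signed with the leaked key.
$forged = signPayload(['allowed' => ['title', 'body', 'uid']], $leakedKey);
report('forged value, key still in use', verifyPayload($forged, $key) !== null);
report('forged value, after key rotation', verifyPayload($forged, $rotatedKey) !== null);

// Any modification without the key fails the constant-time comparison.
report('genuine value with one character changed',
    verifyPayload(substr($genuine, 0, -1) . 'x', $key) !== null);
```

The second line of output is the point of the slides: signature verification is working exactly as designed and still accepts the attacker's value, which is why the "what's the point" slide lists the TYPO3 encryption key among the secrets to replace after a compromise.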
Remote Code Execution #2
similar attack using FileCookieJar

Remote Code Execution #2
output of injected & executed /typo3/hack.php
Okay, but what’s the point?!
▪ When being hacked, update ALL sensitive information
  ▪ backend user passwords
  ▪ frontend user passwords
  ▪ database credentials
  ▪ TYPO3 encryption key
  ▪ private/public key files
  ▪ …
“Flexibility” #1
thanks to insecure TypoScript (Cross-Site Scripting & SQL Injection)
GET/POST data in TypoScript - insertData injection

… retrieving arbitrary values from database …
Flexibility #1 - using TypoScript
▪ http://…/?name=Oliver
▪ http://…/?name=<script>alert('XSS')</script>
▪ http://…/?name={db:be_users:1:password}
▪ http://…/?name={file:1:contents}
▪ http://…/?name={getenv:PATH}
▪ …
▪ https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/DataTypes/Index.html
▪ TypoScript is powerful…
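The slides above show the pattern: request data is pulled into a content object with `data = GP:name` and then run through `insertData`, so `{db:...}`, `{file:...}` and `{getenv:...}` markers inside the user-supplied value are expanded by TYPO3 itself. As an added example (not from the slides or TYPO3's TypoScript parser), the PHP below is a deliberately small, line-based scan that flattens TypoScript text and reports content objects that feed `GP:` data into `insertData` or output it without `htmlSpecialChars`. It is run against two constructed fragments: the weak configuration from the talk and a hardened variant. The helper names are mine; the scan understands only `key = value`, dotted keys, `{ }` nesting and `#`/`//` comments.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's parser): detect TypoScript that applies insertData to
// request data, the insertData injection shown in the slides, and user data that is
// output without HTML encoding. Line-based approximation, sufficient for a CI lint.

/** Flatten TypoScript into ['lib.greeting.data' => 'GP:name', ...]. */
function flattenTypoScript(string $ts): array
{
    $stack = [];
    $flat = [];
    foreach (preg_split('/\R/', $ts) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || str_starts_with($line, '//')) {
            continue;
        }
        if ($line === '}') {
            array_pop($stack);
            continue;
        }
        if (preg_match('/^([\w.]+)\s*\{$/', $line, $m)) {
            $stack[] = $m[1];           // open a nested block
            continue;
        }
        if (preg_match('/^([\w.]+)\s*=\s*(.*)$/', $line, $m)) {
            $path = implode('.', [...$stack, $m[1]]);
            $flat[$path] = trim($m[2]);
        }
    }
    return $flat;
}

/** Report content objects that take GP: data and process it unsafely. */
function auditTypoScript(string $ts): array
{
    $flat = flattenTypoScript($ts);
    $findings = [];
    foreach ($flat as $path => $value) {
        if (!str_ends_with($path, '.data') || !str_starts_with($value, 'GP:')) {
            continue;
        }
        $object = substr($path, 0, -strlen('.data'));
        if (($flat["$object.insertData"] ?? '0') === '1') {
            $findings[] = "$object: request data '$value' is passed through insertData";
        }
        if (($flat["$object.htmlSpecialChars"] ?? '0') !== '1') {
            $findings[] = "$object: request data '$value' is output without htmlSpecialChars";
        }
    }
    return $findings;
}

// Constructed fragments. First the weak pattern from the talk, then the hardened form:
// no insertData on user-controlled content, HTML encoding before output.
$weak = <<<'TS'
lib.greeting = TEXT
lib.greeting {
  data = GP:name
  insertData = 1
  wrap = Hello, |!
}
TS;

$hardened = <<<'TS'
lib.greeting = TEXT
lib.greeting {
  data = GP:name
  htmlSpecialChars = 1
  noTrimWrap = |Hello, |!|
}
TS;

print_r(auditTypoScript($weak));
print_r(auditTypoScript($hardened));
```

The first call reports both findings for `lib.greeting`, the second none. The hardened fragment relies on stdWrap ordering: `htmlSpecialChars` encodes the request value, and the wrap that follows adds only static text, so nothing user-controlled reaches `insertData`.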
“Flexibility” #2
thanks to TypoScript for non-admins (Remote Code Execution)
Flexibility #2 - using TypoScript/TSconfig
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-019/
▪ Remote Code Execution using Page TSconfig
▪ access to pages.TSconfig needs to be granted explicitly
▪ addressed on June 25th, 2019
Page TSconfig assignments for pages

Page TSconfig supports conditions as well…
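The advisory's precondition, stated on the slide above, is that a non-admin editor must have been granted access to the `pages.TSconfig` field explicitly. The defensive question is therefore which non-admin users actually hold that grant, including through nested groups. As an added example (not from the slides or TYPO3), the PHP below performs that audit over constructed rows shaped like the `be_users` and `be_groups` tables: field access is assumed to be granted via the `non_exclude_fields` column as a `table:field` token, and group membership to be transitive through `be_groups.subgroup`. Both assumptions follow the TYPO3 schema as I understand it; the rows themselves are sample data.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): list non-admin backend users who can edit
// pages.TSconfig. Group resolution follows be_users.usergroup -> be_groups.subgroup
// transitively, with cycle protection. Column names assumed from the TYPO3 schema.

const SENSITIVE_FIELD = 'pages:TSconfig';

/** Parse a TYPO3 comma list of uids ("1,3,") into ints, dropping blanks. */
function uidList(string $list): array
{
    return array_values(array_filter(array_map('intval', explode(',', $list))));
}

/** Resolve a user's direct groups plus all nested subgroups to a list of group uids. */
function resolveGroupIds(string $usergroupList, array $groupsByUid): array
{
    $queue = uidList($usergroupList);
    $seen = [];
    while ($queue) {
        $uid = array_shift($queue);
        if (isset($seen[$uid]) || !isset($groupsByUid[$uid])) {
            continue; // already visited, or dangling reference
        }
        $seen[$uid] = true;
        foreach (uidList($groupsByUid[$uid]['subgroup']) as $sub) {
            $queue[] = $sub;
        }
    }
    return array_keys($seen);
}

/** Which of the given groups grant the sensitive field? Returns their uids. */
function grantingGroups(array $groupIds, array $groupsByUid): array
{
    $granting = [];
    foreach ($groupIds as $uid) {
        $fields = array_map('trim', explode(',', $groupsByUid[$uid]['non_exclude_fields']));
        if (in_array(SENSITIVE_FIELD, $fields, true)) {
            $granting[] = $uid;
        }
    }
    return $granting;
}

/** Non-admin, non-deleted users with TSconfig access: ['username' => [group uids]]. */
function auditTsconfigAccess(array $users, array $groups): array
{
    $groupsByUid = array_column($groups, null, 'uid');
    $report = [];
    foreach ($users as $user) {
        if ($user['admin'] === 1 || $user['deleted'] === 1) {
            continue; // admins have every field anyway; deleted users cannot log in
        }
        $granting = grantingGroups(resolveGroupIds($user['usergroup'], $groupsByUid), $groupsByUid);
        if ($granting) {
            $report[$user['username']] = $granting;
        }
    }
    return $report;
}

// Constructed sample rows (subsets of be_groups and be_users).
$groups = [
    ['uid' => 1, 'title' => 'editors',       'subgroup' => '',  'non_exclude_fields' => 'pages:title,tt_content:bodytext'],
    ['uid' => 2, 'title' => 'site-builders', 'subgroup' => '1', 'non_exclude_fields' => 'pages:TSconfig,pages:title'],
    ['uid' => 3, 'title' => 'agency',        'subgroup' => '2', 'non_exclude_fields' => ''],
];
$users = [
    ['uid' => 1, 'username' => 'admin',       'admin' => 1, 'deleted' => 0, 'usergroup' => ''],
    ['uid' => 2, 'username' => 'editor',      'admin' => 0, 'deleted' => 0, 'usergroup' => '1'],
    ['uid' => 3, 'username' => 'agency_user', 'admin' => 0, 'deleted' => 0, 'usergroup' => '3'],
];

print_r(auditTsconfigAccess($users, $groups));
```

In the sample, `agency_user` is flagged through the nested `agency -> site-builders` chain even though the user's own group grants nothing, which is the case a flat query on `be_users.usergroup` would miss. Anyone listed should either lose the grant or be treated as having admin-equivalent power on an unpatched installation.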
TYPO3 Security Team
▪ TYPO3 Security Team needs YOU
▪ core, extension & infrastructure security
▪ GitHub, packagist.org - not only TER
▪ feedback, advise, educate
▪ analyse & hack (PoC)
▪ ask @ohader / oliver@typo3.org
▪ (security reports to security@typo3.org)

more?
join T3DD Security Workshop on Sunday Morning

qstns?

More Related Content

Similar to Hacking TYPO3 v9 (T3DD19 edition)

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & PitfallsT3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
Oliver Hader
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
DevOps.com
 
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
Chanaka Lasantha
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
44CON Hacking Enterprises
44CON Hacking Enterprises44CON Hacking Enterprises
44CON Hacking Enterprises
in.security Ltd.
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian
ITCamp
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
Tudor Damian
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.d
Antonio Parata
 
CCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
CCPA (California Consumer Privacy Act) Tips For Software Developers and ManagersCCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
CCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
Adam Sbeta
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
NSC42 Ltd
 
Software Security For DevOps And Continuous Deployment In The Cloud
Software Security For DevOps And Continuous Deployment In The CloudSoftware Security For DevOps And Continuous Deployment In The Cloud
Software Security For DevOps And Continuous Deployment In The Cloud
InterCon
 
1. Using the graphics below create a Microsoft Project..docx
1. Using the graphics below create a Microsoft Project..docx1. Using the graphics below create a Microsoft Project..docx
1. Using the graphics below create a Microsoft Project..docx
jeremylockett77
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
Nixu Corporation
 
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
Product School
 
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
REVULN
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & RansomwareDavid Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & Ransomware
CSNP
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
Security Bootcamp
 

Similar to Hacking TYPO3 v9 (T3DD19 edition) (20)

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & PitfallsT3DD23 Content Security Policy - Concept, Strategies & Pitfalls
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)CYBER SECURITY WORKSHOP (Only For Educational Purpose)
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
44CON Hacking Enterprises
44CON Hacking Enterprises44CON Hacking Enterprises
44CON Hacking Enterprises
 
2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian2016, A New Era of OS and Cloud Security - Tudor Damian
2016, A New Era of OS and Cloud Security - Tudor Damian
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
 
Jackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.dJackpot! sbancare un atm con ploutus.d
Jackpot! sbancare un atm con ploutus.d
 
CCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
CCPA (California Consumer Privacy Act) Tips For Software Developers and ManagersCCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
CCPA (California Consumer Privacy Act) Tips For Software Developers and Managers
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
Software Security For DevOps And Continuous Deployment In The Cloud
Software Security For DevOps And Continuous Deployment In The CloudSoftware Security For DevOps And Continuous Deployment In The Cloud
Software Security For DevOps And Continuous Deployment In The Cloud
 
1. Using the graphics below create a Microsoft Project..docx
1. Using the graphics below create a Microsoft Project..docx1. Using the graphics below create a Microsoft Project..docx
1. Using the graphics below create a Microsoft Project..docx
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...
 
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phis...
 
David Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & RansomwareDavid Klein - Defending Against Nation Sate Attackers & Ransomware
David Klein - Defending Against Nation Sate Attackers & Ransomware
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
 

More from Oliver Hader

TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
Oliver Hader
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
Oliver Hader
 
TYPO3 Event Sourcing
TYPO3 Event SourcingTYPO3 Event Sourcing
TYPO3 Event Sourcing
Oliver Hader
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Oliver Hader
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
Oliver Hader
 
Web Components
Web ComponentsWeb Components
Web Components
Oliver Hader
 
Web application security
Web application securityWeb application security
Web application security
Oliver Hader
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMS
Oliver Hader
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
Oliver Hader
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0Oliver Hader
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
Oliver Hader
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
Oliver Hader
 

More from Oliver Hader (12)

TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
 
TYPO3 Event Sourcing
TYPO3 Event SourcingTYPO3 Event Sourcing
TYPO3 Event Sourcing
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSWebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
 
Web Components
Web ComponentsWeb Components
Web Components
 
Web application security
Web application securityWeb application security
Web application security
 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMS
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
 

Recently uploaded

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 

Recently uploaded (20)

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
TrustArc Webinar - 2024 Global Privacy Survey

Hacking TYPO3 v9 (T3DD19 edition)

  • 12. Hacking Playground: https://github.com/ohader/typo3v9-hack
  • 13. Session Hi-Jacking thanks to Cross-Site Scripting
  • 14. Session Hi-Jacking - insecure cookie ▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/ ▪ Install Tool Cookie did not have HttpOnly flag ▪ addressed on December 11th, 2018
  • 15. Insecure Install Tool Cookie (HttpOnly flag missing)
  • 16. … cookies can be read by (any) JavaScript …
  • 17. Session Hi-Jacking - cross-site scripting ▪ https://typo3.org/security/advisory/typo3-core-sa-2018-006/ ▪ file.youtube or file.vimeo vulnerable to cross-site scripting ▪ addressed on December 11th, 2018
  • 18. Session Hi-Jacking - cross-site scripting & insecure cookie: Asset.youtube file & JavaScript to be executed
  • 19. Insecure Deserialization - Basics: … social engineering - somebody must click the file …
  • 20. Insecure Deserialization - Basics: strange result & XSS exploitation in background
  • 21. Session Hi-Jacking - cross-site scripting & insecure cookie: view of attacker - retrieving session cookie
  • 22. Remote Code Execution #1 thanks to Insecure Deserialization
  • 23. Insecure Deserialization - Basics: __destruct() or __wakeup() methods are executed on deserialization
  • 24. Insecure Deserialization - Basics: user submitted payload to be deserialized
  • 25. Remote Code Execution #1 ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/ ▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/ ▪ overrideVals[<table>][l10n_diffsource]=<serialized payload> ▪ addressed on June 25th, 2019
  • 26. Insecure Deserialization - Basics: __destruct() saves content to filesystem
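The mechanism behind slides 23 to 26, as an added example that is not part of the slides or of TYPO3: a plain `unserialize()` on user-supplied data instantiates whatever class the payload names, so that class's `__destruct()` runs; restricting `allowed_classes` stops that. The class name, the payload string and the property value are constructed for this example.

```php
<?php
// Added example, not from the slides: plain unserialize() on user-supplied
// data instantiates whatever class the payload names, so __destruct() or
// __wakeup() of that class runs. allowed_classes => false prevents that.

// Stand-in for a class whose destructor has a side effect (the slides' real
// case writes to the filesystem). This one only appends to an in-memory log.
final class SideEffectOnDestruct
{
    public static $log = [];
    public $target = '';

    public function __destruct()
    {
        // a real gadget would do its file write here
        self::$log[] = 'destructor ran, target=' . $this->target;
    }
}

// Constructed "attacker-controlled" payload: a serialized object of the class
// above with a controlled property, as it would arrive in a request parameter.
$payload = 'O:20:"SideEffectOnDestruct":1:{s:6:"target";s:17:"constructed-value";}';

// Vulnerable: the default unserialize() creates a real object and its
// destructor fires as soon as the object goes out of scope.
function vulnerableDecode(string $data): void
{
    $obj = unserialize($data);
    unset($obj); // __destruct() runs here
}

// Hardened: every object in the payload becomes __PHP_Incomplete_Class,
// which carries the data but has no magic methods to execute.
function hardenedDecode(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

vulnerableDecode($payload);
var_dump(SideEffectOnDestruct::$log);  // the destructor has appended an entry

SideEffectOnDestruct::$log = [];
$obj = hardenedDecode($payload);
var_dump(get_class($obj));             // the placeholder class, not the gadget
unset($obj);
var_dump(SideEffectOnDestruct::$log);  // no entry: nothing was executed

// For data coming from the client, json_decode() is the safer format choice:
// it can never instantiate application classes at all.
```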
  • 27. Remote Code Execution #1: making use of FileCookieJar as attack container
  • 28. Remote Code Execution #1: prepare attack against TYPO3 backend
  • 29. Remote Code Execution #1: actual attack payload that shall be executed
  • 30. Remote Code Execution #1: XSRF token needs to be known (valid backend user required)
  • 31. Remote Code Execution #1: output of injected & executed /typo3/hack.php
  • 32. Remote Code Execution #1: … new admin user h4ck3r31 …
  • 33. Remote Code Execution #2 thanks to Information Disclosure & Insecure Deserialization
  • 34. typo3conf/LocalConfiguration.php.old
  • 35. typo3conf/LocalConfiguration.php.old backup file
  • 36. … what else can we find here? (standard configuration)
  • 37. encryptionKey
  • 38. Extbase __trustedProperties deserialization
  • 39. HMAC signing of __trustedProperties - based on encryptionKey
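How a secret-keyed HMAC protects a serialized value like `__trustedProperties`, and why a leaked `encryptionKey` (slides 34 to 39) has to be rotated (slide 42), as an added example that is not TYPO3's own code. It assumes HMAC-SHA256 with a `.` separator; TYPO3's real scheme differs in detail, and the key values are constructed.

```php
<?php
// Added example, not TYPO3's own code: an HMAC tied to a server-side secret
// lets the server trust a value it handed to the client earlier. Anyone who
// holds the secret can sign anything, which is the whole problem once a
// backup file has leaked it.
// Assumptions: HMAC-SHA256, "." as separator (TYPO3's scheme differs).

function signValue(string $serialized, string $encryptionKey): string
{
    return $serialized . '.' . hash_hmac('sha256', $serialized, $encryptionKey);
}

// Returns the decoded value, or null when the signature does not match.
// hash_equals() compares in constant time, and the check happens BEFORE
// unserialize(), so a tampered payload never reaches the deserializer.
function verifyAndDecode(string $signed, string $encryptionKey)
{
    $pos = strrpos($signed, '.');          // the hex MAC contains no "."
    if ($pos === false) {
        return null;
    }
    $serialized = substr($signed, 0, $pos);
    $given = substr($signed, $pos + 1);
    $expected = hash_hmac('sha256', $serialized, $encryptionKey);
    if (!hash_equals($expected, $given)) {
        return null;
    }
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed values; a real encryptionKey is a long random string.
$key = 'constructed-encryption-key-do-not-reuse';
$trusted = ['name' => 'Oliver', 'role' => 'editor'];
$signed = signValue(serialize($trusted), $key);

// Untouched value with the right key: accepted and equal to $trusted.
var_dump(verifyAndDecode($signed, $key) === $trusted);

// Payload edited without the key: signature mismatch, rejected as null.
$tampered = str_replace('Oliver', 'Mallory', $signed);
var_dump(verifyAndDecode($tampered, $key));

// After an incident the key is rotated. Every signature issued under the old
// key, including ones an attacker forged with it, is rejected from now on.
$rotatedKey = 'constructed-new-key-after-incident';
var_dump(verifyAndDecode($signed, $rotatedKey));
```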
  • 40. Remote Code Execution #2: similar attack using FileCookieJar
  • 41. Remote Code Execution #2: output of injected & executed /typo3/hack.php
  • 42. Okay, but what’s the point?! ▪ When being hacked, update ALL sensitive information ▪ backend user passwords ▪ frontend user passwords ▪ database credentials ▪ TYPO3 encryption key ▪ private/public key files ▪ …
  • 43. “Flexibility” #1 thanks to insecure TypoScript (Cross-Site Scripting & SQL Injection)
  • 44. GET/POST data in TypoScript - insertData injection
  • 45. … retrieving arbitrary values from database …
  • 46. Flexibility #1 - using TypoScript ▪ http://…/?name=Oliver ▪ http://…/?name=<script>alert('XSS')</script> ▪ http://…/?name={db:be_users:1:password} ▪ http://…/?name={file:1:contents} ▪ http://…/?name={getenv:PATH} ▪ … ▪ https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/DataTypes/Index.html ▪ TypoScript is powerful…
  • 47. “Flexibility” #2 thanks to TypoScript for non-admins (Remote Code Execution)
  • 48. Flexibility #2 - using TypoScript/TSconfig ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-019/ ▪ Remote Code Execution using Page TSconfig ▪ access to pages.TSconfig needs to be granted explicitly ▪ addressed on June 25th, 2019
  • 49. Page TSconfig assignments for pages
  • 50. Page TSconfig supports conditions as well…
  • 51. TYPO3 Security Team ▪ TYPO3 Security Team needs YOU ▪ core, extension & infrastructure security ▪ GitHub, packagist.org - not only TER ▪ feedback, advise, educate ▪ analyse & hack (PoC) ▪ ask @ohader / oliver@typo3.org ▪ (security reports to security@typo3.org)
  • 52. more? join T3DD Security Workshop on Sunday Morning