Web Application Security Workshop (T3DD19)

Web Application
Security Workshop
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 4th, 2019

TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2
▪Research & Development
▪Security Team Lead
▪50% TYPO3 GmbH
▪50% freelance software engineer
▪#hof #cycling #paramedic #in.die.musik
~# whoami
Oliver Hader
@ohader

▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Disclaimer

TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Agenda
4
▪ Attack technique basics (XSS, SQLi, deserialization)
▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi)
▪ Phar Stream Vulnerability & Wrapper
▪ CVSSv3 vulnerability scoring
▪ TYPO3 Security Team
▪ Capture the Flag
Agenda
⏳

What is your agenda?
Do you have questions?
5TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org

Web Application
Security Basics
6

Web Application Security
7
▪ CIA/compliance triad
▪ confidentiality
▪ private, personal, sensitive information
▪ integrity
▪ manipulation of information (“fake news”)
▪ availability
▪ denial of service
▪ online bank account
▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/

Hacking Playground
CONFIDENTIALITY - unauthorised access to information

Hacking Playground
INTEGRITY - e.g. manipulated information

Hacking Playground
AVAILABILITY - information/service not available

Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
TYPO3 core TYPO3 3rd party extensionsPHP world
TYPO3vulnerabilitiesinpast5years

attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Hacking
Playground 
https://github.com/
ohader/typo3v9-
hack/

Techniques,
Mitigation, Tools
14

Cross-Site
Scripting

Cross-Site Scripting - basics
“classic” XSS

XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

“classic” XSS mitigation
✔

XSS with Fluid - f:format.html relies on TypoScript being available

ViewHelper without any escaping == potentially vulnerable to XSS

http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316

XSS exploitation

Browser Exploitation Framework in action

SQL injection

SQL injection basics
“classic” SQL injection - query

27
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true
▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false
▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time
▪ comment literals (MySQL)
▪ --
▪ #
▪ /* data */

28
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT uid,pid,header WHERE uid=10  
UNION SELECT username,password,3  
FROM be_users WHERE SUBSTR(username, 1, 1) = ‘a’  
LIMIT 1,1  
-- AND pid>0;
▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = ‘d’ …
▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = ‘m’ …
▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = ‘i’ …
▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = ’n’ …

SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;

SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;

(prepared statement)
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1;
✔

… WHERE `header` LIKE ‘%a%_%b%';

… WHERE `header` LIKE ‘%a%_%b%’;
✔

SQLmap

http://typo3v9-hack.ddev.site/?eID=comments&search=term

▪ ddev ssh -s sqlmap
▪ bash # suggested
▪ git checkout master
▪ git pull

▪ ./sqlmap -u '<uri>' ––risk 3 ––level 3 ––banner
▪ regular call
▪ ./sqlmap -u 'http://typo3v9-hack.ddev.site/?
eID=comments&search=typo3*' ––risk 3 ––level 3 ––banner
▪ inside ddev container
▪ ./sqlmap -u 'http://web/?eID=comments&search=typo3*' ––risk 3
––level 3 ––sql-shell # marker* in GET parameters
▪ ./sqlmap -u 'http://web/?eID=comments' ––data
'&search=typo3*' ––risk 3 ––level 3 ––sql-shell # marker* in POST

SQLmap

meanwhile in /var/log/nginx/access.log

possible SQL injection attack payload

remote SQL shell via SQL injection

“stacked queries” not allowed in PHP/PDO - SELECT …; INSERT …;

Insecure
Deserialization

Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization

user submitted payload to be deserialized

allowed_classes introduced with PHP 7.0 (Polyfill available)

Insecure Deserialization - TYPO3-CORE-SA-2019-020
47
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019

__destruct() saves content to filesystem

Remote Code Execution #1
making use of FileCookieJar as attack container

prepare attack against TYPO3 backend

actual attack payload that shall be executed

XSRF token needs to be know (valid backend user required)

output of injected & executed /typo3/hack.php

… new admin user h4ck3r31 …

Other™

Other™ random topics
56
▪ File Upload
▪ check/deny extensions (file deny pattern)
▪ check mime-types - image/png, text/html, …
▪ Extbase controller actions
▪ user/group access needs individual handling
▪ classic: logged in user can access profile data of others
▪ Directory Traversal
▪ zip bundle.zip ../malicious.php
▪ depends on how it is extracted

phar://…
57

https://packagist.org/packages/typo3/phar-stream-wrapper

▪ usually used like 
require_once('phar://bundle.phar/vendor/autoload.php'); 
$service = new BundleService();
▪ Phar archives are vulnerable to insecure deserialisation
▪ all Phar archives in every PHP version (since 5.3)
▪ using “phar://“ stream wrapper is required here
▪ however, applies to regular file calls as well
▪ is_file(), file_exists(), fopen(), file_get_contents(), …
▪ is_file($_GET[‘fileName’]) // … user submitted data

demo web application

file does exist - correct

result of implicit insecure deserialization

Hybrid - Valid PNG file & Valid Phar archive

building hybrid Phar archive

PharStreamWrapper in TYPO3 core

▪ TYPO3CMSCoreIOPharStreamWrapperInterceptor
▪ TYPO3 core - Phar only in typo3conf/ext/ directories
▪ TYPO3PharStreamWrapper…PharExtensionInterceptor
▪ Phar only with file extension “.phar”
▪ TYPO3PharStreamWrapper…PharMetaDataInterceptor
▪ Phar only without serialized objects in meta-data

Vulnerability
Reporting
CVSSv3, Mitre & Co.
67

How to report?

How to report a security vulnerability?
69
▪ always report via mail to security@typo3.org (Security Team)
▪ don’t post potential attacks to Forge, Twitter, … (public media)
▪ inform security team in case vulnerabilities are leaked
▪ please be patient & wait for feedback
▪ approx first response time is ~8 hours

Responsible Disclosure Workflow
70
▪ report vulnerability to vendor (here: security team)
▪ wait for feedback, questions or confirmation of this issue
▪ ask for status updates in case there is no activity
▪ declare deadline for full disclosure (e.g. 90 days)
▪ in case vendor does not take actions - public disclosure
▪ vendors (should) have interest to release security bulletins
▪ hiding vulnerability caused feeling of false security

Responsible Disclosure Workflow
https://blog.ripstech.com/2019/typo3-overriding-the-database/

How to read
reports?

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CVSSv3 example #1
76
▪ CVE-2013-1937
▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on
the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before
version 3.5.8. These allow remote attackers to inject arbitrary
JavaScript or HTML via the (1) visualizationSettings[width] or (2)
visualizationSettings[height] parameters.”

CVSSv3 example #1

CVSSv3 example #2
78
▪ CVE-2016-1645
▪ Google Chrome PDFium JPEG 2000 Remote Code Execution
Vulnerability
▪ “Allows remote attackers to execute arbitrary code on vulnerable
installations of Google Chrome. User interaction is required to
exploit this vulnerability in that the victim must visit a malicious
page or open a malicious file. Flaw exists within the handling of
JPEG 2000 images. Specially crafted JPEG 2000 image embedded
inside a PDF can force Google Chrome to write memory past the
end of an allocated object. Attacker can leverage this vulnerability
to execute arbitrary code under the context of the current process.”

CVSSv3 example #2

https://typo3.org/security/advisory/typo3-psa-2019-007/

https://nvd.nist.gov/vuln/detail/CVE-2019-11831

TYPO3
Security Team
84

▪ triage and answer reports
▪ communicate with reporters (individuals, pen-testers)
▪ forward information to maintainers (core, extension author, …)
▪ frankly remind people in case activity is kind of low
▪ coordinate releases & release dates
▪ compile information into security bulletins / announcements
▪ educate & raise awareness in teams & community

Capture the
Flag
86

https://www.root-me.org/en/Challenges/Web-Server/

https://ctf.hacker101.com/ctf

▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-
injection-Error # might work with SQLmap
▪ https://ctf.hacker101.com/ctf/launch/7 # check public API

References
90
▪ Running an SQL Injection Attack: // “Computerphile“, nice series 
https://www.youtube.com/watch?v=ciNHn38EyRc
▪ WordPress WPDB SQL Injection: // nice, on “custom” escaping 
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-
sql-injection-technical.html
▪ CVSSv3 Examples: 
https://www.first.org/cvss/v3.0/examples

Web Application Security Workshop (T3DD19)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Web Application Security Workshop (T3DD19)

Similar to Web Application Security Workshop (T3DD19) (20)

More from Oliver Hader

More from Oliver Hader (15)

Recently uploaded

Recently uploaded (20)

Web Application Security Workshop (T3DD19)