Web Application Security Workshop
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 4th, 2019
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ Security Team Lead
▪ 50% TYPO3 GmbH
▪ 50% freelance software engineer
▪ #hof #cycling #paramedic #in.die.musik
Disclaimer
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Agenda
▪ Attack technique basics (XSS, SQLi, deserialization)
▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi)
▪ Phar Stream Vulnerability & Wrapper
▪ CVSSv3 vulnerability scoring
▪ TYPO3 Security Team
▪ Capture the Flag
Agenda ⏳
What is your agenda?
Do you have questions?
TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
Web Application Security Basics
Web Application Security
▪ CIA/compliance triad
  ▪ confidentiality
    ▪ private, personal, sensitive information
  ▪ integrity
    ▪ manipulation of information (“fake news”)
  ▪ availability
    ▪ denial of service
    ▪ online bank account
    ▪ blocking information flow
https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
Hacking Playground
CONFIDENTIALITY - unauthorised access to information
INTEGRITY - e.g. manipulated information
AVAILABILITY - information/service not available
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
[Chart: TYPO3 vulnerabilities in the past 5 years, by origin: TYPO3 core, TYPO3 3rd party extensions, PHP world]
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Hacking Playground
https://github.com/ohader/typo3v9-hack/
Techniques, Mitigation, Tools
Cross-Site Scripting
Cross-Site Scripting - basics
“classic” XSS
XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
“classic” XSS mitigation ✔
XSS with Fluid - f:format.html relies on TypoScript being available
ViewHelper without any escaping == potentially vulnerable to XSS
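As an added example (not code from the slides or from TYPO3): a Fluid ViewHelper that switches Fluid's automatic output escaping off and returns its argument verbatim, beside the corrected version. It assumes TYPO3 v9's Fluid AbstractViewHelper API; the Vendor\Example namespace and the badge helper are made up for illustration.

```php
<?php
// Added example (not from the slides, not TYPO3 code): a Fluid ViewHelper that turns
// Fluid's automatic output escaping off and echoes its argument verbatim, beside the
// corrected version. Assumes TYPO3 v9's Fluid AbstractViewHelper; namespace and
// helper name are made up.
declare(strict_types=1);

namespace Vendor\Example\ViewHelpers;

use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractViewHelper;

/**
 * Usage in a template: <e:badge text="{comment.author}" />
 *
 * VULNERABLE: $escapeOutput = false tells Fluid not to escape the return value,
 * so an author name such as <script>...</script> reaches the browser untouched.
 */
final class BadgeViewHelper extends AbstractViewHelper
{
    protected $escapeOutput = false;

    public function initializeArguments()
    {
        $this->registerArgument('text', 'string', 'Label shown inside the badge', true);
    }

    public function render(): string
    {
        return '<span class="badge">' . $this->arguments['text'] . '</span>';
    }
}

/**
 * Corrected: the helper still has to emit its own markup (hence $escapeOutput = false),
 * so every dynamic value is escaped explicitly before it is concatenated into HTML.
 */
final class SafeBadgeViewHelper extends AbstractViewHelper
{
    protected $escapeOutput = false;

    public function initializeArguments()
    {
        $this->registerArgument('text', 'string', 'Label shown inside the badge', true);
    }

    public function render(): string
    {
        $text = htmlspecialchars((string)$this->arguments['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<span class="badge">' . $text . '</span>';
    }
}
```

Leaving $escapeOutput at its default of true and returning only the text would be simpler still; the flag belongs only in helpers that produce markup themselves, and then every interpolated value needs the htmlspecialchars() call.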
http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
XSS exploitation
Browser Exploitation Framework in action
SQL injection
SQL injection basics
“classic” SQL injection - query
SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true
▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false
▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time
▪ comment literals (MySQL)
  ▪ --
  ▪ #
  ▪ /* data */
SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT uid,pid,header … WHERE uid=10 UNION SELECT username,password,3 FROM be_users WHERE SUBSTR(username, 1, 1) = 'a' LIMIT 1,1 -- AND pid>0;
▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = 'd' …
▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = 'm' …
▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = 'i' …
▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = 'n' …
SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
(prepared statement) SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1; ✔
… WHERE `header` LIKE '%a%_%b%';
… WHERE `header` LIKE '%a%_%b%'; ✔
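As an added example (not from the slides and not TYPO3's QueryBuilder code): the three WHERE cases above reproduced on the PDO layer that Doctrine DBAL and TYPO3's QueryBuilder sit on, with an in-memory SQLite table so it runs without TYPO3. The table contents are constructed; the escapeLikeWildcards() helper mirrors the idea of TYPO3's method of the same name but is this example's own code.

```php
<?php
// Added example (not from the slides): string concatenation vs. a bound :dcValue1
// parameter, and LIKE with unescaped vs. escaped wildcards, on PDO + SQLite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, pid INTEGER, header TEXT)');
$insert = $pdo->prepare('INSERT INTO tt_content (uid, pid, header) VALUES (:uid, :pid, :header)');
// constructed rows: headers chosen so that % and _ in a search term matter
foreach ([[10, 'Welcome'], [11, 'a%b'], [12, 'axb'], [13, 'a_b'], [14, 'ab']] as [$uid, $header]) {
    $insert->execute(['uid' => $uid, 'pid' => 1, 'header' => $header]);
}

/** Same idea as TYPO3's QueryBuilder::escapeLikeWildcards(): make % and _ literal. */
function escapeLikeWildcards(string $value): string
{
    return addcslashes($value, '%_');
}

function findByUidConcatenated(PDO $pdo, string $userInput): array
{
    // VULNERABLE (slide "uid = TEST"): the raw input becomes part of the SQL text
    $sql = 'SELECT uid, header FROM tt_content WHERE uid = ' . $userInput;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findByUidPrepared(PDO $pdo, string $userInput): array
{
    // hardened (slide ":dcValue1"): cast + bind, the value can never alter the query structure
    $stmt = $pdo->prepare('SELECT uid, header FROM tt_content WHERE uid = :dcValue1');
    $stmt->bindValue('dcValue1', (int)$userInput, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function searchHeaderUnescaped(PDO $pdo, string $term): array
{
    // still a prepared statement, but % and _ inside $term act as wildcards
    $stmt = $pdo->prepare('SELECT uid, header FROM tt_content WHERE header LIKE :dcValue1');
    $stmt->execute(['dcValue1' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

function searchHeaderEscaped(PDO $pdo, string $term): array
{
    // escaped wildcards; SQLite needs an explicit ESCAPE clause, MySQL defaults to backslash
    $stmt = $pdo->prepare("SELECT uid, header FROM tt_content WHERE header LIKE :dcValue1 ESCAPE '\\'");
    $stmt->execute(['dcValue1' => '%' . escapeLikeWildcards($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

printf("concatenated, input '0 OR 1=1': %d rows\n", count(findByUidConcatenated($pdo, '0 OR 1=1')));
printf("prepared,     input '0 OR 1=1': %d rows\n", count(findByUidPrepared($pdo, '0 OR 1=1')));
printf("LIKE unescaped 'a%%b': %s\n", implode(', ', searchHeaderUnescaped($pdo, 'a%b')));
printf("LIKE escaped   'a%%b': %s\n", implode(', ', searchHeaderEscaped($pdo, 'a%b')));
```

The concatenated query returns every row, the bound one none; the unescaped LIKE matches a%b, axb, a_b and ab, the escaped one only the literal a%b.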
SQLmap
http://typo3v9-hack.ddev.site/?eID=comments&search=term
▪ ddev ssh -s sqlmap
▪ bash # suggested
▪ git checkout master
▪ git pull
▪ ./sqlmap -u '<uri>' --risk 3 --level 3 --banner
  ▪ regular call
    ./sqlmap -u 'http://typo3v9-hack.ddev.site/?eID=comments&search=typo3*' --risk 3 --level 3 --banner
  ▪ inside ddev container
    ./sqlmap -u 'http://web/?eID=comments&search=typo3*' --risk 3 --level 3 --sql-shell # the * marker in GET parameters
    ./sqlmap -u 'http://web/?eID=comments' --data '&search=typo3*' --risk 3 --level 3 --sql-shell # the * marker in POST data
SQLmap
meanwhile in /var/log/nginx/access.log
possible SQL injection attack payload
remote SQL shell via SQL injection
“stacked queries” not allowed in PHP/PDO - SELECT …; INSERT …;
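As an added example (not from the slides): a small scanner for nginx access-log lines that flags the probe patterns from the SQL injection basics slides (AND 1=1, SLEEP(), UNION SELECT, SUBSTR() character guessing, MySQL comment literals). The log lines are constructed samples in the shape an sqlmap run against the playground's ?eID=comments&search= endpoint leaves behind; the User-Agent values are made up.

```php
<?php
// Added example (not from the slides): flag access-log requests that carry the SQL
// injection probes shown on the "SQL injection basics" slides. The log lines are
// constructed samples in nginx's default "combined" format.
declare(strict_types=1);

const SAMPLE_ACCESS_LOG = <<<'LOG'
172.18.0.1 - - [04/Aug/2019:10:15:01 +0000] "GET /?eID=comments&search=typo3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.18.0.1 - - [04/Aug/2019:10:15:07 +0000] "GET /?eID=comments&search=typo3%27%20AND%201%3D1%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.3.8"
172.18.0.1 - - [04/Aug/2019:10:15:08 +0000] "GET /?eID=comments&search=typo3%27%20AND%20SLEEP%2810%29%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.3.8"
172.18.0.1 - - [04/Aug/2019:10:15:09 +0000] "GET /?eID=comments&search=typo3%27%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20be_users%20WHERE%20SUBSTR%28username%2C1%2C1%29%3D%27a%27%20LIMIT%201%2C1%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.3.8"
172.18.0.1 - - [04/Aug/2019:10:15:12 +0000] "GET /?eID=comments&search=50%25+off HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

/** Patterns applied to the URL-decoded, lower-cased query string. */
const SQLI_INDICATORS = [
    'boolean condition' => '/\b(?:and|or)\s+\d+\s*=\s*\d+\b/',   // AND 1=1 / AND 1=0
    'time-based probe'  => '/\b(?:sleep|benchmark)\s*\(/',        // AND SLEEP(10)
    'union select'      => '/\bunion\s+(?:all\s+)?select\b/',
    'char extraction'   => '/\b(?:substr|substring|mid)\s*\(/',   // SUBSTR(username, n, 1)
    'comment literal'   => '/(?:--\s|#|\/\*)/',                   // MySQL comment literals
];

/** Returns the request target ("/path?query") of a combined-format line, or null. */
function parseRequestTarget(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(\S+)\s+HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    return $m[1];
}

/** Names of the indicator patterns that match the decoded query string. */
function sqliIndicators(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    // decode twice: clients encode once, but double-encoded probes are common
    $decoded = strtolower(urldecode(urldecode($query)));
    $hits = [];
    foreach (SQLI_INDICATORS as $label => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** One finding per suspicious line: line number, request target and matched indicators. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        $target = parseRequestTarget($line);
        if ($target === null) {
            continue;
        }
        $hits = sqliIndicators($target);
        // a lone comment literal (a "#" in a search term) is too weak on its own
        if (array_diff($hits, ['comment literal']) !== []) {
            $findings[] = ['line' => $index + 1, 'target' => $target, 'indicators' => $hits];
        }
    }
    return $findings;
}

foreach (scanAccessLog(SAMPLE_ACCESS_LOG) as $finding) {
    printf("line %d: %s\n    %s\n", $finding['line'], implode(', ', $finding['indicators']), $finding['target']);
}
```

Lines 2 to 4 of the sample are reported; the plain search and the harmless "50% off" term are not.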
Insecure Deserialization
Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization
user submitted payload to be deserialized
allowed_classes introduced with PHP 7.0 (Polyfill available)
Insecure Deserialization - TYPO3-CORE-SA-2019-020
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
Insecure Deserialization - Basics
__destruct() saves content to filesystem
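As an added example (not from the slides): what allowed_classes changes. FileWriter is a constructed stand-in for a class whose __destruct() writes to the filesystem, the serialized string stands for a payload received from user input, and the two deserializer functions are compared side by side.

```php
<?php
// Added example (not from the slides): unserialize() with and without allowed_classes.
// FileWriter is a constructed stand-in for a gadget class; the payload is built as a
// string so that no real FileWriter instance exists before deserialization.
declare(strict_types=1);

final class FileWriter
{
    public $path;
    public $content;

    public function __destruct()
    {
        // side effect on object destruction: this is what makes such a class usable as a gadget
        file_put_contents($this->path, $this->content);
    }
}

/** Serialized FileWriter pointing at $target, i.e. the "user submitted payload". */
function untrustedPayload(string $target): string
{
    return sprintf(
        'O:10:"FileWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:23:"written by __destruct()";}',
        strlen($target),
        $target
    );
}

function deserializeUnsafe(string $data)
{
    // VULNERABLE: any class known to the application may be instantiated; its
    // __wakeup()/__destruct() run with whatever properties the payload dictates
    return unserialize($data);
}

function deserializeHardened(string $data)
{
    // allowed_classes => false (PHP >= 7.0): objects arrive as __PHP_Incomplete_Class,
    // so no magic method of FileWriter is ever invoked. For trusted DTOs use an allow-list
    // (['allowed_classes' => [SomeDto::class]]); for user input prefer json_decode().
    return unserialize($data, ['allowed_classes' => false]);
}

/** Runs one deserializer against the payload and reports whether the file appeared. */
function demonstrate(callable $deserializer, string $label): bool
{
    $target = tempnam(sys_get_temp_dir(), 'gadget');
    unlink($target);                       // start from a non-existing file
    $object = $deserializer(untrustedPayload($target));
    $class = get_class($object);
    unset($object);                        // __destruct() fires here if the real class was built
    $created = file_exists($target);
    printf("%-9s -> %-22s file created: %s\n", $label, $class, $created ? 'yes' : 'no');
    @unlink($target);
    return $created;
}

demonstrate('deserializeUnsafe', 'unsafe');      // FileWriter, file created: yes
demonstrate('deserializeHardened', 'hardened');  // __PHP_Incomplete_Class, file created: no
```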
Remote Code Execution #1
▪ making use of FileCookieJar as attack container
▪ prepare attack against TYPO3 backend
▪ actual attack payload that shall be executed
▪ XSRF token needs to be known (valid backend user required)
▪ output of injected & executed /typo3/hack.php
▪ … new admin user h4ck3r31 …
Other™ random topics
▪ File Upload
  ▪ check/deny extensions (file deny pattern)
  ▪ check mime-types - image/png, text/html, …
▪ Extbase controller actions
  ▪ user/group access needs individual handling
  ▪ classic: logged in user can access profile data of others
▪ Directory Traversal
  ▪ zip bundle.zip ../malicious.php
  ▪ depends on how it is extracted
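As an added example (not from the slides): the File Upload and Directory Traversal items above in code, a ZIP extraction routine that rejects entries escaping the target directory as well as server-side executable extensions. The archive is constructed in a temp directory so the script runs stand-alone (PHP's zip extension required); the deny pattern is a made-up subset, not TYPO3's fileDenyPattern.

```php
<?php
// Added example (not from the slides): safe ZIP extraction. A constructed archive with
// a "../malicious.php" entry is built in a temp directory and then extracted with
// per-entry checks. Requires ext-zip.
declare(strict_types=1);

/** Constructed deny pattern in the spirit of TYPO3's fileDenyPattern (not the real one). */
const DENY_PATTERN = '/\.(php\d*|phtml|phar|htaccess)$/i';

function isSafeEntryName(string $name): bool
{
    $normalized = str_replace('\\', '/', $name);
    if ($normalized === '' || $normalized[0] === '/' || preg_match('#^[A-Za-z]:#', $normalized) === 1) {
        return false;                                   // absolute path or drive letter
    }
    if (in_array('..', explode('/', $normalized), true)) {
        return false;                                   // any ".." segment can leave the target
    }
    return preg_match(DENY_PATTERN, $normalized) !== 1; // executable extension deny list
}

/** Extracts allowed entries below $targetDir and returns the names that were rejected. */
function extractZipSafely(string $zipPath, string $targetDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open ' . $zipPath);
    }
    $base = realpath($targetDir);
    if ($base === false) {
        throw new RuntimeException('target directory missing: ' . $targetDir);
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeEntryName($name)) {
            $rejected[] = $name;
            continue;
        }
        if (substr($name, -1) === '/') {
            continue;                                   // directory entry, created on demand below
        }
        $destination = $base . '/' . $name;
        $dir = dirname($destination);
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException('cannot create ' . $dir);
        }
        // second line of defence: the resolved parent must still lie below the target
        if (strpos(realpath($dir) . '/', $base . '/') !== 0) {
            $rejected[] = $name;
            continue;
        }
        file_put_contents($destination, $zip->getFromIndex($i));
    }
    $zip->close();
    return $rejected;
}

// constructed demo archive
$work = sys_get_temp_dir() . '/zipdemo_' . bin2hex(random_bytes(4));
mkdir($work . '/out', 0755, true);
$zip = new ZipArchive();
$zip->open($work . '/bundle.zip', ZipArchive::CREATE);
$zip->addFromString('readme.txt', "harmless sample\n");
$zip->addFromString('img/logo.png', 'constructed sample, not a real image');
$zip->addFromString('../malicious.php', 'constructed marker: must never be written');
$zip->addFromString('shell.phtml', 'constructed marker: must never be written');
$zip->close();

$rejected = extractZipSafely($work . '/bundle.zip', $work . '/out');
printf("rejected entries : %s\n", implode(', ', $rejected));                       // ../malicious.php, shell.phtml
printf("readme extracted : %s\n", is_file($work . '/out/readme.txt') ? 'yes' : 'no'); // yes
printf("traversal landed : %s\n", is_file($work . '/malicious.php') ? 'yes' : 'no'); // no
```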
phar://…
https://packagist.org/packages/typo3/phar-stream-wrapper
▪ usually used like
    require_once('phar://bundle.phar/vendor/autoload.php');
    $service = new BundleService();
▪ Phar archives are vulnerable to insecure deserialisation
  ▪ all Phar archives in every PHP version (since 5.3)
  ▪ using “phar://” stream wrapper is required here
  ▪ however, applies to regular file calls as well
    ▪ is_file(), file_exists(), fopen(), file_get_contents(), …
    ▪ is_file($_GET['fileName']) // … user submitted data
demo web application
file does exist - correct
result of implicit insecure deserialization
Hybrid - Valid PNG file & Valid Phar archive
building hybrid Phar archive
PharStreamWrapper in TYPO3 core
▪ TYPO3\CMS\Core\IO\PharStreamWrapperInterceptor
  ▪ TYPO3 core - Phar only in typo3conf/ext/ directories
▪ TYPO3\PharStreamWrapper\…\PharExtensionInterceptor
  ▪ Phar only with file extension “.phar”
▪ TYPO3\PharStreamWrapper\…\PharMetaDataInterceptor
  ▪ Phar only without serialized objects in meta-data
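As an added example (not from the slides and not the package's own code): wiring typo3/phar-stream-wrapper into a plain PHP application outside TYPO3, so that is_file($_GET['fileName']) and similar calls refuse phar:// paths that fail the two interceptors listed above. It assumes the package (v3) is installed via Composer; the class names and registration sequence follow the package README, and combining both interceptors through ConjunctionInterceptor is an assumption to check against the package.

```php
<?php
// Added example (not from the slides, not package code): register the PharStreamWrapper
// with the extension and meta-data interceptors and wrap a user-facing file check.
// Assumes: composer require typo3/phar-stream-wrapper (v3).
declare(strict_types=1);

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Exception as PharStreamWrapperException;
use TYPO3\PharStreamWrapper\Interceptor\ConjunctionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharMetaDataInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

require_once __DIR__ . '/vendor/autoload.php';

function registerPharStreamWrapper(): void
{
    // both assertions must pass: ".phar" extension AND no serialized objects in meta-data
    $behavior = (new Behavior())->withAssertion(new ConjunctionInterceptor([
        new PharExtensionInterceptor(),
        new PharMetaDataInterceptor(),
    ]));
    Manager::initialize($behavior);

    // replace PHP's built-in phar:// wrapper with the intercepting one
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', PharStreamWrapper::class);
    }
}

/** true if the file exists; a phar:// path rejected by the interceptors counts as absent. */
function safeIsFile(string $userSuppliedPath): bool
{
    try {
        return is_file($userSuppliedPath);
    } catch (PharStreamWrapperException $e) {
        // the wrapper throws instead of letting PHP deserialize the Phar meta-data
        error_log('rejected phar path: ' . $e->getMessage());
        return false;
    }
}

registerPharStreamWrapper();

// constructed sample inputs standing in for $_GET['fileName']
var_dump(safeIsFile(__FILE__));                               // true: regular file, untouched
var_dump(safeIsFile('phar://' . __DIR__ . '/image.png/x'));   // false: no ".phar" extension
```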
Vulnerability Reporting
CVSSv3, Mitre & Co.
How to report?
How to report a security vulnerability?
▪ always report via mail to security@typo3.org (Security Team)
▪ don’t post potential attacks to Forge, Twitter, … (public media)
▪ inform the security team in case vulnerabilities are leaked
▪ please be patient & wait for feedback
▪ approximate first response time is ~8 hours
Responsible Disclosure Workflow
▪ report vulnerability to vendor (here: security team)
▪ wait for feedback, questions or confirmation of the issue
▪ ask for status updates in case there is no activity
▪ declare a deadline for full disclosure (e.g. 90 days)
▪ in case the vendor does not take action: public disclosure
▪ vendors (should) have an interest in releasing security bulletins
▪ hiding vulnerabilities creates a false sense of security
https://blog.ripstech.com/2019/typo3-overriding-the-database/
How to read reports?
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVSSv3 example #1
▪ CVE-2013-1937
▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before version 3.5.8. These allow remote attackers to inject arbitrary JavaScript or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameters.”
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVSSv3 example #2
▪ CVE-2016-1645
▪ Google Chrome PDFium JPEG 2000 Remote Code Execution Vulnerability
▪ “Allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the victim must visit a malicious page or open a malicious file. Flaw exists within the handling of JPEG 2000 images. Specially crafted JPEG 2000 image embedded inside a PDF can force Google Chrome to write memory past the end of an allocated object. Attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.”
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
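As an added example (not from the slides): the CVSS v3 base score computed from a vector string, run on the two example CVEs. The vectors are the ones the FIRST CVSS v3.0 examples document (linked under References) gives for these CVEs, taken here as an assumption to check against that page; the weights and formula are the base-score formula of the CVSS v3.0/v3.1 specification, with the v3.1 Roundup definition to avoid floating-point artefacts.

```php
<?php
// Added example (not from the slides): CVSS v3 base score from a vector string.
// Weights and formula follow the CVSS v3.0/v3.1 base metrics; Roundup is the v3.1 definition.
declare(strict_types=1);

const CVSS3_WEIGHTS = [
    'AV' => ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2],
    'AC' => ['L' => 0.77, 'H' => 0.44],
    'UI' => ['N' => 0.85, 'R' => 0.62],
    'C'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'I'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'A'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
];

function weight(string $metric, string $value, bool $scopeChanged = false): float
{
    $table = CVSS3_WEIGHTS;
    // Privileges Required is the one metric whose weight depends on Scope
    $table['PR'] = ['N' => 0.85, 'L' => $scopeChanged ? 0.68 : 0.62, 'H' => $scopeChanged ? 0.5 : 0.27];
    if (!isset($table[$metric][$value])) {
        throw new InvalidArgumentException("unknown value {$metric}:{$value}");
    }
    return $table[$metric][$value];
}

/** CVSS v3.1 Roundup: smallest number with one decimal that is >= $x, done in integers. */
function roundUp1(float $x): float
{
    $int = (int)round($x * 100000);
    if ($int % 10000 === 0) {
        return $int / 100000;
    }
    return (floor($int / 10000) + 1) / 10;
}

/** Splits "CVSS:3.x/AV:N/AC:L/..." into ['AV' => 'N', 'AC' => 'L', ...]. */
function parseVector(string $vector): array
{
    if (preg_match('#^CVSS:3\.[01]/#', $vector) !== 1) {
        throw new InvalidArgumentException('not a CVSS v3 vector: ' . $vector);
    }
    $metrics = [];
    foreach (explode('/', substr($vector, strpos($vector, '/') + 1)) as $pair) {
        [$name, $value] = explode(':', $pair, 2);
        $metrics[$name] = $value;
    }
    foreach (['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'] as $required) {
        if (!isset($metrics[$required])) {
            throw new InvalidArgumentException('missing base metric ' . $required);
        }
    }
    return $metrics;
}

function baseScore(string $vector): float
{
    $m = parseVector($vector);
    $scopeChanged = $m['S'] === 'C';

    $iss = 1 - (1 - weight('C', $m['C'])) * (1 - weight('I', $m['I'])) * (1 - weight('A', $m['A']));
    $impact = $scopeChanged
        ? 7.52 * ($iss - 0.029) - 3.25 * (($iss - 0.02) ** 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * weight('AV', $m['AV']) * weight('AC', $m['AC'])
        * weight('PR', $m['PR'], $scopeChanged) * weight('UI', $m['UI']);

    if ($impact <= 0) {
        return 0.0;
    }
    $raw = $scopeChanged ? 1.08 * ($impact + $exploitability) : $impact + $exploitability;
    return roundUp1(min($raw, 10.0));
}

// vectors as assumed from the FIRST CVSS v3.0 examples document
$examples = [
    'CVE-2013-1937 (phpMyAdmin reflected XSS)' => 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N',
    'CVE-2016-1645 (Chrome PDFium RCE)'        => 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H',
];
foreach ($examples as $label => $vector) {
    printf("%-42s %s => %.1f\n", $label, $vector, baseScore($vector));  // 6.1 and 8.8
}
```

Scope changed is what lifts the XSS example: its impact sub-score is only 2.7, but the 1.08 factor and the changed-scope impact formula take the medium-rated 6.1 rather than the 5.x an unchanged scope would give.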
https://typo3.org/security/advisory/typo3-psa-2019-007/
https://nvd.nist.gov/vuln/detail/CVE-2019-11831
TYPO3 Security Team
▪ triage and answer reports
▪ communicate with reporters (individuals, pen-testers)
▪ forward information to maintainers (core, extension author, …)
▪ frankly remind people in case activity is kind of low
▪ coordinate releases & release dates
▪ compile information into security bulletins / announcements
▪ educate & raise awareness in teams & community
Capture the Flag
https://www.root-me.org/en/Challenges/Web-Server/
https://ctf.hacker101.com/ctf
▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error # might work with SQLmap
▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
References
▪ Running an SQL Injection Attack (“Computerphile”, nice series): https://www.youtube.com/watch?v=ciNHn38EyRc
▪ WordPress WPDB SQL Injection (nice, on “custom” escaping): https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
▪ CVSSv3 Examples: https://www.first.org/cvss/v3.0/examples
thx! ;-)

 
Contribute to TYPO3 CMS
Contribute to TYPO3 CMSContribute to TYPO3 CMS
Contribute to TYPO3 CMS
 
T3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS TeamT3CON13DE - TYPO3 CMS Team
T3CON13DE - TYPO3 CMS Team
 
TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0TYPO3camp Regensburg: TYPO3 6.0
TYPO3camp Regensburg: TYPO3 6.0
 
TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)TYPO3 Inline Relational Record Editing (IRRE)
TYPO3 Inline Relational Record Editing (IRRE)
 
TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7TYPO3 4.6 & TYPO3 4.7
TYPO3 4.6 & TYPO3 4.7
 

Recently uploaded

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 

Recently uploaded (20)

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 

Web Application Security Workshop (T3DD19)

  • 10. Hacking Playground - AVAILABILITY - information/service not available
  • 11. Web Application Security - Open Web Application Security Project - TOP 10 vulnerabilities
    https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
    (chart: TYPO3 core / TYPO3 3rd party extensions / PHP world - TYPO3 vulnerabilities in past 5 years)
  • 12. Web Application Security - attack chains - multiple components might be affected
    https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 14. Techniques, Mitigation, Tools
  • 15. Cross-Site Scripting
  • 16. Cross-Site Scripting - basics - “classic” XSS
  • 17. Cross-Site Scripting - basics - XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • 18. Cross-Site Scripting - basics - “classic” XSS mitigation ✔
  • 19. Cross-Site Scripting - basics - XSS with Fluid - f:format.html relies on TypoScript being available
  • 20. Cross-Site Scripting - basics - ViewHelper without any escaping == potentially vulnerable to XSS
  • 21. http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
  • 22. XSS exploitation
  • 23. Browser Exploitation Framework in action
  • 24. Browser Exploitation Framework in action
  • 25. SQL injection
  • 26. SQL injection basics - “classic” SQL injection - query
  • 27. SQL injection basics
    ▪ SELECT … WHERE uid=10 AND pid>0;
    ▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true
    ▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false
    ▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time
    ▪ comment literals (MySQL)
      ▪ --
      ▪ #
      ▪ /* data */
  • 28. SQL injection basics
    ▪ SELECT … WHERE uid=10 AND pid>0;
    ▪ SELECT uid,pid,header WHERE uid=10
      UNION SELECT username,password,3
      FROM be_users WHERE SUBSTR(username, 1, 1) = 'a'
      LIMIT 1,1
      -- AND pid>0;
    ▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = 'd' …
    ▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = 'm' …
    ▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = 'i' …
    ▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = 'n' …
  • 29. SQL injection - QueryBuilder WHERE: SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
  • 30. SQL injection - QueryBuilder WHERE: SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
  • 31. SQL injection - QueryBuilder WHERE (prepared statement): SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1; ✔
  • 32. SQL injection - QueryBuilder WHERE: … WHERE `header` LIKE '%a%_%b%';
  • 33. SQL injection - QueryBuilder WHERE: … WHERE `header` LIKE '%a%_%b%'; ✔
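The following is an added example and not code from the slides: it puts the three QueryBuilder variants of slides 29 to 33 next to each other as TYPO3 v9 PHP. The table `tt_content` and the request values are taken from the slides; the function names and the small `queryBuilderFor()` helper are the editor's own.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// helper (editor's own): a fresh QueryBuilder for the given table
function queryBuilderFor(string $table): QueryBuilder
{
    return GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($table);
}

/**
 * Slide 29, vulnerable: the raw request value is concatenated into the WHERE
 * clause, so `uid` = TEST (or `uid` = 10 AND SLEEP(10) -- ) reaches MySQL verbatim.
 */
function findContentVulnerable(string $uidFromRequest): array
{
    $queryBuilder = queryBuilderFor('tt_content');
    return $queryBuilder
        ->select('uid', 'header')
        ->from('tt_content')
        ->where('`uid` = ' . $uidFromRequest)   // string is passed through unchanged
        ->execute()
        ->fetchAll();
}

/**
 * Slide 30: an (int) cast neutralises the payload ("TEST" becomes 0) but still
 * inlines the value. Slide 31, preferred: createNamedParameter() emits
 * `uid` = :dcValue1 and binds the value separately, so it is never parsed as SQL.
 */
function findContentByUid(int $uid): array
{
    $queryBuilder = queryBuilderFor('tt_content');
    return $queryBuilder
        ->select('uid', 'header')
        ->from('tt_content')
        ->where(
            $queryBuilder->expr()->eq(
                'uid',
                $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT)
            )
        )
        ->execute()
        ->fetchAll();
}

/**
 * Slides 32/33: a bound parameter stops injection, but LIKE wildcards inside
 * the value still change what the query matches ("a%_b" matches "a", anything,
 * one character, "b"). escapeLikeWildcards() makes % and _ literal; the
 * surrounding % are added by the code, not by the user.
 */
function findContentByHeader(string $searchTerm): array
{
    $queryBuilder = queryBuilderFor('tt_content');
    return $queryBuilder
        ->select('uid', 'header')
        ->from('tt_content')
        ->where(
            $queryBuilder->expr()->like(
                'header',
                $queryBuilder->createNamedParameter(
                    '%' . $queryBuilder->escapeLikeWildcards($searchTerm) . '%'
                )
            )
        )
        ->execute()
        ->fetchAll();
}

// Typical call site; GeneralUtility::_GP() returns untyped request data:
// $rows = findContentByUid((int)GeneralUtility::_GP('uid'));
// $rows = findContentByHeader((string)GeneralUtility::_GP('search'));
```

The default restrictions (deleted, hidden, start/end time) are applied by the QueryBuilder in all three variants; only the way the value enters the statement differs.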
  • 34. SQLmap
  • 35. http://typo3v9-hack.ddev.site/?eID=comments&search=term
  • 36.
    ▪ ddev ssh -s sqlmap
    ▪ bash # suggested
    ▪ git checkout master
    ▪ git pull
  • 37.
    ▪ ./sqlmap -u '<uri>' --risk 3 --level 3 --banner
    ▪ regular call
      ▪ ./sqlmap -u 'http://typo3v9-hack.ddev.site/?eID=comments&search=typo3*' --risk 3 --level 3 --banner
    ▪ inside ddev container
      ▪ ./sqlmap -u 'http://web/?eID=comments&search=typo3*' --risk 3 --level 3 --sql-shell # marker* in GET parameters
      ▪ ./sqlmap -u 'http://web/?eID=comments' --data '&search=typo3*' --risk 3 --level 3 --sql-shell # marker* in POST
  • 38. SQLmap
  • 39. meanwhile in /var/log/nginx/access.log
  • 40. possible SQL injection attack payload
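As an added example (not from the slides, and not the access.log of the screenshot), the following PHP reads nginx combined-format log lines and flags the request shapes from slides 27, 28 and 40 so an operator can spot a scan like the one run here. The four log lines are constructed for the demo; the sqlmap user-agent string is only a plausible sample, not a captured one.

```php
<?php
declare(strict_types=1);

// Constructed nginx access.log lines (not real traffic): one ordinary search
// followed by three requests shaped like the injection probes on the slides.
const SAMPLE_ACCESS_LOG = <<<'LOG'
172.18.0.1 - - [04/Aug/2019:10:15:01 +0000] "GET /?eID=comments&search=typo3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.18.0.1 - - [04/Aug/2019:10:15:05 +0000] "GET /?eID=comments&search=typo3%27%20AND%201%3D1%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.x (constructed)"
172.18.0.1 - - [04/Aug/2019:10:15:07 +0000] "GET /?eID=comments&search=typo3%27%20AND%20SLEEP%2810%29%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.x (constructed)"
172.18.0.1 - - [04/Aug/2019:10:15:09 +0000] "GET /?eID=comments&search=typo3%27%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20be_users%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.x (constructed)"
LOG;

// indicator name => regex over the URL-decoded request path
const SQLI_PATTERNS = [
    'union-select'   => '~\bunion\b.+\bselect\b~i',        // slide 28
    'time-based'     => '~\b(sleep|benchmark)\s*\(~i',     // slide 27, SLEEP(10)
    'tautology'      => '~\b(and|or)\s+\d+\s*=\s*\d+~i',   // slide 27, AND 1=1 / AND 1=0
    'comment-suffix' => '~(--\s|#|/\*)~',                  // slide 27, MySQL comment literals
];

/** Splits one combined-format line into the fields needed here; null if it does not parse. */
function parseAccessLogLine(string $line): ?array
{
    $format = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($format, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int)$m[5],
        'agent'  => $m[6],
    ];
}

/** Returns one entry per suspicious request with the indicators that fired. */
function flagSqlInjectionAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseAccessLogLine($line);
        if ($entry === null) {
            continue;
        }
        // decode twice: scanners and browsers may percent-encode the payload more than once
        $decoded = rawurldecode(rawurldecode($entry['path']));
        $indicators = [];
        foreach (SQLI_PATTERNS as $name => $pattern) {
            if (preg_match($pattern, $decoded)) {
                $indicators[] = $name;
            }
        }
        if (stripos($entry['agent'], 'sqlmap') !== false) {
            $indicators[] = 'sqlmap-user-agent';   // default UA of the tool; trivially changed, so never rely on it alone
        }
        if ($indicators !== []) {
            $hits[] = ['ip' => $entry['ip'], 'time' => $entry['time'], 'path' => $decoded, 'indicators' => $indicators];
        }
    }
    return $hits;
}

foreach (flagSqlInjectionAttempts(SAMPLE_ACCESS_LOG) as $hit) {
    printf("%s %s %s [%s]\n", $hit['time'], $hit['ip'], $hit['path'], implode(',', $hit['indicators']));
}
```

The first line is not reported; the other three are, each with the matching indicator names. Status code and timing (a burst of requests with 200 responses whose payloads differ only in the injected part) are the next signals worth correlating once the simple pattern match has raised the alert.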
  • 41. remote SQL shell via SQL injection
  • 42. “stacked queries” not allowed in PHP/PDO - SELECT …; INSERT …;
  • 43. Insecure Deserialization
  • 44. Insecure Deserialization - Basics - __wakeup() (during unserialize()) or __destruct() (once the restored object is released) methods are executed as a consequence of deserialization
  • 45. Insecure Deserialization - Basics - user submitted payload to be deserialized
  • 46. allowed_classes introduced with PHP 7.0 (Polyfill available)
  • 47. Insecure Deserialization - TYPO3-CORE-SA-2019-020
    ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
    ▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
    ▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
    ▪ addressed on June 25th, 2019
  • 48. Insecure Deserialization - Basics - __destruct() saves content to filesystem
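Added example for slides 44 to 48 (not code from the slides or from the TYPO3 core): a constructed class `DraftWriter` whose destructor writes a file, standing in for the kind of class the slides refer to, next to the three ways of restoring a user-submitted payload. Only the plain `unserialize()` lets the destructor run with data chosen by the sender; the demo writes into the temp directory and removes the file again.

```php
<?php
declare(strict_types=1);

/**
 * Constructed illustration of a class that becomes a "gadget": harmless in its
 * intended use, but the path and content are attacker-controlled when the
 * instance is created by unserialize() from a request parameter.
 */
final class DraftWriter
{
    /** @var string */
    public $path;
    /** @var string */
    public $content;

    public function __construct(string $path, string $content)
    {
        $this->path = $path;
        $this->content = $content;
    }

    // runs inside unserialize() for a permitted class
    public function __wakeup()
    {
        error_log('DraftWriter::__wakeup() for ' . $this->path);
    }

    // runs when the object is released (end of request, unset(), temporary discarded, ...)
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

/** Vulnerable: any class known to the autoloader may be instantiated from the payload. */
function restoreStateUnsafe(string $payload)
{
    return unserialize($payload);
}

/** PHP >= 7.0: objects become __PHP_Incomplete_Class, so neither __wakeup() nor __destruct() runs. */
function restoreStateSafe(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

/** Preferred when only arrays and scalars are needed: JSON carries no object graph at all. */
function restoreStateJson(string $payload): array
{
    $data = json_decode($payload, true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('payload is not a JSON object or array');
    }
    return $data;
}

// --- demonstration in the temp directory ---
$target = sys_get_temp_dir() . '/draft-writer-demo.txt';
@unlink($target);

$writer = new DraftWriter($target, 'content chosen by whoever sent the payload');
$payload = serialize($writer);   // O:11:"DraftWriter":2:{s:4:"path";s:...;s:7:"content";s:...;}
$writer->path = '';              // disarm the local instance; only the unserialize() results matter below

$safe = restoreStateSafe($payload);
printf("allowed_classes=false -> %s, file written: %s\n",
    get_class($safe), var_export(file_exists($target), true));   // __PHP_Incomplete_Class, false

restoreStateUnsafe($payload);    // return value discarded at once -> __destruct() runs here
clearstatcache();
printf("plain unserialize()    -> file written: %s\n", var_export(file_exists($target), true)); // true
@unlink($target);
```

`allowed_classes` may also be an allow-list of class names instead of `false`; that is only safer than `false` if every listed class is free of side effects in its magic methods, which is hard to guarantee across a Composer vendor tree.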
  • 49. Remote Code Execution #1 - making use of FileCookieJar as attack container
  • 50. Remote Code Execution #1 - prepare attack against TYPO3 backend
  • 51. Remote Code Execution #1 - actual attack payload that shall be executed
  • 52. Remote Code Execution #1 - XSRF token needs to be known (valid backend user required)
  • 53. Remote Code Execution #1 - output of injected & executed /typo3/hack.php
  • 54. Remote Code Execution #1 - … new admin user h4ck3r31 …
  • 55. Other™
  • 56. Other™ - random topics
    ▪ File Upload
      ▪ check/deny extensions (file deny pattern)
      ▪ check mime-types - image/png, text/html, …
    ▪ Extbase controller actions
      ▪ user/group access needs individual handling
      ▪ classic: logged in user can access profile data of others
    ▪ Directory Traversal
      ▪ zip bundle.zip ../malicious.php
      ▪ depends on how it is extracted
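Added example for the File Upload and Directory Traversal items on slide 56 (not TYPO3 core code; the core has its own `fileDenyPattern` and upload handling): plain PHP that applies a deny pattern to file names, checks that the bytes of an upload match the MIME type the extension promises, and inspects every entry name of a zip archive before anything is written. The deny pattern is the editor's, modelled on the kind of expression TYPO3 uses; the allow-list of types is an assumption for the demo.

```php
<?php
declare(strict_types=1);

// Editor's deny pattern: PHP-like extensions anywhere in the name (foo.php.png too) and .htaccess
const FILE_DENY_PATTERN = '~(?:\.(?:php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(?:\..*)?$)|(?:^\.htaccess$)~i';

// Assumed allow-list: extension => MIME type the content must really have
const ALLOWED_UPLOAD_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

function isAllowedFileName(string $fileName): bool
{
    $baseName = basename($fileName);
    return $baseName !== '' && !preg_match(FILE_DENY_PATTERN, $baseName);
}

/** Returns a list of problems; empty means the upload passed both checks. */
function validateUpload(string $originalName, string $tmpPath): array
{
    $errors = [];
    if (!isAllowedFileName($originalName)) {
        $errors[] = 'file name matches deny pattern';
    }
    $extension = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOAD_TYPES[$extension])) {
        $errors[] = 'extension not in allow list';
    } else {
        // trust the bytes, never the client-supplied $_FILES[...]['type']
        $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
        if ($detected !== ALLOWED_UPLOAD_TYPES[$extension]) {
            $errors[] = "content is $detected, expected " . ALLOWED_UPLOAD_TYPES[$extension];
        }
    }
    // note: a PNG/Phar hybrid (slide 63) is a valid PNG and passes this check;
    // that case is handled by the phar stream wrapper, not by MIME sniffing
    return $errors;
}

/** True only for a relative name without "..", drive letter or leading slash. */
function isSafeZipEntryName(string $name): bool
{
    if ($name === '' || $name[0] === '/' || $name[0] === '\\') {
        return false;
    }
    if (preg_match('~^[a-z]:~i', $name)) {                 // C:\... on Windows
        return false;
    }
    if (preg_match('~(^|[\\\\/])\.\.([\\\\/]|$)~', $name)) { // ../ or ..\ anywhere
        return false;
    }
    return true;
}

/** Extracts entry by entry instead of ZipArchive::extractTo(), so each name is vetted first. */
function extractZipSafely(string $zipPath, string $targetDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open ' . $zipPath);
    }
    $realTarget = realpath($targetDir);
    if ($realTarget === false) {
        throw new RuntimeException('target directory does not exist');
    }
    $extracted = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeZipEntryName($name)) {
            $zip->close();
            throw new RuntimeException('rejected traversal entry: ' . $name);
        }
        if (substr($name, -1) === '/') {
            continue;                                       // directories are created on demand below
        }
        if (!isAllowedFileName($name)) {
            $zip->close();
            throw new RuntimeException('rejected file name: ' . $name);
        }
        $destination = $realTarget . '/' . $name;
        if (!is_dir(dirname($destination))) {
            mkdir(dirname($destination), 0775, true);
        }
        file_put_contents($destination, $zip->getFromIndex($i));
        $extracted[] = $name;
    }
    $zip->close();
    return $extracted;
}

// demo of the pure checks (constructed names)
foreach (['images/logo.png', '../malicious.php', 'docs/readme.txt', 'shell.php.png'] as $name) {
    printf("%-20s entry ok: %-5s name ok: %s\n", $name,
        var_export(isSafeZipEntryName($name), true), var_export(isAllowedFileName($name), true));
}
```

The demo prints `true/true` for the first and third name, `false/false` for `../malicious.php` and `true/false` for `shell.php.png`; the last one is why the deny pattern looks at every extension in the name and not only the final one.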
  • 57. phar://…
  • 58. https://packagist.org/packages/typo3/phar-stream-wrapper
  • 59.
    ▪ usually used like
      require_once('phar://bundle.phar/vendor/autoload.php');
      $service = new BundleService();
    ▪ Phar archives are vulnerable to insecure deserialization
      ▪ all Phar archives in every PHP version (since 5.3)
      ▪ using “phar://“ stream wrapper is required here
      ▪ however, applies to regular file calls as well
        ▪ is_file(), file_exists(), fopen(), file_get_contents(), …
        ▪ is_file($_GET['fileName']) // … user submitted data
  • 60. demo web application
  • 61. file does exist - correct
  • 62. result of implicit insecure deserialization
  • 63. Hybrid - Valid PNG file & Valid Phar archive
  • 64. building hybrid Phar archive
  • 65. PharStreamWrapper in TYPO3 core
  • 66.
    ▪ TYPO3\CMS\Core\IO\PharStreamWrapperInterceptor
      ▪ TYPO3 core - Phar only in typo3conf/ext/ directories
    ▪ TYPO3\PharStreamWrapper\…\PharExtensionInterceptor
      ▪ Phar only with file extension “.phar”
    ▪ TYPO3\PharStreamWrapper\…\PharMetaDataInterceptor
      ▪ Phar only without serialized objects in meta-data
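Added example for slides 59 and 66 (not the TYPO3 core bootstrap and not code from the slides): how a plain PHP application registers `typo3/phar-stream-wrapper` with both interceptors named on slide 66, followed by an input check that keeps a user-supplied file name away from any stream wrapper before `is_file()` is called at all. The package's `Manager`, `Behavior`, `PharStreamWrapper`, `ConjunctionInterceptor`, `PharExtensionInterceptor` and `PharMetaDataInterceptor` classes are real; `resolveUserFile()` and the `fileadmin` base directory are the editor's assumptions.

```php
<?php
declare(strict_types=1);

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;
use TYPO3\PharStreamWrapper\Interceptor\ConjunctionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharMetaDataInterceptor;

require_once __DIR__ . '/vendor/autoload.php';   // composer require typo3/phar-stream-wrapper

/**
 * Bootstrap once per process (Manager::initialize() throws on a second call).
 * Both assertions must hold for a phar:// access to be allowed: the path must
 * end in .phar, and the archive's meta-data must not contain serialized objects.
 */
function registerPharStreamWrapper(): void
{
    $behavior = (new Behavior())->withAssertion(new ConjunctionInterceptor([
        new PharExtensionInterceptor(),
        new PharMetaDataInterceptor(),
    ]));
    Manager::initialize($behavior);

    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    stream_wrapper_register('phar', PharStreamWrapper::class);
}

/**
 * Application-side check (editor's own): the wrapper above is the safety net,
 * but a request value should never reach is_file()/file_exists() unvetted.
 * Returns the resolved path below $baseDir, or null if the input is refused.
 */
function resolveUserFile(string $baseDir, string $userPath): ?string
{
    // any "scheme:" prefix (phar:, data:, php:, ...) is refused outright; this also
    // rejects Windows drive letters, which is fine for a relative path parameter
    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $userPath)) {
        return null;
    }
    $realBase = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $userPath);   // realpath() does not resolve stream wrappers
    if ($realBase === false || $candidate === false) {
        return null;
    }
    // the resolved file must stay below the base directory (also stops ../ escapes)
    if (strpos($candidate, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

registerPharStreamWrapper();

$base = __DIR__ . '/fileadmin';   // assumed upload directory
foreach (['images/photo.png', 'phar://fileadmin/images/photo.png/x', '../LocalConfiguration.php'] as $input) {
    printf("%-40s -> %s\n", $input, var_export(resolveUserFile($base, $input), true));
}
```

The second and third inputs always yield `null`; the first yields the absolute path when the file exists. With the wrapper registered, even a `phar://` path that slipped past application code would be checked against the `.phar` extension and the meta-data before PHP opens the archive, which is exactly the hybrid-PNG case of slides 63 and 64.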
  • 67. Vulnerability Reporting - CVSSv3, Mitre & Co.
  • 68. How to report?
  • 69. How to report a security vulnerability?
    ▪ always report via mail to security@typo3.org (Security Team)
    ▪ don’t post potential attacks to Forge, Twitter, … (public media)
    ▪ inform security team in case vulnerabilities are leaked
    ▪ please be patient & wait for feedback
    ▪ approximate first response time: ~8 hours
  • 70. Responsible Disclosure Workflow
    ▪ report vulnerability to vendor (here: security team)
    ▪ wait for feedback, questions or confirmation of this issue
    ▪ ask for status updates in case there is no activity
    ▪ declare deadline for full disclosure (e.g. 90 days)
    ▪ in case vendor does not take actions - public disclosure
    ▪ vendors (should) have interest to release security bulletins
    ▪ hiding vulnerabilities creates a false sense of security
  • 71. Responsible Disclosure Workflow - https://blog.ripstech.com/2019/typo3-overriding-the-database/
  • 72. How to read reports?
  • 73. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 74. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 75. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 76. CVSSv3 example #1
    ▪ CVE-2013-1937
    ▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
    ▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before version 3.5.8. These allow remote attackers to inject arbitrary JavaScript or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameters.”
  • 77. CVSSv3 example #1 - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 78. CVSSv3 example #2
    ▪ CVE-2016-1645
    ▪ Google Chrome PDFium JPEG 2000 Remote Code Execution Vulnerability
    ▪ “Allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the victim must visit a malicious page or open a malicious file. Flaw exists within the handling of JPEG 2000 images. Specially crafted JPEG 2000 image embedded inside a PDF can force Google Chrome to write memory past the end of an allocated object. Attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.”
  • 79. CVSSv3 example #2 - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 80. https://typo3.org/security/advisory/typo3-psa-2019-007/
  • 81. https://typo3.org/security/advisory/typo3-psa-2019-007/
  • 82. https://nvd.nist.gov/vuln/detail/CVE-2019-11831
  • 83. https://nvd.nist.gov/vuln/detail/CVE-2019-11831
  • 84. TYPO3 Security Team
  • 85.
    ▪ triage and answer reports
    ▪ communicate with reporters (individuals, pen-testers)
    ▪ forward information to maintainers (core, extension author, …)
    ▪ frankly remind people in case activity is kind of low
    ▪ coordinate releases & release dates
    ▪ compile information into security bulletins / announcements
    ▪ educate & raise awareness in teams & community
  • 86. Capture the Flag
  • 87. https://www.root-me.org/en/Challenges/Web-Server/
  • 88. https://ctf.hacker101.com/ctf
  • 89.
    ▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error # might work with SQLmap
    ▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
  • 90. References
    ▪ Running an SQL Injection Attack: https://www.youtube.com/watch?v=ciNHn38EyRc // “Computerphile“, nice series
    ▪ WordPress WPDB SQL Injection: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html // nice, on “custom” escaping
    ▪ CVSSv3 Examples: https://www.first.org/cvss/v3.0/examples