web application security workshop typo3 developer days 2014
Inspiring people to share
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
T3DD14 Security Workshop
Helmut Hummel <[email protected]>
20.06.2014
Security Pitfalls vs. Best Practices
Agenda
• Prequel: trusted hosts pattern explained
• What does Security mean?
• Knowing the enemy
• Pitfalls
• Best Practice
• TYPO3 Security Team
Trusted Hosts Pattern?
<?php

$hostName = $_SERVER['HTTP_HOST'];
echo $hostName;
curl 'http://t3dd14.dev/host.php' -H 'Host: google.de'
curl 'http://localhost/t3dd14/host.php' -H 'Host: google.de'
telnet t3dd14.dev 80

GET http://t3dd14.dev/host.php HTTP/1.1
User-Agent: curl/7.33.0
Accept: */*
Host: google.de
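One way to apply the trusted hosts pattern the prequel refers to, written as an added example for this transcript rather than code from the workshop or from TYPO3 itself: the Host header is only used once it matches an allow-list pattern. It assumes PHP 7.1+; the pattern value, the sample hosts and the function name are illustrative.

```php
<?php
// Added example: only accept $_SERVER['HTTP_HOST'] when it matches an
// allow-list pattern, instead of echoing whatever Host header the client sent.
// The pattern style follows the trusted-hosts-pattern idea; values are made up.

/**
 * Returns the normalised host if it matches $pattern (a PCRE body matched
 * against the whole host, port included), or null if it must be rejected.
 * $pattern must not contain the "~" delimiter used below.
 */
function getTrustedHost(array $server, string $pattern): ?string
{
    if (empty($server['HTTP_HOST']) || !is_string($server['HTTP_HOST'])) {
        return null;
    }
    $host = strtolower(trim($server['HTTP_HOST']));
    // Anchored, so "t3dd14.dev.attacker.example" does not slip through.
    return preg_match('~^(' . $pattern . ')$~', $host) === 1 ? $host : null;
}

// Hosts this installation legitimately answers for (optional port allowed).
$trustedHostsPattern = 't3dd14\.dev(:[0-9]+)?|localhost';

// Constructed sample requests; the second is what the slides'
// "curl -H 'Host: google.de'" delivers to the script.
$samples = [
    ['HTTP_HOST' => 't3dd14.dev'],
    ['HTTP_HOST' => 'google.de'],
    ['HTTP_HOST' => 't3dd14.dev:8080'],
    ['HTTP_HOST' => 't3dd14.dev.attacker.example'],
];

foreach ($samples as $request) {
    $host = getTrustedHost($request, $trustedHostsPattern);
    echo str_pad($request['HTTP_HOST'], 30), ' => ',
        $host === null ? 'rejected' : 'accepted (' . $host . ')', PHP_EOL;
}

// In a real web request: fail closed before the host is used in absolute
// URLs, redirects or password reset links (skipped when run from the CLI).
if (PHP_SAPI !== 'cli') {
    $host = getTrustedHost($_SERVER, $trustedHostsPattern);
    if ($host === null) {
        http_response_code(400);
        exit('Untrusted Host header');
    }
    echo $host;
}
```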
What does Security mean?
Absence of potential Damage
Protecting Information
Unauthorized access
Unauthorized modification
Loss
CIA Triad

[Diagram: Confidentiality, Integrity and Availability arranged around Information]
What is Security?
Security is relative
• Security depends on your needs / the kind of information
• Security depends on a certain point in time
• Security needs to be constantly adapted and improved
Characteristics of Security
• There is no absolute security
• An environment is only as secure as its weakest point
• Security is an investment
• The effort for security must be proportional to the potential damage
• A system can be called secure if the effort of compromising it is far higher than the possible gains
"Security is a process, not a product." (Bruce Schneier)
General Security Principles
• Least privilege
• Minimize exposure
• Do not rely on "security by obscurity"
• Defense in depth
Defense in Depth

[Diagram: layers and the protection added at each one: Server Firewall / Proxy; Webserver: mod_security; PHP: suhosin, hardening; PHP application: security layer(s); DBMS: SQL Proxy; OS]
Knowing the enemy
Different Motivations
• Money
• Influence
• Fame
• Fun
Different Approaches
• Automated attacks
• Targeted attacks
Pitfalls
Security Problems
XSS
HTML Contexts
• HTML element
• HTML attribute value
• JS values
• URL parameter
CSRF
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
Avoid CSRF
• Secret random token in the request
• Save token in session
• One-time token may have usability impacts
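The token approach from the list above, as an added example that is not code from the workshop: one secret per session kept in $_SESSION, emitted into the form and compared in constant time on the state-changing POST. It assumes PHP 7+; the field name csrf_token, the transfer form and the script name are illustrative.

```php
<?php
// Added example: per-session CSRF token. A state-changing action is only
// accepted via POST and only when the submitted token equals the session token.
// Field names and the transfer form are illustrative.

session_start();

function csrfToken(): string
{
    // One secret per session. Regenerating it on every request gives the
    // "one-time token" variant, which breaks open tabs and the back button.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison; the known-good value goes first.
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// The <img src="...transfer.do?..."> from the slides is a GET and carries no
// token, so it never reaches the transfer code below.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfCheck($_POST)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    // ... validate acct/amount and perform the transfer only here ...
}
?>
<form method="post" action="transfer.php">
  <?= csrfField() ?>
  <label>Account <input name="acct"></label>
  <label>Amount <input name="amount"></label>
  <button type="submit">Transfer</button>
</form>
```

The token only helps if the action itself refuses GET; a transfer reachable through a plain URL, as in the image example above, is forgeable regardless.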
SQLi
File Handling
Header Injection
Code Injection
Insecure Unserialize
Extbase Security
XSS
XSS in Extbase
• Flash Messages
• Context
• Custom View Helpers
SQLi
Mass Assignment
Access Violation
TypoScript
page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.wrap = pid=|

page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.intval = 1
page.10.andWhere.wrap = pid=|

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

DB : be_users:1:password

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
Best Practice
Best Practice
• Every request is an attack until the opposite is proven
• User input cannot be trusted
• User input needs to be validated, and encoded/escaped right before output
• Encoding and escaping depend on the context
• Separation of Concerns
What is User Input?
• $_REQUEST ($_GET, $_POST, $_COOKIE)
• $_FILES
• $_SERVER
• Filenames
• External Services
• Editors are users
How to treat User Input
• Validation
• Filtering
• Escaping
• Encoding
[Diagram: User Input → Validate / Filter (evil? stop execution?) → Escaping / Encoding (context!) → Output]
How to treat User Input
• Filter Input
  • Check type
  • Check format
  • Check length
• Escape Output
  • Context! (DB, HTML, JS)
  • Directly before output
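Filter-on-input and escape-per-context from the list above, covering the HTML contexts listed earlier (element, attribute value, JS value, URL parameter) and the DB context, as an added example that is not code from the workshop. It assumes PHP 7+; the untrusted sample value, the helper names, the search.php link and the commented PDO call are constructed for illustration.

```php
<?php
// Added example: filter the input on the way in, escape the same untrusted
// value once per output context, directly before output. Sample value,
// helper names and the "search.php" link are constructed for illustration.

// Filter input: check type, format and range of a GET parameter before use.
$page = filter_var($_GET['page'] ?? '1', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($page === false) {
    http_response_code(400);
    exit('invalid page parameter');
}

// Constructed untrusted value, e.g. an editor-supplied record title.
$title = '"><script>alert(1)</script> & more';

// HTML element content and quoted HTML attribute value: entity-encode
// < > & " ' so the browser stays in text mode. Input is assumed valid UTF-8.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript value: JSON-encode and also hex-escape < > & ' " so a
// "</script>" inside the string cannot terminate the script element.
function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL parameter: percent-encode the value; the finished URL is HTML-escaped
// again because it lands inside an attribute (two contexts, two encodings).
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// DB context: do not escape at all, bind the value (assumes a PDO instance $pdo):
// $stmt = $pdo->prepare('SELECT uid FROM tt_content WHERE pid = :pid');
// $stmt->execute([':pid' => $page]);
?>
<h1><?= escHtml($title) ?></h1>
<input name="title" value="<?= escHtml($title) ?>">
<script>var title = <?= escJs($title) ?>;</script>
<a href="<?= escHtml('search.php?q=' . escUrlParam($title) . '&page=' . $page) ?>">search</a>
```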
Separation of Concerns
• Security issues are bugs
• Clean code leads to fewer bugs
• Test Driven Development
• Leave security to security code
TYPO3 Security Team
• Responsible Disclosure Policy
• One communication channel ([email protected])
• Pre-announcements for critical issues only
• You can support us with sober and precise communication and by reading the Security Bulletins carefully
CVSS2 Score
• A calculation that helps you identify the severity of a security issue
• The result is four different scores:
  • Base Score
  • Temporal Score
  • Environmental Score
  • Overall Score
Questions?