Security Pitfalls vs. Best Practices

Post on 08-May-2015


Transcript of Security Pitfalls vs. Best Practices

Inspiring people to share

TYPO3 Developer Days - Hamburg 2013

Security Workshop

T3DD13 Security Workshop

Helmut Hummel <helmut@typo3.org>

07.07.2013

Security Pitfalls vs. Best Practices

1


Agenda

• What does Security mean?

• Knowing the enemy

• Pitfalls

• Best Practice

• TYPO3 Security Team

2


What does Security mean?

3


Absence of potential Damage

4


Protecting Information

5


Unauthorized access

6


Unauthorized modification

7


Loss

8


CIA Triad

9

CIA Triad (diagram): Confidentiality, Integrity and Availability of Information

10


What is Security?

Security is relative

• Security depends on your needs and on the kind of information

• Security depends on a certain point in time

• Security needs to be constantly adapted and improved

11


What is Security?

Characteristics of Security

• There is no absolute security

• An environment is only as secure as its weakest point

• Security is an investment

• The effort spent on security must be proportional to the potential damage

• A system can be called secure if the effort of compromising it is far higher than the possible gains

12


Security is a process, not a product. (Bruce Schneier)

13


General Security Principles

• Least privilege

• Minimize exposure

• Do not rely on "security by obscurity"

• Defense in depth

14

Defense in Depth (diagram): the stack OS / Webserver / PHP application / DBMS, with a protective layer in front of each component: server firewall and proxy, mod_security, suhosin (PHP hardening), application security layer(s), SQL proxy

15


Knowing the enemy

16


Knowing the enemy

Different Motivations

17

• Money

• Influence

• Fame

• Fun


Knowing the enemy

Different Proceedings

18

• Automated attacks

• Targeted attacks


Demo

19


Pitfalls

20

21


TypoScript

22

page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.wrap = pid=|

23

page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.intval = 1
page.10.andWhere.wrap = pid=|

24

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

DB : be_users:1:password

25

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

26

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

27

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1

28


29


Security Problems

30


XSS

31


HTML Contexts

• HTML element

• HTML attribute value

• JS values

• URL parameter

32


CSRF

33


Avoid CSRF

• Secret random token in the request

• Save token in session

• One-time tokens may have usability impacts

35
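The CSRF defence from the slide above, written out as an added example in plain PHP (not code from the workshop or from TYPO3). It assumes a session has already been started and that `$_SESSION` / `$_POST` are passed in as arrays so the functions can be exercised outside a web request.

```php
<?php
declare(strict_types=1);

// Create the secret random token once per session and keep reusing it.
// A per-session (not one-time) token sidesteps the usability problem the
// slide mentions, e.g. the same form open in two browser tabs.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $session['csrf_token'];
}

// Hidden form field carrying the token. The value is hex only, but it is
// escaped anyway because it lands in an HTML attribute context.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the token sent with the request against the copy in the session.
// A missing session token means no form was ever rendered for this session;
// hash_equals() avoids leaking the token through timing differences.
function csrfVerify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Usage in a request handler (constructed illustration):
//   echo '<form method="post">' . csrfField($_SESSION) . '...</form>';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfVerify($_SESSION, $_POST)) {
//       http_response_code(403);
//       exit('invalid CSRF token');
//   }
```

Rotating the token on login and logout (session regeneration) keeps a token captured before authentication from being replayed afterwards.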


SQLi

36


File Handling

37


Header Injection

38


Code Injection

39


Insecure Unserialize

40


Extbase Security

41


XSS

42


Extbase XSS

• Flash messages

• Context

43


SQLi

44


Mass Assignment

45


Access Violation

46


Best Practice

47


Best Practice

• Every request is an attack until the opposite is proven

• User input is not trustworthy

• User input needs to be validated, and encoded and escaped right before output

• Encoding and escaping depend on the context

• Separation of concerns

48


What is User Input?

• $_REQUEST ($_GET, $_POST, $_COOKIE)

• $_FILES

• $_SERVER

• Filenames

• External Services

• Editors are users

49


How to treat User Input

• Validation

• Filtering

• Escaping

• Encoding

50

How to treat User Input (diagram): User Input is validated/filtered on the way in (evil™ input may stop execution), then escaped/encoded for its output context directly before Output (context!)

51


How to treat User Input

• Filter input

• Escape Output

52


How to treat User Input

• Filter input

  • Check type

  • Check format

  • Check length

• Escape output

  • Context!

  • DB, HTML, JS

  • Directly before output

53
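The two halves of the rule above (filter input on the way in, escape output per context directly before output) as an added plain-PHP example; this is not code from the workshop or from TYPO3. The page id check mirrors the `andWhere.intval` fix from the TypoScript slides, and the three output contexts are the ones listed under HTML Contexts; `filterPageId`, `renderTitle` and the helper names are this example's own.

```php
<?php
declare(strict_types=1);

// Filter input: a page id is valid only if it is a string of 1..10 digits
// (type + format + length) that denotes a positive integer. Anything else,
// e.g. "1 OR 1=1", "12abc", "" or "0", yields null and must not reach SQL.
function filterPageId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null;
    }
    $id = (int)$raw;
    return $id > 0 ? $id : null;
}

// Escape output, one function per context, applied directly before output.

// HTML element content and HTML attribute values (quoted attributes only).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A string literal inside a <script> block: JSON-encode and hex-escape
// < > & ' " so that "</script>" in the data cannot close the block.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value placed in a URL query parameter.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// The same editor-supplied field rendered into three contexts: the encoding
// follows the context, not the source of the data.
function renderTitle(string $title, string $layout, $rawPageId): string
{
    $pid = filterPageId($rawPageId) ?? 1; // fall back to a safe default
    return '<h1 class="c-' . escapeHtml($layout) . '">' . escapeHtml($title) . '</h1>'
        . '<a href="?id=' . $pid . '&amp;title=' . escapeUrlParam($title) . '">link</a>'
        . '<script>var title = ' . escapeJs($title) . ';</script>';
}
```

For the database context, pass `$pid` as a bound parameter of a prepared statement rather than concatenating it, even though it is already an integer.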

Separation of Concerns

• Security issues are bugs

• Clean code leads to less bugs

• Test Driven Development

• Leave Security to Security Code

54


TYPO3 Security Team

55


TYPO3 Security Team

• Responsible Disclosure Policy

• One communication channel (security@typo3.org)

• Pre-Announcements for critical issues only

• You can support us with sober and precise communication and reading the Security Bulletins carefully

56


TYPO3 Security Team

CVSS2 Score

• It is a calculation that helps you to identify the severity of a security issue

• The result consists of four different scores:

  • Base Score

  • Temporal Score

  • Environmental Score

  • Overall Score

57

58

59

60

61

Questions?

62

Thank you!

@helhum, helmut.hummel@typo3.org

63