Security Pitfalls vs. Best Practices

Inspiring people toshare

TYPO3 Developer Days - Hamburg 2013

Security Workshop

T3DD13 Security Workshop

Helmut Hummel <[email protected]>

07.07.2013

Security Pitfalls vs. Best Practices

1

mailto:[email protected]

mailto:[email protected]



Security Workshop

T3DD13 Security Workshop

Agenda• What does Security mean?

• Knowing the enemy

• Pitfalls

• Best Practice

• TYPO3 Security Team

2



Security Workshop

What does Security mean?

3



Security Workshop

Absence of potential Damage

4



Security Workshop

Protecting Information

5



Security Workshop

Unauthorized access

6



Security Workshop

Unauthorized modification

7



Security Workshop

Loss

8



Security Workshop

CIA Triad

9

Availability

CIA Triad

Integrity

Confidentiality

Information

10



Security Workshop

What is Security?

Security is relative• Security depends on your needs/ kind of Information

• Security depends on a certain point in time

• Security needs to be constantly adapted and improved

11



Security Workshop

What is Security?

Characteristics of Security• There is no absolute Security

• An evironment is only as secure as it‘s weakest point

• Security is an investment

• The efforts for Security must be proportianal to the potential damage

• A system can be called secure, if the effort of compromising it are way higher than the possible gains

12



Security Workshop

Security is a process, not a product.(Bruce Schneier)

13



Security Workshop

General Security Priciples• Least privilege

• Minimize Exposure

• Do not rely on „security by obscurity“

• Defense in depth

14

Defense in Depth

OS

PHP-application

DBMS

Webserver

Server FirewallProxy

mod_security

suhosinPHP

Harding

security layer(s)

SQL Proxy

15



Security Workshop

Knowing the enemy

16



Security Workshop

Knowing the enemy

Different Motivations

17

• Money

• Influence

• Fame

• Fun



Security Workshop

Knowing the enemy

Different Proceedings

18

• Automated attacks

• Targeted attacks



Security Workshop

Demo

19



Security Workshop

Pitfalls

20



Security Workshop 21



Security Workshop

TypoScript

22

page.10 = CONTENTpage.10.table = tt_contentpage.10.where = colPos=0page.10.andWhere.data = GP:page_idpage.10.andWhere.wrap = pid=|

23

page.10 = CONTENTpage.10.table = tt_contentpage.10.where = colPos=0page.10.andWhere.data = GP:page_idpage.10.andWhere.intval = 1page.10.andWhere.wrap = pid=|

24

page.10 = TEXTpage.10.field = titlepage.10.wrap = <h1 class="c-{field:layout}">|</h1>page.10.insertData = 1 DB : be_users:1:password

25

page.10 = TEXTpage.10.field = titlepage.10.wrap = <h1 class="c-{field:layout}">|</h1>page.10.insertData = 1

26

page.10 = TEXTpage.10.field = titlepage.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

27

page.10 = TEXTpage.10.field = titlepage.10.dataWrap = <h1 class="c-{field:layout}">|</h1>page.10.htmlSpecialChars = 1

28

page.10 = TEXTpage.10.field = titlepage.10.dataWrap = <h1 class="c-{field:layout}">|</h1>page.10.htmlSpecialChars = 1

29



Security Workshop

Security Problems

30



Security Workshop

XSS

31



Security Workshop

HTML Contexts• HTML-Element

• HTML-Attribute Value

• JS-Values

• URL Parameter

32



Security Workshop

CSRF

33

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

CSRF

34

http://bank.com/transfer.do?acct=MARIA&amount=100000






Security Workshop

Avoid CSRF• Secret random token in the request

• Save token in session

• One-Time Token may have usability impacts

35



Security Workshop

SQLi

36



Security Workshop

File Handling

37



Security Workshop

Header Injection

38



Security Workshop

Code Injection

39



Security Workshop

Insecure Unserialize

40



Security Workshop

Extbase Security

41



Security Workshop

XSS

42



Security Workshop

extbase

XSS• Flash Messages

• Context

43



Security Workshop

SQLi

44



Security Workshop

Mass Assignment

45



Security Workshop

Access Violation

46



Security Workshop

Best Practice

47



Security Workshop

Best Practice• Every request is an attack as long the opposite is proven

• User input is untrustable

• User input needs to be validated and encoded and escaped right before output

• Encoding and escaping depends on the context

• Separation of Concerns

48



Security Workshop

What is User Input?• $_REQUEST ($_GET, $_POST, $_COOKIE)

• $_FILES

• $_SERVER

• Filenames

• External Services

• Editors are users

49



Security Workshop

How to treat User Input• Validation

• Filtering

• Escaping

• Encoding

50

How to treat User Input

Escaping/ Encoding

User Input

Output

Validate/ Filter

evil™

stop execution?

context!

51



Security Workshop

How to treat User Input• Filter Input

• Escape Output

52



Security Workshop

How to treat User Input• Filter Input

• Check Type

• Check Format

• Check length

• Escape Output

• Context!

• DB, HTML, JS

• Directly before output

53

Separation of Concerns• Security issues are bugs

• Clean code leads to less bugs

• Test Driven Development

• Leave Security to Security Code

54



Security Workshop

TYPO3 Security Team

55



Security Workshop

TYPO3 Security Team

TYPO3 Security Team• Responsible Disclosure Policy

• One communication channel ([email protected])

• Pre-Announcements for critical issues only

• You can support us with sober and precise communication and reading the Security Bulletins carefully

56



Security Workshop

TYPO3 Security Team

CVSS2 Score• It is a calculation to help you to identify the severity of a

Security Issue

• The result are 4 different Scores

• Base Score

• Temporal Score

• Environmental Score

• Overall Score

57

Questions?

62

Thank you!

@[email protected]

63

Security Pitfalls vs. Best Practices

Technology

Transcript of Security Pitfalls vs. Best Practices