T3DD11 Security Workshop
1 like550 views
Helmut Hummel gave a presentation on security concepts and flaws at T3DD11. He discussed what security is, characteristics of security like privacy and integrity. He outlined security guidelines like filtering user input, defense in depth, and avoiding security by obscurity. Specific vulnerabilities covered included SQL injection, cross-site scripting (XSS), email header injection, cross-site request forgery (CSRF). He explained how to prevent these vulnerabilities through techniques like prepared statements, escaping, and double submit cookies. Resources for further learning about security were provided.
![SQL Injection
<?php
$searchWhere = "students.student_name LIKE " . $_GET['student_name'];
?>
Inspiring people
T3DD11 Security Workshop shar](https://image.slidesharecdn.com/t3dd11-security-slideshare-110708191821-phpapp02/85/T3DD11-Security-Workshop-14-320.jpg)
![Fixed
<?php
$studentName = mysql_real_escape_string($_GET['student_name'], $link);
$searchWhere = "students.student_name LIKE '" . $studentName . "'";
?>
Inspiring people
T3DD11 Security Workshop shar](https://image.slidesharecdn.com/t3dd11-security-slideshare-110708191821-phpapp02/85/T3DD11-Security-Workshop-15-320.jpg)
![Even better
<?php
$studentName = mysql_real_escape_string($_GET['student_name'], $link);
$studentName = addcslashes($studentName, '_%');
$searchWhere = "students.student_name LIKE '" . $studentName . "'";
?>
Inspiring people
T3DD11 Security Workshop shar](https://image.slidesharecdn.com/t3dd11-security-slideshare-110708191821-phpapp02/85/T3DD11-Security-Workshop-16-320.jpg)
T3DD11 Security Workshop
- 1. T3DD11 Security Security 鍖aws versus Security concepts How to code with Security in mind 07.07.2011 Helmut Hummel <helmut.hummel@typo3.org>
- 2. Introduction About me Involved in TYPO3 project since 2005 Member of the TYPO3 Security Team since 2008 TYPO3 Security Team Leader since 2009 TYPO3 Core Team Member since 2011 Employed at naw.info in Hannover, Germany Twitter: helhum Blog: http://www.naw.info/blogs/typo3security/ Inspiring people T3DD11 Security Workshop shar
- 3. Introduction About you Working development environment (IDE / Firefox)? Know what XSS, SQLi or CSRF is? Found a vulnerability in a TYPO3 or an extension? Reported your 鍖ndings to security@typo3.org? Did a security code review? Inspiring people T3DD11 Security Workshop shar
- 4. Security Flaws versus Security Concepts Agenda What is Security? Security Guidelines Hacking / Code Review Session Getting into details about some vulnerability types Inspiring people T3DD11 Security Workshop shar
- 5. What is Security? Inspiring people T3DD11 Security Workshop shar
- 6. What is Security? Criteria for Security Privacy Integrity Availability Inspiring people T3DD11 Security Workshop shar
- 7. Why care? Inspiring people T3DD11 Security Workshop shar
- 8. The World is bad Inspiring people T3DD11 Security Workshop shar
- 9. How can we achieve Inspiring people T3DD11 Security Workshop shar
- 10. It depends! Inspiring people T3DD11 Security Workshop shar
- 11. What is Security? Characteristics of Security Security depends on your needs Security must constantly be adapted or improved There is no absolute Security Security is an investment Inspiring people T3DD11 Security Workshop shar
- 12. Security Guidelines Inspiring people T3DD11 Security Workshop shar
- 13. Inspiring people T3DD11 Security Workshop shar
- 14. SQL Injection <?php $searchWhere = "students.student_name LIKE " . $_GET['student_name']; ?> Inspiring people T3DD11 Security Workshop shar
- 15. Fixed <?php $studentName = mysql_real_escape_string($_GET['student_name'], $link); $searchWhere = "students.student_name LIKE '" . $studentName . "'"; ?> Inspiring people T3DD11 Security Workshop shar
- 16. Even better <?php $studentName = mysql_real_escape_string($_GET['student_name'], $link); $studentName = addcslashes($studentName, '_%'); $searchWhere = "students.student_name LIKE '" . $studentName . "'"; ?> Inspiring people T3DD11 Security Workshop shar
- 17. Security Guidelines Guidelines Inspiring people T3DD11 Security Workshop shar
- 18. Security Guidelines Guidelines Dont trust user data, dont trust Services Inspiring people T3DD11 Security Workshop shar
- 19. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Inspiring people T3DD11 Security Workshop shar
- 20. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Defense in depth Inspiring people T3DD11 Security Workshop shar
- 21. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Defense in depth Minimize Exposure / Least privilege Inspiring people T3DD11 Security Workshop shar
- 22. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Defense in depth Minimize Exposure / Least privilege Positive Security Model (Whitelist) Inspiring people T3DD11 Security Workshop shar
- 23. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Defense in depth Minimize Exposure / Least privilege Positive Security Model (Whitelist) Avoid security by obscurity Inspiring people T3DD11 Security Workshop shar
- 24. Security Guidelines Guidelines Dont trust user data, dont trust Services Filter / Validate / Escape / Encode Defense in depth Minimize Exposure / Least privilege Positive Security Model (Whitelist) Avoid security by obscurity Use logging Inspiring people T3DD11 Security Workshop shar
- 25. Cross Site Scripting (XSS) Inspiring people T3DD11 Security Workshop shar
- 26. Cross Site Scripting XSS Inspiring people T3DD11 Security Workshop shar
- 27. Cross Site Scripting XSS Persitent/ non persistent XSS Inspiring people T3DD11 Security Workshop shar
- 28. Cross Site Scripting XSS Persitent/ non persistent XSS Injecting Up / Break out of the current DOM context Inspiring people T3DD11 Security Workshop shar
- 29. Cross Site Scripting XSS Persitent/ non persistent XSS Injecting Up / Break out of the current DOM context Injecting Down Inspiring people T3DD11 Security Workshop shar
- 30. Cross Site Scripting XSS Persitent/ non persistent XSS Injecting Up / Break out of the current DOM context Injecting Down Stay in the current context, but use the possibiities Inspiring people T3DD11 Security Workshop shar
- 31. Cross Site Scripting XSS Persitent/ non persistent XSS Injecting Up / Break out of the current DOM context Injecting Down Stay in the current context, but use the possibiities <img src=/slideshow/t3dd11-security-workshop/8547623/"javascript:alert(document.cookie)" / > Inspiring people T3DD11 Security Workshop shar
- 32. Cross Site Scripting Preventing XSS Inspiring people T3DD11 Security Workshop shar
- 33. Cross Site Scripting Preventing XSS Input validation and/or 鍖ltering is not enough Inspiring people T3DD11 Security Workshop shar
- 34. Cross Site Scripting Preventing XSS Input validation and/or 鍖ltering is not enough Escape correctly, depending on the context Inspiring people T3DD11 Security Workshop shar
- 35. Cross Site Scripting Preventing XSS Input validation and/or 鍖ltering is not enough Escape correctly, depending on the context <script>...NEVER PUT UNTRUSTED DATA HERE...</script> <img src=/slideshow/t3dd11-security-workshop/8547623/... OR HERE ... /> Inspiring people T3DD11 Security Workshop shar
- 36. Email Header Injection Inspiring people T3DD11 Security Workshop shar
- 37. Email Header Injection Email Header Injection PHP mail() function and From: header Use 鍖lter_var($mail, FILTER_VALIDATE_EMAIL) do not allow chr(10) or chr(13) Inspiring people T3DD11 Security Workshop shar
- 38. SQL Injection (SQLi) Inspiring people T3DD11 Security Workshop shar
- 39. SQL Injection SQLi (blind) SQL Injections Timing attacs UNION SELECT Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,user name,password,0 from be_users where admin in(1) Check your TypoScript! Inspiring people T3DD11 Security Workshop shar
- 40. SQL Injection Prevent SQLi Inspiring people T3DD11 Security Workshop shar
- 41. SQL Injection Prevent SQLi Prepared Statements / PDO Inspiring people T3DD11 Security Workshop shar
- 42. SQL Injection Prevent SQLi Prepared Statements / PDO Escaping Inspiring people T3DD11 Security Workshop shar
- 43. SQL Injection Prevent SQLi Prepared Statements / PDO Escaping Typecasting (intval), whitelist validation Inspiring people T3DD11 Security Workshop shar
- 44. SQL Injection Prevent SQLi Prepared Statements / PDO Escaping Typecasting (intval), whitelist validation Using an ORM (extbase, FLOW3, QCodo, ...) Inspiring people T3DD11 Security Workshop shar
- 45. Cross Site Request Forgery Inspiring people T3DD11 Security Workshop shar
- 46. Cross Site Request Forgery CSRF Executing arbitrary actions on behalf of a victim <img src=/slideshow/t3dd11-security-workshop/8547623/"http:/bank.com/transfer.do acct=MARIA&amount=100000" width="1" height="1" border="0"> stored CSRF (like XSS) Targeted Emails Requires probably some kind of social engineering Inspiring people T3DD11 Security Workshop shar
- 47. Cross Site Request Forgery Prevent CSRF Limiting to POST not enough Double Submit Cookies Synchronizer Token Pattern Avoid Cross-Site Scripting (XSS) Vulnerabilities
- 49. Application Vulnerabilities More Information Disclosure HTTP Response Splitting Path Traversal Privilege Escalation Session Fixation LPAP Injection Remote Code Execution
- 50. T3DD10 Security Workshop Rescources PHP-Sicherheit (Christopher Kunz and Stefan Esser) Essential PHP Security (Chris Shi鍖ett) http://www.owasp.org/ http://typo3.org/teams/security/resources/ http://www.naw.info/blogs/typo3security/ Inspiring people T3DD11 Security Workshop shar
- 51. Thank you! Inspiring people T3DD11 Security Workshop shar
- 53. inspiring people to share.
Editor's Notes
- #2: \n
- #3: \n
- #4: \n
- #5: \n
- #6: Application Security, not personal nor gouvernmental\n\n
- #7: Privacy: Browser History\nIntegrity: Bank\nAvailability: Health monitoring\n
- #8: \n
- #9: \n
- #10: \n
- #11: \n
- #12: invest in resources taken for security / potential loss when hacked\n => If a hacker has to invest much more than he get&#x2018;s back, he or she won&#x2018;t attack\n=> Your system is secure\n\nAn application must constantly be improved\n => As hackers and hacker tools evolve, so the security concepts have to\n\n
- #13: \n
- #14: \n
- #15: \n
- #16: \n
- #17: \n
- #18: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #19: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #20: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #21: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #22: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #23: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #24: give least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User\nUser Data: GET,POST,COOKIE, DB?\nEscaping is all about context\nDefense in depth: as many defense lines as reasonable (Gesundheitsakte)\nTYPO3, no private data stored in db or hd, not even images\nauthentication through 64bit hash calculated of password\nall data from external db where all is encrypted (decrypted with hash)\nObscurity: e.g. alternate telnet port; hide source\n
- #25: \n
- #26: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #27: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #28: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #29: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #30: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #31: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #32: Injecting Up: "> </script>\nInjecting Down:\n<img src="...UNTRUSTED DATA HERE..." />< img src="javascript:alert(document.cookie)" />\n&#x201E;You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.&#x201C;\n\n\n
- #33: Input Validation: &#x201E;a>b&#x201C; or &#x201E;Me & you&#x201C;\n\ntwitter attack\nEscape not easy because of the different contexts of HTML\n\nhttp://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/\n <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script\n <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment\n <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name\n <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name\n\nContexts: HTML-Element, HTML-Attribute Value, JS-Variable Value, URL Parameter\n
- #34: Input Validation: &#x201E;a>b&#x201C; or &#x201E;Me & you&#x201C;\n\ntwitter attack\nEscape not easy because of the different contexts of HTML\n\nhttp://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/\n <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script\n <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment\n <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name\n <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name\n\nContexts: HTML-Element, HTML-Attribute Value, JS-Variable Value, URL Parameter\n
- #35: Input Validation: &#x201E;a>b&#x201C; or &#x201E;Me & you&#x201C;\n\ntwitter attack\nEscape not easy because of the different contexts of HTML\n\nhttp://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/\n <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script\n <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment\n <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name\n <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name\n\nContexts: HTML-Element, HTML-Attribute Value, JS-Variable Value, URL Parameter\n
- #36: \n
- #37: \n
- #38: \n
- #39: SELECT title, description, body FROM items WHERE ID = 2 and 1=2\nSELECT title, description, body FROM items WHERE ID = 2 and 1=1\n\n1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;\n\nDefense in depth (saltedpw)\nhttp://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281\n\n
- #40: Escaping: \n * use the TYPO3 API for that\n * fullQuoteStr(): &#x2018;&#x2018; are necessary\n
- #41: Escaping: \n * use the TYPO3 API for that\n * fullQuoteStr(): &#x2018;&#x2018; are necessary\n
- #42: Escaping: \n * use the TYPO3 API for that\n * fullQuoteStr(): &#x2018;&#x2018; are necessary\n
- #43: Escaping: \n * use the TYPO3 API for that\n * fullQuoteStr(): &#x2018;&#x2018; are necessary\n
- #44: \n
- #45: \n
- #46: POST can be forged, referrer can be spoofed\nDouble Submit Cookies\n*sending session id as cookie and form values\nDownsides: session hijacking, httponly for cookies not valid any more\nChallange-Response:\n*CAPTCHA\n*Re-Authentication (password), confirmation? alert() per javascript klickbar?\n*One-time Token\nSynchronizer Token Pattern\n*Generate one or more random tokens for a session (per session or per request)\n*randomize token variable name (per request downside: browser back button)\nhttp://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet\n\n
- #47: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #48: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #49: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #50: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #51: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #52: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #53: Privilege Escalation\nSession Fixation\nInformation Disclosure\nPath Traversal (Files)\nRemote Code Execution\n
- #54: \n
- #55: \n
- #56: \n