SlideShare a Scribd company logo

Web Application Security Workshop (T3DD19)

Oliver Hader, profile picture
Oliver Hader

The document outlines a web application security workshop led by Oliver Hader during the TYPO3 Developer Days 2019, focusing on various attack techniques such as XSS, SQL injection, and insecure deserialization. Participants are introduced to attack tools, vulnerability scoring, and best practices for reporting security issues. The workshop emphasizes the importance of confidentiality, integrity, and availability in web application security.

Technology
1 of 91
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Web Application Security Workshop Oliver Hader oliver@typo3.org @ohader TYPO3 Developer Days 2019 August 4th, 2019
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2 ▪Research & Development ▪Security Team Lead ▪50% TYPO3 GmbH ▪50% freelance software engineer ▪#hof #cycling #paramedic #in.die.musik ~# whoami Oliver Hader @ohader
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 3 ▪ session probably recorded ▪ real attack vectors are shown ▪ hackers probably knew already ▪ official security fixes available ▪ report to security@typo3.org Disclaimer
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Agenda 4 ▪ Attack technique basics (XSS, SQLi, deserialization) ▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi) ▪ Phar Stream Vulnerability & Wrapper ▪ CVSSv3 vulnerability scoring ▪ TYPO3 Security Team ▪ Capture the Flag Agenda ⏳
What is your agenda? Do you have questions? 5TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Web Application Security Basics 6
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Web Application Security 7 ▪ CIA/compliance triad ▪ confidentiality ▪ private, personal, sensitive information ▪ integrity ▪ manipulation of information (“fake news”) ▪ availability ▪ denial of service ▪ online bank account ▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 8 Hacking Playground CONFIDENTIALITY - unauthorised access to information
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 9 Hacking Playground INTEGRITY - e.g. manipulated information
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 10 Hacking Playground AVAILABILITY - information/service not available
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 11 Web Application Security Open Web Application Security Project - TOP 10 vulnerabilities https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf TYPO3 core TYPO3 3rd party extensionsPHP world TYPO3vulnerabilitiesinpast5years
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 12 Web Application Security attack chains - multiple components might be affected https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Hacking Playground
 https://github.com/ ohader/typo3v9- hack/ 13TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Techniques, Mitigation, Tools 14
Cross-Site Scripting 15TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 16 Cross-Site Scripting - basics “classic” XSS
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 17 Cross-Site Scripting - basics XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 18 Cross-Site Scripting - basics “classic” XSS mitigation ✔
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 19 Cross-Site Scripting - basics XSS with Fluid - f:format.html relies on TypoScript being available
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 20 Cross-Site Scripting - basics ViewHelper without any escaping == potentially vulnerable to XSS
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 21 http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 22 XSS exploitation
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 23 Browser Exploitation Framework in action
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 24 Browser Exploitation Framework in action
SQL injection 25TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 26 SQL injection basics “classic” SQL injection - query
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org SQL injection basics 27 ▪ SELECT … WHERE uid=10 AND pid>0; ▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true ▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false ▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time ▪ comment literals (MySQL) ▪ -- ▪ # ▪ /* data */
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org SQL injection basics 28 ▪ SELECT … WHERE uid=10 AND pid>0; ▪ SELECT uid,pid,header WHERE uid=10 
 UNION SELECT username,password,3 
 FROM be_users WHERE SUBSTR(username, 1, 1) = ‘a’ 
 LIMIT 1,1 
 -- AND pid>0; ▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = ‘d’ … ▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = ‘m’ … ▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = ‘i’ … ▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = ’n’ …
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 29 SQL injection QueryBuilder WHERE SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 30 SQL injection QueryBuilder WHERE SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 31 SQL injection QueryBuilder WHERE (prepared statement) SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1; ✔
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 32 SQL injection QueryBuilder WHERE … WHERE `header` LIKE ‘%a%_%b%';
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 33 SQL injection QueryBuilder WHERE … WHERE `header` LIKE ‘%a%_%b%’; ✔
SQLmap 34TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 35 http://typo3v9-hack.ddev.site/?eID=comments&search=term
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 36 ▪ ddev ssh -s sqlmap ▪ bash # suggested ▪ git checkout master ▪ git pull
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 37 ▪ ./sqlmap -u '<uri>' ––risk 3 ––level 3 ––banner ▪ regular call ▪ ./sqlmap -u 'http://typo3v9-hack.ddev.site/? eID=comments&search=typo3*' ––risk 3 ––level 3 ––banner ▪ inside ddev container ▪ ./sqlmap -u 'http://web/?eID=comments&search=typo3*' ––risk 3 ––level 3 ––sql-shell # marker* in GET parameters ▪ ./sqlmap -u 'http://web/?eID=comments' ––data '&search=typo3*' ––risk 3 ––level 3 ––sql-shell # marker* in POST
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 38 SQLmap
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 39 meanwhile in /var/log/nginx/access.log
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 40 possible SQL injection attack payload
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 41 remote SQL shell via SQL injection
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 42 “stacked queries” not allowed in PHP/PDO - SELECT …; INSERT …;
Insecure Deserialization 43TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 44 Insecure Deserialization - Basics __destruct() or __wakeup() methods are executed on deserialization
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 45 Insecure Deserialization - Basics user submitted payload to be deserialized
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 46 allowed_classes introduced with PHP 7.0 (Polyfill available)
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Insecure Deserialization - TYPO3-CORE-SA-2019-020 47 ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/ ▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/ ▪ overrideVals[<table>][l10n_diffsource]=<serialized payload> ▪ addressed on June 25th, 2019
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 48 Insecure Deserialization - Basics __destruct() saves content to filesystem
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 49 Remote Code Execution #1 making use of FileCookieJar as attack container
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 50 Remote Code Execution #1 prepare attack against TYPO3 backend
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 51 Remote Code Execution #1 actual attack payload that shall be executed
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 52 Remote Code Execution #1 XSRF token needs to be know (valid backend user required)
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 53 Remote Code Execution #1 output of injected & executed /typo3/hack.php
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 54 Remote Code Execution #1 … new admin user h4ck3r31 …
Other™ 55TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Other™ random topics 56 ▪ File Upload ▪ check/deny extensions (file deny pattern) ▪ check mime-types - image/png, text/html, … ▪ Extbase controller actions ▪ user/group access needs individual handling ▪ classic: logged in user can access profile data of others ▪ Directory Traversal ▪ zip bundle.zip ../malicious.php ▪ depends on how it is extracted
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org phar://… 57
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 58 https://packagist.org/packages/typo3/phar-stream-wrapper
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 59 ▪ usually used like
 require_once('phar://bundle.phar/vendor/autoload.php');
 $service = new BundleService(); ▪ Phar archives are vulnerable to insecure deserialisation ▪ all Phar archives in every PHP version (since 5.3) ▪ using “phar://“ stream wrapper is required here ▪ however, applies to regular file calls as well ▪ is_file(), file_exists(), fopen(), file_get_contents(), … ▪ is_file($_GET[‘fileName’]) // … user submitted data
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 60 demo web application
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 61 file does exist - correct
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 62 result of implicit insecure deserialization
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 63 Hybrid - Valid PNG file & Valid Phar archive
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 64 building hybrid Phar archive
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 65 PharStreamWrapper in TYPO3 core
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 66 ▪ TYPO3CMSCoreIOPharStreamWrapperInterceptor ▪ TYPO3 core - Phar only in typo3conf/ext/ directories ▪ TYPO3PharStreamWrapper…PharExtensionInterceptor ▪ Phar only with file extension “.phar” ▪ TYPO3PharStreamWrapper…PharMetaDataInterceptor ▪ Phar only without serialized objects in meta-data
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Vulnerability Reporting CVSSv3, Mitre & Co. 67
How to report? 68TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org How to report a security vulnerability? 69 ▪ always report via mail to security@typo3.org (Security Team) ▪ don’t post potential attacks to Forge, Twitter, … (public media) ▪ inform security team in case vulnerabilities are leaked ▪ please be patient & wait for feedback ▪ approx first response time is ~8 hours
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Responsible Disclosure Workflow 70 ▪ report vulnerability to vendor (here: security team) ▪ wait for feedback, questions or confirmation of this issue ▪ ask for status updates in case there is no activity ▪ declare deadline for full disclosure (e.g. 90 days) ▪ in case vendor does not take actions - public disclosure ▪ vendors (should) have interest to release security bulletins ▪ hiding vulnerability caused feeling of false security
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 71 Responsible Disclosure Workflow https://blog.ripstech.com/2019/typo3-overriding-the-database/
How to read reports? 72TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 73 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 74 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 75 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org CVSSv3 example #1 76 ▪ CVE-2013-1937 ▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability ▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before version 3.5.8. These allow remote attackers to inject arbitrary JavaScript or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameters.”
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 77 CVSSv3 example #1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org CVSSv3 example #2 78 ▪ CVE-2016-1645 ▪ Google Chrome PDFium JPEG 2000 Remote Code Execution Vulnerability ▪ “Allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the victim must visit a malicious page or open a malicious file. Flaw exists within the handling of JPEG 2000 images. Specially crafted JPEG 2000 image embedded inside a PDF can force Google Chrome to write memory past the end of an allocated object. Attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.”
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 79 CVSSv3 example #2 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 80 https://typo3.org/security/advisory/typo3-psa-2019-007/
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 81 https://typo3.org/security/advisory/typo3-psa-2019-007/
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 82 https://nvd.nist.gov/vuln/detail/CVE-2019-11831
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 83 https://nvd.nist.gov/vuln/detail/CVE-2019-11831
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org TYPO3 Security Team 84
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 85 ▪ triage and answer reports ▪ communicate with reporters (individuals, pen-testers) ▪ forward information to maintainers (core, extension author, …) ▪ frankly remind people in case activity is kind of low ▪ coordinate releases & release dates ▪ compile information into security bulletins / announcements ▪ educate & raise awareness in teams & community
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Capture the Flag 86
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 87 https://www.root-me.org/en/Challenges/Web-Server/
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 88 https://ctf.hacker101.com/ctf
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 89 ▪ https://www.root-me.org/en/Challenges/Web-Server/SQL- injection-Error # might work with SQLmap ▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org References 90 ▪ Running an SQL Injection Attack: // “Computerphile“, nice series
 https://www.youtube.com/watch?v=ciNHn38EyRc ▪ WordPress WPDB SQL Injection: // nice, on “custom” escaping
 https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb- sql-injection-technical.html ▪ CVSSv3 Examples:
 https://www.first.org/cvss/v3.0/examples
thx! ;-) 91

More Related Content

PDF
Little Gems in TYPO3 v12
Jigal van Hemert
 
PDF
Spark로 알아보는 빅데이터 처리
Jeong-gyu Kim
 
PDF
Druid Adoption Tips and Tricks
Imply
 
PDF
Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Mydbops
 
PDF
Percona Xtrabackup - Highly Efficient Backups
Mydbops
 
PDF
MySQL InnoDB Cluster - Group Replication
Frederic Descamps
 
PDF
Oracle GoldenGate Presentation from OTN Virtual Technology Summit - 7/9/14 (PDF)
Bobby Curtis
 
PDF
Treinamento Data Guard
Douglas Paiva de Sousa
 
Little Gems in TYPO3 v12
Jigal van Hemert
 
Spark로 알아보는 빅데이터 처리
Jeong-gyu Kim
 
Druid Adoption Tips and Tricks
Imply
 
Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Mydbops
 
Percona Xtrabackup - Highly Efficient Backups
Mydbops
 
MySQL InnoDB Cluster - Group Replication
Frederic Descamps
 
Oracle GoldenGate Presentation from OTN Virtual Technology Summit - 7/9/14 (PDF)
Bobby Curtis
 
Treinamento Data Guard
Douglas Paiva de Sousa
 

Similar to Web Application Security Workshop (T3DD19) (20)

PDF
Hacking TYPO3 v9 (T3DD19 edition)
Oliver Hader
 
PDF
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
Oliver Hader
 
PPTX
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
Chanaka Lasantha
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
PPTX
Widespread security flaws in web application development 2015
mahchiev
 
PDF
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
NSC42 Ltd
 
PDF
Cyber Security Workshop @SPIT- 3rd October 2015
Nilesh Sapariya
 
PDF
Network Hacking Training - Course Gate
Course Gate
 
PDF
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
PDF
"Designing Secure Infrastructure for High Growth Product" by Rendra Perdana (...
Tech in Asia ID
 
PDF
Who owns Software Security
devObjective
 
PDF
Who Owns Software Security?
ColdFusionConference
 
PDF
Hacking TYPO3 v9
Oliver Hader
 
PPTX
TWISummit 2019 - Build Security In
Thoughtworks
 
PPTX
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
PPTX
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Cristian Garcia G.
 
PDF
Common Security Misconception
Matthew Ong
 
PPTX
Nsc42 the security phoenix
NSC42 Ltd
 
PDF
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Chetan Khatri
 
PDF
Mitre ATT&CK by Mattias Almeflo Nixu
Nixu Corporation
 
Hacking TYPO3 v9 (T3DD19 edition)
Oliver Hader
 
T3DD23 Content Security Policy - Concept, Strategies & Pitfalls
Oliver Hader
 
CYBER SECURITY WORKSHOP (Only For Educational Purpose)
Chanaka Lasantha
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
Widespread security flaws in web application development 2015
mahchiev
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
NSC42 Ltd
 
Cyber Security Workshop @SPIT- 3rd October 2015
Nilesh Sapariya
 
Network Hacking Training - Course Gate
Course Gate
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp
 
"Designing Secure Infrastructure for High Growth Product" by Rendra Perdana (...
Tech in Asia ID
 
Who owns Software Security
devObjective
 
Who Owns Software Security?
ColdFusionConference
 
Hacking TYPO3 v9
Oliver Hader
 
TWISummit 2019 - Build Security In
Thoughtworks
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Cristian Garcia G.
 
Common Security Misconception
Matthew Ong
 
Nsc42 the security phoenix
NSC42 Ltd
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Chetan Khatri
 
Mitre ATT&CK by Mattias Almeflo Nixu
Nixu Corporation
 
Ad

More from Oliver Hader (15)

PDF
SAST für TYPO3 Extensions
Oliver Hader
 
PDF
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
Oliver Hader
 
PDF
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
Oliver Hader
 
PDF
TYPO3 Event Sourcing
Oliver Hader
 
PDF
H4CK1N6 - Web Application Security
Oliver Hader
 
PDF
TYPO3 Backstage Development
Oliver Hader
 
PDF
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Oliver Hader
 
PDF
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
Oliver Hader
 
PDF
Web Components
Oliver Hader
 
PDF
Web application security
Oliver Hader
 
PDF
Contribute to TYPO3 CMS
Oliver Hader
 
PDF
T3CON13DE - TYPO3 CMS Team
Oliver Hader
 
PDF
TYPO3camp Regensburg: TYPO3 6.0
Oliver Hader
 
PDF
TYPO3 Inline Relational Record Editing (IRRE)
Oliver Hader
 
PDF
TYPO3 4.6 & TYPO3 4.7
Oliver Hader
 
SAST für TYPO3 Extensions
Oliver Hader
 
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"
Oliver Hader
 
TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)
Oliver Hader
 
TYPO3 Event Sourcing
Oliver Hader
 
H4CK1N6 - Web Application Security
Oliver Hader
 
TYPO3 Backstage Development
Oliver Hader
 
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...
Oliver Hader
 
WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS
Oliver Hader
 
Web Components
Oliver Hader
 
Web application security
Oliver Hader
 
Contribute to TYPO3 CMS
Oliver Hader
 
T3CON13DE - TYPO3 CMS Team
Oliver Hader
 
TYPO3camp Regensburg: TYPO3 6.0
Oliver Hader
 
TYPO3 Inline Relational Record Editing (IRRE)
Oliver Hader
 
TYPO3 4.6 & TYPO3 4.7
Oliver Hader
 
Ad

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Approach and Philosophy of On baking technology
30anthuong17
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
August Patch Tuesday
Ivanti
 
A Presentation on Touch Screen Technology
memembruh336
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 

Web Application Security Workshop (T3DD19)

  • 1. Web Application Security Workshop Oliver Hader oliver@typo3.org @ohader TYPO3 Developer Days 2019 August 4th, 2019
  • 2. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2 ▪Research & Development ▪Security Team Lead ▪50% TYPO3 GmbH ▪50% freelance software engineer ▪#hof #cycling #paramedic #in.die.musik ~# whoami Oliver Hader @ohader
  • 3. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 3 ▪ session probably recorded ▪ real attack vectors are shown ▪ hackers probably knew already ▪ official security fixes available ▪ report to security@typo3.org Disclaimer
  • 4. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Agenda 4 ▪ Attack technique basics (XSS, SQLi, deserialization) ▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi) ▪ Phar Stream Vulnerability & Wrapper ▪ CVSSv3 vulnerability scoring ▪ TYPO3 Security Team ▪ Capture the Flag Agenda ⏳
  • 5. What is your agenda? Do you have questions? 5TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 6. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Web Application Security Basics 6
  • 7. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Web Application Security 7 ▪ CIA/compliance triad ▪ confidentiality ▪ private, personal, sensitive information ▪ integrity ▪ manipulation of information (“fake news”) ▪ availability ▪ denial of service ▪ online bank account ▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
  • 8. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 8 Hacking Playground CONFIDENTIALITY - unauthorised access to information
  • 9. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 9 Hacking Playground INTEGRITY - e.g. manipulated information
  • 10. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 10 Hacking Playground AVAILABILITY - information/service not available
  • 11. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 11 Web Application Security Open Web Application Security Project - TOP 10 vulnerabilities https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf TYPO3 core TYPO3 3rd party extensionsPHP world TYPO3vulnerabilitiesinpast5years
  • 12. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 12 Web Application Security attack chains - multiple components might be affected https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 14. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Techniques, Mitigation, Tools 14
  • 15. Cross-Site Scripting 15TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 16. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 16 Cross-Site Scripting - basics “classic” XSS
  • 17. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 17 Cross-Site Scripting - basics XSS vectors - more at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • 18. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 18 Cross-Site Scripting - basics “classic” XSS mitigation ✔
  • 19. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 19 Cross-Site Scripting - basics XSS with Fluid - f:format.html relies on TypoScript being available
  • 20. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 20 Cross-Site Scripting - basics ViewHelper without any escaping == potentially vulnerable to XSS
  • 21. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 21 http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
  • 22. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 22 XSS exploitation
  • 23. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 23 Browser Exploitation Framework in action
  • 24. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 24 Browser Exploitation Framework in action
  • 25. SQL injection 25TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 26. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 26 SQL injection basics “classic” SQL injection - query
  • 27. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org SQL injection basics 27 ▪ SELECT … WHERE uid=10 AND pid>0; ▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true ▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false ▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time ▪ comment literals (MySQL) ▪ -- ▪ # ▪ /* data */
  • 28. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org SQL injection basics 28 ▪ SELECT … WHERE uid=10 AND pid>0; ▪ SELECT uid,pid,header WHERE uid=10 
 UNION SELECT username,password,3 
 FROM be_users WHERE SUBSTR(username, 1, 1) = ‘a’ 
 LIMIT 1,1 
 -- AND pid>0; ▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = ‘d’ … ▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = ‘m’ … ▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = ‘i’ … ▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = ’n’ …
  • 29. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 29 SQL injection QueryBuilder WHERE SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
  • 30. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 30 SQL injection QueryBuilder WHERE SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
  • 31. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 31 SQL injection QueryBuilder WHERE (prepared statement) SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1; ✔
  • 32. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 32 SQL injection QueryBuilder WHERE … WHERE `header` LIKE ‘%a%_%b%';
  • 33. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 33 SQL injection QueryBuilder WHERE … WHERE `header` LIKE ‘%a%_%b%’; ✔
  • 34. SQLmap 34TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 35. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 35 http://typo3v9-hack.ddev.site/?eID=comments&search=term
  • 36. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 36 ▪ ddev ssh -s sqlmap ▪ bash # suggested ▪ git checkout master ▪ git pull
  • 37. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 37 ▪ ./sqlmap -u '<uri>' ––risk 3 ––level 3 ––banner ▪ regular call ▪ ./sqlmap -u 'http://typo3v9-hack.ddev.site/? eID=comments&search=typo3*' ––risk 3 ––level 3 ––banner ▪ inside ddev container ▪ ./sqlmap -u 'http://web/?eID=comments&search=typo3*' ––risk 3 ––level 3 ––sql-shell # marker* in GET parameters ▪ ./sqlmap -u 'http://web/?eID=comments' ––data '&search=typo3*' ––risk 3 ––level 3 ––sql-shell # marker* in POST
  • 38. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 38 SQLmap
  • 39. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 39 meanwhile in /var/log/nginx/access.log
  • 40. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 40 possible SQL injection attack payload
  • 41. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 41 remote SQL shell via SQL injection
  • 42. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 42 “stacked queries” not allowed in PHP/PDO - SELECT …; INSERT …;
  • 43. Insecure Deserialization 43TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 44. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 44 Insecure Deserialization - Basics __destruct() or __wakeup() methods are executed on deserialization
  • 45. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 45 Insecure Deserialization - Basics user submitted payload to be deserialized
  • 46. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 46 allowed_classes introduced with PHP 7.0 (Polyfill available)
  • 47. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Insecure Deserialization - TYPO3-CORE-SA-2019-020 47 ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/ ▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/ ▪ overrideVals[<table>][l10n_diffsource]=<serialized payload> ▪ addressed on June 25th, 2019
  • 48. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 48 Insecure Deserialization - Basics __destruct() saves content to filesystem
  • 49. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 49 Remote Code Execution #1 making use of FileCookieJar as attack container
  • 50. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 50 Remote Code Execution #1 prepare attack against TYPO3 backend
  • 51. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 51 Remote Code Execution #1 actual attack payload that shall be executed
  • 52. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 52 Remote Code Execution #1 XSRF token needs to be know (valid backend user required)
  • 53. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 53 Remote Code Execution #1 output of injected & executed /typo3/hack.php
  • 54. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 54 Remote Code Execution #1 … new admin user h4ck3r31 …
  • 55. Other™ 55TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 56. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Other™ random topics 56 ▪ File Upload ▪ check/deny extensions (file deny pattern) ▪ check mime-types - image/png, text/html, … ▪ Extbase controller actions ▪ user/group access needs individual handling ▪ classic: logged in user can access profile data of others ▪ Directory Traversal ▪ zip bundle.zip ../malicious.php ▪ depends on how it is extracted
  • 57. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org phar://… 57
  • 58. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 58 https://packagist.org/packages/typo3/phar-stream-wrapper
  • 59. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 59 ▪ usually used like
 require_once('phar://bundle.phar/vendor/autoload.php');
 $service = new BundleService(); ▪ Phar archives are vulnerable to insecure deserialisation ▪ all Phar archives in every PHP version (since 5.3) ▪ using “phar://“ stream wrapper is required here ▪ however, applies to regular file calls as well ▪ is_file(), file_exists(), fopen(), file_get_contents(), … ▪ is_file($_GET[‘fileName’]) // … user submitted data
  • 60. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 60 demo web application
  • 61. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 61 file does exist - correct
  • 62. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 62 result of implicit insecure deserialization
  • 63. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 63 Hybrid - Valid PNG file & Valid Phar archive
  • 64. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 64 building hybrid Phar archive
  • 65. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 65 PharStreamWrapper in TYPO3 core
  • 66. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 66 ▪ TYPO3CMSCoreIOPharStreamWrapperInterceptor ▪ TYPO3 core - Phar only in typo3conf/ext/ directories ▪ TYPO3PharStreamWrapper…PharExtensionInterceptor ▪ Phar only with file extension “.phar” ▪ TYPO3PharStreamWrapper…PharMetaDataInterceptor ▪ Phar only without serialized objects in meta-data
  • 67. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Vulnerability Reporting CVSSv3, Mitre & Co. 67
  • 68. How to report? 68TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 69. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org How to report a security vulnerability? 69 ▪ always report via mail to security@typo3.org (Security Team) ▪ don’t post potential attacks to Forge, Twitter, … (public media) ▪ inform security team in case vulnerabilities are leaked ▪ please be patient & wait for feedback ▪ approx first response time is ~8 hours
  • 70. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Responsible Disclosure Workflow 70 ▪ report vulnerability to vendor (here: security team) ▪ wait for feedback, questions or confirmation of this issue ▪ ask for status updates in case there is no activity ▪ declare deadline for full disclosure (e.g. 90 days) ▪ in case vendor does not take actions - public disclosure ▪ vendors (should) have interest to release security bulletins ▪ hiding vulnerability caused feeling of false security
  • 71. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 71 Responsible Disclosure Workflow https://blog.ripstech.com/2019/typo3-overriding-the-database/
  • 72. How to read reports? 72TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
  • 73. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 73 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 74. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 74 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 75. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 75 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 76. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org CVSSv3 example #1 76 ▪ CVE-2013-1937 ▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability ▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before version 3.5.8. These allow remote attackers to inject arbitrary JavaScript or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameters.”
  • 77. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 77 CVSSv3 example #1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 78. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org CVSSv3 example #2 78 ▪ CVE-2016-1645 ▪ Google Chrome PDFium JPEG 2000 Remote Code Execution Vulnerability ▪ “Allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the victim must visit a malicious page or open a malicious file. Flaw exists within the handling of JPEG 2000 images. Specially crafted JPEG 2000 image embedded inside a PDF can force Google Chrome to write memory past the end of an allocated object. Attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.”
  • 79. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 79 CVSSv3 example #2 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • 80. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 80 https://typo3.org/security/advisory/typo3-psa-2019-007/
  • 81. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 81 https://typo3.org/security/advisory/typo3-psa-2019-007/
  • 82. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 82 https://nvd.nist.gov/vuln/detail/CVE-2019-11831
  • 83. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 83 https://nvd.nist.gov/vuln/detail/CVE-2019-11831
  • 84. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org TYPO3 Security Team 84
  • 85. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 85 ▪ triage and answer reports ▪ communicate with reporters (individuals, pen-testers) ▪ forward information to maintainers (core, extension author, …) ▪ frankly remind people in case activity is kind of low ▪ coordinate releases & release dates ▪ compile information into security bulletins / announcements ▪ educate & raise awareness in teams & community
  • 86. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org Capture the Flag 86
  • 87. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 87 https://www.root-me.org/en/Challenges/Web-Server/
  • 88. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 88 https://ctf.hacker101.com/ctf
  • 89. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 89 ▪ https://www.root-me.org/en/Challenges/Web-Server/SQL- injection-Error # might work with SQLmap ▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
  • 90. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org References 90 ▪ Running an SQL Injection Attack: // “Computerphile“, nice series
 https://www.youtube.com/watch?v=ciNHn38EyRc ▪ WordPress WPDB SQL Injection: // nice, on “custom” escaping
 https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb- sql-injection-technical.html ▪ CVSSv3 Examples:
 https://www.first.org/cvss/v3.0/examples