Transcript
Page 1: H4CK1N6 - Web Application Security

H4CK1N6 - Web Application Security in TYPO3

September 17th, 2016

Page 2: H4CK1N6 - Web Application Security

~whois oliver.hader
• is living in Hof, Bavaria, Germany
• is a freelance software engineer
• is TYPO3 core developer since 2007
• is member of the TYPO3 security team
• is studying at University of Applied Sciences Hof
• is currently working on event-sourcing for TYPO3
• loves cross-country mountain biking

Page 3: H4CK1N6 - Web Application Security

~overviewing ~deep-analyzing ~evil-hacking ~considering

Page 4: H4CK1N6 - Web Application Security

What we’re dealing with…

• A1: Injection - SQLi, CMDi - tricking interpreters
• A2: Authentication - permissions of ”somebody”
• A3: XSS - unintended, but executable information

Page 5: H4CK1N6 - Web Application Security

You’ve been H4CK3D

Page 6: H4CK1N6 - Web Application Security

Let’s assume…
• you have been hacked & you know that
• no information about severity… yet
  • is information or content modified?
  • is the attack continuing or repeating?
  • is password or private data stolen?
• you have to handle & clean up the hack
  • What to do? In which order?

Page 7: H4CK1N6 - Web Application Security

Strategy #1
• just overwrite from backup
• update system & extensions
• clear cache & that’s it
• BUT
  • What was the entry point?
  • What exactly happened?
  • Will it happen again?

Page 8: H4CK1N6 - Web Application Security

Strategy #2
• take web-server offline & redirect to static page
• analyze what happened & find first entry-point
• understand the attack & secure the whole system
• apply clean backups - compromised or clean?
• BUT
  • Your customer will hate you! … and love you!
  • … what? Going the secure way sounds better!

Page 9: H4CK1N6 - Web Application Security

Strategy #2
• search for anomalies in logs and file-system
  • mass-requests to different URLs from same IP
  • HTTP POST requests with large (download) size
  • script files (PHP, Perl, CGI) in e.g. image folders
• search for actions during non-business hours
  • back-end login at 03:00 in the morning
  • content changes at midnight

Page 10: H4CK1N6 - Web Application Security

Analysis
• find modified files: find . -mtime -1 (last day) or find . -mmin -30 (last 30 minutes)
• determine modification time - time of attack? stat some-file.php
• find accordant log entries
  • in web-server logs
  • in TYPO3 application logs

Page 15: H4CK1N6 - Web Application Security

Results so far…
• exact time 2016-09-14T14:54:59+0200
• extension saltedpassword created - how?
• PHP script Resources/Public/test.php
• called multiple times & with HTTP POST method
• might be a web shell: eval(gzinflate(base64_decode('S03OyFdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))
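As an added example (not part of the deck and not TYPO3 code), a POSIX shell script that automates the file-system side of Pages 9, 10 and 15: files changed recently, script files inside asset folders, the eval-of-decoded-blob loader signature, and the mtime that anchors the log search. It builds its own constructed document root so it runs offline; DOCROOT, the planted file names and the placeholder blob are assumptions.

```shell
#!/bin/sh
# Added example, not from the deck: first-pass file-system triage of a
# suspected TYPO3 compromise. It builds a constructed document root with a
# planted loader so it runs offline; set DOCROOT to a real installation.
set -u
WORK=$(mktemp -d)
DOCROOT="$WORK/htdocs"
mkdir -p "$DOCROOT/fileadmin/images" \
         "$DOCROOT/typo3conf/ext/saltedpassword/Resources/Public"

# Constructed sample files: an image, a config file with an old mtime, a PHP
# script inside an image folder, and the eval(gzinflate(base64_decode(...)))
# loader from Page 15 with the blob replaced by a placeholder.
printf 'GIF89a' > "$DOCROOT/fileadmin/images/logo.gif"
printf '<?php echo 1;' > "$DOCROOT/fileadmin/images/thumb.php"
printf '<?php return [];' > "$DOCROOT/typo3conf/LocalConfiguration.php"
touch -t 201609140000 "$DOCROOT/typo3conf/LocalConfiguration.php"
printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER")));' \
  > "$DOCROOT/typo3conf/ext/saltedpassword/Resources/Public/test.php"

# find -mmin -N: files changed during the last N minutes (paths relative to DOCROOT).
recently_modified() {
  find "$DOCROOT" -type f -mmin "-$1" | sed "s#^$DOCROOT/##" | sort
}

# Script files (PHP, Perl, CGI) in folders that should only hold assets.
scripts_in_asset_folders() {
  find "$DOCROOT/fileadmin" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.pl' -o -name '*.cgi' \) \
    | sed "s#^$DOCROOT/##" | sort
}

# Files that eval() a decoded or inflated blob, the usual web shell loader.
webshell_candidates() {
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|base64_decode|str_rot13)' \
    "$DOCROOT" 2>/dev/null | sed "s#^$DOCROOT/##" | sort || true
}

# stat: modification time of one file, the anchor for the log search
# (GNU stat first, BSD/macOS stat as fallback).
modified_at() {
  stat -c '%y' "$DOCROOT/$1" 2>/dev/null \
    || stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$DOCROOT/$1"
}

echo "--- changed in the last 30 minutes"; recently_modified 30
echo "--- scripts under fileadmin";        scripts_in_asset_folders
echo "--- web shell candidates";           webshell_candidates
echo "--- mtime of the planted loader"
modified_at typo3conf/ext/saltedpassword/Resources/Public/test.php
```

On a real system, run it against a copy of the document root taken before any clean-up, since overwriting from backup destroys the mtimes you are looking for.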

Page 20: H4CK1N6 - Web Application Security

Results so far…
• admin user somebody logged in & logged out
• extension saltedpassword installed during session
• further PHP warnings & errors found in log
• a bunch of MySQL warnings found
  • might be result of SQL injection

Page 21: H4CK1N6 - Web Application Security

H4CK1N6 process

Page 23: H4CK1N6 - Web Application Security

tx_listing_listing[itemId]=1

Page 24: H4CK1N6 - Web Application Security

tx_listing_listing[itemId]=1+AND+1=0

Page 25: H4CK1N6 - Web Application Security

tx_listing_listing[itemId]=1+OR+1=1

Page 26: H4CK1N6 - Web Application Security

~/typo3conf/ext/listing/ext_tables.sql - 11 columns

Page 27: H4CK1N6 - Web Application Security

What the ”hacker” did…
• found website at http://7.6.local.typo3.org/
• found plugin that accepts parameters via HTTP: index.php?id=37&tx_listing_listing[itemId]=1&tx_listing_listing[action]=show&tx_listing_listing[controller]=Item
• basically it was some penetration testing tool
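The log-side anomalies from Pages 9, 10 and 20 and the boolean probes from Pages 23 to 25, as an added example that is not from the deck: a POSIX shell script run over a constructed Apache combined access log (RFC 5737 addresses, request paths, sizes and user agents are made up to mirror the incident described above).

```shell
#!/bin/sh
# Added example, not from the deck: hunting the log anomalies listed on
# Pages 9, 10 and 20 in an Apache combined access log. The log below is
# constructed (RFC 5737 addresses) and mirrors the traces the deck describes.
set -u
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
203.0.113.5 - - [14/Sep/2016:14:53:10 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1&tx_listing_listing[action]=show&tx_listing_listing[controller]=Item HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2016:14:53:12 +0200] "GET /index.php?id=37&tx_listing_listing%5BitemId%5D=1+AND+1=0&tx_listing_listing%5Baction%5D=show HTTP/1.1" 200 4018 "-" "sqlmap/1.0"
203.0.113.5 - - [14/Sep/2016:14:53:13 +0200] "GET /index.php?id=37&tx_listing_listing%5BitemId%5D=1+OR+1=1&tx_listing_listing%5Baction%5D=show HTTP/1.1" 200 9831 "-" "sqlmap/1.0"
198.51.100.7 - - [14/Sep/2016:14:54:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 7110 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2016:14:54:59 +0200] "POST /typo3conf/ext/saltedpassword/Resources/Public/test.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2016:14:55:03 +0200] "POST /typo3conf/ext/saltedpassword/Resources/Public/test.php HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2016:03:02:41 +0200] "POST /typo3/index.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2016:09:15:00 +0200] "POST /typo3/index.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
EOF

# Requests per client address, busiest first: "<ip> <count>".
requests_per_ip() {
  awk '{print $1}' "$LOGFILE" | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# POSTs to script files in folders that should only serve static assets
# (fileadmin, uploads, an extension's Resources/Public), with response size.
posts_to_asset_scripts() {
  awk '$6 == "\"POST" && $7 ~ "^/(fileadmin|uploads|typo3conf/ext/[^/]+/Resources/Public)/.*[.](php|phtml|pl|cgi)" \
       { print $1, $4, $7, $10 }' "$LOGFILE"
}

# Requests whose itemId parameter carries a boolean probe such as 1+AND+1=0
# or 1+OR+1=1 (Pages 24 and 25), brackets raw or URL-encoded.
injection_probes() {
  grep -iE 'itemId(]|%5D)=[0-9]+(\+|%20| )+(AND|OR)(\+|%20| )+' "$LOGFILE" \
    | awk '{ print $1, $4, $7 }' || true
}

# Backend logins outside business hours: POSTs under /typo3/ whose hour
# field (after the first ":" of the timestamp) is earlier than 06:00.
off_hours_backend_posts() {
  awk '$6 == "\"POST" && $7 ~ "^/typo3/" { split($4, t, ":"); if (t[2] + 0 < 6) print $1, $4, $7 }' "$LOGFILE"
}

echo "--- requests per IP";          requests_per_ip
echo "--- POSTs to asset scripts";   posts_to_asset_scripts
echo "--- injection probes";         injection_probes
echo "--- off-hours backend POSTs";  off_hours_backend_posts
```

The same address showing up in all four lists, as it does here, is the correlation that turns a list of anomalies into a timeline of the entry point.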

Page 28: H4CK1N6 - Web Application Security

Kali Linux
• hacker’s toolbox
• network & wireless sniffing tools
• exploitation tools & distributed execution
  • like Metasploit & Armitage
• web application hacking tools
  • like SqlMap & BeEF XSS

Page 29: H4CK1N6 - Web Application Security

SqlMap & Collecting Data

Page 32: H4CK1N6 - Web Application Security

BeEF XSS & client hijacking

Page 33: H4CK1N6 - Web Application Security

Development & Security

Page 34: H4CK1N6 - Web Application Security

A pessimistic approach…
• every request is a potential attack
• submitted data are not trustworthy
  • as long as the opposite is proven
• validate & filter everything on server-side
  • (even if browser ”did” that already)
• encode, escape or cast for target context
  • (HTML, database, file-system, system call, mail, …)

Page 35: H4CK1N6 - Web Application Security

More optimistic approach…
• no necessity for fatal failures & exceptions
• provide understandable messages to user
  • warn, if something unexpected happened
  • notify & emit confirmation dialogs
• put anomalies to dedicated log-files
• implement alternative notifications
  • e.g. mail to user if username was used for login

Page 36: H4CK1N6 - Web Application Security

Considerations

Page 37: H4CK1N6 - Web Application Security

Mitigation strategies
• network-based intrusion detection - e.g. Snort
  • analyses network-connections and anomalies
• host-based intrusion detection - e.g. Samhain
  • file integrity checks & log file monitoring
• web application firewall - e.g. mod_security
  • individual filter rules for HTTP requests
  • capable of denying SQL or XSS attacks

Page 38: H4CK1N6 - Web Application Security

Information Disclosure
• everything that is not required by the application
  • debug output & fragments - use a debugger
  • outdated source-code - use Git for this
• carefully select failure messages
  • ”username was not found on system” versus
  • ”username and password are not correct”
• hide configuration via server-rules - .htaccess

Page 39: H4CK1N6 - Web Application Security

Session Management
• always use secure channels (HTTPS)
• enforce HTTP-only & secure cookies
• avoid custom $_SESSION & $_COOKIE games
• select reasonable session time-out values
• use CSRF tokens for actions & forms

Page 40: H4CK1N6 - Web Application Security

Authentication Management
• lock users with old MD5 passwords
• limit amount of admin users
• limit permissions per user
• enforce strong & different passwords
• apply debriefing strategy (employee quit job)
• use backend login notification feature of TYPO3
• separation of developer, integrator, admin, editor

Page 41: H4CK1N6 - Web Application Security

Framework & Complexity
• understand what the framework is doing
  • which security precautions are available
  • which are not & how to close that gap
• keep track of important/breaking changes
  • this might take some time, sure
  • but hackers will do that as well
• apply security updates as soon as possible

Page 42: H4CK1N6 - Web Application Security

Laziness & Copy-Paste
• using ”Page PHP Content Element”
  • allows (good) backend editors to write code
  • … to write untested, insecure & executable code
• allowing TypoScript for everybody
  • allows (good) backend editors to write code
  • … to write even more insecure code
  • … since TypoScript is a facade to real PHP calls

Page 43: H4CK1N6 - Web Application Security

• cast or escape insecure variables: (int)$item
• use the provided API calls as much as possible
• understand what the framework is really doing


Page 45: H4CK1N6 - Web Application Security

• filter or encode insecure variables
• really remove debug code or <f:comment>
• understand what the framework is really doing

Page 46: H4CK1N6 - Web Application Security

There is more…

Page 47: H4CK1N6 - Web Application Security

Further topics…
• on cross-site-scripting & cross-site-tracing
  • CORS - cross-origin resource sharing
  • HSTS - HTTP strict transport security
  • CSP - HTTP content security policy
• httpoxy - attacks via HTTP Proxy headers
• ImageTragick - attacks via crafted images
• TYPO3 Security Guide - aspects in more detail

Page 48: H4CK1N6 - Web Application Security

Questions?

Page 49: H4CK1N6 - Web Application Security

Sources
• OWASP & Top 10 2013
  • https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
  • https://www.owasp.org/index.php/Top_10_2013-Top_10
• Triad of Confidentiality, Integrity & Availability
  • http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
  • http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm
• System Commands & Kali Linux
  • http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/
  • https://www.kali.org/
  • https://github.com/sqlmapproject/sqlmap/wiki/Usage
  • https://github.com/beefproject/beef/wiki
• Mitigation Strategies
  • https://www.snort.org/
  • http://la-samhna.de/samhain/
  • https://www.modsecurity.org/

Page 50: H4CK1N6 - Web Application Security

Sources
• Considerations
  • https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess file)
  • https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (example, TypoScript to PHP facade)
• Examples - not recommended unless you really know what you’re doing
  • https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only)
  • https://typo3.org/extensions/repository/view/typoscript_code (example only)
• Further topics
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • https://developer.mozilla.org/de/docs/Web/Security/CSP
  • https://imagetragick.com/
  • https://httpoxy.org/
  • https://docs.typo3.org/typo3cms/SecurityGuide/Index.html

Page 51: H4CK1N6 - Web Application Security

Screencasts
• SqlMap
  • https://www.youtube.com/watch?v=VIGVlmaKqxY
• BeEF XSS
  • https://www.youtube.com/watch?v=WBDWWv5zdUQ