H4CK1N6 - Web Application Security


  • H4CK1N6 - Web Application Security in TYPO3

    September 17th, 2016

  • ~whois oliver.hader

    is living in Hof, Bavaria, Germany
    is freelance software engineer
    is TYPO3 core developer since 2007
    is member of the TYPO3 security team
    is studying at University of Applied Sciences Hof
    is currently working on event-sourcing for TYPO3
    loves cross-country mountain biking

  • ~overviewing ~deep-analyzing

    ~evil-hacking ~considering

  • What we're dealing with

    A1: Injection - SQLi, CMDi - tricking interpreters
    A2: Authentication - permissions of somebody
    A3: XSS - unintended, but executable information

  • You've been H4CK3D

  • Let's assume

    you have been hacked & you know that
    no information about severity yet
      is information or content modified?
      is the attack continuing or repeating?
      is password or private data stolen?
    you have to handle & clean up the hack
    What to do? In which order?

  • Strategy #1

    just overwrite from backup
    update system & extensions
    clear cache & that's it
    BUT
      What was the entry point?
      What exactly happened?
      Will it happen again?

  • Strategy #2

    take web-server offline & redirect to static page
    analyze what happened & find first entry-point
    understand the attack & secure the whole system
    apply clean backups - compromised or clean?
    BUT
      Your customer will hate you! and love you!
      what? Going the secure way sounds better!

  • Strategy #2

    search for anomalies in logs and file-system
      mass-requests to different URLs from same IP
      HTTP POST requests with large (download) size
      script files (PHP, Perl, CGI) in e.g. image folders
    search for actions during non-business hours
      back-end login at 03:00 in the morning
      content changes at midnight
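The log-side checks from this slide, run over a few constructed access-log lines, as an added example (Python; not code from the talk). The thresholds, business hours, asset-directory list and every sample IP and path are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} (\d+|-)')
SCRIPT = re.compile(r"\.(php\d?|phtml|pl|cgi)$", re.I)
# Directories that normally hold static assets only (assumed list).
ASSET_DIRS = ("/fileadmin/", "/uploads/", "/typo3temp/", "/Resources/Public/")

# Constructed sample in Apache combined-log layout; IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2016:14:40:01 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1 HTTP/1.1" 200 9021
203.0.113.7 - - [14/Sep/2016:14:40:02 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1+AND+1=0 HTTP/1.1" 200 4100
203.0.113.7 - - [14/Sep/2016:14:40:03 +0200] "GET /index.php?id=37&tx_listing_listing[itemId]=1+OR+1=1 HTTP/1.1" 200 9021
203.0.113.7 - - [14/Sep/2016:14:54:59 +0200] "POST /typo3conf/ext/saltedpassword/Resources/Public/test.php HTTP/1.1" 200 48231
198.51.100.4 - - [14/Sep/2016:03:00:12 +0200] "POST /typo3/index.php HTTP/1.1" 200 1840
192.0.2.10 - - [14/Sep/2016:10:12:05 +0200] "GET /fileadmin/images/logo.png HTTP/1.1" 200 3300
"""

def triage(log_text, scan_urls=4, big_post=20000, work_hours=range(8, 18)):
    """Return {rule: [(ip, iso_time, detail), ...]} for the anomaly classes above."""
    hits, urls_by_ip = defaultdict(list), defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unparsable line: skip rather than guess
        ip, stamp, method, url, size = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0]
        urls_by_ip[ip].add(url)
        event = (ip, when.isoformat(), url)
        if SCRIPT.search(path) and any(d in path for d in ASSET_DIRS):
            hits["script_in_asset_dir"].append(event)
        if method == "POST" and size != "-" and int(size) >= big_post:
            hits["large_post_response"].append(event)
        if path.startswith("/typo3/") and when.hour not in work_hours:
            hits["backend_off_hours"].append(event)
    for ip, urls in urls_by_ip.items():
        if len(urls) >= scan_urls:
            hits["many_urls_one_ip"].append((ip, None, f"{len(urls)} distinct URLs"))
    return dict(hits)

if __name__ == "__main__":
    for rule, events in triage(SAMPLE_LOG).items():
        print(rule, events)
```

Each hit carries a timestamp that can be lined up with file modification times from the file-system search.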

  • Analysis

    find modified files
      find . -mtime -1
      find . -mmin -30
    determine modification time - time of attack?
      stat some-file.php
    find corresponding log entries
      in web-server logs
      in TYPO3 application logs

  • Results so far

    exact time 2016-09-14T14:54:59+0200
    extension saltedpassword created - how?
    PHP script Resources/Public/test.php
      called multiple times & with HTTP POST method
      might be a web shell
      eval(gzinflate(base64_decode('S03OyFdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))
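A wrapper like the one on this slide can be unpacked statically, without ever running the suspicious PHP. Added example (Python; not code from the talk): `unwrap` and `DECODERS` are names chosen here, and the only input is the string shown on the slide.

```python
import base64
import re
import zlib

# PHP decoding wrappers mapped to pure-Python equivalents. Only data is
# transformed; nothing from the suspicious file is ever evaluated.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE
    "gzuncompress": zlib.decompress,                  # zlib stream
    "gzdecode": lambda b: zlib.decompress(b, 31),     # gzip stream
}
WRAPPED = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([A-Za-z0-9+/=\s]+)\2")

# The wrapper string shown on the slide.
SLIDE_SAMPLE = "eval(gzinflate(base64_decode('S03OyFdQ91RIzFVIVChPTSrOSM3JUbcGAA==')))"

def unwrap(php_source, max_layers=10):
    """Peel eval(<decoders>('<literal>')) layers; return each decoded layer as text."""
    layers, text = [], php_source
    for _ in range(max_layers):
        match = WRAPPED.search(text)
        if not match:
            break
        chain = re.findall(r"\w+", match.group(1))          # outermost call first
        data = re.sub(r"\s+", "", match.group(3)).encode()  # drop line-wrap whitespace
        try:
            for name in reversed(chain):                    # innermost call runs first
                data = DECODERS[name](data)
        except (KeyError, ValueError, zlib.error):
            break  # unknown wrapper or corrupt data: stop and keep earlier layers
        text = data.decode("utf-8", "replace")
        layers.append(text)
    return layers

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SLIDE_SAMPLE), 1):
        print(f"layer {depth}: {layer}")
```

The loop keeps peeling because such wrappers are often nested; it stops at the first layer that is plain PHP or uses a wrapper it does not know.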

  • Results so far

    admin user somebody logged in & logged out
    extension saltedpassword installed during session
    further PHP warnings & errors found in log
    a bunch of MySQL warnings found
      might be result of SQL injection

  • H4CK1N6 process

  • tx_listing_listing[itemId]=1

  • tx_listing_listing[itemId]=1+AND+1=0

  • tx_listing_listing[itemId]=1+OR+1=1

  • ~/typo3conf/ext/listing/ext_tables.sql

    11 columns

  • What the hacker did

    found website at http://7.6.local.typo3.org/
    found plugin that accepts parameters via HTTP
      index.php?id=37&tx_listing_listing[itemId]=1&tx_listing_listing[action]=show&tx_listing_listing[controller]=Item
    basically it was some penetration testing tool

  • Kali Linux

    hacker's toolbox
    network & wireless sniffing tools
    exploitation tools & distributed execution
      like Metasploit & Armitage
    web application hacking tools
      like SqlMap & BeEF XSS

  • SqlMap & Collecting Data

  • BeEF XSS & client hijacking

  • Development & Security

  • A pessimistic approach

    every request is a potential attack
    submitted data are not trustworthy until the opposite is proven
    validate & filter everything on server-side
      (even if browser did that already)
    encode, escape or cast for target context
      (HTML, database, file-system, system call, mail, ...)

  • More optimistic approach

    no necessity for fatal failures & exceptions
    provide understandable messages to user
      warn, if something unexpected happened
    notify & emit confirmation dialogs
      put anomalies to dedicated log-files
    implement alternative notifications
      e.g. mail to user if username was used for login

  • Considerations

  • Mitigation strategies

    network-based intrusion detection - e.g. Snort
      analyses network-connections and anomalies
    host-based intrusion detection - e.g. Samhain
      file integrity checks & log file monitoring
    web application firewall - e.g. mod_security
      individual filter rules for HTTP requests
      capable of denying SQL or XSS attacks

  • Information Disclosure

    everything that is not required by the application
      debug output & fragments - use a debugger
      outdated source-code - use Git for this
    carefully select failure messages
      "username was not found on system" versus "username and password are not correct"
    hide configuration via server-rules - .htaccess

  • Session Management

    always use secure channels (HTTPS)
    enforce HTTP-only & secure cookies
    avoid custom $_SESSION & $_COOKIE games
    select reasonable session time-out values
    use CSRF tokens for actions & forms

  • Authentication Management

    lock users with old MD5 passwords
    limit number of admin users
    limit permissions per user
    enforce strong & different passwords
    apply debriefing strategy (employee quit job)
    use backend login notification feature of TYPO3
    separation of developer, integrator, admin, editor

  • Framework & Complexity

    understand what the framework is doing
      which security precautions are available
      which are not & how to close that gap
    keep track of important/breaking changes
      this might take some time, sure
      but hackers will do that as well
    apply security updates as soon as possible

  • Laziness & Copy-Paste

    using Page PHP Content Element
      allows (good) backend editors to write code
      to write untested, insecure & executable code
    allowing TypoScript for everybody
      allows (good) backend editors to write code
      to write even more insecure code
      since TypoScript is a facade to real PHP calls

  • cast or escape insecure variables

      (int)$item
    use the provided API calls as much as possible
    understand what the framework is really doing
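What the cast buys for the three `itemId` values shown on the earlier slides, as an added example (Python with sqlite3 standing in for the PHP/MySQL stack; not code from the talk or from TYPO3). The table name and rows are hypothetical, and where PHP's `(int)` would turn both probe strings into 1, this version rejects non-numeric input instead.

```python
import re
import sqlite3

def make_db():
    """Hypothetical stand-in for the plugin's table; name and rows are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tx_listing_item (uid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO tx_listing_item VALUES (?, ?)",
                   [(1, "first"), (2, "second"), (3, "third")])
    return db

def show_concatenated(db, item_id):
    # Before: the request value becomes part of the SQL text and is parsed as SQL.
    sql = "SELECT uid FROM tx_listing_item WHERE uid = " + item_id + " ORDER BY uid"
    return [row[0] for row in db.execute(sql)]

def show_bound(db, item_id):
    # After: accept digits only, then pass the integer as a bound parameter.
    if not re.fullmatch(r"[0-9]+", item_id):
        return []
    sql = "SELECT uid FROM tx_listing_item WHERE uid = ? ORDER BY uid"
    return [row[0] for row in db.execute(sql, (int(item_id),))]

# itemId values from the slides, URL-decoded ('+' is a space in a query string).
SLIDE_VALUES = ["1", "1 AND 1=0", "1 OR 1=1"]

def compare():
    """Map each slide value to (concatenated result, bound result)."""
    db = make_db()
    return {v: (show_concatenated(db, v), show_bound(db, v)) for v in SLIDE_VALUES}

if __name__ == "__main__":
    for value, (before, after) in compare().items():
        print(f"{value!r:14} concatenated={before} bound={after}")
```

With the bound version the true and false probes return the same empty result, so the response no longer varies with the injected condition.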

  • filter or encode insecure variables

    really remove debug code
    or understand what the framework is really doing

  • There is more

  • Further topics

    on cross-site-scripting & cross-site-tracing
      CORS - cross-origin resource sharing
      HSTS - HTTP strict transport security
      CSP - HTTP content security policy
    httpoxy - attacks via HTTP Proxy headers
    ImageTragick - attacks via crafted images
    TYPO3 Security Guide - aspects in more detail

  • Questions?

  • Sources

    OWASP & Top 10 2013
      https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
      https://www.owasp.org/index.php/Top_10_2013-Top_10
    Triad of Confidentiality, Integrity & Availability
      http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
      http://www.doc.ic.ac.uk/~ajs300/security/CIA.htm
    System Commands & Kali Linux
      http://www.thegeekstuff.com/2009/06/15-practical-unix-linux-find-command-examples-part-2/
      https://www.kali.org/
      https://github.com/sqlmapproject/sqlmap/wiki/Usage
      https://github.com/beefproject/beef/wiki
    Mitigation Strategies
      https://www.snort.org/
      http://la-samhna.de/samhain/
      https://www.modsecurity.org/


  • Sources

    Considerations
      https://github.com/TYPO3/TYPO3.CMS/blob/master/_.htaccess (suggested .htaccess file)
      https://github.com/TYPO3/TYPO3.CMS/blob/master/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php (example, TypoScript to PHP facade)
    Examples - not recommended unless you really know what you're doing
      https://typo3.org/extensions/repository/view/pe_pagephpcontentelement/ (example only)
      https://typo3.org/extensions/repository/view/typoscript_code (example only)
    Further topics
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
      https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
      https://developer.mozilla.org/de/docs/Web/Security/CSP
      https://imagetragick.com/
      https://httpoxy.org/
      https://docs.typo3.org/typo3cms/SecurityGuide/Index.html


  • Screencasts

    SqlMap
      https://www.youtube.com/watch?v=VIGVlmaKqxY
    BeEF XSS



  • Thank you! ohader

    follow me https://h4ck3r31.net