security pitfalls vs. best practices
TRANSCRIPT
![Page 1: Security Pitfalls vs. Best Practices](https://reader034.vdocuments.us/reader034/viewer/2022042700/554bd934b4c905706a8b534d/html5/thumbnails/1.jpg)
Inspiring people to share
TYPO3 Developer Days - Hamburg 2013
Security Workshop
T3DD13 Security Workshop
Helmut Hummel <[email protected]>
07.07.2013
Security Pitfalls vs. Best Practices
1
Agenda
• What does Security mean?
• Knowing the enemy
• Pitfalls
• Best Practice
• TYPO3 Security Team
What does Security mean?
Absence of potential Damage
Protecting Information
Unauthorized access
Unauthorized modification
Loss
CIA Triad
Confidentiality, Integrity and Availability of Information (triangle diagram)
What is Security?
Security is relative
• Security depends on your needs / kind of Information
• Security depends on a certain point in time
• Security needs to be constantly adapted and improved
Characteristics of Security
• There is no absolute Security
• An environment is only as secure as its weakest point
• Security is an investment
• The effort spent on Security must be proportional to the potential damage
• A system can be called secure if the effort of compromising it is far higher than the possible gains
Security is a process, not a product. (Bruce Schneier)
General Security Principles
• Least privilege
• Minimize Exposure
• Do not rely on „security by obscurity“
• Defense in depth
Defense in Depth (layer diagram)
• Server: firewall, proxy
• Webserver: mod_security
• PHP: suhosin, PHP hardening
• DBMS: SQL proxy
• OS and PHP application, each behind its own security layer(s)
Knowing the enemy
Different Motivations
• Money
• Influence
• Fame
• Fun
Different Proceedings
• Automated attacks
• Targeted attacks
Demo
Pitfalls
TypoScript
Unfiltered GET parameter used in the SQL WHERE clause:

```typoscript
page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.wrap = pid=|
```

With intval = 1 the parameter is cast to an integer before it reaches the query:

```typoscript
page.10 = CONTENT
page.10.table = tt_content
page.10.where = colPos=0
page.10.andWhere.data = GP:page_id
page.10.andWhere.intval = 1
page.10.andWhere.wrap = pid=|
```
insertData = 1 substitutes {...} markers in the whole wrapped value, so an editor-controlled field can pull in other data (slide annotation: DB : be_users:1:password):

```typoscript
page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1
```

dataWrap substitutes markers only inside the wrap, not in the field value:

```typoscript
page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
```

htmlSpecialChars = 1 additionally escapes the field value for the HTML context:

```typoscript
page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
```
Security Problems
XSS
HTML Contexts
• HTML-Element
• HTML-Attribute Value
• JS-Values
• URL Parameter
CSRF
The forged request from the slide, hidden in an image tag so that the victim's browser sends it together with the victim's cookies:

```html
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
```
Avoid CSRF
• Secret random token in the request
• Save token in session
• One-Time Token may have usability impacts
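A minimal implementation of the three points above, added here as an example that is not from the slides or from TYPO3 itself: plain PHP 7.1+, a session-stored random token, constant-time comparison, and the one-time variant as an option; the function and field names are this example's own.

```php
<?php
// Added example (not from the slides): CSRF protection with a secret random
// token, stored in the session and compared in constant time. Plain PHP 7.1+,
// no TYPO3 API; function and field names are assumptions of this example.

session_start();

// Hand out the token. With $oneTime a fresh token is minted for every form,
// which is stricter but breaks multi-tab use (the usability impact noted on
// the slide); otherwise one token lives for the whole session.
function csrf_token(bool $oneTime = false): string
{
    if ($oneTime || empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the form; the token sits in an HTML attribute, so it is
// escaped for that context even though hex needs no escaping.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// The request is an attack until proven otherwise: a missing or mismatching
// token rejects it. hash_equals avoids leaking the token through timing.
function csrf_is_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Handler for a state-changing action (hypothetical transfer form). The state
// change runs only on POST; the <img> trick on the earlier slide works only
// because that action accepts a plain GET.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_is_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    unset($_SESSION['csrf_token']); // one-time use; drop this line for a per-session token
    // ... perform the transfer ...
    exit('Transfer accepted');
}

echo '<form method="post">' . csrf_field()
    . '<input name="amount"><button>Transfer</button></form>';
```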
SQLi
File Handling
Header Injection
Code Injection
Insecure Unserialize
Extbase Security
XSS
• Flash Messages
• Context
SQLi
Mass Assignment
Access Violation
Best Practice
Best Practice
• Every request is an attack until the opposite is proven
• User input cannot be trusted
• User input needs to be validated and encoded and escaped right before output
• Encoding and escaping depends on the context
• Separation of Concerns
What is User Input?
• $_REQUEST ($_GET, $_POST, $_COOKIE)
• $_FILES
• $_SERVER
• Filenames
• External Services
• Editors are users
How to treat User Input
• Validation
• Filtering
• Escaping
• Encoding
How to treat User Input (flow diagram): User Input → Validate / Filter (evil™? stop execution?) → Escaping / Encoding (context!) → Output
How to treat User Input
• Filter Input
• Escape Output
How to treat User Input
• Filter Input
  • Check Type
  • Check Format
  • Check length
• Escape Output
  • Context!
    • DB, HTML, JS
  • Directly before output
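The Filter Input / Escape Output rule worked through for the HTML contexts listed earlier (element, attribute value, JS value, URL parameter), added here as an example that is not from the slides or from TYPO3: plain PHP 7.1+, no TYPO3 API, and the function names and sample values are this example's own.

```php
<?php
// Added example (not from the slides): filter input on the way in, escape on
// the way out, with the encoder chosen by output context. Plain PHP, no TYPO3
// API; the function names and sample values are assumptions of this example.

// Filter Input: check type, length and format of a page id taken from $_GET.
function filter_page_id($raw): ?int
{
    if (!is_string($raw) || strlen($raw) > 10) {   // check type and length
        return null;
    }
    if (!preg_match('/^[1-9][0-9]*$/', $raw)) {     // check format
        return null;
    }
    return (int) $raw;
}

// Escape Output, directly before output, one encoder per context.
// HTML element content and quoted HTML attribute values.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JS value inside a <script> block: JSON-encode and hex-escape the HTML
// specials so neither </script> nor quotes can break out of the literal.
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL parameter value: percent-encode everything outside the unreserved set.
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed input: an editor-supplied title (editors are users too) and a
// GET parameter that must pass the filter before it is used.
$title = 'Summer "Sale" <b>50%</b> & more';
$pageId = filter_page_id($_GET['page_id'] ?? '');
if ($pageId === null) {
    http_response_code(400);
    exit('Invalid page id');
}

// The same value in four contexts: attribute, element, JS value, URL parameter.
echo '<h1 class="c-' . esc_html($title) . '">' . esc_html($title) . "</h1>\n";
echo '<script>var title = ' . esc_js($title) . ";</script>\n";
echo '<a href="/page?page_id=' . $pageId . '&amp;t=' . esc_url_param($title) . '">'
    . esc_html($title) . "</a>\n";
```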
Separation of Concerns
• Security issues are bugs
• Clean code leads to fewer bugs
• Test Driven Development
• Leave Security to Security Code
TYPO3 Security Team
• Responsible Disclosure Policy
• One communication channel ([email protected])
• Pre-Announcements for critical issues only
• You can support us with sober and precise communication and reading the Security Bulletins carefully
CVSS2 Score
• It is a calculation that helps you identify the severity of a Security Issue
• The result is 4 different Scores
  • Base Score
  • Temporal Score
  • Environmental Score
  • Overall Score
Questions?