Hacking TYPO3
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 1st, 2019
TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ Security Team Lead
▪ 50% TYPO3 GmbH
▪ 50% freelance software engineer
▪ #hof #cycling #paramedic #in.die.musik
Disclaimer
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Web Application Security Basics
Web Application Security
▪ CIA/compliance triad
  ▪ confidentiality
    ▪ private, personal, sensitive information
  ▪ integrity
    ▪ manipulation of information (“fake news”)
  ▪ availability
    ▪ denial of service
    ▪ online bank account
    ▪ blocking information flow
https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
Hacking Playground
CONFIDENTIALITY - unauthorised access to information
Hacking Playground
INTEGRITY - e.g. manipulated information
Hacking Playground
AVAILABILITY - information/service not available
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Chart: TYPO3 vulnerabilities in past 5 years, by origin - TYPO3 core, TYPO3 3rd party extensions, PHP world
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Hacking Playground
https://github.com/ohader/typo3v9-hack/
Hacking Playground
https://github.com/ohader/typo3v9-hack
Session Hi-Jacking
thanks to Cross-Site Scripting
Session Hi-Jacking - insecure cookie
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/
▪ Install Tool Cookie did not have HttpOnly flag
▪ addressed on December 11th, 2018
Insecure Install Tool Cookie (HTTP-only flag missing)
… cookies can be read by (any) JavaScript …
Session Hi-Jacking - cross-site scripting
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-006/
▪ file.youtube or file.vimeo vulnerable to cross-site scripting
▪ addressed on December 11th, 2018
Session Hi-Jacking - cross-site scripting & insecure cookie
Asset.youtube file & JavaScript to be executed
Insecure Deserialization - Basics
… social engineering - somebody must click the file …
Insecure Deserialization - Basics
strange result & XSS exploitation in background
Session Hi-Jacking - cross-site scripting & insecure cookie
view of attacker - retrieving session cookie
Remote Code Execution #1
thanks to Insecure Deserialization
Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization
Insecure Deserialization - Basics
user submitted payload to be deserialized
Remote Code Execution #1
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
Insecure Deserialization - Basics
__destruct() saves content to filesystem
Remote Code Execution #1
making use of FileCookieJar as attack container
Remote Code Execution #1
prepare attack against TYPO3 backend
Remote Code Execution #1
actual attack payload that shall be executed
Remote Code Execution #1
XSRF token needs to be known (valid backend user required)
Remote Code Execution #1
output of injected & executed /typo3/hack.php
Remote Code Execution #1
… new admin user h4ck3r31 …
Remote Code Execution #2
thanks to Information Disclosure & Insecure Deserialization
typo3conf/LocalConfiguration.php.old
typo3conf/LocalConfiguration.php.old backup file
… what else can we find here? (standard configuration)
encryptionKey
Extbase __trustedProperties deserialisation
HMAC signing of __trustedProperties - based on encryptionKey
Remote Code Execution #2
similar attack using FileCookieJar
Remote Code Execution #2
output of injected & executed /typo3/hack.php
Okay, but what’s the point?!
▪ When being hacked, update ALL sensitive information
▪ backend user passwords
▪ frontend user passwords
▪ database credentials
▪ TYPO3 encryption key
▪ private/public key files
▪ …
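Added example (not from the slides or from TYPO3 core) for the deserialization basics above and for the encryptionKey-based HMAC on __trustedProperties: a hypothetical Gadget class shows why __wakeup()/__destruct() make unserialize() of user input dangerous, and the two defences are shown side by side. The sign/verify helpers, the Gadget class and the key values are constructed stand-ins; assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical class standing in for a deserialization "gadget": any class
// with __wakeup() or __destruct() has code executed merely because
// unserialize() instantiated it, before the application validates anything.
final class Gadget
{
    /** @var string[] records which magic methods ran (demo bookkeeping only) */
    public static array $calls = [];

    public function __wakeup(): void
    {
        self::$calls[] = 'wakeup';
    }

    public function __destruct()
    {
        self::$calls[] = 'destruct';
    }
}

// Unsafe: objects are created from the untrusted string and their magic
// methods run (__wakeup on unserialize, __destruct when the object dies).
function unsafeUnserialize(string $untrusted): array
{
    Gadget::$calls = [];
    $value = unserialize($untrusted);
    unset($value);                       // triggers __destruct()
    return Gadget::$calls;               // both magic methods have run by now
}

// Defence 1: never let unserialize() instantiate classes from user input.
// With allowed_classes => false every object becomes __PHP_Incomplete_Class,
// so no __wakeup()/__destruct() of a real class is ever reached.
function safeUnserialize(string $untrusted): array
{
    Gadget::$calls = [];
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    $incomplete = $value instanceof __PHP_Incomplete_Class;
    unset($value);
    return ['incomplete' => $incomplete, 'calls' => Gadget::$calls];
}

// Defence 2: authenticate the serialized blob before touching it, the way
// Extbase signs __trustedProperties with an HMAC keyed by the encryptionKey.
function sign(string $payload, string $key): string
{
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns the payload only if its HMAC verifies under $key, otherwise null.
function verify(string $signed, string $key): ?string
{
    $pos = strrpos($signed, '|');
    if ($pos === false) {
        return null;
    }
    $payload = substr($signed, 0, $pos);
    $mac = substr($signed, $pos + 1);
    // constant-time comparison; a plain === would leak timing information
    return hash_equals(hash_hmac('sha256', $payload, $key), $mac) ? $payload : null;
}

// --- demo -----------------------------------------------------------------

// Constructed attacker input: a serialized Gadget object, as it would arrive
// in a request parameter.
$untrusted = 'O:6:"Gadget":0:{}';

print_r(unsafeUnserialize($untrusted));
print_r(safeUnserialize($untrusted));

// $key stands in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'];
// the value here is constructed for the demo.
$key = 'constructed-demo-key';
$signed = sign(serialize(['title' => 'hello']), $key);

var_dump(verify($signed, $key) !== null);                       // genuine blob
var_dump(verify($untrusted . '|' . str_repeat('0', 64), $key)); // forged blob

// The HMAC only helps while the key is secret. Once it has leaked (the talk's
// LocalConfiguration.php.old backup) anyone can sign payloads, so the key
// must be rotated; every signature made with the old key is void afterwards.
$rotatedKey = 'constructed-new-key';
var_dump(verify($signed, $rotatedKey));

// Both defences together: verify first, then unserialize without objects.
$payload = verify($signed, $key);
$data = $payload === null ? null : unserialize($payload, ['allowed_classes' => false]);
print_r($data);
```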
“Flexibility” #1
thanks to insecure TypoScript (Cross-Site Scripting & SQL Injection)
GET/POST data in TypoScript - insertData injection
… retrieving arbitrary values from database …
Flexibility #1 - using TypoScript
▪ http://…/?name=Oliver
▪ http://…/?name=<script>alert('XSS')</script>
▪ http://…/?name={db:be_users:1:password}
▪ http://…/?name={file:1:contents}
▪ http://…/?name={getenv:PATH}
▪ …
▪ https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/DataTypes/Index.html
▪ TypoScript is powerful…
“Flexibility” #2
thanks to TypoScript for non-admins (Remote Code Execution)
Flexibility #2 - using TypoScript/TSconfig
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-019/
▪ Remote Code Execution using Page TSconfig
▪ access to pages.TSconfig needs to be granted explicitly
▪ addressed on June 25th, 2019
Page TSconfig assignments for pages
Page TSconfig supports conditions as well…
TYPO3 Security Team
▪ TYPO3 Security Team needs YOU
▪ core, extension & infrastructure security
▪ GitHub, packagist.org - not only TER
▪ feedback, advise, educate
▪ analyse & hack (PoC)
▪ ask @ohader / oliver@typo3.org
▪ (security reports to security@typo3.org)
more?
join T3DD Security Workshop on Sunday Morning
qstns?

Hacking TYPO3 v9 (T3DD19 edition)

• 12. Hacking Playground
  https://github.com/ohader/typo3v9-hack
• 13. Session Hi-Jacking thanks to Cross-Site Scripting
• 14. Session Hi-Jacking - insecure cookie
  ▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/
  ▪ Install Tool Cookie did not have HttpOnly flag
  ▪ addressed on December 11th, 2018
• 15. Insecure Install Tool Cookie (HTTP-only flag missing)
• 16. … cookies can be read by (any) JavaScript …
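The missing HttpOnly flag on slides 14 to 16 is what turns a reflected script injection into session theft: a cookie without that attribute is readable through `document.cookie` by any script the page executes. The following added example (my own code, not TYPO3's; the cookie name and path are assumptions, and the header strings are constructed samples) sets a session cookie with the attributes a defender wants and audits an outgoing `Set-Cookie` line so a deployment check can catch a regression like the one the advisory fixed.

```php
<?php
declare(strict_types=1);

/**
 * Set a session cookie with the attributes that keep it out of reach of
 * injected JavaScript (HttpOnly), off plain HTTP (Secure) and out of
 * cross-site requests (SameSite). The options array needs PHP >= 7.3.
 */
function setHardenedSessionCookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,          // session cookie, dropped when the browser closes
        'path'     => '/typo3/',  // assumed backend path; scope the cookie to it
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

/**
 * Audit one Set-Cookie header line and return the list of missing hardening
 * attributes (an empty array means the cookie is fine). Attribute names are
 * matched case-insensitively, as RFC 6265 requires.
 */
function auditSetCookieHeader(string $headerLine): array
{
    $parts = array_map('trim', explode(';', $headerLine));
    array_shift($parts); // first part is name=value, the rest are attributes
    $attrs = [];
    foreach ($parts as $part) {
        [$key, $val] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($key)] = $val === null ? true : trim($val);
    }

    $missing = [];
    if (!isset($attrs['httponly'])) {
        $missing[] = 'HttpOnly';
    }
    if (!isset($attrs['secure'])) {
        $missing[] = 'Secure';
    }
    $sameSite = isset($attrs['samesite']) ? strtolower((string)$attrs['samesite']) : '';
    if (!in_array($sameSite, ['strict', 'lax'], true)) {
        $missing[] = 'SameSite=Lax|Strict';
    }
    return $missing;
}

// Constructed sample headers (cookie name assumed, not the real install tool cookie).
$samples = [
    'install_tool=abc123; Path=/typo3/',                                   // shape of the pre-fix cookie on slide 15
    'install_tool=abc123; Path=/typo3/; Secure; HttpOnly; SameSite=Strict', // hardened form
];
foreach ($samples as $line) {
    $missing = auditSetCookieHeader($line);
    printf("%-72s -> %s\n", $line, $missing ? 'MISSING: ' . implode(', ', $missing) : 'ok');
}
```

Run the audit against the headers your reverse proxy actually emits, since a proxy or a second application on the same host can strip or rewrite attributes after PHP set them.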
• 17. Session Hi-Jacking - cross-site scripting
  ▪ https://typo3.org/security/advisory/typo3-core-sa-2018-006/
  ▪ file.youtube or file.vimeo vulnerable to cross-site scripting
  ▪ addressed on December 11th, 2018
• 18. Session Hi-Jacking - cross-site scripting & insecure cookie
  Asset.youtube file & JavaScript to be executed
• 19. Insecure Deserialization - Basics
  … social engineering - somebody must click the file …
• 20. Insecure Deserialization - Basics
  strange result & XSS exploitation in background
• 21. Session Hi-Jacking - cross-site scripting & insecure cookie
  view of attacker - retrieving session cookie
• 22. Remote Code Execution #1 thanks to Insecure Deserialization
• 23. Insecure Deserialization - Basics
  __destruct() or __wakeup() methods are executed on deserialization
• 24. Insecure Deserialization - Basics
  user submitted payload to be deserialized
• 25. Remote Code Execution #1
  ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
  ▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
  ▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
  ▪ addressed on June 25th, 2019
• 26. Insecure Deserialization - Basics
  __destruct() saves content to filesystem
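Slides 23 to 26 state the mechanism behind RCE #1: `unserialize()` rebuilds objects of any class loaded in the process, and their `__wakeup()` and `__destruct()` run without the application ever calling them. The added example below (my own code, not TYPO3's and not the FileCookieJar chain; the class and the payload are constructed) shows a toy class whose destructor fires from an attacker-shaped string, next to the two mitigations a maintainer has: restrict `unserialize()` with `allowed_classes` so the payload becomes an inert `__PHP_Incomplete_Class`, or switch to a data-only format such as JSON. Needs PHP 8.0 or newer.

```php
<?php
declare(strict_types=1);

/**
 * Constructed stand-in for any class with side effects in its destructor.
 * A real gadget (the FileCookieJar on slide 27) writes to the filesystem;
 * this one only records that the destructor ran, which shows the mechanism.
 */
final class TempFileWriter
{
    public static array $destructorCalls = [];

    public function __construct(public string $path, public string $content)
    {
    }

    public function __destruct()
    {
        // A real gadget would do file_put_contents($this->path, $this->content) here.
        self::$destructorCalls[] = $this->path;
    }
}

/** Vulnerable: whatever the request carries is turned into live objects. */
function loadSettingsInsecure(string $userInput): mixed
{
    return unserialize($userInput);
}

/** Hardened: no class is instantiated, so no magic method can run. */
function loadSettingsHardened(string $userInput): mixed
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

/** Safer still: JSON carries data only; objects are never reconstructed. */
function loadSettingsJson(string $userInput): ?array
{
    $data = json_decode($userInput, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed payload: the serialized form of the toy class, the kind of
// string a parameter such as l10n_diffsource (slide 25) would carry.
$payload = serialize(new TempFileWriter('/tmp/constructed-path.txt', 'constructed content'));
TempFileWriter::$destructorCalls = []; // discard the call from the temporary object above

$obj = loadSettingsInsecure($payload);
unset($obj); // the destructor fires here (or at script end if the object survives)
printf("insecure: destructor ran %d time(s)\n", count(TempFileWriter::$destructorCalls));

$obj = loadSettingsHardened($payload);
printf("hardened: got %s, destructor ran %d time(s)\n",
    get_class($obj), count(TempFileWriter::$destructorCalls));
unset($obj);

$json = loadSettingsJson('{"path":"/tmp/constructed-path.txt","content":"constructed content"}');
printf("json:     %s\n", json_encode($json));
```

The hardened variant still returns an object, just an `__PHP_Incomplete_Class` with the attacker's properties attached, so code that consumes the result must not blindly treat it as trusted data either; the JSON variant removes that concern along with the magic-method one.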
• 27. Remote Code Execution #1
  making use of FileCookieJar as attack container
• 28. Remote Code Execution #1
  prepare attack against TYPO3 backend
• 29. Remote Code Execution #1
  actual attack payload that shall be executed
• 30. Remote Code Execution #1
  XSRF token needs to be known (valid backend user required)
• 31. Remote Code Execution #1
  output of injected & executed /typo3/hack.php
• 32. Remote Code Execution #1
  … new admin user h4ck3r31 …
• 33. Remote Code Execution #2 thanks to Information Disclosure & Insecure Deserialization
• 34. typo3conf/LocalConfiguration.php.old
• 35. typo3conf/LocalConfiguration.php.old backup file
• 36. … what else can we find here? (standard configuration)
• 37. encryptionKey
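Slides 34 to 37 show how RCE #2 starts: a leftover `typo3conf/LocalConfiguration.php.old` is served as plain text, because the web server only hands files ending in `.php` to the interpreter, and it carries the `encryptionKey` together with the rest of the configuration. The added check below (my own code, not part of TYPO3) walks a configuration directory and reports leftover copies by their suffix. It builds a throw-away directory with constructed file names so it runs offline; point `findLeakedConfigBackups()` at a real `typo3conf/` to use it.

```php
<?php
declare(strict_types=1);

/**
 * Suffixes that editors, deploy scripts and humans leave behind. A file named
 * LocalConfiguration.php.old is not executed by PHP, so its source, including
 * encryptionKey and database credentials, is served verbatim.
 */
const BACKUP_SUFFIX_PATTERN = '/\.(old|bak|orig|save|swp)$|~$/i';

/**
 * Return a sorted list of paths under $dir whose name looks like a backup of a
 * PHP file. Only names that still contain ".php" are reported, because those
 * are the ones whose source would otherwise have stayed hidden.
 */
function findLeakedConfigBackups(string $dir): array
{
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $name = $file->getFilename();
        if (str_contains($name, '.php') && preg_match(BACKUP_SUFFIX_PATTERN, $name)) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

// Constructed fixture: a fake typo3conf/ with legitimate and leftover files.
$root = sys_get_temp_dir() . '/typo3conf-audit-' . bin2hex(random_bytes(4));
mkdir($root . '/typo3conf', 0700, true);
$created = [];
foreach ([
    'typo3conf/LocalConfiguration.php',      // legitimate, executed by PHP
    'typo3conf/LocalConfiguration.php.old',  // the file from slide 34
    'typo3conf/LocalConfiguration.php~',     // editor backup
    'typo3conf/settings.php.bak',            // constructed name
    'typo3conf/README.txt',                  // not a PHP backup, not reported
] as $relative) {
    $path = "$root/$relative";
    file_put_contents($path, "<?php // constructed fixture\n");
    $created[] = $path;
}

foreach (findLeakedConfigBackups($root . '/typo3conf') as $path) {
    echo 'leaked backup: ', substr($path, strlen($root) + 1), PHP_EOL;
}

// Remove the fixture again.
foreach ($created as $path) {
    unlink($path);
}
rmdir($root . '/typo3conf');
rmdir($root);
```

A matching web-server rule that refuses to serve anything below `typo3conf/` except what the application needs closes the same gap from the other side; the scan is the cheap check that tells you whether the rule is still doing its job.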
• 38. Extbase __trustedProperties deserialization
• 39. HMAC signing of __trustedProperties - based on encryptionKey
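Slide 39 is the pivot of RCE #2: Extbase only deserializes `__trustedProperties` after checking an HMAC computed with `encryptionKey`, so the signature is exactly as strong as the secrecy of that key, and the `.php.old` leak from slide 34 hands the key over. The added example below (my own illustration, not TYPO3's own hashing code; SHA-256, the field names and the keys are assumptions) signs a serialized property list, verifies it in constant time, and walks through what a tampered payload, a leaked key and the key rotation advised on slide 42 mean for existing signatures.

```php
<?php
declare(strict_types=1);

/** Append an HMAC to a serialized payload: <payload><hex hmac>. */
function signTrustedProperties(array $properties, string $encryptionKey): string
{
    $payload = serialize($properties);
    return $payload . hash_hmac('sha256', $payload, $encryptionKey);
}

/**
 * Verify the HMAC first and only then deserialize. hash_equals() avoids a
 * timing side channel on the comparison; allowed_classes=false keeps the
 * deserialization free of magic methods even if the check were ever bypassed.
 */
function verifyTrustedProperties(string $signed, string $encryptionKey): ?array
{
    $hmacLength = 64; // hex length of a SHA-256 digest
    if (strlen($signed) <= $hmacLength) {
        return null;
    }
    $payload = substr($signed, 0, -$hmacLength);
    $givenHmac = substr($signed, -$hmacLength);
    $expected = hash_hmac('sha256', $payload, $encryptionKey);
    if (!hash_equals($expected, $givenHmac)) {
        return null; // tampered, or signed with a different key
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed keys; a real encryptionKey is a long random string in LocalConfiguration.php.
$currentKey = 'constructed-key-from-LocalConfiguration';
$rotatedKey = 'constructed-key-after-incident';

$signed = signTrustedProperties(['name' => 'Oliver', 'email' => 'user@example.org'], $currentKey);

// 1. Honest request, signed and verified with the same key.
var_dump(verifyTrustedProperties($signed, $currentKey) !== null);

// 2. Tampered payload: the field list was edited after signing (same length,
//    so the serialized form stays valid, but the HMAC no longer matches).
$tampered = str_replace('"email"', '"admin"', $signed);
var_dump(verifyTrustedProperties($tampered, $currentKey));

// 3. Leaked key: whoever read the .php.old file can sign any property list,
//    which is why a signature check cannot protect a secret that was disclosed.
$forged = signTrustedProperties(['admin' => true], $currentKey);
var_dump(verifyTrustedProperties($forged, $currentKey) !== null);

// 4. Rotated key: every signature made with the old key is rejected, forged ones included.
var_dump(verifyTrustedProperties($forged, $rotatedKey));
```

Cases 1 and 3 verify and cases 2 and 4 are rejected, which is the whole argument of slide 42 in four lines: the HMAC tells you the payload was signed by someone holding the key, not that the holder was you, so after an incident the key itself has to change.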
• 40. Remote Code Execution #2
  similar attack using FileCookieJar
• 41. Remote Code Execution #2
  output of injected & executed /typo3/hack.php
• 42. Okay, but what’s the point?!
  ▪ When being hacked, update ALL sensitive information
  ▪ backend user passwords
  ▪ frontend user passwords
  ▪ database credentials
  ▪ TYPO3 encryption key
  ▪ private/public key files
  ▪ …
• 43. “Flexibility” #1 thanks to insecure TypoScript (Cross-Site Scripting & SQL Injection)
• 44. GET/POST data in TypoScript - insertData injection
• 45. … retrieving arbitrary values from database …
• 46. Flexibility #1 - using TypoScript
  ▪ http://…/?name=Oliver
  ▪ http://…/?name=<script>alert(‘XSS’)</script>
  ▪ http://…/?name={db:be_users:1:password}
  ▪ http://…/?name={file:1:contents}
  ▪ http://…/?name={getenv:PATH}
  ▪ …
  ▪ https://docs.typo3.org/m/typo3/reference-typoscript/master/en-us/DataTypes/Index.html
  ▪ TypoScript is powerful…
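Slides 44 to 46 show why `insertData` on request data is dangerous: the request value becomes the content first, and `insertData` is applied to that content afterwards, so any `{...}` marker the visitor types is expanded by the same `getData` machinery that serves `db:`, `file:` and `getenv:`. The added example below is a deliberately small PHP model of that pipeline (my own code, not TYPO3's ContentObjectRenderer; the marker table, the function names and the request values are constructed) that puts the vulnerable ordering next to a hardened one in which user input is escaped once and never re-interpreted.

```php
<?php
declare(strict_types=1);

/**
 * Constructed stand-in for getData(): in TYPO3 one resolver answers db:,
 * file:, getenv: and the other lookups. A two-entry table is enough to show
 * that a marker typed by the visitor reaches it.
 */
function getData(string $key): string
{
    $table = [
        'page:title'        => 'Welcome',
        'getenv:APP_SECRET' => 'constructed-secret-value',
    ];
    return $table[$key] ?? '';
}

/** Model of insertData: expand every {key} marker through getData(). */
function insertData(string $content): string
{
    return preg_replace_callback('/\{([^{}]+)\}/', fn (array $m) => getData($m[1]), $content);
}

/**
 * Vulnerable model of
 *   10 = TEXT
 *   10.data = GP:name
 *   10.insertData = 1
 * The GET value becomes the content, then insertData runs over that content.
 */
function renderGreetingVulnerable(array $get): string
{
    $content = $get['name'] ?? '';            // "data = GP:name"
    return 'Hello ' . insertData($content);   // "insertData = 1" applied to user input
}

/**
 * Hardened model of
 *   10 = TEXT
 *   10.data = GP:name
 *   10.htmlSpecialChars = 1
 * Markers are expanded only in the template the integrator wrote; the request
 * value is escaped and inserted afterwards without being parsed again.
 */
function renderGreetingHardened(array $get): string
{
    $content = htmlspecialchars($get['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $template = insertData('{page:title}: Hello |');  // integrator-controlled, expanded once
    return str_replace('|', $content, $template);
}

// Constructed requests mirroring the URLs on slide 46.
$requests = [
    ['name' => 'Oliver'],
    ['name' => '<script>alert(1)</script>'],
    ['name' => '{getenv:APP_SECRET}'],
];
foreach ($requests as $get) {
    printf("%-28s vulnerable: %s\n", $get['name'], renderGreetingVulnerable($get));
    printf("%-28s hardened:   %s\n", '', renderGreetingHardened($get));
}
```

The third request is the one to watch: the vulnerable renderer prints the constructed secret, the hardened one prints the literal marker text. The same reasoning applies to `dataWrap` and any other stdWrap property that expands markers: keep them on integrator-written strings and never on content derived from `GP:`.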
• 47. “Flexibility” #2 thanks to TypoScript for non-admins (Remote Code Execution)
• 48. Flexibility #2 - using TypoScript/TSconfig
  ▪ https://typo3.org/security/advisory/typo3-core-sa-2019-019/
  ▪ Remote Code Execution using Page TSconfig
  ▪ access to pages.TSconfig needs to be granted explicitly
  ▪ addressed on June 25th, 2019
• 49. Page TSconfig assignments for pages
• 50. Page TSconfig supports conditions as well…
• 51. TYPO3 Security Team
  ▪ TYPO3 Security Team needs YOU
  ▪ core, extension & infrastructure security
  ▪ GitHub, packagist.org - not only TER
  ▪ feedback, advise, educate
  ▪ analyse & hack (PoC)
  ▪ ask @ohader / oliver@typo3.org
  ▪ (security reports to security@typo3.org)
• 52. more? join T3DD Security Workshop on Sunday Morning