Hacking an (insecure) TYPO3 v9 site during TYPO3 Developer Days 2019 (T3DD19). Demonstrating the impact of Cross-Site Scripting, compromised HMAC signing using a (disclosed) encryption key via Insecure Deserialization, as well as SQL Injection via insecure TypoScript.
2. TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ Security Team Lead
▪ 50% TYPO3 GmbH
▪ 50% freelance software engineer
▪ #hof #cycling #paramedic #in.die.musik
Disclaimer
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Web Application Security Basics
Web Application Security
▪ CIA/compliance triad
  ▪ confidentiality
    ▪ private, personal, sensitive information
  ▪ integrity
    ▪ manipulation of information (“fake news”)
  ▪ availability
    ▪ denial of service
    ▪ online bank account
    ▪ blocking information flow
https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
Hacking Playground
CONFIDENTIALITY - unauthorised access to information
Hacking Playground
INTEGRITY - e.g. manipulated information
Hacking Playground
AVAILABILITY - information/service not available
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
[Chart: TYPO3 vulnerabilities in the past 5 years, grouped into TYPO3 core, TYPO3 3rd party extensions, and the PHP world]
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Session Hi-Jacking
thanks to Cross-Site Scripting
Session Hi-Jacking - insecure cookie
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/
▪ Install Tool Cookie did not have HttpOnly flag
▪ addressed on December 11th, 2018
Insecure Install Tool Cookie (HTTP-only flag missing)
… cookies can be read by (any) JavaScript …
Session Hi-Jacking - cross-site scripting
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-006/
▪ file.youtube or file.vimeo vulnerable to cross-site scripting
▪ addressed on December 11th, 2018
Session Hi-Jacking - cross-site scripting & insecure cookie
Asset.youtube file & JavaScript to be executed
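The two advisories above chain together: a cookie issued without the HttpOnly flag is readable by any script that runs in the page, so the cross-site scripting in the media handling is all it takes to read the Install Tool session cookie. The following Python script is an added example, not part of the slides and not TYPO3 code; it audits Set-Cookie header values for the HttpOnly, Secure and SameSite attributes, lists which cookies a script on the page could read, and shows the hardened header form. The cookie names, values and paths are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft.

Added example (not TYPO3 code). Cookie names, values and paths are constructed.
"""
from http.cookies import SimpleCookie

# Constructed sample: the first header has no protective attributes at all,
# the second is what a hardened issuance looks like.
SAMPLE_HEADERS = [
    "install_tool_session=abc123; Path=/typo3/install.php",
    "backend_session=def456; Path=/typo3/; Secure; HttpOnly; SameSite=Strict",
]


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and report, per cookie, which attributes are missing.

    HttpOnly keeps document.cookie (and therefore any injected script) from reading
    the value; Secure keeps it off plaintext HTTP; SameSite limits cross-site sending.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["samesite"]:
            missing.append("SameSite")
        findings[name] = missing
    return findings


def audit_headers(header_values) -> dict:
    """Audit a list of Set-Cookie values; returns {cookie_name: [missing attributes]}."""
    findings = {}
    for value in header_values:
        findings.update(audit_set_cookie(value))
    return findings


def exposed_to_script(header_values) -> list:
    """Names of cookies a script on the page could read, i.e. those lacking HttpOnly."""
    return sorted(
        name for name, missing in audit_headers(header_values).items()
        if "HttpOnly" in missing
    )


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build the Set-Cookie value a session cookie should be issued with."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {missing or 'nothing'}")
    print("readable via document.cookie:", exposed_to_script(SAMPLE_HEADERS))
    print("hardened:", hardened_set_cookie("install_tool_session", "abc123", "/typo3/"))
```

The audit is a cheap check to run against a site's responses after every upgrade: a session cookie that shows up in the exposed-to-script list turns every stored or reflected XSS on that origin into a session takeover, which is exactly the chain the two advisories describe.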
Insecure Deserialization - Basics
… social engineering - somebody must click the file …
Insecure Deserialization - Basics
strange result & XSS exploitation in background
Okay, but what’s the point?!
▪ When being hacked, update ALL sensitive information
  ▪ backend user passwords
  ▪ frontend user passwords
  ▪ database credentials
  ▪ TYPO3 encryption key
  ▪ private/public key files
  ▪ …
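The Insecure Deserialization slides and the "update ALL sensitive information" list are two sides of one point: when an HMAC over a serialized blob is the only gate in front of deserialization, a disclosed encryption key makes that gate worthless until the key is replaced, no matter how many passwords are reset. The following Python script is an added example, not TYPO3 code; it models that pattern with JSON and HMAC-SHA-256 (TYPO3's own serialization format, hash algorithm and key handling are not assumed here) and walks through a tampered blob, a blob signed by someone else holding the leaked key, and what rotating the key does to both. The key material and payloads are constructed.

```python
"""Signed serialized payloads: why a leaked signing key breaks deserialization safety.

Added example, not TYPO3 code. Models an HMAC-then-deserialize pattern with JSON and
HMAC-SHA-256; the key, payloads and blob format are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

# Constructed key standing in for an application-wide secret such as an encryption key.
ORIGINAL_KEY = b"constructed-encryption-key-do-not-reuse"


def sign(data: dict, key: bytes) -> str:
    """Serialize `data` and append an HMAC so the application can recognise its own blobs."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def verify_and_load(blob: str, key: bytes):
    """Return the deserialized data if the MAC is valid under `key`, otherwise None.

    The MAC is checked before anything is deserialized: it is the only thing standing
    between an attacker-controlled blob and whatever the deserializer does with it.
    """
    try:
        body_hex, mac = blob.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    data = json.loads(body)
    # Only accept the shape the application expects, even after a valid MAC.
    return data if isinstance(data, dict) else None


def rotate_key() -> bytes:
    """A fresh random key; every blob signed under the old key stops verifying."""
    return secrets.token_bytes(32)


def scenario() -> dict:
    """Walk through the incident the slides describe and return each verification result."""
    legit = sign({"user": "editor", "admin": False}, ORIGINAL_KEY)
    # 1. the application's own, unmodified blob verifies
    legit_result = verify_and_load(legit, ORIGINAL_KEY)
    # 2. changing a single hex digit of the body is caught by the MAC
    tampered = ("0" if legit[0] != "0" else "1") + legit[1:]
    tampered_result = verify_and_load(tampered, ORIGINAL_KEY)
    # 3. once the key is disclosed, a blob built by anyone holding it verifies just as well
    forged = sign({"user": "editor", "admin": True}, ORIGINAL_KEY)
    forged_result = verify_and_load(forged, ORIGINAL_KEY)
    # 4. after rotation neither the forged blob nor the stale legitimate one verifies
    new_key = rotate_key()
    return {
        "legit": legit_result,
        "tampered": tampered_result,
        "forged_before_rotation": forged_result,
        "forged_after_rotation": verify_and_load(forged, new_key),
        "legit_after_rotation": verify_and_load(legit, new_key),
    }


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {'accepted ' + repr(result) if result else 'rejected'}")
```

The last two results are the ones that matter for incident response: rotating the key is what revokes the ability to produce accepted blobs, and it also invalidates every legitimately issued blob, so sessions and cached signed data have to be reissued as part of the same clean-up.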
“Flexibility” #2
thanks to TypoScript for non-admins (Remote Code Execution)
Flexibility #2 - using TypoScript/TSconfig
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-019/
▪ Remote Code Execution using Page TSconfig
▪ access to pages.TSconfig needs to be granted explicitly
▪ addressed on June 25th, 2019
Page TSconfig assignments for pages
Page TSconfig supports conditions as well…
TYPO3 Security Team
▪ TYPO3 Security Team needs YOU
  ▪ core, extension & infrastructure security
  ▪ GitHub, packagist.org - not only TER
  ▪ feedback, advise, educate
  ▪ analyse & hack (PoC)
▪ ask @ohader / oliver@typo3.org
▪ (security reports to security@typo3.org)