
TYPO3Camp Nantes 2017 - Web applications penetration testing methodology

Fedir RYKHTIK

June 24, 2017

Transcript

  1. About this presentation
     • Duration: 1 hour
     • 100% open source
     • Intermediate technical level recommended
     • @ Developers || QA Engineers || DevOps || CTO || ...
     • Interactive, study-oriented ...
  2. Contents
     • Introduction to Web security
       ◦ Major security risks
       ◦ Pentesting types
     • Insecure code
     • Creating / studying a vulnerable site
     • Manual security testing with scanners
     • Manual security testing using the Zed Attack Proxy GUI
     • Automated security testing
  3. Pentesting
     A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. Security issues that the penetration test uncovers should be reported to the system owner. Penetration tests are a component of a full security audit.
     https://en.wikipedia.org/wiki/Penetration_test
  4. Pentesting methods - Black-box
     • We don't know what is inside or how it works
     • Testing as an external user
  5. Pentesting methods - Grey-box
     • Global knowledge of the algorithms used
     • Global architecture of the code
     • Credentials
     • Demonstrations of the application
     • Communication with the target
     • ...
  6. Pentesting methods - White-box
     • We know everything about the project
     • We have access to the project code
     • Detailed technical documentation
     • Project specifications
     • Credentials
     • ...
  7. Where (the majority of) vulnerabilities are hidden

     | Role                 | Risks of vulnerabilities                              | Types                           |
     |----------------------|-------------------------------------------------------|---------------------------------|
     | Frontend Integrator  | JavaScript                                            | XSS, JS Hijacking, ...          |
     | Integrator           | TYPO3 TypoScript, Fluid                               | XSS, SQL, ...                   |
     | Backend Developer    | PHP                                                   | SQL, Remote execution, ...      |
     | DevOps               | File permissions                                      | Remote execution, CSRF, ...     |
     | System administrator | Obsolete packages, Firewall, Package configuration    | CSRF, system access, ...        |
  8. Analyze recent security fixes
     • http://typo3versions.felixnagel.com/
       ◦ Check security fixes
       ◦ Check TYPO3 versions 7 and 8
     • Examples
       ◦ https://github.com/TYPO3/TYPO3.CMS/commits/TYPO3_8-6-1
         ▪ https://github.com/TYPO3/TYPO3.CMS/commit/278af8209db33d8f2ee85c46d6321918e680f58a
       ◦ https://github.com/TYPO3/TYPO3.CMS/commits/TYPO3_8-5-1
         ▪ https://github.com/TYPO3/TYPO3.CMS/commit/c7e1ce9ce3254ee73bdcd325244078e3647bb907
  9. TYPO3 Security > Information disclosure > Google Hacking examples
     • https://www.google.fr/search?q=inurl:typo3conf/LocalConfiguration.php
     • https://www.google.fr/search?q=filetype:ts+inurl:typo3conf
     • https://www.google.fr/search?q=inurl:typo3conf/ENABLE_INSTALL_TOOL
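The three search queries above locate TYPO3 installations that expose their configuration to the public web. The defender's counterpart is to watch one's own access logs for requests to exactly those paths (LocalConfiguration.php, any TypoScript `.ts` file under typo3conf, the ENABLE_INSTALL_TOOL marker) and to treat any request the server answered with a 2xx status as a disclosure rather than a mere probe. The following Python is an added example, not code from the deck; the log lines are constructed in the Apache/nginx combined format and use documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample of combined-format access-log lines (not from the deck).
# Two of the sensitive requests were answered with 200: those are disclosures.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2017:10:01:02 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2017:10:01:05 +0200] "GET /typo3conf/LocalConfiguration.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2017:10:02:11 +0200] "GET /typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 0 "-" "curl/7.52.1"
198.51.100.23 - - [24/Jun/2017:10:02:12 +0200] "GET /typo3conf/ext/site/Configuration/TypoScript/setup.ts HTTP/1.1" 200 2048 "-" "curl/7.52.1"
192.0.2.9 - - [24/Jun/2017:10:03:00 +0200] "GET /typo3/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths mirroring the deck's three dorks: LocalConfiguration.php,
# any *.ts file below typo3conf, and the ENABLE_INSTALL_TOOL marker file.
SENSITIVE_RE = re.compile(
    r'/typo3conf/(LocalConfiguration\.php|ENABLE_INSTALL_TOOL|.*\.ts)(\?|$)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_sensitive_requests(log_text):
    """Return every request for a sensitive TYPO3 path. Each record carries a
    'disclosed' flag that is True when the server answered with 2xx, i.e. the
    file was actually served instead of being blocked by the web server."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SENSITIVE_RE.search(rec["path"]):
            continue
        rec["disclosed"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate for an alert or a CI report: probing clients and served paths."""
    return {
        "probes_by_ip": dict(Counter(h["ip"] for h in hits)),
        "disclosed_paths": sorted(h["path"] for h in hits if h["disclosed"]),
    }


if __name__ == "__main__":
    result = summarize(find_sensitive_requests(SAMPLE_LOG))
    for ip, n in result["probes_by_ip"].items():
        print(f"{ip}: {n} request(s) for sensitive TYPO3 paths")
    for path in result["disclosed_paths"]:
        print(f"DISCLOSED (served with 2xx): {path}")
```

A 403 for LocalConfiguration.php shows the web server rule doing its job; the two 200 answers are what the Google queries would eventually index, so the fix is a deny rule for typo3conf on the web server and removal of the ENABLE_INSTALL_TOOL file once the Install Tool is no longer needed.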
  10. There are many more risks ...
     • SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
     • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
     • AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL)
     • Authentication, authorization and session issues, file upload flaws and backdoor files
     • Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
     • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures, ...
     • HTTP parameter pollution, HTTP response splitting and HTTP verb tampering
     • Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations
     • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
     • XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF)
     • Heartbleed and Shellshock vulnerability (OpenSSL), Denial-of-Service (DoS) attacks
     • Parameter tampering, cookie and password reset poisoning
     • ...
  11. Example of the infrastructure used
     • VirtualBox VM
       ◦ Ubuntu 16.04 LTS server, 64 bit
       ◦ Jenkins CI
       ◦ OWASP ZAP, sqlmap, CMSMap ...
       ◦ Vulnerable site for manual and automatic testing
  12. sqlmap
     python sqlmap.py -v 2 --url=http://127.0.0.1/user/ --user-agent=SQLMAP --delay=1 --retries=2 --keep-alive --threads=5 --batch --dbms=MySQL --os=Linux --level=5 --risk=2 --banner --is-dba --dbs --tables --technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries
  13. OWASP ZAP - Simple scan
     zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://127.0.0.1/
     zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/
     * The API key can be found in ~/.ZAP/config.xml of the current user.
  14. OWASP ZAP - Running as a daemon
     /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480
     Docker usage is also possible: https://github.com/zaproxy/zaproxy/wiki/Docker
  15. OWASP ZAP - Plugins management
     Install all plugins (takes some time):
     su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall
     Install a selected plugin:
     su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport
     * Plugins are installed in the ~/.ZAP folder of the user who launches ZAP.
     ** Plugin keys can be found here: https://github.com/zaproxy/zap-extensions/releases
  16. OWASP ZAP
     https://github.com/zaproxy/zaproxy/wiki/Docker
     zap.sh -daemon -host 0.0.0.0 -port 8480
     zap-x.sh -daemon -host 0.0.0.0 -port 8080
     zap-cli quick-scan --self-contained \
       --start-options '-config api.disablekey=true' http://target
  17. Automated security testing model (diagram)
     Ubuntu server VM hosting the Jenkins CI Server, the OWASP Zed Attack Proxy and the TYPO3 site target; Jenkins runs the security scan through ZAP and reports the results.
  18. Jenkins CI - Plugins used
     • Official OWASP ZAP Jenkins Plugin
     • Environment Injector Plugin
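Slides 13 to 18 describe a Jenkins job that drives ZAP and reports the results, but not the step that turns a ZAP alert list into a build verdict. The following Python is an added example, not code from the deck or from the OWASP ZAP Jenkins Plugin: it reads a list of alert objects in the shape the ZAP API returns (the same list `zap-cli alerts -f json` prints; option name assumed), collapses per-URL instances into distinct findings, and fails the build when the number of findings at or above a chosen risk level exceeds an allowance. The alert sample is constructed here.

```python
import json
import sys
from collections import defaultdict

# Constructed sample shaped like the ZAP API alert list (not real scan output).
# Field names (alert, risk, confidence, url, param) follow the ZAP alert object.
SAMPLE_ALERTS_JSON = json.dumps([
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://127.0.0.1/index.php?id=1", "param": "id"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://127.0.0.1/index.php?id=2", "param": "id"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://127.0.0.1/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://127.0.0.1/user/", "param": "PHPSESSID"},
    {"alert": "Server Leaks Version Information", "risk": "Low", "confidence": "High",
     "url": "http://127.0.0.1/", "param": ""},
])

# ZAP's four risk levels, ordered so thresholds can be compared numerically.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def load_alerts(alerts_json):
    """Parse the JSON alert list produced by the ZAP API / zap-cli."""
    return json.loads(alerts_json)


def group_alerts(alerts):
    """Collapse per-URL instances into one finding per (alert name, risk),
    keeping the distinct URLs so the report stays short but actionable."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[(a["alert"], a["risk"])].add(a["url"])
    return {key: sorted(urls) for key, urls in grouped.items()}


def count_by_risk(alerts):
    """Number of distinct findings per risk level."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for (_, risk), _urls in group_alerts(alerts).items():
        counts[risk] += 1
    return counts


def gate(alerts, fail_at="Medium", max_allowed=0):
    """Return (passed, counts). The build fails when the number of distinct
    findings at or above `fail_at` is greater than `max_allowed`."""
    counts = count_by_risk(alerts)
    threshold = RISK_ORDER[fail_at]
    blocking = sum(n for risk, n in counts.items() if RISK_ORDER[risk] >= threshold)
    return blocking <= max_allowed, counts


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    passed, counts = gate(alerts)
    findings = group_alerts(alerts)
    # Highest risk first, the order a reviewer wants in the console log.
    for (name, risk), urls in sorted(findings.items(), key=lambda kv: -RISK_ORDER[kv[0][1]]):
        print(f"[{risk}] {name} ({len(urls)} URL(s))")
    print("distinct findings by risk:", counts)
    # Non-zero exit marks the Jenkins build as failed.
    sys.exit(0 if passed else 1)
```

Grouping by alert name rather than by URL matters for the gate: one reflected XSS sink hit through twenty URLs is one finding to fix, and counting it twenty times would make `max_allowed` meaningless.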
  19. Resources
     • https://martijnvanlambalgen.wordpress.com/2015/10/18/automating-your-vulnerability-scan-with-owasp-zap/
     • https://www.securify.nl/blog/SFY20150303/automating_security_tests_using_owasp_zap_and_jenkins.html
     • https://tools.pentestbox.org/
     • https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
     • http://connect.ed-diamond.com/MISC/MISC-087/Pourquoi-inclure-la-securite-dans-votre-pipeline-DevOps
     • https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
     • https://myexploit.wordpress.com/information-gathering-sqlmap/
     • https://docs.typo3.org/typo3cms/SecurityGuide/
     • https://typo3.org/teams/security/extension-security-policy/
     • https://insights.sei.cmu.edu/devops/2016/01/adding-security-to-your-devops-pipeline.html
     • https://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
     • https://es.slideshare.net/StephendeVries2/automating-security-tests-for-continuous-integration
     • https://prezi.com/gn3zack_uxr-/typo3-website-hacking-and-penetration-testing/
     • https://www.cvedetails.com/vendor/3887/Typo3.html
     • http://www.exploitalert.com/search-results.html?search=typo3
     • https://www.owasp.org/index.php/How_to_write_insecure_code
     • https://es.slideshare.net/StephendeVries2/continuous-and-visible-security-testing-with-bddsecurity
     • https://theagileadmin.com/2015/12/03/security-tooling-delivered-by-docker/
     • https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
  20. Special thanks
     • To @AgenceStratis, which understands the importance of open source culture and supports it
     • To Mikke Schirén (@mikkdroid) for the help with Jenkins
     • To the TYPO3 Camp Nantes team for the great organization of the event