4. Introduction
About me
Senior Consultant / Developer @ ELCA Informatique SA
Server administrator
Using TYPO3 since 2005/2006
Actively developing for TYPO3 since 2008
Monday, January 26, 2009
5. Introduction
The Problem
Wide variety of threats
Integration of popular software packages
Server updates not installed
SQL injection, XSS
Unknown exploits
6. Introduction
The Problem (Big Picture)
[Diagram: Client → Web Server (+ extensions) → Database and Filesystem (R W X). Threats shown: Input Validation Error, SQL Injection, XSS, Command Execution, File Disclosure, Privilege Escalation]
7. Introduction
Solutions
Prompt patching and updating for server software
Code quality in your extensions
Developing extensions with security in mind
Firewall / Server hardening
8. Introduction
Solution, is that all?
Secure development practices?
Firewall
Works on the TCP/IP layer
Does not see XSS, remote file inclusion, ...
What about SSL encrypted traffic?
10. Suhosin
What’s that?
Advanced protection system for PHP (module / patch)
Runtime protection:
Transparent cookie / session encryption
Function black- and whitelist
...
With patch:
Low-level protection (buffer overflow, ...)
11. Suhosin
Sample Code
Very basic ACL check:
12. Suhosin
Sample Code (cont.)
read
13. Suhosin
Sample Code (cont.)
write
14. Suhosin
Sample Code (cont.)
15. Suhosin
Sample Code (cont.)
TYPO3 does not have such code (hopefully)
But the extensions you use?
Let’s try Suhosin as PHP module
16. Suhosin
How To Install (Debian)
Install as usual
# apt-get install php5-suhosin
Edit file /etc/php5/conf.d/suhosin.ini
Activate any feature you wish
Do not use characters {}[] and the like for cryptkeys
Restart Apache
17. Suhosin
Sample Code (again)
20. Suhosin
(Some) Other Features
Scanning uploaded files
Use a script that outputs “1” if the file is valid. If not, $_FILES will be empty!
Disallow scripts from changing the memory limit, or force an upper bound when not using safe_mode
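The upload scan and the memory-limit bound listed above can be wired up together. What follows is an added example, not code from the slides or from the Suhosin project: a POSIX shell verification script that prints “1” only for files whose magic bytes match an allowed type and that contain no PHP or script tags, together with the suhosin.ini lines that enable it. The script path /usr/local/sbin/upload-verify and the image/PDF whitelist are assumptions for this example; the directive names are Suhosin's, the values are example choices.

```shell
#!/bin/sh
# Suhosin upload verification script (added example, not from the slides).
# Suhosin runs the script named in suhosin.upload.verification_script once per
# uploaded file, with the temporary file name as $1. If the first line of
# output is "1" the upload is accepted; anything else makes Suhosin drop the
# file from $_FILES. Assumptions for this example: only images and PDFs are
# legitimate uploads, and the script lives at /usr/local/sbin/upload-verify.

# First four bytes of a file as lowercase hex, e.g. "89504e47" for PNG.
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeeds when the magic bytes belong to an allowed file type.
has_allowed_magic() {
    case "$(magic_hex "$1")" in
        89504e47) return 0 ;;   # PNG
        ffd8ff*)  return 0 ;;   # JPEG
        47494638) return 0 ;;   # GIF
        25504446) return 0 ;;   # PDF
        *)        return 1 ;;
    esac
}

# Succeeds when the file carries a PHP open tag or a script tag anywhere in
# its body (a valid image header followed by PHP code still passes the magic
# check, so both tests are needed).
has_script_content() {
    grep -qi -e '<?php' -e '<?=' -e '<script' "$1"
}

# Prints "1" (accept) or "0" (reject) and returns 0 / 1 accordingly.
verify_upload() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo 0; return 1
    fi
    if ! has_allowed_magic "$f"; then
        echo 0; return 1
    fi
    if has_script_content "$f"; then
        echo 0; return 1
    fi
    echo 1
    return 0
}

# Matching lines for /etc/php5/conf.d/suhosin.ini (example values; the crypt
# keys must be replaced and, as the slides note, must not contain characters
# such as {}[]).
suhosin_ini_fragment() {
    cat <<'EOF'
; run the verification script for every uploaded file
suhosin.upload.verification_script = /usr/local/sbin/upload-verify
; never accept ELF binaries as uploads
suhosin.upload.disallow_elf = On
; hard upper bound for memory_limit, even if a script tries to raise it
suhosin.memory_limit = 128M
; transparent cookie and session encryption; keys: [A-Za-z0-9] only
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = REPLACE_WITH_RANDOM_KEY
suhosin.session.encrypt = On
suhosin.session.cryptkey = REPLACE_WITH_RANDOM_KEY
EOF
}

# When invoked by Suhosin, check the temporary file it passes in.
if [ $# -ge 1 ]; then
    verify_upload "$1"
fi
```

The magic-byte check alone is not enough: a PHP payload appended to a genuine image header keeps the header intact, which is why the content scan runs as a second step. Test the script by hand (`upload-verify /tmp/some-file; echo $?`) before pointing suhosin.ini at it, and remember that a rejected file simply disappears from $_FILES, so the application will see no upload at all rather than an error.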
22. ModSecurity
Web Application Firewall
Filtering requests with regular expressions
Able to scan uploaded files (just as Suhosin does)
Prevents JavaScript/SQL injection
Much more
[Diagram: ModSecurity sits in front of the application]
23. ModSecurity
How To Install
Compile from source or
Use a package (available from official website)
Debian, Fedora, FreeBSD, RedHat, ...
Core rules included in distribution (more on this later)
24. ModSecurity
Let’s Start Blocking!
Create file /etc/apache2/conf.d/mod-security2
Open your browser
26. ModSecurity
Let’s Start Blocking!
--b1361a18-A--
[23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
--b1361a18-B--
GET /?attack HTTP/1.1
Host: yoursite.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM
--b1361a18-F--
HTTP/1.1 412 Precondition Failed
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 267
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--b1361a18-H--
Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
Action: Intercepted (phase 2)
Pattern match "attack" at REQUEST_LINE.
Stopwatch: 1232702819271014 2259647 (3639 3892 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1
--b1361a18-Z--
27. ModSecurity
What about real protection?
Willing to write “real” set of SecRules yourself?
# Validate request line
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
        "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
# HTTP Request Smuggling
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"
# Block request with malformed content.
# ModSecurity will not inspect these, but the server application might do so
#
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"
# Accept only digits in content length
#
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web applications.
#
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
# Require Content-Length to be provided with every POST request.
#
SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
# Don't accept transfer encodings we know we don't know how to handle
#
# NOTE ModSecurity does not support chunked transfer encodings at
28. ModSecurity
What about real protection?
Willing to write “real” set of SecRules yourself?
I don’t!
29. ModSecurity
What about real protection?
Core rules installed with Debian package
/usr/share/doc/mod-security2-common/examples/rules/
Copy them to /var/lib/modsecurity2/core/
Edit your configuration
30. ModSecurity
What about real protection?
Edit core rule file modsecurity_crs_10_config.conf
Fit your needs
Hint: modsecurity.conf-minimal (from package)
Restart Apache
31. ModSecurity
Let’s Use TYPO3
32. ModSecurity
TYPO3 needs some tuning...
--1a422639-A--
[23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80
--1a422639-B--
POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
...
--1a422639-H--
Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
33. ModSecurity
Tuning for TYPO3
Add exceptions to /etc/apache2/conf.typo3.d/exceptions
From the audit log above: POST /typo3/alt_doc.php, id “950001”, msg “SQL Injection Attack”
34. ModSecurity
Tuning for TYPO3
Add exceptions to /etc/apache2/conf.typo3.d/exceptions
Reference this file for TYPO3 virtual hosts
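An added example of the exception file and the virtual host reference described on the two slides above; it is neither the slides' own file nor the TYPO3 WAF rule set. The paths are those given on the slides, rule id 950001 and the alt_doc.php request come from the audit log, and the ServerName and DocumentRoot are placeholders.

```shell
#!/bin/sh
# ModSecurity exceptions for the TYPO3 backend (added example; not the slides'
# own exception file and not the TYPO3 WAF rule set). Paths come from the
# slides: core rules under /var/lib/modsecurity2/core/, exceptions in
# /etc/apache2/conf.typo3.d/exceptions. Rule id 950001 and the alt_doc.php
# request are taken from the audit log; the vhost values are placeholders.

EXCEPTIONS_FILE="${EXCEPTIONS_FILE:-/etc/apache2/conf.typo3.d/exceptions}"

# Exception file contents. Editors legitimately post text such as "insert into"
# in data[tt_content][...][bodytext], so rule 950001 is removed only for the
# backend editing script that produced the false positive, never site-wide;
# the frontend keeps the complete core rule set.
typo3_exceptions_conf() {
    cat <<'EOF'
# TYPO3 backend: editing forms submit arbitrary content
<LocationMatch "^/typo3/alt_doc\.php$">
    # CRS 950001 "SQL Injection Attack" matches editor content (e.g. "insert into")
    SecRuleRemoveById 950001
</LocationMatch>
EOF
}

# Virtual host fragment that references the exception file. The core rules are
# loaded at server level (modsecurity.conf-minimal from the package); a vhost
# inherits them, and SecRuleRemoveById must be read after the rule it removes,
# which is why the exceptions are included per TYPO3 vhost.
typo3_vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName yoursite.com
    DocumentRoot /var/www/typo3
    Include $EXCEPTIONS_FILE
</VirtualHost>
EOF
}

# Write the exception file and reload Apache only if the configuration parses.
install_exceptions() {
    mkdir -p "$(dirname "$EXCEPTIONS_FILE")"
    typo3_exceptions_conf > "$EXCEPTIONS_FILE"
    apache2ctl configtest && apache2ctl graceful
}

case "${1:-}" in
    install) install_exceptions ;;
    show)    typo3_exceptions_conf; typo3_vhost_conf ;;
esac
```

Run `sh typo3-exceptions.sh show` to review the generated configuration and `sh typo3-exceptions.sh install` to write it and reload. Every further false positive in the audit log (section H names the rule id and the argument it matched) becomes one more LocationMatch entry; a coarser alternative is `SecRuleEngine Off` for the authenticated /typo3/ backend only, which keeps the frontend fully protected at the price of no inspection of backend traffic.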
35. ModSecurity
Tuning for TYPO3 (cont.)
Manual tuning with “common” extensions: > 100 lines
TYPO3 WAF project
Ready set of rules for ModSecurity
Lars Houmark and Lars E. D. Jensen
"Our goals with TYPO3 WAF. To create
a minimal (server performance wise) rule set for
TYPO3 and extensions which address very generic
methods of attacking and TYPO3/extension
security holes."
36. Summary & Further Protection
37. Summary
Suhosin
Protects PHP and locks down the system
ModSecurity
Focused on Web protocols
Can analyze SSL traffic
Do not only rely on those systems
38. Summary
Be Proactive
Think like the adversary
What is wrong with my system?
How can I exploit it?
Never too late to add security
Do not ignore risk but mitigate it
Compartmentalize / Least privilege
Fail safely w/o information disclosure
39. Summary
System Lock Down
Fix filesystem permissions
Do not allow write unless needed (typo3conf, uploads, ...)
Prevent file execution
Use SSL whenever possible
mod_ssl (dedicated ip / port)
mod_gnutls (not well supported though)
Reverse proxy (Apache, pound, nginx, ...)
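An added example (not from the slides) of the permission fix and the file execution block for a TYPO3 document root. It assumes Debian's www-data group, root as file owner, and that fileadmin and typo3temp are writable directories in addition to the typo3conf and uploads named on the slide.

```shell
#!/bin/sh
# Filesystem lock-down for a TYPO3 document root (added example, not from the
# slides). Assumptions: Apache runs in the Debian group www-data, the site
# files are owned by root, and the document root is passed as $1. Of the
# writable directories, typo3conf and uploads are named on the slides;
# fileadmin and typo3temp are added here because TYPO3 4.x writes to them too.

WEB_GROUP="${WEB_GROUP:-www-data}"
WRITABLE_DIRS="typo3conf uploads fileadmin typo3temp"
# Directories that hold user uploads or generated files and must never serve
# PHP. typo3conf is deliberately not listed: extension backend modules under
# typo3conf/ext/ are requested directly (see the templavoila returnUrl in the
# audit log).
NOEXEC_DIRS="uploads fileadmin typo3temp"

lock_down_typo3() {
    root="$1"
    # 1. Owned by root, readable by the web server group, writable by nobody.
    if [ "$(id -u)" -eq 0 ] && getent group "$WEB_GROUP" >/dev/null 2>&1; then
        chown -R root:"$WEB_GROUP" "$root"
    fi
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    # 2. Only the runtime directories are group-writable; setgid keeps files
    #    created by the web server in the web server group.
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type d -exec chmod 2770 {} +
            find "$root/$d" -type f -exec chmod 660 {} +
        fi
    done
    return 0
}

# Apache configuration that disables PHP in the writable directories. This
# belongs in the server or vhost configuration, not in .htaccess: php_admin_flag
# cannot be overridden by a .htaccess file that arrives as an upload, and
# AllowOverride None makes Apache ignore such a file anyway.
noexec_directory_conf() {
    root="$1"
    for d in $NOEXEC_DIRS; do
        cat <<EOF
<Directory "$root/$d">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType .php .phtml .php3 .php4 .php5
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
EOF
    done
}

case "${1:-}" in
    lock) lock_down_typo3 "$2" ;;
    conf) noexec_directory_conf "$2" ;;
esac
```

Run `sh typo3-lockdown.sh lock /var/www/typo3` as root, then paste the output of `sh typo3-lockdown.sh conf /var/www/typo3` into the virtual host and reload Apache. After the change, a PHP file dropped into uploads/ is served as a download or plain file instead of being executed, and the web server can no longer modify anything outside the four runtime directories, which limits what a compromised extension can change on disk.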
40. Summary
Monitoring
Know if you are compromised / attacked
Offsite backups
Recovery procedures