
CMS and Other Giants The Nightmare of AppSec


Presentation Transcript


  1. CMS and Other Giants The Nightmare of AppSec Irene Abezgauz Product Manager © 2005-2011. All Rights Reserved to Seeker Security Ltd.

  2. Seeker Security • Formerly Hacktics® (Acquired by EY) • New Generation of Application Security Testing (IAST) • Recognized as Top 10 Most Innovative Companies at RSA® 2010. • Recognized as “Cool Vendor” by Gartner

  3. Introduction • Application Security is Important! • CMS – Mix of 3rd Party and Customizations • Heavy on Code and Content • Hard to Secure Properly • Difficult to Test for Application Security

  4. Agenda • Size Matters… If you need to Secure it! • Somebody Else Did It! 3rd Party Platforms • My CMS has Wings! So does Everybody Else’s • Help!!! What can You do??

  5. Size Matters… If you need to secure it!

  6. Size Matters • Large number of pages (thousands, and often many more…) • Most are static content pages – dynamically generated HTML; some aren’t… • Dynamic and static content mixed

  7.–11. Size Matters (screenshot slides)

  12. Size Matters • http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all • http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets

  13. Size Matters • Often many parameters for each page • Some are needed for this specific page • Some are passed as a habit and never actually used • For Example – SharePoint Collaboration Document Center – adding a new announcement

  14. Size Matters • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24toolBarTbl%24RightRptControls%24ctl00%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x757C078B42F882EFF34A131312AC47E01F6F3BECDB0A95043DCC31D76ACA1B0003D9777998AC8C2F0EF95689400DD7A956720CD542AED1B289A36426C21C1351%2C13+Sep+2011+15%3A47%3A26+-0000&_ListSchemaVersion_%7Bccae3ae4-3660-4556-89cb-aab1d923455d%7D=1&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=&__EVENTVALIDATION=%2FwEWDQLT6%2FHJCAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZqOGaAgL76ozMDAKL0KiqAgKz7beUCgLsgqilCQLMsJnGAwKx%2Ffn2Cf6RZ0n2OxRqN%2FFdf3g9LSzbuHEp&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24onetidIOFile=a&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl05%24ctl00%24owshiddenversion=2&__spDummyText1=&__spDummyText2= that’s over 25 parameters!

  15. Size Matters • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24toolBarTbltop%24RightRptControls%24ctl01%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x07A4F374C689F1DD4E6BE6D8A27EA8B027C8AB38D6DAB67211AC1D7DE7E57911FC117CC2E16AC8258C32FFC9A5EEC1656C57D26BB829725A54358A18FF97F96B%2C13+Sep+2011+15%3A44%3A05+-0000&_ListSchemaVersion_%7Ba3701259-1bf8-4cf3-b120-d584603d38ea%7D=0&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJNjgxOTI1NzMxD2QWAmYPZBYCZg9kFgICAw9kFgoCAQ9kFgIFJmdfM2MzMzcxNGRfNmU1Ml80NTBmX2I3OTJfMWM1NjcxOWQxZjcwD2QWAmYPZBYQAgMPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVoZAIDD2QWAmYPZBYCAgMPDxYEHg1PbkNsaWVudENsaWNrBSFpZiAoIVByZVNhdmVJdGVtKCkpIHJldHVybiBmYWxzZTseCFRhYkluZGV4AQAAZGQCBQ9kFgJmD2QWAgIDDw8WBh4JQWNjZXNzS2V5BQFDHgRUZXh0BQZDYW5jZWwfAQVYU1RTTmF2aWdhdGUoJ1x1MDAyZkRvY3NcdTAwMmZMaXN0c1x1MDAyZkFubm91bmNlbWVudHNcdTAwMmZBbGxJdGVtcy5hc3B4Jyk7cmV0dXJuIGZhbHNlO2RkAgUPZBYCZg9kFgICAw9kFgJmD2QWCAIBDw8WDh8EBQtBdHRhY2ggRmlsZR4ISW1hZ2VVcmwFHS9fbGF5b3V0cy9pbWFnZXMvYXR0YWNodGIuZ2lmHwMFAUkeC05hdmlnYXRlVXJsBR1qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKR8BBR5qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKTseEVBlcm1pc3Npb25Db250ZXh0CymKAU1pY3Jvc29mdC5TaGFyZVBvaW50LlV0aWxpdGllcy5QZXJtaXNzaW9uQ29udGV4dCwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwIeC1Blcm1pc3Npb25zKCmAAU1pY3Jvc29mdC5TaGFyZVBvaW50LlNQQmFzZVBlcm1pc3Npb25zLCBNaWNyb3NvZnQuU2hhcmVQb2ludCwgVmVyc2lvbj0xMi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj03MWU5YmNlMTExZTk0MjljDUVkaXRMaXN0SXRlbXNkZAIDDw8WAh8AaGRkAgUPDxYMHwQFC0RlbGV0
ZSBJdGVtHwUFHC9fbGF5b3V0cy9pbWFnZXMvZGVsaXRlbS5naWYfAwUBWB8HCysEAh8IKCsFD0RlbGV0ZUxpc3RJdGVtcx8BBSByZXR1cm4gRGVsZXRlSXRlbUNvbmZpcm1hdGlvbigpO2RkAgcPDxYCHgxDUkJ1dHRvbk1vZGULKZ4BTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbHMuQ2xhaW1SZWxlYXNlVGFza0J1dHRvbitDUkJ1dHRvbk1vZGUsIE1pY3Jvc29mdC5TaGFyZVBvaW50LCBWZXJzaW9uPTEyLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTcxZTliY2UxMTFlOTQyOWMCZGQCCQ9kFgJmD2QWAgIBD2QWAmYPZBYCAgkPFgIeE1ByZXZpb3VzQ29udHJvbE1vZGULKYgBTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbHMuU1BDb250cm9sTW9kZSwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwIWAmYPFgIfCgsrBwJkAgsPZBYGZg9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBDw8WCh4JTWF4TGVuZ3RoAv8BHwIBAAAeCENzc0NsYXNzBQdtcy1sb25nHgdUb29sVGlwBQVUaXRsZR4EXyFTQgICZGQCAQ9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBD2QWAgIBDw8WCh8CAQAAHwwFB21zLWxvbmcfDQUEQm9keR4EUm93cwIPHw4CAhYCHgNkaXIFBG5vbmVkAgIPZBYCAgEPZBYCZg9kFgICCQ8WAh8KCysHAhYCZg8WAh8KCysHAhYCZg9kFgICAQ9kFghmDw8WBh8NBQdFeHBpcmVzHwQFCTkvMTQvMjAxMR4MQXV0b1Bvc3RCYWNraBYCHxEFATBkAgEPEA8WAh4LXyFEYXRhQm91bmRnZBAVGAUxMiBBTQQxIEFNBDIgQU0EMyBBTQQ0IEFNBDUgQU0ENiBBTQQ3IEFNBDggQU0EOSBBTQUxMCBBTQUxMSBBTQUxMiBQTQQxIFBNBDIgUE0EMyBQTQQ0IFBNBDUgUE0ENiBQTQQ3IFBNBDggUE0EOSBQTQUxMCBQTQUxMSBQTRUYBTEyIEFNBDEgQU0EMiBBTQQzIEFNBDQgQU0ENSBBTQQ2IEFNBDcgQU0EOCBBTQQ5IEFNBTEwIEFNBTExIEFNBTEyIFBNBDEgUE0EMiBQTQQzIFBNBDQgUE0ENSBQTQQ2IFBNBDcgUE0EOCBQTQQ5IFBNBTEwIFBNBTExIFBNFCsDGGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZxYBZmQCAg8QDxYCHxJnZBAVDAIwMAIwNQIxMAIxNQIyMAIyNQIzMAIzNQI0MAI0NQI1MAI1NRUMAjAwAjA1AjEwAjE1AjIwAjI1AjMwAjM1AjQwAjQ1AjUwAjU1FCsDDGdnZ2dnZ2dnZ2dnZxYBZmQCAw8PFgIeEkVuYWJsZUNsaWVudFNjcmlwdGhkZAIND2QWAmYPZBYEAgMPFgIfCgsrBwEWAmYPFgIfCgsrBwFkAgUPFgIfCgsrBwEWAmYPFgIfCgsrBwFkAg8PZBYCZg9kFgICAw8WAh8KCysHAhYCZg9kFgICAQ8WAh8EBf4DPFRSIGlkPXtBRkVGNEU4OC1ENjU4LTQ3QUEtQjVBQi05ODlBMDUyNUQzRDN9PjxURCBjbGFzcz0ibXMtdmIiPjxzcGFuIGRpcj0ibHRyIj48YSB0YWJpbmRleD0xIG9uY2xpY2s9IkRpc3BEb2NJdGVtRXgodGhpcywg
J0ZBTFNFJywgJ0ZBTFNFJywgJ0ZBTFNFJywgJ1NoYXJlUG9pbnQuT3BlbkRvY3VtZW50cy4zJykiIGhyZWY9Imh0dHA6Ly93aW4taWRzNnBqdGczeWMvRG9jcy9MaXN0cy9Bbm5vdW5jZW1lbnRzL0F0dGFjaG1lbnRzLzM5L2EudHh0Ij5hLnR4dDwvYT48L3NwYW4%2BJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9URD48VEQgY2xhc3M9Im1zLXByb3BlcnR5c2hlZXQiPjxJTUcgYWx0PSdEZWxldGUnIFNSQz0iL19sYXlvdXRzL2ltYWdlcy9yZWN0LmdpZiI%2BJm5ic3A7PGEgdGFiaW5kZXg9MSBocmVmPSJqYXZhc2NyaXB0OlJlbW92ZUF0dGFjaG1lbnRGcm9tU2VydmVyKCd7QUZFRjRFODgtRDY1OC00N0FBLUI1QUItOTg5QTA1MjVEM0QzfScsMSkiPkRlbGV0ZTwvYT48L1REPjwvVFI%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%2BPC9zcGFuPmQCAw8PFgQfBAUHTXkgU2l0ZR8GBTVodHRwOi8vd2luLWlkczZwanRnM3ljOjgwL015U2l0ZS9fbGF5b3V0cy9NeVNpdGUuYXNweGRkAgUPFgIfBAU5PHNwYW4gc3R5bGU9J3BhZGRpbmctbGVmdDo0cHg7cGFkZGluZy1yaWdodDozcHgnPnw8L3NwYW4%2BZAIPD2QWAmYPZBYCAgMPFgIfBAUBfGQCCQ9kFgICAQ9kFgJmD2QWAgIBDw9kFgIeBWNsYXNzBRhtcy1zYnRhYmxlIG1zLXNidGFibGUtZXhkAgsPZBYCAgMPZBYCZg9kFgQCAg9kFgICAw8WAh8AaGQCAw8PFgIfAwUBL2RkAi8PZBYCAgQPZBYCAgEPZBYCZg8PFgIfAGhkZBgBBUVjdGwwMCRQbGFjZUhvbGRlclRvcE5hdkJhciRQbGFjZUhvbGRlckhvcml6b250YWxOYXYkVG9wTmF2aWdhdGlvbk1lbnUPD2QFFEhvbWVcRG9jdW1lbnQgQ2VudGVyZGmgC8w1IPklANTRTq6iDjFHnwy4&__EVENTVALIDATION=%2FwEWDwLyy5zyDAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZuKB7ArusudMFAsze0tYPAsTg25UCAr%2B9mtoLAua14b0IAovagYEIAsOR0e0DAtDfiqYLc2%2BesVFsr0Dn92NbpXGZ53H0Zq0%3D&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=asdfasdf&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=%3Cdiv%3E%3C%2Fdiv%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField_spSave=%3CDIV+class%3DExternalClass10DBD7507AA14EB0A345DB965125EACA%3E%0D%0A%3CDIV%3Easdfasdf%3C%2FDIV%3E%3C%2FD
IV%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl02%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24DateTimeField%24DateTimeFieldDate=9%2F14%2F2011&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl07%24ctl00%24owshiddenversion=1&attachmentsToBeRemovedFromServer=&RectGifUrl=%2F_layouts%2Fimages%2Frect.gif&fileupload0=&__spDummyText1=&__spDummyText2= That’s just a lot!

  16. Size Matters – manual testing… • Effort Estimation – even if it took only 3 weeks to build it, it won’t take only 3 days to test it! Not enough time means the hard-to-reach corners aren’t reached! • Difficulty mapping out the application • Hard to separate infrastructure from custom code (SharePoint is easy, MyDownloadedCMS is not)
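The first thing a tester wants from a request like the SharePoint announcement post on slides 14–15 is an inventory: how many parameters there are, which belong to the framework plumbing and which are the application's own fields, and which arrive empty (the "passed as a habit" candidates). The following Python is an added example, not code from the presentation or from SharePoint. The framework prefixes are an assumption drawn from the parameter names visible on the slides, and the form body is a constructed, abbreviated version of the captured one.

```python
from urllib.parse import parse_qsl

# Name prefixes that belong to the ASP.NET / SharePoint plumbing rather than to
# the application's own form fields. Assumed from the parameter names visible in
# the captured request on the slide; a heuristic, not an official list.
FRAMEWORK_PREFIXES = ("__", "MSO", "ctl00$", "_ListSchemaVersion_")

# Constructed, abbreviated form body in the shape of the slide's SharePoint
# "new announcement" post (values shortened; not the full captured request).
SAMPLE_BODY = (
    "MSO_PageHashCode=11-1773449651"
    "&MSOWebPartPage_PostbackSource="
    "&MSOTlPn_View=0"
    "&MSOTlPn_ShowSettings=False"
    "&__EVENTTARGET=ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24diidIOSaveItem"
    "&__EVENTARGUMENT="
    "&__REQUESTDIGEST=0x757C078B%2C13+Sep+2011+15%3A47%3A26+-0000"
    "&__VIEWSTATE="
    "&__EVENTVALIDATION=%2FwEWDQLT6"
    "&InputKeywords="
    "&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24onetidIOFile=a"
    "&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24TextField="
    "&__spDummyText1="
    "&__spDummyText2="
)


def inventory_parameters(form_body: str) -> dict:
    """Classify every parameter in a form body so a tester can see what is
    actually worth spending time on."""
    # keep_blank_values=True is essential: the empty parameters are the point.
    pairs = parse_qsl(form_body, keep_blank_values=True)

    def is_framework(name: str) -> bool:
        return name.startswith(FRAMEWORK_PREFIXES)

    return {
        "total": len(pairs),
        # Empty values are the "passed out of habit" candidates: the first check
        # is whether the server reads them at all.
        "empty": [n for n, v in pairs if v == ""],
        # Framework-owned fields are tested once per platform, not once per page.
        "framework": [n for n, _ in pairs if is_framework(n)],
        # Everything else is custom code and needs per-page attention.
        "custom": [n for n, _ in pairs if not is_framework(n)],
        # The bulkiest value is normally state (__VIEWSTATE, __EVENTTARGET and
        # friends), not application input.
        "largest": max(pairs, key=lambda p: len(p[1]))[0] if pairs else None,
    }


if __name__ == "__main__":
    inv = inventory_parameters(SAMPLE_BODY)
    print(f"{inv['total']} parameters, {len(inv['empty'])} empty, "
          f"{len(inv['framework'])} framework, {len(inv['custom'])} custom")
    print("custom fields to test per page:", inv["custom"])
```

Run against a full captured body, the `custom` list is what a per-page manual test should focus on, while the `framework` list is the part that can be tested once and then treated as platform risk (updates, configuration) rather than re-tested on every page.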

  17. Size Matters – manual testing… • Difficulty mapping module relationships – it comes in here and goes out… god knows where! • Mixed static and dynamic content • Code often very large, complex or not available • A lot of different user types, components and roles

  18. Size Matters – manual testing… • Think about an application that has 5 user types (Superadmin, site admin, supervisor, normal user, read-only report-generation user) • 25 different components • Each user can access only part of the functionality in each component, let’s say 1/3… • Now imagine the nightmare of authorization bypass testing!
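The 5 roles × 25 components scenario above is small enough to enumerate, which is exactly how the bypass testing should be organised: build the full role/component matrix from the intended permissions, and treat every expected-deny cell as a test that must be run, not only the expected-allow cells. The Python below is an added example, not part of the presentation; the role names follow the slide, while the allow rule (superadmin gets everything, each other role gets roughly a third of the components) and the observed responses are constructed for the example.

```python
from itertools import product

# Constructed scenario from the slide: 5 user types and 25 components.
ROLES = ["superadmin", "site_admin", "supervisor", "user", "report_reader"]
COMPONENTS = [f"component_{i:02d}" for i in range(1, 26)]


def build_allowed(roles=ROLES, components=COMPONENTS) -> dict:
    """Intended permissions. The rule is invented for the example: the first role
    reaches everything, every other role reaches about a third of the components."""
    allowed = {roles[0]: set(components)}
    for r, role in enumerate(roles[1:], start=1):
        allowed[role] = {c for j, c in enumerate(components, start=1) if (j + r) % 3 == 0}
    return allowed


def build_authz_matrix(roles, components, allowed) -> list:
    """Every (role, component, expected_allow) triple. The False rows are the
    bypass tests; they outnumber the positive tests and are the ones usually skipped."""
    return [(role, comp, comp in allowed.get(role, set()))
            for role, comp in product(roles, components)]


def summarize(matrix) -> tuple:
    """(total cases, expected-allow cases, expected-deny cases)."""
    allow = sum(1 for _, _, ok in matrix if ok)
    return len(matrix), allow, len(matrix) - allow


def find_bypasses(matrix, observed: dict) -> list:
    """observed maps (role, component) to the HTTP status a request made as that
    role received. A 2xx where the matrix says deny is an authorization bypass.
    Cells with no observation are simply untested, not passed."""
    return [(role, comp) for role, comp, expected_allow in matrix
            if not expected_allow and 200 <= observed.get((role, comp), 0) < 300]


if __name__ == "__main__":
    matrix = build_authz_matrix(ROLES, COMPONENTS, build_allowed())
    total, allow, deny = summarize(matrix)
    print(f"{total} cases: {allow} expected-allow, {deny} expected-deny")
    # Constructed observations: the normal user may reach component_03 but not
    # component_01, yet both returned 200.
    observed = {("user", "component_03"): 200,
                ("user", "component_01"): 200,
                ("report_reader", "component_05"): 403}
    print("bypasses:", find_bypasses(matrix, observed))
```

With a real application the `allowed` map comes from the design or from the platform's permission configuration (the 33 pre-defined SharePoint permissions on slide 28 are that map for SharePoint), and `observed` comes from replaying each component's requests under each role's session. Cells that are never observed should be reported as untested rather than silently counted as passed.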

  19. Size Matters – blackbox scanning… • Difficult to crawl – a lot of pages to crawl, forms to submit, different functionality, JavaScript to parse • Redundant testing of the same code activated from different locations (e.g. email-to-a-friend links – http://www.site.com/somepage.jsp?func=mailToAFriend)

  20. Size Matters – blackbox scanning… • URL Rewriting / dynamically generated HTML – difficult to identify parameters: http://www.ynet.co.il/articles/0,7340,L-4122262,00.html http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550

  21. Size Matters – code analysis… • Often the code is not available • Sometimes user code is available but not the rest • A LOT of code to cover • Cross-module relations are difficult to map – too many components to map them all • Massive component reuse – optimization challenges

  22. Somebody Else Did It! 3rd party platforms…

  23. Somebody Else Did It… • Somebody Else Did It – so it’s inherently secure • (Especially if “Somebody” is a big, established software firm…) • … Even if it initially wasn’t, then I didn’t update it for 5 years and also built 1,000,000 lines of insecure code on top of it as “minor changes” • Lack of knowledge on customizations or security mechanisms

  24.–27. Somebody Else Did It… (screenshot slides)

  28. Somebody Else Did It… • Not using integrated security features – “…Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions” • Disabling integrated security features “the XSS defense was preventing me from using special characters, so I disabled it for the entire module…”

  29. Somebody Else Did It… • Updates and Maintenance • The (not so) good - Somebody else did it… 5 years ago • The bad - Somebody else did it… but I didn’t install the updates • The ugly - Somebody else did it… and won’t fix it

  30. Somebody Else Did It… • SharePoint File Upload Persistent XSS • Authentication and the ability to write to the SharePoint site are required to exploit this scenario. • Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation. • SharePoint administrators can restrict the uploading of files to SharePoint servers

  31. Somebody Else Did It… • (Just Released! Found by Seeker™)

  32. Somebody Else Did It… • SharePoint 2007 Central Administration XSS: • XSS → Perform Operations on Behalf of Users, Steal Information, Take Their Cookies, Corrupt Data…

  33. Somebody Else Did It… POST /Reports/Pages/Default.aspx HTTP/1.1 ... ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("I didn't do HTML Encoding!")</script> • When placed directly into the textbox – encoded on the client side to prevent XSS!
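The point of slide 33 is that encoding done by the page's JavaScript protects nothing, because a request built outside the browser never runs that JavaScript. The Python below is an added example that is not part of the presentation and does not reproduce SharePoint's code: it models the two ways the hidden field can reach the server (the browser's encoding step, assumed here to be a plain HTML escape, and a crafted POST) and two ways the server can render it, and reports which combinations leave a live script element in the page.

```python
import html

# Constructed payload, modelled on the one in the captured POST on the slide.
CONSTRUCTED_PAYLOAD = '<script>alert("I didn\'t do HTML Encoding!")</script>'


def browser_textbox_submit(value: str) -> str:
    # Stand-in for the client-side encoding the slide mentions: the page's own
    # script encodes what the user typed before posting it. Assumed behaviour.
    return html.escape(value, quote=True)


def crafted_post(value: str) -> str:
    # A request built with a proxy or a script never runs that page script, so
    # the hidden field arrives exactly as the sender wrote it.
    return value


def render_vulnerable(hidden_span_data: str) -> str:
    # Trusts that encoding already happened on the client and writes the field
    # straight into the page.
    return f'<span class="people-data">{hidden_span_data}</span>'


def render_hardened(hidden_span_data: str) -> str:
    # Encodes on the server at the point of output, whatever the client did.
    return f'<span class="people-data">{html.escape(hidden_span_data, quote=True)}</span>'


def contains_script_tag(rendered_html: str) -> bool:
    # Minimal check used only to compare the two renderers; not an XSS filter.
    return "<script" in rendered_html.lower()


def compare_paths(payload: str = CONSTRUCTED_PAYLOAD) -> dict:
    """Map (submission path, renderer) -> whether a live <script> ends up in the page."""
    results = {}
    for path_name, path in (("browser", browser_textbox_submit), ("crafted", crafted_post)):
        for renderer_name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            results[(path_name, renderer_name)] = contains_script_tag(render(path(payload)))
    return results


if __name__ == "__main__":
    for (path_name, renderer_name), executes in sorted(compare_paths().items()):
        print(f"{path_name:8s} submission, {renderer_name:10s} renderer: script in page = {executes}")
```

Only the crafted-request/vulnerable-renderer combination yields a live script, which is why the slide's "encoded on client side" observation is not a defence. Note also that the hardened renderer double-encodes the browser-submitted value (the user sees a literal `&lt;`): encoding should happen once, on the server at output, and the client-side step is at best cosmetic.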

  34. Somebody Else Did It… • SharePoint 2007 & 2010 Insecure Redirect • Insecure Redirect → Sneakily lead users to a malicious website, there do bad things to them. Steal their credentials, tell them lies, have them tell their deepest secrets to www.evil.com! • The Vulnerable Parameter → Source, it’s a system-wide parameter used in SharePoint for redirects all over. • Normal Values → Source=http://mysite/Docs/Announcements/NewForm.aspx Source=/Docs/Announcements/NewForm.aspx

  35. Somebody Else Did It… • Normal Values → anything inside the site! • However, this includes: Source=localhost/Docs/Announcements.NewItem.aspx • Actually, it permits anything starting with “Localhost” or “127.0.0.1” • For Example: Source=Localhost.EvilSite.Com
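The flaw on slide 35 is a prefix check: a redirect target is accepted because it starts with an approved host name, so "Localhost.EvilSite.Com" passes. The Python below is an added example, not SharePoint's code and not from the presentation. It places a prefix check of that shape beside a validator that parses the URL and accepts only site-absolute paths or absolute URLs whose parsed host is exactly one of the site's own; the host set is constructed for the example. The hardened version also covers the usual variants of the same problem (scheme-relative `//host`, backslashes, userinfo tricks, non-HTTP schemes), which go beyond the single case on the slide.

```python
from urllib.parse import urlsplit

# Hosts this deployment treats as its own; constructed for the example.
SITE_HOSTS = frozenset({"mysite", "localhost", "127.0.0.1"})


def weak_is_safe_redirect(source: str) -> bool:
    # Prefix matching of the kind the slide describes: anything that merely
    # *starts with* an approved name is accepted, so "Localhost.EvilSite.Com"
    # and "http://mysite.evilsite.com/" both pass. Assumed logic, not SharePoint's.
    return source.lower().startswith(("localhost", "127.0.0.1", "http://mysite"))


def hardened_is_safe_redirect(source: str, site_hosts=SITE_HOSTS) -> bool:
    if not source:
        return False
    # Browsers treat a backslash like a forward slash in URLs, so normalise it
    # first; otherwise "/\evil.com/x" would look like a site-relative path.
    candidate = source.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: allow only http(s), and only when the parsed host name is
        # exactly one of ours. urlsplit lower-cases the host and strips userinfo,
        # so "http://mysite@evil.com/" parses to host "evil.com" and is rejected.
        return parts.scheme in ("http", "https") and parts.hostname in site_hosts
    if parts.netloc:
        # Scheme-relative reference ("//evil.com/x"): the browser resolves it to
        # another host, so it is not internal.
        return False
    # Relative reference: require a site-absolute path with exactly one leading
    # slash. Bare "localhost/..." strings are not URLs to us and are refused.
    return candidate.startswith("/") and not candidate.startswith("//")


if __name__ == "__main__":
    for value in ("/Docs/Announcements/NewForm.aspx",
                  "http://mysite/Docs/Announcements/NewForm.aspx",
                  "Localhost.EvilSite.Com",
                  "//www.evil.com/",
                  "http://mysite@www.evil.com/"):
        print(f"{value:48s} weak={weak_is_safe_redirect(value)!s:5s} "
              f"hardened={hardened_is_safe_redirect(value)}")
```

The safest deployment choice is to not accept absolute URLs in `Source` at all and keep only the relative-path branch; the host allow-list exists here because the slide shows absolute `http://mysite/...` values in normal use.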

  36. My CMS has Wings! So Does Everybody Else’s

  37. My CMS has Wings! • CommunityMS – Widgetization, Add-Ons, etc. • UGC – User Generated Content – Web2.0 • creates many opportunities for security flaws! • Administration & Backoffice – leaving the admin interface publicly accessible, not testing the admin interface as nobody has access to it.

  38. My CMS has Wings! • Administrative Interfaces? Just Google it! • SharePoint? • Google for inurl:/docs/lists/announcements • WordPress? • Google for inurl:wp-login.php • (remote admin password reset vulnerability, anyone?) • PeopleSoft? • Google for inurl:maintain_security

  39. My CMS has Wings! • I took a component, and then my custom code added write permissions to it. It was never secure enough for write permissions. • Adding components provided by dubious entities… (look what I found on Google! It’s just a widget… )

  40. My CMS has Wings! • Fresh from the Oven, released in the past week: • WordPress WP e-Commerce Plugin 'cs1' Parameter SQL Injection Vulnerability (14-Sep-2011) • WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (12-Sep-2011) • WordPress Easy Comment Uploads Plugin 'upload.php' Arbitrary File Upload Vulnerability (12-Sep-2011) • WordPress Tune Library Plugin 'letter' Parameter SQL Injection Vulnerability (10-Sep-2011)

  41. Help!!! What can You do??

  42. Help!!! • Provide enough time for thorough security testing • Know which components are present • Buy your platform from a reputable vendor, or test it fully, including platform components • Spend time to configure your security tools • Prefer security tools that know your specific platform

  43. Help!!! • Choose widgets and add-ons from a reputable vendor, and test them properly anyway • Get an expert who knows the platform to configure it and help you customize it • Use the built-in security features • Update and maintain it! • Secure it like any other development process

  44. Thank You!
