Slide1 l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 45

CMS and Other Giants The Nightmare of AppSec PowerPoint PPT Presentation


  • 97 Views
  • Uploaded on
  • Presentation posted in: General

CMS and Other Giants The Nightmare of AppSec. Irene Abezgauz Product Manager. © 2005-2011. All Rights Reserved to Seeker Security Ltd . Seeker Security. Formerly Hacktics ® (Acquired by EY) New Generation of Application Security Testing (IAST)

Download Presentation

CMS and Other Giants The Nightmare of AppSec

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


CMS and Other Giants

The Nightmare of AppSec

Irene Abezgauz

Product Manager

© 2005-2011. All Rights Reserved to Seeker Security Ltd.


Seeker Security

  • Formerly Hacktics® (Acquired by EY)

  • New Generation of Application Security Testing (IAST)

  • Recognized as Top 10 Most Innovative Companies at RSA® 2010.

  • Recognized as “Cool Vendor” by Gartner


Introduction

  • Application Security is Important!

  • CMS – Mix of 3rd Party and Customizations

  • Heavy on Code and Content

  • Hard to Secure Properly

  • Difficult to Test for Application Security


Agenda

  • Size Matters… If you need to Secure it !

  • Somebody Else Did It !3rd Party Platforms

  • My CMS has Wings! So does Everybody Else’s..

  • Help!!! What can You do??


Size Matters…

If you need to secure it!


Size Matters

  • Large amount of pages (thousands and much more …)

  • Most are static content pages – dynamically generated HTMLs, Some aren’t …

  • Dynamic and static content mixed


Size Matters


Size Matters


Size Matters


Size Matters


Size Matters


Size Matters

http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all

  • http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets


Size Matters

  • Often many parameters for each page

  • Some are needed for this specific page

  • Some are passed as a habit and never actually used

  • For Example – SharePoint Collaboration Document Center – adding a new announcement


Size Matters

  • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24toolBarTbl%24RightRptControls%24ctl00%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x757C078B42F882EFF34A131312AC47E01F6F3BECDB0A95043DCC31D76ACA1B0003D9777998AC8C2F0EF95689400DD7A956720CD542AED1B289A36426C21C1351%2C13+Sep+2011+15%3A47%3A26+-0000&_ListSchemaVersion_%7Bccae3ae4-3660-4556-89cb-aab1d923455d%7D=1&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=&__EVENTVALIDATION=%2FwEWDQLT6%2FHJCAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZqOGaAgL76ozMDAKL0KiqAgKz7beUCgLsgqilCQLMsJnGAwKx%2Ffn2Cf6RZ0n2OxRqN%2FFdf3g9LSzbuHEp&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24onetidIOFile=a&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl01%24ctl00%24ctl00%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=&ctl00%24m%24g_0521eb40_6e59_4eeb_8f78_c20b66c8dcea%24ctl00%24ctl02%24ctl00%24ctl05%24ctl00%24owshiddenversion=2&__spDummyText1=&__spDummyText2=

that’s over 25 parameters!


Size Matters

  • MSO_PageHashCode=11-1773449651&MSOWebPartPage_PostbackSource=&MSOTlPn_SelectedWpId=&MSOTlPn_View=0&MSOTlPn_ShowSettings=False&MSOGallery_SelectedLibrary=&MSOGallery_FilterString=&MSOTlPn_Button=none&__EVENTTARGET=ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24toolBarTbltop%24RightRptControls%24ctl01%24ctl00%24diidIOSaveItem&__EVENTARGUMENT=&__REQUESTDIGEST=0x07A4F374C689F1DD4E6BE6D8A27EA8B027C8AB38D6DAB67211AC1D7DE7E57911FC117CC2E16AC8258C32FFC9A5EEC1656C57D26BB829725A54358A18FF97F96B%2C13+Sep+2011+15%3A44%3A05+-0000&_ListSchemaVersion_%7Ba3701259-1bf8-4cf3-b120-d584603d38ea%7D=0&MSOSPWebPartManager_DisplayModeName=Browse&MSOWebPartPage_Shared=&MSOLayout_LayoutChanges=&MSOLayout_InDesignMode=&MSOSPWebPartManager_OldDisplayModeName=Browse&MSOSPWebPartManager_StartWebPartEditingName=false&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJNjgxOTI1NzMxD2QWAmYPZBYCZg9kFgICAw9kFgoCAQ9kFgIFJmdfM2MzMzcxNGRfNmU1Ml80NTBmX2I3OTJfMWM1NjcxOWQxZjcwD2QWAmYPZBYQAgMPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVoZAIDD2QWAmYPZBYCAgMPDxYEHg1PbkNsaWVudENsaWNrBSFpZiAoIVByZVNhdmVJdGVtKCkpIHJldHVybiBmYWxzZTseCFRhYkluZGV4AQAAZGQCBQ9kFgJmD2QWAgIDDw8WBh4JQWNjZXNzS2V5BQFDHgRUZXh0BQZDYW5jZWwfAQVYU1RTTmF2aWdhdGUoJ1x1MDAyZkRvY3NcdTAwMmZMaXN0c1x1MDAyZkFubm91bmNlbWVudHNcdTAwMmZBbGxJdGVtcy5hc3B4Jyk7cmV0dXJuIGZhbHNlO2RkAgUPZBYCZg9kFgICAw9kFgJmD2QWCAIBDw8WDh8EBQtBdHRhY2ggRmlsZR4ISW1hZ2VVcmwFHS9fbGF5b3V0cy9pbWFnZXMvYXR0YWNodGIuZ2lmHwMFAUkeC05hdmlnYXRlVXJsBR1qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKR8BBR5qYXZhc2NyaXB0OlVwbG9hZEF0dGFjaG1lbnQoKTseEVBlcm1pc3Npb25Db250ZXh0CymKAU1pY3Jvc29mdC5TaGFyZVBvaW50LlV0aWxpdGllcy5QZXJtaXNzaW9uQ29udGV4dCwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwIeC1Blcm1pc3Npb25zKCmAAU1pY3Jvc29mdC5TaGFyZVBvaW50LlNQQmFzZVBlcm1pc3Npb25zLCBNaWNyb3NvZnQuU2hhcmVQb2ludCwgVmVyc2lvbj0xMi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj03MWU5YmNlMTExZTk0MjljDUVkaXRMaXN0SXRlbXNkZAIDDw8WAh8AaGRkAgUPDxYMHwQFC0RlbGV0ZSBJdGVtHwUFHC9fbGF5b3V0cy9pbWFnZXMvZGVsaXRlbS5naWYfAwUBWB8HCysEAh8IKCsFD0RlbGV0ZUxpc3RJdGVtcx8BBSByZXR1cm4gRGVsZXRlSXRlbUNvbmZpcm1hdGlvbigpO2RkAgcPDxYCHgxDUkJ1dHRvbk1vZGULKZ4BTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbHMuQ2xhaW1SZWxlYXNlVGFza0J1dHRvbitDUkJ1dHRvbk1vZGUsIE1pY3Jvc29mdC5TaGFyZVBvaW50LCBWZXJzaW9uPTEyLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTcxZTliY2UxMTFlOTQyOWMCZGQCCQ9kFgJmD2QWAgIBD2QWAmYPZBYCAgkPFgIeE1ByZXZpb3VzQ29udHJvbE1vZGULKYgBTWljcm9zb2Z0LlNoYXJlUG9pbnQuV2ViQ29udHJvbHMuU1BDb250cm9sTW9kZSwgTWljcm9zb2Z0LlNoYXJlUG9pbnQsIFZlcnNpb249MTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49NzFlOWJjZTExMWU5NDI5YwIWAmYPFgIfCgsrBwJkAgsPZBYGZg9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBDw8WCh4JTWF4TGVuZ3RoAv8BHwIBAAAeCENzc0NsYXNzBQdtcy1sb25nHgdUb29sVGlwBQVUaXRsZR4EXyFTQgICZGQCAQ9kFgICAQ9kFgJmD2QWAgIJDxYCHwoLKwcCFgJmDxYCHwoLKwcCFgJmD2QWAgIBD2QWAgIBDw8WCh8CAQAAHwwFB21zLWxvbmcfDQUEQm9keR4EUm93cwIPHw4CAhYCHgNkaXIFBG5vbmVkAgIPZBYCAgEPZBYCZg9kFgICCQ8WAh8KCysHAhYCZg8WAh8KCysHAhYCZg9kFgICAQ9kFghmDw8WBh8NBQdFeHBpcmVzHwQFCTkvMTQvMjAxMR4MQXV0b1Bvc3RCYWNraBYCHxEFATBkAgEPEA8WAh4LXyFEYXRhQm91bmRnZBAVGAUxMiBBTQQxIEFNBDIgQU0EMyBBTQQ0IEFNBDUgQU0ENiBBTQQ3IEFNBDggQU0EOSBBTQUxMCBBTQUxMSBBTQUxMiBQTQQxIFBNBDIgUE0EMyBQTQQ0IFBNBDUgUE0ENiBQTQQ3IFBNBDggUE0EOSBQTQUxMCBQTQUxMSBQTRUYBTEyIEFNBDEgQU0EMiBBTQQzIEFNBDQgQU0ENSBBTQQ2IEFNBDcgQU0EOCBBTQQ5IEFNBTEwIEFNBTExIEFNBTEyIFBNBDEgUE0EMiBQTQQzIFBNBDQgUE0ENSBQTQQ2IFBNBDcgUE0EOCBQTQQ5IFBNBTEwIFBNBTExIFBNFCsDGGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZxYBZmQCAg8QDxYCHxJnZBAVDAIwMAIwNQIxMAIxNQIyMAIyNQIzMAIzNQI0MAI0NQI1MAI1NRUMAjAwAjA1AjEwAjE1AjIwAjI1AjMwAjM1AjQwAjQ1AjUwAjU1FCsDDGdnZ2dnZ2dnZ2dnZxYBZmQCAw8PFgIeEkVuYWJsZUNsaWVudFNjcmlwdGhkZAIND2QWAmYPZBYEAgMPFgIfCgsrBwEWAmYPFgIfCgsrBwFkAgUPFgIfCgsrBwEWAmYPFgIfCgsrBwFkAg8PZBYCZg9kFgICAw8WAh8KCysHAhYCZg9kFgICAQ8WAh8EBf4DPFRSIGlkPXtBRkVGNEU4OC1ENjU4LTQ3QUEtQjVBQi05ODlBMDUyNUQzRDN9PjxURCBjbGFzcz0ibXMtdmIiPjxzcGFuIGRpcj0ibHRyIj48YSB0YWJpbmRleD0xIG9uY2xpY2s9IkRpc3BEb2NJdGVtRXgodGhpcywgJ0ZBTFNFJywgJ0ZBTFNFJywgJ0ZBTFNFJywgJ1NoYXJlUG9pbnQuT3BlbkRvY3VtZW50cy4zJykiIGhyZWY9Imh0dHA6Ly93aW4taWRzNnBqdGczeWMvRG9jcy9MaXN0cy9Bbm5vdW5jZW1lbnRzL0F0dGFjaG1lbnRzLzM5L2EudHh0Ij5hLnR4dDwvYT48L3NwYW4%2BJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9URD48VEQgY2xhc3M9Im1zLXByb3BlcnR5c2hlZXQiPjxJTUcgYWx0PSdEZWxldGUnIFNSQz0iL19sYXlvdXRzL2ltYWdlcy9yZWN0LmdpZiI%2BJm5ic3A7PGEgdGFiaW5kZXg9MSBocmVmPSJqYXZhc2NyaXB0OlJlbW92ZUF0dGFjaG1lbnRGcm9tU2VydmVyKCd7QUZFRjRFODgtRDY1OC00N0FBLUI1QUItOTg5QTA1MjVEM0QzfScsMSkiPkRlbGV0ZTwvYT48L1REPjwvVFI%2BZAITDxYCHwoLKwcCZAIXD2QWBGYPZBYCAgEPZBYCZg9kFgQCAQ9kFgQCAQ8WAh8KCysHARYCZg8WAh8KCysHAWQCAw8WAh8KCysHARYCZg8WAh8KCysHAWQCAw9kFgQCAQ8WAh8KCysHARYCZg8WAh8KCysHAWQCAw8WAh8KCysHARYCZg8WAh8KCysHAWQCAQ9kFgQCAQ9kFgJmD2QWAgIDDw8WBB8BBSFpZiAoIVByZVNhdmVJdGVtKCkpIHJldHVybiBmYWxzZTsfAgEAAGRkAgMPZBYCZg9kFgICAw8PFgYfAwUBQx8EBQZDYW5jZWwfAQVYU1RTTmF2aWdhdGUoJ1x1MDAyZkRvY3NcdTAwMmZMaXN0c1x1MDAyZkFubm91bmNlbWVudHNcdTAwMmZBbGxJdGVtcy5hc3B4Jyk7cmV0dXJuIGZhbHNlO2RkAgMPZBYEAg0PZBYCZg9kFgYCAQ8WAh8EBSY8c3BhbiBzdHlsZT0ncGFkZGluZy1sZWZ0OjNweCc%2BPC9zcGFuPmQCAw8PFgQfBAUHTXkgU2l0ZR8GBTVodHRwOi8vd2luLWlkczZwanRnM3ljOjgwL015U2l0ZS9fbGF5b3V0cy9NeVNpdGUuYXNweGRkAgUPFgIfBAU5PHNwYW4gc3R5bGU9J3BhZGRpbmctbGVmdDo0cHg7cGFkZGluZy1yaWdodDozcHgnPnw8L3NwYW4%2BZAIPD2QWAmYPZBYCAgMPFgIfBAUBfGQCCQ9kFgICAQ9kFgJmD2QWAgIBDw9kFgIeBWNsYXNzBRhtcy1zYnRhYmxlIG1zLXNidGFibGUtZXhkAgsPZBYCAgMPZBYCZg9kFgQCAg9kFgICAw8WAh8AaGQCAw8PFgIfAwUBL2RkAi8PZBYCAgQPZBYCAgEPZBYCZg8PFgIfAGhkZBgBBUVjdGwwMCRQbGFjZUhvbGRlclRvcE5hdkJhciRQbGFjZUhvbGRlckhvcml6b250YWxOYXYkVG9wTmF2aWdhdGlvbk1lbnUPD2QFFEhvbWVcRG9jdW1lbnQgQ2VudGVyZGmgC8w1IPklANTRTq6iDjFHnwy4&__EVENTVALIDATION=%2FwEWDwLyy5zyDAKpn5bCCwKN%2F6CDBgL5zYOUAgLqo%2FWeCQLNrvW5AwLZuKB7ArusudMFAsze0tYPAsTg25UCAr%2B9mtoLAua14b0IAovagYEIAsOR0e0DAtDfiqYLc2%2BesVFsr0Dn92NbpXGZ53H0Zq0%3D&ctl00%24PlaceHolderSearchArea%24ctl01%24ctl00=http%3A%2F%2Fwin-ids6pjtg3yc%2FDocs&ctl00%24PlaceHolderSearchArea%24ctl01%24SBScopesDDL=&InputKeywords=&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl00%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=asdfasdf&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField=%3Cdiv%3E%3C%2Fdiv%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl01%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24TextField_spSave=%3CDIV+class%3DExternalClass10DBD7507AA14EB0A345DB965125EACA%3E%0D%0A%3CDIV%3Easdfasdf%3C%2FDIV%3E%3C%2FDIV%3E&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl04%24ctl02%24ctl00%24ctl00%24ctl04%24ctl00%24ctl00%24DateTimeField%24DateTimeFieldDate=9%2F14%2F2011&ctl00%24m%24g_3c33714d_6e52_450f_b792_1c56719d1f70%24ctl00%24ctl07%24ctl00%24owshiddenversion=1&attachmentsToBeRemovedFromServer=&RectGifUrl=%2F_layouts%2Fimages%2Frect.gif&fileupload0=&__spDummyText1=&__spDummyText2=

That’s just a lot!


Size Matters – manual testing…

  • Effort Estimation – even if it took only 3 weeks to build it - it won’t take 3 days to test it ! not enough time means hard to reach corners aren’t reached!

  • Difficulty to map out the application

  • Hard to Separate between infrastructure and custom code (SharePoint is easy, MyDownloadedCMS is not)


Size Matters – manual testing…

  • Difficulty to map module relationships – it comes in here and goes out … god knows where!

  • Mixed static and dynamic content

  • Code often very large, complex or not available

  • A lot of different user types, components and roles


Size Matters – manual testing…

  • Think about an application that has 5 user types (Superadmin, site admin, supervisor, normal user, read-only report-generation user)

  • 25 different components

  • Each user can access only part of the functionality in each component, let’s say 1/3…

  • Now imagine the nightmare of authorization bypassing testing!


Size Matters – blackbox scanning…

  • Difficulties to Crawl – a lot of pages to crawl, forms to submit, different functionality, JavaScript to parse

  • Redundant testing of same code that is activated from different locations (i.e. – email to a friend links –

http://www.site.com/somepage.jsp?func=mailToAFriend


Size Matters – blackbox scanning…

  • URL Rewriting / dynamically generated HTML– difficulty to identify parameters

http://www.ynet.co.il/articles/0,7340,L-4122262,00.html

http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550


Size Matters – code analysis…

  • Often the code is not available

  • Sometimes user code is available but not the rest

  • A LOT of code to cover

  • Cross-module relations are difficult to map – too many components to map them all

  • Massive component reuse – optimization challenges


Somebody Else Did It!

3rd party platforms…


Somebody Else Did It…

  • Somebody Else Did It – so it’s inherently secure

  • (Especially if “Somebody” is a big, established software firm…)

  • … Even if it initially wasn’t, then I didn’t update it for 5 years and also built 1,000,000 lines of insecure code on top of it as “minor changes”

  • Lack of knowledge on customizations or security mechanisms


Somebody Else Did It…


Somebody Else Did It…


Somebody Else Did It…


Somebody Else Did It…


Somebody Else Did It…

  • Not using integrated security features – “…Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions”

  • Disabling integrated security features “the XSS defense was preventing me from using special characters, so I disabled it for the entire module…”


Somebody Else Did It…

  • Updates and Maintenance

    • The (not so) good - Somebody else did it… 5 years ago

    • The bad - Somebody else did it… but I didn’t install the updates

    • The ugly - Somebody else did it… and won’t fix it


Somebody Else Did It…

  • SharePoint File Upload Persistent XSS

    • Authentication and the ability to write to the SharePoint site are required to exploit this scenario.

    • Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation.

    • SharePoint administrators can restrict the uploading of files to SharePoint servers


Somebody Else Did It…

  • (Just Released! Found by Seeker™)


Somebody Else Did It…

  • SharePoint 2007 Central Administration XSS:

    • XSS  Perform Operations on Behalf of Users, Steal Information, Take Their Cookies, Corrupt Data…


Somebody Else Did It…

POST /Reports/Pages/Default.aspx HTTP/1.1

... ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=

<script>alert(“I didn’t do HTML Encoding!")</script>

  • When placed directly into textbox – encoded on client side to prevent XSS!


Somebody Else Did It…

  • SharePoint 2007 & 2010 Insecure Redirect

  • Insecure Redirect  Sneakily lead users to a malicious website, there do bad things to them. Steal their credentials, tell them lies, have them tell their deepest secrets to www.evil.com!

  • The Vulnerable Parameter  Source, it’s a system wide parameter used in SharePoint for redirects all over.

  • Normal Values 

Source=http://mysite/Docs/Announcements/NewForm.aspx

Source=/Docs/Announcements/NewForm.aspx


Somebody Else Did It…

  • Normal Values  anything inside the site!

  • However, this includes:

  • Actually, it permits anything starting with

  • For Example:

Source=localhost/Docs/Announcements.NewItem.aspx

“Localhost” or “127.0.0.1”

Source=Localhost.EvilSite.Com


My CMS has Wings!

So Does Everybody Else’s


My CMS has Wings!

  • CommunityMS – Widgetization, Add-Ons, etc.

  • UGC – User Generated Content – Web2.0

  • creates many opportunities for security flaws!

  • Administration & Backoffice – leaving the admin interface publicly accessible, not testing the admin interface as nobody has access to it.


My CMS has Wings!

  • Administrative Interfaces? Just Google it!

  • SharePoint?

    • Google for inurl:/docs/lists/announcements

  • Wordpress?

  • Google for inurl:wp-login.php

  • (remote admin password reset vulnerability, anyone?)

  • PeopleSoft?

    • Google for inurl:maintain_security


  • My CMS has Wings!

    • I took a component, and then my custom code added write permissions to it. It was never secure enough for write permissions.

    • Adding components provided by dubious entities… (look what I found on Google! It’s just a widget… )


    My CMS has Wings!

    • Fresh from the Oven, released in the past week:

      • WordPress WP e-Commerce Plugin 'cs1' Parameter SQL Injection Vulnerability (14-Sep-2011)

      • WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (12-Sep-2011)

      • WordPress Easy Comment Uploads Plugin 'upload.php' Arbitrary File Upload Vulnerability (12-Sep-2011)

      • WordPress Tune Library Plugin 'letter' Parameter SQL Injection Vulnerability (10-Sep-2011)


    Help!!!

    What can You do??


    Help!!!

    • Provide enough time for thorough security testing

    • Know which components are present

    • Buy your platform from a reputable vendoror test it fully including platform components

    • Spend time to configure your security tools

    • Prefer security tools that know your specific platform


    Help!!!

    • Choose widgets and add-ons from a reputable vendor, and test them properly anyway

    • Take an expert who knows it to configure it and help you customize it

    • Use the built-in security features

    • Update and maintain it!

    • Secure it like any other development process


    Thank You!


  • Login