SlideShare une entreprise Scribd logo

Enterprise Portals - Gateway to the Gold

Security B-Sides
Security B-Sides

Ian De Villiers ZaCon 2009 http://www.zacon.org.za/Archives/2009/slides/

Technologie
1  sur  16
Télécharger pour lire hors ligne
Enterprise Portals Gate to the Gold
`whoami` •  SensePost –  Specialist Security firm based in Pretoria –  Customers all over the globe –  Talks / Papers / Books •  ian@sensepost.com –  Associate security analyst –  I break stuff and write reports about breaking stuff •  Why this talk?
EP Vendors •  IBM WebSphere Portal •  SAP NetWeaver Portal •  Oracle Portal Products (PlumTree, BEA, SUN, ∞) •  OpenText Portal (Formerly Vignette) •  JBoss Portal •  Microsoft SharePoint Server •  Apache Jetspeed, Interwoven TeamPortal, …, ∞
EP Overview •  Frequent on intranets. •  Also frequent on the Internet… :) •  Framework for integrating information, people and processes** •  Consolidate and summarise diverse sources of information •  Provide customisable home-page for registered users **
EP Overview •  Popular platform for deployment of applications due to framework and built-in functionality •  Provide SDK’s for customisation and deployment of custom applications •  Support pluggable components called portlets •  Generally J2EE-based, but there are some alternate platforms (i.e.: .NET, PHP, ∞)
Portlet Overview •  Pluggable user interface components which are managed and displayed in a portal** •  Fragments of markup code (i.e: HTML / XML etc) which are aggregated in a portal page** •  Adhere to various standards –  WSRP (web services for remote portlets) –  Java Portlet Specification GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa •  JSR168 HTTP 200 OK •  JSR268 •  Proprietary **
Functionality++ •  User Registration •  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞ •  Workflow components •  Messaging / Social networking •  Configuration and administrative components
Common Shortcomings •  Generally cater for multiple portal applications –  May expose intranet applications to the Internet •  Frequently allow registration for public users – Functionality++ •  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
Common Shortcomings •  Diverse log-in capabilities –  LDAP, XML, Database, ..., ∞, * == SSO •  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform •  Custom error pages defined for platform •  Complexity++
Breaking Out •  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions… •  … or do they ?
Breaking Out •  Direct object access •  Google is your friend… :> •  Forcing errors to display generic portal error messages •  Accessing site-registration •  HTML source comments and JavaScript •  Once we can break out of the custom application, we expose the full functionality of the portal…
Finding Portals •  Google Hacks (nods at Johnny Long…) •  site:, insite:, inurl:, …, ∞ •  Demo… –  site:za –  inurl:/portal/site –  inurl:/template.REGISTER
Abusing Portlets •  Original Advisory pertaining to IBM WebSphere –  WebSphere – 2006/01/24 – EPAM Systems •  Port Scanning •  Accessing protected resources •  Attacks at third parties •  Blended Attack Scenarios –  Denial Of Service –  Brute-Force –  Attacks against other protocols
PortletSuite.tgz •  PortletScan.py –  Scan for open ports by abusing portlets •  Pikto.py –  Scan for common virtual directory names and web server misconfigurations •  PorProx.py –  Provides proxy server functionality tunnelling HTTP requests through remote portlets
PortletSuite.tgz •  http://www.sensepost.com/blog •  Demo… –  Breaking out –  Portlet-scanning –  Pikto –  Accessing protected resources –  PortletProx
Questions ? ian@sensepost.com

Recommandé

Portets to composite applications
Portets to composite applicationsPortets to composite applications
Portets to composite applications
Serge Huber
 
Forefront UAG
Forefront UAGForefront UAG
Forefront UAG
James Tramel
 
The Evolution of Webinjects
The Evolution of WebinjectsThe Evolution of Webinjects
The Evolution of Webinjects
jiboutin
 
Java Portal platforms presentation
Java Portal platforms presentationJava Portal platforms presentation
Java Portal platforms presentation
Rashedul Hasan Khan
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
Security B-Sides
 
Security YMCA
Security YMCASecurity YMCA
Security YMCA
Security BSides London
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
Security B-Sides
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
Security B-Sides
 

Recommandé

Portets to composite applications
Portets to composite applicationsPortets to composite applications
Portets to composite applications
Serge Huber
 
Forefront UAG
Forefront UAGForefront UAG
Forefront UAG
James Tramel
 
The Evolution of Webinjects
The Evolution of WebinjectsThe Evolution of Webinjects
The Evolution of Webinjects
jiboutin
 
Java Portal platforms presentation
Java Portal platforms presentationJava Portal platforms presentation
Java Portal platforms presentation
Rashedul Hasan Khan
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
Security B-Sides
 
Security YMCA
Security YMCASecurity YMCA
Security YMCA
Security BSides London
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
Security B-Sides
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
Security B-Sides
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
Vincent Perrin
 
Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)
rivetlogic
 
GateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web AppsGateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web Apps
Wesley Hales
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portal
rivetlogic
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
daveayan
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
Tomasz Zarna
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
Nguyen Tung
 
Shindig Apachecon Asia 09
Shindig Apachecon Asia 09Shindig Apachecon Asia 09
Shindig Apachecon Asia 09
Nuwan Bandara
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
Tomasz Zarna
 
Webcenter Portlal training...
Webcenter Portlal training...Webcenter Portlal training...
Webcenter Portlal training...
Vinay Kumar
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
chuckbt
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
Ken Yagen
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
Jean Vanderdonckt
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
Yaniv Uriel
 
Oracle web center
Oracle web centerOracle web center
Oracle web center
East Le
 
The Java Story
The Java StoryThe Java Story
The Java Story
David Parsons
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
DefconRussia
 
Phonegap 2.x
Phonegap 2.xPhonegap 2.x
Phonegap 2.x
Brian LeRoux
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Security B-Sides
 

Contenu connexe

Similaire à Enterprise Portals - Gateway to the Gold

WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
Vincent Perrin
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
daveayan
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
Ken Yagen
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
Jean Vanderdonckt
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
Yaniv Uriel
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
DefconRussia
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 

Similaire à Enterprise Portals - Gateway to the Gold (20)

WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
 
Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)
 
GateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web AppsGateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web Apps
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portal
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
 
Shindig Apachecon Asia 09
Shindig Apachecon Asia 09Shindig Apachecon Asia 09
Shindig Apachecon Asia 09
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
 
Webcenter Portlal training...
Webcenter Portlal training...Webcenter Portlal training...
Webcenter Portlal training...
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
 
Oracle web center
Oracle web centerOracle web center
Oracle web center
 
The Java Story
The Java StoryThe Java Story
The Java Story
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
 
Phonegap 2.x
Phonegap 2.xPhonegap 2.x
Phonegap 2.x
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
 

Plus de Security B-Sides

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Security B-Sides
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Security B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
Security B-Sides
 

Plus de Security B-Sides (20)

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon Haroon Meer2009 Zacon Haroon Meer
2009 Zacon Haroon Meer
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Exploitation
ExploitationExploitation
Exploitation
 
Layer 2 Hackery
Layer 2 HackeryLayer 2 Hackery
Layer 2 Hackery
 
Efficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering informationEfficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering information
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring Systems
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Enterprise Portals - Gateway to the Gold

  • 2. `whoami` •  SensePost –  Specialist Security firm based in Pretoria –  Customers all over the globe –  Talks / Papers / Books •  ian@sensepost.com –  Associate security analyst –  I break stuff and write reports about breaking stuff •  Why this talk?
  • 3. EP Vendors •  IBM WebSphere Portal •  SAP NetWeaver Portal •  Oracle Portal Products (PlumTree, BEA, SUN, ∞) •  OpenText Portal (Formerly Vignette) •  JBoss Portal •  Microsoft SharePoint Server •  Apache Jetspeed, Interwoven TeamPortal, …, ∞
  • 4. EP Overview •  Frequent on intranets. •  Also frequent on the Internet… :) •  Framework for integrating information, people and processes** •  Consolidate and summarise diverse sources of information •  Provide customisable home-page for registered users **
  • 5. EP Overview •  Popular platform for deployment of applications due to framework and built-in functionality •  Provide SDK’s for customisation and deployment of custom applications •  Support pluggable components called portlets •  Generally J2EE-based, but there are some alternate platforms (i.e.: .NET, PHP, ∞)
  • 6. Portlet Overview •  Pluggable user interface components which are managed and displayed in a portal** •  Fragments of markup code (i.e: HTML / XML etc) which are aggregated in a portal page** •  Adhere to various standards –  WSRP (web services for remote portlets) –  Java Portlet Specification GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa •  JSR168 HTTP 200 OK •  JSR268 •  Proprietary **
  • 7. Functionality++ •  User Registration •  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞ •  Workflow components •  Messaging / Social networking •  Configuration and administrative components
  • 8. Common Shortcomings •  Generally cater for multiple portal applications –  May expose intranet applications to the Internet •  Frequently allow registration for public users – Functionality++ •  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
  • 9. Common Shortcomings •  Diverse log-in capabilities –  LDAP, XML, Database, ..., ∞, * == SSO •  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform •  Custom error pages defined for platform •  Complexity++
  • 10. Breaking Out •  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions… •  … or do they ?
  • 11. Breaking Out •  Direct object access •  Google is your friend… :> •  Forcing errors to display generic portal error messages •  Accessing site-registration •  HTML source comments and JavaScript •  Once we can break out of the custom application, we expose the full functionality of the portal…
  • 12. Finding Portals •  Google Hacks (nods at Johnny Long…) •  site:, insite:, inurl:, …, ∞ •  Demo… –  site:za –  inurl:/portal/site –  inurl:/template.REGISTER
  • 13. Abusing Portlets •  Original Advisory pertaining to IBM WebSphere –  WebSphere – 2006/01/24 – EPAM Systems •  Port Scanning •  Accessing protected resources •  Attacks at third parties •  Blended Attack Scenarios –  Denial Of Service –  Brute-Force –  Attacks against other protocols
  • 14. PortletSuite.tgz •  PortletScan.py –  Scan for open ports by abusing portlets •  Pikto.py –  Scan for common virtual directory names and web server misconfigurations •  PorProx.py –  Provides proxy server functionality tunnelling HTTP requests through remote portlets
  • 15. PortletSuite.tgz •  http://www.sensepost.com/blog •  Demo… –  Breaking out –  Portlet-scanning –  Pikto –  Accessing protected resources –  PortletProx