Let's shield Liferay

let’s shield liferay
@jajcampoy José A. Jiménez

let’s take the security seriously
Do you want to be involved? https://portal.liferay.dev/learn/security
Reporting issues
Send an email: security@liferay.com
Open a ticket: https://issues.liferay.com
Avoid details in any public channel

web application security risks
Learn about the OWASP Top 10 Web Application Security Risks
https://owasp.org/www-project-top-ten
Risk > Threat > Vulnerability > Impact
Safeguard
Have in mind:
> Code
> Data
> Infrastructure
> Configuration

using components with known vulnerabilities
Liferay Portal is a big platform, with a lot of features, multiple
systems integrations and a lot of facilities for developing:
libraries, frameworks and software modules that need to be updated
Threat: It is easy to find already-written exploits for many known
vulnerabilities. Other vulnerabilities require concentrated effort to
develop a custom exploit. A vulnerable component can be exploited.
Impact: Attack can facilitate serious data loss or server takeover or
whatever
Custom developments Liferay
Safeguard: Update

https://portal.liferay.dev/learn/security/known-vulnerabilities

keep you liferay ce updated
> Update your version
7.3 Rolling releases => <new> 7.3 GA3
7.2 GA2+
> 7.1, 7.0, 6.2 => diy
Get the code
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
Build patched versions
https://portal.liferay.dev/learn/security/patching

routine
Building our custom patches
10 REVIEW YOUR CODE
20 BUILD
30 BACKUP
40 DEPLOY
50 UPGRADE DB
60 TEST
70 END

community power - working together
Dominike Marks - Complete guide and binaries
https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches
Arund Dask - Binaries for 6.2 https://liferay.dev/blogs/-/blogs/security-patches-for-
liferay-portal-6-2-7-0-and-7-1
NOTE: Use binaries under your responsibility

Untrusted data is sent to the interpreter as part of a command or query.
Threat: The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
SQL, NoSQL, OS, LDAP, XPath, etc.
Impact: Lost/corruption of data, DoS
injection
Safeguard: Use parameterized APIs and tested tools-
Finders created by Service Builder are parametrized.
Custom SQLs and custom finders => prepared statements

Untrusted data in a web page without proper validation or escaping
Threat: Attackers execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to
malicious sites
cross-site scripting - xss
Safeguard: Validate untrusted data before to store them and escape them
in the web page
taglibs <aui:input … />
com.liferay.portal.kernel.util.HtmlUtil > escape()
> escapeAttribute()
> escapeURL()

http://dom1.mycompanydomain.com/c/login?redirect=dom1.mycompanydomein.com
unvalidated redirects and forwards
> Explicit list of IPs or domains, examples:
redirect.url.security.mode=ip
redirect.url.ips.allowed=127.0.0.1,SERVER_IP,192.168.0.12,192.168.0.13,192.168.0.99
redirect.url.security.mode=domain
redirect.url.domains.allowed=dom1.mycompany.com,dom2.mycompany.com
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mycompany.com

broken authentication
Threat: a bad implemented authentication and/or session management,
allowing attackers to compromise passwords, keys, or session tokens
Impact: attackers assume other users’ identities temporarily or
permanently
> Use secure protocols for connections (SSL,TLS, etc)
> A robust authentication mechanism: Second-factor authentication OOTB
in Liferay 7.3 > Multi-factor authentication (work in progress)
> OAUTH 2.0 to invoke your APIs / JAX-RS Web Services
https://help.liferay.com/hc/articles/360028711432-OAuth-2-0

Threat: Web Apps or APIs do not properly protect sensitive data
Impact: Attackers can steal or modify such weakly protected data.
sensitive data exposure
> Select a strong encryption algorithm. Are you upgrading?
company.encryption.algorithm=AES
company.encryption.key.size=12
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
#passwords.encryption.algorithm.legacy=
> Review connections and protocols:
Securize LDAP (ldaps)
Securize Elasticsearch 7, available for CE in 7.2 and 7.3
> Strong password policy
https://help.liferay.com/hc/articles/360028819212-Password-Policies

> Enable https and force it when authenticating or other accesses, and
minimize the access having explicit IPs lists / ranges.
company.security.auth.requires.https=false
# {0} = main | json | atom | tunnel | webdav
{0}.servlet.hosts.allowed=
{0}.servlet.https.required=false
rss.feeds.hosts.allowed=
> Define Service Access Policies
https://help.liferay.com/hc/articles/360028711272-Service-Access-Policies
sensitive data exposure

Threat: an attack that tricks the victim into submitting a malicious
request
Impact: It inherits the identity and privileges of the victim to perform
an undesired function on the victim’s behalf
cross-site request forgery - csrf
> POST method for action requests
> Multi-step transactions, captchas
> Auth tokens for action URLs: p_auth & p_p_auth
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
> Configure CORS (Cross-Origin Resource Sharing)
https://help.liferay.com/hc/es/articles/360030377272-Configuring-CORS

Monitorize the infrastructure and the users
> Limited resources > Performance > DoS
> CPU
> MEM
> Pool BBDD
Example: Query no-cacheable in each request or users.update.last.login=true
> Log access to sensitive data or special actions
Users management: Control Panel > Configuration > Audit
Other actions https://liferay.dev/blogs/-/blogs/auditing-liferay-dxp-who-has-done-what-
and-when
Insufficient logging and monitoring

> Do not execute processes with root (app server, patching tool, etc)
> Define your default admin user
default.admin.password=test
default.admin.screen.name=test
default.admin.email.address.prefix=test
default.admin.first.name=Test
default.admin.middle.name=
default.admin.last.name=Test
> Disable Unused SSO
RememberMe:
company.security.auto.login=false
and many more…

Let's shield Liferay

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Let's shield Liferay

Similaire à Let's shield Liferay (20)

Dernier

Dernier (20)

Let's shield Liferay

Notes de l'éditeur