mwlug2013 - can your xpage codes stand up to hackers?
DESCRIPTION
Presentation at the 2013 MWLUG (Midwest Lotus User's Group) regional meeting. - Explore vulnerabilities in current Dominos sites. - Describe why it is important for Xpage developers to be aware of security issues - Show simple remediation steps.TRANSCRIPT
Can your Xpage App Stand Up to Criminals?
Bernie Leung
MESA TechnologyBernie Leung
MESA Technology
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Not another Domino Security Talk, Right?
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Not another Domino Security Talk, Right?
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
How to Secure Domino Server
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Then what are these doing here?
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Controlled Environment ? …. No More
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Vulnerability
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Topics:
1. XSS2. Security by Obscurity3. What can we do about it?
And DEMOS's - open your laptop and follow
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Anatomy of Xpages Web App
<xp: ..... >
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Anatomy of XPages
<xp: ..... >
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Cross Site Scripting
Why is it Bad?
demo.
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
XSS – non persistent
For example, consider a site that has a welcome notice " Welcome %username% " and a download link
Instead you enterhttp://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
*Sample copied from OWASP
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
XSS – persistent
User form input, stored and later retrieved by others
*Sample copied from OWASP
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
In jsp,
Include JSTL (java standard tag lib)And output via c:out value="${outputWords}”
In Domino,
Add to NOTES.ini DominoValidateFramesetSRC=1
Fixing the Vulnerability
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
How Many other Libraries Do You Use?
Are you bringing in vulnerabilities?
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Security by Obscurity
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Another Common Vulnerability
Sensitive nsf open to public
Google is our frien-emy
inurl:/ibmsxpresinurl:/names.nsfinurl:/todo.nsf
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
DEMO
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Keeping Up with the Bad Guys
IBM AppScan
Open Source
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
DEMO
How I Found the VulnerabilitiesUsing IBM AppScan
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Thank You and Be Safe.
Contact Bernie Leung [email protected]