Malicious content in enterprise portals
Transcript
Page 1: Malicious content in enterprise portals

Malicious content in enterprise portals

OWASP IL mini-conference, Nov 13, 2006

Presented by Shalom Carmel

[email protected]

Page 2: Malicious content in enterprise portals

Why do we care?

• Portals are more than Intranets
• Portals are getting common
• Targeted applications
• Multitude of content sources
  – Many sources
  – Many formats
  – Many technologies
• Expensive to maintain

© Shalom Carmel, 2006

Page 3: Malicious content in enterprise portals

[Diagram: content source, content delivery, content consumer]


Page 4: Malicious content in enterprise portals

Where does content come from?

[Diagram: the portal and its content sources]


Page 5: Malicious content in enterprise portals

Content entry templates

• Just like in all CMS (Joomla, Mambo, PHPNuke, Zope, Plone, Jetspeed, …)


Page 6: Malicious content in enterprise portals

Content entry templates

Protection by web application firewall


Page 7: Malicious content in enterprise portals

Uploaded files

Poisoned at birth


Page 8: Malicious content in enterprise portals

Result of upload


Page 9: Malicious content in enterprise portals

Upload manual metadata

Protection by web application firewall


Page 10: Malicious content in enterprise portals

Uploaded files

[Diagram: document metadata vs. portal metadata]


Page 11: Malicious content in enterprise portals

Uploaded files

Poisoned at conception - MS Office


Page 12: Malicious content in enterprise portals

Uploaded files

Poisoned at conception - Acrobat


Page 13: Malicious content in enterprise portals

Uploaded files

Poisoned at conception - HTML


Page 14: Malicious content in enterprise portals

Uploaded files

WebDAV: Oracle File System, SharePoint


Page 15: Malicious content in enterprise portals

Uploaded docs properties / Uploaded docs contents

Protection by web application firewall


Page 16: Malicious content in enterprise portals

External web content

Until now we had some control!


Page 17: Malicious content in enterprise portals

External web content

• Meta-data
• Portlets
• iframe? reverse proxy? custom code?


Page 18: Malicious content in enterprise portals

External web content

• Reverse proxy example


Page 19: Malicious content in enterprise portals

External content

Protection by web application firewall


Page 20: Malicious content in enterprise portals

Crawl and index

• Special case of external content
• Web, file systems, email, databases


Page 21: Malicious content in enterprise portals

Crawled content

Protection by web application firewall


Page 22: Malicious content in enterprise portals

Search and retrieve

• Federated search
• More places to look for XSS


Page 23: Malicious content in enterprise portals

Search results

Protection by web application firewall


Page 24: Malicious content in enterprise portals

Protection by web application firewall

Content entry templates     YES
Upload manual metadata      YES
Uploaded docs properties    Maybe
Uploaded docs contents      Maybe
External content            NO*
Crawled content             NO*
Search results              NO*

* Technically possible but very difficult implementation
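An added illustration of the "NO*" rows of the table above (example code written for this transcript, not the presentation's own): metadata crawled from uploaded documents never passes the web application firewall, so markup detection has to live in the indexer and output encoding in the search-result renderer. The document list, field names and portal paths are constructed assumptions.

```python
import html
import re
from typing import Dict, List

# Constructed sample of what a crawler pulls from a file share: one clean
# document and one whose Office-style Title property was "poisoned at
# conception" with markup. Paths, field names and the payload are assumptions.
CRAWLED_DOCS: List[Dict[str, str]] = [
    {"path": "/portal/docs/1041", "title": "Benefits 2006", "author": "HR team"},
    {"path": "/portal/docs/1042", "author": "eng",
     "title": "Spec <script>alert(document.domain)</script>"},
]

# Anything that looks like the start of an HTML tag inside a metadata value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def suspicious_metadata(doc: Dict[str, str]) -> List[str]:
    """Ingest-time detection: names the metadata fields that contain markup.
    The WAF never sees crawled content, so this check must run in the indexer."""
    return [k for k, v in doc.items() if k != "path" and MARKUP.search(v)]


def build_index(docs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Index every document (search must still find the file) but record the
    suspicious fields so the hit can be reviewed."""
    index = []
    for doc in docs:
        entry = dict(doc)
        entry["flags"] = ",".join(suspicious_metadata(doc))
        index.append(entry)
    return index


def render_search_results(query: str, index: List[Dict[str, str]]) -> str:
    """Render hits as HTML. Every crawled field is escaped at output, the one
    control that covers all content paths in the slide table."""
    rows = []
    for entry in index:
        if query.lower() not in entry["title"].lower():
            continue
        rows.append(
            '<li><a href="{href}">{title}</a> by {author}</li>'.format(
                href=html.escape(entry["path"], quote=True),
                title=html.escape(entry["title"]),
                author=html.escape(entry["author"]),
            )
        )
    return "<ul>" + "".join(rows) + "</ul>"
```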