SlideShare una empresa de Scribd logo

Enterprise Portals - Gateway to the Gold

Security B-Sides
Security B-Sides

Ian De Villiers ZaCon 2009 http://www.zacon.org.za/Archives/2009/slides/

Tecnología
1 de 16
Descargar para leer sin conexión
Enterprise Portals Gate to the Gold
`whoami` •  SensePost –  Specialist Security firm based in Pretoria –  Customers all over the globe –  Talks / Papers / Books •  ian@sensepost.com –  Associate security analyst –  I break stuff and write reports about breaking stuff •  Why this talk?
EP Vendors •  IBM WebSphere Portal •  SAP NetWeaver Portal •  Oracle Portal Products (PlumTree, BEA, SUN, ∞) •  OpenText Portal (Formerly Vignette) •  JBoss Portal •  Microsoft SharePoint Server •  Apache Jetspeed, Interwoven TeamPortal, …, ∞
EP Overview •  Frequent on intranets. •  Also frequent on the Internet… :) •  Framework for integrating information, people and processes** •  Consolidate and summarise diverse sources of information •  Provide customisable home-page for registered users **
EP Overview •  Popular platform for deployment of applications due to framework and built-in functionality •  Provide SDK’s for customisation and deployment of custom applications •  Support pluggable components called portlets •  Generally J2EE-based, but there are some alternate platforms (i.e.: .NET, PHP, ∞)
Portlet Overview •  Pluggable user interface components which are managed and displayed in a portal** •  Fragments of markup code (i.e: HTML / XML etc) which are aggregated in a portal page** •  Adhere to various standards –  WSRP (web services for remote portlets) –  Java Portlet Specification GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa •  JSR168 HTTP 200 OK •  JSR268 •  Proprietary **
Functionality++ •  User Registration •  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞ •  Workflow components •  Messaging / Social networking •  Configuration and administrative components
Common Shortcomings •  Generally cater for multiple portal applications –  May expose intranet applications to the Internet •  Frequently allow registration for public users – Functionality++ •  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
Common Shortcomings •  Diverse log-in capabilities –  LDAP, XML, Database, ..., ∞, * == SSO •  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform •  Custom error pages defined for platform •  Complexity++
Breaking Out •  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions… •  … or do they ?
Breaking Out •  Direct object access •  Google is your friend… :> •  Forcing errors to display generic portal error messages •  Accessing site-registration •  HTML source comments and JavaScript •  Once we can break out of the custom application, we expose the full functionality of the portal…
Finding Portals •  Google Hacks (nods at Johnny Long…) •  site:, insite:, inurl:, …, ∞ •  Demo… –  site:za –  inurl:/portal/site –  inurl:/template.REGISTER
Abusing Portlets •  Original Advisory pertaining to IBM WebSphere –  WebSphere – 2006/01/24 – EPAM Systems •  Port Scanning •  Accessing protected resources •  Attacks at third parties •  Blended Attack Scenarios –  Denial Of Service –  Brute-Force –  Attacks against other protocols
PortletSuite.tgz •  PortletScan.py –  Scan for open ports by abusing portlets •  Pikto.py –  Scan for common virtual directory names and web server misconfigurations •  PorProx.py –  Provides proxy server functionality tunnelling HTTP requests through remote portlets
PortletSuite.tgz •  http://www.sensepost.com/blog •  Demo… –  Breaking out –  Portlet-scanning –  Pikto –  Accessing protected resources –  PortletProx
Questions ? ian@sensepost.com

Recomendados

Portets to composite applications
Portets to composite applicationsPortets to composite applications
Portets to composite applications
Serge Huber
 
Forefront UAG
Forefront UAGForefront UAG
Forefront UAG
James Tramel
 
The Evolution of Webinjects
The Evolution of WebinjectsThe Evolution of Webinjects
The Evolution of Webinjects
jiboutin
 
Java Portal platforms presentation
Java Portal platforms presentationJava Portal platforms presentation
Java Portal platforms presentation
Rashedul Hasan Khan
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
Security B-Sides
 
Security YMCA
Security YMCASecurity YMCA
Security YMCA
Security BSides London
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
Security B-Sides
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
Security B-Sides
 

Recomendados

Portets to composite applications
Portets to composite applicationsPortets to composite applications
Portets to composite applications
Serge Huber
 
Forefront UAG
Forefront UAGForefront UAG
Forefront UAG
James Tramel
 
The Evolution of Webinjects
The Evolution of WebinjectsThe Evolution of Webinjects
The Evolution of Webinjects
jiboutin
 
Java Portal platforms presentation
Java Portal platforms presentationJava Portal platforms presentation
Java Portal platforms presentation
Rashedul Hasan Khan
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
Security B-Sides
 
Security YMCA
Security YMCASecurity YMCA
Security YMCA
Security BSides London
 
Lord of the bing b-sides atl
Lord of the bing b-sides atlLord of the bing b-sides atl
Lord of the bing b-sides atl
Security B-Sides
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
Security B-Sides
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
Vincent Perrin
 
Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)
rivetlogic
 
GateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web AppsGateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web Apps
Wesley Hales
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portal
rivetlogic
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
daveayan
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
Tomasz Zarna
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
Nguyen Tung
 
Shindig Apachecon Asia 09
Shindig Apachecon Asia 09Shindig Apachecon Asia 09
Shindig Apachecon Asia 09
Nuwan Bandara
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
Tomasz Zarna
 
Webcenter Portlal training...
Webcenter Portlal training...Webcenter Portlal training...
Webcenter Portlal training...
Vinay Kumar
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
chuckbt
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
Ken Yagen
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
Jean Vanderdonckt
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
Yaniv Uriel
 
Oracle web center
Oracle web centerOracle web center
Oracle web center
East Le
 
The Java Story
The Java StoryThe Java Story
The Java Story
David Parsons
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
DefconRussia
 
Phonegap 2.x
Phonegap 2.xPhonegap 2.x
Phonegap 2.x
Brian LeRoux
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Security B-Sides
 

Más contenido relacionado

Similar a Enterprise Portals - Gateway to the Gold

WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
Vincent Perrin
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
daveayan
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
Ken Yagen
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
Jean Vanderdonckt
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
Yaniv Uriel
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
DefconRussia
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
Axway Appcelerator
 

Similar a Enterprise Portals - Gateway to the Gold (20)

WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
 
Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)Introduction to Portlets using Liferay Portal (Part 2)
Introduction to Portlets using Liferay Portal (Part 2)
 
GateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web AppsGateIn - The Solution for Managing and Building Enterprise Web Apps
GateIn - The Solution for Managing and Building Enterprise Web Apps
 
Introduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay PortalIntroduction to Portlets Using Liferay Portal
Introduction to Portlets Using Liferay Portal
 
01/2009 - Portral development with liferay
01/2009 - Portral development with liferay01/2009 - Portral development with liferay
01/2009 - Portral development with liferay
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
 
Shindig Apachecon Asia 09
Shindig Apachecon Asia 09Shindig Apachecon Asia 09
Shindig Apachecon Asia 09
 
Orion Introduction
Orion IntroductionOrion Introduction
Orion Introduction
 
Webcenter Portlal training...
Webcenter Portlal training...Webcenter Portlal training...
Webcenter Portlal training...
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
2010 code camp rest for the rest of us
2010 code camp rest for the rest of us2010 code camp rest for the rest of us
2010 code camp rest for the rest of us
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
 
Oracle web center
Oracle web centerOracle web center
Oracle web center
 
The Java Story
The Java StoryThe Java Story
The Java Story
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Polyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and morePolyakov how i will break your enterprise. esb security and more
Polyakov how i will break your enterprise. esb security and more
 
Phonegap 2.x
Phonegap 2.xPhonegap 2.x
Phonegap 2.x
 
Codestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practicesCodestrong 2012 breakout session introduction to mobile web and best practices
Codestrong 2012 breakout session introduction to mobile web and best practices
 

Más de Security B-Sides

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Security B-Sides
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Security B-Sides
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Security B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
Security B-Sides
 

Más de Security B-Sides (20)

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon Haroon Meer2009 Zacon Haroon Meer
2009 Zacon Haroon Meer
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Exploitation
ExploitationExploitation
Exploitation
 
Layer 2 Hackery
Layer 2 HackeryLayer 2 Hackery
Layer 2 Hackery
 
Efficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering informationEfficient extraction of data using binary search and ordering information
Efficient extraction of data using binary search and ordering information
 
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
Community-oriented Computer Security Incident Response Teams (C-CSIRTS)
 
Vulnerability Management Scoring Systems
Vulnerability Management Scoring SystemsVulnerability Management Scoring Systems
Vulnerability Management Scoring Systems
 

Último

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Enterprise Portals - Gateway to the Gold

  • 2. `whoami` •  SensePost –  Specialist Security firm based in Pretoria –  Customers all over the globe –  Talks / Papers / Books •  ian@sensepost.com –  Associate security analyst –  I break stuff and write reports about breaking stuff •  Why this talk?
  • 3. EP Vendors •  IBM WebSphere Portal •  SAP NetWeaver Portal •  Oracle Portal Products (PlumTree, BEA, SUN, ∞) •  OpenText Portal (Formerly Vignette) •  JBoss Portal •  Microsoft SharePoint Server •  Apache Jetspeed, Interwoven TeamPortal, …, ∞
  • 4. EP Overview •  Frequent on intranets. •  Also frequent on the Internet… :) •  Framework for integrating information, people and processes** •  Consolidate and summarise diverse sources of information •  Provide customisable home-page for registered users **
  • 5. EP Overview •  Popular platform for deployment of applications due to framework and built-in functionality •  Provide SDK’s for customisation and deployment of custom applications •  Support pluggable components called portlets •  Generally J2EE-based, but there are some alternate platforms (i.e.: .NET, PHP, ∞)
  • 6. Portlet Overview •  Pluggable user interface components which are managed and displayed in a portal** •  Fragments of markup code (i.e: HTML / XML etc) which are aggregated in a portal page** •  Adhere to various standards –  WSRP (web services for remote portlets) –  Java Portlet Specification GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa •  JSR168 HTTP 200 OK •  JSR268 •  Proprietary **
  • 7. Functionality++ •  User Registration •  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞ •  Workflow components •  Messaging / Social networking •  Configuration and administrative components
  • 8. Common Shortcomings •  Generally cater for multiple portal applications –  May expose intranet applications to the Internet •  Frequently allow registration for public users – Functionality++ •  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
  • 9. Common Shortcomings •  Diverse log-in capabilities –  LDAP, XML, Database, ..., ∞, * == SSO •  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform •  Custom error pages defined for platform •  Complexity++
  • 10. Breaking Out •  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions… •  … or do they ?
  • 11. Breaking Out •  Direct object access •  Google is your friend… :> •  Forcing errors to display generic portal error messages •  Accessing site-registration •  HTML source comments and JavaScript •  Once we can break out of the custom application, we expose the full functionality of the portal…
  • 12. Finding Portals •  Google Hacks (nods at Johnny Long…) •  site:, insite:, inurl:, …, ∞ •  Demo… –  site:za –  inurl:/portal/site –  inurl:/template.REGISTER
  • 13. Abusing Portlets •  Original Advisory pertaining to IBM WebSphere –  WebSphere – 2006/01/24 – EPAM Systems •  Port Scanning •  Accessing protected resources •  Attacks at third parties •  Blended Attack Scenarios –  Denial Of Service –  Brute-Force –  Attacks against other protocols
  • 14. PortletSuite.tgz •  PortletScan.py –  Scan for open ports by abusing portlets •  Pikto.py –  Scan for common virtual directory names and web server misconfigurations •  PorProx.py –  Provides proxy server functionality tunnelling HTTP requests through remote portlets
  • 15. PortletSuite.tgz •  http://www.sensepost.com/blog •  Demo… –  Breaking out –  Portlet-scanning –  Pikto –  Accessing protected resources –  PortletProx