SlideShare una empresa de Scribd logo
1 de 41
SC 103
Domino on the Web - Yes, It's
(Probably) Hackable
Darren Duke
About Me
• Ex co-host of This Week In Lotus podcast
• Current (?) co-co-host of WTF Tech podcast
• Sometime blogger https://blog.darrenduke.net
• Twitter snark fountain @darrenduke
• This maybe the best slide in the deck. Feel free
to leave right now…
Agenda
• What we will cover
– Then eternal battle of admin vs developer
– The simple things
– The less simple things
– The harder things
– The much harder things
Be Careful
• When you have a web server you are a target
– Do the simple things first
– Change one thing at time and test
• You will break something
• No, really you will
• No. For real. You will break something.
• I broke my blog search
• I broke iNotes clipboard pasting
The Eternal Battle
• Web server security, whose responsibility?
– Is it the application developer?
– Is it the web server administrator?
– Yes
• Developer
– Tell
• What is *your* required minimum security
• Administrator
– Ask
• What is the maximum level of security I can use?
• If no answer, start high and move down
Sanitize Input
• Developers, you must sanitize the input
uploaded by your web applications
– Input fields need to be cleaned on form
submission
• Ex, on submit check for an remove <script> tags in the
input
• This reduces the risk of a compromised server
– Try to hack your own applications
• The Domino HTTP stack
– Not the most up-to-date HTTP stack available
• I’m being nice
– Missing many modern features
• HTTP/2, SNI
• Yes, I’m sure Domino 10 will address this along with
world peace
– Complicated HTTP header use
– Sometimes TLS/SSL gets caught with pants down
• Poodle
• ROBOT
• So yes, you can do most of this in Domino
• I would use a reverse proxy
– Apache
– Nginx
• I use both
– Blog behind Nginx (on Prominic)
– iNotes, Traveler behind Apache (on-prem)
• Proxies can also HA and LB
– Try that in native Domino!
The Simple Things…..
The Simple Things
• More Secure Internet Passwords
The Simple Things
• More Secure EXISTING Internet Passwords
The Simple Things
• Make your Domino LTPA cookie more secure
– Require SSL
• Mitigate man-in-the-middle-attacks
– Restrict Use
• Prevent script access to cookie
• Mitigate XSS
The Simple Things
• Notes.ini Settings
– HSTS
• https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino-
adds-hsts-to-its-security-arsenal.htm
– X-Frame Header Options
• http://www-
01.ibm.com/support/docview.wss?uid=swg21568598
• 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options:
SAMEORIGIN
– DominoValidateFramesetSRC=1
• Frame content must be from the same database
• https://www-
10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames
etSRC
The Simple Things
• Other Notes.ini Settings
– SSL_DISABLE_RENEGOTIATE=1
– HTTPEnableConnectorHeaders=0
– SSL_RESUMABLE_SESSIONS=0
– SSL_DISABLE_TLS_10=1
The Simple Things
• Upgrade to latest Fix Pack
– FP10 fixes ROBOT
– Each FP will deprecate weak/vulnerable ciphers
The Less Simple Things
I’ll show mine, if you show yours
• HTTP Headers are your friend
• Prevents browser from doing stupid things
– Headers can be disabled in the browser!!!
– Implement with care
• For example line 5 breaks Domino blog
– Here is my starting header config for Apache
1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
2. Header always set Strict-Transport-Security "max-age=31536000;
includeSubDomains"
3. Header always append X-Frame-Options SAMEORIGIN
4. Header always set X-XSS-Protection "1; mode=block"
5. Header always set X-Content-Type-Options: nosniff
6. Header always set Server NotTelling
7. Header always set Referrer-Policy strict-origin-when-cross-origin
The Less Simple Things
• NginX Version
1. set_cookie_flag HttpOnly secure;
2. add_header Strict-Transport-Security 'max-age=63072000;
includeSubDomains; preload';
3. add_header X-Frame-Options "SAMEORIGIN";
4. add_header X-XSS-Protection "1; mode=block";
5. add_header X-Content-Type-Options "nosniff";
6. server_tokens off;
7. add_header Referrer-Policy "strict-origin-when-cross-origin";
• Note 1, line 1 requires module support in NginX.
• Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they
seem it and miss as you may have to compile module support into NginX.
more_clear_headers Server;
more_clear_headers Server;
The Less Simple Things
• You could put all those headers in Domino
– But you have to add each one at a time
– For each internet site
• Oh, yeah, you need to be using Internet Sites
• It may work with global, not tried it, YMMV
– You end up with a *lot* of web rule documents
• Much, much easier in a reverse proxy
The Harder Things
The Harder Things
• There are more advanced headers
– Access-Control-Allow-Methods
– Access-Control-Allow-Headers
– Content-Security-Policy
– Access-Control-Allow-Origin
– Think of these as X-XSS-Protection on
steroids
The Harder Things
• The blog NginX headers
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD';
add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-
Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-
Control,Content-Type';
add_header Content-Security-Policy "default-src 'self'; script-src
'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com; font-src 'self'
https://www.slideshare.net https://public.slidesharecdn.com
https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com
https://i.creativecommons.org https://licensebuttons.net; frame-src
https://www.slideshare.net";
add_header Access-Control-Allow-Origin
"https://public.slidesharecdn.com,https://www.slideshare.net";
The Harder Things
• Content-Security-Policy
–default-src
–script-src
–font-src
–img-src
–frame-src
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline'; style-src 'self'
'unsafe-inline' https://fonts.googleapis.com; font-src
'self' https://www.slideshare.net
https://public.slidesharecdn.com https://fonts.gstatic.com;
img-src 'self' https://www.gravatar.com
https://i.creativecommons.org https://licensebuttons.net;
frame-src https://www.slideshare.net";
The Harder Things
• Content-Security-Policy-Report-Only
– Allows testing of policy BEFORE implementing
• Clean up all the errors BEFORE turning on
– Shows content errors in browser development
tools console
The Much Harder Things
The Much Harder Things
• ModSecurity
– Available for Apache and NginX
– Add-in module to prevent OWASP-known hacking
attempts
• OWASP - Open Web Application Security Project
– Use rules to allow or disallow certain URL patterns
and actions
• Known vulnerabilities get blocked/reported
– Use with caution
• You probably want to “report” before turning it on fully
• SecRuleEngine DetectionOnly
ModSecurity
--d5cdc63e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file
"/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line
"612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity
"WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-
protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag
"WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195]
ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file
"/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line
"612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity
"WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag
"application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-
protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag
"WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
"localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"]
Stopwatch: 1532256930612640 6576 (- - -)
Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552,
p5=126, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/);
OWASP_CRS/3.0.2.
Server: Apache/2.4.29 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"
--d5cdc63e-Z--
ModSecurity
• OWASP_TOP_10/A7
– Google it for a more in-depth description
• [tag
"OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"]
– Find out what the violation is
ModSecurity
• Most often than not, you will just end up
disabling the rule that hit because it’s not
applicable or a risk to your application/server
• In our example it is rule[id "920280"]
• Rules can be disabled per URI, web server or
for all servers
• Depending on your ModSec version exceptions
will be different, so Google it
Tools
Tools
• Warning
– Don’t scan a site you don’t have approval to scan
• Scanning without explicit approval could be crime in
your (or the servers) jurisdiction
– Don’t scan a site during busy times
• You could become the source of your own DDoS attack
• Fun times!
Tools
• Qualys
– Most of you will have used the free version
• Paid options to proactively scan your servers
– Scans external web sites for free and provides
detailed insight into SSL, ciphers, etc.
Qualys
Tools
• SecurityHeaders.com
– Will scan a given site and return security related
header information
– Provides warnings and recommendations for the
different headers
SecurityHeaders.com
Tools
• ZAP (Zed Attack Proxy)
– The official OWASP scanning tool
– Provides tons of information
– Free
Tools
• PenTest-Tools.com
– Like Qualys, except for penetration tests
– Online, no software to install
– Free version provides limited but useful
functionality
– Really cheap for the paid version (relatively)
ZAP
Pentest-tools.com
Takeways
• Know what the access the application needs
• Implement the highest possible security whilst
maintaining functionality
• Scan often
Q&A
• That was a lot
• Question Time!

Más contenido relacionado

La actualidad más candente

The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Web
panagenda
 
RESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWorkRESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWork
John Dalsgaard
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
panagenda
 
DominoMigrationProposal
DominoMigrationProposalDominoMigrationProposal
DominoMigrationProposal
Lynn Levash
 
Domino policies deep dive
Domino policies deep diveDomino policies deep dive
Domino policies deep dive
Martijn de Jong
 
Compact, Compress, De-Duplicate (DAOS)
Compact, Compress, De-Duplicate (DAOS)Compact, Compress, De-Duplicate (DAOS)
Compact, Compress, De-Duplicate (DAOS)
Ulrich Krause
 

La actualidad más candente (20)

HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Web
 
RESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWorkRESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWork
 
IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)IBM Notes Performance Boost - Reloaded (DEV-1185)
IBM Notes Performance Boost - Reloaded (DEV-1185)
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routing
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
 
dominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptxdominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptx
 
DominoMigrationProposal
DominoMigrationProposalDominoMigrationProposal
DominoMigrationProposal
 
Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14Everything You Need to Know About HCL Notes 14
Everything You Need to Know About HCL Notes 14
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
Domino policies deep dive
Domino policies deep diveDomino policies deep dive
Domino policies deep dive
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
Domino Server Health - Monitoring and Managing
 Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
 
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
 
From frustration to fascination: dissecting Replication
From frustration to fascination: dissecting ReplicationFrom frustration to fascination: dissecting Replication
From frustration to fascination: dissecting Replication
 
Compact, Compress, De-Duplicate (DAOS)
Compact, Compress, De-Duplicate (DAOS)Compact, Compress, De-Duplicate (DAOS)
Compact, Compress, De-Duplicate (DAOS)
 

Similar a CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
DefCamp
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 

Similar a CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable (20)

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup   ehermits - how to keep your blog from being hacked 2012Neo word press meetup   ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2
 
10 tips to improve your website security
10 tips to improve your website security10 tips to improve your website security
10 tips to improve your website security
 

Más de Darren Duke

Más de Darren Duke (9)

Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
 
Notes, domino and the single sign on soup
Notes, domino and the single sign on soupNotes, domino and the single sign on soup
Notes, domino and the single sign on soup
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
 
LS11 Show101
LS11 Show101LS11 Show101
LS11 Show101
 
LS10 Show102
LS10 Show102LS10 Show102
LS10 Show102
 
BES 4.1.x on Domino
BES 4.1.x on DominoBES 4.1.x on Domino
BES 4.1.x on Domino
 
Domino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDomino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUG
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

  • 1. SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
  • 2. About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This maybe the best slide in the deck. Feel free to leave right now…
  • 3. Agenda • What we will cover – Then eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
  • 4. Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
  • 5. The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
  • 6. Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for an remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
  • 7. • The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
  • 8. • So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
  • 10. The Simple Things • More Secure Internet Passwords
  • 11. The Simple Things • More Secure EXISTING Internet Passwords
  • 12. The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
  • 13. The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino- adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www- 01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- 10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames etSRC
  • 14. The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
  • 15. The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
  • 16. The Less Simple Things
  • 17. I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache 1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" 3. Header always append X-Frame-Options SAMEORIGIN 4. Header always set X-XSS-Protection "1; mode=block" 5. Header always set X-Content-Type-Options: nosniff 6. Header always set Server NotTelling 7. Header always set Referrer-Policy strict-origin-when-cross-origin
  • 18. The Less Simple Things • NginX Version 1. set_cookie_flag HttpOnly secure; 2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'; 3. add_header X-Frame-Options "SAMEORIGIN"; 4. add_header X-XSS-Protection "1; mode=block"; 5. add_header X-Content-Type-Options "nosniff"; 6. server_tokens off; 7. add_header Referrer-Policy "strict-origin-when-cross-origin"; • Note 1, line 1 requires module support in NginX. • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem it and miss as you may have to compile module support into NginX. more_clear_headers Server; more_clear_headers Server;
  • 19. The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
  • 21. The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
  • 22. The Harder Things • The blog NginX headers add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD'; add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache- Control,Content-Type'; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net"; add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
  • 23. The Harder Things • Content-Security-Policy –default-src –script-src –font-src –img-src –frame-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
  • 24. The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
  • 25. The Much Harder Things
  • 26. The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
  • 27. ModSecurity --d5cdc63e-H-- Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"] Stopwatch: 1532256930612640 6576 (- - -) Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache/2.4.29 (Ubuntu) Engine-Mode: "DETECTION_ONLY" --d5cdc63e-Z--
  • 28. ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
  • 29. ModSecurity • Most often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule[id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
  • 30. Tools
  • 31. Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be crime in your (or the servers) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
  • 32. Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
  • 34. Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
  • 36. Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
  • 37. Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
  • 38. ZAP
  • 40. Takeways • Know what the access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
  • 41. Q&A • That was a lot • Question Time!