Domino testing presentation

The slides for the Domino testing presentation delivered at AppSec DC.

Speaker notes:
  • Ari is the security guy; Casey is the Domino guy.
  • 374,000 hits from filetype:nsf – these are Domino databases directly accessible from the web.
  • Is Domino a web server, app server, or database server? The answer is that it’s all three.
  • That’s right – you access the Domino DB directly through the URL. This is probably the right place to talk about what each of these items is.
  • This all assumed you have permissions….
  • This slide needs to be finished - Casey
  • Obviously you should check for all of these on a black or white box test.

    1. Lotus Domino Security – White and black box testing. Ari Elias-Bachrach, Casey Pike
    2. Outline
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    3. Outline (section: Why is This Necessary?)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    4. Why is This Necessary? In January 2009, more than half of the Fortune Global 100 were using Lotus Notes/Domino* (*http://www-03.ibm.com/press/us/en/pressrelease/26480.wss)
    5. Why is This Necessary?
       • Domino is….. unique: Web, App and DB in one
    6. Why is This Necessary?
       • Automated scanners seem to have a hard time with Domino apps
       • Many “normal” attacks don’t work (SQL injection)
       • There are many other attacks which will work
       • Not a lot of good information out there
    7. Outline (section: Introduction to Domino)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    8. Introduction to Domino
       • Domino stores data in custom database files with the .nsf extension
       • URL structure: http://server/database.nsf/DominoObj?Action
       • Domino objects: View, Frameset, Form, Navigator, Agent, Document, Page
    9. Introduction to Domino
       • Special Identifiers begin with $ and can return any Domino object
       • http://server/database.nsf/$SpecialIdentifier
       • http://server/database.nsf/$help?openhelp
    10. Outline (section: Domino Commands)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    11. Domino Commands – View
       • OpenView – opens the view
       • ReadViewEntries – access the view data in XML format
       • $first – returns the first document in the view
       • $searchform?opensearchform – opens a search form from which the view can be searched
       • Example: http://server/database.nsf/myview?Openview
    12. Domino Commands – Form
       • Example: http://server/database.nsf/myform?OpenForm
       • OpenForm – opens the form
       • ReadForm – displays the form without its editable fields
       • CreateDocument – sent using an HTTP POST. Domino will create a document with the contents of the HTTP POST packet.
    13. Domino Commands – Document
       • Example: http://server/db.nsf/myView/doc1?EditDocument
       • EditDocument
       • SaveDocument – sent as an HTTP POST. Domino will update the document with the contents of the POST.
       • DeleteDocument
       • OpenDocument
       • $file/name – returns the document’s attachment with the name “name”
    14. Domino Commands – Navigator, Agent, Page, Frameset
       • Example: http://server/db.nsf/myAgent?OpenAgent
       • Navigator: OpenNavigator
       • Agent: OpenAgent
       • Page: OpenPage
       • Frameset: OpenFrameset
    15. Domino Commands – Special Items
       • ?Redirect – allows redirection to another database based on its ID
       • ?OpenDatabase
       • /$about?OpenAbout – opens the “about this database” document
       • /$help?openhelp – opens the help document
       • /$icon?openicon – opens the icon for the database
       • /$defaultview – returns the default view (if there is one)
       • /$defaultform – returns the default form (if there is one)
       • /$defaultnav – returns the default navigator
       • ?openpreferences – opens the preferences setting
       • Example: http://server/database.nsf/$about?OpenAbout
    16. Domino Commands – Chaining
       • http://host/db.nsf/$defaultview/$first?editdocument
    17. Pause for Questions
    18. Outline (section: Blackbox)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    19. Blackbox
       • Navigate the app – use the commands just discussed
       • Check all defaults/special identifiers
       • Try to edit docs (permissions checking)
       • Find (and use) search forms
       • Enumerate views (more on this later)
    20. Blackbox
       • Views, Forms, and Agents all have a NoteID. Assignment begins with 0x11A and increments by 4 each time
       • http://host/database.nsf/11A
       • http://host/database.nsf/11E
       • http://host/database.nsf/122
       • http://host/database.nsf/126
       • http://host/database.nsf/12A
    21. Blackbox – Enumerate views
       • Occurrences of view names in help files:
         135 – By Category
         36 – View A
         31 – All
         26 – Main
         23 – Categorized
         22 – Main View
         13 – All Documents
         6 – Topics
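The URL grammar on the Domino Commands slides (database.nsf, then an object path, then a ?Action) and the NoteID allocation pattern on slide 20 are enough to build a log-review check for the server side. The following Python script is an added example, not material from the slides or from the presenters: it parses a few constructed access-log lines, tags each Domino request (default administrative databases, $ special identifiers, write actions, ReadViewEntries bulk reads, raw NoteID access) and flags a client whose NoteID requests follow the 0x11A, 0x11E, 0x122 … spacing the slide describes. The common-log format, the client addresses, the database names other than the defaults on slide 36, and the treatment of /help/ as the help-database directory are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log sample (common log format); not from the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2010:10:01:02 -0500] "GET /sales.nsf/myview?OpenView HTTP/1.1" 200 5120
10.0.0.5 - - [10/Nov/2010:10:01:05 -0500] "GET /sales.nsf/$defaultview/$first?EditDocument HTTP/1.1" 200 2300
10.0.0.5 - - [10/Nov/2010:10:01:07 -0500] "GET /sales.nsf/myview?ReadViewEntries HTTP/1.1" 200 9870
10.0.0.9 - - [10/Nov/2010:10:02:00 -0500] "GET /names.nsf?OpenDatabase HTTP/1.1" 401 310
10.0.0.9 - - [10/Nov/2010:10:02:01 -0500] "GET /webadmin.nsf HTTP/1.1" 401 310
10.0.0.9 - - [10/Nov/2010:10:02:03 -0500] "GET /sales.nsf/11A HTTP/1.1" 200 800
10.0.0.9 - - [10/Nov/2010:10:02:04 -0500] "GET /sales.nsf/11E HTTP/1.1" 200 800
10.0.0.9 - - [10/Nov/2010:10:02:05 -0500] "GET /sales.nsf/122 HTTP/1.1" 200 800
10.0.0.9 - - [10/Nov/2010:10:02:06 -0500] "GET /sales.nsf/126 HTTP/1.1" 404 200
10.0.0.12 - - [10/Nov/2010:10:03:00 -0500] "GET /intranet.nsf/home?OpenPage HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Default databases named on slide 36; /help/ as the help directory is an assumption.
DEFAULT_DBS = {"names.nsf", "log.nsf", "webadmin.nsf"}
WRITE_ACTIONS = {"editdocument", "savedocument", "deletedocument", "createdocument"}
SPECIAL_ACTIONS = {"openabout", "openhelp", "openicon", "openpreferences", "redirect"}
NOTEID_RE = re.compile(r"^[0-9a-f]{2,8}$")   # a bare hex path component, e.g. 11A


def parse_line(line):
    """Split one common-log line into client, method, path, action and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    path, _, query = target.partition("?")
    # The Domino action is the first query token (?OpenView, ?EditDocument, ...).
    return {"client": client, "method": method, "path": path,
            "action": query.split("&", 1)[0].lower(), "status": int(status)}


def classify(req):
    """Return the set of review flags for one parsed request."""
    flags = set()
    low = req["path"].lower()
    idx = low.find(".nsf")
    if idx == -1:
        return flags                       # not a Domino database URL
    db = low[:idx + 4].rsplit("/", 1)[-1]  # database file name
    tail = [p for p in low[idx + 4:].split("/") if p]  # object path after the database
    if db in DEFAULT_DBS or low.startswith("/help/"):
        flags.add("default_database")
    if req["action"] in WRITE_ACTIONS or req["method"] == "POST":
        flags.add("write_action")
    if req["action"] == "readviewentries":
        flags.add("bulk_read")             # whole view exported as XML
    if req["action"] in SPECIAL_ACTIONS or any(p.startswith("$") for p in tail):
        flags.add("special_identifier")
    if tail and NOTEID_RE.match(tail[-1]):
        flags.add("noteid_access")         # design element addressed by raw NoteID
    return flags


def detect_enumeration(noteids, step=4, min_run=3):
    """True if at least min_run NoteIDs form a run spaced `step` apart, the
    allocation pattern slide 20 describes (0x11A, 0x11E, 0x122, ...)."""
    values = sorted({int(n, 16) for n in noteids})
    run = 1
    for a, b in zip(values, values[1:]):
        run = run + 1 if b - a == step else 1
        if run >= min_run:
            return True
    return False


def analyze(log_text):
    """Per-client sorted flag list over a block of log lines."""
    per_client = defaultdict(lambda: {"flags": set(), "noteids": []})
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        flags = classify(req)
        entry = per_client[req["client"]]
        entry["flags"] |= flags
        if "noteid_access" in flags:
            entry["noteids"].append(req["path"].rsplit("/", 1)[-1])
    for entry in per_client.values():
        if detect_enumeration(entry["noteids"]):
            entry["flags"].add("noteid_enumeration")
    return {client: sorted(e["flags"]) for client, e in per_client.items()}


if __name__ == "__main__":
    for client, flags in analyze(SAMPLE_LOG).items():
        print(client, ", ".join(flags) or "no findings")
```

The hex check is deliberately loose (a view actually named "cafe" would match), so treat noteid_access as a prompt to look at the client’s other requests; noteid_enumeration, which needs three IDs four apart, is the stronger signal. The 401 responses on names.nsf and webadmin.nsf still get flagged because the point of the check is to see who is looking for the default databases, not only who reaches them.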
    22. Outline (section: Whitebox)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    23. Whitebox
       • Levels of Access in Domino: Server, Database, Elements, Documents, Fields
    24. Whitebox
       • Server access – ask your administrator
       • Server Doc
       • Internet Site Doc
       • Configuration Doc
       • Person Docs – Internet passwords are secure
    25. Whitebox (screenshot)
    26. Whitebox
       • Database access – ACLs for Web Access
       • Editor – create and edit docs
       • Author – create and edit own docs
       • Reader – read docs
       • Depositor – create docs
       • No access – be careful of public documents
    27. Whitebox – ACL Mistakes
       • Even though Anonymous is set to No Access, it is possible to overlook Read Public documents, which will give access.
       • Common App – Mail File*
       • Do not overlook any setting
    28. Whitebox – ACL Mistakes
       • -Default- is any user who has authenticated. If allowed access, make sure to audit the Domino Directory for test accounts, or LDAP if directory assistance is used.
    29. Whitebox (screenshot)
    30. Whitebox – Elements access – Check them ALL
       • Forms, Views, Navigators, etc. – if they are not used, hide them from the web.
       • Security Tab – set who can access the element based on ACL
       • Allow public access
    31. Whitebox (screenshot)
    32. Whitebox
       • Restrict more in-depth audits to elements that are exposed to the web
       • Views, Forms, Pages…
       • Ask to see config or profile documents (make sure they are protected)
       • Review all Agents – they can be called from the web to run code. They can write to DB2, SQL, FTP, basically do anything.
    33. Whitebox
       • Check permissions on all design elements
       • Check actions within design elements
    34. Whitebox
       • Field Access – depending on how the application is written, fields on public forms can be hidden.
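Slides 26 to 32 describe the ACL and design-element mistakes a whitebox review should catch: Anonymous at No Access with Read Public documents still ticked, -Default- granting access to every authenticated account, unused elements left visible to the web, and agents callable from the web. The following Python script is an added example and not the presenters’ material or a Domino export format: the ACL and element inventory are constructed dictionaries standing in for what an auditor transcribes from the ACL and Design dialogs, and the finding codes are names chosen here. Designer and Manager are included in the level ordering because they are the remaining standard Domino access levels above Editor.

```python
# Domino access levels from lowest to highest. The slides name the first five;
# Designer and Manager complete the standard ordering.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed ACL: one entry per name plus the two public-document checkboxes.
SAMPLE_ACL = [
    {"name": "Anonymous", "level": "No Access", "read_public": True, "write_public": False},
    {"name": "-Default-", "level": "Author", "read_public": False, "write_public": False},
    {"name": "WebEditors", "level": "Editor", "read_public": False, "write_public": False},
    {"name": "LocalDomainServers", "level": "Manager", "read_public": False, "write_public": False},
]

# Constructed design-element inventory for the same database.
SAMPLE_ELEMENTS = [
    {"name": "Main", "type": "View", "used_on_web": True, "hide_from_web": False, "public_access": False},
    {"name": "OldImport", "type": "Agent", "used_on_web": False, "hide_from_web": False, "public_access": False},
    {"name": "Feedback", "type": "Form", "used_on_web": True, "hide_from_web": False, "public_access": True},
    {"name": "Admin", "type": "Navigator", "used_on_web": False, "hide_from_web": True, "public_access": False},
]


def rank(level):
    """Position of an access level in the Domino ordering (higher means more access)."""
    return ACL_LEVELS.index(level)


def audit_acl(acl):
    """Return (code, subject) findings for the ACL mistakes on slides 26-28."""
    findings = []
    by_name = {entry["name"]: entry for entry in acl}
    anon = by_name.get("Anonymous")
    if anon is not None:
        # Slide 27: No Access plus "Read/Write public documents" still exposes
        # every document on a public form or view to unauthenticated users.
        if anon["level"] == "No Access" and (anon["read_public"] or anon["write_public"]):
            findings.append(("anonymous_public_documents", "Anonymous"))
        if rank(anon["level"]) >= rank("Author"):
            findings.append(("anonymous_can_write", "Anonymous"))
    default = by_name.get("-Default-")
    # Slide 28: -Default- is every authenticated user, so access here is only as
    # strong as the account hygiene of the Domino Directory (or LDAP).
    if default is not None and rank(default["level"]) > rank("No Access"):
        findings.append(("default_authenticated_access", default["level"]))
    return findings


def audit_elements(elements, acl):
    """Return (code, subject) findings for the element checks on slides 30 and 32."""
    findings = []
    anon = next((e for e in acl if e["name"] == "Anonymous"), None)
    anon_public = anon is not None and (anon["read_public"] or rank(anon["level"]) > 0)
    for el in elements:
        # Slide 30: elements not used on the web should be hidden from it.
        if not el["used_on_web"] and not el["hide_from_web"]:
            findings.append(("unused_not_hidden", el["name"]))
        # Slides 27/30: "Allow public access" is reachable without login once
        # Anonymous can read public documents.
        if el["public_access"] and anon_public:
            findings.append(("public_element_reachable_anonymously", el["name"]))
        # Slide 32: any agent still reachable from the web runs code and needs review.
        if el["type"] == "Agent" and not el["hide_from_web"]:
            findings.append(("web_callable_agent", el["name"]))
    return findings


if __name__ == "__main__":
    for code, subject in audit_acl(SAMPLE_ACL) + audit_elements(SAMPLE_ELEMENTS, SAMPLE_ACL):
        print(f"{code}: {subject}")
```

The ACL findings are deliberately conservative: -Default- at Author is reported even though that may be intended, because slide 28 makes the follow-up (audit the directory for test accounts) a review step rather than a configuration error.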
    35. Outline (section: Default Files)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    36. Default Files
       • Names.nsf – the most important database
       • Log.nsf – shows events on the server
       • WebAdmin.nsf – a web version of the admin client
       • Help Files – should never be left on the server
       • When upgrading a server, it could re-add databases you thought you deleted!!!
    37. Where to Start?
       • Talk to the Administrator – learn about the different documents (server, config, internet site) of the NAB
       • Learn the default ACL and how it is audited
       • Talk to the Developers – it’s impossible to go through every element and to look at field security. Establish security practices.
    38. Where to Start? Get a good tool
       • Team Studio – Build Manager to write checks before an application is refreshed into production. Preventive Security!
       • DominoScan II – NGS Software
       • AppDetectivePro – Application Security Inc.
       • PowerTools and ScanEz – Admin Tools
    39. Outline (section: Architecture)
       • Why is This Necessary?
       • Introduction to Domino
       • Domino Commands
       • Blackbox
       • Whitebox
       • Default Files
       • Architecture
    40. Architecture
       • End users directly enter DB commands
       • Cannot run arbitrary DB commands
       • Who sets up ACLs in your org?
    41. Questions? Comments? Insults?
       • ari@defensium.com
       • Twitter: @angelofsecurity
       • www.defensium.com
       • CaseyPike@gmail.com
       • http://www.defensium.com/domino/
