CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
1. SC 103
Domino on the Web - Yes, It's (Probably) Hackable
Darren Duke
2. About Me
• Ex co-host of This Week In Lotus podcast
• Current (?) co-co-host of WTF Tech podcast
• Sometime blogger https://blog.darrenduke.net
• Twitter snark fountain @darrenduke
• This may be the best slide in the deck. Feel free to leave right now…
3. Agenda
• What we will cover
– The eternal battle of admin vs developer
– The simple things
– The less simple things
– The harder things
– The much harder things
4. Be Careful
• When you have a web server you are a target
– Do the simple things first
– Change one thing at a time and test
• You will break something
• No, really you will
• No. For real. You will break something.
• I broke my blog search
• I broke iNotes clipboard pasting
5. The Eternal Battle
• Web server security, whose responsibility?
– Is it the application developer?
– Is it the web server administrator?
– Yes
• Developer
– Tell
• What is *your* required minimum security
• Administrator
– Ask
• What is the maximum level of security I can use?
• If no answer, start high and move down
6. Sanitize Input
• Developers, you must sanitize the input uploaded by your web applications
– Input fields need to be cleaned on form submission
• Ex, on submit check for and remove <script> tags in the input
• This reduces the risk of a compromised server
– Try to hack your own applications
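The "remove <script> tags on submit" check described on this slide, as an added example that is not part of the deck and is written in Python rather than LotusScript or Java so it can be tested outside Domino. It pairs the tag-stripping step with output escaping, because stripping is a denylist (it only removes what it was told about) while escaping renders every tag in user input as text. The function names and the sample strings are this example's own.

```python
import html
import re

# Matches a <script ...>...</script> block (any case, across lines) or a stray
# opening/closing script tag on its own.
SCRIPT_TAG = re.compile(
    r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>|<\s*/?\s*script\b[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


def strip_script_tags(value: str) -> str:
    """Input-side denylist filter: drop script tags and their contents.

    Other markup is left untouched on purpose, to show what this step alone
    does and does not cover."""
    return SCRIPT_TAG.sub("", value)


def escape_for_html(value: str) -> str:
    """Output-side encoding: the browser sees text, never markup."""
    return html.escape(value, quote=True)


def clean_for_storage(fields: dict) -> dict:
    """Apply the slide's on-submit check to every submitted field."""
    return {name: strip_script_tags(value) for name, value in fields.items()}


def render(fields: dict) -> dict:
    """Escape stored values at render time, the step that actually prevents XSS."""
    return {name: escape_for_html(value) for name, value in fields.items()}


if __name__ == "__main__":
    # Constructed form submission, as a Domino web form might POST it.
    submitted = {
        "Subject": 'Hello <SCRIPT type="text/javascript">alert(1)</script> world',
        "Body": "<b>bold</b> text",
    }
    print(render(clean_for_storage(submitted)))
```

Escaping on output is the control that holds up regardless of which tags the input filter knew about; the stripping step is still worth keeping, as the slide says, because it also cleans up what gets stored.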
7. • The Domino HTTP stack
– Not the most up-to-date HTTP stack available
• I’m being nice
– Missing many modern features
• HTTP/2, SNI
• Yes, I’m sure Domino 10 will address this along with world peace
– Complicated HTTP header use
– Sometimes TLS/SSL gets caught with pants down
• Poodle
• ROBOT
8. • So yes, you can do most of this in Domino
• I would use a reverse proxy
– Apache
– Nginx
• I use both
– Blog behind Nginx (on Prominic)
– iNotes, Traveler behind Apache (on-prem)
• Proxies can also do HA and LB
– Try that in native Domino!
12. The Simple Things
• Make your Domino LTPA cookie more secure
– Require SSL
• Mitigate man-in-the-middle-attacks
– Restrict Use
• Prevent script access to cookie
• Mitigate XSS
13. The Simple Things
• Notes.ini Settings
– HSTS
• https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino-adds-hsts-to-its-security-arsenal.htm
– X-Frame-Options header
• http://www-01.ibm.com/support/docview.wss?uid=swg21568598
• 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN
– DominoValidateFramesetSRC=1
• Frame content must be from the same database
• https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
14. The Simple Things
• Other Notes.ini Settings
– SSL_DISABLE_RENEGOTIATE=1
– HTTPEnableConnectorHeaders=0
– SSL_RESUMABLE_SESSIONS=0
– SSL_DISABLE_TLS_10=1
15. The Simple Things
• Upgrade to latest Fix Pack
– FP10 fixes ROBOT
– Each FP will deprecate weak/vulnerable ciphers
17. I’ll show mine, if you show yours
• HTTP Headers are your friend
• Prevents browser from doing stupid things
– Headers can be disabled in the browser!!!
– Implement with care
• For example, line 5 breaks the Domino blog
– Here is my starting header config for Apache
1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
3. Header always append X-Frame-Options SAMEORIGIN
4. Header always set X-XSS-Protection "1; mode=block"
5. Header always set X-Content-Type-Options nosniff
6. Header always set Server NotTelling
7. Header always set Referrer-Policy strict-origin-when-cross-origin
18. The Less Simple Things
• NginX Version
1. set_cookie_flag HttpOnly secure;
2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
3. add_header X-Frame-Options "SAMEORIGIN";
4. add_header X-XSS-Protection "1; mode=block";
5. add_header X-Content-Type-Options "nosniff";
6. server_tokens off;
7. add_header Referrer-Policy "strict-origin-when-cross-origin";
• Note 1, line 1 requires module support in NginX.
• Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem hit and miss as you may have to compile module support into NginX, e.g. the headers-more module:
more_clear_headers Server;
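A way to verify what the Apache and Nginx configs above actually produce, as an added example that is not part of the deck: a small Python checker that takes a response's headers and reports which of the slides' recommendations (HSTS with a year-long max-age, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, a non-revealing Server banner, and Secure plus HttpOnly on every cookie, the LTPA token included) are missing or wrong. The sample response is constructed; fetch_headers() is there for running it against a server you are allowed to check, in keeping with the slides' "change one thing at a time and test".

```python
import http.client
import re
from typing import List, Tuple

# Expected header values, mirroring the Apache and Nginx snippets in the slides.
EXPECTED = {
    "strict-transport-security": re.compile(r"max-age=(\d+)", re.I),
    "x-frame-options": re.compile(r"^(SAMEORIGIN|DENY)$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-xss-protection": re.compile(r"^1;\s*mode=block$", re.I),
    "referrer-policy": re.compile(r"^strict-origin-when-cross-origin$", re.I),
}
MIN_HSTS_AGE = 31536000  # one year, the value the Apache config uses


def check_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response's headers (an empty list means all checks passed).

    `headers` is a list of (name, value) pairs, as http.client returns them,
    because Set-Cookie legitimately appears more than once."""
    findings = []
    lower = [(name.lower(), value) for name, value in headers]
    present = dict(lower)

    for name, pattern in EXPECTED.items():
        value = present.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif not pattern.search(value.strip()):
            findings.append(f"unexpected {name}: {value!r}")

    # An HSTS max-age shorter than a year gives little protection in practice.
    hsts = present.get("strict-transport-security")
    if hsts:
        match = EXPECTED["strict-transport-security"].search(hsts)
        if match and int(match.group(1)) < MIN_HSTS_AGE:
            findings.append(f"strict-transport-security max-age below {MIN_HSTS_AGE}")

    # The Server banner should name neither the product nor a version number.
    server = present.get("server", "")
    if re.search(r"\d", server) or "domino" in server.lower():
        findings.append(f"server header leaks product/version: {server!r}")

    # Every cookie, the Domino LTPA token included, needs Secure and HttpOnly.
    for name, value in lower:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings


def fetch_headers(host: str, path: str = "/") -> List[Tuple[str, str]]:
    """Fetch the response headers over HTTPS from a host you are allowed to check."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()


# Constructed sample: a Domino server behind Nginx with only part of the config applied.
SAMPLE_RESPONSE = [
    ("Server", "Lotus-Domino"),
    ("Set-Cookie", "LtpaToken=AAECAwQ; Path=/; Domain=.example.org; Secure"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE):
        print("FAIL:", finding)
```

Run against the sample it reports the missing nosniff header, the Domino banner and the cookie without HttpOnly; the same three things a scanner like SecurityHeaders.com would flag, but checkable from a script before and after each config change.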
19. The Less Simple Things
• You could put all those headers in Domino
– But you have to add each one at a time
– For each internet site
• Oh, yeah, you need to be using Internet Sites
• It may work with global, not tried it, YMMV
– You end up with a *lot* of web rule documents
• Much, much easier in a reverse proxy
21. The Harder Things
• There are more advanced headers
– Access-Control-Allow-Methods
– Access-Control-Allow-Headers
– Content-Security-Policy
– Access-Control-Allow-Origin
– Think of these as X-XSS-Protection on steroids
22. The Harder Things
• The blog NginX headers
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD';
add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
# Browsers accept a single origin (or *) in Access-Control-Allow-Origin; a comma-separated list is
# rejected, so to allow several origins return the one matching the request (e.g. via an nginx map).
add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
24. The Harder Things
• Content-Security-Policy-Report-Only
– Allows testing of policy BEFORE implementing
• Clean up all the errors BEFORE turning on
– Shows content errors in browser development tools console
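The clean-up step for Content-Security-Policy-Report-Only, as an added example that is not part of the deck: browsers POST a JSON violation report to the policy's report-uri, and this Python code receives those reports and summarises them per directive and blocked origin, so each remaining entry is either a source to add to the policy or a resource to remove from the site before switching to the enforcing header. The sample reports, the blog.example hostname and the /csp-report path are constructed for this example.

```python
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List
from urllib.parse import urlsplit


def summarise(reports: List[dict]) -> Dict[str, Dict[str, int]]:
    """Group reports by violated directive, then by the origin that was blocked.

    Returns {directive: {origin: count}}, so each entry maps directly to one
    decision: add the source to that directive, or drop the resource."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for wrapper in reports:
        r = wrapper.get("csp-report", wrapper)
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        directive = (directive.split() or ["?"])[0]  # older browsers send "style-src 'self'"
        blocked = r.get("blocked-uri", "")
        if blocked in ("inline", "eval", "data", ""):
            origin = blocked or "?"
        else:
            parts = urlsplit(blocked)
            origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
        summary[directive][origin] += 1
    return {d: dict(origins) for d, origins in summary.items()}


def suggest_sources(summary: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Turn the summary into candidate source-list additions per directive.

    Inline and eval hits are rendered as 'unsafe-inline' / 'unsafe-eval' so it is
    obvious which weakening the site would currently require."""
    names = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:"}
    return {d: sorted(names.get(o, o) for o in origins) for d, origins in summary.items()}


class ReportHandler(BaseHTTPRequestHandler):
    """Minimal endpoint for `report-uri /csp-report`; reports accumulate in-process."""

    reports: List[dict] = []  # shared across requests on purpose (single process)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            self.reports.append(json.loads(self.rfile.read(length)))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        self.send_response(204)
        self.end_headers()


# Constructed sample reports, shaped like the ones Chrome and Firefox send.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://blog.example/", "effective-directive": "script-src",
                    "violated-directive": "script-src",
                    "blocked-uri": "https://www.slideshare.net/js/embed.js"}},
    {"csp-report": {"document-uri": "https://blog.example/",
                    "violated-directive": "style-src 'self'", "blocked-uri": "inline"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "img-src",
                    "violated-directive": "img-src",
                    "blocked-uri": "https://www.gravatar.com/avatar/abc"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "img-src",
                    "violated-directive": "img-src",
                    "blocked-uri": "https://www.gravatar.com/avatar/def"}},
]

if __name__ == "__main__":
    print(json.dumps(suggest_sources(summarise(SAMPLE_REPORTS)), indent=2))
    # To collect live reports from a site you operate, point report-uri at this:
    # HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

The summary is also where you notice policy entries that should not exist: a blocked origin you do not recognise is a reason to investigate the page, not to widen the policy.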
26. The Much Harder Things
• ModSecurity
– Available for Apache and NginX
– Add-in module to prevent OWASP-known hacking attempts
• OWASP - Open Web Application Security Project
– Use rules to allow or disallow certain URL patterns and actions
• Known vulnerabilities get blocked/reported
– Use with caution
• You probably want to “report” before turning it on fully
• SecRuleEngine DetectionOnly
28. ModSecurity
• OWASP_TOP_10/A7
– Google it for a more in-depth description
• [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"]
– Find out what the violation is
29. ModSecurity
• More often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server
• In our example it is rule [id "920280"]
• Rules can be disabled per URI, web server or for all servers
• Depending on your ModSec version, exceptions will be different, so Google it
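The "find out what the violation is" and "disable the rule that hit" steps from the last three slides, as an added example that is not part of the deck: Python code that parses the [key "value"] attributes ModSecurity writes to the error log, counts hits per rule id with their message, tags and the URIs involved, and renders the exclusion for the chosen rule. The log lines are constructed to carry the id and tags the slides show (920280, OWASP_TOP_10/A7, MISSING_HEADER_HOST); the exclusion directives are ModSecurity 2.x syntax, and, as the slides say, should be checked against the reference for the version you run. The local rule id 10001 is a placeholder.

```python
import re
from typing import Dict, List, Optional

# ModSecurity writes each attribute as [key "value"]; the tag attribute repeats.
ATTR = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line: str) -> dict:
    """Return the attributes of one ModSecurity error-log line, or {} for other lines."""
    if "ModSecurity:" not in line:
        return {}
    hit: dict = {"tags": []}
    for key, value in ATTR.findall(line):
        if key == "tag":
            hit["tags"].append(value)
        else:
            hit[key] = value
    return hit


def summarise_hits(lines: List[str]) -> Dict[str, dict]:
    """Count hits per rule id, keeping the message, tags and the URIs that triggered it."""
    out: Dict[str, dict] = {}
    for line in lines:
        hit = parse_modsec_line(line)
        if "id" not in hit:
            continue
        entry = out.setdefault(hit["id"], {"count": 0, "msg": hit.get("msg", ""),
                                           "tags": hit["tags"], "uris": set()})
        entry["count"] += 1
        if "uri" in hit:
            entry["uris"].add(hit["uri"])
    return out


def exclusion(rule_id: str, uri_prefix: Optional[str] = None, local_id: int = 10001) -> str:
    """Render a rule exclusion (ModSecurity 2.x syntax).

    Without a URI the rule is removed everywhere (SecRuleRemoveById). With one, a
    phase-1 rule removes it only for requests under that path, the narrower and
    safer choice; local_id is a placeholder, pick one outside your rule sets' ranges."""
    if uri_prefix is None:
        return f"SecRuleRemoveById {rule_id}"
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{local_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


# Constructed Apache error-log lines: two DetectionOnly hits on rule 920280 and one
# unrelated Apache message that the parser must ignore.
SAMPLE_LOG = [
    '[Tue Mar 06 12:00:01.000000 2018] [:error] [pid 4242] [client 203.0.113.5:50000] '
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "350"] '
    '[id "920280"] [msg "Request Missing a Host Header"] [severity "WARNING"] '
    '[tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] '
    '[tag "OWASP_TOP_10/A7"] [hostname "blog.example"] [uri "/ddbz.nsf"] [unique_id "CONSTRUCTED0001"]',
    '[Tue Mar 06 12:00:02.000000 2018] [:error] [pid 4242] [client 203.0.113.5:50001] '
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "350"] '
    '[id "920280"] [msg "Request Missing a Host Header"] [severity "WARNING"] '
    '[tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] '
    '[tag "OWASP_TOP_10/A7"] [hostname "blog.example"] [uri "/ddbz.nsf/dx/some-post.htm"] '
    '[unique_id "CONSTRUCTED0002"]',
    '[Tue Mar 06 12:00:03.000000 2018] [:error] [pid 4242] [client 203.0.113.5:50002] '
    'AH01630: client denied by server configuration: /var/www/html',
]

if __name__ == "__main__":
    for rule_id, entry in summarise_hits(SAMPLE_LOG).items():
        print(rule_id, entry["count"], entry["msg"], entry["tags"], sorted(entry["uris"]))
        print("  ", exclusion(rule_id, "/ddbz.nsf"))
```

Reading the summary before writing the exclusion is the point: a rule that fires only under one path, from one kind of client, is a candidate for a per-URI exclusion; a rule that fires everywhere may be telling you something about the server instead.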
31. Tools
• Warning
– Don’t scan a site you don’t have approval to scan
• Scanning without explicit approval could be a crime in your (or the server’s) jurisdiction
– Don’t scan a site during busy times
• You could become the source of your own DDoS attack
• Fun times!
32. Tools
• Qualys
– Most of you will have used the free version
• Paid options to proactively scan your servers
– Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
34. Tools
• SecurityHeaders.com
– Will scan a given site and return security related header information
– Provides warnings and recommendations for the different headers
36. Tools
• ZAP (Zed Attack Proxy)
– The official OWASP scanning tool
– Provides tons of information
– Free
37. Tools
• PenTest-Tools.com
– Like Qualys, except for penetration tests
– Online, no software to install
– Free version provides limited but useful functionality
– Really cheap for the paid version (relatively)