Enterprise portals, gate to the gold

Presentation by Ian de Villiers at ZaCon 1 in 2009.

The presentation begins by naming a few enterprise portal vendors, followed by a brief overview of enterprise portals. Common shortcomings of EPs are discussed, which leads on to a discussion of using custom applications to expose the full functionality of a portal.

  1. Enterprise Portals: Gate to the Gold
  2. `whoami`
     • SensePost
       – Specialist security firm based in Pretoria
       – Customers all over the globe
       – Talks / papers / books
     • ian@sensepost.com
       – Associate security analyst
       – I break stuff and write reports about breaking stuff
     • Why this talk?
  3. EP Vendors
     • IBM WebSphere Portal
     • SAP NetWeaver Portal
     • Oracle Portal products (PlumTree, BEA, SUN, ∞)
     • OpenText Portal (formerly Vignette)
     • JBoss Portal
     • Microsoft SharePoint Server
     • Apache Jetspeed, Interwoven TeamPortal, …, ∞
  4. EP Overview
     • Frequent on intranets.
     • Also frequent on the Internet… :)
     • Framework for integrating information, people and processes
     • Consolidate and summarise diverse sources of information
     • Provide a customisable home page for registered users
  5. EP Overview
     • Popular platform for deployment of applications due to the framework and built-in functionality
     • Provide SDKs for customisation and deployment of custom applications
     • Support pluggable components called portlets
     • Generally J2EE-based, but there are some alternative platforms (e.g. .NET, PHP, ∞)
  6. Portlet Overview
     • Pluggable user interface components which are managed and displayed in a portal
     • Fragments of markup code (e.g. HTML / XML) which are aggregated in a portal page
     • Adhere to various standards
       – WSRP (web services for remote portlets)
       – Java Portlet Specification
         • JSR168
         • JSR268
       – Proprietary
     [Slide diagram: a portlet request `GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa` answered with `HTTP 200 OK`]
  7. Functionality++
     • User registration
     • Portals are generally designed to share information: they provide functionality for searching documents, users, ..., ∞
     • Workflow components
     • Messaging / social networking
     • Configuration and administrative components
  8. Common Shortcomings
     • Generally cater for multiple portal applications
       – May expose intranet applications to the Internet
     • Frequently allow registration for public users: Functionality++
     • Due to the complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
  9. Common Shortcomings
     • Diverse log-in capabilities
       – LDAP, XML, database, ..., ∞, * == SSO
     • Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform
     • Custom error pages defined for the platform
     • Complexity++
  10. Breaking Out
     • Custom applications frequently exploit functionality of the portal framework but don't allow users direct access to framework functions…
     • … or do they?
  11. Breaking Out
     • Direct object access
     • Google is your friend… :>
     • Forcing errors to display generic portal error messages
     • Accessing site registration
     • HTML source comments and JavaScript
     • Once we can break out of the custom application, we expose the full functionality of the portal…
  12. Finding Portals
     • Google hacks (nods at Johnny Long…)
     • site:, insite:, inurl:, …, ∞
     • Demo…
       – site:za
       – inurl:/portal/site
       – inurl:/template.REGISTER
  13. Abusing Portlets
     • Original advisory pertaining to IBM WebSphere
       – WebSphere – 2006/01/24 – EPAM Systems
     • Port scanning
     • Accessing protected resources
     • Attacks at third parties
     • Blended attack scenarios
       – Denial of service
       – Brute force
       – Attacks against other protocols
  14. PortletSuite.tgz
     • PortletScan.py
       – Scan for open ports by abusing portlets
     • Pikto.py
       – Scan for common virtual directory names and web server misconfigurations
     • PorProx.py
       – Provides proxy server functionality, tunnelling HTTP requests through remote portlets
  15. PortletSuite.tgz
     • http://www.sensepost.com/blog
     • Demo…
       – Breaking out
       – Portlet scanning
       – Pikto
       – Accessing protected resources
       – PortletProx
  16. Questions?
     ian@sensepost.com
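The request on slide 6 (a portlet that takes a `URI` parameter and fetches it server-side) is the pattern that slides 13 and 14 abuse for port scanning and for reaching protected back-end resources. The following Python is an added example, not code from the slides and not part of SensePost's PortletSuite: it shows the defensive side of that pattern, first the allow-list check such a portlet should apply before fetching anything, then detection logic run over web-server access-log lines for `URI` values that point at internal hosts or cycle through many ports. The allow-listed host `hr.example.internal`, the client addresses, the combined-log-format lines and the scan threshold are all constructed for the example.

```python
"""
Added example (not from the slides or PortletSuite): defensive checks for a
portlet that fetches a caller-supplied URI, as in
    GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa  ->  HTTP 200 OK
validate_portlet_uri() is the allow-list check the portlet should apply;
flag_portlet_abuse() is detection logic over access-log lines.
Allow-list, host names and log lines are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only back-end host:port pairs the portlet may reach.
ALLOWED_HOSTS = {"hr.example.internal": {80, 443}}


def _target_port(parts):
    """Effective port of a split URL, or None if the port field is malformed."""
    try:
        return parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None


def _is_internal_host(host):
    """True for loopback/private/link-local/reserved IP literals and for
    single-label intranet names such as the bare 'HR' host on slide 6."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def validate_portlet_uri(uri, allowed=ALLOWED_HOSTS):
    """Return (ok, reason). Only http(s) to an allow-listed host:port passes;
    everything else, including internal hosts, is refused by default."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in allowed:
        return False, "host not allow-listed"
    port = _target_port(parts)
    if port is None:
        return False, "malformed port"
    if port not in allowed[host]:
        return False, "port not allow-listed"
    return True, "ok"


# Combined-log-format prefix: client ident user [time] "method path proto" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_portlet_abuse(log_lines, scan_threshold=5):
    """Return (client, kind, detail) findings: URI parameters aimed at internal
    hosts, and clients that touch many ports on one host via the portlet."""
    findings = []
    ports_seen = defaultdict(set)  # (client, host) -> {ports}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["path"]).query)  # parse_qs URL-decodes values
        for target in query.get("URI", []):
            parts = urlsplit(target)
            host = (parts.hostname or "").lower()
            if _is_internal_host(host):
                findings.append((m["client"], "internal-target", target))
            port = _target_port(parts)
            if host and port is not None:
                ports_seen[(m["client"], host)].add(port)
    for (client, host), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            findings.append((client, "port-scan", f"{host}:{sorted(ports)}"))
    return findings


# Constructed access-log lines: one legitimate fetch, then one client steering
# the portlet at the bare intranet host and at a series of local ports.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2009:10:00:01 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2Fhr.example.internal%2Fbaa HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Oct/2009:10:00:02 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa HTTP/1.1" 200 512',
] + [
    f'203.0.113.9 - - [12/Oct/2009:10:00:{3 + i:02d} +0200] '
    f'"GET /moo?portlet=id&URI=http%3A%2F%2F127.0.0.1%3A{p}%2F HTTP/1.1" 500 88'
    for i, p in enumerate((21, 22, 25, 80, 443, 8080))
]

if __name__ == "__main__":
    for uri in ("http://hr.example.internal/baa", "http://127.0.0.1:22/"):
        print(uri, validate_portlet_uri(uri))
    for finding in flag_portlet_abuse(SAMPLE_LOG):
        print(*finding)
```

The validator is deny-by-default: rather than trying to enumerate internal addresses to block, it names the few back-end targets the portlet exists to reach, which is what closes the port-scanning and protected-resource cases at once. The detector is for portals where the custom application cannot be changed quickly; on the constructed log it reports the bare `HR` target and each loopback port, and rolls the six-port sequence from one client into a single port-scan finding.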