Liferay Road Show 12.9.2013, Jari Saukkonen, Ambientia

Black box security testing

1. Black-box* Security Testing
(*for some definitions of black)
Jari Saukkonen
12.9.2013 www.ambientia.net 1

2. Jari Saukkonen
• Software Architect
• Hands-on development and problem solving at Ambientia since 1998
• Involved in Liferay-based projects from Liferay 5.1 onwards
• Hobby pianist, (astro)photographer, rhythm game addict, and a fan of good tea.
3. Everyone knows this
• All nontrivial software has bugs
• Keeping your software up-to-date is important

4. Why am I not up-to-date, then?
• You might not have the personnel or contractors to look after your installation
• The fixes might not be available for your (older) product version
• You might be using a Liferay-derivative product, making the version choice out of your control
• "works for me"

5. Liferay CE vs. EE
• Community Security Team maintains patches for the latest CE version
• Liferay Support provides the latest security fixes for Liferay EE as they are implemented. You can choose individually which patches to apply.
• EE patches are backported to previous Liferay versions as long as they are supported

6. Patching Tool
• Liferay Enterprise Edition comes with a dedicated patching tool
• Finds out which patches are relevant for your installation and applies them
• Easy to use!

7. Black-box Testing
• Definition: Determine the functionality of a system without knowledge of its internal structures
• Automated (security scanners) or manual process
• Useful for testing unknown, possibly very customized systems
8. Automated security scanners
• Pros:
  • Press button, wait, receive results
  • Good for searching generic problems such as XSS exploits or SQL injections
• Cons:
  • Liferay-specific vulnerabilities are not widely implemented in third-party scanners
  • Results always need interpretation; false positives are common with certain types of checks

9. Manual testing
1. Find out your (more or less) exact Liferay version
2. Search http://issues.liferay.com for security issues affecting your version
3. Try to reproduce the issues in your environment
• This is not always easy.

10. Essential tools
• Browser debugger
  • Firebug
  • Chrome Developer Tools
• Request editing tool for custom GET/POST requests
  • curl
  • Fiddler
• Creativity!
11. Typical security problems I
• LPS-8374, Access to the default view of all portlets
  • Including /enterprise_admin/view that can display all user accounts on the server
  • Since: 5.1.2, fixed in 5.2 EE SP4, 6.0 EE SP3, 6.1 CE GA2

12. Typical security problems II
• LPS-28222, Remote Denial of Service that prevents server startup
  • Requires manual database cleanup to recover
  • Since: 5.2.3, fixed in 6.1.1 CE/EE GA2
• LPS-29268, Remote Denial of Service that fills the database with PortletPreferences
  • Requires manual database cleanup to recover
  • Since: 6.0.6 GA, fixed in 6.1 CE/EE GA3
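Steps 1 and 2 of the manual procedure on slide 9 (find the version, then find the issues that apply to it) can be done mechanically for the issues listed on slides 11 and 12. The following Python script is an added example, not code from the slides or from Liferay. It assumes that a Liferay 6.x server advertises its release in a "Liferay-Portal" HTTP response header with the wording shown in the constructed samples, and that "6.1 CE GA2" and "6.1 CE GA3" correspond to versions 6.1.1 and 6.1.2; the affected ranges are taken from the "Since"/"fixed in" lines on the slides and cover CE numbering only. For EE, the base version says nothing about the applied patch level, so the script points to the patching tool instead of guessing.

```python
import re

# Constructed sample response headers (not captured from a real server). The
# "Liferay-Portal" header name and its wording are an assumption for this example.
SAMPLE_CE_HEADERS = {
    "Server": "Apache-Coyote/1.1",
    "Liferay-Portal": "Liferay Portal Community Edition 6.1.0 CE "
                      "(Paton / Build 6100 / January 6, 2012)",
}
SAMPLE_EE_HEADERS = {
    "Server": "Apache-Coyote/1.1",
    "Liferay-Portal": "Liferay Portal Enterprise Edition 6.1.20 EE "
                      "(Paton / Build 6120 / July 31, 2012)",
}

# Affected CE version ranges from slides 11 and 12 as [first affected, first fixed).
# Mapping "6.1 CE GA2" -> 6.1.1 and "6.1 CE GA3" -> 6.1.2 is an assumption made here.
KNOWN_ISSUES = [
    ("LPS-8374", "Access to the default view of all portlets", (5, 1, 2), (6, 1, 1)),
    ("LPS-28222", "Remote DoS that prevents server startup", (5, 2, 3), (6, 1, 1)),
    ("LPS-29268", "Remote DoS that fills the database with PortletPreferences",
     (6, 0, 6), (6, 1, 2)),
]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(release_info):
    """Return (major, minor, patch) from a release string, or None if absent."""
    m = _VERSION_RE.search(release_info)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_edition(release_info):
    """Return "CE" or "EE" from the release string, or None if it is unclear."""
    if "Community Edition" in release_info or " CE" in release_info:
        return "CE"
    if "Enterprise Edition" in release_info or " EE" in release_info:
        return "EE"
    return None


def affected_issues(version):
    """LPS keys whose CE range contains the given version, in slide order."""
    return [key for key, _, since, fixed in KNOWN_ISSUES if since <= version < fixed]


def assess(headers):
    """Fingerprint a response and list the slide issues to try to reproduce."""
    lowered = {k.lower(): v for k, v in headers.items()}
    release_info = lowered.get("liferay-portal")
    if release_info is None:
        return {"version": None, "edition": None, "issues": [],
                "note": "no Liferay-Portal header; determine the version another way"}
    version = parse_version(release_info)
    edition = parse_edition(release_info)
    if edition == "EE":
        # EE fixes arrive as service packs / patches on top of the base release,
        # so the version number alone is not enough; check with the patching tool.
        return {"version": version, "edition": edition, "issues": [],
                "note": "EE release: check the applied patch level with the patching tool"}
    if version is None:
        return {"version": None, "edition": edition, "issues": [],
                "note": "could not parse a version from the Liferay-Portal header"}
    return {"version": version, "edition": edition,
            "issues": affected_issues(version),
            "note": "candidate issues to reproduce manually (CE ranges only)"}


if __name__ == "__main__":
    for name, headers in (("CE sample", SAMPLE_CE_HEADERS),
                          ("EE sample", SAMPLE_EE_HEADERS)):
        print(name, assess(headers))
```

The output is a list of candidates, not a verdict: a version inside a range still has to be reproduced in your own environment (step 3 on slide 9), and a customized or derivative installation may have removed or changed the header entirely, in which case the version has to be established by other means.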
13. Typical security problems III
• Various XSS issues
  • Portlet-specific problems: you need to use the portlet to be vulnerable
  • Usually not very long-lived, but may be present in older versions
• OS-level problems, e.g. a vulnerable httpd version

14. How to secure my server?
• EE customers can receive notices when security patches are released: have a process in place to handle them in a timely manner
• https://www.liferay.com/community/security-team/known-vulnerabilities
• Security Advisories forum on liferay.com
15. Keep your Liferay safe!

16. Questions?
