Enterprise Portals - Gateway to the Gold
Ian De Villiers
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Published in: Technology
Enterprise Portals
Gate to the Gold

`whoami`
•  SensePost
  –  Specialist Security firm based in Pretoria
  –  Customers all over the globe
  –  Talks / Papers / Books
•  ian@sensepost.com
  –  Associate security analyst
  –  I break stuff and write reports about breaking stuff
•  Why this talk?

EP Vendors
•  IBM WebSphere Portal
•  SAP NetWeaver Portal
•  Oracle Portal Products (PlumTree, BEA, SUN, ∞)
•  OpenText Portal (Formerly Vignette)
•  JBoss Portal
•  Microsoft SharePoint Server
•  Apache Jetspeed, Interwoven TeamPortal, …, ∞

EP Overview
•  Frequent on intranets.
•  Also frequent on the Internet… :)
•  Framework for integrating information, people and processes**
•  Consolidate and summarise diverse sources of information
•  Provide customisable home-page for registered users**

EP Overview
•  Popular platform for deployment of applications due to framework and built-in functionality
•  Provide SDKs for customisation and deployment of custom applications
•  Support pluggable components called portlets
•  Generally J2EE-based, but there are some alternate platforms (i.e.: .NET, PHP, ∞)

Portlet Overview
•  Pluggable user interface components which are managed and displayed in a portal**
•  Fragments of markup code (i.e: HTML / XML etc) which are aggregated in a portal page**
•  Adhere to various standards
  –  WSRP (web services for remote portlets)
  –  Java Portlet Specification
     •  JSR168
     •  JSR268
  –  Proprietary
•  Diagram on the slide: a portlet request and its response
     GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa
     HTTP 200 OK

Functionality++
•  User Registration
•  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞
•  Workflow components
•  Messaging / Social networking
•  Configuration and administrative components

Common Shortcomings
•  Generally cater for multiple portal applications
  –  May expose intranet applications to the Internet
•  Frequently allow registration for public users – Functionality++
•  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges

Common Shortcomings
•  Diverse log-in capabilities
  –  LDAP, XML, Database, ..., ∞, * == SSO
•  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform
•  Custom error pages defined for platform
•  Complexity++

Breaking Out
•  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions…
•  … or do they ?

Breaking Out
•  Direct object access
•  Google is your friend… :>
•  Forcing errors to display generic portal error messages
•  Accessing site-registration
•  HTML source comments and JavaScript
•  Once we can break out of the custom application, we expose the full functionality of the portal…

Finding Portals
•  Google Hacks (nods at Johnny Long…)
•  site:, insite:, inurl:, …, ∞
•  Demo…
  –  site:za
  –  inurl:/portal/site
  –  inurl:/template.REGISTER

Abusing Portlets
•  Original Advisory pertaining to IBM WebSphere
  –  WebSphere – 2006/01/24 – EPAM Systems
•  Port Scanning
•  Accessing protected resources
•  Attacks at third parties
•  Blended Attack Scenarios
  –  Denial Of Service
  –  Brute-Force
  –  Attacks against other protocols

PortletSuite.tgz
•  PortletScan.py
  –  Scan for open ports by abusing portlets
•  Pikto.py
  –  Scan for common virtual directory names and web server misconfigurations
•  PorProx.py
  –  Provides proxy server functionality tunnelling HTTP requests through remote portlets

PortletSuite.tgz
•  http://www.sensepost.com/blog
•  Demo…
  –  Breaking out
  –  Portlet-scanning
  –  Pikto
  –  Accessing protected resources
  –  PortletProx
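Added example, not from the talk and not part of PortletSuite: a server-side allowlist check for the URI parameter of the portlet request shown in the Portlet Overview slide, plus a detector that applies the same check to access-log lines, covering the port-scanning, protected-resource and proxy abuse described in the Abusing Portlets and PortletSuite slides. The portlet path /moo and the parameter name URI come from the slide; the back-end host hr.example.internal and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the portlet is reached as GET /moo?portlet=<id>&URI=<target> (as on
# the slide) and its only legitimate back end is the hypothetical host below.
ALLOWED_HOSTS = {"hr.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}

def validate_fetch_uri(uri, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Only the scheme, host and default port the portlet was
    built for pass, so a caller cannot retarget it at other hosts or ports."""
    try:
        parts = urlsplit(uri)
        port = parts.port            # ValueError on e.g. ':abc'
    except ValueError:
        return False, "malformed URI or port"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host %r not in allowlist" % host
    if port not in (None, 443 if parts.scheme == "https" else 80):
        return False, "non-default port %r" % port
    return True, "ok"

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')

def flag_suspicious_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Detection side: return (line_no, target, reason) for each access-log line
    whose URI parameter would fail validate_fetch_uri()."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("path")).query)   # percent-decodes
        for target in query.get("URI", []):
            ok, reason = validate_fetch_uri(target, allowed_hosts)
            if not ok:
                findings.append((n, target, reason))
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2Fhr.example.internal%2Fbaa HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2009:10:00:01 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2F127.0.0.1%3A22%2F HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2009:10:00:02 +0200] "GET /moo?portlet=id&URI=ftp%3A%2F%2Fhr.example.internal%2F HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2009:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 1024',
]
```

Calling `flag_suspicious_requests(SAMPLE_LOG)` flags the second and third lines (a loopback target on a non-HTTP port and a non-HTTP scheme) and passes the first, which matches the portlet's own back end.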
Questions ?
ian@sensepost.com