CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable


Collabsphere 2018 (formerly MWLUG) presentation in which Darren Duke outlines how to protect, test and enhance your Domino web security.

  1. SC 103 Domino on the Web - Yes, It's (Probably) Hackable - Darren Duke
  2. About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger • Twitter snark fountain @darrenduke • This may be the best slide in the deck. Feel free to leave right now…
  3. Agenda • What we will cover – The eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
  4. Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at a time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
  5. The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes, both • Developer – Tell: what is *your* required minimum security? • Administrator – Ask: what is the maximum level of security I can use? • If no answer, start high and move down
  6. Sanitize Input • Developers, you must validate and sanitize the input submitted to your web applications – Input fields need to be validated on form submission • Ex: on submit, check for and remove <script> tags in the input • Stripping tags alone is not enough: attackers nest tags so that one pass of stripping re-assembles them, and use event handlers (onerror, onload) that contain no <script> at all, so validate each field against what it should contain and encode the value on output as well • This reduces the risk of XSS and injection, and of an attacker using the application to compromise the server – Try to hack your own applications
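To make the sanitize-input point concrete, here is an added example (JavaScript; not code from the talk or from any Domino application) that puts the "strip <script> on submit" approach next to the two controls that actually hold up: allow-list validation of the field and HTML encoding on output. The field rule, the payloads and the function names are assumptions made for this demo.

```javascript
// Added example (not from the talk): why stripping <script> tags is not enough.
// Shows the naive tag-stripping sanitizer, two constructed payloads that survive it,
// and the controls that hold: allow-list validation on input, encoding on output.

// 1. The "remove <script> tags on submit" approach from the slide.
function naiveStripScript(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// 2. Allow-list validation: accept only what the field is supposed to hold.
//    Assumed rule for a display-name field: 1-40 letters, digits, spaces, ' and -.
const DISPLAY_NAME = /^[A-Za-z0-9 '\-]{1,40}$/;
function validateDisplayName(input) {
  return DISPLAY_NAME.test(input);
}

// 3. Output encoding for the HTML text/attribute context.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 4. Render a submitted value both ways so the difference is visible.
function renderComment(input) {
  return {
    stripped: `<p>${naiveStripScript(input)}</p>`,
    encoded: `<p>${encodeHtml(input)}</p>`,
  };
}

// Constructed payloads.
const payloads = {
  // one pass of stripping removes the inner <script> and </script>, leaving <script>alert(1)
  nested: '<scr<script>ipt>alert(1)</script>',
  // no <script> tag at all, so the stripper does nothing
  noScriptTag: '<img src=x onerror=alert(1)>',
};

// For each payload: does validation reject it, and does either rendering still carry
// something a browser would execute?
function demo() {
  const out = {};
  for (const [name, p] of Object.entries(payloads)) {
    const r = renderComment(p);
    out[name] = {
      validated: validateDisplayName(p),
      strippedStillExecutable: /<script|onerror=/i.test(r.stripped),
      encodedExecutable: /<script|<img/i.test(r.encoded),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The stripper is kept deliberately naive; the lesson is that a deny-list on input is the wrong layer, while an allow-list on input plus encoding at the point of output holds for both payloads.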
  7. The Domino HTTP stack • Not the most up-to-date HTTP stack available – I'm being nice • Missing many modern features – HTTP/2, SNI • Yes, I'm sure Domino 10 will address this along with world peace • Complicated HTTP header use • Sometimes TLS/SSL gets caught with pants down – POODLE – ROBOT
  8. • So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also do HA and LB – Try that in native Domino!
  9. The Simple Things…
  10. The Simple Things • More Secure Internet Passwords (the Domino Directory setting that stores Internet passwords as salted hashes instead of the legacy unsalted format)
  11. The Simple Things • More Secure EXISTING Internet Passwords (existing passwords are only re-hashed once the setting is on and the user next changes or re-enters their password)
  12. The Simple Things • Make your Domino LTPA cookie more secure – Require SSL (the Secure flag) • The cookie is only sent over HTTPS, mitigating man-in-the-middle interception – Restrict use (the HttpOnly flag) • Prevents script access to the cookie • Mitigates session theft via XSS (it does not stop the XSS itself)
  13. The Simple Things • Notes.ini Settings – HSTS • adds-hsts-to-its-security-arsenal.htm – X-Frame-Options header • http://www- • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- etSRC
  14. The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 (no client-initiated TLS renegotiation) – HTTPEnableConnectorHeaders=0 (Domino ignores the WebSphere connector headers such as $WSRA, so a client that reaches Domino directly cannot spoof its source address or scheme) – SSL_RESUMABLE_SESSIONS=0 (no TLS session resumption) – SSL_DISABLE_TLS_10=1 (no TLS 1.0)
  15. The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP deprecates more weak/vulnerable ciphers
  16. The Less Simple Things
  17. I'll show mine, if you show yours • HTTP Headers are your friend • They stop the browser from doing stupid things – Headers can be disabled or ignored in the browser!!! They are defence in depth, not a substitute for fixing the application – Implement with care • For example, line 5 breaks the Domino blog • X-XSS-Protection (line 4) is only honoured by older browsers; current ones have dropped it and Content-Security-Policy is its replacement • Here is my starting header config for Apache
  1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  3. Header always append X-Frame-Options SAMEORIGIN
  4. Header always set X-XSS-Protection "1; mode=block"
  5. Header always set X-Content-Type-Options: nosniff
  6. Header always set Server NotTelling
  7. Header always set Referrer-Policy strict-origin-when-cross-origin
  18. The Less Simple Things • NginX Version
  1. set_cookie_flag HttpOnly secure;
  2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
  3. add_header X-Frame-Options "SAMEORIGIN";
  4. add_header X-XSS-Protection "1; mode=block";
  5. add_header X-Content-Type-Options "nosniff";
  6. server_tokens off;
  7. add_header Referrer-Policy "strict-origin-when-cross-origin";
  • Note 1: line 1 requires module support in NginX (a third-party cookie-flag module). NginX 1.19.3 and later has the built-in proxy_cookie_flags directive for the same job. • Note 2: line 6 only removes the version and OS, it still says "nginx". There are other ways (the headers-more module's more_clear_headers Server;) but they seem hit and miss as you may have to compile module support into NginX. • Note 3: add_header is not inherited into a location block that declares any add_header of its own, so repeat the whole set in every location where you add one, or the hardening silently disappears for that path.
  19. The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each Internet Site • Oh yeah, you need to be using Internet Sites • It may work with the global (non-Internet Site) configuration, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
  20. The Harder Things
  21. The Harder Things • There are more advanced headers – Content-Security-Policy – Access-Control-Allow-Origin – Access-Control-Allow-Methods – Access-Control-Allow-Headers • Content-Security-Policy is X-XSS-Protection on steroids: the browser only runs script and loads resources from the sources you list • The Access-Control-* (CORS) headers are different: they grant other origins access to your responses, so they loosen rather than tighten; keep them as narrow as the application allows
  22. The Harder Things • The blog NginX headers
  add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, HEAD';
  add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src";
  add_header Access-Control-Allow-Origin ",";
  • Caveat: 'unsafe-inline' in script-src lets injected inline script run, which is most of what CSP is meant to stop; it is a pragmatic concession for Domino-generated pages, so plan to move inline script into files (or use nonces/hashes) and drop it • An empty frame-src source list is equivalent to 'none' (no frames allowed)
  23. The Harder Things • Content-Security-Policy directives used – default-src – script-src – style-src – font-src – img-src – frame-src
  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src";
  24. The Harder Things • Content-Security-Policy-Report-Only – Allows testing of a policy BEFORE enforcing it • The browser reports violations but blocks nothing • Clean up all the violations BEFORE switching to Content-Security-Policy – Violations show in the browser developer tools console (add a report-uri / report-to directive to collect them centrally from real users)
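The cookie flags from slide 12, the Apache and NginX header sets from slides 17 and 18 and the CSP from slides 22 to 24 can be checked offline before a scanner ever sees the site. The following is an added example, not code from the talk, Domino or NginX: a small Node.js audit that takes a map of response headers as a reverse proxy would emit them and reports what is missing or weak, including parsing the CSP for 'unsafe-inline' in script-src. The header values, cookie names and thresholds (one-year HSTS, any digit in Server counting as version disclosure) are assumptions made for the demo.

```javascript
// Added example (not from the talk): offline audit of the response headers the
// talk recommends. Input: a header map with lowercase names; Set-Cookie may be an
// array. All sample values below are constructed.

// Content-Security-Policy value -> { directive: [sources] }.
// An empty source list (e.g. "frame-src" on its own) means 'none' per the CSP spec.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Returns a list of findings; an empty list means nothing to complain about.
function auditHeaders(headers) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];

  // Cookie flags (slide 12): every cookie should carry Secure and HttpOnly.
  for (const cookie of [].concat(get('set-cookie') || [])) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie ${name}: missing Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name}: missing HttpOnly`);
  }

  // HSTS: present, with a max-age of at least one year (assumed threshold).
  const hsts = get('strict-transport-security');
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS max-age below one year');

  // Clickjacking: X-Frame-Options or a CSP frame-ancestors directive.
  const cspValue = get('content-security-policy');
  const policy = cspValue ? parseCsp(cspValue) : null;
  const xfo = (get('x-frame-options') || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !(policy && policy['frame-ancestors'])) {
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }

  if ((get('x-content-type-options') || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Server banner: any digit is taken as a version disclosure.
  const server = get('server') || '';
  if (/\d/.test(server)) findings.push(`Server header discloses a version: ${server}`);

  // CSP: the script source list decides whether injected script can run.
  if (!policy) {
    findings.push('missing Content-Security-Policy');
  } else {
    const script = policy['script-src'] || policy['default-src'] || [];
    if (script.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
    if (script.includes('*')) findings.push('CSP script-src allows any origin');
  }
  return findings;
}

// Constructed: roughly what the talk's nginx config plus its CSP would produce,
// with a second cookie the proxy did not get to flag.
const sampleHeaders = {
  'server': 'nginx/1.14.0',
  'set-cookie': ['LtpaToken=AAECAzMA; Path=/; HttpOnly; Secure', 'DomAuthSessId=abc; Path=/'],
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src",
};

// Constructed: the same site after the fixes; should produce no findings.
const hardenedHeaders = {
  ...sampleHeaders,
  'server': 'nginx',
  'set-cookie': ['LtpaToken=AAECAzMA; Path=/; HttpOnly; Secure', 'DomAuthSessId=abc; Path=/; HttpOnly; Secure'],
  'content-security-policy': "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src; frame-ancestors 'self'",
};

console.log('before:', auditHeaders(sampleHeaders));
console.log('after:', auditHeaders(hardenedHeaders));
```

Feed it the headers from a real response (for example the output of a HEAD request through the proxy) and run it against every location you serve, since the NginX add_header inheritance rule means different paths can end up with different header sets.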
  25. The Much Harder Things
  26. The Much Harder Things • ModSecurity – A web application firewall module, available for Apache and NginX – With the OWASP Core Rule Set (CRS) it detects known attack patterns • OWASP - Open Web Application Security Project – Rules allow or disallow certain URL patterns, request content and actions • Known attack patterns get blocked/reported – Use with caution • You probably want to "report" before turning it on fully, then switch the engine to blocking once the false positives are handled • SecRuleEngine DetectionOnly
  27. ModSecurity (audit log entry, H section)
  --d5cdc63e-H--
  Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
  Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"]
  Stopwatch: 1532256930612640 6576 (- - -)
  Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0
  Response-Body-Transformed: Dechunked
  Producer: ModSecurity for Apache/2.9.2 (; OWASP_CRS/3.0.2.
  Server: Apache/2.4.29 (Ubuntu)
  Engine-Mode: "DETECTION_ONLY"
  --d5cdc63e-Z--
  28. ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description of the category • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Tells you what the violation is (here: the request carried no Host header, which is what a scanner or a raw health check sends, not a browser)
  29. ModSecurity • More often than not, you will just end up disabling the rule that hit because it's not applicable or not a risk to your application/server • In our example it is rule id 920280 • Rules can be disabled per URI, per web server or for all servers; prefer the narrowest scope that makes the false positive go away, since a global exclusion also switches the rule off for the requests it was right about • Depending on your ModSec version the exception syntax will be different, so Google it
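Working through a DetectionOnly log by hand gets old quickly. The following is an added example, not part of the talk or of ModSecurity/CRS: a Node.js script that parses the H sections of a ModSecurity 2.x audit log like the one on slide 27, summarises which rules fired and on which URIs, and prints the exclusion you would add for a false positive, scoped to one URI prefix rather than to the whole server. The log text is constructed for the demo (the first entry is trimmed from the slide's own, the second is made up to show a second rule), and the exclusion rule id 1001 is an assumption; it must be unique in your configuration.

```javascript
// Added example (not from the talk): parse ModSecurity 2.x audit-log H sections,
// summarise which CRS rules fired and where, and build rule exclusions.
// The log below is constructed (first entry trimmed from the slide, second made up).

const sampleAuditLog = [
  '--d5cdc63e-H--',
  'Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "OWASP_TOP_10/A7"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"]',
  'Engine-Mode: "DETECTION_ONLY"',
  '--d5cdc63e-Z--',
  '--0badc0de-H--',
  'Message: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "blog.example"] [uri "/blog.nsf/search"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]',
  'Engine-Mode: "DETECTION_ONLY"',
  '--0badc0de-Z--',
].join('\n');

// One "Message:" line -> { text, file, line, id, msg, severity, uri, tags: [...] }.
function parseMessageLine(line) {
  const entry = { tags: [] };
  const firstBracket = line.indexOf(' [');
  entry.text = line.slice('Message: '.length, firstBracket < 0 ? undefined : firstBracket).trim();
  const pair = /\[(\w+) "([^"]*)"\]/g; // [key "value"]; the tag key repeats
  let m;
  while ((m = pair.exec(line)) !== null) {
    const [, key, value] = m;
    if (key === 'tag') entry.tags.push(value);
    else entry[key] = value;
  }
  return entry;
}

// Whole audit log text -> { engineMode, hits: [...] }.
function parseAuditLog(text) {
  const hits = [];
  let engineMode = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('Message: ')) hits.push(parseMessageLine(line));
    else if (line.startsWith('Engine-Mode:')) {
      const em = /"([^"]+)"/.exec(line);
      if (em) engineMode = em[1];
    }
  }
  return { engineMode, hits };
}

// Group hits by rule id so you can see what fires, how often, and on which URIs.
function summariseByRule(hits) {
  const byRule = new Map();
  for (const h of hits) {
    if (!byRule.has(h.id)) {
      byRule.set(h.id, { id: h.id, msg: h.msg, severity: h.severity, count: 0, uris: [] });
    }
    const s = byRule.get(h.id);
    s.count += 1;
    if (!s.uris.includes(h.uri)) s.uris.push(h.uri);
  }
  return [...byRule.values()];
}

// Exclusion limited to one URI prefix (ModSecurity 2.9 / CRS 3 syntax). The
// exclusion's own id must be unique in your config; 1001 here is an assumption.
function uriScopedExclusion(ruleId, uriPrefix, exclusionId) {
  return `SecRule REQUEST_URI "@beginsWith ${uriPrefix}" "id:${exclusionId},phase:1,pass,nolog,ctl:ruleRemoveById=${ruleId}"`;
}

// Global exclusion, for when the rule is wrong for the whole server.
function globalExclusion(ruleId) {
  return `SecRuleRemoveById ${ruleId}`;
}

const parsed = parseAuditLog(sampleAuditLog);
console.log('engine mode:', parsed.engineMode);
for (const s of summariseByRule(parsed.hits)) {
  console.log(`${s.id} x${s.count} [${s.severity}] ${s.msg} on ${s.uris.join(', ')}`);
}
console.log(uriScopedExclusion('920280', '/', 1001));
console.log(globalExclusion('920280'));
```

With CRS 3, the ctl-based (URI-scoped) exclusion has to be loaded before the rule set, which is what REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf is for, while SecRuleRemoveById goes after it in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Run the summary over a full day of DetectionOnly logs before switching SecRuleEngine to On; a rule that only ever fires on one URI is a candidate for a scoped exclusion, one that fires on real attacks everywhere is not.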
  30. Tools
  31. Tools • Warning – Don't scan a site you don't have approval to scan • Scanning without explicit approval could be a crime in your (or the server's) jurisdiction – Don't scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
  32. Tools • Qualys SSL Labs – Most of you will have used the free version • Paid Qualys options proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL/TLS, certificates, ciphers, etc.
  33. Qualys
  34. Tools • – Will scan a given site and return security-related header information – Provides warnings and recommendations for the different headers
  36. Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
  37. Tools • – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
  38. ZAP
  40. Takeaways • Know what access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
  41. Q&A • That was a lot • Question Time!