SlideShare a Scribd company logo

Domino testing presentation

Download as PPT, PDF
Ari Elias-Bachrach
Ari Elias-Bachrach

This document discusses security testing for Lotus Domino applications. It covers why security testing is necessary given Domino's unique architecture as a web application database. It then provides an introduction to Domino and outlines common Domino commands that can be used for blackbox and whitebox testing. The document discusses best practices for testing access controls, default files, and the overall Domino architecture.

1 of 41
Lotus Domino Security White and black box testing Ari Elias-Bachrach Casey Pike
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Why is This Necessary? In January 2009, More Than Half of Fortune Global 100 Now Using Lotus Notes/Domino* http://www-03.ibm.com/press/us/en/pressrelease/26480.wss
Why is This Necessary? • Domino is….. Unique Web App DB
Why is This Necessary? • Automated scanners seem to have a hard time with Domino apps • Many “normal” attacks don’t work (SQL injection) • There are many other attacks which will work • Not a lot of good information out there
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Introduction to Domino • Domino stores data in custom database files with the .nsf extension http://server/database.nsf/DominoObj?Action •View •Frameset •Form •Navigator •Agent •Document •Page
Introduction to Domino • Special Identifiers begin with $ and can return any domino object http://server/database.nsf/$SpecialIdentifier http://server/database.nsf/$help?openhelp
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Domino Commands • View • Openview – opens the view • ReadViewEntries – access the view data in XML format • $first – returns the first document in the view • $searchform?opensearchform – opens a search form from which the view can be searched http://server/database.nsf/myview?Openview
Domino Commands http://server/database.nsf/myform?OpenForm Form • OpenForm – opens the form • ReadForm – displays the form without its editable fields. • CreateDocument – sent using an HTTP post. Domino will create a document with the contents of the HTTP post packet.
Domino Commands http://server/db.nsf/myView/doc1?EditDocument Document • EditDcoument • SaveDocument – sent as an HTTP post. Domino will update the document with the contents of the post. • DeleteDocument • OpenDocument • $file/name – returns doc’s attachment with the name “name”
Domino Commands http://server/db.nsf/myAgent?OpenAgent Navigator • OpenNavigator Agent • OpenAgent Page • OpenPage Frameset Openframeset
Domino Commands • Special Items • ?Redirect – allows redirection to another database based on it’s ID. • ?openDatabse • /$about?OpenAbout – opens the “about this database” document • /$help?openhelp – opens the help document • /$icon?openicon – opens the icon for the database • /$defaultview – returns the default view (if there is one). • /$defaultform – returns the default form (if there is one). • /$defaultnav – returns the default navigator • ?openpreferences – opens the preferences setting. http://server/database.nsf/$about?OpenAbout
Domino Commands • Chaining http://host/db.nsf/$defaultview/$first?editdocument
Pause for Questions
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Blackbox • Navigate the app - use the commands just discussed • Check all defaults/special identifiers • Try to edit docs (permissions checking) • Find (and use) search forms • Enumerate views (more on this later)
Blackbox • Views, Forms, and Agents all have a notesID. Assignment begins with 0x11A and increments by 4 each time • http://host/database.nsf/11A • http://host/database.nsf/11E • http://host/database.nsf/122 • http://host/database.nsf/126 • http://host/database.nsf/12A
Blackbox Enumerate views Occurrences of view names in help files: 135 - By Category 36 - View A 31 - All 26 - Main 23 - Categorized 22 - Main View 13 - All Documents 6 - Topics
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Whitebox • Levels of Access in Domino • Server • Database • Elements • Documents • Fields
Whitebox • Server access – Ask your administrator • Server Doc • Internet Site Doc • Configuration Doc • Person Docs – Internet passwords are secure
Whitebox
Whitebox • Database access – ACLs for Web Access • Editor – Create and edit docs • Author – Create and edit own docs • Reader – Read docs • Depositor – Create docs • No access – Be careful public documents
Whitebox ACL Mistakes • Even though Anonymous is set to No Access, it is possible to overlook Read Public documents which will give access. • Common App – Mail File* • Do not overlook any setting
Whitebox ACL Mistakes • -Default- is any user who has authenticated. If allowed access, make sure to audit the Domino Directory for test accounts or LDAP if directory assistance is used.
Whitebox
Whitebox Elements access – Check them ALL • Forms, Views, Navigators, etc. - If they are not used, hide them from the web. • Security Tab – Set who can access the element based on ACL • Allow public access
Whitebox
Whitebox • Restrict more in-depth audits for elements that are exposed to the web • Views, Forms, Pages… • Ask to see config or profile documents (make sure they are protected) • Review All Agents – Can be called from the web to run code. Can write to DB2, SQL, FTP, basically do anything.
Whitebox • Check permissions on all design elements • Check actions within design elements
Whitebox • Field Access • Depending on how the application is written, fields on public forms can be hidden.
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Default Files • Names.nsf – The most important database • Log.nsf – Shows events on server • WebAdmin.nsf – A web version of admin client • Help Files – Should never be left on the server When upgrade a server, it could re-add databases you thought you deleted!!!
Where to Start? • Talk to the Administrator – Learn about the different documents (server, config, internet site) of the NAB • Learn the default ACL and how it is audited. • Talk to the Developers – Its impossible to go through every element and to look at field security. Establish security practices
Where to Start? Get a good tool • Team Studio – Build Manager to write checks before a application is refreshed into production. Preventive Security! • DominoScan II – NGS Software • AppDetectivePro – Application Security Inc. • PowerTools and ScanEz – Admin Tools
Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
Architecture • End users directly enter DB commands • Cannot run arbitrary DB commands • Who sets up ACLs in your org?
Questions? Comments? Insults? • ari@defensium.com • Twitter: @angelofsecurity • www.defensium.com CaseyPike@gmail.com http://www.defensium.com/domino/

Recommended

Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Soccnx11 Two wrongs don't make a right - Troubleshooting Connections Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Nico Meisenzahl
 
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Lucidworks
 
Favourite Cloud Apps
Favourite Cloud AppsFavourite Cloud Apps
Favourite Cloud Apps
Michael Rees
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
Jason Gerard
 
Unboxing HCL Notes/Domino v12!
Unboxing HCL Notes/Domino v12!Unboxing HCL Notes/Domino v12!
Unboxing HCL Notes/Domino v12!
panagenda
 
Replacing Your Shared Drive with Alfresco - Open Source ECM
Replacing Your Shared Drive with Alfresco - Open Source ECMReplacing Your Shared Drive with Alfresco - Open Source ECM
Replacing Your Shared Drive with Alfresco - Open Source ECM
Alfresco Software
 
SOCCNX11 All you need to know about Orient Me
SOCCNX11 All you need to know about Orient MeSOCCNX11 All you need to know about Orient Me
SOCCNX11 All you need to know about Orient Me
Nico Meisenzahl
 
RESTful Services
RESTful ServicesRESTful Services
RESTful Services
Jason Gerard
 

Recommended

Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Soccnx11 Two wrongs don't make a right - Troubleshooting Connections Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Soccnx11 Two wrongs don't make a right - Troubleshooting Connections
Nico Meisenzahl
 
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Challenges of Simple Documents: When Basic isn't so Basic - Cassandra Targett...
Lucidworks
 
Favourite Cloud Apps
Favourite Cloud AppsFavourite Cloud Apps
Favourite Cloud Apps
Michael Rees
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
Jason Gerard
 
Unboxing HCL Notes/Domino v12!
Unboxing HCL Notes/Domino v12!Unboxing HCL Notes/Domino v12!
Unboxing HCL Notes/Domino v12!
panagenda
 
Replacing Your Shared Drive with Alfresco - Open Source ECM
Replacing Your Shared Drive with Alfresco - Open Source ECMReplacing Your Shared Drive with Alfresco - Open Source ECM
Replacing Your Shared Drive with Alfresco - Open Source ECM
Alfresco Software
 
SOCCNX11 All you need to know about Orient Me
SOCCNX11 All you need to know about Orient MeSOCCNX11 All you need to know about Orient Me
SOCCNX11 All you need to know about Orient Me
Nico Meisenzahl
 
RESTful Services
RESTful ServicesRESTful Services
RESTful Services
Jason Gerard
 
Oxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your websiteOxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your websitehernanibf
 
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
panagenda
 
Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
ColdFusionConference
 
Intro to drupal
Intro to drupalIntro to drupal
Intro to drupal
hernanibf
 
The things we found in your website
The things we found in your websiteThe things we found in your website
The things we found in your websitehernanibf
 
Expert guide for PHP
Expert guide for PHPExpert guide for PHP
Expert guide for PHP
Steve Fort
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
Dylan Redfield
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23
BIWUG
 
My site is slow
My site is slowMy site is slow
My site is slow
hernanibf
 
Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019
Dylan Redfield
 
WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020
stk_jj
 
Intro apache
Intro apacheIntro apache
Intro apache
koppenolski
 
Building Advanced RESTFul services
Building Advanced RESTFul servicesBuilding Advanced RESTFul services
Building Advanced RESTFul services
Ortus Solutions, Corp
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
Boston WordPress
 
Domino 365 DNUG 2020
Domino 365 DNUG 2020Domino 365 DNUG 2020
Domino 365 DNUG 2020
Dylan Redfield
 
Deployer - Deployment tool for PHP
Deployer - Deployment tool for PHPDeployer - Deployment tool for PHP
Deployer - Deployment tool for PHP
hernanibf
 
Fedora4
Fedora4Fedora4
Fedora4Yinlin Chen
 
Drupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon BarcelonaDrupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon Barcelona
hernanibf
 
From Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm iFrom Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm i
Alan Seiden
 
Markup languages and warp-speed documentation
Markup languages and warp-speed documentationMarkup languages and warp-speed documentation
Markup languages and warp-speed documentation
Lois Patterson
 
Unittesting Bad-Practices by Example
Unittesting Bad-Practices by ExampleUnittesting Bad-Practices by Example
Unittesting Bad-Practices by Example
Benjamin Eberlei
 
User Testing by Example
User Testing by ExampleUser Testing by Example
User Testing by Example
Jeremy Horn
 

More Related Content

What's hot

Oxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your websiteOxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your websitehernanibf
 
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
panagenda
 
Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
ColdFusionConference
 
Intro to drupal
Intro to drupalIntro to drupal
Intro to drupal
hernanibf
 
The things we found in your website
The things we found in your websiteThe things we found in your website
The things we found in your websitehernanibf
 
Expert guide for PHP
Expert guide for PHPExpert guide for PHP
Expert guide for PHP
Steve Fort
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
Dylan Redfield
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23
BIWUG
 
My site is slow
My site is slowMy site is slow
My site is slow
hernanibf
 
Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019
Dylan Redfield
 
WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020
stk_jj
 
Intro apache
Intro apacheIntro apache
Intro apache
koppenolski
 
Building Advanced RESTFul services
Building Advanced RESTFul servicesBuilding Advanced RESTFul services
Building Advanced RESTFul services
Ortus Solutions, Corp
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
Boston WordPress
 
Domino 365 DNUG 2020
Domino 365 DNUG 2020Domino 365 DNUG 2020
Domino 365 DNUG 2020
Dylan Redfield
 
Deployer - Deployment tool for PHP
Deployer - Deployment tool for PHPDeployer - Deployment tool for PHP
Deployer - Deployment tool for PHP
hernanibf
 
Drupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon BarcelonaDrupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon Barcelona
hernanibf
 
From Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm iFrom Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm i
Alan Seiden
 
Markup languages and warp-speed documentation
Markup languages and warp-speed documentationMarkup languages and warp-speed documentation
Markup languages and warp-speed documentation
Lois Patterson
 

What's hot (20)

Oxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your websiteOxford DrupalCamp 2012 - The things we found in your website
Oxford DrupalCamp 2012 - The things we found in your website
 
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
Soccnx10: IBM Connections Troubleshooting or “Get the Cow off the Ice”
 
Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
 
Intro to drupal
Intro to drupalIntro to drupal
Intro to drupal
 
The things we found in your website
The things we found in your websiteThe things we found in your website
The things we found in your website
 
Expert guide for PHP
Expert guide for PHPExpert guide for PHP
Expert guide for PHP
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23
 
My site is slow
My site is slowMy site is slow
My site is slow
 
Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019Domino V10 and How to Get There - IBM Think 2019
Domino V10 and How to Get There - IBM Think 2019
 
WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020 WordPress Security 101 - Meetup Nairobi March 2020
WordPress Security 101 - Meetup Nairobi March 2020
 
Intro apache
Intro apacheIntro apache
Intro apache
 
Building Advanced RESTFul services
Building Advanced RESTFul servicesBuilding Advanced RESTFul services
Building Advanced RESTFul services
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
 
Domino 365 DNUG 2020
Domino 365 DNUG 2020Domino 365 DNUG 2020
Domino 365 DNUG 2020
 
Deployer - Deployment tool for PHP
Deployer - Deployment tool for PHPDeployer - Deployment tool for PHP
Deployer - Deployment tool for PHP
 
Fedora4
Fedora4Fedora4
Fedora4
 
Drupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon BarcelonaDrupal architectures for flexible content - Drupalcon Barcelona
Drupal architectures for flexible content - Drupalcon Barcelona
 
From Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm iFrom Zero to ZF: Your first zend framework project on ibm i
From Zero to ZF: Your first zend framework project on ibm i
 
Markup languages and warp-speed documentation
Markup languages and warp-speed documentationMarkup languages and warp-speed documentation
Markup languages and warp-speed documentation
 

Viewers also liked

Unittesting Bad-Practices by Example
Unittesting Bad-Practices by ExampleUnittesting Bad-Practices by Example
Unittesting Bad-Practices by Example
Benjamin Eberlei
 
User Testing by Example
User Testing by ExampleUser Testing by Example
User Testing by Example
Jeremy Horn
 
Bad test, good test
Bad test, good testBad test, good test
Bad test, good test
Seb Rose
 
Specification by Example
Specification by ExampleSpecification by Example
Specification by Example
Sergey Shishkin
 
Unit-Testing Bad-Practices by Example
Unit-Testing Bad-Practices by ExampleUnit-Testing Bad-Practices by Example
Unit-Testing Bad-Practices by ExampleBenjamin Eberlei
 
Specifications For Enterprise Testing
Specifications For Enterprise TestingSpecifications For Enterprise Testing
Specifications For Enterprise Testing
Sathyan Sethumadhavan
 
7 1-1 soap-developers_guide
7 1-1 soap-developers_guide7 1-1 soap-developers_guide
7 1-1 soap-developers_guide
Nugroho Hermanto
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Moving Towards Zero Defects with Specification by Example
Moving Towards Zero Defects with Specification by ExampleMoving Towards Zero Defects with Specification by Example
Moving Towards Zero Defects with Specification by Example
Steve Rogalsky
 
Learn SoapUI
Learn SoapUILearn SoapUI
Learn SoapUI
David Ionut
 
Agile Testing by Example
Agile Testing by ExampleAgile Testing by Example
Agile Testing by Example
Mikalai Alimenkou
 
Types of Software Testing
Types of Software TestingTypes of Software Testing
Types of Software TestingNishant Worah
 
Testing concepts ppt
Testing concepts pptTesting concepts ppt
Testing concepts pptRathna Priya
 
Introduction to Agile software testing
Introduction to Agile software testingIntroduction to Agile software testing
Introduction to Agile software testing
KMS Technology
 
Agile Testing Process
Agile Testing ProcessAgile Testing Process
Agile Testing ProcessIntetics
 
Software Testing Fundamentals
Software Testing FundamentalsSoftware Testing Fundamentals
Software Testing FundamentalsChankey Pathak
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
The Happy Startup School
 

Viewers also liked (20)

Unittesting Bad-Practices by Example
Unittesting Bad-Practices by ExampleUnittesting Bad-Practices by Example
Unittesting Bad-Practices by Example
 
User Testing by Example
User Testing by ExampleUser Testing by Example
User Testing by Example
 
Postgresql and ror
Postgresql and rorPostgresql and ror
Postgresql and ror
 
Bad test, good test
Bad test, good testBad test, good test
Bad test, good test
 
Specification by Example
Specification by ExampleSpecification by Example
Specification by Example
 
Unit-Testing Bad-Practices by Example
Unit-Testing Bad-Practices by ExampleUnit-Testing Bad-Practices by Example
Unit-Testing Bad-Practices by Example
 
Testing
TestingTesting
Testing
 
Specifications For Enterprise Testing
Specifications For Enterprise TestingSpecifications For Enterprise Testing
Specifications For Enterprise Testing
 
7 1-1 soap-developers_guide
7 1-1 soap-developers_guide7 1-1 soap-developers_guide
7 1-1 soap-developers_guide
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Moving Towards Zero Defects with Specification by Example
Moving Towards Zero Defects with Specification by ExampleMoving Towards Zero Defects with Specification by Example
Moving Towards Zero Defects with Specification by Example
 
Learn SoapUI
Learn SoapUILearn SoapUI
Learn SoapUI
 
Agile Testing by Example
Agile Testing by ExampleAgile Testing by Example
Agile Testing by Example
 
Manual testing ppt
Manual testing pptManual testing ppt
Manual testing ppt
 
Types of Software Testing
Types of Software TestingTypes of Software Testing
Types of Software Testing
 
Testing concepts ppt
Testing concepts pptTesting concepts ppt
Testing concepts ppt
 
Introduction to Agile software testing
Introduction to Agile software testingIntroduction to Agile software testing
Introduction to Agile software testing
 
Agile Testing Process
Agile Testing ProcessAgile Testing Process
Agile Testing Process
 
Software Testing Fundamentals
Software Testing FundamentalsSoftware Testing Fundamentals
Software Testing Fundamentals
 
The Minimum Loveable Product
The Minimum Loveable ProductThe Minimum Loveable Product
The Minimum Loveable Product
 

Similar to Domino testing presentation

Domino testing presentation
Domino testing presentationDomino testing presentation
Domino testing presentationdominion
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
Sam Bowne
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
Howard Greenberg
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X Systems
Sam Bowne
 
SharePoint 2014: Where to save my data, for devs!
SharePoint 2014: Where to save my data, for devs!SharePoint 2014: Where to save my data, for devs!
SharePoint 2014: Where to save my data, for devs!Ben Steinhauser
 
Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011Bachkoutou Toutou
 
SilverStripe From a Developer's Perspective
SilverStripe From a Developer's PerspectiveSilverStripe From a Developer's Perspective
SilverStripe From a Developer's Perspective
ajshort
 
The Dev-Admin Chimera: Customising Connections (with Gab Davis)
The Dev-Admin Chimera: Customising Connections (with Gab Davis)The Dev-Admin Chimera: Customising Connections (with Gab Davis)
The Dev-Admin Chimera: Customising Connections (with Gab Davis)
Mark Myers
 
Technical track-afterimaging Progress Database
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
Vinh Nguyen
 
Documenting metadata application profiles and vocabularies
Documenting metadata application profiles and vocabulariesDocumenting metadata application profiles and vocabularies
Documenting metadata application profiles and vocabularies
Paul Walk
 
AHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
Infochimps, a CSC Big Data Business
 
Soccnx10: Best and worst practices deploying IBM Connections
Soccnx10: Best and worst practices deploying IBM ConnectionsSoccnx10: Best and worst practices deploying IBM Connections
Soccnx10: Best and worst practices deploying IBM Connections
panagenda
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
Sam Bowne
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Uklug 2014 connections dev faq
Uklug 2014 connections dev faqUklug 2014 connections dev faq
Uklug 2014 connections dev faq
Mark Myers
 
Nagios XI Best Practices
Nagios XI Best PracticesNagios XI Best Practices
Nagios XI Best Practices
Nagios
 
DrupalCon 2011 Highlight
DrupalCon 2011 HighlightDrupalCon 2011 Highlight
DrupalCon 2011 Highlight
Supakit Kiatrungrit
 
Lessons from a Dying CMS
Lessons from a Dying CMSLessons from a Dying CMS
Lessons from a Dying CMS
Sandy Smith
 
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?DATAVERSITY
 
Microsoft Offical Course 20410C_10
Microsoft Offical Course 20410C_10Microsoft Offical Course 20410C_10
Microsoft Offical Course 20410C_10
gameaxt
 

Similar to Domino testing presentation (20)

Domino testing presentation
Domino testing presentationDomino testing presentation
Domino testing presentation
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X Systems
 
SharePoint 2014: Where to save my data, for devs!
SharePoint 2014: Where to save my data, for devs!SharePoint 2014: Where to save my data, for devs!
SharePoint 2014: Where to save my data, for devs!
 
Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011
 
SilverStripe From a Developer's Perspective
SilverStripe From a Developer's PerspectiveSilverStripe From a Developer's Perspective
SilverStripe From a Developer's Perspective
 
The Dev-Admin Chimera: Customising Connections (with Gab Davis)
The Dev-Admin Chimera: Customising Connections (with Gab Davis)The Dev-Admin Chimera: Customising Connections (with Gab Davis)
The Dev-Admin Chimera: Customising Connections (with Gab Davis)
 
Technical track-afterimaging Progress Database
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
 
Documenting metadata application profiles and vocabularies
Documenting metadata application profiles and vocabulariesDocumenting metadata application profiles and vocabularies
Documenting metadata application profiles and vocabularies
 
AHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
 
Soccnx10: Best and worst practices deploying IBM Connections
Soccnx10: Best and worst practices deploying IBM ConnectionsSoccnx10: Best and worst practices deploying IBM Connections
Soccnx10: Best and worst practices deploying IBM Connections
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Uklug 2014 connections dev faq
Uklug 2014 connections dev faqUklug 2014 connections dev faq
Uklug 2014 connections dev faq
 
Nagios XI Best Practices
Nagios XI Best PracticesNagios XI Best Practices
Nagios XI Best Practices
 
DrupalCon 2011 Highlight
DrupalCon 2011 HighlightDrupalCon 2011 Highlight
DrupalCon 2011 Highlight
 
Lessons from a Dying CMS
Lessons from a Dying CMSLessons from a Dying CMS
Lessons from a Dying CMS
 
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?
A Case Study of NoSQL Adoption: What Drove Wordnik Non-Relational?
 
Microsoft Offical Course 20410C_10
Microsoft Offical Course 20410C_10Microsoft Offical Course 20410C_10
Microsoft Offical Course 20410C_10
 

Recently uploaded

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

Domino testing presentation

  • 1. Lotus Domino Security White and black box testing Ari Elias-Bachrach Casey Pike
  • 2. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 3. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 4. Why is This Necessary? In January 2009, More Than Half of Fortune Global 100 Now Using Lotus Notes/Domino* http://www-03.ibm.com/press/us/en/pressrelease/26480.wss
  • 5. Why is This Necessary? • Domino is….. Unique Web App DB
  • 6. Why is This Necessary? • Automated scanners seem to have a hard time with Domino apps • Many “normal” attacks don’t work (SQL injection) • There are many other attacks which will work • Not a lot of good information out there
  • 7. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 8. Introduction to Domino • Domino stores data in custom database files with the .nsf extension http://server/database.nsf/DominoObj?Action •View •Frameset •Form •Navigator •Agent •Document •Page
  • 9. Introduction to Domino • Special Identifiers begin with $ and can return any domino object http://server/database.nsf/$SpecialIdentifier http://server/database.nsf/$help?openhelp
  • 10. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 11. Domino Commands • View • Openview – opens the view • ReadViewEntries – access the view data in XML format • $first – returns the first document in the view • $searchform?opensearchform – opens a search form from which the view can be searched http://server/database.nsf/myview?Openview
  • 12. Domino Commands http://server/database.nsf/myform?OpenForm Form • OpenForm – opens the form • ReadForm – displays the form without its editable fields. • CreateDocument – sent using an HTTP post. Domino will create a document with the contents of the HTTP post packet.
  • 13. Domino Commands http://server/db.nsf/myView/doc1?EditDocument Document • EditDcoument • SaveDocument – sent as an HTTP post. Domino will update the document with the contents of the post. • DeleteDocument • OpenDocument • $file/name – returns doc’s attachment with the name “name”
  • 15. Domino Commands • Special Items • ?Redirect – allows redirection to another database based on it’s ID. • ?openDatabse • /$about?OpenAbout – opens the “about this database” document • /$help?openhelp – opens the help document • /$icon?openicon – opens the icon for the database • /$defaultview – returns the default view (if there is one). • /$defaultform – returns the default form (if there is one). • /$defaultnav – returns the default navigator • ?openpreferences – opens the preferences setting. http://server/database.nsf/$about?OpenAbout
  • 18. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 19. Blackbox • Navigate the app - use the commands just discussed • Check all defaults/special identifiers • Try to edit docs (permissions checking) • Find (and use) search forms • Enumerate views (more on this later)
  • 20. Blackbox • Views, Forms, and Agents all have a notesID. Assignment begins with 0x11A and increments by 4 each time • http://host/database.nsf/11A • http://host/database.nsf/11E • http://host/database.nsf/122 • http://host/database.nsf/126 • http://host/database.nsf/12A
  • 21. Blackbox Enumerate views Occurrences of view names in help files: 135 - By Category 36 - View A 31 - All 26 - Main 23 - Categorized 22 - Main View 13 - All Documents 6 - Topics
  • 22. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 23. Whitebox • Levels of Access in Domino • Server • Database • Elements • Documents • Fields
  • 24. Whitebox • Server access – Ask your administrator • Server Doc • Internet Site Doc • Configuration Doc • Person Docs – Internet passwords are secure
  • 26. Whitebox • Database access – ACLs for Web Access • Editor – Create and edit docs • Author – Create and edit own docs • Reader – Read docs • Depositor – Create docs • No access – Be careful public documents
  • 27. Whitebox ACL Mistakes • Even though Anonymous is set to No Access, it is possible to overlook Read Public documents which will give access. • Common App – Mail File* • Do not overlook any setting
  • 28. Whitebox ACL Mistakes • -Default- is any user who has authenticated. If allowed access, make sure to audit the Domino Directory for test accounts or LDAP if directory assistance is used.
  • 30. Whitebox Elements access – Check them ALL • Forms, Views, Navigators, etc. - If they are not used, hide them from the web. • Security Tab – Set who can access the element based on ACL • Allow public access
  • 32. Whitebox • Restrict more in-depth audits for elements that are exposed to the web • Views, Forms, Pages… • Ask to see config or profile documents (make sure they are protected) • Review All Agents – Can be called from the web to run code. Can write to DB2, SQL, FTP, basically do anything.
  • 33. Whitebox • Check permissions on all design elements • Check actions within design elements
  • 34. Whitebox • Field Access • Depending on how the application is written, fields on public forms can be hidden.
  • 35. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 36. Default Files • Names.nsf – The most important database • Log.nsf – Shows events on server • WebAdmin.nsf – A web version of admin client • Help Files – Should never be left on the server When upgrade a server, it could re-add databases you thought you deleted!!!
  • 37. Where to Start? • Talk to the Administrator – Learn about the different documents (server, config, internet site) of the NAB • Learn the default ACL and how it is audited. • Talk to the Developers – Its impossible to go through every element and to look at field security. Establish security practices
  • 38. Where to Start? Get a good tool • Team Studio – Build Manager to write checks before a application is refreshed into production. Preventive Security! • DominoScan II – NGS Software • AppDetectivePro – Application Security Inc. • PowerTools and ScanEz – Admin Tools
  • 39. Outline • Why is This Necessary? • Introduction to Domino • Domino Commands • Blackbox • Whitebox • Default Files • Architecture
  • 40. Architecture • End users directly enter DB commands • Cannot run arbitrary DB commands • Who sets up ACLs in your org?
  • 41. Questions? Comments? Insults? • ari@defensium.com • Twitter: @angelofsecurity • www.defensium.com CaseyPike@gmail.com http://www.defensium.com/domino/

Editor's Notes

  1. Ari is the security guy Casey is the Domino guy
  2. 374,000 hits from filetype:nsf – these are domino databases directly accessible from the web
  3. Is Domino a web server, app server, or database server? The answer is it’s all three.
  4. That’s right – you access the domino DB directly through the URL. This is probably the right place to talk about what each of these items is
  5. This all assumed you have permissions….
  6. This slide needs to be finished - Casey
  7. Obviously you should check for all of these on a black or white box test