let’s shield liferay
@jajcampoy José A. Jiménez
let’s take security seriously
Do you want to be involved? https://portal.liferay.dev/learn/security
Reporting issues
Send an email: security@liferay.com
Open a ticket: https://issues.liferay.com
Avoid details in any public channel
web application security risks
Learn about the OWASP Top 10 Web Application Security Risks
https://owasp.org/www-project-top-ten
Risk > Threat > Vulnerability > Impact
Safeguard
Have in mind:
> Code
> Data
> Infrastructure
> Configuration
using components with known vulnerabilities
Liferay Portal is a big platform with a lot of features, multiple system
integrations and a lot of development facilities: libraries, frameworks
and software modules that need to be kept updated.
Threat: It is easy to find already-written exploits for many known
vulnerabilities; others require concentrated effort to develop a custom
exploit. Either way, a vulnerable component can be exploited.
Impact: An attack can facilitate serious data loss, server takeover or
anything in between.
Custom developments Liferay
Safeguard: Update
https://portal.liferay.dev/learn/security/known-vulnerabilities
keep your Liferay CE updated
> Update your version
7.3 Rolling releases => <new> 7.3 GA3
7.2 GA2+
> 7.1, 7.0, 6.2 => DIY
Get the code
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
Build patched versions
https://portal.liferay.dev/learn/security/patching
routine
Building our custom patches
10 REVIEW YOUR CODE
20 BUILD
30 BACKUP
40 DEPLOY
50 UPGRADE DB
60 TEST
70 END
community power - working together
Dominike Marks - Complete guide and binaries
https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches
Arund Dask - Binaries for 6.2 https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
NOTE: Use the binaries at your own risk
injection
Untrusted data is sent to an interpreter as part of a command or query.
Threat: The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
SQL, NoSQL, OS, LDAP, XPath, etc.
Impact: Loss or corruption of data, DoS
Safeguard: Use parameterized APIs and tested tools.
Finders created by Service Builder are parameterized.
Custom SQL and custom finders => prepared statements
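The slide's point about custom finders, as an added example (not Liferay code): the same finder written by string concatenation and as a prepared statement, run against a constructed in-memory SQLite table that mimics a few columns of Liferay's User_ table. In a Liferay custom finder the binding is done through QueryPos on the SQLQuery; here plain DB-API placeholders stand in for it.

```python
import sqlite3

# Constructed sample rows; the table name and columns only mimic Liferay's User_.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Create the constructed sample database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE User_ (userId INTEGER PRIMARY KEY, screenName TEXT, emailAddress TEXT)"
    )
    con.executemany("INSERT INTO User_ VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def find_by_screen_name_unsafe(con, screen_name):
    """Custom finder built by string concatenation (the anti-pattern).

    The interpreter cannot tell the caller's data from SQL syntax, so a quote
    inside screen_name changes the query. The same defect also breaks on
    legitimate names that contain an apostrophe.
    """
    sql = "SELECT userId FROM User_ WHERE screenName = '" + screen_name + "'"
    return [row[0] for row in con.execute(sql)]


def find_by_screen_name_safe(con, screen_name):
    """The same finder as a prepared statement: the value is bound as data."""
    sql = "SELECT userId FROM User_ WHERE screenName = ?"
    return [row[0] for row in con.execute(sql, (screen_name,))]


def compare(con, screen_name):
    """Run both finders on one input and report what each returned."""
    try:
        unsafe = find_by_screen_name_unsafe(con, screen_name)
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    return {"unsafe": unsafe, "safe": find_by_screen_name_safe(con, screen_name)}


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'neil", "x' OR '1'='1"):
        print(repr(name), compare(db, name))
```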
cross-site scripting - xss
Untrusted data is placed in a web page without proper validation or escaping.
Threat: Attackers execute scripts in the victim’s browser, which can
hijack user sessions, deface web sites or redirect the user to
malicious sites.
Safeguard: Validate untrusted data before storing it, and escape it
when writing it to the web page:
taglibs <aui:input … />
com.liferay.portal.kernel.util.HtmlUtil > escape()
> escapeAttribute()
> escapeURL()
unvalidated redirects and forwards
http://dom1.mycompanydomain.com/c/login?redirect=dom1.mycompanydomein.com
> Explicit list of IPs or domains, examples:
redirect.url.security.mode=ip
redirect.url.ips.allowed=127.0.0.1,SERVER_IP,192.168.0.12,192.168.0.13,192.168.0.99
redirect.url.security.mode=domain
redirect.url.domains.allowed=dom1.mycompany.com,dom2.mycompany.com
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mycompany.com
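The three configurations above, as an added example that emulates the allow-list decision in standalone Python (this is not Liferay's own code; the portal applies these properties inside PortalUtil.escapeRedirect). Assumptions: a constructed address replaces SERVER_IP, host names are not resolved in ip mode, and the "*.mycompany.com" wildcard does not match the bare apex domain.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed property sets mirroring the three configurations on the slide.
# SERVER_IP is a placeholder on the slide; 10.0.0.5 is a constructed stand-in.
CONFIG_IP = {
    "redirect.url.security.mode": "ip",
    "redirect.url.ips.allowed": "127.0.0.1,10.0.0.5,192.168.0.12,192.168.0.13,192.168.0.99",
}
CONFIG_DOMAIN = {
    "redirect.url.security.mode": "domain",
    "redirect.url.domains.allowed": "dom1.mycompany.com,dom2.mycompany.com",
}
CONFIG_WILDCARD = {
    "redirect.url.security.mode": "domain",
    "redirect.url.domains.allowed": "*.mycompany.com",
}


def _split_list(value):
    """Parse a comma-separated property value into lower-cased entries."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def _domain_allowed(host, patterns):
    """Exact match, or subdomain match for "*.example" patterns.

    Assumption: the wildcard does not match the bare apex (mycompany.com).
    """
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".mycompany.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def is_redirect_allowed(redirect, config):
    """Decide whether a redirect parameter may be followed under config.

    Fails closed: only same-site paths and absolute http(s) URLs whose host
    is on the allow-list pass. A bare host name without a scheme (like the
    slide's redirect=dom1.mycompanydomein.com) is rejected, not guessed at.
    """
    if redirect.startswith("/") and not redirect.startswith(("//", "/\\")):
        return True  # same-site path such as /web/guest/home
    parts = urlsplit(redirect)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if not host:
        return False
    mode = config.get("redirect.url.security.mode", "ip")
    if mode == "ip":
        try:
            ip_address(host)
        except ValueError:
            return False  # assumption: host names are not resolved in ip mode
        return host in _split_list(config.get("redirect.url.ips.allowed", ""))
    if mode == "domain":
        allowed = _split_list(config.get("redirect.url.domains.allowed", ""))
        return _domain_allowed(host, allowed)
    return False


if __name__ == "__main__":
    for url in ("/web/guest/home", "http://dom1.mycompany.com/c/portal/login",
                "http://dom1.mycompanydomein.com/", "dom1.mycompanydomein.com",
                "http://dom1.mycompany.com@evil.example/"):
        print(url, "->", is_redirect_allowed(url, CONFIG_DOMAIN))
```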
broken authentication
Threat: badly implemented authentication and/or session management,
allowing attackers to compromise passwords, keys or session tokens
Impact: attackers assume other users’ identities temporarily or
permanently
> Use secure protocols for connections (SSL/TLS, etc.)
> A robust authentication mechanism: second-factor authentication OOTB
in Liferay 7.3 > multi-factor authentication (work in progress)
> OAuth 2.0 to invoke your APIs / JAX-RS web services
https://help.liferay.com/hc/articles/360028711432-OAuth-2-0
sensitive data exposure
Threat: Web apps or APIs do not properly protect sensitive data.
Impact: Attackers can steal or modify such weakly protected data.
> Select a strong encryption algorithm. Are you upgrading?
company.encryption.algorithm=AES
company.encryption.key.size=12
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
#passwords.encryption.algorithm.legacy=
> Review connections and protocols:
Secure LDAP (ldaps)
Secure Elasticsearch 7, available for CE in 7.2 and 7.3
> Strong password policy
https://help.liferay.com/hc/articles/360028819212-Password-Policies
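An added example (not Liferay's password encryptor) of what the `PBKDF2WithHmacSHA1/160/128000` property value encodes: the PRF, the derived key size in bits and the round count. It derives and verifies a hash with exactly those parameters using hashlib, and shows the "are you upgrading?" check: a stored hash whose parameters are weaker than the configured ones should be re-derived on the next successful login. The `<property>$<salt>$<key>` storage layout is constructed for this example and is not Liferay's on-disk format.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "PBKDF2WithHmac"


def parse_pbkdf2_property(value):
    """Split "PBKDF2WithHmacSHA1/160/128000" into (hashlib PRF name, key bits, rounds)."""
    algorithm, key_bits, rounds = value.split("/")
    if not algorithm.startswith(PREFIX):
        raise ValueError("not a PBKDF2 algorithm string: " + value)
    prf = algorithm[len(PREFIX):].lower()  # "SHA1" -> "sha1", "SHA256" -> "sha256"
    if prf not in hashlib.algorithms_available:
        raise ValueError("unknown PRF: " + prf)
    return prf, int(key_bits), int(rounds)


def hash_password(password, prop, salt=None):
    """Derive a key with the property's parameters.

    Constructed storage layout: "<property>$<salt b64>$<key b64>", so the
    parameters travel with the hash and can later be compared against the
    current configuration. Not Liferay's on-disk format.
    """
    prf, key_bits, rounds = parse_pbkdf2_property(prop)
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, rounds, dklen=key_bits // 8)
    return "$".join([prop, base64.b64encode(salt).decode(), base64.b64encode(key).decode()])


def verify_password(password, stored):
    """Constant-time comparison against a stored hash; wrong password -> False."""
    prop, salt_b64, key_b64 = stored.rsplit("$", 2)
    prf, key_bits, rounds = parse_pbkdf2_property(prop)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, rounds, dklen=key_bits // 8)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, current_prop):
    """True when the stored hash is weaker than the configured property
    (different PRF, different key size or fewer rounds)."""
    stored_prop = stored.rsplit("$", 2)[0]
    s_prf, s_bits, s_rounds = parse_pbkdf2_property(stored_prop)
    c_prf, c_bits, c_rounds = parse_pbkdf2_property(current_prop)
    return (s_prf, s_bits) != (c_prf, c_bits) or s_rounds < c_rounds


if __name__ == "__main__":
    prop = "PBKDF2WithHmacSHA1/160/128000"
    stored = hash_password("correct horse battery staple", prop)
    print(stored)
    print("verify:", verify_password("correct horse battery staple", stored))
    print("rehash needed for 256000 rounds:", needs_rehash(stored, "PBKDF2WithHmacSHA1/160/256000"))
```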
> Enable https and force it when authenticating or for other accesses, and
minimize access with explicit IP lists / ranges.
company.security.auth.requires.https=false
# {0} = main | json | atom | tunnel | webdav
{0}.servlet.hosts.allowed=
{0}.servlet.https.required=false
rss.feeds.hosts.allowed=
> Define Service Access Policies
https://help.liferay.com/hc/articles/360028711272-Service-Access-Policies
cross-site request forgery - csrf
Threat: an attack that tricks the victim into submitting a malicious
request.
Impact: It inherits the identity and privileges of the victim to perform
an undesired function on the victim’s behalf.
> POST method for action requests
> Multi-step transactions, captchas
> Auth tokens for action URLs: p_auth & p_p_auth
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
> Configure CORS (Cross-Origin Resource Sharing)
https://help.liferay.com/hc/es/articles/360030377272-Configuring-CORS
insufficient logging and monitoring
Monitor the infrastructure and the users
> Limited resources > Performance > DoS
> CPU
> MEM
> DB connection pool
Example: a non-cacheable query on every request, or users.update.last.login=true
> Log access to sensitive data or special actions
Users management: Control Panel > Configuration > Audit
Other actions: https://liferay.dev/blogs/-/blogs/auditing-liferay-dxp-who-has-done-what-and-when
> Do not execute processes with root (app server, patching tool, etc)
> Define your default admin user
default.admin.password=test
default.admin.screen.name=test
default.admin.email.address.prefix=test
default.admin.first.name=Test
default.admin.middle.name=
default.admin.last.name=Test
> Disable unused SSO
RememberMe:
company.security.auto.login=false
and many more…
thank you!
@jajcampoy

More Related Content

What's hot

Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practicesphanleson
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
OWASP
OWASPOWASP
A Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 VulnerabilitiesA Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 Vulnerabilities
milagerova
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
Vasan Ramadoss
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
iphonepentest
 

What's hot (20)

OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 Jagjit
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
302 Content Server Security Challenges And Best Practices
302   Content Server Security   Challenges And Best Practices302   Content Server Security   Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
OWASP
OWASPOWASP
OWASP
 
A Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 VulnerabilitiesA Security Overview of OWASP's Top 10 Vulnerabilities
A Security Overview of OWASP's Top 10 Vulnerabilities
 
t r
t rt r
t r
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
 

Similar to Let's shield Liferay

Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Attques web
Attques webAttques web
Attques web
Tarek MOHAMED
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
SamsonMuoki
 
Cyber Securitygttt buj bi j Mini Project.pdf
Cyber Securitygttt buj bi j  Mini Project.pdfCyber Securitygttt buj bi j  Mini Project.pdf
Cyber Securitygttt buj bi j Mini Project.pdf
kartik061104
 
OWASP zabezpieczenia aplikacji - Top 10 ASR
OWASP zabezpieczenia aplikacji - Top 10 ASROWASP zabezpieczenia aplikacji - Top 10 ASR
OWASP zabezpieczenia aplikacji - Top 10 ASR
Laravel Poland MeetUp
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
CNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
LokeshK66
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
Anatoliy Okhotnikov
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
Tommy Tracx Xaypanya
 

Similar to Let's shield Liferay (20)

Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Attques web
Attques webAttques web
Attques web
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Cyber Securitygttt buj bi j Mini Project.pdf
Cyber Securitygttt buj bi j  Mini Project.pdfCyber Securitygttt buj bi j  Mini Project.pdf
Cyber Securitygttt buj bi j Mini Project.pdf
 
Rails Security
Rails SecurityRails Security
Rails Security
 
OWASP zabezpieczenia aplikacji - Top 10 ASR
OWASP zabezpieczenia aplikacji - Top 10 ASROWASP zabezpieczenia aplikacji - Top 10 ASR
OWASP zabezpieczenia aplikacji - Top 10 ASR
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 

Recently uploaded

May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
AI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website CreatorAI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website Creator
Google
 
Launch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in MinutesLaunch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in Minutes
Roshan Dwivedi
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 

Recently uploaded (20)

May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
AI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website CreatorAI Genie Review: World’s First Open AI WordPress Website Creator
AI Genie Review: World’s First Open AI WordPress Website Creator
 
Launch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in MinutesLaunch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in Minutes
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 

Let's shield Liferay

  • 2. let’s take the security seriously Do you want to be involved? https://portal.liferay.dev/learn/security Reporting issues Send an email: security@liferay.com Open a ticket: https://issues.liferay.com Avoid details in any public channel
  • 3. web application security risks Learn about the OWASP Top 10 Web Application Security Risks https://owasp.org/www-project-top-ten Risk > Threat > Vulnerability > Impact Safeguard Have in mind: > Code > Data > Infrastructure > Configuration
  • 4. using components with known vulnerabilities Liferay Portal is a big platform, with a lot of features, multiple systems integrations and a lot of facilities for developing: libraries, frameworks and software modules that need to be updated Threat: It is easy to find already-written exploits for many known vulnerabilities. Other vulnerabilities require concentrated effort to develop a custom exploit. A vulnerable component can be exploited. Impact: Attack can facilitate serious data loss or server takeover or whatever Custom developments Liferay Safeguard: Update
  • 6. keep you liferay ce updated > Update your version 7.3 Rolling releases => <new> 7.3 GA3 7.2 GA2+ > 7.1, 7.0, 6.2 => diy Get the code https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1 Build patched versions https://portal.liferay.dev/learn/security/patching
  • 7. routine Building our custom patches 10 REVIEW YOUR CODE 20 BUILD 30 BACKUP 40 DEPLOY 50 UPGRADE DB 60 TEST 70 END
  • 8. community power - working together Dominike Marks - Complete guide and binaries https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches Arund Dask - Binaries for 6.2 https://liferay.dev/blogs/-/blogs/security-patches-for- liferay-portal-6-2-7-0-and-7-1 NOTE: Use binaries under your responsibility
  • 9. Untrusted data is sent to the interpreter as part of a command or query. Threat: The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. SQL, NoSQL, OS, LDAP, XPath, etc. Impact: Lost/corruption of data, DoS injection Safeguard: Use parameterized APIs and tested tools- Finders created by Service Builder are parametrized. Custom SQLs and custom finders => prepared statements
  • 10. Untrusted data in a web page without proper validation or escaping Threat: Attackers execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites cross-site scripting - xss Safeguard: Validate untrusted data before to store them and escape them in the web page taglibs <aui:input … /> com.liferay.portal.kernel.util.HtmlUtil > escape() > escapeAttribute() > escapeURL()
  • 11. http://dom1.mycompanydomain.com/c/login?redirect=dom1.mycompanydomein.com unvalidated redirects and forwards > Explicit list of IPs or domains, examples: redirect.url.security.mode=ip redirect.url.ips.allowed=127.0.0.1,SERVER_IP,192.168.0.12,192.168.0.13,192.168.0.99 redirect.url.security.mode=domain redirect.url.domains.allowed=dom1.mycompany.com,dom2.mycompany.com redirect.url.security.mode=domain redirect.url.domains.allowed=*.mycompany.com
  • 12. broken authentication Threat: a bad implemented authentication and/or session management, allowing attackers to compromise passwords, keys, or session tokens Impact: attackers assume other users’ identities temporarily or permanently > Use secure protocols for connections (SSL,TLS, etc) > A robust authentication mechanism: Second-factor authentication OOTB in Liferay 7.3 > Multi-factor authentication (work in progress) > OAUTH 2.0 to invoke your APIs / JAX-RS Web Services https://help.liferay.com/hc/articles/360028711432-OAuth-2-0
  • 13. Threat: Web Apps or APIs do not properly protect sensitive data Impact: Attackers can steal or modify such weakly protected data. sensitive data exposure > Select a strong encryption algorithm. Are you upgrading? company.encryption.algorithm=AES company.encryption.key.size=12 passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000 #passwords.encryption.algorithm.legacy= > Review connections and protocols: Securize LDAP (ldaps) Securize Elasticsearch 7, available for CE in 7.2 and 7.3 > Strong password policy https://help.liferay.com/hc/articles/360028819212-Password-Policies
  • 14. > Enable https and force it when authenticating or other accesses, and minimize the access having explicit IPs lists / ranges. company.security.auth.requires.https=false # {0} = main | json | atom | tunnel | webdav {0}.servlet.hosts.allowed= {0}.servlet.https.required=false rss.feeds.hosts.allowed= > Define Service Access Policies https://help.liferay.com/hc/articles/360028711272-Service-Access-Policies sensitive data exposure
  • 15. Threat: an attack that tricks the victim into submitting a malicious request Impact: It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf cross-site request forgery - csrf > POST method for action requests > Multi-step transactions, captchas > Auth tokens for action URLs: p_auth & p_p_auth auth.token.check.enabled=true portlet.add.default.resource.check.enabled=true > Configure CORS (Cross-Origin Resource Sharing) https://help.liferay.com/hc/es/articles/360030377272-Configuring-CORS
  • 16. insufficient logging and monitoring
Monitor the infrastructure and the users
> Limited resources: performance, DoS, CPU, memory, DB connection pool
Example: a non-cacheable query run on every request, or users.update.last.login=true (a database write on every login)
> Log access to sensitive data or special actions
User management: Control Panel > Configuration > Audit
Other actions: https://liferay.dev/blogs/-/blogs/auditing-liferay-dxp-who-has-done-what-and-when
  • 17. and many more…
> Do not run processes as root (app server, patching tool, etc.)
> Define your default admin user (defaults shown; they are only read when the first administrator is created on initial startup, so override them before that first start)
default.admin.password=test
default.admin.screen.name=test
default.admin.email.address.prefix=test
default.admin.first.name=Test
default.admin.middle.name=
default.admin.last.name=Test
> Disable unused SSO / RememberMe auto login: company.security.auto.login=false
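The settings cited on slides 13 to 17, collected into one hardened portal-ext.properties fragment as an added example. It is not the deck's or Liferay's own file; the allow-list addresses, the legacy algorithm name and the administrator values are placeholders marked ADAPT.

```properties
# portal-ext.properties: hardening fragment collecting the settings from the slides above.
# Added example, not the deck's or Liferay's own file. Values marked ADAPT are placeholders.

# sensitive data exposure: encryption at rest
company.encryption.algorithm=AES
# valid AES key sizes: 128, 192, 256
company.encryption.key.size=128
# password hashing: algorithm / derived key bits / rounds
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
# upgrading from an older algorithm? name it here so stored hashes are re-hashed at next login (ADAPT)
#passwords.encryption.algorithm.legacy=SHA

# sensitive data exposure: force TLS and limit who can reach the servlets
company.security.auth.requires.https=true
# if TLS terminates at a reverse proxy, also tell Liferay its public scheme
web.server.protocol=https
main.servlet.https.required=true
json.servlet.https.required=true
atom.servlet.https.required=true
tunnel.servlet.https.required=true
webdav.servlet.https.required=true
# an empty allow-list means any host; SERVER_IP expands to the host's own address (ADAPT the lists)
# tunnel is server-to-server only (remote staging), so it can be locked down tightly
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
webdav.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
rss.feeds.hosts.allowed=127.0.0.1,SERVER_IP
# main stays open on a public site, and the portal's own browser UI calls the JSON web services
# from user IPs: restricting json by address breaks that, so govern /api/jsonws with Service
# Access Policies instead
#main.servlet.hosts.allowed=
#json.servlet.hosts.allowed=

# csrf: keep the p_auth / p_p_auth checks on (these are the defaults; never turn them off)
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true

# broken authentication: disable "Remember Me" auto login if you do not use it
company.security.auto.login=false

# first administrator: read only when the database is created on first start; ADAPT before that
default.admin.password=ADAPT-long-unique-value
default.admin.screen.name=portaladmin
default.admin.email.address.prefix=portaladmin
default.admin.first.name=Portal
default.admin.middle.name=
default.admin.last.name=Admin
```

Drop the fragment into the Liferay home directory, restart, and confirm with curl that an HTTP request to the login page is redirected and that the tunnel servlet answers only from the listed addresses; the default admin values have no effect on an already initialised database, where the account must be changed through the Control Panel.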

Editor's Notes

  1. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. It is the reference organization on security matters for development companies and developer communities, and it periodically publishes a ranking (the OWASP Top 10) of the most important risks to consider in our web applications. Tools and resources; Community and networking; Education and training.
  2-3. Depending on the assets you are protecting, this risk should perhaps sit at the top of the list. Libraries, frameworks, software modules, systems, etc. The prevalence of this problem is very widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Some scanners such as retire.js help with detection, but determining exploitability requires additional effort. While some known vulnerabilities lead only to minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
  4. Untrusted data is sent to an interpreter as part of a command or query. Threat: the attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. SQL, NoSQL, OS, LDAP, XPath, etc. Impact: data loss / corruption, DoS. Safeguard: use parameterized APIs and proven tools: the finders generated by Service Builder are parameterized. Custom SQL => prepared statements.
  5. Untrusted data in a web page without proper validation or escaping. Threat: attackers run scripts in the victim's browser that can hijack user sessions, deface websites or redirect the user to malicious sites.
  6-7. The application or its APIs do not adequately protect sensitive data such as personal data, cards, credentials, etc. An attacker can reach this data and steal it, use it at will, modify it, etc. Safeguard: strong encryption of data, both in transit and at rest. Use secure protocols and strong cipher algorithms. Strong password policies. > Rainbow tables, easily cracked password databases, etc.
  8. Predictable, easily constructed requests to servers. XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, Hostile Linking, One-Click attack.
  9. Find a portlet's preferences and update/store them as part of rendering a portlet in the theme.
  10. Service access policies comprise a layer of web service security that defines services or service methods that can be invoked remotely. Methods corresponding to a web service invocation request must be whitelisted by each service access policy that’s in effect. You can use wildcards to reduce the number of service classes and methods that must be explicitly whitelisted.
  11. Good afternoon, I am José Ángel Jiménez, Jose, Jose Angel.