Enterprise Portals - Gateway to the Gold

Post on 15-May-2015


Ian de Villiers, ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Transcript of Enterprise Portals - Gateway to the Gold

Enterprise Portals

Gate to the Gold

`whoami`

•  SensePost – Specialist security firm based in Pretoria
   –  Customers all over the globe
   –  Talks / Papers / Books
•  ian@sensepost.com – Associate security analyst
   –  I break stuff and write reports about breaking stuff
•  Why this talk?

EP Vendors

•  IBM WebSphere Portal
•  SAP NetWeaver Portal
•  Oracle Portal Products (PlumTree, BEA, SUN, ∞)
•  OpenText Portal (Formerly Vignette)
•  JBoss Portal
•  Microsoft SharePoint Server
•  Apache Jetspeed, Interwoven TeamPortal, …, ∞

EP Overview

•  Frequent on intranets.
•  Also frequent on the Internet… :)
•  Framework for integrating information, people and processes**
•  Consolidate and summarise diverse sources of information
•  Provide customisable home-page for registered users

EP Overview

•  Popular platform for deployment of applications due to framework and built-in functionality
•  Provide SDKs for customisation and deployment of custom applications
•  Support pluggable components called portlets
•  Generally J2EE-based, but there are some alternate platforms (e.g. .NET, PHP, ∞)

Portlet Overview

•  Pluggable user interface components which are managed and displayed in a portal**
•  Fragments of markup code (e.g. HTML / XML etc.) which are aggregated in a portal page**
•  Adhere to various standards
   –  WSRP (Web Services for Remote Portlets)
   –  Java Portlet Specification
      •  JSR168
      •  JSR268
      •  Proprietary

A portlet fetching a remote resource on the user's behalf (the URI is passed URL-encoded as a request parameter):

GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa

HTTP 200 OK

Functionality++

•  User Registration
•  Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞
•  Workflow components
•  Messaging / Social networking
•  Configuration and administrative components

Common Shortcomings

•  Generally cater for multiple portal applications
   –  May expose intranet applications to the Internet
•  Frequently allow registration for public users
   –  Functionality++
•  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges

Common Shortcomings

•  Diverse log-in capabilities – LDAP, XML, Database, ..., ∞, * == SSO

•  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform

•  Custom error pages defined for platform

•  Complexity++

Breaking Out

•  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions…

•  … or do they ?

Breaking Out

•  Direct object access
•  Google is your friend… :>
•  Forcing errors to display generic portal error messages
•  Accessing site-registration
•  HTML source comments and JavaScript
•  Once we can break out of the custom application, we expose the full functionality of the portal…

Finding Portals

•  Google Hacks (nods at Johnny Long…)
•  site:, insite:, inurl:, …, ∞
•  Demo…
   –  site:za
   –  inurl:/portal/site
   –  inurl:/template.REGISTER

Abusing Portlets

•  Original Advisory pertaining to IBM WebSphere
   –  WebSphere – 2006/01/24 – EPAM Systems
•  Port Scanning
•  Accessing protected resources
•  Attacks at third parties
•  Blended Attack Scenarios
   –  Denial Of Service
   –  Brute-Force
   –  Attacks against other protocols
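Every item on this slide rests on the same mechanism as the GET /moo?portlet=id&URI=... request in the Portlet Overview: the portlet fetches whatever host and port the URI parameter names. As an added example (not from the talk and not part of PortletSuite), here is the server-side control that closes that off: an allow-list check on the URI parameter before the portlet opens any connection. ALLOWED_BACKENDS and the hostnames in it are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote
import ipaddress

# Constructed allow-list for illustration: the backends a fetching portlet may
# proxy to, each with the ports that backend legitimately serves.
ALLOWED_BACKENDS = {
    "hr.example.internal": {80, 443},
    "docs.example.internal": {8443},
}


def check_portlet_uri(raw_uri: str) -> tuple[bool, str]:
    """Decide whether the URI= value handed to a remote-fetching portlet may be
    fetched. Returns (allowed, reason). Only scheme, host and port are judged
    and the allow-list decides, so an unlisted host or port is refused before
    any socket is opened; without such a check the portlet reports open or
    closed for any host:port a user names, which is the port scan on the slide."""
    try:
        # The slide shows the parameter URL-encoded (URI=http%3A%2F%2F...);
        # drop the unquote() if the container has already decoded it.
        parts = urlsplit(unquote(raw_uri))
        port = parts.port                     # ValueError on a bad port
    except ValueError:
        return False, "unparseable URI or port"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme '{parts.scheme}' not permitted"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in URI"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URI not permitted"
    # Refuse IP literals outright: the allow-list is by name, and a bare
    # address is how loopback or an internal range would be reached.
    try:
        ipaddress.ip_address(host)
        return False, "IP-literal hosts not permitted"
    except ValueError:
        pass
    if host not in ALLOWED_BACKENDS:
        return False, f"host '{host}' not in allow-list"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_BACKENDS[host]:
        return False, f"port {port} not permitted for '{host}'"
    return True, "ok"


if __name__ == "__main__":
    for uri in ("http%3A%2F%2Fhr.example.internal%2Fbaa",
                "http%3A%2F%2Fhr.example.internal%3A22%2F",
                "http://127.0.0.1/", "gopher://hr.example.internal/"):
        print(uri, check_portlet_uri(uri))
```

The name check alone is not the whole control: the fetching code must also pin the address it resolved for the allowed name when it connects (so a rebinding DNS answer cannot redirect it) and must not follow redirects from the backend without re-running this check on the new location.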

PortletSuite.tgz

•  PortletScan.py – Scan for open ports by abusing portlets
•  Pikto.py – Scan for common virtual directory names and web server misconfigurations
•  PorProx.py – Provides proxy server functionality tunnelling HTTP requests through remote portlets

PortletSuite.tgz

•  http://www.sensepost.com/blog
•  Demo…
   –  Breaking out
   –  Portlet-scanning
   –  Pikto
   –  Accessing protected resources
   –  PortletProx

Questions ?

ian@sensepost.com