Enterprise Portals - Gateway to the Gold


Ian De Villiers, ZaCon 2009, http://www.zacon.org.za/Archives/2009/slides/

Transcript of Enterprise Portals - Gateway to the Gold

Page 1: Enterprise Portals - Gateway to the Gold

Enterprise Portals

Gate to the Gold

Page 2: Enterprise Portals - Gateway to the Gold

`whoami`

•  SensePost – Specialist Security firm based in Pretoria
   –  Customers all over the globe
   –  Talks / Papers / Books
•  [email protected] – Associate security analyst
   –  I break stuff and write reports about breaking stuff
•  Why this talk?

Page 3: Enterprise Portals - Gateway to the Gold

EP Vendors

•  IBM WebSphere Portal
•  SAP NetWeaver Portal
•  Oracle Portal Products (PlumTree, BEA, SUN, ∞)
•  OpenText Portal (Formerly Vignette)
•  JBoss Portal
•  Microsoft SharePoint Server
•  Apache Jetspeed, Interwoven TeamPortal, …, ∞

Page 4: Enterprise Portals - Gateway to the Gold

EP Overview

•  Frequent on intranets.
•  Also frequent on the Internet… :)
•  Framework for integrating information, people and processes**
•  Consolidate and summarise diverse sources of information
•  Provide customisable home-page for registered users

Page 5: Enterprise Portals - Gateway to the Gold

EP Overview

•  Popular platform for deployment of applications due to framework and built-in functionality

•  Provide SDKs for customisation and deployment of custom applications

•  Support pluggable components called portlets

•  Generally J2EE-based, but there are some alternate platforms (e.g. .NET, PHP, ∞)

Page 6: Enterprise Portals - Gateway to the Gold

Portlet Overview

•  Pluggable user interface components which are managed and displayed in a portal**
•  Fragments of markup code (e.g. HTML / XML etc) which are aggregated in a portal page**
•  Adhere to various standards
   –  WSRP (web services for remote portlets)
   –  Java Portlet Specification
      •  JSR168
      •  JSR268
   –  Proprietary

GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa

HTTP 200 OK

Page 7: Enterprise Portals - Gateway to the Gold

Functionality++

•  User Registration
•  Portals are generally designed to share information
   –  provide functionality for searching documents, users, ..., ∞
•  Workflow components
•  Messaging / Social networking
•  Configuration and administrative components

Page 8: Enterprise Portals - Gateway to the Gold

Common Shortcomings

•  Generally cater for multiple portal applications
   –  May expose intranet applications to the Internet
•  Frequently allow registration for public users
   –  Functionality++
•  Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges

Page 9: Enterprise Portals - Gateway to the Gold

Common Shortcomings

•  Diverse log-in capabilities – LDAP, XML, Database, ..., ∞, * == SSO

•  Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform

•  Custom error pages defined for platform

•  Complexity++

Page 10: Enterprise Portals - Gateway to the Gold

Breaking Out

•  Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions…

•  … or do they ?

Page 11: Enterprise Portals - Gateway to the Gold

Breaking Out

•  Direct object access
•  Google is your friend… :>
•  Forcing errors to display generic portal error messages
•  Accessing site-registration
•  HTML source comments and JavaScript
•  Once we can break out of the custom application, we expose the full functionality of the portal…

Page 12: Enterprise Portals - Gateway to the Gold

Finding Portals

•  Google Hacks (nods at Johnny Long…)
•  site:, insite:, inurl:, …, ∞
•  Demo…
   –  site:za
   –  inurl:/portal/site
   –  inurl:/template.REGISTER

Page 13: Enterprise Portals - Gateway to the Gold

Abusing Portlets

•  Original Advisory pertaining to IBM WebSphere
   –  WebSphere – 2006/01/24 – EPAM Systems
•  Port Scanning
•  Accessing protected resources
•  Attacks at third parties
•  Blended Attack Scenarios
   –  Denial Of Service
   –  Brute-Force
   –  Attacks against other protocols
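The abuse cases on this slide and the `GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa` request on the portlet-overview slide share one root cause: a portlet that fetches whatever URI the browser hands it. The block below is an added example, not code from the talk or from SensePost's PortletSuite. It shows the destination check such a portlet should apply (scheme, allow-listed hostname, default port only, no literal IPs or embedded credentials) and then runs the same check over constructed portal access-log lines to flag requests whose `URI` parameter was rejected, grouping repeat offenders as likely port-scan attempts. The hostnames `hr.example.internal` and `docs.example.internal`, the client addresses and the log lines are all constructed for the example.

```python
"""
Added example (not from the talk or from PortletSuite): a destination check
for a portlet that fetches content on the user's behalf via a URI parameter,
plus a detection pass over constructed portal access-log lines.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the portal only needs to proxy these two backends (constructed names).
ALLOWED_HOSTS = {"hr.example.internal", "docs.example.internal"}
ALLOWED_PORTS = {80, 443}


def check_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URI a portlet has been asked to fetch.

    The portlet should refuse anything that is not http/https, not an
    explicitly allow-listed hostname, or not on a default web port.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    # Literal IP addresses are never allow-listed: a proxying portlet that
    # accepts them can be pointed at anything reachable from the server.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not permitted"
    except ValueError:
        pass
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allow-list"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    return True, "ok"


# Constructed access-log lines; the request line carries the portlet's
# URI parameter exactly as the browser sent it (percent-encoded).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Sep/2009:10:01:13 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2Fhr.example.internal%2Fbaa HTTP/1.1" 200 5120
10.0.0.9 - - [12/Sep/2009:10:01:15 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2F10.0.0.1%3A22%2F HTTP/1.1" 200 187
10.0.0.9 - - [12/Sep/2009:10:01:16 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2F10.0.0.1%3A23%2F HTTP/1.1" 500 412
10.0.0.9 - - [12/Sep/2009:10:01:17 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 200 9001
"""


def uri_param(request_path):
    """Extract and percent-decode the URI parameter from a request path."""
    vals = parse_qs(urlsplit(request_path).query).get("URI")
    return vals[0] if vals else None


def flag_log_lines(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(client, target_url, reason)] for every logged request whose
    URI parameter fails check_target; these are the requests to alert on."""
    flagged = []
    for line in log_text.splitlines():
        try:
            client = line.split(" ", 1)[0]
            request = line.split('"')[1]      # 'GET /path HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue
        target = uri_param(path)
        if target is None:
            continue
        ok, reason = check_target(target, allowed_hosts)
        if not ok:
            flagged.append((client, target, reason))
    return flagged


def scan_suspects(flagged, threshold=2):
    """Clients whose rejected targets span >= threshold distinct host:port
    pairs; a run of these is the signature of port scanning through a portlet."""
    targets = defaultdict(set)
    for client, target, _ in flagged:
        p = urlsplit(target)
        targets[client].add((p.hostname, p.port))
    return sorted(c for c, t in targets.items() if len(t) >= threshold)


if __name__ == "__main__":
    for entry in flag_log_lines(SAMPLE_LOG):
        print("REJECTED", *entry)
    print("scan suspects:", scan_suspects(flag_log_lines(SAMPLE_LOG)))
```

The allow-list is deliberately a set of hostnames rather than a pattern: the request on the overview slide targets `http://HR/baa`, and a loose pattern such as "anything ending in the intranet suffix" is exactly what lets an attacker walk internal hosts and ports through the portal. The log pass is the detection counterpart: one rejected request is probably a typo, several from the same client against different host:port pairs in quick succession is the port-scan pattern the slide names.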

Page 14: Enterprise Portals - Gateway to the Gold

PortletSuite.tgz

•  PortletScan.py – Scan for open ports by abusing portlets
•  Pikto.py – Scan for common virtual directory names and web server misconfigurations
•  PorProx.py – Provides proxy server functionality tunnelling HTTP requests through remote portlets

Page 15: Enterprise Portals - Gateway to the Gold

PortletSuite.tgz

•  http://www.sensepost.com/blog
•  Demo…
   –  Breaking out
   –  Portlet-scanning
   –  Pikto
   –  Accessing protected resources
   –  PortletProx

Page 16: Enterprise Portals - Gateway to the Gold

Questions ?

[email protected]