Date posted: 01-Nov-2014 | Category: Technology | Uploaded by: ambientia
www.ambientia.net 1
Black-box* Security Testing (*for some definitions of black)
Jari Saukkonen
12.9.2013
Jari Saukkonen
• Software Architect
• Hands-on development and problem solving at Ambientia since 1998
• Involved in Liferay-based projects from Liferay 5.1 onwards
• Hobby pianist, (astro)photographer, rhythm game addict, and a fan of good tea.
Everyone knows this
• All nontrivial software has bugs
• Keeping your software up-to-date is important
Why am I not up-to-date, then?
• You might not have the personnel or contractors to look after your installation
• The fixes might not be available for your (older) product version
• You might be using a Liferay-derivative product, making the version choice out of your control
• "works for me"
Liferay CE vs. EE
• Community Security Team maintains patches for the latest CE version
• Liferay Support provides the latest security fixes for Liferay EE as they are implemented. You can choose individually which patches to apply.
• EE patches are backported to previous Liferay versions as long as they are supported
Patching Tool
• Liferay Enterprise Edition comes with a dedicated patching tool
• Finds out which patches are relevant for your installation and applies them
• Easy to use!
Black-box Testing
• Definition: Determine the functionality of a system without knowledge of its internal structures
• Automated (security scanners) or manual process
• Useful for testing unknown, possibly very customized systems
Automated security scanners
• Pros:
  • Press button, wait, receive results
  • Good for searching generic problems such as XSS exploits or SQL injections
• Cons:
  • Liferay vulnerabilities not widely implemented in third party products
  • Results always need interpretation, false positives are common with certain types of searches
Manual testing
1. Find out your (more or less) exact Liferay version
2. Search http://issues.liferay.com for security issues affecting your version
3. Try to reproduce the issues in your environment
• This is not always easy.
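Steps 1 and 2 above, as an added Python example that is not part of this presentation: it reads the version Liferay reports in its Liferay-Portal response header and checks it against the CE affected/fixed versions quoted later in this deck. The header strings are constructed samples, and mapping "6.1 CE GA3" to version 6.1.2 is an assumption.

```python
import re

# Liferay reports edition and version in the "Liferay-Portal" response header.
# These lines are constructed samples in that format, not captured responses.
SAMPLE_HEADERS = {
    "old": "Liferay-Portal: Liferay Portal Community Edition 6.0.6 CE (Bunyan / Build 6006 / February 15, 2011)",
    "ga2": "Liferay-Portal: Liferay Portal Community Edition 6.1.1 CE (Paton / Build 6101 / July 31, 2012)",
    "ga3": "Liferay-Portal: Liferay Portal Community Edition 6.1.2 CE (Paton / Build 6102 / January 7, 2013)",
    "ee":  "Liferay-Portal: Liferay Portal Enterprise Edition 6.0.12 EE (Bunyan / Build 6012 / June 1, 2011)",
}

# (issue id, description, first affected version, first fixed CE version), from the slides.
# "6.1 CE GA2" is 6.1.1 as the slide states; "6.1 CE GA3" = 6.1.2 is an assumption.
KNOWN_ISSUES = [
    ("LPS-8374",  "access to the default view of all portlets",    (5, 1, 2), (6, 1, 1)),
    ("LPS-28222", "remote DoS that prevents server startup",        (5, 2, 3), (6, 1, 1)),
    ("LPS-29268", "remote DoS that fills PortletPreferences",       (6, 0, 6), (6, 1, 2)),
]

HEADER_RE = re.compile(
    r"Liferay Portal (?P<edition>Community|Enterprise) Edition (?P<ver>\d+\.\d+\.\d+)"
)


def parse_header(line):
    """Return (edition, version tuple) from a Liferay-Portal header line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return m.group("edition"), tuple(int(p) for p in m.group("ver").split("."))


def unpatched_issues(header_line):
    """Issue ids from KNOWN_ISSUES whose affected range covers the CE version.

    For EE the dotted version says nothing about the installed patch level
    (fixes ship as individual patches for the patching tool), so return None
    and check the patch level on the server instead.
    """
    parsed = parse_header(header_line)
    if parsed is None:
        raise ValueError("no Liferay-Portal version header found")
    edition, version = parsed
    if edition != "Community":
        return None
    return [lps for lps, _desc, since, fixed in KNOWN_ISSUES if since <= version < fixed]
```

A hit only means the issue may apply; step 3 (reproducing it in your own environment) still decides, and a missing header may just mean the version banner was disabled.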
Essential tools
• Browser debugger
  • Firebug
  • Chrome Developer Tools
• Request editing tool for custom GET/POST requests
  • curl
  • Fiddler
• Creativity!
Typical security problems I
• LPS-8374, Access to the default view of all portlets
• Including /enterprise_admin/view that can display all user accounts on the server
• Since: 5.1.2, fixed in 5.2 EE SP4, 6.0 EE SP3, 6.1 CE GA2
Typical security problems II
• LPS-28222, Remote Denial of Service that prevents server startup
  • Requires manual database cleanup to recover
  • Since: 5.2.3, fixed in 6.1.1 CE/EE GA2
• LPS-29268, Remote Denial of Service that fills the database with PortletPreferences
  • Requires manual database cleanup to recover
  • Since: 6.0.6 GA, fixed in 6.1 CE/EE GA3
Typical security problems III
• Various XSS issues
  • Portlet-specific problems, you need to use the portlet to be vulnerable
  • Usually not very long-lived, but may be present in older versions
• OS-level problems, e.g. a vulnerable httpd version
How to secure my server?
• EE customers can receive notices when security patches are released; have a process in place to handle them in a timely manner
• https://www.liferay.com/community/security-team/known-vulnerabilities
• Security Advisories forum on liferay.com
Keep your Liferay safe!
Questions?