Black box security testing
Date post: 01-Nov-2014
Liferay Road Show 12.9.2013, Jari Saukkonen, Ambientia
Page 1: Black box security testing

www.ambientia.net 1

Black-box* Security Testing (*for some definitions of black)

Jari Saukkonen

12.9.2013


Jari Saukkonen

• Software Architect
• Hands-on development and problem solving at Ambientia since 1998
• Involved in Liferay-based projects from Liferay 5.1 onwards
• Hobby pianist, (astro)photographer, rhythm game addict, and a fan of good tea.


Everyone knows this

• All nontrivial software has bugs
• Keeping your software up-to-date is important


Why am I not up-to-date, then?

• You might not have the personnel or contractors to look after your installation

• The fixes might not be available for your (older) product version

• You might be using a Liferay-derivative product, making the version choice out of your control

• "works for me"


Liferay CE vs. EE

• Community Security Team maintains patches for the latest CE version

• Liferay Support provides the latest security fixes for Liferay EE as they are implemented. You can choose individually which patches to apply.

• EE patches are backported to previous Liferay versions as long as they are supported


Patching Tool

• Liferay Enterprise Edition comes with a dedicated patching tool

• Finds out which patches are relevant for your installation and applies them

• Easy to use!


Black-box Testing

• Definition: Determine the functionality of a system without knowledge of its internal structures

• Automated (security scanners) or manual process

• Useful for testing unknown, possibly very customized systems


Automated security scanners

• Pros:
  • Press button, wait, receive results
  • Good for searching generic problems such as XSS exploits or SQL injections

• Cons:
  • Liferay-specific vulnerability checks are not widely implemented in third-party products
  • Results always need interpretation; false positives are common with certain types of searches


Manual testing

1. Find out your (more or less) exact Liferay version

2. Search http://issues.liferay.com for security issues affecting your version

3. Try to reproduce the issues in your environment

  • This is not always easy...
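Added example, not part of the talk: steps 1 and 2 above as a script that reads the version of your own installation out of the `Liferay-Portal` response header (as shown by `curl -I`, one of the tools listed later) and checks it against the issues named in this talk. The header wording and the mapping of the talk's GA labels onto point releases (6.1 GA2 = 6.1.1, 6.1 GA3 = 6.1.2) are assumptions, and only the CE line is modelled.

```python
import re

# Constructed sample of a Liferay-Portal response header; the exact wording
# differs between releases, so this format is an assumption.
SAMPLE_HEADER = ("Liferay-Portal: Liferay Portal Community Edition 6.1.0 CE "
                 "(Paton / Build 6100 / January 6, 2012)")

# Issues named in the talk, CE line only. "since" and "fixed" are taken from
# the slides; GA labels are mapped onto point releases (assumption, see above).
# EE service-pack fixes are not modelled here.
KNOWN_ISSUES = {
    "LPS-8374":  {"since": (5, 1, 2), "fixed": (6, 1, 1),
                  "desc": "default view of all portlets reachable"},
    "LPS-28222": {"since": (5, 2, 3), "fixed": (6, 1, 1),
                  "desc": "remote DoS that prevents server startup"},
    "LPS-29268": {"since": (6, 0, 6), "fixed": (6, 1, 2),
                  "desc": "remote DoS that fills the database with PortletPreferences"},
}


def parse_version(header_value):
    """Return (major, minor, patch) from a Liferay-Portal header value, or None.

    A missing patch component (e.g. "6.1 CE") is read as 0."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", header_value)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def unpatched_issues(version):
    """Issue keys whose affected range [since, fixed) contains `version`."""
    return sorted(key for key, issue in KNOWN_ISSUES.items()
                  if issue["since"] <= version < issue["fixed"])


def report(header_value):
    """Human-readable lines for the issues still open at the header's version."""
    version = parse_version(header_value)
    if version is None:
        return ["could not read a version from the header (banner removed?)"]
    tag = ".".join(str(n) for n in version)
    return [f"{key}: {KNOWN_ISSUES[key]['desc']} (fixed in a later release than {tag})"
            for key in unpatched_issues(version)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HEADER)))
```

A banner that is absent or altered proves nothing about the installed build, so treat the result as a starting point for step 3, not as a verdict.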


Essential tools

• Browser debugger
  • Firebug
  • Chrome Developer Tools

• Request editing tool for custom GET/POST requests
  • curl
  • Fiddler

• Creativity!


Typical security problems I

• LPS-8374, Access to the default view of all portlets
  • Including /enterprise_admin/view, which can display all user accounts on the server
  • Since: 5.1.2, fixed in 5.2 EE SP4, 6.0 EE SP3, 6.1 CE GA2


Typical security problems II

• LPS-28222, Remote Denial of Service that prevents server startup
  • Requires manual database cleanup to recover
  • Since: 5.2.3, fixed in 6.1.1 CE/EE GA2

• LPS-29268, Remote Denial of Service that fills the database with PortletPreferences
  • Requires manual database cleanup to recover
  • Since: 6.0.6 GA, fixed in 6.1 CE/EE GA3


Typical security problems III

• Various XSS issues
  • Portlet-specific problems: you need to use the portlet to be vulnerable
  • Usually not very long-lived, but may be present in older versions

• OS-level problems, e.g. a vulnerable httpd version


How to secure my server?

• EE customers can receive notices when security patches are released

• Have a process in place to handle them in a timely manner

• https://www.liferay.com/community/security-team/known-vulnerabilities

• Security Advisories forum on liferay.com

Keep your Liferay safe!


Questions?
