
Malicious content in enterprise portals

OWASP IL mini-conference, Nov 13, 2006

Presented by Shalom Carmel

[email protected]

Why do we care?
• Portals are more than Intranets
• Portals are getting common
• Targeted applications
• Multitude of content sources
  – Many sources
  – Many formats
  – Many technologies
• Expensive to maintain

© Shalom Carmel, 2006

[Diagram: Content Source → Content Delivery → Consumer]


Where does content come from?

[Diagram: content sources feeding the Portal]


Content entry templates
• Just like in all CMS (Joomla, Mambo, PHPNuke, Zope, Plone, Jetspeed, …)


Content entry templates
Protection by web application firewall


Uploaded files
Poisoned at birth


Result of upload


Upload manual metadata
Protection by web application firewall


Uploaded files

[Diagram: document metadata → portal metadata]


Uploaded files
Poisoned at conception - MS Office


Uploaded files
Poisoned at conception - Acrobat


Uploaded files
Poisoned at conception - HTML


Uploaded files
• WebDAV
• Oracle File System
• SharePoint


Uploaded docs properties / Uploaded docs contents

Protection by web application firewall


External web content

Until now we had some control!


External web content
• Meta-data
• Portlets
• iframe? reverse proxy? custom code?


External web content
• Reverse proxy example


External content
Protection by web application firewall


Crawl and index
• Special case of external content
• Web, file systems, email, databases


Crawled content
Protection by web application firewall


Search and retrieve
• Federated search
• More places to look for XSS


Search results
Protection by web application firewall


Protection by web application firewall

Content source              WAF protection
Content entry templates     YES
Upload manual metadata      YES
Uploaded docs properties    Maybe
Uploaded docs contents      Maybe
External content            NO*
Crawled content             NO*
Search results              NO*

* Technically possible but very difficult implementation
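Added example (not from the deck, and not code by the presenter): a small Python model of why the "NO*" rows above are "NO". A WAF inspects the HTTP request to the portal, but the payload in crawled or uploaded document metadata never travels in that request; it arrives through the crawler or the upload parser and is served back from the search index. The only defence that works regardless of the entry path is context-aware output encoding when the portal renders index records. The index records, the field names and the rendering template are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample index records, standing in for what a portal search
# index holds after crawling a file share and an upload area. Record 1
# carries a script tag in its title (document metadata), record 2 carries
# an attribute-breaking author and a javascript: link. None of these values
# ever passed through the portal's HTTP front door, so a request-side WAF
# never had a chance to inspect them.
INDEX = [
    {"title": "Quarterly report", "author": "finance",
     "url": "https://portal.example/docs/q3.pdf", "snippet": "Revenue grew"},
    {"title": "Budget <script>alert(1)</script>", "author": "unknown",
     "url": "https://portal.example/docs/budget.xls", "snippet": "..."},
    {"title": "Intranet link", "author": 'it" onmouseover="alert(2)',
     "url": "javascript:alert(3)", "snippet": "Click here"},
]


def request_contains_script(params):
    """Crude stand-in for a request-side WAF rule: does the HTTP request to
    the search page itself carry a script payload? For a search for
    'budget' it does not, even though the rendered result page would."""
    suspicious = ("<script", "javascript:", "onmouseover")
    return any(s in v.lower() for v in params.values() for s in suspicious)


def search(query):
    """Case-insensitive substring match over title and snippet."""
    q = query.lower()
    return [r for r in INDEX
            if q in r["title"].lower() or q in r["snippet"].lower()]


def safe_url(url):
    """Allow http(s) and site-relative paths; reject javascript:, data:
    and protocol-relative (//host) links, then escape for attribute use."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(url, quote=True)
    if scheme == "" and url.startswith("/") and not url.startswith("//"):
        return html.escape(url, quote=True)
    return "#"


def render_result_unsafe(r):
    """The vulnerable pattern: index fields dropped straight into HTML."""
    return '<li><a href="{url}" title="{author}">{title}</a> - {snippet}</li>'.format(**r)


def render_result(r):
    """Hardened rendering: each field escaped for the context it lands in
    (text node, quoted attribute, URL attribute)."""
    return '<li><a href="{url}" title="{author}">{title}</a> - {snippet}</li>'.format(
        url=safe_url(r["url"]),
        author=html.escape(r["author"], quote=True),
        title=html.escape(r["title"]),
        snippet=html.escape(r["snippet"]),
    )


def render_results(query):
    """Search-results page body for a query, using the hardened renderer."""
    return "<ul>" + "".join(render_result(r) for r in search(query)) + "</ul>"


if __name__ == "__main__":
    print("WAF sees payload in request:", request_contains_script({"q": "budget"}))
    print("Unsafe:", render_result_unsafe(INDEX[1]))
    print("Safe:  ", render_results("budget"))
```

The same renderer applies to the "Maybe" rows: whether or not the WAF happens to catch a script tag inside a document's properties at upload time, encoding at render time means the portal stays safe when the payload arrives through WebDAV, a crawled file share, or a federated search peer instead.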