Security of Web Technologies: WebObjects
Keshava P Subramanya

Introduction to WebObjects
“If You’re Writing Code, You’re Doing Something Wrong”
Makes it easy to develop and deploy enterprise-level web services and Java server applications.
Gives you the agility to respond quickly to change.

What can I do with WebObjects?
Database-backed web applications (plug-in support for images, PDF, SVG, SMIL, Java applets)
Java applications
SOAP and XML-RPC access (to create web services)

WebObjects’ Design
It was the first object-oriented application server.

Technology Overview: WebObjects Frameworks
Java-based
Adheres to the MVC paradigm
Enterprise Objects Framework (EOF)
Development tools: IDE (Xcode or Eclipse), WebObjects Builder, EOModeler
Deployment tools

Technology Overview: WebObjects Architecture
View: web component
  HTML (.html): presentation
  Java class (.java): presentation logic, independent of the HTML
  Bindings (.wod): bindings between the HTML and the logic
Controller: Application, Session, and DirectAction
  Manage the flow between view and model
Model: Enterprise Objects (EO)

Technology Overview: Architecture

Security and WebObjects
A default installation can give away a lot about your setup to a visitor:
The CGI adaptor application listing: set a username and password for the application listing.
The web server resources listing: don't allow directory browsing on your web server.
The wotaskd config page (WO >= 4.5): port 1085 should not be allowed through the firewall.

Security and WebObjects
The Monitor: Monitor should be unavailable, or at least password protected.
The WOStatisticsStore default page: the statistics page should be protected by a password (or turned off).
The WOEventDisplay default page (WO >= 4.5): bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay
  The events page should be protected by a password (or turned off).
Many many more… and some more

Known Vulnerabilities
Xcode 1.5 and distcc 2.x Exploit Mar
The distributed-compiling module of Xcode 1.5 used the Samba distcc module.
Allowed remote users to gain full control of the system.
Fixed in the next release.

Known Vulnerabilities
Apple Xcode OpenBase Multiple Privilege Escalation Vulnerabilities
A local attacker can exploit these issues to gain superuser privileges.

Known Vulnerabilities
PHPX XCode Tag HTML Injection Vulnerability
PHPX version is vulnerable
Fixed in a later version.

Known Vulnerabilities
PHPX Multiple Administrator Command Execution Vulnerability
Versions 3.0 to
Update fixes the bugs
More at

Known Vulnerabilities
WebObjects Remote Overflow Vulnerability
An HTTP request sent with a long header (i.e., over 4.1K) will crash WebObjects.
Only in installations running under a development license.
Shape of the request:
POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
Accept: AAAAAAAAA.... (about 4.1K worth of A's)
Content-Length: 16

uselessdata=dork

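As an added, defender-side example that is not part of the slides, the Python below flags requests for the default WebObjects pages the "Security and WebObjects" slides say to protect (WOEventDisplay, WOStatisticsStore, the CGI adaptor application listing) in constructed Apache-style access-log lines, and checks a raw request for the oversized header described in the overflow slide so a front end can reject it before it reaches the adaptor. The URL shapes, the log format and the 4096-byte limit are assumptions.

```python
import re

# Constructed Apache-style access-log lines (not real traffic) showing
# visits to the default WebObjects pages the slides say to protect.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2005:10:01:02 -0800] "GET /cgi-bin/WebObjects/Store.woa/wa/WOEventDisplay HTTP/1.0" 200 5120',
    '10.0.0.5 - - [12/Mar/2005:10:01:09 -0800] "GET /cgi-bin/WebObjects/Store.woa/wa/default HTTP/1.0" 200 812',
    '10.0.0.9 - - [12/Mar/2005:10:02:31 -0800] "GET /cgi-bin/WebObjects HTTP/1.0" 200 2300',
    '10.0.0.9 - - [12/Mar/2005:10:02:40 -0800] "GET /cgi-bin/WebObjects/Store.woa/wa/WOStatisticsStore HTTP/1.0" 401 0',
]

# URL shapes are assumptions modelled on the slide's ".../$APPNAME.woa/wa/WOEventDisplay" path.
SENSITIVE_PAGES = {
    "WOEventDisplay": re.compile(r"/wa/WOEventDisplay(?:[/?]|$)"),
    "WOStatisticsStore": re.compile(r"/wa/WOStatisticsStore(?:[/?]|$)"),
    # CGI adaptor requested with no application name -> application listing
    "adaptor-app-listing": re.compile(r"/WebObjects(?:\.exe)?/?(?:\?[^/]*)?$"),
}
MAX_HEADER_BYTES = 4096  # assumed cap; the slides say a header over ~4.1K crashes the app

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def flag_sensitive_requests(log_lines):
    """One finding per request for a sensitive default page. A 200 means the
    page answered unauthenticated; a 401 means the recommended password
    protection is in place."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        for page, pattern in SENSITIVE_PAGES.items():
            if pattern.search(m["path"]):
                findings.append({"ip": m["ip"], "page": page, "path": m["path"],
                                 "status": int(m["status"]), "time": m["ts"]})
    return findings

def oversized_headers(raw_request: bytes):
    """Names of header lines longer than MAX_HEADER_BYTES, so a front end can
    reject the request before it reaches the WebObjects adaptor."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # drop the request line
    return [h.split(b":", 1)[0].decode("ascii", "replace")
            for h in header_lines if len(h) > MAX_HEADER_BYTES]

if __name__ == "__main__":
    for f in flag_sensitive_requests(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['page']} {f['path']}")
```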
Unauthorized Remote Access Vulnerability
Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in.
This issue affects only systems with the Xcode Tools WebObjects plug-in installed.
Upgrading fixes the problem.

Demo
How I put the pieces together
OpenBase
Hunt for online help