Security of Web Technologies: WebObjects Keshava P Subramanya

Introduction to WebObjects
“If You’re Writing Code, You’re Doing Something Wrong”
Makes it easy to develop and deploy enterprise-level web services and Java server applications.
Gives you the agility to respond quickly to change.

What can I do with WebObjects?
Database-backed Web Applications (plug-in support for Images, PDF, SVG, SMIL, Java Applets)
Java Applications
SOAP & XML-RPC Access (to create web services)

WebObjects’ Design
It was the first object-oriented application server.

Technology Overview: WebObjects
Frameworks
  Java-based
  Adheres to the MVC paradigm
  Enterprise Objects Framework (EOF)
Development tools
  IDE: Xcode or Eclipse
  WebObjects Builder
  EOModeler
Deployment tools

Technology Overview: WebObjects Architecture
View - Web Component:
  HTML (.html): presentation
  Java class (.java): presentation logic, independent of the HTML
  Bindings (.wod): bindings between HTML and logic
Controller
  Application, Session, and DirectAction
  Manage flow between view and model
Model
  Enterprise Objects (EO)

Technology Overview: Architecture

Security and WebObjects
WebObjects can give away a lot of your setup to the visitor:
The CGI adaptor application listing: set a username and password for the application listing.
The web server resources listing: don't allow directory browsing on your web server.
The wotaskd config page (WO >= 4.5): port 1085 should not be allowed through the firewall.

Security and WebObjects
The Monitor: Monitor should be unavailable, or at least password protected.
The WOStatisticsStore default page: the statistics page should be protected by a password (or turned off).
The WOEventDisplay default page (WO >= 4.5): bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay. The events page should be protected by a password (or turned off).
Many, many more… and some more.
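The two slides above list WebObjects pages that leak deployment details when left reachable without a password: the adaptor application listing, the Monitor, the WOStatisticsStore page and WOEventDisplay. One way to verify the advice from the web server's own access log is to flag requests for those pages that were answered with a success status rather than 401/403. The following audit is an added example, not code from the slides; the log lines are constructed, and the URL patterns (a /cgi-bin/WebObjects adaptor prefix, /wa/WOStats for the statistics page, a JavaMonitor.woa application) are assumptions to adjust for your deployment.

```python
import re

# Constructed Apache "combined" log lines (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /cgi-bin/WebObjects/ HTTP/1.0" 200 5123 "-" "curl/7.19"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /cgi-bin/WebObjects/Shop.woa/wa/WOEventDisplay HTTP/1.0" 200 8801 "-" "curl/7.19"
198.51.100.2 - - [10/Oct/2015:13:56:01 +0000] "GET /cgi-bin/WebObjects/Shop.woa/wa/WOStats HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2015:13:56:10 +0000] "GET /cgi-bin/WebObjects/Shop.woa/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:57:02 +0000] "GET /cgi-bin/WebObjects/JavaMonitor.woa/ HTTP/1.0" 200 9900 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')

# Pages the slides say should be password protected or switched off.
# The paths are assumed; the adaptor prefix and app names vary per install.
SENSITIVE = {
    "adaptor application listing": re.compile(r'^/cgi-bin/WebObjects/?$'),
    "WOEventDisplay page": re.compile(r'/wa/WOEventDisplay'),
    "WOStatisticsStore page": re.compile(r'/wa/WOStats'),
    "JavaMonitor": re.compile(r'/JavaMonitor\.woa'),
}

def classify(path):
    """Name the sensitive page a request path hits, or None for ordinary traffic."""
    for name, pattern in SENSITIVE.items():
        if pattern.search(path):
            return name
    return None

def audit(log_text):
    """Return (ip, page, status, served) for each hit on a sensitive page.
    served is True when the page was actually returned (status below 400),
    i.e. no authentication or block stood in the way."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        page = classify(match["path"])
        if page is None:
            continue
        status = int(match["status"])
        findings.append((match["ip"], page, status, status < 400))
    return findings

def exposed_pages(log_text):
    """Sorted names of sensitive pages that were served without being blocked."""
    return sorted({page for _, page, _, served in audit(log_text) if served})
```

In the constructed sample only the WOStats request was challenged (401); the listing, WOEventDisplay and JavaMonitor were served, which is exactly the configuration the slides warn against.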

Known Vulnerabilities
Xcode 1.5 and distcc 2.x Exploit (Mar)
The distributed compiling module of Xcode 1.5 used the Samba distcc module.
Allowed remote users to gain full control of the system.
Fixed in the next release.

Known Vulnerabilities
Apple Xcode OpenBase Multiple Privilege Escalation Vulnerabilities
A local attacker can exploit these issues to gain superuser privileges.

Known Vulnerabilities
PHPX XCode Tag HTML Injection Vulnerability
PHPX version is vulnerable.
Fixed in a later version.

Known Vulnerabilities
PHPX Multiple Administrator Command Execution Vulnerability
Versions 3.0 to
Update fixes the bugs.
More at

Known Vulnerabilities
WebObjects Remote Overflow Vulnerability
An HTTP request sent with a long header (i.e., over 4.1K) will crash WebObjects.
Only in installations running under a development license.

POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
Accept: AAAAAAAAA.... (about 4.1K worth of A's)
Content-Length: 16

uselessdata=dork
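Because the crash is triggered by header size alone, a front-end that bounds header fields before the request reaches the adaptor stops it regardless of the licence in use. The following check is an added example, not code from the slides: it parses the head of a raw request and rejects any header field over a configurable limit, tested against a request constructed to mirror the slide's description (an Accept header of about 4.1K of A's). The 4096-byte field limit and 16K head limit are assumptions.

```python
# Constructed request modelled on the slide's description; not a real capture.
LONG_REQUEST = (
    b"POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0\r\n"
    b"Accept: " + b"A" * 4200 + b"\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"uselessdata=dork"
)

# The same request with an ordinary Accept header (constructed).
NORMAL_REQUEST = (
    b"POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0\r\n"
    b"Accept: text/html\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"uselessdata=dork"
)

def check_request_head(raw, max_field_bytes=4096, max_head_bytes=16384):
    """Inspect the head of a raw HTTP request before forwarding it to WebObjects.
    Returns (accept, reason). The limits are assumptions chosen below the ~4.1K
    that the slide says crashes a development-licensed server."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return False, "incomplete or unterminated header block"
    head = raw[:end]
    if len(head) > max_head_bytes:
        return False, "header block exceeds %d bytes" % max_head_bytes
    lines = head.split(b"\r\n")
    request_line, fields = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        return False, "malformed request line"
    for field in fields:
        name, sep, _value = field.partition(b":")
        if not sep or not name.strip():
            return False, "malformed header field"
        if len(field) > max_field_bytes:
            return False, "header field %s exceeds %d bytes" % (
                name.decode("ascii", "replace"), max_field_bytes)
    return True, "ok"
```

Apache's LimitRequestFieldSize directive applies the same bound at the web server, which is the simpler deployment choice when the adaptor sits behind Apache.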

Unauthorized Remote Access Vulnerability
Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in.
This issue affects only those systems with the Xcode Tools WebObjects plug-in installed.
Upgrading fixes the problem.

Demo
How I put the pieces together
OpenBase
Hunt for online help