Security of Web Technologies: WebObjects Keshava P Subramanya

Presentation on theme: "Security of Web Technologies: WebObjects Keshava P Subramanya"— Presentation transcript:

1 Security of Web Technologies: WebObjects
Keshava P Subramanya (keshava@cs.ucsb.edu)

2 Introduction to WebObjects
“If You’re Writing Code, You’re Doing Something Wrong”
- Makes it easy to develop and deploy enterprise-level web services and Java server applications
- Gives you the agility to respond quickly to change

3 What can I do with WebObjects?
- Database-backed web applications (plug-in support for images, PDF, SVG, SMIL, Java applets)
- Java applications
- SOAP and XML-RPC access (to create web services)

4 WebObjects’ Design It was the first object-oriented application server

5 Technology Overview: WebObjects
Frameworks
- Java-based
- Adheres to the MVC paradigm
- Enterprise Objects Framework (EOF)
Development tools
- IDE: Xcode or Eclipse
- WebObjects Builder
- EOModeler
Deployment tools

6 Technology Overview: WebObjects Architecture
View - Web Component:
- HTML (.html): presentation
- Java class (.java): presentation logic, independent of the HTML
- Bindings (.wod): bindings between HTML and logic
Controller
- Application, Session, and DirectAction
- Manage flow between view and model
Model
- Enterprise Objects (EO)

7 Technology Overview: Architecture

8 Security and WebObjects
A default installation can give away a lot of your setup to a visitor:
- The CGI adaptor application listing: http://$HOSTNAME/cgi-bin/WebObjects/
  Set a username and password for the application listing.
- The web server resources listing: http://$HOSTNAME/WebObjects/
  Don't allow directory browsing on your web server.
- The wotaskd config page (WO >= 4.5): http://$HOSTNAME:1085/cgi-bin/WebObjects/wotaskd.woa/wa/woconfig
  Port 1085 should not be allowed through the firewall.

9 Security and WebObjects
- The Monitor: http://$HOSTNAME/cgi-bin/WebObjects/Monitor
  Monitor should be unavailable, or at least password protected.
- The WOStatisticsStore default page: http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOStats
  The statistics page should be protected by a password (or turned off).
- The WOEventDisplay default page (WO >= 4.5): http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay
  The events page should be protected by a password (or turned off).
Many, many more… and some more.
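As an added example that is not part of the presentation, the audit below runs over Apache combined-format access-log lines and reports every request that reached one of the default WebObjects pages listed on slides 8 and 9, together with whether the server handed the page out (2xx) or challenged/denied it (401/403). The log lines and the application name "Shop" are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Default WebObjects pages that the slides say must be password-protected,
# disabled or firewalled. Matched against the request path (query stripped);
# "[^/]+\.woa" stands for any $APPNAME.woa bundle.
SENSITIVE_PATHS = {
    "adaptor application listing": re.compile(r"^/cgi-bin/WebObjects/?$"),
    "web server resources listing": re.compile(r"^/WebObjects/?$"),
    "wotaskd config page": re.compile(r"^/cgi-bin/WebObjects/wotaskd\.woa/wa/woconfig$"),
    "Monitor": re.compile(r"^/cgi-bin/WebObjects/Monitor(\.woa)?(/.*)?$"),
    "WOStats page": re.compile(r"^/cgi-bin/WebObjects/[^/]+\.woa/wa/WOStats$"),
    "WOEventDisplay page": re.compile(r"^/cgi-bin/WebObjects/[^/]+\.woa/wa/WOEventDisplay$"),
}
# Apache/NCSA combined format: client ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit_access_log(lines):
    """Return one finding per request that hit a sensitive WebObjects page.
    served=True (2xx) means the page was handed out, i.e. the protection the
    slides call for is missing; 401/403 means it was challenged or denied."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # not an access-log entry; skip it
            continue
        path = urlsplit(m["target"]).path
        for page, pattern in SENSITIVE_PATHS.items():
            if pattern.match(path):
                status = int(m["status"])
                findings.append({"client": m["client"], "page": page, "path": path,
                                 "status": status, "served": 200 <= status < 300})
                break
    return findings

# Constructed sample log lines (not real traffic); the application is "Shop".
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2005:12:00:01 -0800] "GET /cgi-bin/WebObjects/Shop.woa/wa/WOStats HTTP/1.0" 200 5120 "-" "Mozilla"',
    '10.0.0.5 - - [10/Mar/2005:12:00:02 -0800] "GET /cgi-bin/WebObjects/Monitor HTTP/1.0" 401 312 "-" "Mozilla"',
    '10.0.0.9 - - [10/Mar/2005:12:00:03 -0800] "GET /cgi-bin/WebObjects/Shop.woa/wa/Default?x=1 HTTP/1.0" 200 2048 "-" "Mozilla"',
    '10.0.0.9 - - [10/Mar/2005:12:00:04 -0800] "GET /WebObjects/ HTTP/1.0" 403 199 "-" "Mozilla"',
    'not an access-log line',
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        state = "SERVED - unprotected" if f["served"] else "denied"
        print(f'{f["client"]} {f["page"]} ({f["path"]}): {f["status"]} {state}')
```

Any finding with served=True is a page that slides 8 and 9 say should have required a password or been switched off; run it against the web server's real access log to confirm the hardening actually took effect.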

10 Known Vulnerabilities
Xcode 1.5 and distcc 2.x exploit (Mar 10, 2005)
- The distributed compiling module of Xcode 1.5 used the Samba distcc module
- Allowed remote users to gain full control of the system
- Fixed in the next release

11 Known Vulnerabilities
Apple Xcode OpenBase multiple privilege escalation vulnerabilities
- A local attacker can exploit these issues to gain superuser privileges

12 Known Vulnerabilities
PHPX XCode tag HTML injection vulnerability
- PHPX version 3.5.9 is vulnerable
- Fixed in a later version

13 Known Vulnerabilities
PHPX multiple administrator command execution vulnerability
- Versions 3.0 to 3.2.6 are affected
- The update fixes the bugs
- More at http://www.securityfocus.com/archive/1/362230

14 Known Vulnerabilities
WebObjects remote overflow vulnerability
- An HTTP request sent with a long header (i.e., over 4.1K) will crash WebObjects
- Only in installations running under a development license

    POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
    Accept: AAAAAAAAA.... (about 4.1K worth of A's)
    Content-Length: 16

    uselessdata=dork

15 Unauthorized Remote Access Vulnerability
- Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in
- This issue affects only systems with the Xcode Tools WebObjects plug-in installed
- Upgrading fixes the problem

16 Demo
- How I put the pieces together
- OpenBase
- Hunt for online help
