Liferay Road Show 12.9.2013, Jari Saukkonen, Ambientia

1. Black-box* Security Testing
(*for some definitions of black)
Jari Saukkonen
12.9.2013 www.ambientia.net 1

2. Jari Saukkonen
• Software Architect
• Hands-on development and problem solving at
Ambientia since 1998
• Involved in Liferay-based projects from Liferay
5.1 onwards
• Hobby pianist, (astro)photographer, rhythm
game addict, and a fan of good tea.
12.9.2013 www.ambientia.net 2

3. Everyone knows this
• All nontrivial software has bugs
• Keeping your software up-to-date is important
12.9.2013 www.ambientia.net 3

4. Why am I not up-to-date, then?
• You might not have the personnel or contractors
to look after your installation
• The fixes might not be available for your (older)
product version
• You might be using a Liferay-derivative product,
making the version choice out of your control
• ”works for me”
12.9.2013 www.ambientia.net 4

5. Liferay CE vs. EE
• Community Security Team maintains patches for
the latest CE version
• Liferay Support provides the latest security fixes
for Liferay EE as they are implemented. You can
choose individually which patches to apply.
• EE patches are backported to previous Liferay
versions as long as they are supported
12.9.2013 www.ambientia.net 5

6. Patching Tool
• Liferay Enterprise Edition comes with a
dedicated patching tool
• Finds out which patches are relevant for your
installation and applies them
• Easy to use!
12.9.2013 www.ambientia.net 6

7. Black-box Testing
• Definition: Determine the functionality of a
system without knowledge of its internal
structures
• Automated (security scanners) or manual
process
• Useful for testing unknown, possibly very
customized systems
12.9.2013 www.ambientia.net 7

8. Automated security scanners
• Pros:
• Press button, wait, receive results
• Good for searching generic problems such as XSS
exploits or SQL injections
• Cons:
• Liferay vulnerabilities not widely implemented in third
party products
• Results always need interpretation, false positives are
common with certain types of searches
12.9.2013 www.ambientia.net 8

9. Manual testing
1. Find out your (more or less) exact Liferay
version
2. Search http://issues.liferay.com for security
issues affecting your version
3. Try to reproduce the issues in your
environment
• This is not always easy..
12.9.2013 www.ambientia.net 9

10. Essential tools
• Browser debugger
• Firebug
• Chrome Developer Tools
• Request editing tool for custom GET/POST –
requests
• curl
• Fiddler
• Creativity!
12.9.2013 www.ambientia.net 10

11. Typical security problems I
• LPS-8374, Access to the default view of all
portlets
• Including /enterprise_admin/view that can
display all user accounts on the server
• Since: 5.1.2, fixed in 5.2 EE SP4, 6.0 EE SP3,
6.1 CE GA2
12.9.2013 www.ambientia.net 11

12. Typical security problems II
• LPS-28222, Remote Denial of Service that
prevents server startup
• Requires manual database cleanup to recover
• Since: 5.2.3, fixed in 6.1.1 CE/EE GA2
• LPS-29268, Remote Denial of Service that fills
the database with PortletPreferences
• Requires manual database cleanup to recover
• Since: 6.0.6 GA, fixed in 6.1 CE/EE GA 3
12.9.2013 www.ambientia.net 12

13. Typical security problems III
• Various XSS issues
• Portlet-specific problems, you need to use the portlet
to be vulnerable
• Usually not very long-lived, but may be present in
older versions
• OS-level problems, e.g. a vulnerable httpd
version
12.9.2013 www.ambientia.net 13

14. How to secure my server?
• EE customers can receive notices when security
patches are released  have a process in place
to handle them in a timely manner
• https://www.liferay.com/community/security-
team/known-vulnerabilities
• Security Advisories –forum on liferay.com
12.9.2013 www.ambientia.net 14

15. Keep your Liferay safe!
12.9.2013 www.ambientia.net 15

16. Questions?
12.9.2013 www.ambientia.net 16