2. `whoami`
• SensePost
– Specialist Security firm based in Pretoria
– Customers all over the globe
– Talks / Papers / Books
• ian@sensepost.com
– Associate security analyst
– I break stuff and write reports about breaking stuff
• Why this talk?
3. EP Vendors
• IBM WebSphere Portal
• SAP NetWeaver Portal
• Oracle Portal Products (PlumTree, BEA, SUN, ∞)
• OpenText Portal (Formerly Vignette)
• JBoss Portal
• Microsoft SharePoint Server
• Apache Jetspeed, Interwoven TeamPortal, …, ∞
4. EP Overview
• Frequent on intranets.
• Also frequent on the Internet… :)
• Framework for integrating information, people and processes
• Consolidate and summarise diverse sources of information
• Provide customisable home-page for registered users
5. EP Overview
• Popular platform for deployment of applications due to framework and built-in functionality
• Provide SDKs for customisation and deployment of custom applications
• Support pluggable components called portlets
• Generally J2EE-based, but there are some alternate platforms (e.g. .NET, PHP, ∞)
6. Portlet Overview
• Pluggable user interface components which are managed and displayed in a portal
• Fragments of markup code (e.g. HTML / XML) which are aggregated in a portal page
• Adhere to various standards
– WSRP (web services for remote portlets)
– Java Portlet Specification
• JSR168
• JSR268
– Proprietary
[Diagram: a portlet fetching remote content on the user's behalf, request `GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa`, response `HTTP 200 OK`]
7. Functionality++
• User Registration
• Portals are generally designed to share information – provide functionality for searching documents, users, ..., ∞
• Workflow components
• Messaging / Social networking
• Configuration and administrative components
8. Common Shortcomings
• Generally cater for multiple portal applications
– May expose intranet applications to the Internet
• Frequently allow registration for public users – Functionality++
• Due to complex installation of J2EE application servers and lazy sys-admins, frequently run with elevated privileges
9. Common Shortcomings
• Diverse log-in capabilities
– LDAP, XML, Database, ..., ∞, * == SSO
• Developers of custom applications deployed on portal platforms frequently have not considered the underlying functionality of the platform
• Custom error pages defined for platform
• Complexity++
10. Breaking Out
• Custom applications frequently exploit functionality of portal framework but don’t allow users direct access to framework functions…
• … or do they ?
11. Breaking Out
• Direct object access
• Google is your friend… :>
• Forcing errors to display generic portal error messages
• Accessing site-registration
• HTML source comments and JavaScript
• Once we can break out of the custom application, we expose the full functionality of the portal…
12. Finding Portals
• Google Hacks (nods at Johnny Long…)
• site:, insite:, inurl:, …, ∞
• Demo…
– site:za
– inurl:/portal/site
– inurl:/template.REGISTER
13. Abusing Portlets
• Original Advisory pertaining to IBM WebSphere
– WebSphere – 2006/01/24 – EPAM Systems
• Port Scanning
• Accessing protected resources
• Attacks at third parties
• Blended Attack Scenarios
– Denial Of Service
– Brute-Force
– Attacks against other protocols
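The slide above and the earlier portlet overview (a portlet fetching a user-supplied URI such as `http://HR/baa` on the portal's behalf) describe the same weakness from two sides: the portal becomes a relay that can reach hosts and ports the user cannot. The following is an added example, not code from the deck or from the PortletSuite tools it announces. It shows the defender's side: the validation a remote-content portlet should apply to its URI parameter (scheme and host allowlist, no loopback or RFC1918 targets, no non-HTTP ports), and a detection pass over access-log lines that flags requests whose URI parameter fails that validation and groups them per source, which is what the port-scan and protected-resource abuse above looks like in a web server log. The hostnames, the `ALLOWED_HOSTS` set, the `URI` parameter name and the log lines are all constructed for this example.

```python
"""Added example (not from the SensePost deck): defensive handling of a
portlet's remote-URI parameter, as in GET /moo?portlet=id&URI=http://HR/baa.
Hostnames, allowlist entries and log lines below are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumption: the portal only needs to proxy content from these hosts.
ALLOWED_HOSTS = {"www.example.com", "news.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_internal_host(host: str) -> bool:
    """True for loopback, link-local, private (RFC1918) or reserved addresses,
    and for unqualified intranet names such as 'HR' or 'localhost'."""
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved
    except ValueError:
        # Not an IP literal: a bare single-label name only resolves on the intranet.
        return "." not in host or host.endswith(".local")


def check_portlet_uri(raw_uri: str) -> tuple[bool, str]:
    """Validate a user-supplied URI before a remote portlet fetches it.
    Returns (allowed, reason); the reason is suitable for an audit log."""
    parsed = urlparse(raw_uri)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URI"
    if _is_internal_host(host):
        return False, f"internal host {host!r}"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parsed.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


# Constructed access-log lines (combined log format) for the detection pass.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2006:10:01:02 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2Fwww.example.com%2Fnews HTTP/1.1" 200 512
10.0.0.5 - - [24/Jan/2006:10:01:03 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2FHR%2Fbaa HTTP/1.1" 200 98
10.0.0.5 - - [24/Jan/2006:10:01:04 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2F10.1.2.3%3A22%2F HTTP/1.1" 500 0
10.0.0.5 - - [24/Jan/2006:10:01:05 +0200] "GET /moo?portlet=id&URI=http%3A%2F%2F10.1.2.3%3A3306%2F HTTP/1.1" 500 0
10.0.0.9 - - [24/Jan/2006:10:02:00 +0200] "GET /portal/site/home HTTP/1.1" 200 2048
"""

_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_internal_uri_requests(log_text: str, param: str = "URI") -> list[dict]:
    """One finding per request whose `param` query value would be rejected by
    check_portlet_uri(): source IP, decoded target, status and reason."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        src, path, status = m.groups()
        for target in parse_qs(urlparse(path).query).get(param, []):
            allowed, reason = check_portlet_uri(target)
            if not allowed:
                findings.append({"src": src, "target": target,
                                 "status": int(status), "reason": reason})
    return findings


def scan_signature(findings: list[dict], threshold: int = 3) -> dict[str, int]:
    """Count distinct rejected host:port targets per source IP; a source at or
    above `threshold` is probing through the portlet rather than misusing it once."""
    targets: dict[str, set] = defaultdict(set)
    for f in findings:
        p = urlparse(f["target"])
        targets[f["src"]].add((p.hostname, p.port or 80))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for f in flag_internal_uri_requests(SAMPLE_LOG):
        print(f"{f['src']} -> {f['target']} ({f['status']}): {f['reason']}")
    print("probing sources:", scan_signature(flag_internal_uri_requests(SAMPLE_LOG)))
```

The allowlist check runs before the fetch, so a rejected URI never reaches the backend; the log pass is the retrospective version of the same rule and is what you would run over existing portal logs to find out whether the relay has already been used. Status codes are kept in the findings because a run of 500s against one internal host with varying ports is the closed-port pattern the port-scan bullet above refers to.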
14. PortletSuite.tgz
• PortletScan.py
– Scan for open ports by abusing portlets
• Pikto.py
– Scan for common virtual directory names and web server misconfigurations
• PorProx.py
– Provides proxy server functionality tunnelling HTTP requests through remote portlets