Malicious content in enterprise portals
OWASP IL mini-conference, Nov 13, 2006
Presented by Shalom Carmel
Why do we care?
• Portals are more than Intranets
• Portals are getting common
• Targeted applications
• Multitude of content sources
  – Many sources
  – Many formats
  – Many technologies
• Expensive to maintain
© Shalom Carmel, 2006
Content entry templates
• Just like in all CMS (Joomla, Mambo, PHPNuke, Zope, Plone, Jetspeed, …)
Content entry templates
Protection by web application firewall
Upload manual metadata
Protection by web application firewall
Uploaded docs properties
Uploaded docs contents
Protection by web application firewall
External web content
• Meta-data
• Portlets
• iframe? reverse proxy? custom code?
Crawl and index
• Special case of external content
• Web, file systems, email, databases
Search and retrieve
• Federated search
• More places to look for XSS
Protection by web application firewall

Content source              Protected by WAF?
Content entry templates     YES
Upload manual metadata      YES
Uploaded docs properties    Maybe
Uploaded docs contents      Maybe
External content            NO*
Crawled content             NO*
Search results              NO*

* Technically possible but very difficult implementation
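The table above is the whole argument of the talk: a WAF inspects HTTP requests, so content that enters the portal through another channel (a document property inside an uploaded file, a crawled partner page, a federated search hit) is never seen by it and reaches the viewer's browser through the search results page. The following Python simulation is an added example and is not code from the talk or from any portal product; the index entries, the "WAF" signature list and the alert() test strings are all constructed for illustration. It shows the same request being blocked when the payload is in the query and allowed when the payload is in the index, and the output-encoding step that stops it in the second case.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class IndexedDoc:
    """One entry in the portal's search index; `source` is the channel it arrived through."""
    source: str
    title: str
    snippet: str


# Constructed sample index (hypothetical, not from the talk). The second title stands in for
# a document property set inside an uploaded file; the third snippet stands in for crawled
# partner-site HTML. Neither ever passed through an HTTP request parameter that a WAF inspects.
SAMPLE_INDEX = [
    IndexedDoc("upload", "Q3 budget.xls", "Figures for the third quarter"),
    IndexedDoc("upload", '<img src=x onerror="alert(document.cookie)">',
               "Document properties set inside the file"),
    IndexedDoc("crawl", "Partner news",
               'Visit <a href="javascript:alert(1)">our partner</a> for details'),
]

# A toy signature set of the kind a WAF applies to request parameters (constructed).
XSS_SIGNATURES = re.compile(r"<script|onerror=|javascript:", re.IGNORECASE)


def waf_allows(request_params):
    """Simulated WAF: it sees only the HTTP request, never the index behind the portal."""
    return not any(XSS_SIGNATURES.search(v) for v in request_params.values())


def search(index, query):
    """Case-insensitive substring search over title and snippet, like a federated hit list."""
    q = query.lower()
    return [d for d in index if q in d.title.lower() or q in d.snippet.lower()]


def render_unsafe(results):
    """Renders stored fields as-is: stored XSS from any channel fires in the viewer's browser."""
    return "<ul>" + "".join(
        f"<li><b>{d.title}</b> [{d.source}]: {d.snippet}</li>" for d in results
    ) + "</ul>"


def render_safe(results):
    """Output-encodes every stored field at render time, whatever channel it came from."""
    return "<ul>" + "".join(
        f"<li><b>{html.escape(d.title)}</b> [{html.escape(d.source)}]: "
        f"{html.escape(d.snippet)}</li>"
        for d in results
    ) + "</ul>"


def handle_search(request_params, index=SAMPLE_INDEX, safe=True):
    """WAF check, then search, then render. Returns (waf_verdict, html_body)."""
    if not waf_allows(request_params):
        return "blocked", ""
    results = search(index, request_params.get("q", ""))
    return "allowed", (render_safe if safe else render_unsafe)(results)


if __name__ == "__main__":
    # Reflected XSS in the query itself: the WAF sees the parameter and blocks it.
    print(handle_search({"q": "<script>alert(1)</script>"}))
    # Stored XSS in an indexed document property: the WAF allows the request,
    # and only the encoding at render time keeps the payload inert.
    print(handle_search({"q": "document"}, safe=False))
    print(handle_search({"q": "document"}, safe=True))
```

The design point is that encoding happens in the renderer, keyed to the output context (HTML body here), not in a filter on the way in: the crawler and upload pipelines are exactly the paths the WAF column marks NO or Maybe, so the search results page has to treat every indexed field as untrusted no matter where it was indexed from.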