
Security of Web Technologies: WebObjects

Learn about the security of WebObjects, an enterprise-level web services and Java server application development tool. Discover known vulnerabilities and best practices to protect your web applications.


Presentation Transcript


  1. Security of Web Technologies: WebObjects Keshava P Subramanya (keshava@cs.ucsb.edu)

  2. Introduction to WebObjects
     - "If You're Writing Code, You're Doing Something Wrong"
     - Makes it easy to develop and deploy enterprise-level web services and Java server applications
     - Gives you the agility to respond quickly to change.

  3. What can I do with WebObjects?
     - Database-backed web applications (plug-in support for images, PDF, SVG, SMIL, Java applets)
     - Java applications
     - SOAP and XML-RPC access (to create web services)

  4. WebObjects’ Design It was the first object-oriented application server

  5. Technology Overview: WebObjects
     - Frameworks
       - Java-based
       - Adheres to the MVC paradigm
       - Enterprise Objects Framework (EOF)
     - Development tools
       - IDE: Xcode or Eclipse
       - WebObjects Builder
       - EOModeler
     - Deployment tools

  6. Technology Overview: WebObjects Architecture
     - View - Web Component
       - HTML (.html): presentation
       - Java class (.java): presentation logic, independent of the HTML
       - Bindings (.wod): bindings between the HTML and the logic
     - Controller
       - Application, Session, and DirectAction
       - Manage flow between view and model
     - Model
       - Enterprise Objects (EO)

  7. Technology Overview: Architecture

  8. Security and WebObjects
     - A default setup can give away a lot about your deployment to any visitor:
     - The CGI adaptor application listing: http://$HOSTNAME/cgi-bin/WebObjects/
       Set a username and password for the application listing.
     - The web server resources listing: http://$HOSTNAME/WebObjects/
       Don't allow directory browsing on your web server.
     - The wotaskd config page (WO >= 4.5): http://$HOSTNAME:1085/cgi-bin/WebObjects/wotaskd.woa/wa/woconfig
       Port 1085 should not be allowed through the firewall.

  9. Security and WebObjects
     - The Monitor: http://$HOSTNAME/cgi-bin/WebObjects/Monitor
       Monitor should be unavailable, or at least password protected.
     - The WOStatisticsStore default page: http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOStats
       The statistics page should be protected by a password (or turned off).
     - The WOEventDisplay default page (WO >= 4.5): http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay
       The events page should be protected by a password (or turned off).
     - And many, many more...

  10. Known Vulnerabilities
     - Xcode 1.5 and distcc 2.x exploit, Mar 10 2005
     - The distributed compiling module of Xcode 1.5 used the Samba distcc module
     - Allowed remote users to gain full control of the system
     - Fixed in the next release

  11. Known Vulnerabilities
     - Apple Xcode OpenBase multiple privilege escalation vulnerabilities
     - A local attacker can exploit these issues to gain superuser privileges

  12. Known Vulnerabilities
     - PHPX XCode tag HTML injection vulnerability
     - PHPX version 3.5.9 is vulnerable
     - Fixed in a later version

  13. Known Vulnerabilities
     - PHPX multiple administrator command execution vulnerability
     - Versions 3.0 to 3.2.6
     - The update fixes the bugs
     - More at http://www.securityfocus.com/archive/1/362230

  14. Known Vulnerabilities
     - WebObjects remote overflow vulnerability
     - An HTTP request sent with a long header (i.e., over 4.1K) will crash WebObjects:

         POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
         Accept: AAAAAAAAA.... (about 4.1K worth of A's)
         Content-Length: 16

         uselessdata=dork

     - Only in installations running under a development license
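The hardening advice on slides 8, 9 and 14 (password on the application listing, no directory browsing, Monitor/WOStats/WOEventDisplay protected or off, oversized request headers never reaching the application) can be expressed as front-end web server configuration. The fragment below is an added example, not configuration from the presentation or from Apple's WebObjects distribution. It assumes Apache httpd 2.4 syntax, that httpd sits in front of the WebObjects adaptor, a document root of /var/www/html and a password file at /etc/httpd/wo.htpasswd (both paths are assumptions). The weak, default-style settings the slides warn about are shown commented out beside the hardened form.

```apache
# Added example: Apache httpd 2.4 hardening for a WebObjects front end.
# Assumed paths: document root /var/www/html, password file /etc/httpd/wo.htpasswd.

# --- Weak configuration the slides warn about (kept for comparison, disabled) ---
# <Directory "/var/www/html/WebObjects">
#     Options Indexes FollowSymLinks     # directory listing of web server resources
# </Directory>
# (no authentication on /cgi-bin/WebObjects/, Monitor, WOStats or WOEventDisplay,
#  and the default LimitRequestFieldSize of 8190 bytes lets a ~4.1K header through)

# --- Slide 8: no directory browsing of the web server resources tree ---
<Directory "/var/www/html/WebObjects">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Slide 8: username and password on the CGI adaptor application listing ---
# LocationMatch with anchors so only the listing itself is protected,
# not every application deployed beneath /cgi-bin/WebObjects/.
<LocationMatch "^/cgi-bin/WebObjects/?$">
    AuthType Basic
    AuthName "WebObjects application listing"
    AuthUserFile "/etc/httpd/wo.htpasswd"
    Require valid-user
</LocationMatch>

# --- Slide 9: Monitor only reachable with a password ---
<Location "/cgi-bin/WebObjects/Monitor">
    AuthType Basic
    AuthName "WebObjects Monitor"
    AuthUserFile "/etc/httpd/wo.htpasswd"
    Require valid-user
</Location>

# --- Slide 9: per-application WOStats and WOEventDisplay direct actions turned off ---
# The "or off" option from the slide: deny outright. Replace "Require all denied"
# with the AuthType/AuthUserFile/Require valid-user lines above to password-protect instead.
<LocationMatch "^/cgi-bin/WebObjects/[^/]+\.woa/wa/(WOStats|WOEventDisplay)">
    Require all denied
</LocationMatch>

# --- Slide 14: cap individual request header size at the front end ---
# Chosen below the ~4.1K figure on slide 14 so an oversized header is rejected
# by httpd (HTTP 400) before it is handed to the WebObjects adaptor. Raise it if
# legitimate clients send larger cookies or headers.
LimitRequestFieldSize 4000
```

The password file is created with `htpasswd -c /etc/httpd/wo.htpasswd <user>`. The wotaskd configuration page from slide 8 is not covered here because it is served on port 1085 by wotaskd itself, not through httpd; as the slide says, that port belongs behind the firewall (for example an iptables rule dropping inbound TCP to port 1085 from anything other than the deployment hosts that need it). Note that LimitRequestFieldSize only helps when every path to the application passes through httpd; a WebObjects instance listening directly on its own port is not protected by it.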

  15. Unauthorized Remote Access Vulnerability
     - Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in
     - This issue affects only those systems with the Xcode Tools WebObjects plug-in installed
     - Upgrading fixes the problem

  16. Demo
     - How I put the pieces together
     - OpenBase
     - Hunt for online help
