SlideShare ist ein Scribd-Unternehmen logo

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

Als PPTX, PDF herunterladen
Darren Duke
Darren Duke

Collabsphere 2018 (formally MWLUG) presentation where Darren Duke outlines how to protect, test and enhance your Domino web security.

Technologie
1 von 41
SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This maybe the best slide in the deck. Feel free to leave right now…
Agenda • What we will cover – Then eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for an remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
• The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
• So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
The Simple Things…..
The Simple Things • More Secure Internet Passwords
The Simple Things • More Secure EXISTING Internet Passwords
The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino- adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www- 01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- 10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames etSRC
The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
The Less Simple Things
I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache 1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" 3. Header always append X-Frame-Options SAMEORIGIN 4. Header always set X-XSS-Protection "1; mode=block" 5. Header always set X-Content-Type-Options: nosniff 6. Header always set Server NotTelling 7. Header always set Referrer-Policy strict-origin-when-cross-origin
The Less Simple Things • NginX Version 1. set_cookie_flag HttpOnly secure; 2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'; 3. add_header X-Frame-Options "SAMEORIGIN"; 4. add_header X-XSS-Protection "1; mode=block"; 5. add_header X-Content-Type-Options "nosniff"; 6. server_tokens off; 7. add_header Referrer-Policy "strict-origin-when-cross-origin"; • Note 1, line 1 requires module support in NginX. • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem it and miss as you may have to compile module support into NginX. more_clear_headers Server; more_clear_headers Server;
The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
The Harder Things
The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
The Harder Things • The blog NginX headers add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD'; add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache- Control,Content-Type'; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net"; add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
The Harder Things • Content-Security-Policy –default-src –script-src –font-src –img-src –frame-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
The Much Harder Things
The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
ModSecurity --d5cdc63e-H-- Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"] Stopwatch: 1532256930612640 6576 (- - -) Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache/2.4.29 (Ubuntu) Engine-Mode: "DETECTION_ONLY" --d5cdc63e-Z--
ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
ModSecurity • Most often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule[id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
Tools
Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be crime in your (or the servers) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
Qualys
Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
SecurityHeaders.com
Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
ZAP
Pentest-tools.com
Takeways • Know what the access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
Q&A • That was a lot • Question Time!

Empfohlen

April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesHoward Greenberg
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsGabriella Davis
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin TipsGabriella Davis
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning Vladislav Tatarincev
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Serverpanagenda
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingjayeshpar2006
 
Spnego configuration
Spnego configurationSpnego configuration
Spnego configurationGabriella Davis
 

Empfohlen

April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesHoward Greenberg
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsGabriella Davis
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin TipsGabriella Davis
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning Vladislav Tatarincev
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Serverpanagenda
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingjayeshpar2006
 
Spnego configuration
Spnego configurationSpnego configuration
Spnego configurationGabriella Davis
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
How to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinxHow to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinxpanagenda
 
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesDomino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesChristoph Adler
 
Integrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in AmsterdamIntegrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in AmsterdamRoland Driesen
 
Daos
DaosDaos
DaosUlrich Krause
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365Dylan Redfield
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview hemantnaik
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostChristoph Adler
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino AdminblastGabriella Davis
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationIBM Connections Developers
 
Alles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenAlles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenpanagenda
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and ManagingGabriella Davis
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTPAles Lichtenberg
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Webpanagenda
 
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenAlles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenpanagenda
 
RNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientRNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientChristoph Adler
 
Understanding domino memory 2017
Understanding domino memory 2017Understanding domino memory 2017
Understanding domino memory 2017mJOBrr
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxDarren Duke
 
How to use the new Domino Query Language
How to use the new Domino Query LanguageHow to use the new Domino Query Language
How to use the new Domino Query LanguageTim Davis
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersColdFusionConference
 

Weitere ähnliche Inhalte

Was ist angesagt?

HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
How to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinxHow to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinxpanagenda
 
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesDomino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesChristoph Adler
 
Integrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in AmsterdamIntegrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in AmsterdamRoland Driesen
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365Dylan Redfield
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview hemantnaik
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostChristoph Adler
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationIBM Connections Developers
 
Alles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenAlles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenpanagenda
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and ManagingGabriella Davis
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Webpanagenda
 
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenAlles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenpanagenda
 
RNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientRNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientChristoph Adler
 
Understanding domino memory 2017
Understanding domino memory 2017Understanding domino memory 2017
Understanding domino memory 2017mJOBrr
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxDarren Duke
 
How to use the new Domino Query Language
How to use the new Domino Query LanguageHow to use the new Domino Query Language
How to use the new Domino Query LanguageTim Davis
 

Was ist angesagt? (20)

HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 
How to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinxHow to Bring HCL Nomad Web and Domino Together Without SafeLinx
How to Bring HCL Nomad Web and Domino Together Without SafeLinx
 
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesDomino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
 
Integrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in AmsterdamIntegrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
Integrations - Thinking outside the box - Presentation Engage 2023 in Amsterdam
 
Daos
DaosDaos
Daos
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance Boost
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes Customization
 
Alles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssenAlles was Sie über HCL Notes 14 wissen müssen
Alles was Sie über HCL Notes 14 wissen müssen
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTP
 
The Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad WebThe Ultimate Administrator’s Guide to HCL Nomad Web
The Ultimate Administrator’s Guide to HCL Nomad Web
 
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessenAlles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
Alles, was Sie ueber HCL Notes 64-Bit Clients wissen muessen
 
RNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes ClientRNUG - Dirty Secrets of the Notes Client
RNUG - Dirty Secrets of the Notes Client
 
Understanding domino memory 2017
Understanding domino memory 2017Understanding domino memory 2017
Understanding domino memory 2017
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
 
How to use the new Domino Query Language
How to use the new Domino Query LanguageHow to use the new Domino Query Language
How to use the new Domino Query Language
 

Ähnlich wie CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server SecurityPeter Baylies
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hostingshendison
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QACodeFest
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Stoyan Stefanov
 
10 tips to improve your website security
10 tips to improve your website security10 tips to improve your website security
10 tips to improve your website securitySucuri
 

Ähnlich wie CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable (20)

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2
 
10 tips to improve your website security
10 tips to improve your website security10 tips to improve your website security
10 tips to improve your website security
 

Mehr von Darren Duke

Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxDarren Duke
 
Notes, domino and the single sign on soup
Notes, domino and the single sign on soupNotes, domino and the single sign on soup
Notes, domino and the single sign on soupDarren Duke
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Darren Duke
 
BES 4.1.x on Domino
BES 4.1.x on DominoBES 4.1.x on Domino
BES 4.1.x on DominoDarren Duke
 
Domino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDomino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDarren Duke
 

Mehr von Darren Duke (8)

Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
 
Notes, domino and the single sign on soup
Notes, domino and the single sign on soupNotes, domino and the single sign on soup
Notes, domino and the single sign on soup
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
 
LS11 Show101
LS11 Show101LS11 Show101
LS11 Show101
 
LS10 Show102
LS10 Show102LS10 Show102
LS10 Show102
 
BES 4.1.x on Domino
BES 4.1.x on DominoBES 4.1.x on Domino
BES 4.1.x on Domino
 
Domino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDomino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUG
 

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

  • 1. SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
  • 2. About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This maybe the best slide in the deck. Feel free to leave right now…
  • 3. Agenda • What we will cover – Then eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
  • 4. Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
  • 5. The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
  • 6. Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for an remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
  • 7. • The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
  • 8. • So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
  • 10. The Simple Things • More Secure Internet Passwords
  • 11. The Simple Things • More Secure EXISTING Internet Passwords
  • 12. The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
  • 13. The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino- adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www- 01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- 10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames etSRC
  • 14. The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
  • 15. The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
  • 16. The Less Simple Things
  • 17. I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache 1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" 3. Header always append X-Frame-Options SAMEORIGIN 4. Header always set X-XSS-Protection "1; mode=block" 5. Header always set X-Content-Type-Options: nosniff 6. Header always set Server NotTelling 7. Header always set Referrer-Policy strict-origin-when-cross-origin
  • 18. The Less Simple Things • NginX Version 1. set_cookie_flag HttpOnly secure; 2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'; 3. add_header X-Frame-Options "SAMEORIGIN"; 4. add_header X-XSS-Protection "1; mode=block"; 5. add_header X-Content-Type-Options "nosniff"; 6. server_tokens off; 7. add_header Referrer-Policy "strict-origin-when-cross-origin"; • Note 1, line 1 requires module support in NginX. • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem it and miss as you may have to compile module support into NginX. more_clear_headers Server; more_clear_headers Server;
  • 19. The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
  • 21. The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
  • 22. The Harder Things • The blog NginX headers add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD'; add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache- Control,Content-Type'; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net"; add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
  • 23. The Harder Things • Content-Security-Policy –default-src –script-src –font-src –img-src –frame-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
  • 24. The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
  • 25. The Much Harder Things
  • 26. The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
  • 27. ModSecurity --d5cdc63e-H-- Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"] Stopwatch: 1532256930612640 6576 (- - -) Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache/2.4.29 (Ubuntu) Engine-Mode: "DETECTION_ONLY" --d5cdc63e-Z--
  • 28. ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
  • 29. ModSecurity • Most often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule[id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
  • 30. Tools
  • 31. Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be crime in your (or the servers) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
  • 32. Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
  • 34. Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
  • 36. Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
  • 37. Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
  • 38. ZAP
  • 40. Takeways • Know what the access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
  • 41. Q&A • That was a lot • Question Time!