    • Dragon Cotterill
    • Posted on Thu 4 Nov 2010 03:32 PM

    Woah, did I just open a can of worms here? I put a quick little comment on here during a coffee break and then get accused of running away whilst I do some work.

    Nathan, I have every respect for you as one of the leading Domino developers, but don't go saying it is FUD. I'm not going to justify myself by saying I know this stuff and you don't. You do know it. But like most developers it is easily overlooked and often forgotten.

    As to telling people about the attacks, unfortunately I live and work in the UK. Now before you go saying "so what?", there is a distinct stupidity we have here in the UK called the Police and Justice Act 2006. More specifically there is a section in there which states something along the lines of (paraphrasing, as I don't have a link handy) "It is an offence to distribute programs or data that detail how to compromise security".

    So I can tell people how to defend against attacks, but not how to actually do the attacks themselves. It's a fine line, but one which is damned difficult to deal with.

    It's a big headache which most people ignore. Even more people don't even know it exists. However in my job it's something I have to worry about as Security plays a HUGE part. (I work for a certain mobile phone company that is so secure that some countries have decided to issue bans against using the devices because they cannot crack or intercept the messages... go figure).

    Ben said it best a little further down... "As a Domino developer, if you don't know your job, you will produce insecure applications, end of story." This is the major point here. Normal Domino development has been around since the year dot. Most developers know how to solve issues on this platform.

    Developing under XPages is just the same, except now if you screw up you have a really powerful platform for the black hat brigade to utilise. A perfect platform for initiating all sorts of attacks, both inwards and outwards. And don't forget that underneath the gloss of XPages, you still have all the basic Domino structure. So now you have to do twice as much work to make sure your assets are covered.

    XPages (and normal Domino applications) are secure, mostly because of the ID signing, ACL and ECL, and by the fact that most hackers tend to ignore them as they are not often major targets. But security by obscurity is no security at all.

    "Cyber crooks are increasingly operating like successful businesses, deploying the same tools legitimate companies use to boost their profits."

    http://news.bbc.co.uk/1/hi/technology/8149034.stm

    Computer based fraud is a £4bn/year Industry...

    ... in the UK alone.

    Want a quick round up of basic tricks?

    1) Always validate user submitted data. Never display it directly in the form that it was submitted.

    2) Never allow a Domino error message to be displayed directly without catching it via an error form.

    3) Always use Form Formulae on web views.

    4) $$ViewTemplateDefault should never display a view. Nor should $$SearchTemplateDefault.

    5) Don't use website redirection documents to protect against $$defaultview/form, $first, $last, Navigateto etc.

    6) There is no protection against ?ReadViewEntries - so don't do lookups into views.

    7) Never store important customer/client data on the database to which it was submitted.

    8) Reader fields are your friends.

    I'm not saying the exact attacks which you can use to get at the various bits of data (see above), but I can pretty much guarantee that most developers completely miss a lot of the above. And that's just basic stuff before we get to the XPages fun and games.

    XPages:

    9) Protect against JavaScript injection to the page via browsers, i.e. Dragonfly, Firebug, etc.

    10) Sandbox your XPages app by specifically denying it access to important databases.

    11) Just because you have a .xsp at the end of the URL, don't ignore the basic Domino requests.

    12) The person who signed the XPages app should not have Admin privileges on the server.

    13) The encoding of an XPage does not hide the variable names used in your data structures.

    And as two overall guiding principles:

    Don't be complacent.

    Never trust user submitted data.

    As always, feel free to drop me a line at any of my email addresses. It's very easy to figure out what my address is with just 2 seconds of thought or a google.
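
An added example, mine and not part of Dragon Cotterill's comment or the original thread, showing two of the list items above in plain JavaScript: item 1 (validate user-submitted data and never display it in the form it was submitted) and item 11 (a URL ending in .xsp does not mean the request is free of the basic Domino URL commands). The display-name rule, the helper names, the sample URLs and the extra command names OpenView/OpenDocument/EditDocument (standard Domino URL commands not named in the comment) are my assumptions for this example.

```javascript
// Added example (not from the original comment). Items 1 and 11 of the list
// above in plain JavaScript. All sample inputs are constructed for this example.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that matter inside an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Item 1. Validate the shape first (allow-list, not deny-list), then escape on
// output anyway: a value that passed validation may later be shown in a
// context where an apostrophe or ampersand matters.
// The "display name" rule (1-40 chars of letters, digits, space . ' -) is an
// assumed business rule for this example.
function renderGreeting(submittedName) {
  const name = String(submittedName).trim();
  if (!/^[A-Za-z0-9 .'-]{1,40}$/.test(name)) {
    // Reject; never echo the bad value back, not even "for the user's benefit".
    return { ok: false, html: '<p>Invalid name.</p>' };
  }
  return { ok: true, html: `<p>Hello, ${escapeHtml(name)}</p>` };
}

// Item 11. Domino URL commands and special names to notice in any request to an
// .nsf, whether or not the path ends in .xsp. The names listed in the comment
// above are included; OpenView/OpenDocument/EditDocument are standard Domino
// URL commands added here as an assumption for completeness.
const DOMINO_URL_TOKENS = [
  'ReadViewEntries', 'OpenView', 'OpenDocument', 'EditDocument',
  '$defaultview', '$defaultform', '$first', '$last', 'NavigateTo',
  '$$ViewTemplateDefault', '$$SearchTemplateDefault',
];

// Return the tokens present in a request URL (path and query), case-insensitively,
// after percent-decoding so that %24first is seen as $first.
function dominoTokensIn(rawUrl) {
  let url = String(rawUrl);
  try { url = decodeURIComponent(url); } catch (e) { /* keep the raw form */ }
  const lower = url.toLowerCase();
  return DOMINO_URL_TOKENS.filter((t) => lower.includes(t.toLowerCase()));
}

// Something a request filter or reverse proxy could log or block: any Domino
// token on a URL the application never intended to serve that way.
function isSuspiciousRequest(rawUrl) {
  return dominoTokensIn(rawUrl).length > 0;
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  '/apps/site.nsf/main.xsp',
  '/apps/site.nsf/main.xsp?ReadViewEntries',
  '/apps/site.nsf/%24defaultview/%24first?OpenDocument',
];

for (const u of SAMPLE_REQUESTS) {
  console.log(u, '->', dominoTokensIn(u), isSuspiciousRequest(u) ? 'SUSPICIOUS' : 'ok');
}
console.log(renderGreeting('<script>alert(1)</script>'));
console.log(renderGreeting("O'Brien").html);
```

The token list is deliberately a substring match on the decoded URL rather than a query-string parse, because the special names ($defaultview, $first, $last) live in the path, not the query, and an attacker will happily percent-encode the dollar sign.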
