{"id":120,"date":"2008-09-25T12:34:24","date_gmt":"2008-09-25T17:34:24","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=120"},"modified":"2008-09-25T12:34:24","modified_gmt":"2008-09-25T17:34:24","slug":"lotus-notesdomino-web-application-security-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/25\/lotus-notesdomino-web-application-security-owasp-appsec-nyc-2008\/","title":{"rendered":"Lotus Notes\/Domino Web Application Security &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation was by Jian Hui Wang (girl) who is a security professional, but &#8220;a nobody in NYC&#8221;.\u00a0 Talking about Lotus Notes\/Domino web application architecture and security features, common web application development mistakes and fixes, and test methodology.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Lotus Notes\/Domino History<\/strong><\/span><\/p>\n<p>Lotus Notes is the client and Domino is the server.\u00a0 Supports multiple protocols with one interface (HTTP, LDAP, SMTP\/POP\/IMAP, file sharing).\u00a0 Strong for workflow and collaborative applications.\u00a0 Used by .gov, .edu, .com.\u00a0 A Google search shows 66 million Notes databases facing the internet.\u00a0 People use it because it&#8217;s easy to develop and deploy a simple application, it has granular access control and a good logging method, and it integrates well with e-mail.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Notes Databases<\/strong><\/span><\/p>\n<p>A Notes database is the building block of a Domino application (.nsf or .ntf).\u00a0 A Notes database is a container for data (document, message, web page) and design elements (form, page, view, folder, navigator, agent, frameset, outline).<\/p>\n<p>The Domino server architecture has two components: an HTTP Server and a Domino Engine (URL Parser, Command Handler, and Database).<\/p>\n
<p><span style=\"text-decoration: underline;\"><strong>Web Access Syntax<\/strong><\/span><\/p>\n<ul>\n<li>http:\/\/host\/data\/base\/NotesObject?Action&amp;Arguments<\/li>\n<li>Database = Notes Database<\/li>\n<li>NotesObject\u00a0 = the web accessible design element<\/li>\n<li>Action = the action on NotesObject<\/li>\n<li>Arguments = the qualifiers for the action (optional)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Notes Database Access Control List (ACL)<\/strong><\/span><\/p>\n<ul>\n<li>Defines users&#8217; and groups&#8217; access privileges on the database<\/li>\n<li>Seven access levels (manager, designer, editor, author, reader, depositor, and no access)<\/li>\n<li>Eight access options for each level (create\/delete documents, create\/delete folders\/views, create\/delete agents, create\/delete public documents)<\/li>\n<li>Anonymous and -Default-<\/li>\n<li>Maximum internet and password access: only works for name-password authentication but not for certificate authentication.\u00a0 A web user cannot get access greater than the &#8220;Maximum&#8221; access even if the access explicitly given is higher<\/li>\n<li>Further restriction can be done in conjunction with reader fields, author fields, and document access lists for granular read and write access control<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Notes Web Authentication<\/strong><\/span><\/p>\n<ul>\n<li>Anonymous user &#8211; one who does not have a Person document in the Domino Directory (names.nsf)<\/li>\n<li>Authentication occurs if anonymous access is disabled on the server configuration document and Notes objects<\/li>\n<li>Name-password authentication: user\/pass are authenticated against the Person document and internet password in the Domino directory (names.nsf).\u00a0 Basic authentication and session-based authentication.\u00a0 Internet password lockout function (Notes 8 only)<\/li>\n<li>SSL client certificate authentication<\/li>\n<\/ul>\n
<p><span style=\"text-decoration: underline;\"><strong>Common Security Mistakes in Development<\/strong><\/span><\/p>\n<ol>\n<li>Unauthorized Access: Anonymous access.\u00a0 Anonymous privilege is assigned the Default access level if there is no Anonymous group explicitly set.\u00a0 In most built-in templates the Default access level is Designer and the Maximum Internet and Password Access is Editor.\u00a0 Forceful browsing.\u00a0 Solutions are to set up an Anonymous group and assign it &#8220;no access&#8221;, and to review the ACLs of all databases and confidential documents.<\/li>\n<li>Using Default Objects (Databases):\u00a0 Default databases are statrep.nsf, schema.nsf, reports.nsf, names.nsf, log.nsf, events.nsf, doladmin.nsf, dbdirman.nsf, certsrv.nsf, certlog.nsf, admin4.nsf, &#8230;\u00a0 Anonymous users should not be allowed to access these databases.<\/li>\n<li>Default Objects (view): $DefaultView?OpenView, $DefaultNav?OpenNav, $DefaultForm?OpenForm, help?OpenHelp, $about?OpenAbout, $searchform?searchdomain, $searchform?searchsite, $searchform?searchview, $Icon?OpenIcon, $first, $file.\u00a0 Solutions are to use the URL redirection and mapping on the server document, customize the default pages, and apply the appropriate access control.<\/li>\n<li>SQL Injection: Places that process user input (@Commands, WebQueryOpen, WebQuerySave, WebQueryClose, @URLQueryString, OpenAgent, RunAgent).\u00a0 Solution is input validation in fields by formula or LotusScript.<\/li>\n<li>Cross Site Scripting: Most cross site scripting vulnerabilities are persistent.\u00a0 Solutions are to use input validation or to HTML-encode output.<\/li>\n<li>Session Management: By default uses basic authentication.\u00a0 Username and password are sent in clear text in the packet of every request.\u00a0 Solution is to configure the server document to use session-based authentication.\u00a0 Do not append sensitive data to the query string.<\/li>\n<li>Information Leakage: Hard-coded usernames and passwords.\u00a0 Solutions are to remove the sensitive information from the source code and logs, and to customize the error message.<\/li>\n
<li>Operating System Interaction: LotusScript has system commands such as Shell, OSLoadProgram, OSLoadLibrary, FileCopy, Open, Kill, Get, Input, Close.\u00a0 Solution is to hardcode the path and validate the filename input.<\/li>\n<\/ol>\n<p>Testing security is challenging, but it can be done with these tools:<\/p>\n<ul>\n<li>Lotus Notes Designer (Design Synopsis)<\/li>\n<li>Grep<\/li>\n<li>A good text editor<\/li>\n<li>Paros<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>References<\/strong><\/span><\/p>\n<ul>\n<li>Secure Domino Application<\/li>\n<li>Lotus Security Handbook<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Jian Hui Wang (girl) who is a security professional, but &#8220;a nobody in NYC&#8221;.\u00a0 Talking about Lotus Notes\/Domino web application architecture and security features, web application common development mistakes and fixes, and test methodology. Lotus Notes\/Domino History Lotus Notes is client and Domino is the server.\u00a0 Supports multiple protocols with one [&hellip;]<\/p>\n","protected":false},
"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[76,128,182,179,180,181,12,622],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-application","tag-appsec","tag-domino","tag-ibm","tag-lotus","tag-notes","tag-owasp","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1W","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":121,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions\/121"}],"wp:attachment":[{"href":"https:\/\
/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}