White Paper
Abstract
This white paper explains the security configurations that restrict upload of potentially malicious files into the repository, avoid frame hijacking, and deliver cookies securely over HTTPS (SSL) in Documentum Web Development Kit-based applications.
September 2012
CONFIGURING SECURITY FEATURES IN AN EMC® DOCUMENTUM® WEB DEVELOPMENT KIT-BASED WEB APPLICATION
Security Configurations to Avoid Vulnerabilities in Documentum Web Development Kit-based Web Applications
Copyright © 2012 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
The information in this publication is provided "as is." EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. Part Number H11049
Table of Contents
Executive Summary
Purpose
Audience
Introduction
Restricting upload of potentially malicious files into the repository
  Use case 1: Restricting the file uploads through import
  Use case 2: Multiple File Import containing Malicious and Non-malicious files
  Use case 3: Restricting Import of a malicious rendition file
  Use case 4: Restricting import of an email message that has malicious file as an attachment
Frame Bursting
  Problem of frame hijacking or click jacking
  Solution to frame hijacking or click hijacking
  Configuration to avoid frame hijacking or click hijacking
Configuring Secured Cookies over HTTPS (SSL)
  Problem - Insecure cookies
  Solution – make cookies secured
  HttpOnly
  Problem
Conclusion
Executive Summary
This white paper explains the various security configurations to avoid security vulnerabilities for the Documentum based WDK web application. This whitepaper is intended to explain how to restrict upload of potentially malicious files into the repository. In addition, this whitepaper also explains the configurations available to avoid frame hijacking and to accept only secured cookies over https (SSL).

The security configurations to avoid frame hijacking and accepting unsecured cookies were introduced in Documentum 6.7. The security configurations for restricting upload of potentially malicious files into the repository were introduced in Documentum 6.7 SP1.

As part of the effort to improve and enhance the performance and capabilities of its product line, EMC, from time to time, releases revisions of its hardware and software. Therefore, some functions described in this guide may not be supported by all revisions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product Release Notes document.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Note: We vouch that the content in this document is accurate at the time of publication. However, as information is added, new versions of this document may be released to the EMC online support website. Check the website to ensure that you are using the latest version of this document.
Purpose
This document explains the process of configuring security features to restrict upload of potentially malicious files into the repository, avoid frame hijacking and accept only secured cookies over https (ssl) in WDK-based web applications.

Audience
The audience for this white paper comprises personnel responsible for the configuration and administration of the application server production environment with regard to WDK-based web applications. This document is intended for internal EMC personnel, partners, and customers.

Introduction
As per the policy of one of the customers of EMC, every web application must handle security vulnerabilities. The requirement to use the security configurations to restrict upload of potentially malicious files into the repository and to avoid frame hijacking and accepting unsecure cookies in https mode is not restricted only to the Webtop application. It should be available in other WDK-based applications also.

The security configurations to avoid frame hijacking and accepting unsecured cookies were introduced in Documentum 6.7. The security configurations for restricting upload of potentially malicious files into the repository were introduced in Documentum 6.7 SP1.

Restricting upload of potentially malicious files into the repository
We can restrict the upload of potentially malicious files into the repository, through Webtop, by configuring the <web-app>/wdk/app.xml file. We must specify the file formats that are not to be uploaded into the repository in the <malicious_file_extensions_list>.<extensions_list> element of the <web-app>/wdk/app.xml file, using a comma as a delimiter:

<malicious_file_extensions_list>
  <extensions_list>exe,bat,msi</extensions_list>
</malicious_file_extensions_list>

In the above configuration, we are restricting the upload of exe, bat and msi files into the repository, from Documentum version 6.7 SP1. This feature is applicable only to files that are imported or checked in.

Note: By default, no file formats are specified in the <malicious_file_extensions_list>.<extensions_list> element. So, this feature is turned off by default.
Use case 1: Restricting the file uploads through import
1. Configure the <web-app>/wdk/app.xml file as described above, with exe and bat in the <malicious_file_extensions_list>.<extensions_list> element.
2. Import a bat file or an exe file through Webtop.
3. As the bat file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop does not allow the import operation: it displays an appropriate error message and restricts the user from uploading the malicious file type into the repository.
Use case 2: Multiple File Import containing Malicious and Non-malicious files
1. Configure the <web-app>/wdk/app.xml file as described above, with exe and bat in the <malicious_file_extensions_list>.<extensions_list> element.
2. Import a doc file and a bat file together through Webtop.
3. As the bat file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop displays an appropriate error message while processing the import operation for the bat file and then proceeds with the import operation for all other files. The import of the non-malicious doc file completes normally.
Use case 3: Restricting Import of a malicious rendition file
1. Configure the <web-app>/wdk/app.xml file as described above, with exe and bat in the <malicious_file_extensions_list>.<extensions_list> element.
2. Import a malicious rendition file through Webtop.
3. As the bat file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop does not allow the import operation: it displays an appropriate error message and restricts the user from importing the malicious rendition into the repository.

Use case 4: Restricting import of an email message that has a malicious file as an attachment
1. Configure the <web-app>/wdk/app.xml file with ppt in the <malicious_file_extensions_list>.<extensions_list> element, to restrict ppt files.
2. Import an email message that has a malicious file (PPT) as an attachment through Webtop.
3. As the ppt file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop displays an appropriate error message while processing the email message import.
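The check behind the <extensions_list> configuration and use cases 1 to 4 above, as an added example written for this page rather than WDK's own code: it pulls the comma-delimited list out of an app.xml fragment, normalises file names, and shows the batch behaviour of use case 2 (the blocked file is rejected with an error and the rest of the batch continues). The normalisation rules (case folding, trailing dots and whitespace stripped, last extension only) and the error text are assumptions, since the paper does not document how WDK matches extensions; the app.xml fragment and the file names are constructed.

```javascript
// Added example, not WDK's own code: a model of the <extensions_list> deny list.

// Constructed app.xml fragment in the shape the white paper shows. The extra
// spaces around "bat" are deliberate, to exercise the trimming below.
const APP_XML = `
<config>
  <malicious_file_extensions_list>
    <extensions_list>exe, bat ,msi</extensions_list>
  </malicious_file_extensions_list>
</config>`;

// Extract the comma-delimited list. A regular expression is adequate for this
// single fixed element; a real audit tool should use an XML parser.
function parseBlockedExtensions(xml) {
  const m = xml.match(
    /<malicious_file_extensions_list>[\s\S]*?<extensions_list>([^<]*)<\/extensions_list>/i
  );
  if (!m) return new Set(); // element absent: the feature is off, as the note above says
  return new Set(
    m[1].split(',')
      .map((e) => e.trim().replace(/^\.+/, '').toLowerCase()) // ".EXE " -> "exe"
      .filter((e) => e.length > 0)
  );
}

// Assumed normalisation: lower-case, strip trailing dots and whitespace, take
// the text after the last dot. "Invoice.PDF.EXE" is therefore "exe", and a
// bare "notes" has no extension at all.
function fileExtension(name) {
  const cleaned = name.trim().replace(/[.\s]+$/, '');
  const dot = cleaned.lastIndexOf('.');
  return dot < 0 ? '' : cleaned.slice(dot + 1).toLowerCase();
}

function isBlocked(name, blocked) {
  return blocked.has(fileExtension(name));
}

// Use case 2 behaviour: a blocked file in a multi-file import is rejected with
// an error and the import continues with the remaining files. The error text
// is illustrative; Webtop's own message is not quoted in the paper.
function processImportBatch(names, blocked) {
  const result = { imported: [], rejected: [] };
  for (const name of names) {
    if (isBlocked(name, blocked)) {
      result.rejected.push({ file: name, error: `file type .${fileExtension(name)} is not allowed` });
    } else {
      result.imported.push(name);
    }
  }
  return result;
}

// Stand-alone run with constructed file names.
const BLOCKED = parseBlockedExtensions(APP_XML);
console.log(processImportBatch(['report.doc', 'setup.bat', 'Invoice.PDF.EXE', 'README.exe.', 'notes'], BLOCKED));
```

The check is by file name only, which is all an extension list can give: a renamed executable (setup.exe saved as setup.doc) passes, so the setting is a guard against careless uploads of known-dangerous types, not a content filter.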
Frame Bursting

Problem of frame hijacking or click jacking
In a frame hijacking (clickjacking) attack, a malicious page navigates an iframe on a legitimate site to malicious content, such as a fake login form. These attacks are pixel-perfect because navigating an iframe neither alters the location bar nor disturbs the lock icon.

Many security-sensitive pages, such as login pages, contain inline frames (iframes). For example, the password-entry field on the Webtop login page, and many bank web sites, are contained in iframes. These frames appear to be part of the parent page and do not have address bars (or any kind of security indicator). Because the user has no visible indication of the source of the content that appears in the iframe, the user implicitly trusts the parent page to fill the iframe with trustworthy content. Protecting the integrity of the frame's contents is critical to the security of these sites.

The frame bursting feature is not available in Documentum 6.6, and as a result an attacker can hijack a WDK-based application by loading it inside an iframe on a page under the attacker's control.

Solution to frame hijacking or click hijacking
A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that prevents a Web page from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a page from an external Web site being loaded from within a frameset without permission, often as part of a click jacking attack. Note that a JavaScript frame killer only protects the page when the script actually runs; a framing page can suppress scripts in the frame (for example with the HTML5 iframe sandbox attribute), so the X-Frame-Options response header is the complementary, browser-enforced defence to send alongside it.

Configuration to avoid frame hijacking or click hijacking
To avoid frame hijacking or click hijacking, we can use the frame buster configuration through Webtop. We enable the frame bursting flag in the file <web-app>/wdk/app.xml by enabling the element <security_support>.<frame_bursting>.<enabled>:

<security_support>
  …..
  <frame_bursting>
    <enabled>true</enabled>
  </frame_bursting>
  ……………………
</security_support>

If we enable the frame bursting feature in Documentum 6.7, then the frame hijacking or click jacking described above is defeated for WDK-based applications.
When a hijacking page that frames the application is displayed, the application automatically redirects to the Webtop main page in the full browser window.
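A frame-busting script of the kind the <frame_bursting> setting enables, as an added example written for this page rather than taken from WDK. It goes one step beyond the classic one-liner (if top is not self, set top.location to self.location): the page body starts hidden and is only revealed once the page is confirmed to be top-level, so a hijacker who suppresses the script is left with a blank frame instead of a usable login form. The window and document objects are passed in so the logic can be exercised outside a browser; the hostnames and the fake window objects are constructed.

```javascript
// Added example, not WDK's code: frame busting with a hidden-by-default body.

// True when this document is not the outermost browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Either bust out of the frame or reveal the page. Returns what it did.
function bustFrame(win, doc) {
  if (isFramed(win)) {
    // Writing top.location is permitted even when the parent is cross-origin,
    // so this replaces the hijacking page with the application in the full
    // browser window (the redirect to the main page described above).
    win.top.location = win.self.location.href;
    return 'busted';
  }
  // Top-level: safe to show the page.
  doc.body.style.display = 'block';
  return 'shown';
}

// Browser entry point. In a real page put <style>body { display: none }</style>
// in <head> and this script as the first element inside <body>.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  bustFrame(window, document);
}

// Constructed stand-ins for browsing contexts, used to demonstrate the logic.
function makeFakeWindow(url, top) {
  const win = { location: { href: url } };
  win.self = win;
  win.top = top || win; // a top-level window is its own top
  return win;
}

function makeFakeDocument() {
  return { body: { style: { display: 'none' } } };
}

// Scenario from the paper: a hijacking page (constructed hostname) frames Webtop.
const attacker = makeFakeWindow('https://attacker.example/hijack.html');
const webtopInFrame = makeFakeWindow('https://webtop.example/webtop/', attacker);
console.log(bustFrame(webtopInFrame, makeFakeDocument()), '->', attacker.location);
```

Even with the hidden body, script-based busting can be interfered with by a framing page (older browsers let the parent cancel the navigation with an onbeforeunload prompt), which is why the X-Frame-Options header belongs on the response as well.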
Configuring Secured Cookies over HTTPS (SSL)

Problem - Insecure cookies
When a cookie is not set securely, it is sent by the browser even with unencrypted requests, even if they are generated in an application that otherwise uses SSL encryption. If an attacker is able to intercept such requests, he can steal the cookie.

Solution – make cookies secured
To configure the secured cookies feature over HTTPS (SSL), the complete site (all pages) should be secured. So, to achieve this, we need to enable the <secured_cookies_for_https_only> flag under <security_support> in the <web-app>/wdk/app.xml file.

The secured_cookies_for_https_only parameter is used to make the cookie secure: if it is set as true, the cookies are delivered only over HTTPS (SSL), so their contents travel encrypted and cannot be read or manipulated via Man in the Middle attacks.

<security_support>
  <!-- To use secured cookies feature complete site (all pages) should be secured -->
  <secured_cookies_for_https_only>
    <enabled>true</enabled>
  </secured_cookies_for_https_only>
  ……………………
  …………………
</security_support>

By default, this flag is disabled in WDK based applications.

HttpOnly
Problem
Cookies with HTTPOnly attribute not set: If the HTTP-Only attribute is not set for a cookie, then it can be accessed and manipulated by JavaScript from the domain setting the cookie. The sensitive information contained in the cookie can be sent to a hacker's computer or Web site using a script-based attack such as Cross-Site Scripting.

The HttpOnly security vulnerability cannot be fixed yet due to a third party product issue (JRE). This cannot be implemented yet as Oracle only seems to have a partial solution for IE in JRE 1.7 and no way to address the issue for Firefox yet.
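An audit of the application's Set-Cookie response headers for the two attributes discussed in the Secured Cookies and HttpOnly sections above, as an added example that is not part of the white paper or of WDK: it parses each header, reports whether Secure and HttpOnly are present, and shows what a hardened header looks like. Run auditResponse over headers captured from a proxy or the browser's developer tools before and after enabling <secured_cookies_for_https_only>. Cookie names and values are constructed; JSESSIONID is used only because it is the usual Java servlet session cookie name.

```javascript
// Added example, not WDK's code: audit Set-Cookie headers for Secure/HttpOnly.

// Split "name=value; Attr1; Attr2=v" into its parts, keeping attribute case.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const pair = parts[0] || '';
  const eq = pair.indexOf('=');
  const attrs = parts.slice(1);
  return {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    attrs,
    // Attribute names are case-insensitive (RFC 6265), so "secure" counts.
    has: (flag) => attrs.some((a) => a.split('=')[0].trim().toLowerCase() === flag.toLowerCase()),
  };
}

// One finding per missing attribute; an empty array means the cookie is fine.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.has('Secure')) findings.push('missing Secure: also sent over plain HTTP');
  if (!c.has('HttpOnly')) findings.push('missing HttpOnly: readable by script (XSS)');
  return { name: c.name, findings };
}

// Rewrite a header so it carries both flags, keeping the other attributes.
// Only meaningful when the whole site is served over HTTPS, as the comment in
// the app.xml fragment above says: a Secure cookie is never sent to http:// pages.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  const kept = c.attrs.filter((a) => !/^(secure|httponly)$/i.test(a.split('=')[0].trim()));
  return [`${c.name}=${c.value}`, ...kept, 'Secure', 'HttpOnly'].join('; ');
}

// Audit every Set-Cookie header of a response; returns only the cookies with findings.
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(auditSetCookie).filter((r) => r.findings.length > 0);
}

// Constructed capture of a response before the flag is enabled.
const CAPTURED = [
  'JSESSIONID=7A1F0C2E9B; Path=/webtop',        // neither flag set
  'app_user=jsmith; Path=/webtop; Secure',       // Secure, but still script-readable
  'csrf=x9y8z7; Path=/; Secure; HttpOnly',       // already hardened
];
console.log(auditResponse(CAPTURED));
console.log(hardenSetCookie(CAPTURED[0]));
```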
Conclusion
This white paper explains the security configurations that restrict upload of potentially malicious files into the repository, avoid frame hijacking, and deliver cookies securely over HTTPS (SSL) in Documentum Web Development Kit-based applications.