CONFIGURING SECURITY FEATURES IN AN EMC® DOCUMENTUM® WEB DEVELOPMENT KIT-BASED WEB APPLICATION

White Paper

Abstract

This white paper explains the security configurations that can restrict upload of potentially malicious files into the repository and avoid Frame Hijacking and accepting secured Cookies over HTTPS (SSL) in Documentum Web Development Kit-based applications.

September 2012



Security Configurations to Avoid Vulnerabilities in Documentum Web Development Kit-based Web Applications

Copyright © 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided "as is." EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

Part Number H11049


Table of Contents

Executive Summary ..... 4
Purpose ..... 4
Audience ..... 4
Introduction ..... 4
Restricting upload of potentially malicious files into the repository ..... 5
Use case 1: Restricting the file uploads through import ..... 5
Use case 2: Multiple File Import containing Malicious and Non-malicious files ..... 7
Use case 3: Restricting Import of a malicious rendition file ..... 9
Use case 4: Restricting import of an email message that has malicious file as an attachment ..... 10
Frame Bursting ..... 12
Problem of frame hijacking or click jacking ..... 12
Solution to frame hijacking or click hijacking ..... 13
Configuration to avoid frame hijacking or click hijacking ..... 13
Configuring Secured Cookies over HTTPS (SSL) ..... 15
Problem - Insecure cookies ..... 15
Solution – make cookies secured ..... 15
HttpOnly ..... 15
Problem ..... 15
Conclusion ..... 16


Executive Summary

This white paper explains the various security configurations to avoid security vulnerabilities for the Documentum-based WDK web application. This whitepaper is intended to explain how to restrict upload of potentially malicious files into the repository. In addition, this whitepaper also explains the configurations available to avoid frame hijacking and accepting the secured cookies over https (SSL).

The security configurations to avoid frame hijacking and accepting unsecured cookies were introduced in Documentum 6.7. The security configurations for restricting upload of potentially malicious files into the repository were introduced in Documentum 6.7 SP1.

As part of the effort to improve and enhance the performance and capabilities of its product line, EMC, from time to time, releases revisions of its hardware and software. Therefore, some functions described in this guide may not be supported by all revisions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product Release Notes document.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Note: We vouch that the content in this document is accurate at the time of publication. However, as information is added, new versions of this document may be released to the EMC online support website. Check the website to ensure that you are using the latest version of this document.

Purpose

This document explains the process of configuring security features to restrict upload of potentially malicious files into the repository, avoid frame hijacking and accepting secured cookies over https (ssl) in WDK-based web applications.

Audience

The audience for this white paper comprises personnel responsible for the configuration and administration of the application server production environment with regard to WDK-based web applications. This document is intended for internal EMC personnel, partners, and customers.

Introduction

As per the policy of one of the customers of EMC, every web application must handle security vulnerabilities.

The requirement to use the security configurations to restrict upload of potentially malicious files into the repository and to avoid frame hijacking and accepting unsecure cookies in https mode is not restricted only to the Webtop application. It should be available in other WDK-based applications also.

The security configurations to avoid frame hijacking and accepting unsecured cookies were introduced in Documentum 6.7. The security configurations for restricting upload of potentially malicious files into the repository were introduced in Documentum 6.7 SP1.

Restricting upload of potentially malicious files into the repository

We can restrict the upload of potentially malicious files into the repository, through Webtop, by configuring the <web-app>/wdk/app.xml file. We must specify the file formats that are not to be uploaded into the repository in the <malicious_file_extensions_list>.<extensions_list> element of the <web-app>/wdk/app.xml file, using a comma as a delimiter.

<malicious_file_extensions_list>
  <extensions_list>exe,bat,msi</extensions_list>
</malicious_file_extensions_list>

In the above configuration, we are restricting the upload of exe, bat and msi files into the repository. This feature is applicable only to files that are imported or checked into the repository, from Documentum version 6.7 SP1.

Note: By default, no file formats are specified in the <malicious_file_extensions_list>.<extensions_list> element. So, this feature is turned off by default.

Use case 1: Restricting the file uploads through import

1. Configure the <web-app>/wdk/app.xml file as shown below to restrict exe and bat files


2. Import a bat file or exe file through webtop

3. As the bat file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop does not allow us to perform the import operation: it displays an appropriate error message and restricts the user from uploading the malicious file type into the repository.


Use case 2: Multiple File Import containing Malicious and Non-malicious files

1. Configure the <web-app>/wdk/app.xml file as shown below to restrict exe and bat files

2. Import a doc file and a bat file through webtop.


3. As the bat file extension is configured in the <malicious_file_extensions_list>.<extensions_list> element, Webtop displays an appropriate error message while processing the import operation for the bat file and then proceeds with the import operation for all other files.

The screenshot below shows the processing of the import operation for the non-malicious doc file.


Use case 3: Restricting Import of a malicious rendition file.

1. Configure the <web-app>/wdk/app.xml file as shown below to restrict exe and bat files

2. Import a malicious rendition file through Webtop.

4. As bat file extension is configured in <malicious_file_extensions_list>.<extensions_list> element, Webtop does not allow us to perform import operation and displays an appropriate error message and restricts the user from importing the email message that has malicious attachments into the repository

Use case 4: Restricting import of an email message that has malicious file as an attachment.

1. Configure the <web-app>/wdk/app.xml file as shown below to restrict ppt files

2. Import an email message that has malicious file (PPT) as an attachment


Import the email message through Webtop.


3. As ppt file extension is configured in <malicious_file_extensions_list>.<extensions_list> element, Webtop displays an appropriate error message while processing the email message import.
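To make the extension policy concrete, here is an added Python example (not code from the white paper or from WDK) that reads an <extensions_list> in the shape shown above and applies it to a batch of filenames the way use case 2 describes, one file at a time; the enclosing <config> root, the sample file names and the helper names are assumptions.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed app.xml fragment mirroring the <malicious_file_extensions_list>
# element shown in the paper (not the real <web-app>/wdk/app.xml; the
# <config> root is an assumption). Spacing and case are deliberately sloppy.
APP_XML = """<config>
  <malicious_file_extensions_list>
    <extensions_list> exe, BAT ,msi,</extensions_list>
  </malicious_file_extensions_list>
</config>"""


def load_blocked_extensions(app_xml: str) -> frozenset:
    """Return the comma-delimited extensions as a normalised set.

    Whitespace and case are normalised and empty entries dropped, so
    ' exe, BAT ,msi,' becomes {'exe', 'bat', 'msi'}. A missing or empty
    element yields an empty set, i.e. the feature is off (the paper's default).
    """
    root = ET.fromstring(app_xml)
    node = root.find("./malicious_file_extensions_list/extensions_list")
    if node is None or not (node.text or "").strip():
        return frozenset()
    return frozenset(e.strip().lower() for e in node.text.split(",") if e.strip())


def is_blocked(filename: str, blocked: frozenset) -> bool:
    """Decide by the final extension only, as the configuration does.

    'report.doc.bat' is blocked, 'notes' (no extension) is not, and the
    match is case-insensitive so 'SETUP.EXE' cannot slip past 'exe'.
    Caveat: this is an extension check, not content inspection, so a
    renamed binary is outside what this setting can catch.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in blocked


def triage_import(filenames, blocked):
    """Mimic use case 2: blocked entries are refused, the rest proceed.

    Returns (allowed, rejected), each preserving the original order.
    """
    allowed, rejected = [], []
    for f in filenames:
        (rejected if is_blocked(f, blocked) else allowed).append(f)
    return allowed, rejected
```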

Frame Bursting

Many security-sensitive pages, such as login pages, contain inline frames (iframes). For example, the password-entry field on the Webtop login page, and many bank web sites, are contained in iframes. These frames appear to be part of the parent page and do not have address bars (or any kind of security indicator). Because the user has no visible indication of the source of the content that appears in the iframe, the user implicitly trusts the parent page to fill the iframe with trustworthy content. Protecting the integrity of the frame's contents is critical to the security of these sites.

Problem of frame hijacking or click jacking

In a frame hijacking (clickjacking) attack, a malicious page navigates an iframe on a legitimate site to malicious content, such as a fake login form. These attacks are pixel-perfect because navigating an iframe neither alters the location bar nor disturbs the lock icon.


Solution to frame hijacking or click hijacking

A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that prevents a Web page from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission, often as part of a click jacking attack.

The frame bursting feature is not available in Documentum 6.6 and, as a result, users can hijack the WDK-based application by configuring the javascript iframes.

Configuration to avoid frame hijacking or click hijacking

To avoid frame hijacking or click hijacking, we can use the frame buster configuration through Webtop. We can enable the frame bursting flag in the file <web-app>/wdk/app.xml by enabling the element <security_support>.<frame_bursting>.<enabled>

<security_support>
  ………………
  <frame_bursting>
    <enabled>true</enabled>
  </frame_bursting>
  …..
  ……………………
</security_support>


If we enable the frame bursting feature in Documentum 6.7, then frame hijacking or click jacking is not possible with WDK-based applications.

After the hijacking page above is displayed, the application automatically redirects to the Webtop main page in the full browser window.


Configuring Secured Cookies over HTTPS (SSL)

Problem - Insecure cookies

When a cookie is not set securely, it is sent by the browser even with unencrypted requests, even if they are generated in an application that otherwise uses SSL encryption. If an attacker is able to intercept such requests, he can steal the cookie.

Solution – make cookies secured

To configure the secured cookies feature over HTTPS (SSL), the complete site (all pages) should be secured. To achieve this, we need to enable the <secured_cookies_for_https_only> flag under <security_support> in the <web-app>/wdk/app.xml file.

The secured_cookies_for_https_only parameter is used to make the cookie secure: if it is set to true, the cookies are delivered over HTTPS (SSL) and their contents are encrypted such that they cannot be manipulated via Man in the Middle attacks.

<security_support>
  <!-- To use secured cookies feature complete site (all pages) should be secured -->
  <secured_cookies_for_https_only>
    <enabled>true</enabled>
  </secured_cookies_for_https_only>
  ……………………
  …………………………
</security_support>

By default, this flag is disabled in WDK-based applications.

HttpOnly

Problem

Cookies with the HttpOnly attribute not set: if the HttpOnly attribute is not set for a cookie, then it can be accessed and manipulated by JavaScript from the domain setting the cookie. The sensitive information contained in the cookie can be sent to a hacker's computer or Web site using a script-based attack such as Cross-Site Scripting.

The HttpOnly security vulnerability cannot be fixed yet due to a third party product issue (JRE). This cannot be implemented yet as Oracle only seems to have a partial solution for IE in JRE 1.7 and no way to address the issue for Firefox yet.
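As an added example (not part of the white paper and not WDK code), the following Python script audits an app.xml fragment shaped like the <security_support> element above for the frame_bursting and secured_cookies_for_https_only flags, and then checks Set-Cookie headers captured from the application for the Secure and HttpOnly attributes, so the config change can be confirmed at the HTTP layer rather than trusted from app.xml alone; the <config> root, the "false" value, the header samples and the cookie names are constructed assumptions.

```python
from http.cookies import SimpleCookie
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the <security_support> element the
# paper shows. Element names follow the paper; the <config> root and the
# "false" value are assumptions made for this demo.
APP_XML = """<config>
  <security_support>
    <frame_bursting><enabled>true</enabled></frame_bursting>
    <secured_cookies_for_https_only>
      <enabled>false</enabled>
    </secured_cookies_for_https_only>
  </security_support>
</config>"""

# Constructed Set-Cookie header values, as a browser or proxy would see them.
# Cookie names are illustrative only.
SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/webtop; Secure; HttpOnly",
    "wdk_prefs=layout; Path=/webtop",
]


def flag_enabled(app_xml, flag):
    """True only when <security_support>.<flag>.<enabled> reads 'true'.

    A missing element counts as disabled, matching the paper's statement
    that these flags are off by default.
    """
    root = ET.fromstring(app_xml)
    node = root.find(f"./security_support/{flag}/enabled")
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_security_support(app_xml):
    """Report which of the two hardening flags from the paper are enabled."""
    flags = ("frame_bursting", "secured_cookies_for_https_only")
    return {flag: flag_enabled(app_xml, flag) for flag in flags}


def audit_set_cookie(header_values):
    """Check each Set-Cookie value for the Secure and HttpOnly attributes.

    Returns {cookie_name: [missing attribute names]}; an empty list means
    the cookie carries both. Secure is what the app.xml flag is meant to
    deliver; HttpOnly is the attribute the paper says it cannot yet set.
    """
    findings = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            findings[name] = [a for a in ("secure", "httponly") if not morsel[a]]
    return findings
```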


Conclusion

This white paper explains the security configurations that can restrict upload of potentially malicious files into the repository and avoid Frame Hijacking and accepting secured Cookies over HTTPS (SSL) in Documentum Web Development Kit-based applications.