SlideShare a Scribd company logo

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

Download as PPTX, PDF
Darren Duke
Darren Duke

Collabsphere 2018 (formally MWLUG) presentation where Darren Duke outlines how to protect, test and enhance your Domino web security.

1 of 41
Downloaded 67 times
SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This maybe the best slide in the deck. Feel free to leave right now…
Agenda • What we will cover – Then eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for an remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
• The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
• So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
The Simple Things…..
The Simple Things • More Secure Internet Passwords
The Simple Things • More Secure EXISTING Internet Passwords
The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino- adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www- 01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- 10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames etSRC
The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
The Less Simple Things
I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache 1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" 3. Header always append X-Frame-Options SAMEORIGIN 4. Header always set X-XSS-Protection "1; mode=block" 5. Header always set X-Content-Type-Options: nosniff 6. Header always set Server NotTelling 7. Header always set Referrer-Policy strict-origin-when-cross-origin
The Less Simple Things • NginX Version 1. set_cookie_flag HttpOnly secure; 2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'; 3. add_header X-Frame-Options "SAMEORIGIN"; 4. add_header X-XSS-Protection "1; mode=block"; 5. add_header X-Content-Type-Options "nosniff"; 6. server_tokens off; 7. add_header Referrer-Policy "strict-origin-when-cross-origin"; • Note 1, line 1 requires module support in NginX. • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem it and miss as you may have to compile module support into NginX. more_clear_headers Server; more_clear_headers Server;
The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
The Harder Things
The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
The Harder Things • The blog NginX headers add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD'; add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache- Control,Content-Type'; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net"; add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
The Harder Things • Content-Security-Policy –default-src –script-src –font-src –img-src –frame-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
The Much Harder Things
The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
ModSecurity --d5cdc63e-H-- Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"] Stopwatch: 1532256930612640 6576 (- - -) Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache/2.4.29 (Ubuntu) Engine-Mode: "DETECTION_ONLY" --d5cdc63e-Z--
ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
ModSecurity • Most often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule[id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
Tools
Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be crime in your (or the servers) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
Qualys
Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
SecurityHeaders.com
Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
ZAP
Pentest-tools.com
Takeways • Know what the access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
Q&A • That was a lot • Question Time!

Recommended

dominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptxdominocamp2022.t1s1.dde.pptx
dominocamp2022.t1s1.dde.pptx
Ulrich Krause
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
Dylan Redfield
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
Jared Roberts
 
How to use the new Domino Query Language
How to use the new Domino Query LanguageHow to use the new Domino Query Language
How to use the new Domino Query Language
Tim Davis
 
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
Ales Lichtenberg
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning
Vladislav Tatarincev
 
HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
hemantnaik
 
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded
Christoph Adler
 
Cool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdfCool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdf
aosborne
 
DNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First LookDNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First Look
daniel_nashed
 
Domino policies deep dive
Domino policies deep diveDomino policies deep dive
Domino policies deep dive
Martijn de Jong
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
Gabriella Davis
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
panagenda
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Edson Oliveira
 
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
BCC - Solutions for IBM Collaboration Software
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin Tips
Gabriella Davis
 
From frustration to fascination: dissecting Replication
From frustration to fascination: dissecting ReplicationFrom frustration to fascination: dissecting Replication
From frustration to fascination: dissecting Replication
Benedek Menesi
 
Improving notes addressing experience with recent contacts
Improving notes addressing experience with recent contactsImproving notes addressing experience with recent contacts
Improving notes addressing experience with recent contacts
Vinayak Tavargeri
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
Gabriella Davis
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes Customization
IBM Connections Developers
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance Boost
Christoph Adler
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
Gabriella Davis
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
panagenda
 
jmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstartjmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstart
Bill Buchan
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routing
jayeshpar2006
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTP
Ales Lichtenberg
 
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
Ales Lichtenberg
 
Oracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service ConferenceOracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service Conference
Okcan Yasin Saygılı
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
devObjective
 

More Related Content

What's hot (20)

Cool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdfCool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdf
aosborne
 
DNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First LookDNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First Look
daniel_nashed
 
Domino policies deep dive
Domino policies deep diveDomino policies deep dive
Domino policies deep dive
Martijn de Jong
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
Gabriella Davis
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
panagenda
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Edson Oliveira
 
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
BCC - Solutions for IBM Collaboration Software
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin Tips
Gabriella Davis
 
From frustration to fascination: dissecting Replication
From frustration to fascination: dissecting ReplicationFrom frustration to fascination: dissecting Replication
From frustration to fascination: dissecting Replication
Benedek Menesi
 
Improving notes addressing experience with recent contacts
Improving notes addressing experience with recent contactsImproving notes addressing experience with recent contacts
Improving notes addressing experience with recent contacts
Vinayak Tavargeri
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
Gabriella Davis
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes Customization
IBM Connections Developers
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance Boost
Christoph Adler
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
Gabriella Davis
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
panagenda
 
jmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstartjmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstart
Bill Buchan
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routing
jayeshpar2006
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTP
Ales Lichtenberg
 
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
Ales Lichtenberg
 
Oracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service ConferenceOracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service Conference
Okcan Yasin Saygılı
 
Cool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdfCool features in The Domino Optimizer - v4.pdf
Cool features in The Domino Optimizer - v4.pdf
aosborne
 
DNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First LookDNUG HCL Domino 11 First Look
DNUG HCL Domino 11 First Look
daniel_nashed
 
Domino policies deep dive
Domino policies deep diveDomino policies deep dive
Domino policies deep dive
Martijn de Jong
 
Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
Gabriella Davis
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
panagenda
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Edson Oliveira
 
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
Deep Dive AdminP Process - Admin and Infrastructure Track at UKLUG 2012
BCC - Solutions for IBM Collaboration Software
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin Tips
Gabriella Davis
 
From frustration to fascination: dissecting Replication
From frustration to fascination: dissecting ReplicationFrom frustration to fascination: dissecting Replication
From frustration to fascination: dissecting Replication
Benedek Menesi
 
Improving notes addressing experience with recent contacts
Improving notes addressing experience with recent contactsImproving notes addressing experience with recent contacts
Improving notes addressing experience with recent contacts
Vinayak Tavargeri
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
Gabriella Davis
 
Learn everything about IBM iNotes Customization
Learn everything about IBM iNotes CustomizationLearn everything about IBM iNotes Customization
Learn everything about IBM iNotes Customization
IBM Connections Developers
 
RNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance BoostRNUG - HCL Notes V11 Performance Boost
RNUG - HCL Notes V11 Performance Boost
Christoph Adler
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
Gabriella Davis
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
panagenda
 
jmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstartjmp206 - Lotus Domino Web Services Jumpstart
jmp206 - Lotus Domino Web Services Jumpstart
Bill Buchan
 
Important tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routingImportant tips on Router and SMTP mail routing
Important tips on Router and SMTP mail routing
jayeshpar2006
 
HCL Domino V12 - TOTP
HCL Domino V12 - TOTPHCL Domino V12 - TOTP
HCL Domino V12 - TOTP
Ales Lichtenberg
 
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf HCL Sametime 12.0 on Docker - Step-By-Step.pdf
HCL Sametime 12.0 on Docker - Step-By-Step.pdf
Ales Lichtenberg
 
Oracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service ConferenceOracle Database Exadata Cloud Service Conference
Oracle Database Exadata Cloud Service Conference
Okcan Yasin Saygılı
 

Similar to CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable (20)

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
devObjective
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
Jeremy Brown
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
Brian Layman
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
Peter Baylies
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
DefCamp
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
Denis Kolegov
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2
Stoyan Stefanov
 
10 tips to improve your website security
10 tips to improve your website security10 tips to improve your website security
10 tips to improve your website security
Sucuri
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
devObjective
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
Jeremy Brown
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
Brian Layman
 
WordPress Server Security
WordPress Server SecurityWordPress Server Security
WordPress Server Security
Peter Baylies
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
DefCamp
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
Shaiffulnizam Mohamad
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
Denis Kolegov
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2Progressive Downloads and Rendering - take #2
Progressive Downloads and Rendering - take #2
Stoyan Stefanov
 
10 tips to improve your website security
10 tips to improve your website security10 tips to improve your website security
10 tips to improve your website security
Sucuri
 

More from Darren Duke (9)

Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Darren Duke
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
Darren Duke
 
Notes, domino and the single sign on soup
Notes, domino and the single sign on soupNotes, domino and the single sign on soup
Notes, domino and the single sign on soup
Darren Duke
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
Darren Duke
 
LS11 Show101
LS11 Show101LS11 Show101
LS11 Show101
Darren Duke
 
LS10 Show102
LS10 Show102LS10 Show102
LS10 Show102
Darren Duke
 
BES 4.1.x on Domino
BES 4.1.x on DominoBES 4.1.x on Domino
BES 4.1.x on Domino
Darren Duke
 
Domino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDomino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUG
Darren Duke
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Darren Duke
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
Darren Duke
 
Notes, domino and the single sign on soup
Notes, domino and the single sign on soupNotes, domino and the single sign on soup
Notes, domino and the single sign on soup
Darren Duke
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
Darren Duke
 
LS11 Show101
LS11 Show101LS11 Show101
LS11 Show101
Darren Duke
 
LS10 Show102
LS10 Show102LS10 Show102
LS10 Show102
Darren Duke
 
BES 4.1.x on Domino
BES 4.1.x on DominoBES 4.1.x on Domino
BES 4.1.x on Domino
Darren Duke
 
Domino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUGDomino 8.5 Presentation for ATLUG
Domino 8.5 Presentation for ATLUG
Darren Duke
 

Recently uploaded (20)

Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

  • 1. SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
  • 2. About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This maybe the best slide in the deck. Feel free to leave right now…
  • 3. Agenda • What we will cover – Then eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
  • 4. Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
  • 5. The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
  • 6. Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for an remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
  • 7. • The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
  • 8. • So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
  • 10. The Simple Things • More Secure Internet Passwords
  • 11. The Simple Things • More Secure EXISTING Internet Passwords
  • 12. The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
  • 13. The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino- adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www- 01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www- 10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFrames etSRC
  • 14. The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
  • 15. The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
  • 16. The Less Simple Things
  • 17. I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache 1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" 3. Header always append X-Frame-Options SAMEORIGIN 4. Header always set X-XSS-Protection "1; mode=block" 5. Header always set X-Content-Type-Options: nosniff 6. Header always set Server NotTelling 7. Header always set Referrer-Policy strict-origin-when-cross-origin
  • 18. The Less Simple Things • NginX Version 1. set_cookie_flag HttpOnly secure; 2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload'; 3. add_header X-Frame-Options "SAMEORIGIN"; 4. add_header X-XSS-Protection "1; mode=block"; 5. add_header X-Content-Type-Options "nosniff"; 6. server_tokens off; 7. add_header Referrer-Policy "strict-origin-when-cross-origin"; • Note 1, line 1 requires module support in NginX. • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem it and miss as you may have to compile module support into NginX. more_clear_headers Server; more_clear_headers Server;
  • 19. The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
  • 21. The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
  • 22. The Harder Things • The blog NginX headers add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD'; add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep- Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache- Control,Content-Type'; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net"; add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
  • 23. The Harder Things • Content-Security-Policy –default-src –script-src –font-src –img-src –frame-src add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
  • 24. The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
  • 25. The Much Harder Things
  • 26. The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
  • 27. ModSecurity --d5cdc63e-H-- Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack- protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"] Stopwatch: 1532256930612640 6576 (- - -) Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache/2.4.29 (Ubuntu) Engine-Mode: "DETECTION_ONLY" --d5cdc63e-Z--
  • 28. ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
  • 29. ModSecurity • Most often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule[id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
  • 30. Tools
  • 31. Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be crime in your (or the servers) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
  • 32. Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
  • 34. Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
  • 36. Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
  • 37. Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
  • 38. ZAP
  • 40. Takeways • Know what the access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
  • 41. Q&A • That was a lot • Question Time!