Penetration Testing mailing list archives
IBM Websphere Portal pentest
From: pentestb0y () fastmail fm
Date: Sat, 21 Mar 2009 04:48:53 -0700
Hi list,

I'm doing a pentest for a company with a web application built on top of IBM Websphere portal. So far, I managed to get the admin password to the portal. My analysis suggests that their current setup looks like this: they're using a WebSEAL reverse proxy which handles the authentication and access control on the Portal's resources served by an IBM HTTP Server with an LDAP user directory. So far, that's all I know.

I've read a few manuals and ebooks about this whole Portal thing and realized that this is one complex collection of different applications. I only have a few days to do the testing, so I don't have much time to figure out what else I can do given that I was able to obtain the Portal admin login credentials.

I'm trying to build a case on what an attacker can do once he gets admin access to the Portal. Is it possible to enumerate the internal Directory and Databases through the Portal? I've read a short tutorial on how one can create a Portlet and upload it to the Portal. I'm thinking this could probably be how one should go about it.

Before I tell the client that it is game over for them once an attacker gets portal admin rights, I have to explain how an attacker can leverage this situation. Any idea?

--
pentestb0y () fastmail fm