WebCenter Portal 12c (12.2.1.3) information needed for security testing

User_112YD Member Posts: 12 Green Ribbon
edited Oct 31, 2019 4:38AM in WebCenter Portal

Hi Experts,

Some interesting questions, listed below, have been raised by our security testing team, and I was unable to answer them.

Please help me find the default portal settings/values for these questions:

  • List of approved file types from applications? (I'm allowing only pdf, doc and docx when uploading files to UCM from the portal.)
  • Max allowed URL length,
  • Allowed extensions?
  • Allowed HTTP Methods?
  • Allowed response codes from the servers?
  • Maximum cookie header length?
  • Allowed cookies?
  • Allowed Meta characters ?

Where can I find information for these kinds of questions?

Please provide information. Please let me know if you need any other information.

Thanks in advance.

Answers

  • Daniel Merchán Enterprise Architect Member Posts: 2,192 Gold Trophy
    edited Oct 28, 2019 4:16AM

    Hi,

    Some of the answers depend on how you have configured your infrastructure (Load Balancer, Web Servers, etc.). I will try to answer each one:

    • List of approved file types from applications?
      • This depends on your configuration of Load Balancer, Web Server (if they are restricting specific Mime-Types)
      • If you developed any filter on top of Oracle WebCenter Portal / Content to restrict the file types
      • If you have developed any Custom Component or Rule while Check-In in WebCenter Content
    • Max allowed URL length,
    • Allowed extensions?
      • Check Load Balancer, Web Server restrictions you may setup for allowed extensions.
    • Allowed HTTP Methods?
      • You can invoke an OPTIONS method to check, in the LB or Web Server, which HTTP methods your infrastructure supports.
    • Allowed response codes from the servers?
      • WebCenter Portal by default responds with 200, 301, 403, 404 and 500 depending on the scenario. If there are other response codes, check your customizations.
    • Maximum cookie header length?
      • WebCenter Portal does not restrict the cookie length unless you did something manual. This is a browser-specific thing. Browser Cookie Limits
    • Allowed cookies?
      • WebCenter Portal writes cookies under /webcenter. The allowance and security can be configured in many layers: Load Balancer, Web Server or the weblogic.xml of the app itself.
    • Allowed Meta characters ?
      • This is also something WebCenter Portal does not restrict. Check your infrastructure configuration (Load Balancer, Web Server).

    I hope this information helps.

    Kind regards.

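A defender-side check for the OPTIONS and cookie points in the answer above, added here as an example (not part of the original posts and not Oracle tooling): it audits a response head saved from an OPTIONS request to your own front end for methods beyond a baseline and for cookie scope, flags and size. `EXPECTED_METHODS`, the sample response and all function names are assumptions.

```python
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # assumed site policy
PORTAL_PATH = "/webcenter"   # cookie path named in the answer above
COOKIE_MAX_BYTES = 4096      # per-cookie size RFC 6265 asks browsers to support

# Constructed sample: response head saved from an OPTIONS request to your own
# front end (cookie names and values are made up).
SAMPLE = """HTTP/1.1 200 OK
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Set-Cookie: JSESSIONID=abc123; Path=/webcenter; HttpOnly
Set-Cookie: lbroute=node1; Path=/; Secure; HttpOnly
Content-Length: 0

"""

def parse_head(raw):
    """Split a raw response head into (status_code, [(name, value), ...])."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_cookie(value):
    """Return (cookie_name, issues) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    issues = [f"missing {flag}" for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    path = attrs.get("path", "")
    if path != PORTAL_PATH and not path.startswith(PORTAL_PATH + "/"):
        issues.append(f"path {path or '(default)'} is outside {PORTAL_PATH}")
    if len(value.encode()) > COOKIE_MAX_BYTES:
        issues.append("exceeds 4096 bytes")
    return parts[0].partition("=")[0], issues

def audit(raw):
    """Summarise method and cookie findings for one response head."""
    status, headers = parse_head(raw)
    allow = [v for n, v in headers if n == "allow"]
    methods = {m.strip().upper() for v in allow for m in v.split(",") if m.strip()}
    return {
        "status": status,
        "allow_header_present": bool(allow),  # many servers omit Allow
        "unexpected_methods": sorted(methods - EXPECTED_METHODS),
        "cookies": dict(audit_cookie(v) for n, v in headers if n == "set-cookie"),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A missing `Allow` header means the front end did not advertise its methods, not that none are enabled, so `allow_header_present` is reported separately from `unexpected_methods`.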
  • User_112YD Member Posts: 12 Green Ribbon
    edited Oct 31, 2019 4:38AM

    Hi Daniel,

    Thanks for the response.