2 Replies Latest reply on Oct 31, 2019 8:38 AM by 4015860

    webcenter portal 12c(12.2.1.3) information needed for security testing.

    4015860

      Hi Experts,

      Below are some interesting questions that have been raised by our security testing team; I was unable to answer them.

      Please help me find the default portal settings/values for these questions:

      • List of approved file types from applications? -- I'm allowing only pdf, doc, docx while uploading files in UCM from portal.
      • Max allowed URL length,
      • Allowed extensions?
      • Allowed HTTP Methods?
      • Allowed response codes from the servers?
      • Maximum cookie header length?
      • Allowed cookies?
      • Allowed meta characters?

      Where can I find information for these kinds of questions?

      Please provide information. Please let me know if you need any other information.

      Thanks in advance.

        • 1. Re: webcenter portal 12c(12.2.1.3) information needed for security testing.
          Daniel Merchán

          Hi,

          Some of the answers depend on how you have configured your infrastructure, Load Balancer, Web Servers etc. I will try to answer each one:

          • List of approved file types from applications?
            • This depends on your configuration of Load Balancer, Web Server (if they are restricting specific Mime-Types)
            • If you developed any filter on top of Oracle WebCenter Portal / Content to restrict the file types
            • If you have developed any Custom Component or Rule while Check-In in WebCenter Content
          • Max allowed URL length,
          • Allowed extensions?
            • Check Load Balancer, Web Server restrictions you may setup for allowed extensions.
          • Allowed HTTP Methods?
            • You can invoke an OPTIONS method to check in the LB or Web Server which HTTP methods your infrastructure allows.
          • Allowed response codes from the servers?
            • WebCenter Portal by default responds with 200, 301, 403, 404 and 500 depending on the scenario. If there are other response codes, check your customizations.
          • Maximum cookie header length?
            • WebCenter Portal does not restrict the cookie length unless you did something manual. This is a browser-specific thing. Browser Cookie Limits
          • Allowed cookies?
            • WebCenter Portal writes cookies under /webcenter. The allowance and security can be configured in many layers: Load Balancer, Web Server or the weblogic.xml of the app itself.
          • Allowed Meta characters ?
            • This is also something WebCenter Portal does not restrict. Check your infrastructure configuration (Load Balancer, Web Server).

          I hope this information helps.

          Kind regards.

          1 person found this helpful
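
The OPTIONS check suggested in the reply above, as an added example that is not part of the original thread: it sends OPTIONS, parses the `Allow` header and reports any advertised method outside an approved set. The approved set, the function names and the loopback stub server are assumptions made for illustration; they are not WebCenter Portal defaults.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

APPROVED = {"GET", "HEAD", "POST", "OPTIONS"}  # assumed policy, not a product default

def parse_allow(value):
    """Split an Allow header value into a set of upper-cased method names."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}

def audit_methods(host, port, path="/", tls=False, approved=APPROVED):
    """Send OPTIONS and return (status, advertised, advertised_but_not_approved)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        advertised = parse_allow(resp.getheader("Allow"))
    finally:
        conn.close()
    return resp.status, advertised, advertised - approved

class _StubFrontEnd(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server; not real WebCenter behaviour."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, TRACE, put")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Run the audit against the stub on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _StubFrontEnd)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    status, advertised, extra = demo()
    print(status, sorted(advertised), "not approved:", sorted(extra))
```

An empty result only means nothing unapproved was advertised: a server that omits the `Allow` header may still accept other methods, so the Load Balancer and Web Server configuration remains the authoritative source.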