Solving OWASP security vulnerabilities in Liferay 6.0.x

Ionut Negoita, modified 7 years ago.

Solving OWASP security vulnerabilities in Liferay 6.0.x

New Member, Posts: 10, Joined: 27/08/12
Hi guys,

I see a lot of topics out there regarding cookies and either the HttpOnly flag or the Secure flag. Besides these two issues, which are considered security vulnerabilities, there are also some missing headers that present vulnerabilities, like:

X-Frame-Options Header Not Set
Web Browser XSS Protection Not Enabled
X-Content-Type-Options Header Missing

I have successfully implemented fixes for all these issues and even passed through a security audit verifying the implementation.


Basically you need to create a new filter and add it to the stack of Liferay filters.
Here's a detailed description on how to do this: Solving OWASP security vulnerabilities in Liferay 6.0.x

I would love to hear comments from you guys, maybe if I'm missing something or if you have any questions.

kindest regards,
John (@codingdudecom)
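A filter of the kind the post describes, written here as an added example rather than the post's own code or anything shipped by Liferay. It targets the Servlet 2.5 API that Liferay 6.0.x runs on, which has no Cookie.setHttpOnly(), so cookies are rewritten into Set-Cookie headers by hand; the class name SecurityHeadersFilter and the init-param secure-cookies are my own choices, and registration in web.xml ahead of Liferay's own filters is assumed.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Example filter (not Liferay code): sets the three headers the audit flagged
 * and forces HttpOnly (and Secure) on every cookie the portal emits.
 */
public class SecurityHeadersFilter implements Filter {

    private boolean forceSecureCookies;

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param "secure-cookies": set it to "false" on plain-HTTP
        // dev boxes, otherwise browsers silently drop every Secure cookie.
        forceSecureCookies = !"false".equalsIgnoreCase(config.getInitParameter("secure-cookies"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set headers before the chain runs: once the body is committed they are lost.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");     // "X-Frame-Options Header Not Set"
        response.setHeader("X-XSS-Protection", "1; mode=block"); // "Web Browser XSS Protection Not Enabled"
        response.setHeader("X-Content-Type-Options", "nosniff"); // "X-Content-Type-Options Header Missing"

        boolean secure = forceSecureCookies || request.isSecure();
        chain.doFilter(request, new CookieFlagResponse(response, secure));
    }

    public void destroy() {
    }

    /** Wraps the response so every cookie leaves with HttpOnly (and Secure) attached. */
    static class CookieFlagResponse extends HttpServletResponseWrapper {
        private final boolean secure;

        CookieFlagResponse(HttpServletResponse response, boolean secure) {
            super(response);
            this.secure = secure;
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Serialise the cookie ourselves; Servlet 2.5 cannot express HttpOnly.
            StringBuilder sb = new StringBuilder();
            sb.append(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) sb.append("; Path=").append(cookie.getPath());
            if (cookie.getDomain() != null) sb.append("; Domain=").append(cookie.getDomain());
            if (cookie.getMaxAge() >= 0) sb.append("; Max-Age=").append(cookie.getMaxAge()); // -1 = session cookie
            // addHeader, not setHeader: the portal sets several cookies per response.
            super.addHeader("Set-Cookie", withFlags(sb.toString()));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withFlags(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withFlags(value) : value);
        }

        // Appends the flags only if the cookie string does not already carry them.
        private String withFlags(String setCookie) {
            String lower = setCookie.toLowerCase();
            if (secure && !lower.contains("; secure")) setCookie += "; Secure";
            if (!lower.contains("httponly")) setCookie += "; HttpOnly";
            return setCookie;
        }
    }
}
```

Two things to check after deploying something like this: confirm with a raw HTTP client that every Set-Cookie line, including the ones Liferay writes through addHeader rather than addCookie, carries both flags, and pick the X-Frame-Options value deliberately, since SAMEORIGIN still allows the portal to frame its own pages but DENY will break any portlet that embeds the site in an iframe.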
David H Nebinger, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

Liferay Legend, Posts: 14914, Joined: 02/09/06
Thanks for the info.

6.0 is quite a bit dated; have you considered upgrading to a newer version that supports all of the new browsers?
Ionut Negoita, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

New Member, Posts: 10, Joined: 27/08/12
Hi David,

Yes, it is outdated, and we did try to upgrade to Liferay 7. I've seen your article about OSGi modules and added a comment and another forum topic regarding the challenges we had with that. The bottom line is that we stopped trying to do that, since it was becoming too expensive for us considering we did not get very far.
Probably an attempt to upgrade to version 6.2 should have been the course.
David H Nebinger, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

Liferay Legend, Posts: 14914, Joined: 02/09/06
6.2 will bring you forward, certainly, and these OWASP issues may already be resolved.

LR7 migration is going to be challenging for all of us because of the underlying and significant changes. We're all in the same boat there, so we're all learning the ropes at the same time, Ionut.

Don't give up, though, I'm sure you can make the change work...