How to enable penetration testing, and information about Developer Portal cookies
Many security features are available in the Developer Portal, but if you need to do a penetration test of your Developer Portal site, some of these features might block the scan that is required as part of the testing. This topic provides guidance on the security features that you might need to disable to allow penetration testing of your site, as well as information about Developer Portal cookies.
- If you run a pen test, and you give the automated test tool the admin credentials, the tool submits all of the administration configuration forms as well, and this action is likely to break the Portal site configuration. Best practice is to use different credentials for the testing.
- If you disable security modules, and then run security scans, your Portal site configuration might be broken by the scanning process. Before running any security testing, ensure that you have a valid backup of your Portal site.
- If your Portal site configuration is broken by the security testing, then you must delete the
Portal site from the API
Manager Catalog settings and re-create it, or restore it from a backup.For information about restoring your site, see the appropriate topic for your environment:
- Note that disabling of security modules makes it highly likely that you will find issues that are not actually vulnerabilities, because you have disabled the modules that are designed to protect against these vulnerabilities. Therefore, any issue that is found in these circumstances must be replicated in an environment without the security modules disabled, before contacting IBM Support.
- Do not use the
Enforced
mode of theContent Security Policy
, this mode is not supported and can break core Developer Portal functionality such as API rendering and the content editor. TheContent Security Policy
must be inReport only
mode.
Honeypot
module to
allow your penetration test to run. For more information, see Using Honeypot for spam protection.CAPTCHA and reCAPTCHA verifications
CAPTCHA and reCAPTCHA verifications are a type of challenge-response test that are used in web applications to check whether the user is human. By default, your Developer Portal site is configured with an Image based CAPTURE challenge enabled, but you can also configure a Math based CAPTCHA challenge, and Checkbox, Invisible, and Android reCAPTCHA challenges. If you need to disable these verifications before pen testing, see the following instructions.
- Log in to the Developer Portal as an administrator.
- If the administrator dashboard is not displayed, click Manage to display it.
- On the administrator dashboard, click .
- Search through the list of modules, and select the check boxes next to the Image CAPTCHA and reCAPTCHA modules.
- Click Disable, and click Disable again to confirm.
- On the Disable tab, select the check box next to the CAPTCHA module, and click Disable. The display shows the forms that the CAPTCHA configuration is removed from.
- Click Disable again to confirm. Note that the modules must be disabled in this order.
Drupal Perimeter Defense module
The Drupal Perimeter Defense module (machine name: perimeter) immediately bans the IP addresses of those users that send suspicious requests to your site, so any pen testing scans would be blocked. This module is enabled by default on the Developer Portal. For more information about the module, see the Drupal documentation Drupal Perimeter Defense module.
- Log in to the Developer Portal as an administrator.
- If the administrator dashboard is not displayed, click Manage to display it.
- On the administrator dashboard, click .
- Search through the list of modules, and select the check box next to the Drupal Perimeter Defense module.
- Click Disable, and click Disable again to confirm.
Login Security module
The Login Security module (machine name: login_security) enables the site administrator to improve the security options in the login operation of your Developer Portal site. For example, controlling the number of invalid login attempts before blocking users, and denying access by IP address. This module is enabled by default on the Developer Portal. For more information about the module, see the Drupal documentation Login Security module.
- Log in to the Developer Portal as an administrator.
- If the administrator dashboard is not displayed, click Manage to display it.
- On the administrator dashboard, click .
- In the Login Security window, update the security options according to your requirements.
- Click Save configuration to save your updates.
Developer Portal cookies
httponly
flag set. Thus, JavaScript can
delete the cookie whenever required. - Drupal session identifier cookie
- This is the main cookie that all of the Developer Portal
sites have, and it stores the session identification. The session cookie is named in the format
SSESSUUID, where
UUID is a randomly generated unique string of characters for
that session, and this is the session token itself. The session cookie is always marked with the
following flags as instructions to the browser client:
Secure
- means that the cookie is sent only over a secure connection (that is, over TLS).HttpOnly
- means that the browser adds this cookie on outbound requests only, and not provide the value to client side javascript.
- session_store.id cookie
- This cookie is used to store information on where a user is in the subscription flow, and any
options that they selected, if they haven't yet signed in, so the Developer Portal can
redirect them back there later. The session_store.id cookie is also marked with the
Secure
andHttpOnly
flags, and it does not contain any confidential information. - Drupal.visitor.startSubscriptionWizard cookie
- This cookie is used to store information on where a user started in the subscription flow if
they haven't yet signed in, so the Developer Portal can
redirect them back there later. The Drupal.visitor.startSubscriptionWizard cookie is also marked
with the
Secure
andHttpOnly
flags, and it does not contain any confidential information. - portal_web cookie
- This cookie is used to achieve session persistence, which it does by ensuring that web traffic
between the user and the Developer Portal is
correctly routed to the server. The portal_web cookie is used for both HTTP and HTTPS
communications, so that routing is meaningful irrespective of the transfer protocol, and ensuring
consistent behavior if the switching of protocols is required. The cookie contains only a hash of
the pod that served the traffic to maintain session persistence, and does not contain any
confidential information. The cookie is provided by the Portal ingress. This cookie is not marked as
Secure
orHttpOnly
, as the Kubernetes ingress does not yet support these attributes. - Other cookies
- In addition to the cookies listed previously, there are other (usually temporary) cookies that might be created depending on the configuration options of your Developer Portal site. For example, if the site uses OAuth for authentication, then during the OAuth token activation flow a JSON Web Token is sent to the browser. This token is stored in a cookie for a limited lifetime. This action is part of the normal function of an OAuth flow. As the creation of these other cookies depends on your particular Developer Portal configuration, we cannot provide a complete list of cookies here.
Should I test the Developer Portal for vulnerability to Distributed Denial of Service attacks?
When you run penetration testing, it's important to understand that individual systems are not responsible for (nor capable of dealing with) Distributed Denial of Service (DDoS) attacks. DDoS attacks are launched by huge numbers of external computers simultaneously, with a goal of using up all of the resources of a system, and thereby denying service to legitimate users. These kinds of attacks are usually defended against at the level of the network and edge gateways, and information about how to protect against them is out of the scope of this topic. Although the Developer Portal does have some capabilities, including the modules mentioned previously, for potentially mitigating some of the effects of a DDoS attack, do not rely on these capabilities as the first line of defense; rather they are designed to assist in dealing only with any elements of an attack that might have gotten through the outer network layers of protection.