fear factor: how secure is ADP's self-service secure portal?!

Last night, when I pointed my Mozilla Firefox 2.0.0.2 browser at ADP's self-service portal at https://portal.adp.com, a code segment was returned at the top of the page. Internet Explorer didn't show this code, but both browsers have the code segment in the source ('view source' option under Tools). It shocked me very much, considering how much corporate payroll and benefits are now serviced by ADP's self-service portal. This, by the way, also helps to prove that HTTPS (HTTP+SSL/TLS) alone won't secure your server, as I wrote earlier.

<% // Need to reconstruct the client's URL, which may have come through a firewall. String firewallName = request.getHeader("x-forwarded-host"); String returnURL = ""; if (firewallName != null) { // The client came through a firewall to get to this page. // The https needs to be hardcoded - no way to derive it. returnURL = "https://" + firewallName + request.getRequestURI(); } else { // The client came to this page directly. returnURL = request.getRequestURL().toString(); } %>

When I viewed the HTML source of the page, sure enough, the code segment was right there between the HEAD section and the BODY section.

</head>
<%
	// Need to reconstruct the client's URL, which may have come through a firewall.
	String firewallName = request.getHeader("x-forwarded-host");
	String returnURL = "";

	if (firewallName != null) {
		// The client came through a firewall to get to this page.
		// The https needs to be hardcoded - no way to derive it.
		returnURL = "https://" + firewallName + request.getRequestURI();
	}
	else {
		// The client came to this page directly.
		returnURL = request.getRequestURL().toString();
	}
%>
<body bgColor=#ffffff leftMargin=0 topMargin=0 marginwidth="0" marginheight="0">
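The leaked scriptlet deserves a second look on its own merits: it builds the page's return URL from whatever the X-Forwarded-Host request header happens to contain. That is only safe when the front-end proxy always overwrites that header; if a client-supplied value is passed through, the page emits URLs on a host of the client's choosing. The following is an added example (mine, not the portal's or ADP's code) that re-implements the scriptlet's logic in Python over a plain dictionary of headers, so it runs without a servlet container, beside a hardened form that accepts only allowlisted host names. ALLOWED_HOSTS, the internal request_url values and the host attacker.example are assumptions and constructed sample data, not anything taken from the portal.

```python
# Added example: the leaked JSP URL reconstruction ported to Python, beside a
# hardened version. Not the portal's code. ALLOWED_HOSTS and all sample hosts
# below are assumptions / constructed test data.
from typing import Mapping, Optional, FrozenSet

# Assumed: the public hostnames the front-end proxy is known to serve this
# application under. Only these may come back in X-Forwarded-Host.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"portal.adp.com"})


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, like HttpServletRequest.getHeader()."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def return_url_as_leaked(headers: Mapping[str, str], request_uri: str,
                         request_url: str) -> str:
    """Direct port of the leaked scriptlet.

    If X-Forwarded-Host is present it is spliced into the URL unchecked, so
    the result is only as trustworthy as whoever set that header.
    """
    forwarded = header(headers, "x-forwarded-host")
    if forwarded is not None:
        return "https://" + forwarded + request_uri
    return request_url


def trusted_forwarded_host(headers: Mapping[str, str],
                           allowed: FrozenSet[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return the forwarded host only if it is on the allowlist, else None.

    X-Forwarded-Host may carry a comma-separated chain when several proxies
    are stacked; the first entry is the name the client originally used.
    An explicit port (host:8443) is not on the allowlist and is rejected.
    """
    forwarded = header(headers, "x-forwarded-host")
    if forwarded is None:
        return None
    host = forwarded.split(",")[0].strip().lower()
    return host if host in allowed else None


def return_url_hardened(headers: Mapping[str, str], request_uri: str,
                        request_url: str,
                        allowed: FrozenSet[str] = ALLOWED_HOSTS) -> str:
    """Same reconstruction, refusing any forwarded host not on the allowlist.

    The URI must be an absolute path so that the concatenation cannot run the
    host name and the path together into something unexpected.
    """
    if not request_uri.startswith("/"):
        raise ValueError("request URI must be an absolute path: %r" % request_uri)
    if header(headers, "x-forwarded-host") is not None:
        host = trusted_forwarded_host(headers, allowed)
        if host is None:
            raise ValueError("untrusted X-Forwarded-Host: %r"
                             % header(headers, "x-forwarded-host"))
        return "https://" + host + request_uri
    return request_url


if __name__ == "__main__":
    # Constructed hostile request: a client sets the header itself.
    spoofed = {"X-Forwarded-Host": "attacker.example"}
    origin = "https://app-server.internal/index.jsp"  # constructed internal origin
    print("leaked logic  :", return_url_as_leaked(spoofed, "/index.jsp", origin))
    try:
        print("hardened logic:", return_url_hardened(spoofed, "/index.jsp", origin))
    except ValueError as err:
        print("hardened logic: rejected (%s)" % err)
```

The allowlist is the essential part: the scriptlet's comment is right that the scheme cannot be derived from the request, but the host cannot be derived from an arbitrary client header either. Whether the original deployment was exposed depends entirely on whether its proxy stripped or overwrote X-Forwarded-Host, which the leaked page does not tell us.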

Further down the page, it did it again, with a twist.

<%--
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="250" height="250">
<param name="movie" value="images/splash_image.swf">
<param name=quality value=high>
</object>
--%>

Talking with a friend last night, he complained that the QA people at his work only know how to stare at the browser screen. It seems ADP's site could not even pass that poor man's test. No wonder that at the bottom of a pretty Flash animation it states "This site requires Microsoft Internet Explorer Version 5.5 or higher".

IE 7 (Internet Explorer) is tolerant: it treated the stray <% ... %> as markup it did not understand and rendered nothing for it, which is why the page looked clean there. Firefox, sticking closer to the standard, rendered the text it could not parse as a tag. Note what the two fragments actually are. <% ... %> is a JSP scriptlet, code that is supposed to execute on the server; <%-- ... --%> is a JSP comment, which the container strips when it translates the page. A properly compiled JSP emits neither, so their presence in the response means those fragments were never processed by the JSP engine at all (whether the file was served as static content or pasted into a plain HTML template, the source was disclosed either way). The level of skill or knowledge needed to get this wrong is shocking. Even more shocking is the absence or inadequacy of any security scrutiny or procedure to catch it in test/QA before it became publicly visible, and a browser-screen check is not enough, since one of the two major browsers hid the problem.
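A check that would have caught this in QA, as an added example (not from the original post and not ADP's tooling): scan the raw response body, not the rendered screen, for server-side template syntax that must never reach a browser. The pattern list is mine; the sample response is constructed from the fragments quoted above and is not a capture of the live page.

```python
# Added example: detect server-side template syntax leaking into an HTTP
# response body. Not part of the original post. SAMPLE_RESPONSE is a
# constructed reduction of the fragments quoted in the post.
import re
from typing import List, Tuple

# Server-side syntax that must never appear in a delivered page.
# "scriptlet" also covers <%= ... %> expressions and <%@ ... %> directives
# (JSP and classic ASP share the form); a JSP comment uses the distinct
# <%-- ... --%> delimiters and is reported separately. The PHP pattern is
# written so that an XML prolog (<?xml ... ?>) is not a false positive.
LEAK_PATTERNS = [
    ("jsp_comment", re.compile(r"<%--[\s\S]*?--%>")),
    ("scriptlet",   re.compile(r"<%(?!--)[\s\S]*?%>")),
    ("php",         re.compile(r"<\?(?:php\b|=)[\s\S]*?\?>")),
]

Finding = Tuple[str, int, str]  # (kind, 1-based line number, first line of the match)


def find_leaked_server_code(body: str) -> List[Finding]:
    """Return every template fragment found in a response body, in page order."""
    findings: List[Finding] = []
    for kind, pattern in LEAK_PATTERNS:
        for match in pattern.finditer(body):
            line_no = body.count("\n", 0, match.start()) + 1
            first_line = match.group(0).splitlines()[0]
            findings.append((kind, line_no, first_line))
    findings.sort(key=lambda finding: finding[1])
    return findings


def response_is_clean(body: str) -> bool:
    """True when no server-side template syntax is present in the body."""
    return not find_leaked_server_code(body)


# Constructed sample: the structure of the page described in the post,
# reduced to the lines that matter for the check.
SAMPLE_RESPONSE = """<html>
<head><title>constructed sample</title></head>
<%
    // Need to reconstruct the client's URL, which may have come through a firewall.
    String firewallName = request.getHeader("x-forwarded-host");
%>
<body>
<%--
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="250" height="250">
<param name="movie" value="images/splash_image.swf">
</object>
--%>
</body>
</html>
"""


if __name__ == "__main__":
    for kind, line_no, first_line in find_leaked_server_code(SAMPLE_RESPONSE):
        print("%-12s line %d: %s" % (kind, line_no, first_line))
    print("clean:", response_is_clean(SAMPLE_RESPONSE))
```

Run this over the body returned by the HTTP client in an integration test and fail the build on any finding; the point of working on the raw bytes is that browser rendering hides exactly the class of leak this page shows.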

It has become nearly common sense that today's Internet is not the friendly place it was in the good old days. This makes you wonder how much you can trust these so-called secure portals. If they can't do it correctly and securely on a public-facing portal, how much should you trust the associated back-end systems?

32 Comments »

  1. Frank Smith said,

    March 26, 2007 @ 7:40 pm

    Let me get this straight - you found some stray JSP comments in an HTML document and you’re ready to declare an entire site insecure? Is it a stupid programmer trick? Sure. But is it a huge security hole? Hardly. Looks like you have some anti-ADP axe to grind.

  2. experts8 said,

    March 26, 2007 @ 9:29 pm

    No, I don't have an axe to grind against ADP, just against its insecure coding practice on the first page of its "secure portal".
    The mere appearance of valid or invalid JSP code in the HTML source generated from a JSP is a clear indication that best security coding practice was not followed. Since this is the foremost page of the portal and the error is so obvious and rudimentary, or stupid, it casts some doubt on the coding quality of the entire portal, at least by InfoSec standards.

  3. experts8 said,

    June 13, 2007 @ 10:40 pm

    Curiously enough, the bug has been fixed. Visiting the same ADP secure portal using the Firefox browser doesn't give these symptoms now. I noticed this a while back but kept forgetting to add a note here. Ah, getting old like everybody else ;)
    Not sure whether this is an upgrade on its own. The shameful IE-only banner now requires "IE 6 and above", while it used to be "IE 5.5 and above".
