WebSphere Portal FAQ

How do you know if an application is running on WebSphere Portal?

WebSphere Portal applications typically have very long URLs that begin with /wps/portal or /wps/myportal followed by encoded sections. For example:

http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/fY7BcoIwFAC_xS94T4QCx6Rpk6qlo20x5tIJShEIJoID0q-vnfFq97Yze1hQIEEddV8W-lzaozZ_rh6-HjkRfrhERBZ4-EKESBmde5ggzEEVxmbXNGW7-sIsKdgTW3c_B3xmpzBfnacLv6QuIfxVHKJGhmNfzToue8nWdKg4fx8jtaT9MJpB2zQPgqLp9GrADyey0tvvL1F9Snftm_y0cbuw8Xbmvg2NN6412wlsQP27GAa3AO9AEBJhmxxcnWHlk8kverBIBQ!!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/

Which versions of WebSphere Portal are supported?

Versions 6.1 and later are supported.

Why does OpenText DAST require special settings to scan a WebSphere Portal application?

The encoded sections of the URL include what is called "navigation state," which contains information about how to display elements in the current page (similar to VIEWSTATE in .NET) plus the navigation history. It is this navigation history that is troublesome for automated crawlers. As the crawler visits each link, the navigation state is updated. This causes links on a page that the crawler may have already visited to change continuously. Since these look like new links, the crawler visits them and becomes trapped in an endless cycle.

When the WebSphere Portal overlay is selected, OpenText DAST can decode the navigation state in a URL and determine if the URL has already been visited. This prevents the crawler from continuously visiting the same page over and over again.

How does OpenText DAST decode the navigation state?

WebSphere Portal 6.1 and later include a URL decoding service. When the WebSphere Portal overlay is selected, OpenText DAST can pass a URL to the decoding service and evaluate the response to determine if this URL has already been visited. Although the decoding service is on by default, it is possible to turn it off in your WebSphere Portal server configuration. To get a good scan of your site with OpenText DAST, the decoding service must be enabled.

Is the navigation state just a special kind of session ID?

No. Navigation state does not contain any session information. The session is maintained via cookies.

Are there any special instructions when recording a login macro?

Make sure that the cookies JSESSIONID and LtpaToken are set as state parameters.

Why does the site tree contain deeply nested folders?

OpenText DAST's site tree does not currently understand how to parse the navigation state in WebSphere Portal URLs. It treats each section as a directory. These are, of course, not real directories. You will generally need to drill down to the lowest level of each branch to see the real content.

Is there any limitation on what types of attacks OpenText DAST can perform on WebSphere Portal applications?

OpenText DAST can perform all manipulation attacks on WebSphere Portal applications. This includes (but is not limited to) XSS, SQL Injection, CSRF, RFI, LFI and others. OpenText DAST will not perform any site search attacks when scanning a WebSphere Portal site. These include searching for backup files (.bak, .old), hidden files, hidden directories and platform-specific configuration files. The reason for this exclusion is that almost any request results in a 200 response showing the default portal view, so there is no way to distinguish an error response from a valid one.

How can you tell if the crawler is working correctly on a WebSphere Portal site?

The WebSphere Portal decoding service must be enabled and reachable on the server for the crawler to perform optimally. You can confirm if this is working by manually decoding a URL. Copy a URL from your site and modify it like this:

http://myhost.com/wps/poc?uri=state:<path with navigation state>&mode=download

You should get an XML response. Alternatively, start a scan of your site with the WebSphere Portal overlay selected. Enable Traffic Monitor or run the scan through the Web Proxy. You should see periodic requests to the decoder service in the following format:

http://myhost.com/wps/poc?uri=state:<path with navigation state>&mode=download

Another thing to consider is that the path of the decoding service can be changed on the server. If this is the case, you will need to modify your scan settings manually. Contact Customer Support for assistance.

It is also possible to modify the navigation state marker. By default this is !ut/p. If this is changed from the default on the server, you will need to modify your scan settings manually. Contact Customer Support for assistance.
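The following helpers, added here as an illustration and not part of OpenText DAST or WebSphere Portal, show how the pieces described in this FAQ fit together: recognising a portal URL by its /wps/portal or /wps/myportal prefix and the !ut/p marker, isolating the navigation state, building the manual decoder-service request, and spotting the re-visit pattern that traps an unaware crawler. The sample URLs are constructed, the marker and decoder path are the FAQ defaults (both parameterised because the FAQ notes they can be changed on the server), and passing the entire portal path to the decoder is an assumption.

```python
"""Added example (not OpenText DAST code): WebSphere Portal URL helpers."""
from urllib.parse import urlsplit, urlunsplit, quote

PORTAL_PREFIXES = ("/wps/portal", "/wps/myportal")
DEFAULT_MARKER = "!ut/p"       # navigation state marker, FAQ default
DEFAULT_DECODER = "/wps/poc"   # decoding service path, FAQ default


def is_portal_url(url, marker=DEFAULT_MARKER):
    """True when the path has a portal prefix and carries the navigation state marker."""
    path = urlsplit(url).path
    return path.startswith(PORTAL_PREFIXES) and f"/{marker}/" in path


def split_navigation_state(url, marker=DEFAULT_MARKER):
    """Return (content_path, nav_state) or None when the marker is absent.
    content_path is the part before the marker; nav_state starts at the marker."""
    path = urlsplit(url).path
    idx = path.find(f"/{marker}/")
    if idx < 0:
        return None
    return path[:idx], path[idx + 1:]


def build_decoder_url(url, decoder=DEFAULT_DECODER):
    """Build the manual check from the FAQ: /wps/poc?uri=state:<path>&mode=download.
    Assumption: the whole portal path is passed after 'state:'."""
    parts = urlsplit(url)
    state = quote(parts.path, safe="/!")  # keep '/' and '!' readable
    query = f"uri=state:{state}&mode=download"
    return urlunsplit((parts.scheme, parts.netloc, decoder, query, ""))


def trap_candidates(urls, marker=DEFAULT_MARKER):
    """Group portal URLs by content path. A content path seen with several
    distinct navigation states is the pattern the FAQ describes: the same
    page re-appearing as a 'new' link each time the state is updated."""
    groups = {}
    for u in urls:
        parts = split_navigation_state(u, marker)
        if parts is None:
            continue
        content, state = parts
        groups.setdefault(content, set()).add(state)
    return {c: len(s) for c, s in groups.items() if len(s) > 1}


# Constructed sample traffic: three visits to the same portal page with
# different navigation states, one other page, and one non-portal URL.
SAMPLE_URLS = [
    "http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/AbCd_ef-12!!/dl4/",
    "http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/XyZ9_qq-34!!/dl4/",
    "http://myhost.com/wps/portal/internet/customers/home/!ut/p/b1/Mn0P_rs-56!!/dl4/",
    "http://myhost.com/wps/portal/internet/customers/orders/!ut/p/b1/Qq1R_tt-78!!/dl4/",
    "http://myhost.com/static/logo.png",
]
```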

For more information, see Support and documentation.