This is a guest post by a PeopleSoft security researcher. PeopleSoft has introduced a new parameter on Node Definitions called the CheckTokenID. This parameter is required if you plan on using PeopleSoft Single Signon. In this post we will take a look at what exactly this Check Token feature is,… Read More »Understanding the Check Token ID in PeopleTools 8.56
In Episode 6 of The PeopleSoft Administrator Podcast, Dan and Kyle talk about the TokenChpoken (or PS_TOKEN) vulnerability. We explain how the vulnerability works and how to mitigate it, Oracle CPU’s and Java Patching. Kyle shares a handy tip to clear end-user cache from the web profile. We want to… Read More »#6 – TokenChpoken and Other Security Issues
From Kyle Benson: a servlet filter to remove PS_TOKEN from the response cookie: One option is to simply disable the PS_TOKEN, and therefore prevent this vulnerability altogether! The problem is, PeopleSoft does not give us the option to disable it. I decided to come up with a proof of concept… Read More »PSEatCookies
Last week a presentation at Hack in the Box, “Oracle PeopleSoft Applications are Under Attack”, focused on vulnerabilities in PeopleSoft applications. The presentation showed a number of ways that hackers could get access to a system. While some of the issues need to be fixed by Oracle (like poor encryption),… Read More »Limit PeopleSoft Vulnerabilities