Showing posts from June, 2015

Disabling PS_TOKEN with PSEatCookies Filter

As many of you have probably heard, there has been much discussion over the past few weeks regarding vulnerabilities in PeopleSoft's PS_TOKEN. The talk all started after a presentation from ERPScan, which showed that a PeopleSoft node's password can be recovered by brute force against a captured PS_TOKEN. Once an attacker has the node password, they can generate their own valid PS_TOKEN for any user ID. Now, word is that Oracle plans to strengthen the salted SHA-1 hash that protects the token in PeopleTools 8.55. However, it will probably be a long way off before most of us get to 8.55, and when we do get there, who's to say how long the new algorithm will be considered secure?

One option is to simply disable the PS_TOKEN, and therefore prevent this vulnerability altogether! The problem is, PeopleSoft does not give us the option to disable it. I decided to come up with a proof of concept for a custom solution to this issue. I wrote a Java servlet filter, called PSEatCookies, that will prevent a PS_TOKEN, or any othe
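To show the mechanism a filter like this relies on, here is an added example of a cookie-eating servlet filter. It is not the PSEatCookies source and is not taken from the post; the class name CookieEatingFilter and the init-param name cookieNames are assumptions made for illustration. The idea is to wrap the HttpServletResponse so that every path by which a servlet can emit a cookie (addCookie, setHeader, addHeader with Set-Cookie) is intercepted, and any cookie whose name is on the configured block list is silently dropped before it ever reaches the browser.

```java
// Added example, not the PSEatCookies code from the post. Class and
// init-param names are illustrative assumptions.
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class CookieEatingFilter implements Filter {

    /** Lower-cased cookie names that must never be sent to the client. */
    private Set<String> blockedNames = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        // Comma-separated list from web.xml, e.g. <param-value>PS_TOKEN</param-value>
        String param = config.getInitParameter("cookieNames");
        Set<String> names = new HashSet<>();
        if (param != null) {
            for (String n : param.split(",")) {
                String trimmed = n.trim().toLowerCase(Locale.ROOT);
                if (!trimmed.isEmpty()) {
                    names.add(trimmed);
                }
            }
        }
        blockedNames = names;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand downstream code a wrapped response that eats blocked cookies.
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new EatingResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
    }

    /** True when a cookie with this name is on the block list (case-insensitive). */
    boolean isBlocked(String cookieName) {
        return cookieName != null
                && blockedNames.contains(cookieName.trim().toLowerCase(Locale.ROOT));
    }

    /** Pulls the cookie name out of a raw Set-Cookie value such as "PS_TOKEN=abc; Path=/". */
    static String cookieNameOf(String setCookieValue) {
        int eq = setCookieValue.indexOf('=');
        int semi = setCookieValue.indexOf(';');
        int end = eq >= 0 ? eq : (semi >= 0 ? semi : setCookieValue.length());
        return setCookieValue.substring(0, end).trim();
    }

    /** Response wrapper that intercepts every way a servlet can emit a cookie. */
    private class EatingResponse extends HttpServletResponseWrapper {
        EatingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (!isBlocked(cookie.getName())) {
                super.addCookie(cookie);
            }
        }

        @Override
        public void setHeader(String name, String value) {
            if (!isBlockedSetCookie(name, value)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!isBlockedSetCookie(name, value)) {
                super.addHeader(name, value);
            }
        }

        // Cookies written as a raw header bypass addCookie, so check those too.
        private boolean isBlockedSetCookie(String name, String value) {
            return "set-cookie".equalsIgnoreCase(name)
                    && value != null
                    && isBlocked(cookieNameOf(value));
        }
    }
}
```

To activate it, register the class as a filter in the web application's web.xml with a cookieNames init-param of PS_TOKEN and map it to /* so it sits in front of every PeopleSoft servlet. One caveat to test before relying on this: PS_TOKEN is the cookie PeopleSoft single signon between nodes depends on, so eating it trades that convenience for closing the brute-force exposure described above.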