Sitecore might be secure, but YOUR site isn’t
Bas Lijten
April 25th, 2016
#sugcon, @baslijten
© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
Tracker.Current.Session.Identify bas
Bas Lijten, Principal Architect, The Netherlands
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten
Meet Evilcoreℱ and Safecoreℱ
Download it on GitHub/BasLijten!
What can you expect?
‱ No Sitecore vulnerabilities
‱ Small tips / tricks (references to my and other blogs)
‱ Explanation with some mitigations
‱ 3 demos
Man in the middle attack
Pineapple WiFi - Jasager
Jasager ("yes-man"): whichever network the client probes for (??), the Pineapple answers YES, so the client associates with it and the Pineapple sits in the middle.
1: GET (client to Pineapple)
2: GET (Pineapple to the real site)
3: RESPONSE: HTML, FORM ACTION="HTTPS://WWW.SUGCON.EU/LOGIN" (real site to Pineapple)
4: RESPONSE: HTML, FORM ACTION="HTTPS://WWW.SUGCON.EU/LOGIN", with malicious javascript injected (Pineapple to client)
The form still POSTs USERNAME and PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN, but the injected script also sends username/password via js. The login page itself travelled over plain HTTP, so the HTTPS form action protects nothing.
Still think you don’t need HTTPS?
‱ Faster
‱ Free
‱ SEO
Mitigations
‱ Don’t access public WiFi
‱ Transport Layer Security
‱ HTTP Strict Transport Security
‱ Certificate Pinning
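As an added example (not code from the talk or from the Evilcore/Safecore repository), the two server-side halves of "Transport Layer Security" plus "HTTP Strict Transport Security" in plain Node.js: plain-HTTP requests are answered only with a redirect to the HTTPS origin, HTTPS responses carry the HSTS header, and a small checker reports whether a given header value is strong enough to stop the stripping shown on the Pineapple slides. The host name www.example.test, the request shape {secure, url} and the 180-day minimum are assumptions made here.

```javascript
// Added example, not from the talk: enforce HTTPS and emit HSTS in plain Node.js.
// CANONICAL_HOST, the request shape {secure, url} and MIN_MAX_AGE are assumptions.
const CANONICAL_HOST = 'www.example.test';           // constructed hostname
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';
const MIN_MAX_AGE = 15552000;                        // 180 days, a common minimum

// Decide how to answer one request; pure so the policy can be tested without sockets.
function decide(req) {
  if (!req.secure) {
    // Plain HTTP never gets content, only a redirect to the HTTPS origin.
    // Browsers ignore Strict-Transport-Security on non-TLS responses (RFC 6797),
    // so sending it here would be pointless; the redirect is what counts.
    return { status: 301, headers: { Location: `https://${CANONICAL_HOST}${req.url}` }, body: '' };
  }
  // Over TLS: pin the browser to HTTPS for a year, for this host and its subdomains,
  // so a later visit typed as http:// is upgraded locally and cannot be stripped.
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS_VALUE,
      'Content-Type': 'text/html; charset=utf-8',
    },
    body: '<!doctype html><title>ok</title>',
  };
}

// Parse an HSTS header value and report whether it actually protects against stripping.
function checkHsts(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v.replace(/^"|"$/g, '');
  }
  const maxAge = Number(directives['max-age']);
  const problems = [];
  if (!Number.isFinite(maxAge)) problems.push('max-age missing or not numeric');
  else if (maxAge < MIN_MAX_AGE) problems.push('max-age shorter than 180 days');
  if (directives.includesubdomains !== true) problems.push('includeSubDomains missing');
  return { ok: problems.length === 0, maxAge, problems };
}

// Adapter for Node's http.createServer((req, res) => ...). Behind a TLS terminator the
// scheme arrives in X-Forwarded-Proto; trust that header only when the proxy is yours.
function nodeHandler(req, res) {
  const secure = req.socket.encrypted === true || req.headers['x-forwarded-proto'] === 'https';
  const out = decide({ secure, url: req.url });
  res.writeHead(out.status, out.headers);
  res.end(out.body);
}
```

Wire `nodeHandler` into both listeners (`http.createServer(nodeHandler)` on port 80 and `https.createServer(tlsOptions, nodeHandler)` on 443); the HTTP listener then exists only to redirect. `checkHsts` is the kind of check to run against your own responses: a short max-age or a missing includeSubDomains leaves a window in which the first http:// request of a visit is still interceptable.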
XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages
‱ Reflective
‱ Persistent
‱ Leads to other risks, such as Session Hijacking, browser takeovers
XSS – Reflective XSS
$('#searchTerm').val(' searchterm ');
Trusted data: $('#searchTerm').val('   Untrusted data: searchterm   Trusted data: ');
With the untrusted part replaced by  ');alert('pwned');//  the page emits:
$('#searchTerm').val(' ');alert('pwned');// ');
The string literal is closed early, alert('pwned') runs as code, and // comments out the rest of the original line.
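As an added example (not code from the talk or from the Evilcore/Safecore repository), the slide's search-term line generated the insecure way and with output encoding for the JavaScript-string context, the mitigation the talk lists later. The stub `$` and `alert` objects and the function names are assumptions made here; they exist only to observe what the generated script does when it runs.

```javascript
// Added example, not from the talk: reflected XSS in a JavaScript string context,
// insecure rendering beside JS-string output encoding. Function names are assumptions.

// Untrusted input, taken verbatim from the slide's payload.
const SAMPLE_PAYLOAD = "');alert('pwned');//";

// Insecure: untrusted data pasted straight into a JavaScript string literal.
function renderInsecure(term) {
  return "$('#searchTerm').val('" + term + "');";
}

// Encode for a JavaScript string-literal context: every character outside
// [A-Za-z0-9] becomes \xHH or \uHHHH, so the data can never close the quote,
// end the statement, or (via encoded < and /) terminate an enclosing <script> block.
function encodeForJsString(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Hardened: the same line, but the untrusted part is encoded for where it lands.
function renderEncoded(term) {
  return "$('#searchTerm').val('" + encodeForJsString(term) + "');";
}

// Run a generated script against stub jQuery/alert objects and record what happened:
// what value reached .val(), and whether alert() was ever invoked.
function execute(script) {
  const calls = { val: null, alert: 0 };
  const $ = () => ({ val: (v) => { calls.val = v; } });
  const alert = () => { calls.alert += 1; };
  new Function('$', 'alert', script)($, alert);
  return calls;
}
```

Running `execute(renderInsecure(SAMPLE_PAYLOAD))` shows `alert` being called, exactly the slide's outcome; `execute(renderEncoded(SAMPLE_PAYLOAD))` never calls `alert` and the search box receives the payload as inert text. Encoding is context-specific: this routine is only right for data inside a JavaScript string literal, and HTML, attribute, CSS and URL contexts each need their own encoder.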
Bad Session and Authentication management
First, the attacker prepares a session:
1. Login & Identify (the attacker logs in to Sitecore)
2. Sitecore gets the xDB data
3. Sitecore puts the xDB data in the Session
4. Sitecore returns the cookies
5. The attacker changes the Session ID to XXX
6. The attacker sends an email with malicious JavaScript that sets SessionID: XXX
Then the victim logs in with the planted Session ID:
1. The victim opens the email
2. The victim visits the link; the script sets Session ID: XXX, the victim logs in and the browser sends Session ID XXX
3. Identification on Session ID XXX
4. Sitecore gets the xDB data
5. Sitecore puts the xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
6. Sitecore returns the response
Finally, the attacker reuses Session ID XXX:
1. The attacker refreshes the browser with Session ID: XXX
2. Sitecore gets the xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
3. Identification on Session ID XXX; Sitecore returns the victim’s data
XSS – mitigations & Bad Session Management
XSS
‱ Output encoding (CSS, Javascript, Xml, HTML)
‱ Content Security Policy
Bad Session management
‱ Don’t clear cookies
‱ Change your Session ID after Login and Logout
SQL Injection
Security Misconfiguration
Sitecore ships with three databases: core, master and web.
A custom comments database is added next to them.
First: comments uses the same credentials as Sitecore, on the same instance.
Then: comments uses other credentials.
Finally: comments uses other credentials, on another instance.
SQL Injection & Security Misconfiguration
‱ Parameterize your queries
‱ Use different credentials
‱ Separate custom databases from Sitecore
Summary
Insufficient Transport Layer Protection
‱ Don’t connect to public wifi
‱ Use Transport Layer Security
‱ Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
‱ Session fixation
‱ XSS needed
‱ Don’t remove cookies
XSS (Reflective/Persistent)
‱ Don’t trust data
‱ Encode your (untrusted) data
‱ Use frameworks
SQL Injection
‱ Parameterize queries
‱ Use frameworks
Security Misconfiguration
‱ Least possible permissions
‱ Don’t share credentials
Upcoming blogposts
‱ How to change your authentication provider and use a modern hashing algorithm
‱ Why mixing HTTP and HTTPS gives a false sense of security
‱ Using HTTPS? Don’t forget to apply these settings!
Topic specific information
Topic                                          Url
Secure connections                             Still think you don’t need HTTPS?
Secure connections                             Understanding HTTP Strict Transport Security
Secure connections                             Wifi Pineapple
Secure connections                             Certificate Pinning
XSS                                            XSS Prevention Cheat Sheet
XSS                                            Content Security Policy Header
XSS                                            Report-uri.io
XSS                                            Beef
SQL Injection                                  SQL Injection Cheat Sheet
SQL Injection                                  SQL Map
Security Misconfiguration                      OWASP
Broken Session and Authentication Management   OWASP
General sources of Information
Source            Description
Bas Lijten        My blog ;)
Securitycore      My evilcore/safecore Github repository
Pluralsight       Ethical hacking courses – 40+ hours on security training
OWASP             Open Web Application Security Project
Troy Hunt         Security blogger
Dale Meredith     Security blogger, author of ethical hacking courses
Microsoft SDLC    Microsoft Secure Development Lifecycle
Beef              Browser Exploitation Framework
Thank you!
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten

Weitere Àhnliche Inhalte

Ähnlich wie Sitecore might be secure, but your site isn't

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?BCS ProSoft
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the NetworkCisco Canada
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8Allen Woods
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptxmnaeemuetcs
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureAchievers Tech
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewallCisco Canada
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareKai WĂ€hner
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixBilly Yuen
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 

Ähnlich wie Sitecore might be secure, but your site isn't (20)

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
 
4.Xss
4.Xss4.Xss
4.Xss
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewall
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for Middleware
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with Hystrix
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 

Mehr von Bas Lijten

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on AzureBas Lijten
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to publicBas Lijten
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...Bas Lijten
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share pointBas Lijten
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPIBas Lijten
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Bas Lijten
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013Bas Lijten
 

Mehr von Bas Lijten (7)

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azure
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to public
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share point
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013
 

KĂŒrzlich hochgeladen

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

KĂŒrzlich hochgeladen (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Sitecore might be secure, but your site isn't

  • 1. Sitecore might be secure, butYOUR site isn’t Bas Lijten April 25th, 2016 #sugcon, @baslijten
  • 2. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
  • 3. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Tracker.Current.Session.Identify bas linkedin.com/in/baslijten blog.baslijten.com Twitter.com/baslijten Bas Lijten The Netherlands PrincipalArchitect
  • 4. 4
  • 5.
  • 6. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Meet Evilcoreℱ and Safecoreℱ Download it on GitHub/BasLijten!
  • 7. What can you expect? ‱ No Sitecore vulnerabilities ‱ Small tips / tricks (references to my and other blogs) ‱ Explanation with some mitigations ‱ 3 demo’s 7
  • 8. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 8 of 127 Man in the middle attack
  • 9. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 9 of 127 Man in the middle attack
  • 10. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 10 Man in the middle attack
  • 11. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 11 Pineapple WiFi - Jasager ?? YES
  • 12. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 12 Pineapple WiFi - Jasager
  • 13. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 13 Pineapple WiFi - Jasager 1: GET 2: GET 3: RESPONSE: HTML FORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN” POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN Send Username/password via js 4: RESPONSE: HTML FORM ACTION= HTTPS://WWW.SUGCON.EU/LOGIN Inject malicious javascript POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN
  • 14. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 14 Still think you don’t need HTTPS? Faster Free SEO
  • 15. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 15 ‱ Don’t access publicWiFi ‱ Transport Layer Security ‱ HTTP StrictTransport Security ‱ Certificate Pinning Mitigations
  • 16. XSS –CrossSiteScripting Possibility to inject client-side scripts into webpages ‱ Reflective ‱ Persistent ‱ Leads to other risks, such as Session Hijacking, browser takeovers 16
  • 17. XSS – Reflective XSS: $('#searchTerm').val(' searchterm '); (trusted data | untrusted data: searchterm | trusted data)
  • 18. XSS – Reflective XSS: $('#searchTerm').val(' ');alert('pwned');// '); (trusted data | untrusted data: ');alert('pwned');// | trusted data)
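Slides 17 and 18 show why the search term has to be encoded for the context it lands in: it sits inside a JavaScript string literal, so HTML encoding alone would not help. The block below is an added example for this transcript, not code from the talk or from evilcore/safecore; it mimics the server-side rendering in Python, and the function names are mine. The encoder follows the JavaScript-context rule of the OWASP XSS Prevention Cheat Sheet (escape everything but alphanumerics as \xHH or \uHHHH), and `js_literal_value` recovers what a browser would assign, which lets the vulnerable and safe renderings be compared without a browser.

```python
"""Reflected XSS into a JavaScript string (slides 17-18): the untrusted search
term is dropped between two trusted pieces of script. Encoding it for the JS
string context keeps an attacker inside the literal. Stand-alone example."""
import ast


def encode_for_js_string(value):
    """Encode untrusted text for a single- or double-quoted JavaScript string
    literal: alphanumerics pass, everything else becomes \\xHH or \\uHHHH."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02X" % code)
        elif code <= 0xFFFF:
            out.append("\\u%04X" % code)
        else:
            # Astral characters become a UTF-16 surrogate pair, as JS expects.
            code -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (code >> 10), 0xDC00 + (code & 0x3FF)))
    return "".join(out)


def render_search_script_vulnerable(term):
    """The evilcore way: raw concatenation of trusted script and untrusted term."""
    return "$('#searchTerm').val('" + term + "');"


def render_search_script_safe(term):
    """The safecore way: encode the untrusted part for the JS string context."""
    return "$('#searchTerm').val('" + encode_for_js_string(term) + "');"


def js_literal_value(script):
    """What the browser's JS parser will assign: evaluate the quoted literal
    between val(' and the final ');. \\xHH and \\uHHHH mean the same in Python
    string literals (for BMP characters), so ast.literal_eval reproduces the
    JS decoding of this encoder's output. Returns None when the input broke
    out of the literal, i.e. when injection succeeded."""
    start = script.index("val('") + len("val('")
    end = script.rindex("');")
    try:
        return ast.literal_eval("'" + script[start:end] + "'")
    except (SyntaxError, ValueError):
        return None


if __name__ == "__main__":
    payload = "');alert('pwned');//"  # the slide-18 input
    vulnerable = render_search_script_vulnerable(payload)
    safe = render_search_script_safe(payload)
    print(vulnerable, "->", js_literal_value(vulnerable))  # None: literal broken
    print(safe, "->", js_literal_value(safe))              # the term, intact
```

The safe rendering still contains the attacker's text, but only as data: the page sets the search box to the literal string `');alert('pwned');//` and nothing executes. This is the "encode your (untrusted) data" point of the summary slide, done per output context rather than with one generic escape.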
  • 19. Bad Session and Authentication management (Sitecore, xDB, Session)
    1. Login & Identify
    2. Get xDB data
    3. Put xDB data in Session
    4. Return cookies (SessionID: XXX)
    5. Change Session ID to XXX
    6. Send email with malicious JavaScript
  • 20. Bad Session and Authentication management (Sitecore, xDB, Session)
    1. Open email
    2. Visit Link, Login, Send Session ID (Session ID: XXX)
    3. Identification on Session ID XXX
    4. Get xDB data
    5. Put xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
    6. Return response
  • 21. Bad Session and Authentication management (Sitecore, xDB, Session)
    1. Refresh browser (Session ID: XXX)
    2. Get xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
    3. Identification on Session ID XXX
    3. Return victim’s data
  • 22.
  • 23. XSS – mitigations & Bad Session Management
    XSS
    • Output encoding (CSS, Javascript, Xml, HTML)
    • Content Security Policy
    Bad Session management
    • Don’t clear cookies
    • Change your Session ID after Login and Logout
  • 24. SQL Injection
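Slides 19 to 21 walk through session fixation, and slide 23 gives the two rules that defeat it: don't just clear the cookie, and change the session ID after login and logout. The store below is an added example written for this transcript; it is plain Python, not Sitecore's or ASP.NET's session code, and the class and function names are mine. `fixation_attempt` replays the three slides against the store with constructed sample data and reports what the attacker can still reach.

```python
"""Session handling that resists the fixation shown on slides 19-21: the
server never honours an ID it did not issue, and it issues a fresh ID at login
and at logout instead of only dropping the cookie. Stand-alone example."""
import secrets


class SessionStore:
    """Server-side sessions keyed by a random ID; the cookie only carries the ID."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits, unguessable

    def start(self):
        """Anonymous session for a first visit."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "xdb": None}
        return sid

    def resolve(self, cookie_id):
        """Look up the session behind a cookie value. Unknown IDs (for example
        an attacker-supplied 'XXX' the server never issued) give None instead
        of silently creating a session under that ID."""
        return self._sessions.get(cookie_id)

    def login(self, cookie_id, user, xdb_data):
        """Authenticate: drop whatever session the browser arrived with and
        issue a fresh ID, so an ID planted before login is worthless after it."""
        self._sessions.pop(cookie_id, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "xdb": xdb_data}
        return sid

    def logout(self, cookie_id):
        """Invalidate server-side and hand out a new anonymous ID. Only
        deleting the cookie (the evilcore mistake) leaves the session, and the
        xDB data loaded into it, alive for anyone who still knows the ID."""
        self._sessions.pop(cookie_id, None)
        return self.start()


def fixation_attempt(store):
    """Replays slides 19-21 against the store; constructed sample data.
    Returns a dict of outcomes an attacker would care about."""
    # Slide 19: attacker logs in, notes his own session ID, logs out, and
    # plants that ID in the victim's browser with the malicious JavaScript.
    planted = store.login(store.start(), "attacker", {"name": "Mallory"})
    store.logout(planted)
    # Slide 20: the victim's browser carries the planted ID and logs in.
    victim_sid = store.login(planted, "bas", {"name": "Bas Lijten", "region": "Brabant"})
    # Slide 21: the attacker refreshes with the planted ID.
    return {
        "victim_got_new_id": victim_sid != planted,
        "planted_id_resolves": store.resolve(planted) is not None,
        "victim_data_present": store.resolve(victim_sid)["xdb"]["region"] == "Brabant",
    }


if __name__ == "__main__":
    print(fixation_attempt(SessionStore()))
    # {'victim_got_new_id': True, 'planted_id_resolves': False, 'victim_data_present': True}
```

The design point is that the session ID is an unforgeable server-issued ticket, never a client-chosen key: a store that creates a session on first sight of any cookie value is what lets the attacker pick "XXX" in the first place.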
  • 25. Security Misconfiguration: Sitecore with its core, master and web databases
  • 26. Security Misconfiguration: core, master, web, plus a custom Comments database used by a comments component
  • 27. Security Misconfiguration: the comments component uses the same credentials and the same instance as Sitecore
  • 28. Security Misconfiguration: the comments component uses other credentials
  • 29. Security Misconfiguration: other credentials and another instance
  • 30. SQL Injection & Security Misconfiguration
    • Parameterize your queries
    • Use different credentials
    • Separate custom databases from Sitecore
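Slides 24 to 30 combine two findings: a custom comments component with a concatenated query, and that component running with Sitecore's own credentials on the same instance, so that an injection reaches far more than the comments table. The block below is an added example for this transcript, not code from the talk or from evilcore/safecore; it uses Python's built-in sqlite3 as a stand-in for the custom Comments database, with a constructed table and sample rows, and the function names are mine. It shows the first mitigation, parameterized queries; the credential and instance separation of slides 28 to 30 is a database-server configuration that sqlite cannot model.

```python
"""SQL injection in a custom comments search (slides 24-30), shown with the
built-in sqlite3 module. Stand-alone example with a constructed table."""
import sqlite3


def open_comments_db():
    """Constructed sample: a comments table with approved and unapproved rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, approved INTEGER)"
    )
    conn.executemany(
        "INSERT INTO comments (author, body, approved) VALUES (?, ?, ?)",
        [
            ("bas", "Nice talk", 1),
            ("alice", "Great demo", 1),
            ("mallory", "unapproved spam", 0),
        ],
    )
    return conn


def search_comments_vulnerable(conn, term):
    """evilcore style: the user's term is concatenated into the statement, so
    the term can change the WHERE clause instead of being compared by it."""
    sql = "SELECT author, body FROM comments WHERE approved = 1 AND body LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_comments_safe(conn, term):
    """safecore style: the term travels as a bound parameter; the database
    receives the statement and the value separately, so quotes in the term
    are just characters to match against."""
    sql = "SELECT author, body FROM comments WHERE approved = 1 AND body LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    conn = open_comments_db()
    # A term that terminates the literal and adds its own condition: the
    # vulnerable query returns every row, including the unapproved one.
    injection = "' OR 1=1 OR body LIKE '"
    print(search_comments_vulnerable(conn, injection))  # all 3 rows
    print(search_comments_safe(conn, injection))        # [] - no body contains that text
    print(search_comments_safe(conn, "demo"))           # [('alice', 'Great demo')]
```

With the bound parameter there is nothing left to "escape": the filter on `approved = 1` can no longer be disabled by the input. On SQL Server the second and third mitigations then limit what a remaining injection could reach, by giving the comments component a login that can only see the Comments database, ideally on its own instance.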
  • 31. Summary
    Insufficient Transport Layer Protection
    • Don’t connect to public wifi
    • Use Transport Layer Security
    • Enforce HTTPS (HSTS header) to prevent stripping
    Broken authentication / session management
    • Session fixation
    • XSS needed
    • Don’t remove cookies
    XSS (Reflective/Persistent)
    • Don’t trust data
    • Encode your (untrusted) data
    • Use frameworks
    SQL Injection
    • Parameterize queries
    • Use frameworks
    Security Misconfiguration
    • Least possible permissions
    • Don’t share credentials
  • 32. Upcoming blogposts
    • How to change your authentication provider and use a modern hashing algorithm
    • Why mixing HTTP and HTTPS gives a false sense of security
    • Using HTTPS? Don’t forget to apply these settings!
  • 33. Topic specific information (Topic: Url)
    Secure connections: Still think you don’t need HTTPS?
    Secure connections: Understanding HTTP Strict Transport Security
    Secure connections: Wifi Pineapple
    Secure connections: Certificate Pinning
    XSS: XSS Prevention Cheat Sheet
    XSS: Content Security Policy Header
    XSS: Report-uri.io
    XSS: Beef
    SQL Injection: SQL Injection Cheat Sheet
    SQL Injection: SQL Map
    Security Misconfiguration: OWASP
    Broken Session and Authentication Management: OWASP
  • 34. General sources of Information (Source: Description)
    Bas Lijten: My blog ;)
    Securitycore: My evilcore/safecore Github repository
    Pluralsight: Ethical hacking courses – 40+ hours on security training
    OWASP: Open Web Application Security Project
    Troy Hunt: Security blogger
    Dale Meredith: Security blogger, author of ethical hacking courses
    Microsoft SDLC: Microsoft Secure Development Lifecycle
    Beef: Browser Exploitation Framework

Editor's notes

  1. Standard: not much interaction. When adding customizations, this changes and security bugs might be introduced
  2. Secure development Sitecore
  3. Largest insurance company of the Netherlands
  4. Top 10 with most critical web application security flaws
  5. Evilcore: with security flaws Safecore: without
  6. Setup via Pineapple WiFi
  7. HTTPS login with the form being served over HTTP -> not safe
  8. HTTPS: * Free, SEO, Faster
  9. What happens when a session is fixated, using the evilcore implementation (I removed the session ID cookie on logout)
  10. The identity doesn’t match the displayed content from the xDB
  11. The BeEF framework, which exploits XSS vulnerabilities; in this case I took a picture with the webcam
  12. Standard Sitecore setup
  13. Situation when a custom component has been added
  14. Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong in case you are vulnerable to SQL injection