Sitecore might be secure, but your site isn't


589 views

Published on

Presentation about Sitecore and common security flaws that was given at the SUGCON conference in Copenhagen, Denmark. Find sources on https://github.com/BasLijten/Securitycore

Published in: Technology

  1. Sitecore might be secure, but YOUR site isn’t
     Bas Lijten, April 25th, 2016
     #sugcon, @baslijten
  2. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved.
  3. Bas Lijten, Principal Architect, The Netherlands
     Tracker.Current.Session.Identify bas
     linkedin.com/in/baslijten, blog.baslijten.com, Twitter.com/baslijten
  4. (image slide, no text)
  5. Meet Evilcore™ and Safecore™. Download it on GitHub/BasLijten!
  6. What can you expect?
     • No Sitecore vulnerabilities
     • Small tips / tricks (references to my and other blogs)
     • Explanation with some mitigations
     • 3 demos
  7. Man in the middle attack
  8. Man in the middle attack
  9. Man in the middle attack
  10. Pineapple WiFi - Jasager: ?? YES
  11. Pineapple WiFi - Jasager
  12. Pineapple WiFi - Jasager (request flow)
      1: GET
      2: GET
      3: RESPONSE: HTML FORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN”; POST USERNAME PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN
      4: RESPONSE: HTML FORM ACTION=HTTPS://WWW.SUGCON.EU/LOGIN, inject malicious javascript; send username/password via js, POST USERNAME PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN
  13. Still think you don’t need HTTPS? Faster, Free, SEO
  14. Mitigations
      • Don’t access public WiFi
      • Transport Layer Security
      • HTTP Strict Transport Security
      • Certificate Pinning
  15. XSS – Cross Site Scripting: possibility to inject client-side scripts into webpages
      • Reflective
      • Persistent
      • Leads to other risks, such as Session Hijacking, browser takeovers
  16. XSS – Reflective XSS
      $('#searchTerm').val(' searchterm ');
      Trusted data | Untrusted data | Trusted data
  17. XSS – Reflective XSS
      $('#searchTerm').val(' ');alert('pwned');// ');
      Trusted data | Untrusted data | Trusted data
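The breakout on slides 16 and 17, together with the "output encoding (Javascript)" mitigation from slide 22, as an added example that is not code from the deck or the Securitycore repository: the template and the payload are the slides' own, while the encoder, the quote-count invariant and the function names are constructed here.

```javascript
// Template from slides 16-17; the middle value is the only untrusted part.
const renderTemplate = (value) => `$('#searchTerm').val('${value}');`;

// Attacker-controlled search term (constructed, copied from slide 17).
const PAYLOAD = "');alert('pwned');//";

// Vulnerable rendering: the untrusted value is concatenated as-is, so the
// first quote in PAYLOAD closes the literal and the rest runs as code.
function naiveRender(searchTerm) {
  return renderTemplate(searchTerm);
}

// Encoder for the JavaScript string context (the OWASP XSS Prevention Cheat
// Sheet rule for JavaScript data values): every character outside [A-Za-z0-9]
// becomes \xHH or \uHHHH, so quotes, backslashes, '/' and '<' can neither
// close the literal nor end the <script> block.
function encodeForJavaScript(input) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);        // UTF-16 units; surrogate pairs stay valid as \uD8xx\uDCxx
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (code <= 0xff) out += '\\x' + code.toString(16).padStart(2, '0');
    else out += '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Hardened rendering: encode before the value is placed inside the literal.
function safeRender(searchTerm) {
  return renderTemplate(encodeForJavaScript(searchTerm));
}

// Invariant a template test can assert: the rendered script must contain
// exactly the four single quotes the template owns ('#searchTerm' plus the
// value's delimiters). Any extra quote means untrusted data closed the literal.
function countQuotes(script) {
  return (script.match(/'/g) || []).length;
}

// Inverse of the encoder, used to confirm the user's search term survives intact.
function decodeJsEscapes(encoded) {
  return encoded.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}
```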
  18. Bad Session and Authentication management
      1. Login & Identify
      2. Get xDB data
      3. Put xDB data in Session
      4. Return cookies
      5. Change Session ID to XXX
      6. Send email with malicious JavaScript (SessionID: XXX)
  19. Bad Session and Authentication management
      1. Open email
      2. Visit Link (Session ID: XXX); Login, Send Session ID
      3. Identification on Session ID XXX
      4. Get xDB data
      5. Put xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
      6. Return response
  20. Bad Session and Authentication management
      1. Refresh browser (Session ID: XXX)
      2. Get xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
      3. Identification on Session ID XXX
      3. Return victim’s data
  21. (image slide, no text)
  22. XSS – mitigations & Bad Session Management
      XSS
      • Output encoding (CSS, Javascript, Xml, HTML)
      • Content Security Policy
      Bad Session management
      • Don’t clear cookies
      • Change your Session ID after Login and Logout
  23. SQL Injection
  24. Security Misconfiguration: Sitecore → core, master, web
  25. Security Misconfiguration: Sitecore → core, master, web; comments → Comments
  26. Security Misconfiguration: Sitecore → core, master, web; comments → Comments. Same credentials, same instance
  27. Security Misconfiguration: Sitecore → core, master, web; comments → Comments. Other credentials
  28. Security Misconfiguration: Sitecore → core, master, web; comments → Comments. Other credentials, other instance
  29. SQL Injection & Security Misconfiguration
      • Parameterize your queries
      • Use different credentials
      • Separate custom databases from Sitecore
  30. Summary
      Insufficient Transport Layer Protection
      • Don’t connect to public wifi
      • Use Transport Layer Security
      • Enforce HTTPS (HSTS header) to prevent stripping
      Broken authentication / session management
      • Session fixation
      • XSS needed
      • Don’t remove cookies
      XSS (Reflective/Persistent)
      • Don’t trust data
      • Encode your (untrusted) data
      • Use frameworks
      SQL Injection
      • Parameterize queries
      • Use frameworks
      Security Misconfiguration
      • Least possible permissions
      • Don’t share credentials
  31. Upcoming blogposts
      • How to change your authentication provider and use a modern hashing algorithm
      • Why mixing HTTP and HTTPS gives a false sense of security
      • Using HTTPS? Don’t forget to apply these settings!
  32. Topic specific information (Topic: Url)
      Secure connections: Still think you don’t need HTTPS?
      Secure connections: Understanding HTTP Strict Transport Security
      Secure connections: Wifi Pineapple
      Secure connections: Certificate Pinning
      XSS: XSS Prevention Cheat Sheet
      XSS: Content Security Policy Header
      XSS: Report-uri.io
      XSS: Beef
      SQL Injection: SQL Injection Cheat Sheet
      SQL Injection: SQL Map
      Security Misconfiguration: OWASP
      Broken Session and Authentication Management: OWASP
  33. General sources of Information (Source: Description)
      Bas Lijten: My blog ;)
      Securitycore: My evilcore/safecore Github repository
      Pluralsight: Ethical hacking courses, 40+ hours on security training
      OWASP: Open Web Application Security Project
      Troy Hunt: Security blogger
      Dale Meredith: Security blogger, author of ethical hacking courses
      Microsoft SDLC: Microsoft Secure Development Lifecycle
      Beef: Browser Exploitation Framework
  34. Thank you! linkedin.com/in/baslijten, blog.baslijten.com, Twitter.com/baslijten
