Sitecore might be secure, but YOUR site isn’t
Bas Lijten
April 25th, 2016
#sugcon, @baslijten
© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
Bas Lijten
Principal Architect
The Netherlands
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten
Tracker.Current.Session.Identify bas
Meet Evilcore™ and Safecore™
Download it on GitHub/BasLijten!
What can you expect?
• No Sitecore vulnerabilities
• Small tips / tricks (references to my and other blogs)
• Explanation with some mitigations
• 3 demos
Man in the middle attack
Pineapple WiFi - Jasager
?? YES
Login request flowing through the Pineapple:
1: GET (the victim’s browser, via the Pineapple)
2: GET (the Pineapple fetches the page from the real site)
3: RESPONSE: HTML with FORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN”, which POSTs USERNAME and PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN
4: RESPONSE to the victim: the same HTML, FORM ACTION=HTTPS://WWW.SUGCON.EU/LOGIN, with malicious JavaScript injected. The form still POSTs USERNAME and PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN, but the injected script also sends the username/password via JS.
Still think you don’t need HTTPS?
• Faster
• Free
• SEO
Mitigations
• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
• Certificate Pinning
XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages
• Reflective
• Persistent
• Leads to other risks, such as Session Hijacking and browser takeovers
XSS – Reflective XSS
$('#searchTerm').val(' searchterm ');
Trusted data | Untrusted data | Trusted data
XSS – Reflective XSS, with an injected search term
$('#searchTerm').val(' ');alert('pwned');// ');
Trusted data | Untrusted data | Trusted data
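The two slides above show the same template once with a benign search term and once with a search term that closes the string literal. As an added example that is not part of the deck, the JavaScript below renders that template both raw and with JavaScript-string encoding (the \xHH rule from the OWASP XSS Prevention Cheat Sheet listed in the references) and runs the result against stub versions of jQuery and alert, so the difference can be observed without a browser; the template, encoder and stubs are all constructed for this example.

```javascript
// Encode untrusted data for a JavaScript string context: every character that
// is not [A-Za-z0-9] becomes \xHH (or \uHHHH above 0xFF), so quotes, ')' and
// ';' can never terminate the literal the data is placed into.
function encodeForJavaScript(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + code.toString(16).padStart(4, '0').toUpperCase();
  });
}

// The server-side template from the slide: trusted prefix + untrusted data +
// trusted suffix, concatenated into inline JavaScript. Without an encoder the
// untrusted part is pasted in as-is.
function renderSearchScript(searchTerm, encoder) {
  const data = encoder ? encoder(searchTerm) : searchTerm;
  return "$('#searchTerm').val(' " + data + " ');";
}

// Execute the rendered script with stub $ and alert so the outcome is visible:
// what value the search box would receive and whether alert() was reached.
function executeRendered(script) {
  const result = { value: null, alerts: [] };
  const $ = () => ({ val: (v) => { result.value = v; } });
  const alert = (msg) => { result.alerts.push(msg); };
  new Function('$', 'alert', script)($, alert);
  return result;
}

// Constructed inputs: the benign term and the payload shown on the slide.
const BENIGN = 'searchterm';
const PAYLOAD = "');alert('pwned');// ";

// Returns the observed effect for: benign term, raw payload, encoded payload.
function demo() {
  const benign = executeRendered(renderSearchScript(BENIGN));
  const raw = executeRendered(renderSearchScript(PAYLOAD));
  const encoded = executeRendered(renderSearchScript(PAYLOAD, encodeForJavaScript));
  return { benign, raw, encoded };
}
```

In the raw case the string literal is closed early and alert('pwned') runs; in the encoded case the search box simply receives the payload text as its value.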
Bad Session and Authentication management (attacker prepares the fixed session)
1. Login & Identify (Sitecore)
2. Get xDB data
3. Put xDB data in Session
4. Return cookies
5. Change Session ID to XXX
6. Send email with malicious JavaScript (SessionID: XXX)
Bad Session and Authentication management (victim logs in on the fixed session)
1. Open email
2. Visit link; the browser sends Session ID: XXX; Login
3. Identification on Session ID XXX
4. Get xDB data
5. Put xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
6. Return response
Bad Session and Authentication management (attacker reads the victim’s session)
1. Refresh browser (Session ID: XXX)
2. Get xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
3. Identification on Session ID XXX; return victim’s data
XSS – mitigations & Bad Session Management
XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy
Bad Session management
• Don’t clear cookies
• Change your Session ID after Login and Logout
SQL Injection
Security Misconfiguration
Sitecore databases: core, master, web
Custom database: comments
The slides walk through three setups for the comments database:
• Same credentials, same instance as the Sitecore databases
• Other credentials
• Other credentials, other instance
SQL Injection & Security Misconfiguration
• Parameterize your queries
• Use different credentials
• Separate custom databases from Sitecore
Summary
Insufficient Transport Layer Protection
• Don’t connect to public wifi
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
• Session fixation
• XSS needed
• Don’t remove cookies
XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data
• Use frameworks
SQL Injection
• Parameterize queries
• Use frameworks
Security Misconfiguration
• Least possible permissions
• Don’t share credentials
Upcoming blogposts
• How to change your authentication provider and use a modern hashing algorithm
• Why mixing HTTP and HTTPS gives a false sense of security
• Using HTTPS? Don’t forget to apply these settings!
Topic specific information
Topic | Url
Secure connections | Still think you don’t need HTTPS?
Secure connections | Understanding HTTP Strict Transport Security
Secure connections | Wifi Pineapple
Secure connections | Certificate Pinning
XSS | XSS Prevention Cheat Sheet
XSS | Content Security Policy Header
XSS | Report-uri.io
XSS | Beef
SQL Injection | SQL Injection Cheat Sheet
SQL Injection | SQL Map
Security Misconfiguration | OWASP
Broken Session and Authentication Management | OWASP
General sources of Information
Source | Description
Bas Lijten | My blog ;)
Securitycore | My evilcore/safecore GitHub repository
Pluralsight | Ethical hacking courses – 40+ hours of security training
OWASP | Open Web Application Security Project
Troy Hunt | Security blogger
Dale Meredith | Security blogger, author of ethical hacking courses
Microsoft SDLC | Microsoft Secure Development Lifecycle
Beef | Browser Exploitation Framework
Thank you!
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten

Weitere ähnliche Inhalte

Ähnlich wie Sitecore might be secure, but your site isn't

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?BCS ProSoft
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the NetworkCisco Canada
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8Allen Woods
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureAchievers Tech
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewallCisco Canada
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareKai Wähner
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixBilly Yuen
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 

Ähnlich wie Sitecore might be secure, but your site isn't (20)

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
 
4.Xss
4.Xss4.Xss
4.Xss
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewall
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for Middleware
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with Hystrix
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 

Mehr von Bas Lijten

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on AzureBas Lijten
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to publicBas Lijten
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...Bas Lijten
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share pointBas Lijten
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPIBas Lijten
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Bas Lijten
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013Bas Lijten
 

Mehr von Bas Lijten (7)

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azure
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to public
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share point
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013
 

Kürzlich hochgeladen

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?Rustici Software
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Kürzlich hochgeladen (20)

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

Sitecore might be secure, but your site isn't

  • 1. Sitecore might be secure, butYOUR site isn’t Bas Lijten April 25th, 2016 #sugcon, @baslijten
  • 2. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
  • 3. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Tracker.Current.Session.Identify bas linkedin.com/in/baslijten blog.baslijten.com Twitter.com/baslijten Bas Lijten The Netherlands PrincipalArchitect
  • 4. 4
  • 5.
  • 6. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Meet Evilcore™ and Safecore™ Download it on GitHub/BasLijten!
  • 7. What can you expect? • No Sitecore vulnerabilities • Small tips / tricks (references to my and other blogs) • Explanation with some mitigations • 3 demo’s 7
  • 8. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 8 of 127 Man in the middle attack
  • 9. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 9 of 127 Man in the middle attack
  • 10. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 10 Man in the middle attack
  • 11. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 11 Pineapple WiFi - Jasager ?? YES
  • 12. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 12 Pineapple WiFi - Jasager
  • 13. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 13 Pineapple WiFi - Jasager 1: GET 2: GET 3: RESPONSE: HTML FORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN” POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN Send Username/password via js 4: RESPONSE: HTML FORM ACTION= HTTPS://WWW.SUGCON.EU/LOGIN Inject malicious javascript POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN
  • 14. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 14 Still think you don’t need HTTPS? Faster Free SEO
  • 15. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 15 • Don’t access publicWiFi • Transport Layer Security • HTTP StrictTransport Security • Certificate Pinning Mitigations
  • 16. XSS –CrossSiteScripting Possibility to inject client-side scripts into webpages • Reflective • Persistent • Leads to other risks, such as Session Hijacking, browser takeovers 16
  • 17. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 17 XSS – Reflective XSS $('#searchTerm').val(' searchterm '); Trusted data Trusted dataUntrusted data
  • 18. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 18 XSS – Reflective XSS $('#searchTerm').val(' ');alert('pwned');// '); Trusted data Trusted dataUntrusted data
  • 19. Bad session and authentication management (attacker): 1. Login & Identify against Sitecore; 2. Get xDB data; 3. Put xDB data in Session; 4. Return cookies; 5. Change Session ID to XXX; 6. Send email with malicious JavaScript.
  • 20. Bad session and authentication management (victim, Session ID XXX): 1. Open email; 2. Visit link, login, send Session ID; 3. Identification on Session ID XXX; 4. Get xDB data; 5. Put xDB data in Session XXX (Bas Lijten, Brabant, creditcard details); 6. Return response.
  • 21. Bad session and authentication management (attacker, Session ID XXX): 1. Refresh browser; 2. Get xDB data for Session XXX (Bas Lijten, Brabant, creditcard details); 3. Identification on Session ID XXX; 3. Return victim's data.
  • 22. (no slide text)
  • 23. XSS – mitigations & bad session management. XSS: output encoding (CSS, JavaScript, XML, HTML); Content Security Policy. Bad session management: don't clear cookies; change your Session ID after login and logout.
  • 24. SQL Injection
  • 25. Security Misconfiguration: the standard Sitecore setup with the core, master and web databases.
  • 26. Security Misconfiguration: a custom Comments component with its own comments database is added next to core, master and web.
  • 27. Security Misconfiguration: the comments database uses the same credentials and resides on the same instance as the Sitecore databases.
  • 28. Security Misconfiguration: the comments database uses other credentials.
  • 29. Security Misconfiguration: the comments database uses other credentials and runs on another instance.
  • 30. SQL Injection & Security Misconfiguration: parameterize your queries; use different credentials; separate custom databases from Sitecore.
  • 31. Summary. Insufficient transport layer protection: don't connect to public wifi; use Transport Layer Security; enforce HTTPS (HSTS header) to prevent stripping. Broken authentication / session management: session fixation; XSS needed; don't remove cookies. XSS (reflective/persistent): don't trust data; encode your (untrusted) data; use frameworks. SQL Injection: parameterize queries; use frameworks. Security Misconfiguration: least possible permissions; don't share credentials.
  • 32. Upcoming blogposts: how to change your authentication provider and use a modern hashing algorithm; why mixing HTTP and HTTPS gives a false sense of security; using HTTPS? Don't forget to apply these settings!
  • 33. Topic-specific information (topic: link title). Secure connections: Still think you don't need HTTPS?; Understanding HTTP Strict Transport Security; Wifi Pineapple; Certificate Pinning. XSS: XSS Prevention Cheat Sheet; Content Security Policy Header; Report-uri.io; Beef. SQL Injection: SQL Injection Cheat Sheet; SQL Map. Security Misconfiguration: OWASP. Broken Session and Authentication Management: OWASP.
  • 34. General sources of information (source: description). Bas Lijten: my blog ;). Securitycore: my evilcore/safecore GitHub repository. Pluralsight: ethical hacking courses, 40+ hours of security training. OWASP: Open Web Application Security Project. Troy Hunt: security blogger. Dale Meredith: security blogger, author of ethical hacking courses. Microsoft SDLC: Microsoft Secure Development Lifecycle. Beef: Browser Exploitation Framework.

Editor's Notes

  1. Standard: not much interaction. When adding customizations, this changes and security bugs might be introduced.
  2. Secure development Sitecore
  3. Largest insurance company of the Netherlands
  4. Top 10 with most critical web application security flaws
  5. Evilcore: with security flaws Safecore: without
  6. Setup via Pineapple WiFi
  7. HTTPS login with the form being served over HTTP -> not safe
  8. HTTPS: * Free, SEO, Faster
  9. What happens when a session will be fixated, using the evilcore implementation (I removed the session ID cookie on logout)
  10. The identity doesn’t match the displayed content from the xDB
  11. The Beef framework that exploits XSS vulnerabilities, in this case, I took a picture with the webcam
  12. Standard Sitecore setup
  13. Situation when a custom component has been added
  14. Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong when you are vulnerable to SQL injection.