Sitecore might be secure, but YOUR site isn’t
Bas Lijten
April 25th, 2016
#sugcon, @baslijten
© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
Tracker.Current.Session.Identify("bas")
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten
Bas Lijten
The Netherlands
Principal Architect
Meet Evilcore™ and Safecore™
Download it on GitHub/BasLijten!
What can you expect?
• No Sitecore vulnerabilities
• Small tips / tricks (references to my and other blogs)
• Explanation with some mitigations
• 3 demos
Man in the middle attack
Pineapple WiFi - Jasager
?? YES
1: GET
2: GET
3: RESPONSE: HTML, FORM ACTION="HTTPS://WWW.SUGCON.EU/LOGIN", POST USERNAME PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN
4: RESPONSE: HTML, FORM ACTION=HTTPS://WWW.SUGCON.EU/LOGIN, inject malicious JavaScript, POST USERNAME PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN, send username/password via JS
Still think you don’t need HTTPS?
• Faster
• Free
• SEO
Mitigations
• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
• Certificate Pinning
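The HSTS item in the mitigation list is only effective when the header is present, strong, and delivered over HTTPS (browsers ignore it on plain-HTTP responses, which is exactly the response a stripping proxy hands out). Below is an added example of a small header check for that, written for this page and not taken from the talk or from the Evilcore/Safecore repository; the one-year threshold and the sample header sets are assumptions constructed for the example.

```python
"""Evaluate a Strict-Transport-Security header the way a reviewer would.

Added example for the 'HTTP Strict Transport Security' mitigation; not code
from the talk or from the Evilcore/Safecore repository. Browsers honour HSTS
only when the header arrives over HTTPS (RFC 6797), so a header that is sent
on the plain-HTTP response alone does nothing against the stripping attack.
"""

# One year; assumption for this example: anything shorter is flagged as weak.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    Returns None when the header is absent or max-age is missing/invalid,
    which is how a browser treats it too.
    """
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def evaluate_hsts(headers, over_https):
    """Return a list of findings for one response's HSTS policy.

    headers: dict of response headers (looked up case-insensitively)
    over_https: whether the response was received over TLS
    An empty list means the policy is present, honoured and strong.
    """
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
    if value is None:
        return ["missing: no Strict-Transport-Security header"]
    findings = []
    if not over_https:
        findings.append("ignored: HSTS is only honoured on HTTPS responses")
    policy = parse_hsts(value)
    if policy is None:
        findings.append("invalid: max-age directive missing or malformed")
        return findings
    if policy["max_age"] == 0:
        findings.append("disabled: max-age=0 removes the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("weak: max-age below one year")
    if not policy["include_subdomains"]:
        findings.append("partial: subdomains are not covered")
    return findings


# Constructed sample responses (not real sugcon.eu headers).
SAMPLES = {
    "strong": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True),
    "short": ({"strict-transport-security": "max-age=300"}, True),
    "plain_http": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, False),
    "absent": ({"Content-Type": "text/html"}, True),
}

if __name__ == "__main__":
    for label, (hdrs, https) in SAMPLES.items():
        print(label, evaluate_hsts(hdrs, https) or ["ok"])
```

The "plain_http" case is the one to watch for in a mixed HTTP/HTTPS site: the header looks fine in the response, but the browser never records it, so the next plain-HTTP visit is still exposed.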
XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages
• Reflective
• Persistent
• Leads to other risks, such as Session Hijacking, browser takeovers
XSS – Reflective XSS
$('#searchTerm').val(' searchterm ');
Trusted data: $('#searchTerm').val(' and '); – Untrusted data: searchterm
XSS – Reflective XSS
$('#searchTerm').val(' ');alert('pwned');// ');
Trusted data: $('#searchTerm').val(' and '); – Untrusted data: ');alert('pwned');//
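The two slides above show the same template once with a harmless search term and once with a term that closes the string literal. The block below, an added example that is not code from the talk or from the Evilcore/Safecore repository, builds that script both ways and applies the context-specific encoding (every non-alphanumeric character as \xHH, the OWASP rule for JavaScript string values) that keeps the untrusted term inside the literal. The small lexer and the decoder are assumptions written for this example to make the difference checkable.

```python
"""Reflective XSS in a JavaScript string context, and the encoding that stops it.

Added example for the $('#searchTerm').val(' ... ') slides; it is not code from
the talk or from the Evilcore/Safecore repository. The server emits a script
that writes the submitted search term back into the search box: the script
text is trusted, the search term is untrusted.
"""
import re

# The payload shown on the slide: it closes the string literal and the .val()
# call, runs alert('pwned'), and comments out the trusted tail.
PAYLOAD = "');alert('pwned');//"


def render_search_script_vulnerable(term):
    """Builds the script the way the vulnerable slide does: raw concatenation."""
    return "$('#searchTerm').val(' " + term + " ');"


def js_string_encode(value):
    """Encode untrusted data for a JavaScript string literal (the OWASP XSS
    prevention rule for the JS data value context): every character except
    A-Z, a-z, 0-9 becomes \\xHH (or \\uHHHH above U+00FF), so no quote,
    bracket, slash or newline survives to terminate the literal."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_search_script_safe(term):
    """Same output shape; only the untrusted part is encoded for its context."""
    return "$('#searchTerm').val(' " + js_string_encode(term) + " ');"


def split_after_val(script):
    """Lex the single-quoted literal handed to .val( as a JS parser would
    (a backslash escapes the next character) and return (literal, remainder).
    Helper written for this example."""
    start = script.index(".val('") + len(".val('")
    i = start
    while i < len(script):
        if script[i] == "\\":
            i += 2
            continue
        if script[i] == "'":
            return script[start:i], script[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


def is_single_val_call(script):
    """True when the whole script is still one .val('...') call, i.e. nothing
    follows the literal except the closing ');' written by the trusted template."""
    _, remainder = split_after_val(script)
    return remainder == ");"


def js_string_decode(literal):
    """Undo js_string_encode, as the browser does when it evaluates the literal."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


if __name__ == "__main__":
    for render in (render_search_script_vulnerable, render_search_script_safe):
        script = render(PAYLOAD)
        print(script)
        print("  single .val() call:", is_single_val_call(script))
```

Note that HTML entity encoding would not help here: the payload contains no `<`, `>` or `&`, and inside a script block the browser does not decode entities anyway. The encoding has to match the context the data lands in, which is why the mitigation slide lists CSS, JavaScript, XML and HTML encoding separately.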
Bad Session and Authentication management
Sitecore – xDB – Session
1. Login & Identify
2. Get xDB data
3. Put xDB data in Session
4. Return cookies
5. Change Session ID to XXX
6. Send email with malicious JavaScript
Session ID: XXX
Bad Session and Authentication management
Sitecore – xDB – Session
1. Open email
2. Visit link: login, send Session ID
3. Identification on Session ID XXX
4. Get xDB data
5. Put xDB data in Session XXX: Bas Lijten, Brabant, creditcard details
6. Return response
Session ID: XXX
Bad Session and Authentication management
Sitecore – xDB – Session
1. Refresh browser
2. Get xDB data for Session XXX: Bas Lijten, Brabant, creditcard details
3. Identification on Session ID XXX
3. Return victim’s data
Session ID: XXX
XSS – mitigations & Bad Session Management
XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy
Bad Session management
• Don’t clear cookies
• Change your Session ID after Login and Logout
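The three session slides describe a fixation: the attacker plants session ID XXX, the victim logs in under it, and the attacker's refresh then reads the victim's xDB data. The model below is an added example, not code from the talk, from Sitecore or from the Evilcore/Safecore repository: a toy in-memory session store that replays only the server side of that flow, with the "change your Session ID after login" mitigation as a switch, so the two outcomes can be compared. The store, its method names and the sample xDB record are assumptions constructed for the example.

```python
"""Session fixation and its fix: issue a fresh session ID on login (and logout).

Added example for the three 'Bad Session and Authentication management' slides
and the 'Change your Session ID after Login and Logout' mitigation. It is a toy
in-memory session store, not Sitecore's session or xDB implementation, and only
models the server side of the flow shown on the slides.
"""
import secrets


class SessionStore:
    """Maps session IDs to session data; 'regenerate_on_login' toggles the fix."""

    def __init__(self, regenerate_on_login):
        self.sessions = {}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, presented_sid, user, xdb_data):
        """Slide 20, steps 3-5: identify the contact on the presented session ID,
        fetch the xDB data and store it in the session. Returns the session ID
        that the response cookie must carry."""
        if presented_sid not in self.sessions:
            # Unknown ID from the browser (e.g. one planted by injected script):
            # the vulnerable configuration simply adopts it.
            self.sessions[presented_sid] = {}
        sid = presented_sid
        if self.regenerate_on_login:
            # Abandon the ID the browser arrived with, so whoever already knew
            # it (the attacker who planted XXX) is left holding a dead session.
            del self.sessions[presented_sid]
            sid = self.new_session()
        self.sessions[sid] = {"user": user, "xdb": xdb_data}
        return sid

    def logout(self, sid):
        """Drop the server-side state rather than only clearing the cookie."""
        self.sessions.pop(sid, None)

    def read(self, sid):
        return self.sessions.get(sid)


# Constructed stand-in for the victim's xDB contact data shown on the slides.
VICTIM_XDB = {"name": "Bas Lijten", "region": "Brabant", "card": "<creditcard details>"}


def fixation_scenario(regenerate_on_login):
    """Replays the slides and returns (victim_view, attacker_view):
    slide 19: the attacker holds session XXX and it ends up in the victim's browser;
    slide 20: the victim logs in presenting session ID XXX;
    slide 21: the attacker refreshes with XXX."""
    store = SessionStore(regenerate_on_login)
    store.sessions["XXX"] = {}                        # attacker's own session
    victim_sid = store.login("XXX", "bas", VICTIM_XDB)
    return store.read(victim_sid), store.read("XXX")


if __name__ == "__main__":
    print("no regeneration, attacker sees:", fixation_scenario(False)[1])
    print("regenerate on login, attacker sees:", fixation_scenario(True)[1])
```

With regeneration off, the victim's and the attacker's views are the same session object; with it on, the victim is logged in under a fresh ID and session XXX no longer exists. Doing the same on logout keeps a captured ID from outliving the user.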
SQL Injection
Security Misconfiguration
Sitecore: core, master, web
Sitecore + custom database: core, master, web, Comments
• Same credentials, same instance
• Other credentials
• Other credentials, other instance
SQL Injection & Security Misconfiguration
• Parameterize your queries
• Use different credentials
• Separate custom databases from Sitecore
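For the first point, parameterized queries, here is an added example against a custom comments table of the kind the misconfiguration slides add next to core, master and web. It is not code from the talk or from the Evilcore/Safecore repository; the table, its rows and the probe value are constructed for the example, and an in-memory SQLite database stands in for the real comments database.

```python
"""SQL injection against a custom 'comments' table, and the parameterized fix.

Added example for the 'Parameterize your queries' mitigation; not code from the
talk or the Evilcore/Safecore repository. Uses an in-memory SQLite database
with constructed rows, standing in for the custom comments database that lives
next to Sitecore's core/master/web.
"""
import sqlite3


def make_comments_db():
    """Constructed sample data: one approved comment, two unapproved ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, approved INTEGER)"
    )
    conn.executemany(
        "INSERT INTO comments (author, body, approved) VALUES (?, ?, ?)",
        [("bas", "Great talk!", 1), ("alice", "Pending moderation", 0), ("mallory", "spam", 0)],
    )
    return conn


def approved_comments_by_author_unsafe(conn, author):
    """String concatenation: the author value becomes part of the SQL grammar,
    so a quote in it rewrites the WHERE clause."""
    sql = (
        "SELECT author, body FROM comments WHERE approved = 1 AND author = '"
        + author
        + "'"
    )
    return conn.execute(sql).fetchall()


def approved_comments_by_author_safe(conn, author):
    """Parameterized: the value travels separately from the statement text and
    is only ever compared as data, whatever characters it contains."""
    sql = "SELECT author, body FROM comments WHERE approved = 1 AND author = ?"
    return conn.execute(sql, (author,)).fetchall()


# Constructed probe value: closes the string and appends an always-true clause,
# which in the unsafe query switches off the 'approved = 1' filter.
PROBE = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_comments_db()
    print("unsafe, normal input:", approved_comments_by_author_unsafe(db, "bas"))
    print("unsafe, probe input: ", approved_comments_by_author_unsafe(db, PROBE))
    print("safe,   probe input: ", approved_comments_by_author_safe(db, PROBE))
```

SQLite has no user accounts, so the other two points on the slide cannot be shown here; in practice the comments database gets its own login that has no rights on core, master or web, so that a query that does go wrong in the custom code cannot reach Sitecore's own data.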
Summary
Insufficient Transport Layer Protection
• Don’t connect to public wifi
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
• Session fixation
• XSS needed
• Don’t remove cookies
XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data
• Use frameworks
SQL Injection
• Parameterize queries
• Use frameworks
Security Misconfiguration
• Least possible permissions
• Don’t share credentials
Upcoming blogposts
• How to change your authentication provider and use a modern hashing algorithm
• Why mixing HTTP and HTTPS gives a false sense of security
• Using HTTPS? Don’t forget to apply these settings!
Topic specific information
Topic – Url
Secure connections – Still think you don’t need HTTPS?
Secure connections – Understanding HTTP Strict Transport Security
Secure connections – Wifi Pineapple
Secure connections – Certificate Pinning
XSS – XSS Prevention Cheat Sheet
XSS – Content Security Policy Header
XSS – Report-uri.io
XSS – Beef
SQL Injection – SQL Injection Cheat Sheet
SQL Injection – SQL Map
Security Misconfiguration – OWASP
Broken Session and Authentication Management – OWASP
General sources of Information
Source – Description
Bas Lijten – My blog ;)
Securitycore – My evilcore/safecore Github repository
Pluralsight – Ethical hacking courses, 40+ hours on security training
OWASP – Open Web Application Security Project
Troy Hunt – Security blogger
Dale Meredith – Security blogger, author of ethical hacking courses
Microsoft SDLC – Microsoft Secure Development Lifecycle
Beef – Browser Exploitation Framework
Thank you!
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten

Mais conteúdo relacionado

Semelhante a Sitecore might be secure, but your site isn't

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?BCS ProSoft
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the NetworkCisco Canada
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8Allen Woods
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureAchievers Tech
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewallCisco Canada
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareKai Wähner
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixBilly Yuen
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 

Semelhante a Sitecore might be secure, but your site isn't (20)

Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?The Notorious 9: Is Your Data Secure in the Cloud?
The Notorious 9: Is Your Data Secure in the Cloud?
 
Leverage the Network
Leverage the NetworkLeverage the Network
Leverage the Network
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8GDPR and EA Commissioning a web site Part 6 of 8
GDPR and EA Commissioning a web site Part 6 of 8
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
 
4.Xss
4.Xss4.Xss
4.Xss
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Putting firepower into the next generation firewall
Putting firepower into the next generation firewallPutting firepower into the next generation firewall
Putting firepower into the next generation firewall
 
Blockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for MiddlewareBlockchain - The Next Big Thing for Middleware
Blockchain - The Next Big Thing for Middleware
 
Javaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with HystrixJavaone 2016 - Operational Excellence with Hystrix
Javaone 2016 - Operational Excellence with Hystrix
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 

Mais de Bas Lijten

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on AzureBas Lijten
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to publicBas Lijten
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...Bas Lijten
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share pointBas Lijten
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPIBas Lijten
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Bas Lijten
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013Bas Lijten
 

Mais de Bas Lijten (7)

world's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azureworld's fastest delivery pipeline for Sitecore on Azure
world's fastest delivery pipeline for Sitecore on Azure
 
Keeping hackers out release to public
Keeping hackers out   release to publicKeeping hackers out   release to public
Keeping hackers out release to public
 
Mind your step how to personalize your sitecore site with fitbit data - upl...
Mind your step   how to personalize your sitecore site with fitbit data - upl...Mind your step   how to personalize your sitecore site with fitbit data - upl...
Mind your step how to personalize your sitecore site with fitbit data - upl...
 
How to use bi to improve your share point
How to use bi to improve your share pointHow to use bi to improve your share point
How to use bi to improve your share point
 
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPISharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
SharePoint Saturyday Belgium - Building sp2013 apps with MVC, SignalR and WebAPI
 
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
Developing share point 2013 apps with mvc 5, signalr 2.0, webapi 2 and visual...
 
Sp2013 apps with vs2013
Sp2013 apps with vs2013Sp2013 apps with vs2013
Sp2013 apps with vs2013
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Sitecore might be secure, but your site isn't

  • 1. Sitecore might be secure, butYOUR site isn’t Bas Lijten April 25th, 2016 #sugcon, @baslijten
  • 2. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2
  • 3. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Tracker.Current.Session.Identify bas linkedin.com/in/baslijten blog.baslijten.com Twitter.com/baslijten Bas Lijten The Netherlands PrincipalArchitect
  • 4. 4
  • 5.
  • 6. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. Meet Evilcore™ and Safecore™ Download it on GitHub/BasLijten!
  • 7. What can you expect? • No Sitecore vulnerabilities • Small tips / tricks (references to my and other blogs) • Explanation with some mitigations • 3 demo’s 7
  • 8. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 8 of 127 Man in the middle attack
  • 9. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 9 of 127 Man in the middle attack
  • 10. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 10 Man in the middle attack
  • 11. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 11 Pineapple WiFi - Jasager ?? YES
  • 12. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 12 Pineapple WiFi - Jasager
  • 13. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 13 Pineapple WiFi - Jasager 1: GET 2: GET 3: RESPONSE: HTML FORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN” POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN Send Username/password via js 4: RESPONSE: HTML FORM ACTION= HTTPS://WWW.SUGCON.EU/LOGIN Inject malicious javascript POST USERNAME PASSWORD HTTPS://WWW.SUGCON.EU/LOGIN
  • 14. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 14 Still think you don’t need HTTPS? Faster Free SEO
  • 15. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 15 • Don’t access publicWiFi • Transport Layer Security • HTTP StrictTransport Security • Certificate Pinning Mitigations
  • 16. XSS –CrossSiteScripting Possibility to inject client-side scripts into webpages • Reflective • Persistent • Leads to other risks, such as Session Hijacking, browser takeovers 16
  • 17. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 17 XSS – Reflective XSS $('#searchTerm').val(' searchterm '); Trusted data Trusted dataUntrusted data
  • 18. © 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 18 XSS – Reflective XSS $('#searchTerm').val(' ');alert('pwned');// '); Trusted data Trusted dataUntrusted data
  • 19. Bad Session and Authentication management (attacker prepares)
    1. Login & Identify (attacker logs in to Sitecore)
    2. Get xDB data
    3. Put xDB data in Session
    4. Return cookies, Session ID: XXX
    5. Change Session ID to XXX
    6. Send email with malicious JavaScript
  • 20. Bad Session and Authentication management (victim)
    1. Open email
    2. Visit link; the script sets Session ID: XXX in the victim's browser, which is sent along on Login
    3. Identification on Session ID XXX
    4. Get xDB data
    5. Put xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
    6. Return response
  • 21. Bad Session and Authentication management (attacker reads)
    1. Refresh browser, Session ID: XXX
    2. Get xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
    3. Identification on Session ID XXX
    4. Return victim's data
  • 23. XSS – mitigations & Bad Session Management
    XSS
    • Output encoding (CSS, JavaScript, XML, HTML)
    • Content Security Policy
    Bad Session management
    • Don't clear cookies
    • Change your Session ID after Login and Logout
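Slides 19 to 21 describe the fixation flow and slide 23 gives the fix (a new Session ID after login), but the three diagrams are hard to follow as text. The simulation below is an added example for this page, not code from the talk, from Sitecore or from ASP.NET session state: Site is an in-memory stand-in that keeps a session dictionary per ID, adopts whatever ID the browser presents, and on login copies the contact's "xDB" record into the session the way the slides describe. The contact records, cookie name and the rotate_on_login switch are constructed for the demo.

```python
"""Session fixation as in slides 19-21, and the Session-ID rotation that stops it.

Added example; not code from the talk, from Sitecore or from ASP.NET. The Site
class only mimics the behaviour the attack relies on: a session-id cookie, a
session dictionary per id, and a login that binds "xDB" data to that session.
All names and data below are constructed.
"""
import secrets

# Constructed stand-in for the xDB contacts shown on slide 20.
XDB = {
    "bas": {"name": "Bas Lijten", "region": "Brabant", "card": "****-1234"},
    "attacker": {"name": "Mallory", "region": "?", "card": None},
}


class Site:
    COOKIE = "ASP.NET_SessionId"

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> dict

    def _new_id(self):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {}
        return sid

    def _resolve(self, cookies):
        """Return the session id for this request, creating one if needed.

        Whatever id the client presents is adopted, even if the server has no
        session for it yet. The attack needs only that the id planted in the
        victim's browser is honoured on the victim's next request.
        """
        sid = cookies.get(self.COOKIE)
        if not sid:
            sid = self._new_id()
        self.sessions.setdefault(sid, {})
        return sid

    def handle(self, cookies, action, user=None):
        """Process one request; return (contact data, cookies to set)."""
        sid = self._resolve(cookies)
        set_cookies = {self.COOKIE: sid}
        if action == "login":
            if self.rotate_on_login:
                # Slide 23's fix: drop the pre-authentication session, whatever
                # id the browser arrived with, and continue under a fresh one.
                # The same should happen on logout.
                self.sessions.pop(sid, None)
                sid = self._new_id()
                set_cookies[self.COOKIE] = sid
            # "Login & Identify": the contact's xDB data lands in the session.
            self.sessions[sid]["contact"] = XDB[user]
        return self.sessions[sid].get("contact"), set_cookies


def run_attack(rotate_on_login):
    """Replay slides 19-21; return what the attacker and the victim each see."""
    site = Site(rotate_on_login)
    attacker, victim = {}, {}   # the two browsers' cookie jars

    # Slide 19: the attacker logs in and learns a valid session id (XXX).
    _, issued = site.handle(attacker, "login", user="attacker")
    attacker.update(issued)
    fixed_id = attacker[Site.COOKIE]

    # Slide 19, steps 5-6: malicious JavaScript (the XSS from the summary
    # slide) plants XXX in the victim's browser.
    victim[Site.COOKIE] = fixed_id

    # Slide 20: the victim logs in; the site binds the victim's xDB data to a session.
    _, issued = site.handle(victim, "login", user="bas")
    victim.update(issued)

    # Slide 21: the attacker refreshes with XXX and reads that session.
    attacker_sees, _ = site.handle(attacker, "view")
    victim_sees, _ = site.handle(victim, "view")
    return attacker_sees, victim_sees


if __name__ == "__main__":
    print("no rotation :", run_attack(rotate_on_login=False))
    print("rotation    :", run_attack(rotate_on_login=True))
```

Without rotation the attacker's refresh returns the victim's record; with rotation the victim's data lives under an id the attacker never saw, and the planted id is now an empty session. In ASP.NET the equivalent step after a successful login is to abandon the current session and issue a new id (System.Web.SessionState.SessionIDManager offers CreateSessionID and SaveSessionID for this); the fixation only works when the id that existed before authentication is still the id after it.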
  • 24. SQL Injection
  • 25. Security Misconfiguration
    Sitecore -> core, master, web databases
  • 26. Security Misconfiguration
    Sitecore -> core, master, web databases
    comments component -> Comments database
  • 27. Security Misconfiguration
    Sitecore -> core, master, web databases
    comments component -> Comments database
    Same credentials, same instance
  • 28. Security Misconfiguration
    Sitecore -> core, master, web databases
    comments component -> Comments database
    Other credentials
  • 29. Security Misconfiguration
    Sitecore -> core, master, web databases
    comments component -> Comments database
    Other credentials, other instance
  • 30. SQL Injection & Security Misconfiguration
    • Parameterize your queries
    • Use different credentials
    • Separate custom databases from Sitecore
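Slides 25 to 30 make one combined point: an injectable custom component is bad, and it is much worse when it runs against the same database instance with the same credentials as Sitecore, because the injected query can then read the core, master and web tables. The example below is added for this page and is not code from the talk or from Sitecore: sqlite3 stands in for SQL Server, "SitecoreUsers" is a constructed stand-in for the sensitive tables in the core database, "Comments" is the custom module, and the two connection factories model slide 27 (shared instance) and slide 29 (separate instance). sqlite has no logins, so only the separation of databases is modelled, not the separate credentials.

```python
"""SQL injection against a custom component, and why it gets worse when that
component shares the Sitecore database instance (slides 25-30).

Added example; not code from the talk or from Sitecore. sqlite3 stands in for
SQL Server and both tables are constructed: "SitecoreUsers" plays the role of
the membership data in the core database, "Comments" is the custom module.
"""
import sqlite3


def make_comments_schema(conn):
    conn.execute("CREATE TABLE Comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO Comments VALUES (1, 'visitor', 'Nice talk!')")
    conn.execute("INSERT INTO Comments VALUES (2, 'visitor', 'More demos please')")


def make_sitecore_schema(conn):
    # Constructed stand-in for the sensitive tables in the core database.
    conn.execute("CREATE TABLE SitecoreUsers (UserName TEXT, PasswordHash TEXT)")
    conn.execute("INSERT INTO SitecoreUsers VALUES ('sitecore\\admin', 'HASH-admin')")


def shared_instance():
    """Slide 27: comments live next to the Sitecore tables, one connection/login."""
    conn = sqlite3.connect(":memory:")
    make_sitecore_schema(conn)
    make_comments_schema(conn)
    return conn


def separate_instance():
    """Slide 29: the comments module gets its own database. On SQL Server it
    would also get its own login with rights on this database only; sqlite has
    no logins, so only the separation is modelled here."""
    conn = sqlite3.connect(":memory:")
    make_comments_schema(conn)
    return conn


def get_comment_vulnerable(conn, comment_id):
    """String concatenation: the user controls part of the SQL text."""
    sql = "SELECT author, body FROM Comments WHERE id = " + str(comment_id)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # e.g. "no such table" when the injected query names a table that is
        # not in this database; the injection still exists, it just finds less
        return [("error", str(exc))]


def get_comment_safe(conn, comment_id):
    """Parameterised (slide 30): the value travels separately from the SQL text."""
    sql = "SELECT author, body FROM Comments WHERE id = ?"
    return conn.execute(sql, (comment_id,)).fetchall()


# What an attacker types where a comment id is expected.
PAYLOAD = "1 UNION SELECT UserName, PasswordHash FROM SitecoreUsers"


if __name__ == "__main__":
    print("shared, concatenated  :", get_comment_vulnerable(shared_instance(), PAYLOAD))
    print("separate, concatenated:", get_comment_vulnerable(separate_instance(), PAYLOAD))
    print("shared, parameterised :", get_comment_safe(shared_instance(), PAYLOAD))
```

Against the shared instance the concatenated query returns the Sitecore password hashes alongside the comment; against the separate instance the same payload fails because the table is not there, which is the "separate custom databases" advice. Only the parameterised version removes the injection itself, so all three measures on slide 30 apply together: parameterise (fixes the bug), use a login with the least permissions (limits what a future bug can read), and keep custom databases away from Sitecore's (limits what is reachable at all).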
  • 31. Summary
    Insufficient Transport Layer Protection
    • Don't connect to public wifi
    • Use Transport Layer Security
    • Enforce HTTPS (HSTS header) to prevent stripping
    Broken authentication / session management
    • Session fixation
    • XSS needed
    • Don't remove cookies
    XSS (Reflective/Persistent)
    • Don't trust data
    • Encode your (untrusted) data
    • Use frameworks
    SQL Injection
    • Parameterize queries
    • Use frameworks
    Security Misconfiguration
    • Least possible permissions
    • Don't share credentials
  • 32. Upcoming blogposts
    • How to change your authentication provider and use a modern hashing algorithm
    • Why mixing HTTP and HTTPS gives a false sense of security
    • Using HTTPS? Don't forget to apply these settings!
  • 33. Topic specific information
    Topic: Url
    Secure connections: Still think you don't need HTTPS?
    Secure connections: Understanding HTTP Strict Transport Security
    Secure connections: Wifi Pineapple
    Secure connections: Certificate Pinning
    XSS: XSS Prevention Cheat Sheet
    XSS: Content Security Policy Header
    XSS: Report-uri.io
    XSS: Beef
    SQL Injection: SQL Injection Cheat Sheet
    SQL Injection: SQL Map
    Security Misconfiguration: OWASP
    Broken Session and Authentication Management: OWASP
  • 34. General sources of Information
    Source: Description
    Bas Lijten: My blog ;)
    Securitycore: My evilcore/safecore Github repository
    Pluralsight: Ethical hacking courses – 40+ hours on security training
    OWASP: Open Web Application Security Project
    Troy Hunt: Security blogger
    Dale Meredith: Security blogger, author of ethical hacking courses
    Microsoft SDLC: Microsoft Secure Development Lifecycle
    Beef: Browser Exploitation Framework

Editor's Notes

  1. Standard: not much interaction. When adding customizations, this changes and security bugs might be introduced
  2. Secure development Sitecore
  3. Largest insurance company of the Netherlands
  4. Top 10 of the most critical web application security flaws
  5. Evilcore: with security flaws Safecore: without
  6. Setup via Pineapple WiFi
  7. HTTPS login with the form being served over HTTP -> not safe
  8. HTTPS: * Free, SEO, Faster
  9. What happens when a session is fixated, using the evilcore implementation (I removed the session ID cookie on logout)
  10. The identity doesn’t match the displayed content from the xDB
  11. The Beef framework that exploits XSS vulnerabilities; in this case, I took a picture with the webcam
  12. Standard Sitecore setup
  13. Situation when a custom component has been added
  14. Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong when you are vulnerable to SQL injection