Presentation about Sitecore and common security flaws that was given at the SUGCON conference in Copenhagen, Denmark. Find the sources on https://github.com/BasLijten/Securitycore
7. What can you expect?
• No Sitecore vulnerabilities
• Small tips / tricks (references to my and other blogs)
• Explanation with some mitigations
• 3 demos
16. XSS – Cross-Site Scripting
The possibility to inject client-side scripts into web pages
• Reflective
• Persistent
• Leads to other risks, such as session hijacking and browser takeovers
Standard setup: not much interaction
When adding customizations, this changes and security bugs might be introduced
Secure development
Sitecore
Largest insurance company in the Netherlands
Top 10 of the most critical web application security flaws
Evilcore: with security flaws
Safecore: without
Setup via Pineapple WiFi
HTTPS login with the form being served over HTTP -> not safe
HTTPS:
* Free, better SEO, faster
What happens when a session is fixated, using the Evilcore implementation (I removed the session ID cookie on logout)
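As an added illustration (not code from the talk or from the Securitycore repository): a minimal in-memory session store in Python with an Evilcore-style login that keeps whatever session ID the browser already presents, next to a hardened login that issues a fresh ID on authentication and a logout that invalidates the session server-side. Sitecore itself runs on ASP.NET; the store, its method names and the planted ID are constructed for this demo.

```python
import secrets


class SessionStore:
    """In-memory session store, constructed for this demo."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable id
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def login_vulnerable(self, sid, user):
        # Evilcore-style: authenticate the id the browser already presents.
        # An id fixed before login therefore becomes an authenticated id.
        if sid not in self.sessions:
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Safecore-style: drop the presented id and issue a fresh one,
        # so an id known before login never carries the authenticated state.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        # Removing only the cookie leaves the id valid on the server;
        # the session itself has to be discarded.
        self.sessions.pop(sid, None)


def fixation_succeeds(login_method):
    """Simulate a session id that is known before the victim logs in.
    Returns True if that pre-login id ends up authenticated as the victim."""
    store = SessionStore()
    planted = store.new_session()  # id known before authentication
    getattr(store, login_method)(planted, "victim")
    return store.user_for(planted) == "victim"


if __name__ == "__main__":
    print("vulnerable login fixated:", fixation_succeeds("login_vulnerable"))  # True
    print("hardened login fixated:", fixation_succeeds("login_hardened"))  # False
```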
The identity doesn’t match the displayed content from the xDB
The BeEF framework, which exploits XSS vulnerabilities; in this case, I took a picture with the webcam
Standard Sitecore setup
Situation when a custom component has been added
Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong if you are vulnerable to SQL injection