sitecore might be secure, but your site isn't!
Post on 14-Feb-2017
Sitecore might be secure, but YOUR site isn’t Bas Lijten
April 25th, 2016
#sugcon, @baslijten
© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved.
Tracker.Current.Session.Identify
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten
Bas Lijten
The Netherlands
Principal Architect
Meet Evilcore™ and Safecore™
Download it on GitHub/BasLijten!
What can you expect?
• No Sitecore vulnerabilities
• Small tips / tricks (references to my and other blogs)
• Explanation with some mitigations
• 3 demos
Man in the middle attack
Pineapple WiFi - Jasager
?? YES
Pineapple WiFi - Jasager: login flow through the rogue access point
1: GET (browser to Pineapple)
2: GET (Pineapple to site)
3: RESPONSE: HTML form, action="https://www.sugcon.eu/login", POST username/password to https://www.sugcon.eu/login
   (Pineapple: inject malicious JavaScript)
4: RESPONSE: HTML form, action="https://www.sugcon.eu/login", POST username/password; injected script sends username/password via JS
Still think you don’t need HTTPS?
Faster / Free / SEO
Mitigations
• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
• Certificate Pinning
XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages
• Reflective
• Persistent
• Leads to other risks, such as Session Hijacking, browser takeovers
XSS – Reflective XSS
$('#searchTerm').val(' searchterm ');
Trusted data: $('#searchTerm').val(' | Untrusted data: searchterm | Trusted data: ');
XSS – Reflective XSS
$('#searchTerm').val(' ');alert('pwned');// ');
Trusted data: $('#searchTerm').val(' | Untrusted data: ');alert('pwned');// | Trusted data: ');
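The two snippets above, as an added example that is not from the talk: the search-box script rendered the vulnerable way and with output encoding for a JavaScript string context (the mitigation the talk lists), then executed against stub $ and alert functions so the difference is observable. encodeForJsString, the two render functions and runRendered are constructed names; the payload is the one on the slide.

```javascript
// Encode untrusted data for a JavaScript string-literal context.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements keep "</script>" from ever appearing literally inside
// the inline script and escape the line terminators U+2028/U+2029.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable: the untrusted term is concatenated into the trusted script,
// exactly as on the slide.
function renderSearchScriptUnsafe(term) {
  return "$('#searchTerm').val('" + term + "');";
}

// Hardened: the term is emitted as one encoded string literal, so whatever it
// contains stays data.
function renderSearchScriptSafe(term) {
  return "$('#searchTerm').val(" + encodeForJsString(term) + ");";
}

// Executes a rendered script with stubbed jQuery and alert and records every
// call, so it is visible whether the untrusted data became code.
function runRendered(script) {
  const calls = [];
  const $ = () => ({ val: (v) => calls.push({ type: 'val', value: v }) });
  const alert = (msg) => calls.push({ type: 'alert', value: msg });
  new Function('$', 'alert', script)($, alert);
  return calls;
}

// The payload shown on the slide (constructed test input).
const PAYLOAD = "');alert('pwned');//";
```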
Bad Session and Authentication management (1/3: attacker's own session)
Actors: Sitecore, xDB, Session
1. Login & Identify
2. Get xDB data
3. Put xDB data in Session
4. Return cookies
5. Change Session ID to XXX
6. Send email with malicious JavaScript (SessionID: XXX)
Bad Session and Authentication management (2/3: victim)
1. Open email
2. Visit Link (Session ID: XXX); Login, Send Session ID
3. Identification on Session ID XXX
4. Get xDB data
5. Put xDB data in Session XXX: Bas Lijten, Brabant, Creditcard details
6. Return response
Bad Session and Authentication management (3/3: attacker)
1. Refresh browser (Session ID: XXX)
2. Get xDB data for Session XXX: Bas Lijten, Brabant, Creditcard details
3. Identification on Session ID XXX; return victim’s data
XSS – mitigations & Bad Session Management
XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy
Bad Session management
• Don’t clear cookies
• Change your Session ID after Login and Logout
SQL Injection
Security Misconfiguration
Sitecore -> core, master, web
comments -> Comments
• Same credentials, same instance
• Other credentials
• Other credentials, other instance
SQL Injection & Security Misconfiguration
• Parameterize your queries
• Use different credentials
• Separate custom databases from Sitecore
Summary
Insufficient Transport Layer Protection
• Don’t connect to public wifi
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
• Session fixation
• XSS needed
• Don’t remove cookies
XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data
• Use frameworks
SQL Injection
• Parameterize queries
• Use frameworks
Security Misconfiguration
• Least possible permissions
• Don’t share credentials
Upcoming blogposts
• How to change your authentication provider and use a modern hashing algorithm
• Why mixing HTTP and HTTPS gives a false sense of security
• Using HTTPS? Don’t forget to apply these settings!
Topic specific information
Topic | Url
Secure connections | Still think you don’t need HTTPS?
Secure connections | Understanding HTTP Strict Transport Security
Secure connections | Wifi Pineapple
Secure connections | Certificate Pinning
XSS | XSS Prevention Cheat Sheet
XSS | Content Security Policy Header
XSS | Report-uri.io
XSS | Beef
SQL Injection | SQL Injection Cheat Sheet
SQL Injection | SQL Map
Security Misconfiguration | OWASP
Broken Session and Authentication Management | OWASP
General sources of Information
Source | Description
Bas Lijten | My blog ;)
Securitycore | My evilcore/safecore GitHub repository
Pluralsight | Ethical hacking courses – 40+ hours on security training
OWASP | Open Web Application Security Project
Troy Hunt | Security blogger
Dale Meredith | Security blogger, author of ethical hacking courses
Microsoft SDLC | Microsoft Secure Development Lifecycle
Beef | Browser Exploitation Framework
Thank you!
linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten