sitecore might be secure, but your site isn't!

Post on 14-Feb-2017


TRANSCRIPT

Sitecore might be secure, but YOUR site isn’t
Bas Lijten

April 25th, 2016

#sugcon, @baslijten

© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 2


Tracker.Current.Session.Identify

Bas Lijten
Principal Architect, The Netherlands

linkedin.com/in/baslijten
blog.baslijten.com
Twitter.com/baslijten

Meet Evilcore™ and Safecore™

Download it on GitHub/BasLijten!

What can you expect?

• No Sitecore vulnerabilities

• Small tips / tricks (references to my and other blogs)

• Explanation with some mitigations

• 3 demos

Man in the middle attack

Pineapple WiFi - Jasager

?? YES

1: GET
2: GET
3: RESPONSE: HTML <form action="https://www.sugcon.eu/login"> (POST: USERNAME, PASSWORD) to HTTPS://WWW.SUGCON.EU/LOGIN
4: RESPONSE: HTML <form action="https://www.sugcon.eu/login"> with injected malicious JavaScript that sends username/password via JS
POST: USERNAME, PASSWORD to HTTPS://WWW.SUGCON.EU/LOGIN

Still think you don’t need HTTPS?

Faster / Free / SEO

Mitigations

• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
• Certificate Pinning

XSS – Cross Site Scripting

Possibility to inject client-side scripts into webpages

• Reflective
• Persistent
• Leads to other risks, such as Session Hijacking, browser takeovers

XSS – Reflective XSS

$('#searchTerm').val(' searchterm ');

Trusted data:   $('#searchTerm').val('
Untrusted data: searchterm
Trusted data:   ');

XSS – Reflective XSS

$('#searchTerm').val(' ');alert('pwned');// ');

Trusted data:   $('#searchTerm').val('
Untrusted data: ');alert('pwned');//
Trusted data:   ');
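The two renderings from the XSS slides above (untrusted search term concatenated into the inline script, then the same template with JavaScript-string output encoding), as an added JavaScript example that is not code from the talk or its Evilcore/Safecore repository; the function names and the stub browser are assumptions:

```javascript
// Added example, not from the slides: the inline-script pattern from the
// "$('#searchTerm').val(' searchterm ');" slide rendered two ways, plus a
// stubbed browser so both renderings can be executed offline.

// Vulnerable rendering: the untrusted query-string value is concatenated
// straight into a JavaScript string literal.
function renderSearchScriptVulnerable(searchTerm) {
  return "$('#searchTerm').val('" + searchTerm + "');";
}

// Output encoding for the JavaScript-string context: every character that is
// not alphanumeric is emitted as a \xHH or \uHHHH escape, so a quote, a
// backslash, '<' or '/' in the data can never terminate the literal or the
// surrounding <script> element.
function encodeForJsString(value) {
  let out = "";
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// Hardened rendering: same template, untrusted part encoded.
function renderSearchScriptSafe(searchTerm) {
  return "$('#searchTerm').val('" + encodeForJsString(searchTerm) + "');";
}

// Minimal stand-in for the browser: a fake jQuery '$' that records what was
// written into the field and a fake 'alert' that records whether it ran.
function executeInFakeBrowser(script) {
  const state = { fieldValue: null, alertCalled: false };
  const $ = () => ({ val: (v) => { state.fieldValue = v; } });
  const alert = () => { state.alertCalled = true; };
  new Function("$", "alert", script)($, alert);
  return state;
}

// The payload from the second XSS slide, constructed here as the test input.
const SLIDE_PAYLOAD = "');alert('pwned');//";
```

With the vulnerable rendering the stub `alert` fires; with the encoded rendering the field simply receives the payload as text.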


Bad Session and Authentication management

Components: Sitecore, xDB, Session

1. Login & Identify
2. Get xDB data
3. Put xDB data in Session
4. Return cookies
5. Change Session ID to XXX
6. Send email with malicious JavaScript (SessionID: XXX)

Bad Session and Authentication management

Components: Sitecore, xDB, Session

1. Open email (Session ID: XXX)
2. Visit link (Session ID: XXX): Login, send Session ID
3. Identification on Session ID XXX
4. Get xDB data
5. Put xDB data in Session XXX:
   - Bas Lijten
   - Brabant
   - Creditcard details
6. Return response

Bad Session and Authentication management

Components: Sitecore, xDB, Session

1. Refresh browser (Session ID: XXX)
2. Get xDB data for Session XXX:
   - Bas Lijten
   - Brabant
   - Creditcard details
3. Identification on Session ID XXX
4. Return victim’s data

XSS – mitigations & Bad Session Management

XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy

Bad Session management
• Don’t clear cookies
• Change your Session ID after Login and Logout
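The fixation flow from the three xDB slides and the "change your Session ID after Login and Logout" mitigation, replayed in an added JavaScript simulation that is not Sitecore's or the speaker's code; the session store, the ids and the contact record are constructed for the example:

```javascript
// Added example, not from the slides or Sitecore: an in-memory session store
// that replays the fixation flow of the xDB slides, once without and once with
// session-id rotation. Ids, names and the contact record are constructed;
// a real store must use cryptographically random ids.
let nextId = 1;
const newSessionId = () => "sid-" + String(nextId++).padStart(4, "0");

class SessionStore {
  constructor(regenerateOnLogin) {
    this.sessions = new Map();           // session id -> { contact }
    this.regenerateOnLogin = regenerateOnLogin;
  }
  start() {                              // anonymous visit: issue a cookie
    const id = newSessionId();
    this.sessions.set(id, {});
    return id;
  }
  // "1. Login & Identify" .. "3. Put xDB data in Session"; returns the cookie
  // ("4. Return cookies"). Unknown ids are accepted as-is, as in the demo.
  login(cookieId, contact) {
    let id = cookieId;
    if (this.regenerateOnLogin) {        // mitigation: fresh id, old one dropped
      this.sessions.delete(cookieId);
      id = newSessionId();
    }
    this.sessions.set(id, { contact });
    return id;
  }
  logout(cookieId) {                     // same rule on logout: drop and reissue
    this.sessions.delete(cookieId);
    return this.start();
  }
  read(cookieId) {                       // what any request with this cookie sees
    return this.sessions.get(cookieId)?.contact ?? null;
  }
}

// Attacker obtains a valid id XXX, the injected script plants it in the victim's
// browser ("5. Change Session ID to XXX"), the victim logs in, attacker refreshes.
function runFixationScenario(regenerateOnLogin) {
  const store = new SessionStore(regenerateOnLogin);
  const xxx = store.start();
  const victimCookie = store.login(xxx,
    { name: "Bas Lijten", region: "Brabant", card: "constructed-card-data" });
  return {
    attackerSees: store.read(xxx),       // "1. Refresh browser"
    victimSees: store.read(victimCookie),
    cookieRotated: victimCookie !== xxx,
  };
}
```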


SQL Injection


Security Misconfiguration

Databases: core, master, web
Application: Sitecore

Databases: core, master, web, Comments
Applications: Sitecore, comments

Same credentials, same instance

Other credentials

Other credentials, other instance

SQL Injection & Security Misconfiguration

• Parameterize your queries
• Use different credentials
• Separate custom databases from Sitecore

Summary

Insufficient Transport Layer Protection
• Don’t connect to public wifi
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping

Broken authentication / session management
• Session fixation
• XSS needed
• Don’t remove cookies

XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data
• Use frameworks

SQL Injection
• Parameterize queries
• Use frameworks

Security Misconfiguration
• Least possible permissions
• Don’t share credentials

Upcoming blogposts

• How to change your authentication provider and use a modern hashing algorithm
• Why mixing HTTP and HTTPS gives a false sense of security
• Using HTTPS? Don’t forget to apply these settings!

Topic specific information

Topic                                         Url
Secure connections                            Still think you don’t need HTTPS?
Secure connections                            Understanding HTTP Strict Transport Security
Secure connections                            Wifi Pineapple
Secure connections                            Certificate Pinning
XSS                                           XSS Prevention Cheat Sheet
XSS                                           Content Security Policy Header
XSS                                           Report-uri.io
XSS                                           BeEF
SQL Injection                                 SQL Injection Cheat Sheet
SQL Injection                                 SQL Map
Security Misconfiguration                     OWASP
Broken Session and Authentication Management  OWASP

General sources of Information

Source           Description
Bas Lijten       My blog ;)
Securitycore     My evilcore/safecore Github repository
Pluralsight      Ethical hacking courses – 40+ hours on security training
OWASP            Open Web Application Security Project
Troy Hunt        Security blogger
Dale Meredith    Security blogger, author of ethical hacking courses
Microsoft SDLC   Microsoft Secure Development Lifecycle
BeEF             Browser Exploitation Framework

Thank you!

linkedin.com/in/baslijten

blog.baslijten.com

Twitter.com/baslijten
