sitecore might be secure, but your site isn't!

Sitecore might be secure, but YOUR site isn’t Bas Lijten

April 25th, 2016

#sugcon, @baslijten

© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved.

Tracker.Current.Session.Identify

baslinkedin.com/in/baslijten

blog.baslijten.com

Twitter.com/baslijten

Bas Lijten

The Netherlands

Principal Architect


Meet Evilcore™ and Safecore™

Download it on GitHub/BasLijten!

https://github.com/BasLijten/Securitycore

What can you expect?

• No Sitecore vulnerabilities

• Small tips / tricks (references to my and other blogs)

• Explanation with some mitigations

• 3 demo’s

7

© 2016 Sitecore User Group Conference Europe and its respective speakers. All rights reserved. 8 of 127

Man in the middle attack


11

Pineapple WiFi - Jasager

?? YES


12



13


1: GET 2: GET

3: RESPONSE:

HTMLFORM ACTION=“HTTPS://WWW.SUGCON.EU/LOGIN”

POST

USERNAME

PASSWORD

HTTPS://WWW.SUGCON.EU/LOGIN

Send Username/password via js

4: RESPONSE:

HTMLFORM ACTION=


Inject malicious javascript

POST

USERNAME

PASSWORD


https://www.sugcon.eu/LOGIN

https://www.sugcon.eu/LOGIN


Still think you don’t need HTTPS?

FasterFree

SEO


• Don’t access public WiFi

• Transport Layer Security

• HTTP Strict Transport Security

• Certificate Pinning

Mitigations

XSS – Cross Site Scripting

Possibility to inject client-side scripts into webpages

• Reflective• Persistent

• Leads to other risks, such as Session Hijacking, browser takeovers

16


XSS – Reflective XSS

$('#searchTerm').val(' searchterm ');

Trusted data Trusted dataUntrusted data


XSS – Reflective XSS

$('#searchTerm').val(' ');alert('pwned');// ');

Trusted data Trusted dataUntrusted data


Bad Session and Authentication management

Sitecore

1. Login &

Identify

xDB

Session

4. Return cookies

2. Get XDB data

3. Put XDB data in

Session

6. Send email with

malicious JavaScript

SessionID: XXX

5. Change Session ID to XXX



Sitecore

xDB

Session

4. Get XDB data

5. Put XDB data in

Session XXX:

- Bas Lijten

- Brabant

- Creditcard details

1. Open emailSession ID: XXXSession ID: XXX

2. Visit Link

Login

Send Session ID

6. Return response

3. Identification on Session ID XXX



Sitecore

xDB

Session2. Get XDB data for

Session XXX:

- Bas Lijten

- Brabant

- Creditcard details

Session ID: XXXSession ID: XXX

3. Identification on Session ID XXX

1. Refresh browser

3. Return victim’s data


XSS

• Output encoding (CSS, Javascript, Xml, HTML)

• Content Security Policy

Bad Session management

• Don’t clear cookies

• Change your Session ID after Login and Logout

XSS – mitigations & Bad Session Management


SQL Injection


Security Misconfiguration

coremasterweb

Sitecore



coremasterwebComments

Sitecorecomments




Sitecorecomments

Same credentials

Same instance




Sitecorecomments

Other credentials




Sitecorecomments

Other credentials

Other instance


• Parameterize your queries

• Use different credentials

• Separate custom databases from Sitecore

SQL Injection & Security Misconfiguration


Insufficient Transport Layer Protection

• Don’t connect to public wifi

• Use Transport Layer Security

• Enforce HTTPS (HSTS header) to prevent stripping

Broken authentication / session management

• Session fixation

• XSS needed

• Don’t remove cookies

XSS (Reflective/Persistent)

• Don’t trust data

• Encode your (untrusted) data

• Use frameworks

Summary

SQL Injection

• Parameterize queries

• Use frameworks


• Least possible permissions

• Don’t share credentials


• How to change your authentication provider and use a modern hashing algorithm

• Why mixing HTTP and HTTPS gives a false sense of security

• Using HTTPS? Don’t forget to apply these settings!

Upcoming blogposts


Topic Url

Secure connections Still think you don’t need HTTPS?

Secure connections Understanding HTTP Strict Transport Security

Secure connections Wifi Pineapple

Secure connections Certificate Pinning

XSS XSS Prevention Cheat Sheet

XSS Content Security Policy Header

XSS Report-uri.io

XSS Beef

SQL Injection SQL Injection Cheat Sheet

SQL Injection SQL Map

Security Misconfiguration OWASP

Broken Session and Authentication

Management

OWASP

Topic specific information

https://scotthelme.co.uk/still-think-you-dont-need-https/

https://www.troyhunt.com/understanding-http-strict-transport/

https://www.wifipineapple.com/

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

http://content-security-policy.com/

https://report-uri.io/

http://beefproject.com/

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management


General sources of Information

Source Description

Bas Lijten My blog ;)

Securitycore My evilcore/safecore Github repository

Pluralsight Ethical hacking courses – 40+ hours on security training

OWASP Open Web Application Security Project

Troy hunt Security blogger

Dale Meredith Security blogger, author of ethical hacking courses

Microsoft SDLC Microsoft Secure Development Lifecycle

Beef Browser Exploitation Framework

http://blog.baslijten.com/

https://github.com/BasLijten/Securitycore

https://www.pluralsight.com/search?q=ethical+hacking&categories=all

https://www.owasp.org/index.php/Main_Page

https://www.troyhunt.com/

http://www.dalemeredith.com/

https://www.microsoft.com/en-us/sdl/

http://beefproject.com/

Thank you!

linkedin.com/in/baslijten

blog.baslijten.com

Twitter.com/baslijten

sitecore might be secure, but your site isn't!

Documents