Keeping hackers out   release to public

Transcript of Keeping hackers out   release to public

Page 1: Keeping hackers out   release to public

Presented by: Bas Lijten - @BasLijten

Keeping Hackers out

Page 2: Keeping hackers out   release to public

© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.

#Sitecore SYM

Page 3: Keeping hackers out   release to public


Page 4: Keeping hackers out   release to public

Tracker.Current.Session.Identify

Bas Lijten
The Netherlands
Principal Architect

linkedin.com/in/baslijten
blog.baslijten.com
twitter.com/baslijten

Page 5: Keeping hackers out   release to public

What can you expect?
• DEMOS!

Page 6: Keeping hackers out   release to public
Page 7: Keeping hackers out   release to public


OWASP – reference card

Page 8: Keeping hackers out   release to public


Page 9: Keeping hackers out   release to public

Meet Evilcore™…

Download my security module on github.com/BasLijten/SitecoreSecurity

Page 10: Keeping hackers out   release to public


Bobby Hack

… and meet Bobby Hack - pwn the eXperience

https://twitter.com/bobbyhack_sc

Page 11: Keeping hackers out   release to public


Man in the middle attack

Page 12: Keeping hackers out   release to public


Man in the middle attack

Page 13: Keeping hackers out   release to public


Man in the middle attack

Page 14: Keeping hackers out   release to public

Pineapple WiFi

Client probe request: "??"   Pineapple: "YES" (it answers any probe request, whatever network the client asks for)

Page 15: Keeping hackers out   release to public


Pineapple WiFi - Jasager

Page 16: Keeping hackers out   release to public

It’s faster

HTTP 1.1 vs HTTP 2

Page 17: Keeping hackers out   release to public

It’s better for SEO

Page 18: Keeping hackers out   release to public


https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Page 19: Keeping hackers out   release to public

It’s Free

http://blog.baslijten.com/sitecore-security-4-serve-your-site-securely-over-https-with-lets-encrypt/

Page 20: Keeping hackers out   release to public


Unsafe http to https redirects using a 301

Page 21: Keeping hackers out   release to public


HSTS – Internal 307 redirect

http://blog.baslijten.com/sitecore-security-2-secure-connections-and-how-to-force-the-browser-to-use-the-secure-connection/

Page 22: Keeping hackers out   release to public

Mitigations

• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
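The difference between the "unsafe 301" and the HSTS "internal 307" on the previous slides, as an added example that is not part of the original deck: a toy model of a browser's HSTS cache. It shows that a plain 301 from http:// to https:// still sends one cleartext request every time the user types the hostname, which is exactly what a stripping attacker on the hotspot answers, while a cached Strict-Transport-Security policy (only honoured when received over TLS) rewrites the http:// navigation inside the browser before anything leaves the machine. The hostnames, the header values and the three "server" functions are constructed sample data, not a real site.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header (RFC 6797). Returns None if invalid."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class Browser:
    """Only the HSTS cache of a browser: host -> (expiry, includeSubDomains).
    Time is a plain counter so the example stays deterministic."""

    def __init__(self, now=0):
        self.now = now
        self.hsts = {}

    def _hsts_applies(self, host):
        labels = host.split(".")
        for i in range(len(labels) - 1):            # host itself, then its parent domains
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, server):
        """Follow redirects. Returns (trace, final_url). Each hop is (status, url);
        status "internal 307" marks an HSTS upgrade done without any request on the wire."""
        trace = []
        for _ in range(5):
            parts = urlsplit(url)
            if parts.scheme == "http" and self._hsts_applies(parts.hostname):
                trace.append(("internal 307", url))
                url = urlunsplit(("https",) + tuple(parts[1:]))
                continue
            status, headers = server(url)
            trace.append((status, url))
            # RFC 6797: an HSTS header is only honoured when it arrived over TLS.
            policy = parse_hsts(headers.get("Strict-Transport-Security")) if parts.scheme == "https" else None
            if policy:
                self.hsts[parts.hostname] = (self.now + policy["max_age"], policy["include_subdomains"])
            if status in (301, 302, 307, 308):
                url = headers["Location"]
                continue
            return trace, url
        raise RuntimeError("redirect loop")


def _to_https(url):
    return "https://" + url[len("http://"):]


def site_301_only(url):
    """Constructed site: http:// answers 301 to https://, https:// serves the page, no HSTS."""
    if url.startswith("http://"):
        return 301, {"Location": _to_https(url)}
    return 200, {}


def site_with_hsts(url):
    """Same site, but the https:// response also sets a one-year HSTS policy."""
    if url.startswith("http://"):
        return 301, {"Location": _to_https(url)}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def sslstrip_hotspot(url):
    """Constructed attacker on the Wi-Fi: answers every http:// request itself with a
    look-alike page, so a victim that starts on http:// never reaches the real site."""
    if url.startswith("http://"):
        return 200, {}
    return site_with_hsts(url)


def cleartext_requests(browser, url, server):
    """Number of requests that actually left the browser over plain http."""
    trace, _ = browser.navigate(url, server)
    return sum(1 for status, hop in trace if status != "internal 307" and hop.startswith("http://"))


if __name__ == "__main__":
    victim = Browser()
    print(victim.navigate("http://www.example.com/", site_with_hsts))    # 301 on the wire, policy cached
    print(victim.navigate("http://www.example.com/", sslstrip_hotspot))  # internal 307, attacker never sees it
```

Run it once against `site_301_only` and once against `site_with_hsts`: in both cases the very first visit costs one cleartext request (that is why the preload list exists), but only the HSTS site stops paying that cost on every later visit.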

Page 23: Keeping hackers out   release to public

XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages

• Reflective
• Persistent

• Leads to other risks, such as Session Hijacking, browser takeovers

Page 24: Keeping hackers out   release to public

XSS – Reflective XSS

$('#searchTerm').val(' searchterm ');

Trusted data: the script around the value, written by the developer.
Untrusted data: searchterm, taken from the request.

Page 25: Keeping hackers out   release to public

XSS – Reflective XSS

$('#searchTerm').val(' ');alert('pwned');// ');

Trusted data: the script around the value, written by the developer.
Untrusted data: ');alert('pwned');// closes the string literal, adds a statement of its own and comments out the rest.

Page 26: Keeping hackers out   release to public


Beef – capture video

Page 27: Keeping hackers out   release to public


Content Security Policy

Page 28: Keeping hackers out   release to public

XSS – mitigations & Bad Session Management

XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy (http://blog.baslijten.com/sitecore-security-3-prevent-xss-using-content-security-policy/)

Bad Session management (session fixation)
• Session cookies that are not cleared on logout
• Change your Session ID after Login and Logout
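The search-term echo from the reflective XSS slides and the "output encoding" bullet above, as an added example that is not code from the deck or from Sitecore: the vulnerable concatenation (kept vulnerable on purpose), the same rendering with JavaScript-context encoding, the same term in an HTML context, and a crude statement counter that makes the break-out visible. The payloads are constructed; the rendering functions are illustrations of the pattern, not an API of the presented module.

```python
import html
import json


def render_search_script_vulnerable(term):
    """The pattern on the slides: untrusted data pasted into a JS string literal."""
    return "$('#searchTerm').val('" + term + "');"


def js_string_literal(value):
    """Encode for a JavaScript string context. json.dumps gives a double-quoted literal
    with quotes, backslashes, control characters and (ensure_ascii) every non-ASCII
    character escaped; the extra replacements stop the value from closing a surrounding
    <script> element or introducing HTML markup."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_search_script_safe(term):
    """Same output, but the value can only ever be a string argument."""
    return "$('#searchTerm').val(" + js_string_literal(term) + ");"


def render_search_heading_safe(term):
    """The same term in an HTML context needs HTML encoding, not JS encoding."""
    return "<h1>Results for " + html.escape(term, quote=True) + "</h1>"


def top_level_statements(script):
    """Count ';' outside string literals and // comments. Crude, but enough to see
    whether untrusted input managed to add a statement of its own."""
    count, i, quote = 0, 0, None
    while i < len(script):
        c = script[i]
        if quote:
            if c == "\\":
                i += 1                    # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif script.startswith("//", i):
            break                         # rest of the line is a comment
        elif c == ";":
            count += 1
        i += 1
    return count


PAYLOAD = "');alert('pwned');//"          # constructed; the same break-out as on the slide


if __name__ == "__main__":
    for render in (render_search_script_vulnerable, render_search_script_safe):
        script = render(PAYLOAD)
        print(top_level_statements(script), script)
```

Note that the encoding is chosen by the context the data lands in: the JSON form would be wrong inside an HTML attribute, and `html.escape` would be wrong inside the script. A Content Security Policy that disallows inline script is the second layer, for the cases where an encoding is missed.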

Page 29: Keeping hackers out   release to public


SQL Injection

Page 30: Keeping hackers out   release to public

Security Misconfiguration

Databases: core, master, web
Application: Sitecore

Page 31: Keeping hackers out   release to public

Security Misconfiguration

Databases: core, master, web, Comments
Applications: Sitecore, comments

Page 32: Keeping hackers out   release to public

Security Misconfiguration: same credentials, same instance

Databases: core, master, web, Comments
Applications: Sitecore, comments

Page 33: Keeping hackers out   release to public

Security Misconfiguration: separate credentials, least privilege

Databases: core, master, web, Comments
Applications: Sitecore, comments

Page 34: Keeping hackers out   release to public

Security Misconfiguration: separate credentials, least privilege, separate instance

Databases: core, master, web, Comments
Applications: Sitecore, comments

Page 35: Keeping hackers out   release to public

SQL Injection & Security Misconfiguration

• Parameterize your queries
• Use another service account
• Separate custom databases from Sitecore
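The three bullets above, as one added example that is not code from the deck or from Sitecore. The comments application from the misconfiguration slides is modelled in SQLite: its `comments` table sits either in the same instance as a table standing in for Sitecore's core database, or in an instance of its own. `aspnet_Membership` is a constructed, simplified stand-in for the ASP.NET membership table (real column set is larger); the rows and the "hashes" are sample data. A UNION injection through the unparameterised query reads Sitecore's user table when the instance is shared, gets a "no such table" error when it is not, and gets nothing at all once the query is parameterised.

```python
import sqlite3

COMMENTS_SCHEMA = """
    CREATE TABLE comments (author TEXT, body TEXT);
    INSERT INTO comments VALUES ('alice', 'Nice talk!'), ('bob', 'Where are the slides?');
"""

# Constructed stand-in for the membership table in Sitecore's core database.
CORE_SCHEMA = """
    CREATE TABLE aspnet_Membership (UserName TEXT, Password TEXT);
    INSERT INTO aspnet_Membership VALUES ('sitecore\\admin', 'hash-of-b'),
                                        ('sitecore\\editor', 'hash-of-e');
"""


def build_shared_instance():
    """One connection holds both: what the comments app's login reaches when it shares
    the SQL instance and the credentials with Sitecore."""
    db = sqlite3.connect(":memory:")
    db.executescript(COMMENTS_SCHEMA + CORE_SCHEMA)
    return db


def build_separate_instance():
    """The comments app gets a database of its own and nothing else."""
    db = sqlite3.connect(":memory:")
    db.executescript(COMMENTS_SCHEMA)
    return db


def comments_by_author_vulnerable(db, author):
    """Deliberately vulnerable: the author value is concatenated into the SQL text."""
    sql = "SELECT author, body FROM comments WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()


def comments_by_author_safe(db, author):
    """Parameterised: the value travels separately from the statement and can never become SQL."""
    return db.execute("SELECT author, body FROM comments WHERE author = ?", (author,)).fetchall()


# Constructed payload: closes the literal, UNIONs the membership table into the result
# (same column count as the original SELECT) and comments out the quote the app appends.
PAYLOAD = "' UNION SELECT UserName, Password FROM aspnet_Membership --"


def run_attack(db, query_fn, payload=PAYLOAD):
    """What the attacker gets back: the rows, sorted for a stable result, or the error text."""
    try:
        return sorted(query_fn(db, payload))
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    shared = build_shared_instance()
    print(run_attack(shared, comments_by_author_vulnerable))          # Sitecore user hashes
    print(run_attack(shared, comments_by_author_safe))                # []
    print(run_attack(build_separate_instance(), comments_by_author_vulnerable))  # no such table
```

Parameterising the query closes the injection; separating the credentials and the instance limits what a future injection (or a leaked connection string) can reach. On SQL Server the counterpart of `build_separate_instance` is a dedicated login that is a user only in the Comments database, with no more than db_datareader and db_datawriter there and no rights on core, master and web.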

Page 36: Keeping hackers out   release to public

Summary

Insufficient Transport Layer Protection
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping

Broken authentication / session management
• Session fixation: session cookies are not removed on logout

XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data

SQL Injection
• Parameterize queries
• Use frameworks

Security Misconfiguration
• Least privileges
• Don’t share accounts for connections

Page 37: Keeping hackers out   release to public

Next steps/Resources

What to do
• Get to know the OWASP top 10
• Follow pluralsight courses – Hack yourself first / OWASP
• Three months – Write secure code

Resources available
• Get educated (See resources)
• Code on Github

Page 38: Keeping hackers out   release to public

Topic specific information

Topic: Url
Secure connections: HSTS for Sitecore
Secure connections: Understanding HTTP Strict Transport Security
Secure connections: Serve your Sitecore site securely over https with letsencrypt
Secure connections: Wifi Pineapple
Secure connections: Certificate Pinning
XSS: XSS Prevention Cheat Sheet
XSS: Content Security Policy Header
XSS: Report-uri.io
XSS: Content Security Policy for Sitecore
SQL Injection: SQL Injection Cheat Sheet
Replace password hashing mechanism: Sitecore password hashing algorithm
Security Misconfiguration: OWASP
Broken Session and Authentication Management: OWASP

Page 39: Keeping hackers out   release to public

General sources of Information

Source: Description
Bas Lijten: My blog ;)
Securitycore: My evilcore/safecore Github repository
Pluralsight: Ethical hacking courses – 40+ hours on security training
OWASP: Open Web Application Security Project
Troy Hunt: Security blogger
Dale Meredith: Security blogger, author of ethical hacking courses
Microsoft SDLC: Microsoft Secure Development Lifecycle
Beef: Browser Exploitation Framework

Page 40: Keeping hackers out   release to public

FOR DISCUSSION PURPOSES ONLY. Sitecore Confidential and Proprietary. © 2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.