Keeping hackers out release to public
Transcript of Keeping hackers out release to public
Presented by: Bas Lijten - @BasLijten
Keeping Hackers out
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
Tracker.Current.Session.Identify
linkedin.com/in/baslijten
blog.baslijten.com
twitter.com/baslijten
Bas Lijten, The Netherlands, Principal Architect
What can you expect?
• DEMOS!
OWASP – reference card
Meet Evilcore™…
Download my security module on github.com/BasLijten/SitecoreSecurity
Bobby Hack
… and meet Bobby Hack - pwn the eXperience
https://twitter.com/bobbyhack_sc
Man in the middle attack
Pineapple WiFi
?? YES
Pineapple WiFi - Jasager
It’s faster: HTTP 1.1 vs HTTP 2
It’s better for SEO
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
It’s free
http://blog.baslijten.com/sitecore-security-4-serve-your-site-securely-over-https-with-lets-encrypt/
Unsafe http to https redirects using a 301
HSTS – Internal 307 redirect
http://blog.baslijten.com/sitecore-security-2-secure-connections-and-how-to-force-the-browser-to-use-the-secure-connection/
Mitigations
• Don’t access public WiFi
• Transport Layer Security
• HTTP Strict Transport Security
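The "internal 307" that HSTS produces is a browser-side rewrite, not a server redirect. The following is an added example (not code from the talk or from Sitecore): a model of the browser's HSTS cache showing that, once a host has been seen with a Strict-Transport-Security header over https, later http:// URLs for it are upgraded before any request leaves the machine, so there is no plain-http 301 left to strip. Host names and header values are constructed.

```javascript
// Added example (not from the talk): a minimal model of the browser's HSTS cache.
// record() is called with the header of an https response; upgrade() is what the
// browser does to an http:// URL before sending it. Hosts below are constructed.
class HstsCache {
  constructor() { this.entries = new Map(); }   // host -> { expires, includeSubDomains }

  // Parse a Strict-Transport-Security header value and remember the host.
  // max-age=0 (or no max-age at all) removes the host, as the header semantics require.
  record(host, headerValue, now = Date.now()) {
    let maxAge = null, includeSubDomains = false;
    for (const part of headerValue.split(';')) {
      const [name, value] = part.trim().split('=').map((s) => s.trim().toLowerCase());
      if (name === 'max-age' && /^\d+$/.test(value)) maxAge = Number(value);
      if (name === 'includesubdomains') includeSubDomains = true;
    }
    host = host.toLowerCase();
    if (maxAge === null || maxAge === 0) { this.entries.delete(host); return false; }
    this.entries.set(host, { expires: now + maxAge * 1000, includeSubDomains });
    return true;
  }

  // Return the URL the browser will actually fetch: https:// when the host, or a
  // parent domain recorded with includeSubDomains, is known and unexpired;
  // otherwise the URL unchanged (this is the unprotected first visit).
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    const labels = u.hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) {
        u.protocol = 'https:';
        return u.toString();
      }
    }
    return url;
  }
}
```

The first http:// request to a host the cache has never seen is still sent in the clear, which is why the talk pairs HSTS with serving the site over TLS from the start.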
XSS – Cross Site Scripting
Possibility to inject client-side scripts into webpages
• Reflective
• Persistent
• Leads to other risks, such as Session Hijacking, browser takeovers
XSS – Reflective XSS
$('#searchTerm').val(' searchterm ');
Trusted data | Untrusted data: searchterm | Trusted data
XSS – Reflective XSS
$('#searchTerm').val(' ');alert('pwned');// ');
Trusted data | Untrusted data: ');alert('pwned');// | Trusted data
Beef – capture video
Content Security Policy
XSS – mitigations & Bad Session Management
XSS
• Output encoding (CSS, Javascript, Xml, HTML)
• Content Security Policy (http://blog.baslijten.com/sitecore-security-3-prevent-xss-using-content-security-policy/)
Bad Session management
• Don’t clear cookies
• Change your Session ID after Login and Logout
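The reflective XSS slides above show the search term breaking out of a JavaScript string literal; the "output encoding" mitigation fixes that by encoding for the JavaScript context, not just HTML. The following is an added example (not code from the talk or from Sitecore): the slide's inline script rendered once by plain concatenation and once with JavaScript string encoding, executed against constructed jQuery and alert stand-ins so the difference is observable without a browser.

```javascript
// Added example (not from the talk): building the slide's inline script from an
// untrusted search term, unsafely and with JavaScript string encoding (the OWASP
// "JavaScript encode" rule for data placed inside a quoted JS string). The jQuery
// and alert stand-ins are constructed here so the generated script can be run.

// Unsafe: the untrusted value is pasted straight into the JS string literal.
function renderUnsafe(term) {
  return "$('#searchTerm').val(' " + term + " ');";
}

// Encode every character outside [A-Za-z0-9] as \xHH or \uHHHH, so quotes,
// parentheses and slashes can never terminate the literal they are placed in.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function renderEncoded(term) {
  return "$('#searchTerm').val(' " + jsStringEncode(term) + " ');";
}

// Run a generated script against stubs and report what val() received and
// whether alert() fired.
function execute(script) {
  const state = { searchTerm: undefined, alerts: [] };
  const $ = () => ({ val: (v) => { state.searchTerm = v; } });
  const alert = (msg) => { state.alerts.push(msg); };
  new Function('$', 'alert', script)($, alert);
  return state;
}

// Constructed: the search term from the slide that closes the literal early.
const PAYLOAD = "');alert('pwned');//";
```

With encoding, the same term ends up as the literal text of the search box value instead of running, which is the outcome a CSP then backs up as a second layer.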
SQL Injection
Security Misconfiguration
Sitecore databases: core, master, web
Custom database: Comments
• Same credentials, same instance
• Separate credentials, least privilege
• Separate credentials, least privilege, separate instance
SQL Injection & Security Misconfiguration
• Parameterize your queries
• Use another service account
• Separate custom databases from Sitecore
Summary
Insufficient Transport Layer Protection
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
• Session fixation
• Don’t remove cookies
XSS (Reflective/Persistent)
• Don’t trust data
• Encode your (untrusted) data
SQL Injection
• Parameterize queries
• Use frameworks
Security Misconfiguration
• Least privileges
• Don’t share accounts for connections
Next steps/Resources
What to do
• Get to know the OWASP top 10
• Follow pluralsight courses – Hack yourself first / OWASP
• Three months – Write secure code
Resources available
• Get educated (See resources)
• Code on Github
Topic specific information
Topic | Url
Secure connections | HSTS for Sitecore
Secure connections | Understanding HTTP Strict Transport Security
Secure connections | Serve your Sitecore site securely over https with letsencrypt
Secure connections | Wifi Pineapple
Secure connections | Certificate Pinning
XSS | XSS Prevention Cheat Sheet
XSS | Content Security Policy Header
XSS | Report-uri.io
XSS | Content Security Policy for Sitecore
SQL Injection | SQL Injection Cheat Sheet
Replace password hashing mechanism | Sitecore password hashing algorithm
Security Misconfiguration | OWASP
Broken Session and Authentication Management | OWASP
General sources of Information
Source | Description
Bas Lijten | My blog ;)
Securitycore | My evilcore/safecore Github repository
Pluralsight | Ethical hacking courses – 40+ hours on security training
OWASP | Open Web Application Security Project
Troy Hunt | Security blogger
Dale Meredith | Security blogger, author of ethical hacking courses
Microsoft SDLC | Microsoft Secure Development Lifecycle
Beef | Browser Exploitation Framework
FOR DISCUSSION PURPOSES ONLY. Sitecore Confidential and Proprietary. © 2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.