Thoughts on Defensive Development for Sitecore

Presentation given by Thomas Powell (tpowell@pint.com) and Joe Lima (jlima@port80software.com) - 2-15-2012 covering WebAppSec issues with an emphasis on concerns with the Sitecore CMS platform.

Sorry for any small quirks in slideshare conversion.

Published in: Technology, Design

  1. Thoughts on Defensive Web Development. Today's Flavor - Sitecore. Thomas A. Powell (tpowell@pint.com), Joe Lima (jlima@port80software.com)
  2. Before We Start
     • Getting “defensive” requires a mindset change
     • Serious threats really exist
     • They can happen to you
     • Much can be prevented
     • But…there is no such thing as absolute security
  3. Today's Focus - Sitecore
     • First Question: Is Sitecore the target or is it a site run by Sitecore?
     • Oh BTW security isn't really as app specific as you might think
       • If it is you might have really big problems!
     • If you don't remember much today you won't act so … let's get memorable
  4. Open Source Fail?
     • It's open code to “hackers” too and if widely used becomes a big target
  5. Zoinks!
  6. Woohoo!
  7. Careful… Did “they” turn on you yet and with what force?
  8. There Be Web Orcs! I can SQL injectz you!
  9. And They Cause Troubles
  10. Why – Ego Defacement. Relax – Faked. This type of “tagging” is for cred
  11. Why - Hacktivism. All fun and games until LOIC is aimed at your site
  12. Why – 4 Lulz. OK so it isn't funny to you but it is to them
  13. Why – Spread Malware “Germs”. Put malware on your home page to infect others
  14. Why – ID Theft. You (or your users) are a commodity (at least your id, IP or cc# is)
  15. Why – Zombie Recruiting. Grow an army and then…“Awake my Zombie army and attack!”
  16. Why – For The $£¥€!
  17. Yes - Bad people are real. Credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove. And they're in your country too…
  18. Build some walls
  19. Man the defenses! “No worry, firewall is in place”
  20. We're awake! And what exactly do you see?
  21. Just another day on the Internetz
  22. The Usual Suspects: Input Tampering, SQL Injection, XSS, CSRF, RFI/LFI
  23. The Toolbox is Overflowing
  24. Attack #1: Stupid Bot Brigade - “Charge!” ../cmd.exe &1=1;droptable
  25. Attack #2: “I'm just a lowly peasant HTTP request, may I pass?”
  26. Think like a bouncer? “Yer not on the list. Come on in?!”
  27. The weak minded are easily tricked: “These are not the requests you are looking for”
  28. 0-day to the Face! “To get our new signature files you need a valid support plan”
  29. The Appearance of Security. The Intent Thief: “How quaint a club!”
  30. Real Security Tradeoffs: This...
  31. Security Tradeoffs: ...or this?
  32. I want it all!
  33. Attack Surfaces are Growing ... and many more. Notice that these may be indirect
  34. Many Targets Within
  35. What's Your Password? Keys to the Sitecore (or any CMS) Kingdom
  36. Finding the Right Door: Is your Sitecore instance public IP accessible and at the standard path?
  37. Psst…. This isn't hidden
  38. No Try Limit = No Security Eventually*. No retry limits + No Easy Alerting: Let a bot work on it
  39. Policy Time!
     • Active Directory module for authentication can help leverage any better policies you may have already
     • Custom validators can (and should) be built
     • Enforcement is key
  40. Keeping It Clean
     • Scan files with external services
     • Strip XSS triggers like <script>
     • Check for objectionable content
  41. Hack There To Hack Here
     • Your security posture may be weaker on your other sites and...
  42. Password Reuse + No Second Form = Fail. “Take this key and believe you are secure”*
  43. Who's Watching?
     • Enjoy your double cap, venti, packet captured browser session!
  44. The Hijacker's Guide
     • Grab a few .NET and Sitecore cookies
     • Start in the middle of the login sequence
     • Keep replaying them and stay logged in forever!
  45. Better SSL Your Sessions. No SSL out in open = grab and go admin session cookie
  46. Custom Risk
     • The CMS admin shell can be extended with custom ASP.NET applications
     • Watch out for expanded attack surfaces!
     • Remember to make sure that users have to be logged in to gain access
     • Sitecore.Shell.Web.UI.SecurePa
  47. Custom Trouble
     • Reality: Customers are often their own worst enemy
     • Excessive theme customization by non-security minded devs
     • Now in some third party components with their own troubles for good fun
  48. Face Palm: Customized templates without proper validation introduced XSS all over site
  49. Double Face Palm: Using pluploader for open source. See upload of new aspx file into site's Web root
  50. It's a 3rd Party Security Party! <script src=“http://other.com/libs/whatcouldgowrong.js”></script> <!-- Don't be such a hater everybody's doing it -->
  51. Dangerous Domains?
     • CMS in its own domain by default
     • But public and private sites with shared content aren't
     • An easy fix -- if you remember to do it!
  52. More XSS Fun: Product reviews, forums, and blog comments are generally ripe for XSS trouble
  53. XSS – Just Part of the Plan
     • XSS site with cookie grabber on review, blog comments, etc.
     • Do something to attract attention of site admin, like email saying problem on page X (the one with XSS)
     • Grab cookie for auth
     • Go back to admin or known URL of a backend – add user account, etc.
  54. Cookies really are Yummy! Me likey the Web...everyone gives me COOKIES!!! Num num num num
  55. Always Easiest to Attack People! Name: Jim LaFleur, Occupation: Chief of Security, Organization: Dharma Initiative
     • Find Jim's name/email in your site comments, LinkedIn, Facebook, etc.
  56. Spear Phish Scenario
     • Find XSS hole for reflection, search query, URL, etc.
     • Email as “end user” asking for support on the XSSable URL or get them to click on the XSS
     • Steal their cookie and login as them
  57. Rise of DoSing & Electronic Sit Ins
  58. DoS Attack Sadness
     • It can be 'legit' traffic that just overwhelms with regular correct HTTP
     • Watch dynamic pages in particular
     • POSTs and writes in particular
     • They can crowd source it easily
     • Countermeasures cost you $ if attackers know how to do it right
  59. Just Throw Money At IT
     • Sure it helps but there is no “silver bullet” box especially without a posture change
  60. Wrap Your App
     • Reality is in some cases you just have to put a WAF in – no way to patch fast enough
     • WAFs have their issues though often not strong enough or too strong
     • WAFs are only a part of covering yourself
  61. Tech Can't Solve This
  62. Go Back to Dev School: If Johnny builds a Web site he must not trust ______ A) form inputs B) query strings C) cookies D) end users E) all of the above
  63. Summary
     • Don't broadcast you use Sitecore (or .ASPX, IIS, etc.)
     • Remove backend from public access
     • Strengthen your auth – 2 factor if you can!
     • Avoid rich user submissions
     • Harden your sessions
  64. Summary
     • Scrub your source
     • Add an App Firewall
     • Plan for DOS attacks
     • Talk to your people
     • And most importantly pay attention
  65. Questions? Thomas A. Powell tpowell@pint.com, Joe Lima jlima@port80software.com, http://www.pint.com, http://www.port80software.com, Twitter: PINTSD, Twitter: port80software
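Slide 38 names the two missing pieces behind "let a bot work on it": no retry limit and no easy alerting. The block below is an added example written for this page (not Sitecore's own code or the deck's) of a throttle that sits in front of the real credential check, locks both the account name and the client address after a burst of failures, and reports every lock-out through a callback; the thresholds, key names and the sample usernames and addresses in the test are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed logins allowed per key inside WINDOW_SECONDS
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long a key stays locked once the limit is hit

class LoginThrottle:
    """Counts failed logins per account and per client IP and locks either key,
    so a bot can neither hammer one account nor spray many; every lock is alerted."""

    def __init__(self, alert, now=time.time):
        self.alert = alert                  # callable(event_dict); hook it to email/SIEM
        self.now = now                      # injectable clock so a test can fast-forward
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time at which the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if until > self.now():
            return True
        del self.locked_until[key]          # lock expired: forget it
        return False

    def _record_failure(self, key, username, client_ip):
        window = self.failures[key]
        cutoff = self.now() - WINDOW_SECONDS
        while window and window[0] < cutoff:  # drop failures outside the window
            window.popleft()
        window.append(self.now())
        if len(window) >= MAX_FAILURES:
            self.locked_until[key] = self.now() + LOCKOUT_SECONDS
            window.clear()
            self.alert({"event": "login_lockout", "key": key, "username": username, "client_ip": client_ip})

    def attempt(self, username, client_ip, check_password):
        """Return True only if no lock applies and check_password() succeeds."""
        keys = ("user:" + username.lower(), "ip:" + client_ip)
        if any(self.is_locked(k) for k in keys):
            return False                    # locked: the password is not even evaluated
        if check_password():
            for k in keys:
                self.failures[k].clear()    # a real login resets the counters
            return True
        for k in keys:
            self._record_failure(k, username, client_ip)
        return False
```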
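Slides 43 to 45 describe the captured and replayed admin cookie, and slide 63 says to harden your sessions. The added example below (written for this page, not taken from the deck or from Sitecore's shipped web.config) audits an ASP.NET web.config fragment for the four settings that decide whether a sniffed cookie is usable; both fragments are constructed for the example, and /sitecore/login appears only as an illustrative loginUrl value.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not Sitecore's shipped file): cookies may travel over
# plain HTTP, are readable by script, and the forms ticket renews itself on every request.
WEAK_CONFIG = """<configuration><system.web>
  <httpCookies requireSSL="false" httpOnlyCookies="false" />
  <authentication mode="Forms">
    <forms loginUrl="/sitecore/login" requireSSL="false" slidingExpiration="true" timeout="20" />
  </authentication>
</system.web></configuration>"""

# The same fragment with the settings a TLS-only CMS back end should carry.
HARDENED_CONFIG = """<configuration><system.web>
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
  <authentication mode="Forms">
    <forms loginUrl="/sitecore/login" requireSSL="true" slidingExpiration="false" timeout="20" />
  </authentication>
</system.web></configuration>"""

# (element tag, attribute, required value, why the other value matters on slides 43-45)
CHECKS = [
    ("httpCookies", "requireSSL", "true",
     "cookies are sent over plain HTTP, so a packet capture yields the session"),
    ("httpCookies", "httpOnlyCookies", "true",
     "cookies are readable by injected script, which is what a cookie grabber needs"),
    ("forms", "requireSSL", "true",
     "the forms-auth ticket is accepted over plain HTTP"),
    ("forms", "slidingExpiration", "false",
     "each replay renews the ticket instead of letting it expire at a fixed time"),
]

def audit_web_config(xml_text):
    """Return one finding string per weak setting; an empty list means all checks pass.
    A missing attribute is a finding too: the ASP.NET default for each is the weak value."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, attr, wanted, why in CHECKS:
        node = next(root.iter(tag), None)            # first matching element, if any
        actual = None if node is None else node.get(attr)
        if actual is None or actual.lower() != wanted:
            findings.append(f"<{tag} {attr}={actual!r}> should be {wanted}: {why}")
    return findings
```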
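Slides 40, 48 and 52 turn on one control: stripping triggers like <script> from reviews, comments and template input. The added example below (written for this page, not from the deck or Sitecore) scores that blacklist against a few constructed comment samples and compares it with encoding on output, the same idea as HttpUtility.HtmlEncode in ASP.NET; ACTIVE_CONTENT is a deliberately simple heuristic for "would a browser execute this", not a production XSS detector.

```python
import html
import re

# Constructed samples of what a review or comment form receives (not real submissions).
SAMPLES = [
    "Great product, 5 stars!",
    "<script>alert(1)</script>",                   # the trigger slide 40 strips
    "<img src=x onerror=alert(1)>",                # executes with no <script> tag at all
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # a single-pass strip reassembles the tag
]

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# A raw tag a browser would execute: <script>, or any tag carrying an on* handler or a
# javascript: URL. Used here only to score the two filters on the samples above.
ACTIVE_CONTENT = re.compile(r"<script\b|<\w+[^>]*(?:\bon\w+\s*=|javascript:)", re.IGNORECASE)

def strip_script_tags(text):
    """Blacklist approach from slide 40: remove <script> tags and trust the rest."""
    return SCRIPT_TAG.sub("", text)

def encode_for_html_body(text):
    """Encode on output: escape & < > \" ' so the browser renders the text as data,
    never as markup. This is the HtmlEncode step a rendering should apply."""
    return html.escape(text, quote=True)

def still_active(rendered):
    """True if the string, placed in an HTML body, still contains executable markup."""
    return ACTIVE_CONTENT.search(rendered) is not None

def count_survivors(filter_fn):
    """How many samples remain executable after filter_fn: lower is better."""
    return sum(1 for s in SAMPLES if still_active(filter_fn(s)))
```

Stripping leaves two of the four samples live (the handler attribute and the nested tag), encoding leaves none; the lesson is that the allow-nothing default is output encoding, with stripping at most a secondary clean-up.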