Keeping Hackers out
Presented by: Bas Lijten – @BasLijten
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM

Tracker.Current.Session.Identify("bas") (slide 4)
Bas Lijten, Principal Architect, The Netherlands
linkedin.com/in/baslijten
blog.baslijten.com
twitter.com/baslijten

What can you expect? (slide 5)
• DEMOS!

OWASP – reference card (slide 7)

Meet Evilcore™… (slide 9)
Download my security module on github.com/BasLijten/SitecoreSecurity

Bobby Hack (slide 10)
… and meet Bobby Hack – pwn the eXperience
https://twitter.com/bobbyhack_sc
Man in the middle attack (slides 11-13)

WiFi Pineapple – ?? YES (slide 14)
WiFi Pineapple – Jasager (slide 15)
17
HTTP 1.1
It’s faster
HTTP 2
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
18
It’s better for SEO
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
19
https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
20
It’s Free
http://blog.baslijten.com/sitecore-security-4-serve-your-site-securely-over-https-with-lets-encrypt/
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
22
Unsafe http to https redirects using a 301
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
23
HSTS – Internal 307 redirect
http://blog.baslijten.com/sitecore-security-2-secure-connections-and-how-
to-force-the-browser-to-use-the-secure-connection/
© 2001-2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.
#Sitecore SYM
24
• Don’t access publicWiFi
• Transport Layer Security
• HTTP StrictTransport Security
Mitigations
XSS – Cross Site Scripting (slide 25)
Possibility to inject client-side scripts into web pages
• Reflective
• Persistent
• Leads to other risks, such as session hijacking and browser takeovers

XSS – Reflective XSS (slide 26)
$('#searchTerm').val(' searchterm ');
Trusted data: $('#searchTerm').val('  |  Untrusted data: searchterm  |  Trusted data: ');

XSS – Reflective XSS (slide 27)
$('#searchTerm').val(' ');alert('pwned');// ');
Trusted data: $('#searchTerm').val('  |  Untrusted data: ');alert('pwned');//  |  Trusted data: ');
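The two reflective-XSS slides above show trusted script wrapped around an untrusted search term. As an added example (not from the slides or the author's module), the JavaScript below renders that inline script both ways, with the term raw and with the term encoded for a JavaScript string context, and executes each against stubbed `$` and `alert` so the difference is observable without a browser. The `encodeForJavaScript`, `renderVulnerable`, `renderEncoded` and `runInlineScript` names are mine.

```javascript
// Added example (not from the slides): the search page emits
// `$('#searchTerm').val('<term>');` into an inline script. Concatenating the raw
// term lets the term break out of the string literal; encoding it for a
// JavaScript string context keeps it data. `$` and `alert` are stubs here.

// Encode untrusted text for use inside a JS string literal: every character
// outside [A-Za-z0-9] becomes \xHH or \uHHHH, so quotes, backslashes, "</script>"
// and line terminators can never alter the surrounding syntax.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable template (slides 26/27): trusted code around raw untrusted data.
function renderVulnerable(term) {
  return "$('#searchTerm').val('" + term + "');";
}

// Hardened template: same trusted code, untrusted data encoded for the context.
function renderEncoded(term) {
  return "$('#searchTerm').val('" + encodeForJavaScript(term) + "');";
}

// Execute a generated inline script against stubbed jQuery/alert and report
// what the page would observe: the value assigned to #searchTerm, whether an
// injected alert() ran, and whether the script failed to parse.
function runInlineScript(script) {
  const observed = { value: undefined, alertCalled: false, syntaxError: false };
  const $ = () => ({ val: (v) => { observed.value = v; } });
  const alert = () => { observed.alertCalled = true; };
  try {
    new Function("$", "alert", script)($, alert);
  } catch (e) {
    observed.syntaxError = e instanceof SyntaxError;
  }
  return observed;
}
```

With the slide's term `');alert('pwned');//` the vulnerable template runs the injected call, while the encoded template assigns exactly that text to the field and nothing else executes.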
BeEF – capture video (slide 31)

Content Security Policy (slide 32)

XSS – mitigations & Bad Session Management (slide 33)
XSS
• Output encoding (CSS, JavaScript, XML, HTML)
• Content Security Policy (http://blog.baslijten.com/sitecore-security-3-prevent-xss-using-content-security-policy/)
Bad session management
• Don't clear cookies
• Change your Session ID after login and logout
SQL Injection

Security Misconfiguration (slide 35)
[diagram] Sitecore instance with its databases: core, master, web

Security Misconfiguration (slide 36)
[diagram] Sitecore instance with core, master, web, plus a custom Comments database

Security Misconfiguration (slide 37)
Same credentials, same instance
[diagram] Sitecore instance with core, master, web and Comments, one account, one SQL instance

Security Misconfiguration (slide 38)
Separate credentials, least privilege
[diagram] Sitecore instance with core, master, web and Comments, Comments using its own account

Security Misconfiguration (slide 39)
Separate credentials, least privilege, separate instance
[diagram] Sitecore instance with core, master, web; Comments on its own instance with its own account

SQL Injection & Security Misconfiguration (slide 40)
• Parameterize your queries
• Use another service account
• Separate custom databases from Sitecore
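The "same credentials, same instance" slides describe a configuration you can check mechanically. The JavaScript below is an added example, not code from the slides or the author's module: it parses SQL Server connection strings in the shape of the `core`/`master`/`web` entries in Sitecore's ConnectionStrings.config and flags a custom connection that shares the service account or the server instance with them. The `comments` connection, the server names `sql01`/`sql02`, the logins and the `findSharedAccess`/`parseConnectionString` names are constructed for this example.

```javascript
// Added example (not from the slides): a configuration check for the situation
// on the "Security Misconfiguration" slides. All connection strings here are
// constructed sample data; server names, logins and passwords are made up.

const SITECORE_DATABASES = new Set(["core", "master", "web"]);

// Parse "key=value;key=value" into { server, database, user, integrated },
// accepting the usual aliases for server, database and user id.
function parseConnectionString(cs) {
  const out = { server: "", database: "", user: "", integrated: false };
  for (const part of cs.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim();
    if (["data source", "server", "address"].includes(key)) out.server = value.toLowerCase();
    else if (["initial catalog", "database"].includes(key)) out.database = value.toLowerCase();
    else if (["user id", "uid", "user"].includes(key)) out.user = value.toLowerCase();
    else if (["integrated security", "trusted_connection"].includes(key))
      out.integrated = ["true", "sspi", "yes"].includes(value.toLowerCase());
  }
  return out;
}

// connectionStrings: { name: connectionString }, keyed like ConnectionStrings.config.
// Returns one finding per custom connection that shares an account or an
// instance with a Sitecore database, naming the Sitecore connections involved.
function findSharedAccess(connectionStrings) {
  const all = Object.entries(connectionStrings).map(([name, cs]) => ({ name, ...parseConnectionString(cs) }));
  const sitecore = all.filter((c) => SITECORE_DATABASES.has(c.name));
  const custom = all.filter((c) => !SITECORE_DATABASES.has(c.name));
  const findings = [];
  for (const c of custom) {
    // Same account: identical SQL login, or both running as the app pool identity.
    const sameAccount = sitecore.filter((s) => (s.integrated && c.integrated) || (s.user && s.user === c.user));
    const sameInstance = sitecore.filter((s) => s.server && s.server === c.server);
    if (sameAccount.length) findings.push({ connection: c.name, issue: "same credentials", with: sameAccount.map((s) => s.name) });
    if (sameInstance.length) findings.push({ connection: c.name, issue: "same instance", with: sameInstance.map((s) => s.name) });
  }
  return findings;
}

// Constructed sample, slide 37: the custom Comments database reuses the Sitecore
// login on the same SQL instance, so an injection in the custom component
// reaches core/master/web with the same rights.
const SAMPLE_SHARED = {
  core: "Data Source=sql01;Initial Catalog=Sitecore_Core;User ID=sitecore_svc;Password=example",
  master: "Data Source=sql01;Initial Catalog=Sitecore_Master;User ID=sitecore_svc;Password=example",
  web: "Data Source=sql01;Initial Catalog=Sitecore_Web;User ID=sitecore_svc;Password=example",
  comments: "Data Source=sql01;Initial Catalog=Comments;User ID=sitecore_svc;Password=example",
};

// Constructed sample, slide 39: separate least-privilege login and separate instance.
const SAMPLE_SEPARATED = {
  ...SAMPLE_SHARED,
  comments: "Data Source=sql02;Initial Catalog=Comments;User ID=comments_rw;Password=example",
};
```

Run `findSharedAccess` over the `connectionStrings` section of the deployed configuration; an empty result corresponds to the slide 39 setup.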
Summary (slide 41)
Insufficient Transport Layer Protection
• Use Transport Layer Security
• Enforce HTTPS (HSTS header) to prevent stripping
Broken authentication / session management
• Session fixation
• Don't remove cookies
XSS (Reflective/Persistent)
• Don't trust data
• Encode your (untrusted) data
SQL Injection
• Parameterize queries
• Use frameworks
Security Misconfiguration
• Least privileges
• Don't share accounts for connections

Next steps/Resources (slide 42)
What to do
• Get to know the OWASP top 10
• Follow Pluralsight courses – Hack yourself first / OWASP
• Three months – Write secure code
Resources available
• Get educated (see resources)
• Code on GitHub

Topic specific information (slide 43) – topic: link
• Secure connections: HSTS for Sitecore
• Secure connections: Understanding HTTP Strict Transport Security
• Secure connections: Serve your Sitecore site securely over https with letsencrypt
• Secure connections: WiFi Pineapple
• Secure connections: Certificate Pinning
• XSS: XSS Prevention Cheat Sheet
• XSS: Content Security Policy Header
• XSS: Report-uri.io
• XSS: Content Security Policy for Sitecore
• SQL Injection: SQL Injection Cheat Sheet
• Replace password hashing mechanism: Sitecore password hashing algorithm
• Security Misconfiguration: OWASP
• Broken Session and Authentication Management: OWASP

General sources of information (slide 44) – source: description
• Bas Lijten: My blog ;)
• Securitycore: My evilcore/safecore GitHub repository
• Pluralsight: Ethical hacking courses – 40+ hours of security training
• OWASP: Open Web Application Security Project
• Troy Hunt: Security blogger
• Dale Meredith: Security blogger, author of ethical hacking courses
• Microsoft SDLC: Microsoft Secure Development Lifecycle
• BeEF: Browser Exploitation Framework

FOR DISCUSSION PURPOSES ONLY. Sitecore Confidential and Proprietary. © 2016 Sitecore Corporation A/S. All rights reserved. Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S. All other brand and product names are the property of their respective owners.

Keeping hackers out release to public


Editor's Notes

  • #3 68m https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
  • #4 164m
  • #5 Secure development Sitecore
  • #7 Top 10 with most critical web application security flaws
  • #15 Setup via Pineapple WiFi
  • #17 HTTPS login with the form being served over HTTP -> not safe
  • #18 Note: Only Windows 10/Windows server 2016
  • #21 Screenshots on how stuff works
  • #25 HSTS – blogpost + security module
  • #36 Standard Sitecore setup
  • #37 Situation when a custom component has been added
  • #38 Situation when that component has the same database permissions and resides in the same instance. Things WILL go wrong if you are vulnerable to SQL injection.