Thoughts on Defensive Web Development
Today’s Flavor - Sitecore
Thomas A. Powell
tpowell@pint.com
Joe Lima
jlima@port80software.com
Before We Start
• Getting “defensive” requires a mindset change
• Serious threats really exist
• They can happen to you
• Much can be prevented
• But… there is no such thing as absolute security
Today's Focus - Sitecore
• First Question: Is Sitecore the target or is it a site run by Sitecore?
• Oh BTW, security isn't really as app specific as you might think
  • If it is, you might have really big problems!
• If you don't remember much today you won't act, so … let's get memorable
OpenSource Fail?
• It's open code to “hackers” too and if widely used becomes a big target
Zoinks!
Woohoo!
Careful…
Did “they” turn on you yet and with what force?
There Be Web Orcs!
I can SQL injectz you!
And They Cause Troubles
Why – Ego Defacement
Relax – Faked. This type of “tagging” is for cred
Why - Hacktivism
All fun and games until LOIC is aimed at your site
Why – 4 Lulz
Ok so it isn't funny to you but it is to them
Why – Spread Malware “Germs”
Put malware on your home page to infect others
Why – ID Theft
You (or your users) are a commodity (at least your id, IP or cc# is)
Why – Zombie Recruiting
Grow an army and then… “Awake my Zombie army and attack!”
Why – For The $£¥€!
Yes - Bad people are real
credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
And they're in your country too…
Build some walls
Man the defenses!
“No worry, firewall is in place”
We're awake!
and what exactly do you see?
Just another day on the Internetz
The Usual Suspects
• Input Tampering
• SQL Injection
• XSS
• CSRF
• RFI/LFI
The Toolbox is Overflowing
Attack #1
Stupid Bot Brigade - “Charge!”
../cmd.exe &1=1;droptable
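Detection rather than attack for the traffic on this slide: an added example (not from the talk) that scans IIS-style log lines for the scanner fragments quoted above and counts hits per client address. The log lines and their reduced field layout are constructed for the illustration; real IIS logs carry more fields, so map the indexes to your own #Fields line.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class BotBrigadeDetector
{
    // Indicators of indiscriminate scanning, taken from the request fragments on the slide.
    private static readonly Regex[] Signatures =
    {
        new Regex(@"\.\./"),                                    // directory traversal
        new Regex(@"cmd\.exe", RegexOptions.IgnoreCase),        // old IIS cmd.exe probes
        new Regex(@"(^|\W)1=1(\W|$)"),                          // tautology probes
        new Regex(@"drop\s*table", RegexOptions.IgnoreCase),    // destructive SQL fragments
    };

    // Constructed reduced W3C layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    public static Dictionary<string, int> HitsPerClient(IEnumerable<string> logLines)
    {
        var hits = new Dictionary<string, int>();
        foreach (string line in logLines)
        {
            if (line.StartsWith("#")) continue;                 // #Fields and other directives
            string[] f = line.Split(' ');
            if (f.Length < 7) continue;
            string ip = f[2];
            string query = f[5] == "-" ? "" : f[5];
            // Decode once so %2e%2e%2f and %20 cannot hide the pattern from the regexes.
            string request = Uri.UnescapeDataString(f[4] + "?" + query);
            if (Signatures.Any(s => s.IsMatch(request)))
            {
                int n;
                hits.TryGetValue(ip, out n);
                hits[ip] = n + 1;
            }
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample: one address probing blindly, one ordinary visitor.
        string[] sample =
        {
            "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
            "2024-01-01 12:00:01 203.0.113.7 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 404",
            "2024-01-01 12:00:02 203.0.113.7 GET /products.aspx id=1%20or%201=1 200",
            "2024-01-01 12:00:03 203.0.113.7 GET /search.aspx q=x;drop%20table%20users 500",
            "2024-01-01 12:00:09 198.51.100.9 GET /about.aspx - 200",
            "2024-01-01 12:00:10 198.51.100.9 POST /sitecore/login/default.aspx - 302",
        };
        foreach (var kv in HitsPerClient(sample))
            Console.WriteLine(kv.Key + " -> " + kv.Value + " scanner-style requests");
    }
}
```

Feed the per-address counts into whatever alerting or blocklist you already have; a 404 on cmd.exe is noise on its own, but three probes from one address in two seconds is a bot worth watching.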
Attack #2
“I'm just a lowly peasant HTTP request, may I pass?”
Think like a bouncer?
“Yer not on the list. Come on in?!”
The weak minded are easily tricked
“These are not the requests you are looking for”
0-day to the Face!
“To get our new signature files you need a valid support plan”
The Appearance of Security
The Intent Thief: “How quaint a club!”
Real Security Tradeoffs
This...
Security Tradeoffs
...or this?
I want it all!
Attack Surfaces are Growing
and many more. Notice that these may be indirect
Many Targets Within
What's Your Password?
Keys to the Sitecore (or any CMS) Kingdom
Finding the Right Door
Is your Sitecore instance public IP accessible and at the standard path?
Psst…. This isn't hidden
No Try Limit = No Security Eventually*
No retry limits
+ No Easy Alerting
Let a bot work on it
Policy Time!
• Active Directory module for authentication can help leverage any better policies you may have already
• Custom validators can (and should) be built
• Enforcement is key
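The retry limit and alerting the previous two slides ask for, as an added example that is not Sitecore's own code or the talk's: a failed-login throttle keyed on both the account and the source address, with a lockout window and an alert hook. The limits, key names and alert delegate are assumptions for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Failed-login throttle with lockout and an alert hook (assumed design, not a Sitecore API).
public sealed class LoginThrottle
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly TimeSpan _lockout;
    private readonly Action<string> _alert;
    private readonly Dictionary<string, List<DateTime>> _failures = new Dictionary<string, List<DateTime>>();
    private readonly Dictionary<string, DateTime> _lockedUntil = new Dictionary<string, DateTime>();

    public LoginThrottle(int maxFailures, TimeSpan window, TimeSpan lockout, Action<string> alert)
    {
        _maxFailures = maxFailures;
        _window = window;
        _lockout = lockout;
        _alert = alert;
    }

    // Check before verifying the password. Both the account and the source address are
    // throttled, so a bot cannot spread its guesses across many accounts from one address.
    public bool IsAllowed(string account, string sourceIp, DateTime now)
    {
        return !IsLocked("user:" + account.ToLowerInvariant(), now) && !IsLocked("ip:" + sourceIp, now);
    }

    public void RecordFailure(string account, string sourceIp, DateTime now)
    {
        Bump("user:" + account.ToLowerInvariant(), now);
        Bump("ip:" + sourceIp, now);
    }

    public void RecordSuccess(string account)
    {
        _failures.Remove("user:" + account.ToLowerInvariant());
    }

    private bool IsLocked(string key, DateTime now)
    {
        DateTime until;
        return _lockedUntil.TryGetValue(key, out until) && until > now;
    }

    private void Bump(string key, DateTime now)
    {
        List<DateTime> times;
        if (!_failures.TryGetValue(key, out times))
        {
            times = new List<DateTime>();
            _failures[key] = times;
        }
        times.Add(now);
        times.RemoveAll(t => now - t > _window);    // only failures inside the window count
        if (times.Count >= _maxFailures)
        {
            _lockedUntil[key] = now + _lockout;
            times.Clear();
            _alert("lockout " + key + ": " + _maxFailures + " failures within " + _window);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Wire the alert to mail or your SIEM in practice; here it just prints.
        var throttle = new LoginThrottle(5, TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(15),
            msg => Console.WriteLine("ALERT " + msg));
        var start = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        // Constructed sample: one address guessing the admin password every ten seconds.
        for (int i = 0; i < 7; i++)
        {
            DateTime now = start.AddSeconds(10 * i);
            if (!throttle.IsAllowed("admin", "203.0.113.7", now))
            {
                Console.WriteLine("attempt " + (i + 1) + " refused before the password is checked");
                continue;
            }
            throttle.RecordFailure("admin", "203.0.113.7", now);   // assume each guess was wrong
            Console.WriteLine("attempt " + (i + 1) + " failed");
        }
        // Tradeoff: the real admin from another address is locked out too until the lockout passes.
        Console.WriteLine("admin from elsewhere allowed? "
            + throttle.IsAllowed("admin", "198.51.100.9", start.AddMinutes(1)));
    }
}
```

The account-level lock is what turns a guessing bot into a denial of service against that user, so pair it with the alert and a short lockout rather than a permanent one.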
Keeping It Clean
• Scan files with external services
• Strip XSS triggers like <script>
• Check for objectionable content
Hack There To Hack Here
• Your security posture may be weaker on your other sites and...
Password Reuse + No Second Form = Fail
“Take this key and believe you are secure”*
Who's Watching?
• Enjoy your double cap, venti, packet captured browser session!
The Hijacker's Guide
• Grab a few .NET and Sitecore cookies
• Start in the middle of the login sequence
• Keep replaying them and stay logged in forever!
Better SSL Your Sessions
No SSL out in open = grab and go admin session cookie
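An added example, not from the slides: the ASP.NET web.config settings that keep the forms-authentication and session cookies off plaintext HTTP and out of reach of page scripts, which is what closes the grab-and-replay sequence on the previous slide. It assumes the site is already served over HTTPS and that you merge the forms settings into the authentication element your web.config already has rather than adding a second one; the timeout is illustrative.

```xml
<configuration>
  <system.web>
    <!-- Every cookie the framework issues gets HttpOnly and Secure -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <!-- Auth ticket only over SSL; a fixed lifetime instead of sliding renewal -->
      <forms requireSSL="true" slidingExpiration="false" timeout="20" cookieless="UseCookies" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Browsers that have seen this over HTTPS will not send the cookies over HTTP again -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

With requireSSL set, a login attempted over plain HTTP simply fails to set the cookie, so test the admin path over HTTPS after the change.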
Custom Risk
• The CMS admin shell can be extended with custom ASP.NET applications
• Watch out for expanded attack surfaces!
• Remember to make sure that users have to be logged in to gain access
• Sitecore.Shell.Web.UI.SecurePa
Custom Trouble
• Reality: Customers are often their own worst enemy
• Excessive theme customization by non-security minded devs
• Now in some third party components with their own troubles, for good fun
Face Palm
Customized templates without proper validation introduced XSS all over the site
Double Face Palm
Using pluploader for open source
See upload of new aspx file into site's Web root
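The server-side checks that would have stopped the .aspx on this slide, as an added example that is neither pluploader's nor Sitecore's code: a single allowlisted extension, a magic-byte check on the content, and storage under a server-chosen name outside the web root. The allowlist, magic numbers and storage path are assumptions for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class UploadGuard
{
    // Allowed extensions and the bytes a file of that type must start with (assumed allowlist).
    private static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { "png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
        { "jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { "pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },
    };

    // Returns null when the upload is acceptable, otherwise the reason it was refused.
    public static string Reject(string clientFileName, byte[] content)
    {
        // Keep only the final path component; any directory the client sent is ignored.
        string name = Path.GetFileName(clientFileName ?? "");
        if (name.Length == 0) return "empty file name";
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return "invalid characters in name";
        // Exactly one extension, so "shell.aspx.png" and "a.png;.aspx" are refused outright.
        string[] parts = name.Split('.');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            return "name must be base.ext with a single extension";
        byte[] magic;
        if (!Allowed.TryGetValue(parts[1], out magic)) return "extension not allowed: " + parts[1];
        if (content == null || content.Length < magic.Length) return "content too short";
        for (int i = 0; i < magic.Length; i++)
            if (content[i] != magic[i]) return "content is not a " + parts[1].ToLowerInvariant();
        return null;
    }

    // Writes an accepted upload under a server-chosen name in a folder outside the web root,
    // so a mistake elsewhere cannot turn an upload into a page the server will execute.
    public static string Store(string storageRoot, string clientFileName, byte[] content)
    {
        string reason = Reject(clientFileName, content);
        if (reason != null) throw new InvalidOperationException("upload refused: " + reason);
        string ext = Path.GetFileName(clientFileName).Split('.')[1].ToLowerInvariant();
        string serverName = Guid.NewGuid().ToString("N") + "." + ext;
        File.WriteAllBytes(Path.Combine(storageRoot, serverName), content);
        return serverName;   // keep the client's original name only as metadata
    }

    public static void Main()
    {
        // Constructed inputs: a real PNG header and the first bytes of an .aspx page ("<%@ ").
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
        byte[] aspx = { 0x3C, 0x25, 0x40, 0x20 };
        string[] names = { "photo.png", "shell.aspx", "shell.aspx.png", "notes.pdf", "photo.png" };
        byte[][] bodies = { png, aspx, png, png, aspx };
        for (int i = 0; i < names.Length; i++)
            Console.WriteLine(names[i] + ": " + (Reject(names[i], bodies[i]) ?? "accepted"));
    }
}
```

Serve stored files back through a handler that sets the content type and Content-Disposition from your own record of the upload, never through a URL that maps straight into the storage folder.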
It's a 3rd Party Security Party!
<script src="http://other.com/libs/whatcouldgowrong.js"></script>
<!-- Don't be such a hater, everybody's doing it -->
Dangerous Domains?
• CMS in its own domain by default
• But public and private sites with shared content aren't
• An easy fix -- if you remember to do it!
More XSS Fun
Product reviews, forums, and blog comments are generally ripe for XSS trouble
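For the review and comment XSS here, the template XSS on the Face Palm slide, and the “strip <script>” item under Keeping It Clean, an added example (not from the talk) that puts the tag-stripping blacklist next to output encoding and shows why only the latter holds up. The markup and the sample comment are constructed for the illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class CommentRendering
{
    // Blacklist: remove <script> tags and hope nothing else in the text executes.
    public static string StripScriptTags(string input)
    {
        return Regex.Replace(input, @"</?script[^>]*>", "", RegexOptions.IgnoreCase);
    }

    // Allowlist: untrusted text is encoded for the context it lands in (an attribute value
    // and an element body here), so the browser never parses any of it as markup.
    public static string RenderComment(string author, string body)
    {
        return "<li data-author=\"" + WebUtility.HtmlEncode(author) + "\">"
             + WebUtility.HtmlEncode(body) + "</li>";
    }

    public static void Main()
    {
        // Constructed comment that contains no <script> tag at all, so the blacklist has
        // nothing to remove, while an event handler attribute still runs in the browser.
        string body = "great product <img src=x onerror=alert(1)>";
        // Constructed author name that tries to break out of the attribute it is written into.
        string author = "jim\" onmouseover=\"alert(1)";
        Console.WriteLine(StripScriptTags(body));
        Console.WriteLine(RenderComment(author, body));
    }
}
```

Input filtering can stay as a content-quality step, but the security control is encoding every untrusted value at the point it is written into HTML, in the templates as much as in the comment widgets.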
XSS – Just Part of the Plan
• XSS site with cookie grabber on review, blog comments, etc.
• Do something to attract attention of site admin, like email saying problem on page X (the one with XSS)
• Grab cookie for auth
• Go back to admin or known URL of a backend – add user account, etc.
Cookies really are Yummy!
Me likey the Web...everyone gives me COOKIES!!! Num num num num
Always Easiest to Attack People!
Name: Jim LaFleur
Occupation: Chief of Security
Organization: Dharma Initiative
• Find Jim's name/email in your site comments, LinkedIn, Facebook, etc.
Spear Phish Scenario
• Find XSS hole for reflection, search query, URL, etc.
• Email as “end user” asking for support on the XSSable URL or get them to click on the XSS
• Steal their cookie and login as them
Rise of DoSing & Electronic Sit Ins
DoS Attack Sadness
• It can be 'legit' traffic that just overwhelms with regular correct HTTP
• Watch dynamic pages in particular
  • POSTs and writes in particular
• They can crowd source it easily
• Countermeasures cost you $ if attackers know how to do it right
Just Throw Money At IT
• Sure it helps but there is no “silver bullet” box, especially without a posture change
Wrap Your App
• Reality is in some cases you just have to put a WAF in – no way to patch fast enough
• WAFs have their issues though, often not strong enough or too strong
• WAFs are only a part of covering yourself
Tech Can't Solve This
Go Back to Dev School
If Johnny builds a Web site he must not trust ______
A) form inputs B) query strings C) cookies D) end users E) all of the above
Summary
• Don't broadcast you use Sitecore (or .ASPX, IIS, etc.)
• Remove backend from public access
• Strengthen your auth – 2 factor if you
  can!
• Avoid rich user submissions
• Harden your sessions
Summary
• Scrub your source
• Add an App Firewall
• Plan for DOS attacks
• Talk to your people
• And most importantly pay attention
Questions?
Thomas A. Powell
tpowell@pint.com
Joe Lima
jlima@port80software.com
http://www.pint.com
http://www.port80software.com
Twitter: PINTSD
Twitter: port80software
More Related Content

What's hot

Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
Nicholas Batik
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website Security
StopTheHacker
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
Chris Burgess
 
Overview of information security
Overview of information securityOverview of information security
Overview of information security
Askao Ahmed Saad
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Top Draw Inc.
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
Internet for everyone
Internet for everyoneInternet for everyone
Internet for everyone
Ashesh R
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
Zero Point Development
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
Manifest Creative
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
jakobkorherr
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP Meetup
Oyster Bay Marauders LLC
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
UltraUploader
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 

What's hot (20)

Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
 
Webinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website SecurityWebinar - Tips and Tricks on Website Security
Webinar - Tips and Tricks on Website Security
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
 
Overview of information security
Overview of information securityOverview of information security
Overview of information security
 
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy LeeBeefy WordPress Security Wordcamp 2012 by Tammy Lee
Beefy WordPress Security Wordcamp 2012 by Tammy Lee
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
Internet for everyone
Internet for everyoneInternet for everyone
Internet for everyone
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP Meetup
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 

Similar to Thoughts on Defensive Development for Sitecore

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and Concerns
PINT Inc
 
Confidence web
Confidence webConfidence web
Confidence web
Dan Kaminsky
 
Head Slapping WordPress Security
Head Slapping WordPress SecurityHead Slapping WordPress Security
Head Slapping WordPress Security
Chris Burgess
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
Security Innovation
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
Prakashchand Suthar
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
Luis Grangeia
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
Luis Grangeia
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defense
Dan Kaminsky
 
Computer Security
Computer SecurityComputer Security
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
Madhu Akula
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
shendison
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
Michele Butcher-Jones
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
IMMUNIO
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2
Dan Kaminsky
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
Christian Heilmann
 

Similar to Thoughts on Defensive Development for Sitecore (20)

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and Concerns
 
Confidence web
Confidence webConfidence web
Confidence web
 
Head Slapping WordPress Security
Head Slapping WordPress SecurityHead Slapping WordPress Security
Head Slapping WordPress Security
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defense
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 
2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting2010 11 pubcon_hendison-hosting
2010 11 pubcon_hendison-hosting
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
 

Recently uploaded

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 

Thoughts on Defensive Development for Sitecore

  • 1. Thoughts on Defensive Web Development Today’s Flavor - Sitecore Thomas A. Powell tpowell@pint.com Joe Lima jlima@port80software.com
  • 2. Before We Start • Getting “defensive” requires a mindset change • Serious threats really exist • They can happen to you • Much can be prevented • But…there is no such thing as absolute security
  • 3. Todays Focus - Sitecore • First Question: Is Sitecore the target or is it a site run by Sitecore? • Oh BTW security isn‟t really as app specific as you might think • If it is you might have really big problems! • If you don‟t remember much today you won‟t act so … let‟s get memorable
  • 4. OpenSource Fail? • It‟s open code to “hackers” too and if widely used becomes a big target
  • 7. Careful… Did “they” turn on you yet and with what force?
  • 8. There Be Web Orcs! I can SQL injectz you!
  • 9. And They Cause Troubles
  • 10. Why – Ego Defacement Relax – Faked This type of “tagging” for cred
  • 11. Why - Hactivism All fun and games until LOIC is aimed at your site
  • 12. Why – 4 Lulz Ok so it isn‟t funny to you but it is to them
  • 13. Why – Spread Malware “Germs” Put malware on your home page to infect others
  • 14. Why – ID Theft You (or your users) are a commodity (at least your id, IP or cc# is)
  • 15. Why – Zombie Recruiting Grow and army and then… “Awake my Zombie army and attack!”
  • 16. Why – For The $£¥€!
  • 17. Yes - Bad people are real credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove And they‟re in your country too…
  • 19. Man the defenses! “No worry, firewall is in place”
  • 20. We‟re awake! and what exactly do you see?
  • 21. Just another day on the Internetz
  • 22. The Usual Suspects Input Tampering SQL Injection XSS CSRF RFI/LFI
  • 23. The Toolbox is Overflowing
  • 24. Attack #1 Stupid Bot Brigade - “Charge!” ../cmd.exe &1=1;droptable
  • 25. Attack #2 “I‟m just a lowly peasant HTTP request , may I pass?”
  • 26. Think like a bouncer? “Yer not on the list. Come on in?!”
  • 27. The weak minded are easily tricked “These are not the requests you are looking for”
  • 28. 0-day to the Face! “To get our new signature files you need a valid support plan”
  • 29. The Appearance of Security The Intent Thief: “How quaint a club!”
  • 31. Security Tradeoffs ...or this?
  • 32. I want it all!
  • 33. Attack Surfaces are Growing and many more. Notice that these may be indirect
  • 35. What's Your Password? Keys to the Sitecore (or any CMS) Kingdom
  • 36. Finding the Right Door Is your Sitecore instance public IP accessible and at the standard path?
  • 38. No Try Limit = No Security Eventually* No retry limits + No Easy Alerting Let a bot work on it
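Slide 38 names the two halves of the problem: no retry limit and no easy alerting. Even without a lockout, the attempts are sitting in the IIS log, next to the bot probes from slide 24 and the 404 bursts note 9 mentions. What follows is an added example, not code from the talk or from Sitecore: it parses a few constructed IIS W3C log lines (the IPs, times and paths are made up, the field names are the ones IIS writes by default) and flags password guessing against /sitecore/login, scanners whose requests mostly miss, and requests carrying traversal or injection markers. The thresholds are assumptions to tune per site.

```python
"""Spot password guessing and scanner bots in IIS W3C log lines.

Added example for the Sitecore talk, not code from the deck or from Sitecore.
The log below is constructed (IPs, times, paths); it uses the W3C extended
field names IIS writes by default. Thresholds are assumptions to tune per site.
"""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: a normal visitor (203.0.113.5), a bot hammering the
# login form (198.51.100.7), and a scanner walking well-known paths (192.0.2.9).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-05-01 10:00:01 GET /default.aspx - 203.0.113.5 200
2011-05-01 10:00:02 GET /products.aspx id=42 203.0.113.5 200
2011-05-01 10:00:03 GET /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:04 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:05 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:06 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:07 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:08 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:09 POST /sitecore/login/ - 198.51.100.7 200
2011-05-01 10:00:10 GET /scripts/..%2F..%2Fwinnt/system32/cmd.exe - 192.0.2.9 404
2011-05-01 10:00:11 GET /phpmyadmin/ - 192.0.2.9 404
2011-05-01 10:00:12 GET /wp-login.php - 192.0.2.9 404
2011-05-01 10:00:13 GET /admin/ - 192.0.2.9 404
2011-05-01 10:00:14 GET /products.aspx id=1;drop%20table%20users 192.0.2.9 500
"""

# Substrings that almost never appear in legitimate URLs; matched after decoding.
PROBE_MARKERS = ("../", "cmd.exe", "drop table", "union select", "<script")


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split()  # IIS URL-encodes spaces, so whitespace only separates fields
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_login_bruteforce(records, login_path="/sitecore/login", threshold=5):
    """Map client IP -> number of POSTs to the login page, for IPs at or above threshold.

    A failed forms-auth login normally comes back as 200 (the page re-renders
    with an error message), so the volume of POSTs is the signal, not the status.
    """
    posts = Counter(
        r["c-ip"] for r in records
        if r["cs-method"] == "POST"
        and r["cs-uri-stem"].lower().rstrip("/") == login_path
    )
    return {ip: n for ip, n in posts.items() if n >= threshold}


def find_scanners(records, min_requests=4, min_miss_ratio=0.5):
    """Return IPs whose requests mostly end in 404/500: the 'stupid bot brigade'."""
    total, misses = Counter(), Counter()
    for r in records:
        total[r["c-ip"]] += 1
        if r["sc-status"] in ("404", "500"):
            misses[r["c-ip"]] += 1
    return sorted(
        ip for ip, n in total.items()
        if n >= min_requests and misses[ip] / n >= min_miss_ratio
    )


def find_probes(records):
    """Return (client IP, decoded URL) pairs whose URL carries a probe marker."""
    hits = []
    for r in records:
        query = "" if r["cs-uri-query"] == "-" else "?" + r["cs-uri-query"]
        decoded = unquote(r["cs-uri-stem"] + query).lower()
        if any(marker in decoded for marker in PROBE_MARKERS):
            hits.append((r["c-ip"], decoded))
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("login guessing:", find_login_bruteforce(recs))
    print("scanners:", find_scanners(recs))
    for ip, url in find_probes(recs):
        print("probe from", ip, "->", url)
```

Run it against a real log by swapping SAMPLE_LOG for the file contents; the `#Fields` line in the file drives the parser, so extra columns such as cs(User-Agent) or time-taken need no code change. Counting POSTs rather than error codes is deliberate: a failed forms login is a 200 in the log, so a status-based rule sees nothing.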
  • 39. Policy Time! • Active Directory module for authentication can help leverage any better policies you may have already • Custom validators can (and should) be built • Enforcement is key
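The retry limit and password policy that slides 38 and 39 (and note 15) ask for live in the ASP.NET membership provider section of web.config. The excerpt below is an added example, not Sitecore's shipped configuration: the provider name, connectionStringName and applicationName are assumptions, so keep whatever your instance already declares and change only the policy attributes.

```xml
<!-- web.config excerpt (added example). Provider name, connectionStringName and
     applicationName are assumptions: keep the values your Sitecore instance already
     declares and change only the policy attributes. -->
<system.web>
  <membership defaultProvider="sql">
    <providers>
      <clear />
      <add name="sql"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="core"
           applicationName="sitecore"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10"
           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="1"
           passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}$"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="true" />
    </providers>
  </membership>
</system.web>
```

Five failures inside a ten-minute window lock the account, and SqlMembershipProvider keeps it locked until an administrator unlocks it, so the lockout is also the alert the slide says is missing: a locked editor account means someone was guessing. The flip side is that a lockout on a login page still reachable from the Internet lets anyone lock your editors out on purpose, which is one more reason for the summary slide's advice to take the backend off public access.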
  • 40. Keeping It Clean • Scan files with external services • Strip XSS triggers like <script> • Check for objectionable content
  • 41. Hack There To Hack Here • Your security posture may be weaker on your other sites and...
  • 42. Password Reuse + No Second Form = Fail “Take this key and believe you are secure”*
  • 43. Who's Watching? • Enjoy your double cap, venti, packet captured browser session!
  • 44. The Hijacker's Guide • Grab a few .NET and Sitecore cookies • Start in the middle of the login sequence • Keep replaying them and stay logged in forever!
  • 45. Better SSL Your Sessions No SSL out in open = grab and go admin session cookie
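Slides 44 and 45 describe the replayed-cookie session; the settings that keep those cookies off the wire, and stop them working forever, are also in web.config. This excerpt is an added example, not the deck's or Sitecore's own configuration, and the timeout values are assumptions to tune.

```xml
<!-- web.config excerpt (added example); timeout values are assumptions to tune -->
<system.web>
  <!-- Default every cookie ASP.NET creates to HttpOnly and Secure -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authentication mode="Forms">
    <!-- Ticket only travels over HTTPS, expires on a fixed clock, never in the URL -->
    <forms protection="All"
           requireSSL="true"
           slidingExpiration="false"
           timeout="30"
           cookieless="UseCookies" />
  </authentication>
  <!-- Session id only in a cookie; an expired id is replaced rather than reused -->
  <sessionState cookieless="UseCookies"
                regenerateExpiredSessionId="true"
                timeout="20" />
</system.web>
```

Two things to check after applying it. requireSSL on the forms ticket means the login page and every shell page must be served over HTTPS, otherwise the browser never sends the ticket back and logins appear to fail. And httpCookies requireSSL only sets the default for cookies created through ASP.NET's HttpCookie, so open the browser's cookie viewer and confirm the Sitecore-specific cookies listed in note 19 also carry the Secure and HttpOnly flags. A captured ticket is still valid until the timeout expires, which is why sliding expiration is off and the timeout is short.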
  • 46. Custom Risk • The CMS admin shell can be extended with custom ASP.NET applications • Watch out for expanded attack surfaces! • Remember to make sure that users have to be logged in to gain access • Sitecore.Shell.Web.UI.SecurePa
  • 47. Custom Trouble • Reality: customers are often their own worst enemy • Excessive theme customization by non-security minded devs • Now in some third party components with their own troubles for good fun
  • 48. Face Palm Customized templates without proper validation introduced XSS all over site
  • 49. Double Face Palm Using pluploader for open source See upload of new aspx file into site's Web root
  • 50. It's a 3rd Party Security Party! <script src="http://other.com/libs/whatcouldgowrong.js"> </script> <!-- Don't be such a hater everybody's doing it -->
  • 51. Dangerous Domains? • CMS in its own domain by default • But public and private sites with shared content aren‟t • An easy fix -- if you remember to do it!
  • 52. More XSS Fun Product reviews, forums, and blog comments are generally ripe for XSS trouble
  • 53. XSS – Just Part of the Plan • XSS site with cookie grabber on review, blog comments, etc. • Do something to attract attention of site admin, like email saying problem on page X (the one with XSS) • Grab cookie for auth • Go back to admin or known URL of a backend – add user account, etc.
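The defensive counterpart to slide 40's "strip XSS triggers like <script>" and to the review and comment fields slides 52 and 53 target is output handling: encode every plain field, and for fields that must carry some markup, rebuild it from an allow-list instead of deleting known-bad tags. The following is an added example written in Python to show the approach, not code from the talk or from Sitecore; the two review strings are constructed test inputs, and the naive strip_script_tags function is included only to show the gap the slide's wording leaves.

```python
"""Allow-list sanitizer for user-submitted review/comment markup.

Added example for the Sitecore talk, written in Python to show the approach;
it is not code from the deck or from Sitecore. The two review strings are
constructed test inputs.
"""
import html
import re
from html.parser import HTMLParser

# Formatting a review is allowed to carry; everything else is dropped or escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Absolute http(s) links or site-relative paths only; rejects javascript:, data:, //host
SAFE_URL = re.compile(r"^(?:https?://|/(?!/))", re.IGNORECASE)

CLEAN_REVIEW = 'Great <b>product</b>! See <a href="https://example.com/r">my post</a>'
HOSTILE_REVIEW = ('<b onclick="alert(1)">Nice</b> <scr<script>ipt>alert(2)</script> '
                  '<a href="javascript:alert(3)">click</a>')


def strip_script_tags(text):
    """The 'strip <script>' filter from slide 40, kept only to show why it is not enough."""
    return re.sub(r"</?script[^>]*>", "", text, flags=re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allow-listed tags and attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            if allowed and value and SAFE_URL.match(value.strip()):
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close back to the matching tag to stay well formed
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:  # close anything the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_review(text):
    """Markup fields (review body, comment): allow-list sanitize."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


def escape_all(text):
    """Plain fields (reviewer name, title): encode everything, no markup at all."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print("naive :", strip_script_tags(HOSTILE_REVIEW))
    print("allow :", sanitize_review(HOSTILE_REVIEW))
    print("clean :", sanitize_review(CLEAN_REVIEW))
```

Running it shows the difference in one line: the naive filter removes the inner `<script>` from the hostile review and thereby reassembles a working one, and it never looks at attributes at all, while the allow-list version keeps the `<b>` and `<a>` the reviewer is entitled to, drops the event handler and the javascript: link, and turns everything else into escaped text. The same split applies in ASP.NET: plain fields go through HttpUtility.HtmlEncode on output, and only fields that really need markup get a sanitizer.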
  • 54. Cookies really are Yummy! Me likey the Web...everyone gives me COOKIES!!! Num num num num
  • 55. Always Easiest to Attack People! Name : Jim LaFleur Occupation : Chief of Security Organization: Dharma Initiative • Find Jim's name/email in your site comments, LinkedIn, Facebook, etc.
  • 56. Spear Phish Scenario • Find XSS hole for reflection, search query, URL, etc. • Email as "end user" asking for support on the XSSable URL or get them to click on the XSS • Steal their cookie and login as them
  • 57. Rise of DoSing & Electronic Sit Ins
  • 58. DoS Attack Sadness • It can be 'legit' traffic that just overwhelms you with regular, correct HTTP • Watch dynamic pages in particular • POSTs and writes in particular • They can crowdsource it easily • Countermeasures cost you $ if attackers know how to do it right
  • 59. Just Throw Money At IT • Sure it helps but there is no “silver bullet” box especially without a posture change
  • 60. Wrap Your App • Reality is in some cases you just have to put a WAF in – no way to patch fast enough • WAFs have their issues though often not strong enough or too strong • WAFs are only a part of covering yourself
  • 62. Go Back to Dev School If Johnny builds a Web site he must not trust______ A) form inputs B) query strings C) cookies D) end users E) all of the above
  • 63. Summary • Don't broadcast you use Sitecore (or .ASPX, IIS, etc.) • Remove backend from public access • Strengthen your auth – 2 factor if you can! • Avoid rich user submissions • Harden your sessions
  • 64. Summary • Scrub your source • Add an App Firewall • Plan for DOS attacks • Talk to your people • And most importantly pay attention
  • 65. Questions? Thomas A. Powell tpowell@pint.com Joe Lima jlima@port80software.com http://www.pint.com http://www.port80software.com Twitter: PINTSD Twitter: port80software

Editor's Notes

  1. Buying a box, list or service isn’t really going to secure that much if you aren’t aware and involved
  2. And we promise – there will be no cat pictures today. A single example of one of our products and a few candidates for world’s worst pie charts
  3. Secunia advisories for Drupal 6.x: http://secunia.com/advisories/product/17839/?task=advisories
  4. Secunia advisories for Sitecore 6.x:  http://secunia.com/advisories/product/25514/Good news for us? Or are we not of interest?
  5. We saw this happen to ModX CMS as soon as they hit mindshare … attacks. OS X is experiencing this as well. Hackers go where the work is least and the gain is greatest.
  6. This is the runner up in the world's worst pie chart contest. The most common outcomes: 1) Information Leakage, 2) Downtime, 3) Defacement. Web Application Security Consortium (WebAppSec.org) Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  7. Relax I faked this … http://www.cornify.com/ - not real in this case but if you had an XSS hole don’t be surprised if the famous Konami code reveals this
  8. Common scheme seen it on sites where they hack wordpress to hack the database of a shared site to hack the home page to spread malware. You find out once Google starts blocking you
  9. All those 404s might be some nice poorly done hack attempts
  10. Here it is, the world's worst pie chart… The Big Three attack methods, according to WebAppSec.org: SQL Injection, XSS, and DoS.
  11. The top weaknesses according to WebAppSec.org include: Improper Input Handling, Improper Output Handling, Insufficient Anti-Automation, Insufficient Authentication. See also the OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
1: Injection
2: Cross-Site Scripting (XSS)
3: Broken Authentication and Session Management
4: Insecure Direct Object References
5: Cross-Site Request Forgery (CSRF)
6: Security Misconfiguration
7: Insecure Cryptographic Storage
8: Failure to Restrict URL Access
9: Insufficient Transport Layer Protection
10: Unvalidated Redirects and Forwards
  12. We found 24 sites from the customer list just within a few minutes of trying. GeoIP limitations at least?
http://telecoms.toshiba.co.uk/sitecore/login/
http://www.saralee.com/sitecore/login/
http://www.mazda.com.au/sitecore/login/
http://www.dollar.com/sitecore/login/
http://annenberg.usc.edu/sitecore/login/
http://www.ca.com/sitecore/login/
http://www.avivaindia.com/sitecore/login/
http://www.chcf.org/sitecore/login/
http://www.fmctechnologies.com/sitecore/login/
http://www.stokke.com/sitecore/login/
http://www.fanucrobotics.eu/sitecore/login/
http://www.traveloregon.com/sitecore/login/
And 12 more
http://www.mediq.com/sitecore/login/
http://www.suzukicycles.com/sitecore/login/
http://www.kia.co.uk/sitecore/login/
http://www.seas-nve.dk/sitecore/login/
http://www.micros-fidelio.eu/sitecore/login/
http://www.chyron.com/sitecore/login/
http://www.aarstiderne.com/sitecore/login/
http://uk.bm.dk/sitecore/login/
http://www.siouxfalls.org/sitecore/login/
http://www.baresports.com/sitecore/login/
http://www.stats.govt.nz/sitecore/login/
http://www.onr.navy.mil/sitecore/login/  
  13. Once again there are examples of this in the current Sitecore customer list… Even if these: http://www.company-a.com/sitecore/login/ http://www.company-b.com/sitecore/login/ don't work, these still might: http://sitecore.company-a.com/sitecore/login/ http://cms.company-b.com/sitecore/login/
  14. Many of the sites we found with exposed login pages also failed to lock out a user after dozens of retries, opening the door to dictionary attacks and brute forcing.
  15. For published Web sites that use authentication, you can also set password policies directly in ASP.NET (web.config), whether the membership provider is AD or SQL Server. See Sitecore CMS 6 Security API Cookbook (section 2.3): http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf and the Microsoft documentation here: http://msdn.microsoft.com/en-us/library/whae3t94.aspx
  16. Besides locking down the CMS login, custom validators can enforce security in other ways. For a site with many content contributors, they can make sure the CMS itself isn't a conduit for info leakage, XSS, defacement, etc. Sample code here: http://briancaos.wordpress.com/2009/02/23/sitecore-6-validators/
  17. Sadly even these guys got hacked … But even if you have a second form…. be careful where you go
  18. The mean streets of Starbucks might be a bit meaner than you think…. public WiFi is the hacker's best friend these days
  19. How to hijack a Sitecore admin session (long version)… Step 1 - Grab some cookies in flight: ASP.NET_SessionId, sc_fv, sc_pview_shuser, .ASPXAUTH, sitecore_userticket. Step 2 - Start browsing here: http://www.democompany.com/sitecore/shell/Applications/Login/Users/Users.aspx?su=/sitecore/shell/applications/clientusesoswindows.aspx?sc_lang=en Step 3 - Keep replaying those cookies for unlimited access to the Sitecore backend.
  20. Meet Firesheep - http://en.wikipedia.org/wiki/Firesheep Easy to do this without it, but we keep lowering the bar for people. Why don't people do SSL? Cert cost? Server scale?
  21. See: http://learnsitecore.cmsuniverse.net/en/Blog/SecurePage-in-sitecore-apps.aspx
  22. A customer who shall not be named here. Uses Sitecore as their base CMS. External facing portal uses only a "published view". Sitecore admin and content generation performed from a separate system located behind the DMZ. Publishes pages to the outside portal.
  23. This hole led to remote command execution since you could upload arbitrary .ASPX code
  24. Since version 6 Sitecore has its own security domains (even without AD). This helps prevent info leakage by separating security context (users and perms). CMS and published sites are in separate security domains by default - GOOD. But if you have a public and a private (intranet) site sharing content they're not - BAD. Fix it by putting each 'site' into its own security domain using the DOMAIN MANAGER. See: http://blog.nonlinearcreations.com/2009/01/cms-best-practices-security-for-the-sitecore-cms-and-websites-part-iii/
  25. Let’s assume we are going to avoid the impersonation move
  26. Meet your friend the LOIC http://en.wikipedia.org/wiki/LOIC Static publishing helps A LOT