Sitefinity Security and Best Practices



Similar documents
Where every interaction matters.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

OWASP AND APPLICATION SECURITY

What is Web Security? Motivation

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Magento Security and Vulnerabilities. Roman Stepanov

OWASP Top Ten Tools and Tactics

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Criteria for web application security check. Version

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

05.0 Application Development

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Columbia University Web Security Standards and Practices. Objective and Scope

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Check list for web developers

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Adobe Systems Incorporated

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Network Security Exercise #8

How To Protect A Web Application From Attack From A Trusted Environment

Essential IT Security Testing

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Overview of the Penetration Test Implementation and Service. Peter Kanters

Web Application Penetration Testing

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Web Application Security Assessment and Vulnerability Mitigation Tests

OWASP TOP 10 ILIA

FileCloud Security FAQ

Sichere Software- Entwicklung für Java Entwickler

Guidelines for Web applications protection with dedicated Web Application Firewall

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

CS5008: Internet Computing

elearning for Secure Application Development

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Thick Client Application Security

Table of Contents. Page 2/13

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

QuickBooks Online: Security & Infrastructure

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Database Security Guide

Web Application Security

Data Breaches and Web Servers: The Giant Sucking Sound

Passing PCI Compliance How to Address the Application Security Mandates

Web Plus Security Features and Recommendations

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Web application security

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Web Application Security

Barracuda Web Site Firewall Ensures PCI DSS Compliance

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

GFI White Paper PCI-DSS compliance and GFI Software products

The Top Web Application Attacks: Are you vulnerable?

Security features of ZK Framework

Using Free Tools To Test Web Application Security

Rational AppScan & Ounce Products

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Högskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Web App Security Audit Services

Network Security: Introduction

WEB APPLICATION SECURITY

Web Application Report

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Penetration Test Report

Columbia University Web Application Security Standards and Practices. Objective and Scope

Web Engineering Web Application Security Issues

Web Application Firewall on SonicWALL SSL VPN

Cloud Security:Threats & Mitgations

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Firewall on SonicWALL SRA

Ruby on Rails Secure Coding Recommendations

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

The Trivial Cisco IP Phones Compromise

Attack Vector Detail Report Atlassian

(WAPT) Web Application Penetration Testing

Using Foundstone CookieDigger to Analyze Web Session Management

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Integrating Security Testing into Quality Control

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Web Application Guidelines

Global Partner Management Notice

Transcription:

Sitefinity Security and Best Practices

Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery Security Misconfiguration Insecure Cryptographic Storage Failure to restrict URL access Insufficient Transport Layer Protection Invalidated Redirects and Forwards General Best Practices Securing Your Network Web Server security Other countermeasures Conclusion

Overview Many large organizations rely on Sitefinity for delivering their web presence - from government agencies, financial institutions and Fortune 500 companies to various businesses all over the world. Security is one of the aspects that no organization can compromise with and this is reflected in the CMS evaluation process. Often times we have received a great spectrum of questions about the Security in Sitefinity. This whitepaper aims to look at these questions by listing the most common threats that organizations face today, explaining what they are, what Sitefinity is doing to prevent them and what extra steps are available in order to make your environment more secure. In the first part of this document we will be looking in the most common threats that any Web Application faces today and how Sitefinity handles these kinds of threats. The Open Web Application Security Project (OWASP) has compiled an extensive list of the top 10 vulnerabilities that Web Applications expose today. In the first part of this whitepaper we explain each one of those vulnerabilities and how Sitefinity responds to ensure the security of your system. The second part contains checklists that cover a larger set of best practices to secure your application and our production environment, and to make them comply with the highest industry standards following best practices. The Ten Most Critical Web Application Security Risks Any Web Application in general can expose many different ways for attackers to get unauthorized access or compromise its integrity. Some of those threats have become widely popular and discussed the top ten security risks have been compiled in an extensive list provided by the Open Web Application Security Project (OWASP). You can find the full list and analysis in the OWASP Top 10 full report (read PDF). Here is a summary of those threats and vulnerabilities in the context of Sitefinity Security. Injection An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form. The main purpose of a SQL injection is to get a badly designed website to perform operations on the database that were not intended by the designer of the system (for example to dump information stored in the database and expose it to an attacker). An application is vulnerable when data provided by user input can be executed. The preferred option for SQL injection prevention is for applications to provide an API that ether avoids the use of the interpreter or exposes an entirely parameterized interface. Sitefinity is a combination between those two. Sitefinity does not execute a single Native SQL statement. It calls upon underlying provider that manages data

access through OpenAccess ORM an enterprise level object relational mapping tool. On top of this OpenAccess internally provides an entirely parameterized interface. Furthermore, the security API is on the provider level, ensuring that not a single method can be executed without privileges. Cross-Site-Scripting (XSS) Cross Site Scripting or XSS is one of the most common attacks to web applications today. It enables attackers to inject client side script into web pages (usually using an encoded parameter in an URL that they send out to victims). A cross site scripting attack can be used to manipulate server output, store malicious data, get a hold of an authentication cookie or manipulate the DOM. Vulnerabilities can be exposed when there is no proper user input validation or proper escaping of input, before it s included in the output page. Most simply explained, if your application does not escape > to > this character can be inputted on the pages and used to include a <script> tag and execute any client-side script on the user s browser. From then on it s all in the hands of the attacker s imagination. Both Sitefinity and ASP.NET expose mechanisms to successfully remove such areas vulnerable to XSS attacks. Sitefinity uses the ASP.NET server side and client side validation wherever applicable and escapes untrusted data and symbols. On top of this the Sitefinity authentication cookie is not accessible via client side code. Furthermore, Sitefinity also uses various JavaScript libraries for client side validation. Broken Authentication and Session Management This happens when a system exposes vulnerabilities that allow an attacker to guess or get a hold of credentials or a session. An application is vulnerable when credentials are not encrypted or are poorly encrypted, the applications uses weak session IDs, exposes session IDs in the URL through URL rewriting, the passwords are weak and can be guessed or timeouts are not properly handled to allow a malicious attacker to get a hold of a session that hasn t timed out. Sitefinity provides an extensive set of measures in order to prevent such attacks. The passwords are stored in an encrypted format. The application provides two authentication models that comply with the highest ASP.NET and Federal Security standards. Authentication is securely done either through an encrypted cookie in the case of Forms authentication, or through a digitally signed identity token issued by a Secured Token Service in the case of Claims Based authentication. The basic settings in Sitefinity require a minimum of 7 characters per passwords and secure timeout settings. Those settings can be overridden in order to enforce a much more strict security and password policy.

Insecure Direct Object References This vulnerability allows attackers to get a hold of data that they don t have access to view. An application is vulnerable when it provides direct references to restricted resources and does not always verify that the user is authorized to access the exact resources, in other words it doesn t enforce access control checks for all resources at all times. Sitefinity checks for authentication permissions for each create, retrieve, update and delete operation. Surpassing security checks is impossible externally through any mechanism URL, Service Call or API. Cross-Site Request Forgery Cross-site request forgery (CSRF), also known as a one-click attack or session riding is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that a website trusts. Unlike cross-site scripting (XSS), which exploits a user's trust for a particular site, CSRF exploits the trust that a site has in a user's browser. A good example for this would be tricking a privileged user of a system to visit a malicious site that includes <img> tags that call handlers for the targeted website through URL. If the website trusts this user, this potentially could lead to unwanted side effects. Sitefinity checks authentication and the referrer header for each request and also utilizes the Claims model of authentication with verified techniques for prevention of CSRF. Security Misconfiguration A security misconfiguration is a type of vulnerability in the system setup outdated OS, outdated framework, unnecessary system features, default account passwords etc. While some aspects of this are in the scope of system administrators and not the application itself, Sitefinity provides an easy infrastructure for deployment and applying updates to a secured environment. The system also runs on the latest and greatest security features provided by the.net 4.0 Framework. On top of this, the application is run through independent audits through VeraCode security in order to ensure top-line security standards and best practices. Insecure Cryptographic Storage These vulnerabilities would allow unauthorized users to get access to decrypted security information such as data, credit card information or passwords. This happens when the access control is not enforced or the encryption algorithm is weak.

Sitefinity does not store credit card details by default and relies upon secure external payment providers. It also uses strong standard algorithms to store hashed values of the passwords or digitally sign security tokens. Sitefinity is PCI and FIPS compliant in all areas where user credentials are stored. Failure to restrict URL access This type of attack occurs in the simple case where no additional access checks or authentication is required to access a page. If a malicious user gets a hold of the URL he can access a restricted area without authenticating. Each object in Sitefinity, Page, Control or Content, is a secured object with an applied permission set. Irrelevant to how an object is accessed via URL, API or a RESTful service call - the system ensures an access control check for each operation. Insufficient Transport Layer Protection These types of attacks involve packet sniffing on the transport layer. An attacker can listen to all network traffic and get a hold of sensitive information if it is sent in plain text or weakly encrypted. The transport layer security is a much wider topic and there are many precautions that you can take into account. The best way to prevent this on an application level is to provide good encryption mechanisms and wrap all sensitive transactions with SSL. Sitefinity makes a lot of steps necessary to provide protection for these kinds of attacks. SSL can be required not only for the entire site, but on a per-page basis, the secure flag is set on all authentication cookies, the encryption algorithms are Federal Information Processing Standard (FIPS) compliant. Invalidated Redirects and Forwards These attacks occur where an application allows redirects and forwards that utilize a parameter for the redirect URL. This URL can point to a malicious site or a copy-cat site that performs phishing, installs malware or tricks the user into providing confidential data. By simply avoiding the use redirects and forwards. All redirects in the system are handled by the system through permissions or validation, thus ensuring an attacker cannot inject a third party site in a parameter and trick a user to be redirected to it.

General best practices We ve talked about the top 10 common attacks that are directed towards any web application and the top-line countermeasures that Sitefinity takes in order to prevent them. In reality there are a lot of other layers, devices and systems, where you would have to enforce security, and a lot of best practices you should be aware of. Most of those countermeasures have to do with lower level software and protocols. The list of possible software and network vulnerabilities is long and the first and most important task that any attacker would have is to learn as much about your system, specifics and topology as possible. Here we are going to look at common attacks and best practices. Securing Your Network Network Security has many different aspects computer systems, access control, preventing unauthorized information gathering, firewalls, physical security, detection and response to unwanted incursions. The most common attacks that physical networks face today are information gathering, sniffing, spoofing and session hijacking. A great number of vulnerabilities would enable these kind of attacks which could have a very wide set of unacceptable consequences these vulnerabilities include exposed ports, services, protocols, poorly encrypted data, weak physical security and the inherently insecure nature of the TCP/IP protocol. Here is a checklist of best practices that you can follow in order to build a more solid defense for these attacks: Enforce strong physical security of your network this is in general a wide topic and measures could vary from locking machines that are not in use, to access cards or biometric access Do not give out custom errors, configuration information and software versions Apply the latest patches and updates to your OS, routers, switches and firewalls Disable ports and services that are not used Use firewalls between your DMZ and the public network and between your internal LAN network and your DMZ that mask all internal services Encrypt Credentials and application traffic over the network Apply ingress and egress filtering on perimeter routers to prevent from spoofing Apply stateful inspection at the firewall. Distributed Denial of Service (DDoS) attacks have become a powerful weapon in any attacker s toolset. While a lot of prevention methods exist the best way to handle those attacks is at a firewall level Filter broadcast and ICMP requests Apply strong password policies Centralize logging on all allowed and denied activities and have auditing against unusual patterns in place

Web Server security A secure IIS 6.0+ instance can provide a solid foundation to hosting your Sitefinity application. While there are a lot of considerations, measures and resources on the topic of IIS security, this checklist once again aims to give you a brief summary of the best practices that help you prevent some of the most common attacks and vulnerabilities. The main threats that your server can face include profiling, unauthorized access, elevation of privileges, viruses and worms etc. Block all unnecessary ports, ICMP traffic and unnecessary protocols and services. This will prevent port scans and ping sweeps that may give out information or locate doors open for exploits. Apply the latest system patches and updates frequently Use separate application pool identities for each instance of Sitefinity you are hosting Do not give administrative rights to the application pool identity. It must have access only to the web application files rather than the entire server Reject URLs with../ to prevent path traversal Run processes using least privileged accounts Remove unnecessary file shares Disable unused ISAPI filters. Properly configure the UrlScan tool, if you are utilizing it. Carefully analyze the default and installed IIS Services and disable those that are not need by the system as defined by our installation guide. Disable FTP, SMTP and NNTP, unless you require them Define the IP range that is allowed to access Sitefinity s back-end and lock the ~/Sitefinity folder by IP. Since ~/App_Data/Sitefinity is mapped to the /Sitefinity virtual folder you can either change this virtual mapping or transfer all public resources (static CSS, JavaScript and images) to a folder different from this one. Install SQL Server (or any of the other supported databases) to a separate, dedicated, physically secured, patched and updated server. All unnecessary tools, debug symbols are not installed on the production server. Other countermeasures There are other good practices that should be considered whenever you deploy Sitefinity. Do not use your server as a workstation Give out as little information about your system as possible. In the case of Sitefinity the first step you should do prior to deploying your system is enabling friendly error pages. Any attacker loves as much information that they can get their hands on. Monitor the Sitefinity logs for any unusual patterns and errors

If the Forms Authentication mode is not required for backwards compatibility, utilize the Claims Based Authentication mode in Sitefinity 5.0 or higher. In a more general sense we always recommend upgrading to the newest version of the software. Take a look at our Hosting Recommendations and Setup to review some of the most advanced best practices for infrastructure and deployment on highly secure and highly scalable environments Consider the password policy you want to imply for your users - front-end users as well as CMS users. Sitefinity enables a wide set of measures including minimal password length, validating against a regular expression and maximal password attempts in order to make a brute force attack technically impossible. These restrictions are not too limiting by default to ensure ease of use, but they can also be tailored to fit your very strict security policy. Sitefinity natively supports Windows Authentication and Active Directory integration; therefore you can avoid maintaining a separate user base and password policy for your CMS and enforce this at a system level in your organization. Sitefinity is secure and based on best practices out of the box. But as with any other systems, you have to be careful with how you extend it. As a powerful framework Sitefinity allows you to plug any custom functionality to the system. Make sure that you follow the patterns and practices that would make your application secure when developing in order to avoid Injection, XSS attacks etc. Utilize the tools and libraries that Sitefinity provides you with, as they are secure by design, and ensure stable best-practice driven implementation throughout your custom functionality. Conclusion Security is probably the most sensitive and important subjects in today s digital world and an application like Sitefinity can provide a stable platform for your entire online presence. By following the best practices and guidelines for network security and applying measured project-specific and system specific prevention mechanisms, Sitefinity enables you to have a powerful, scalable and secure solution to power your organization. Read more about security. Get in touch with us to discuss your specific security needs at sales@sitefinity.com References OWASP Top Ten Project Best Practices for Production ASP.NET applications Improving Web Application Security - Threats and Countermeasures

About Sitefinity Sitefinity is a modern CMS platform designed to help organizations pursue their online goals. Today the system powers over 10000 websites worldwide across various industries from Financial and Government Services, to Communications, Retail, and Entertainment. Thanks to Sitefinity s flexible architecture and scalability, you can create successful commercial websites, community portals or intranets. Sitefinity offers a revolutionary easy-touse interface, simplicity, scalability and unmatched performance everything you need, beautifully crafted in one product. Sitefinity Around the World NORTH AMERICA +1-888-365-2779 BULGARIA +359-2-8099850 UNITED KINGDOM +44-20-7291-0580 GERMANY +49-89-2441642-70 AUSTRALIA +61-2-8090-1465

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information