handling security threats in kentico cms karol jarkovsky sr. solution architect kentico software ...
TRANSCRIPT
![Page 1: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/1.jpg)
Handling Security Threats in Kentico CMS
Karol JarkovskySr. Solution ArchitectKentico Software
http://devnet.kentico.com/Blogs/Karol-Jarkovsky.aspx [email protected]
![Page 2: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/2.jpg)
Agenda
1. XSS,
2. SQL Injection,
3. Argument Injection,
4. Session Attacks.
NOTE: More information on security threat details and their handling can be found in Kentico CMS Security White Paper available on http://devnet.kentico.com/downloads/Kentico-CMS_Security-White-Paper.pdf - in addition to above also discussses the Code Injection, XPath Injection, XSRF, Directory Traversal, Unvalidated Redirects & Forwards and DoS on Application Layer.
![Page 3: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/3.jpg)
XSSWhat is XSS:
• Cross-site scripting (XSS) is website vulnerability when evil input is rendered as a part of HTML page or such evil input is by rendering used to stole sensitive user data,
• XSS types:
1. Persistent XSS – evil input stored by system,
2. Non-persistent XSS – evil input displayed on the output directly,
3. DOM XSS attacks – type of non-persistent XSS with input usually processed on client-side (no contact with web server),
• Security threats caused by XSS - website inconsistence, user-experience degradation, stealing user auth cookies - MySpace Worm exploit.
![Page 4: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/4.jpg)
XSS
DEMO – XSS I
![Page 5: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/5.jpg)
XSSHow to avoid XSS:
• Whatever text is being displayed by the front-end should be encoded,
• Strings from external sources should be encoded as well,
• Use pre-defined Kentico API methods to handle possible XSS entries:
1. HTMLHelper.HTMLEncode() - to explicitly encode output string,
2. QueryHelper.GetText() - for values coming from URL query string and is rendered to the output directly,
3. ScriptHelper.GetString() – to safely treat strings rendered as dynamic parts of the JavaScript code,
• DO NOT allow rendering any string in JavaScript code directly without proper handling on server side.
![Page 6: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/6.jpg)
XSS
DEMO – XSS II
![Page 7: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/7.jpg)
SQL InjectionWhat is SQL Injection:
• Executing harmful SQL code as a part of system executed query,
• Controlled SQL injections vs. Un-controlled (blind) injections,
• SQL Injection vulnerable website allows attacker execute the same queries as system does,
• Whatever commands are supported on T-SQL level are exposed to the attacker through the SQL injection hole – including xp_cmdshell()
![Page 8: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/8.jpg)
SQL Injection
DEMO – SQL Injection I
![Page 9: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/9.jpg)
SQL InjectionHow to avoid SQL Injection:
• Two options – SQL parameters and escaping single quotes,
• For SELECT, INSERT, UPDATE, DELETE use parameters wherever possible,
• When building WHERE conditions dynamically using input as string data type from external sources always replace apostrophes using ‘.Replace(“ ’ ”, “ ’’ ”),
• Applies also to selection lists and arrays coming in post back – actual values of selection options may be changed through the JavaScript,
• When building WHERE conditions using input different from string data type try to convert it to target data type first – it doesn’t make sense to use replace technique to protect non-string data types,
• Avoid building T-SQL queries on SQL level from input coming from data layer and executing those by exec() statement
![Page 10: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/10.jpg)
SQL Injection
DEMO – SQL Injection II
![Page 11: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/11.jpg)
Argument InjectionWhat is Argument Injection:
• Type of attack based on supplying modified page input parameters used by page logic to display data or perform action with input provided,
• Any page that reads input from URL query string (or any external source, e.g. user’s form input) and process information in any way without any validation mechanism is vulnerable,
• Allows attackers to read sensitive data they’re not allowed to see or perform actions with objects they’re not allowed to perform.
![Page 12: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/12.jpg)
Argument Injection
DEMO – Argument Injection I
![Page 13: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/13.jpg)
Argument InjectionHow to avoid Argument Injection:
• The core of the Argument Injection issue is that data displayed/ modified are identified by parameter passed in the URL – make it difficult to guess identifier for data processed by page – GUIDs secured with hash,
• Use QueryHelper.GetHash() to generate hash for generated URL,• Use QueryHelper.ValidateHash() to validate hash passed in the
URL,
• If possible use context information supplied by Kentico CMSContext class instead of parameters passed in URL – DO NOT need to check hash then,
• Check permissions when manipulating objects identified by parameters - http://devnet.kentico.com/docs/devguide/checking_user_permissions.htm.
![Page 14: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/14.jpg)
Argument Injection
DEMO – Argument Injection II
![Page 15: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/15.jpg)
Session AttacksWhat are Session Attacks:
• Today’s web application solve issues related to fact that HTTP protocol is stateless mostly through by using the session – storage for information on state/ context of user’s interaction with the website,
• User’s session is identified by session ID which is generated on website access and send back and forth with each request - the session ID is key to sensitive user data,
• Most common session related vulnerabilities are:
• Session stealing – achieved through the XSS attacks – stealing ASP.NET_SessionId cookie,
• Session prediction – ASP .NET using 120 bit random number – quite safe,
• Session fixation – tampering attackers session ID to the regular user to gain same state as user.
![Page 16: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/16.jpg)
Session AttacksHow to avoid Session Attacks:
• Do not store any sensitive user related data in the session,
• Protect website from XSS vulnerabilities,
• Manually regenerate session ID once user logs in.
![Page 17: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/17.jpg)
?Questions & Answers
![Page 18: Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software karolj@kentico.com](https://reader036.vdocument.in/reader036/viewer/2022082610/56649da25503460f94a8ec85/html5/thumbnails/18.jpg)
Thank you!