Securing your Umbraco - CodeGarden 15
TRANSCRIPT
Chris Gaskell
@cgaskell
chris@detangled-digital.com
"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain."
– Kevin Mitnick
https://www.owasp.org
This presentation is powered by OWASP and my experiences
#1 Case study
Umbraco 4.7 running on an unpatched Windows 2008 Server.
This vulnerability was reported by Umbraco HQ and patches were made available immediately.
#1 Upgrade, upgrade, upgrade
• Upgrade Umbraco
• Upgrade the server's operating system
• Upgrade the .NET Framework
• Upgrade your packages (Umbraco and NuGet)
• Upgrade your front-end frameworks
#2 Front end
Ensure HTTP requests are redirected to HTTPS.
To redirect the entire site, why not use the URL Rewrite module for IIS?
#2 Back office - web.config
Make sure that all requests in the back office are made over HTTPS instead of HTTP.
#2 Front end
Switch a URL from HTTP to HTTPS based on the document type (alias), node id or template alias, with help from @leekelleher:
github.com/leekelleher/umbraco-https-redirect
#2 Secure by n-tier infrastructure
1-4. Request to ARR (Application Request Routing)
5. ARR 'offloads' SSL
6. HTTP request to the application server
7-9. Application server responds to ARR over HTTP
10. ARR encrypts the response and sends it to the client
#3 Handling your errors - 404
1. Update UmbracoSettings.config with the content node you wish to serve as your error page.
2. IIS7+: you may find IIS handles the error itself. Add the following key to your web.config just before the closing tag of the system.webServer section.
#3 Handling your errors - 500
1. Tell IIS to pass the error to Umbraco (same setting as for the 404).
2. Set the customErrors section of the web.config.
#4 Restrict access
Restrict access to '/umbraco' by IP using IIS URL Rewrite.
<rewrite>
  <rules>
    <rule name="Restrict URL" enabled="true" stopProcessing="true">
      <match url="^umbraco($|/)" />
      <conditions logicalGrouping="MatchAll">
        <!-- Use REMOTE_ADDR if your server is NOT behind a load balancer -->
        <add input="{REMOTE_ADDR}" pattern="^10\.11\.12\.13$" negate="true" />
      </conditions>
      <action type="Redirect" url="/page-not-found/" />
    </rule>
  </rules>
</rewrite>
#6 IIS/.NET HTTP headers
Server: the web server software being run by the site. Typically for Umbraco: "Microsoft-IIS/7.5"
X-Powered-By: the collection (there can be multiple) of application frameworks being run by the site. Typically: "ASP.NET"
X-AspNet-Version: ASP.NET-only header; typical examples include "2.0.50727" and "4.0.30319"
X-AspNetMvc-Version: ASP.NET MVC stack; typical examples include "3.0", "2.0" and "1.0"
"Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes."
– IETF (Internet Engineering Task Force)
#6 HTTP headers
'Server' header reads:
'; DROP TABLE servertypes; --
The web server on reddit.com.
#6 HTTP headers
Removing the headers manually isn't as straightforward as you may initially expect.
#6 HTTP headers
StripHeaders IIS module
github.com/dionach/stripheaders/
#6 HTTP headers
Umbraco used to serve a version header, 'X-Umbraco-Version'.
This was removed in v4.8.
#6 HTTP headers
Header: Strict-Transport-Security
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains
#6 HTTP headers
Header: Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Example: Content-Security-Policy: default-src 'self'
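The following is an added example, not code from the talk or from the StripHeaders project: an ASP.NET IHttpModule for an Umbraco site that strips the four identifying headers listed above and sets the Strict-Transport-Security and Content-Security-Policy headers just shown. It assumes the IIS integrated pipeline (Response.Headers is only writable there) and that the module is registered in web.config under system.webServer/modules; the namespace and class name are hypothetical.

```csharp
// Added example (not from the talk): strip server-identifying headers and add
// HSTS/CSP for an Umbraco/ASP.NET site. Assumes IIS integrated pipeline mode and
// registration under <system.webServer><modules>. Names here are hypothetical.
using System;
using System.Web;
using System.Web.Mvc;

namespace Example.Security
{
    public class SecurityHeadersModule : IHttpModule
    {
        // Headers that reveal the server software. X-AspNet-Version is best
        // switched off with <httpRuntime enableVersionHeader="false" /> too,
        // but removing it here as well costs nothing.
        private static readonly string[] HeadersToStrip =
        {
            "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version"
        };

        public void Init(HttpApplication app)
        {
            // Stop System.Web.Mvc adding X-AspNetMvc-Version in the first place.
            MvcHandler.DisableMvcResponseHeader = true;

            // PreSendRequestHeaders fires just before the headers hit the wire,
            // late enough that headers IIS itself adds (Server) are still removable.
            app.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            var request = app.Context.Request;
            var response = app.Context.Response;

            foreach (var name in HeadersToStrip)
            {
                response.Headers.Remove(name);
            }

            // HSTS is only meaningful on an HTTPS response; browsers ignore it
            // over plain HTTP, and seeing it there means the redirect is missing.
            if (request.IsSecureConnection)
            {
                response.Headers["Strict-Transport-Security"] =
                    "max-age=16070400; includeSubDomains";
            }

            // Start from the strictest policy and widen per site. The Umbraco
            // back office relies on inline scripts, so in practice scope this to
            // front-end requests or it will break /umbraco.
            response.Headers["Content-Security-Policy"] = "default-src 'self'";
        }

        public void Dispose() { }
    }
}
```

After deploying, confirm the change with a raw request (for example curl -I against the site) rather than trusting the code: in classic pipeline mode, or when a load balancer or ARR in front of the box re-adds a Server header, the headers will still be present and the fix has to move to that tier.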
#8 Forms - sanitising inputs
• Validate form fields both client and server side
• Where there are option types (dropdowns, checkboxes etc.) ensure the value matches an available option
• Required fields
• Correct data type and length
• Data falls within an acceptable range
• Whitelist allowable values. The Regex namespace is particularly useful for checking that an email address or URL is as expected.
#8 MVC forms - sanitising inputs
Use the synchroniser token pattern: ValidateAntiForgeryToken
#8 SQL injection - sanitising inputs
• Use parameterised SQL commands for all data access, without exception.
• Do not use SqlCommand with a string parameter made up of a concatenated SQL String.
• Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
• Enums are still vulnerable to unexpected values because .NET only validates a successful cast to the underlying data type, integer by default. Enum.IsDefined can validate whether the input value is valid within the list of defined constants.
• Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.
• Use of the Entity Framework is a very effective SQL injection prevention mechanism. Remember that building your own ad hoc queries in EF is just as susceptible to SQLi as a plain SQL query.
• When using SQL Server, prefer integrated authentication over SQL authentication.
#8 Forms - sanitising outputs
Encode your outputs - if the nasties are in, then don't let them out.
MVC: Razor @text is encoded
WEBFORMS: from .NET 4+ use <%: text %>
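The following is an added example, not code from the talk or from Umbraco, pulling together the three sanitising slides above (form inputs, the anti-forgery token, and SQL injection) and the output-encoding point in one ASP.NET MVC form handler. The controller, the ContactForm model, the EnquiryType enum and the Enquiries table are hypothetical; it assumes the site's connection string is named umbracoDbDSN (Umbraco's default) and that the view renders the token with @Html.AntiForgeryToken() and the result with @ViewBag.Name.

```csharp
// Added example (not from the talk): an MVC form handler showing server-side
// validation, whitelisting, Enum.IsDefined, ValidateAntiForgeryToken and
// parameterised SQL. Controller, model, enum and table names are hypothetical.
using System;
using System.ComponentModel.DataAnnotations;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.Mvc;

namespace Example.Web.Controllers
{
    public enum EnquiryType { Sales = 1, Support = 2 }

    public class ContactForm
    {
        [Required, StringLength(100)]
        public string Name { get; set; }

        [Required, StringLength(254)]
        public string Email { get; set; }

        // Comes from a <select>; it arrives as text and is checked, never trusted.
        [Required]
        public string EnquiryType { get; set; }

        [Required, StringLength(2000)]
        public string Message { get; set; }
    }

    public class ContactController : Controller
    {
        // Deliberately simple whitelist: one '@', no whitespace, a dot in the domain.
        private static readonly Regex EmailPattern =
            new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", RegexOptions.Compiled);

        [HttpPost]
        [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the view
        public ActionResult Submit(ContactForm form)
        {
            // Required/length rules run here regardless of client-side validation.
            if (!ModelState.IsValid)
                return View("Contact", form);

            if (!EmailPattern.IsMatch(form.Email))
                ModelState.AddModelError("Email", "Please enter a valid email address.");

            // TryParse rejects non-numeric input; Enum.IsDefined rejects numbers that
            // cast to the enum but are not one of its named values (e.g. 99).
            int typeValue;
            if (!int.TryParse(form.EnquiryType, out typeValue)
                || !Enum.IsDefined(typeof(EnquiryType), typeValue))
                ModelState.AddModelError("EnquiryType", "Please choose an enquiry type.");

            if (!ModelState.IsValid)
                return View("Contact", form);

            SaveEnquiry(form.Name, form.Email, (EnquiryType)typeValue, form.Message);

            // The view writes this with @ViewBag.Name, which Razor HTML-encodes
            // (the MVC equivalent of <%: %> in Web Forms), so a script tag typed
            // into the name field is rendered as text, not executed.
            ViewBag.Name = form.Name;
            return View("ThankYou");
        }

        private static void SaveEnquiry(string name, string email, EnquiryType type, string message)
        {
            // Least privilege: the account behind this connection string should
            // only have INSERT on Enquiries, not ownership of the Umbraco database.
            var connectionString =
                ConfigurationManager.ConnectionStrings["umbracoDbDSN"].ConnectionString;

            const string sql =
                "INSERT INTO Enquiries (Name, Email, EnquiryType, Message, Created) " +
                "VALUES (@Name, @Email, @EnquiryType, @Message, @Created)";

            using (var connection = new SqlConnection(connectionString))
            using (var command = new SqlCommand(sql, connection))
            {
                // Every user-supplied value travels as a typed parameter; nothing
                // from the form is ever concatenated into the SQL text.
                command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
                command.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
                command.Parameters.Add("@EnquiryType", SqlDbType.Int).Value = (int)type;
                command.Parameters.Add("@Message", SqlDbType.NVarChar, 2000).Value = message;
                command.Parameters.Add("@Created", SqlDbType.DateTime2).Value = DateTime.UtcNow;

                connection.Open();
                command.ExecuteNonQuery();
            }
        }
    }
}
```

The same shape applies if the data access goes through Entity Framework or Umbraco's own database layer: the win comes from the values being bound as parameters, so an ad hoc query string built by concatenation inside EF loses that protection just as the slide says.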
"In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."
– Code Spaces, June 2014
www.owasp.org
github.com/leekelleher/umbraco-https-redirect
github.com/dionach/stripheaders/
www.rapid7.com
staheri.com
www.troyhunt.com
asafaweb.com
Also thanks to
@cgaskell