
Sitecore Website Security assessment

November 24, 2022
Keyur Garala
Sitecore Certified Solutions Architect

For any project or website, security is a major concern before it goes live. To prevent security threats, we need to check and resolve every point that is a threat to the project, and this has to be done on both the client side and the server side.

There are a few tools that provide this functionality: they find threats in your application and create different reports based on various points. There are three main methods for finding the security vulnerabilities that can make an application susceptible to attack.

  1. SAST (Static application security testing)
  2. DAST (Dynamic application security testing)
  3. VAPT (Vulnerability Assessment & Penetration Testing)

Of the above methods, SAST and DAST scan the backend application (code and application flow). VAPT is security testing that identifies vulnerabilities in an application, network, endpoint, or cloud.

Findings are reported at different severity levels: High, Medium, Low, and Information. The developer needs to remediate them based on these levels.

Difference between SAST and DAST:

| SAST | DAST |
| --- | --- |
| White box security testing: the tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach. | Black box security testing: the tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach. |
| Requires source code: SAST doesn’t require a deployed application. It analyzes the source code or binary without executing the application. | Requires a running application: DAST doesn’t require source code or binaries. It analyzes the application by executing it. |
| Finds vulnerabilities earlier in the SDLC: the scan can be executed as soon as code is deemed feature-complete. | Finds vulnerabilities toward the end of the SDLC: vulnerabilities can be discovered after the development cycle is complete. |
| Less expensive to fix vulnerabilities: since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle. | More expensive to fix vulnerabilities: since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. |
| Can’t discover run-time and environment-related issues: since the tool scans static code, it can’t discover run-time vulnerabilities. | Can discover run-time and environment-related issues: since the tool uses dynamic analysis on a running application, it is able to find run-time vulnerabilities. |
| Typically supports all kinds of software: examples include web applications, web services, and thick clients. | Typically scans only apps like web applications and web services: DAST is not useful for other types of software. |

Let’s discuss some SAST findings, the threats they represent, and their remediation.

SAST Report

It scans the code/repository and produces a report based on the configuration and code.

There are different types of vulnerability:

  1. Unencrypted Config
  2. Log Forging
  3. Information Exposure via Headers
  4. Improper Resource Shutdown or Release
  5. Improper Exception Handling
  6. Use of Insufficiently Random Values
  7. Heap Inspection
  8. Overly Permissive Cross Origin Resource Sharing Policy
  9. Insufficient Logging of Sensitive Operations
  10. Hardcoded Absolute Path

Note: “csharp.cs” is a class file in the below article.

Unencrypted Config

Severity: Low

error message: config does not encrypt the sensitive element found at line 1. This information can be plainly read by anyone with local file-system access.

remediation: Encrypt the sensitive sections of the app/web config file and use matching encryption/decryption code when reading them. ASP.NET provides a module for this (e.g. ASPNET_REGIIS for protected configuration sections), or you can implement your own encryption algorithm for the same purpose.

Log Forging

Severity: Low

error message: “csharp.cs” file gets user input from element “A”. This element’s value flows through the code without being properly sanitized or validated and is eventually used in writing an audit log.

remediation: Remove unnecessary logging if it contains confidential information (related URLs, passwords, server info, etc.). If the logs are necessary, sanitize or validate user-controlled values before they are written (so an attacker cannot inject fake log lines) and encrypt the logged value with your encryption code.

Information Exposure via Headers

Severity: Low

error message: ‘Web.config’ exposes server data in response headers.

remediation: add the elements below to the configuration node (httpRuntime belongs under system.web, requestFiltering under system.webServer/security; removeServerHeader needs IIS 10 or later):

    <httpRuntime enableVersionHeader="false" />      <!-- under <system.web> -->
    <requestFiltering removeServerHeader="true" />   <!-- under <system.webServer><security> -->

Improper Resource Shutdown or Release

Severity: Low

error message: csharp.cs defines and initializes the StreamWriter object at 92. The object encapsulates a limited computing resource, such as open file streams, database connections, or network streams. This resource is not properly closed and released in all situations.

remediation: Wherever a developer uses file streams to read and write, they need to ensure that every such object is closed and disposed after use, on every code path. Wrap the object in a using statement (or dispose it in a finally block) so it is released even when an exception occurs, and keep such objects local to the method.

    using (var streamReader = new StreamReader(responseStream))
        body = streamReader.ReadToEnd(); // streamReader is disposed when the statement completes, even on exception

Improper Exception Handling

Severity: Low

error message: csharp.cs performs an operation that could be expected to throw an exception and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

remediation: Wrap the operation in a try-catch block, use a finally block to release the object, and make sure the object is not accessed outside the block.

Use of Insufficiently Random Values

Severity: Low

error message: csharp.cs uses a weak method Next to produce random values. These values might be used as personal identifiers, session tokens or cryptographic input; however, due to their insufficient randomness, an attacker may be able to derive their value.

remediation: Instead of using Random.Next, use the code below, which draws each OTP digit from the cryptographic random number generator:

    using System.Security.Cryptography;
    private string GenerateRandomOTP(int iOTPLength)
    {
        var digits = new char[iOTPLength];
        var buffer = new byte[1];
        using (var provider = new RNGCryptoServiceProvider()) // CSPRNG instead of Random.Next()
            for (int i = 0; i < iOTPLength; )
            {
                provider.GetBytes(buffer);
                // Reject 250..255 so each digit 0-9 is equally likely (no modulo bias).
                if (buffer[0] < 250) digits[i++] = (char)('0' + buffer[0] % 10);
            }
        return new string(digits);
    }

Heap Inspection

Severity: Low

error message: csharp.cs defines Password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to Password, this variable is never cleared from memory.

remediation: Use a local variable scoped to the method instead of a global variable, so the password does not stay in memory longer than needed, or else encrypt the password using your algorithm and decrypt it only at the moment it is used.

Overly Permissive Cross Origin Resource Sharing Policy

Severity: Low

error message: csharp.cs sets an overly permissive CORS access control origin header.

remediation: use the website’s own domain instead of *:

    if (request.HttpMethod == "OPTIONS")
    {
        response.AddHeader("Access-Control-Allow-Origin", "domain"); // your site's origin, never "*"
    }
    if (request.HttpMethod == "POST")
    {
        response.AddHeader("Access-Control-Allow-Origin", "domain");
        response.AddHeader("Access-Control-Allow-Credentials", "true");
        response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
        response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");
    }

Insufficient Logging of Sensitive Operations

Severity: Information

error message: The sensitive operation ‘DeleteAllOnSubmit’ is not properly logged and, therefore, important execution details may be omitted.

remediation: The scanner raises this because the sensitive operation is not properly logged. Log the operation itself (who ran it and when) while keeping sensitive information out of the log: encrypt any sensitive value that must be logged, or remove it if it is not necessary.

Hardcoded Absolute Path

Severity: Information

error message: Method references external files using a hard-coded, absolute path.

remediation: Remove the hard-coded path from the class and fetch it from the app config.

DAST Report

DAST doesn’t require source code or binaries. It analyzes the application by executing it.

There are different types of vulnerability:

  1. OTP flooding
  2. OTP Brute Force/ No rate Limit
  3. Improper Implementation of OTP
  4. Excessive data in response
  5. Improper Input Validation
  6. Improper Error Handling
  7. HSTS Not implemented
  8. Misconfigured CORS
  9. Insecure Inline frame
  10. Server Banner Disclosure
  11. Referrer Policy Not implemented

OTP flooding

Severity: High

error message: Able to send multiple OTP values to any user.

remediation:

  1. Limit the OTP sending
  2. Implement request limit

OTP Brute Force/ No rate Limit

Severity: High

error message: Able to brute force user's OTP.

remediation:

  1. User should have limited retries (n retries)

Improper Implementation of OTP

Severity: High

error message: OTP value not getting invalidated after using it once.

remediation:

  1. OTP is a one-time password and should expire after using it once
  2. The OTP should expire automatically if it is not used within 10 minutes
  3. After sending a new OTP, the previous OTP should expire
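
The three OTP findings above (flooding, brute force, improper implementation) can be closed by one server-side policy. The following is an added example, not code from the article or from Sitecore; the limits (3 sends per 15 minutes, 5 retries, 6 digits) and the in-memory dictionary are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Added example (not from the article): one OTP policy covering the three High findings
// above: send limit, retry limit, single use, 10-minute expiry, new OTP supersedes the old.
// The limits and the in-memory dictionary are assumptions; a real site uses a shared store.
public class OtpPolicy
{
    private class Entry { public string Code; public DateTime Expires, WindowStart; public int Sends, Retries; }
    private readonly Dictionary<string, Entry> _byUser = new Dictionary<string, Entry>();
    private static readonly TimeSpan Ttl = TimeSpan.FromMinutes(10);        // expire if unused
    private static readonly TimeSpan SendWindow = TimeSpan.FromMinutes(15); // flooding window
    private const int MaxSendsPerWindow = 3, MaxRetries = 5, OtpLength = 6;
    public Func<DateTime> Now = () => DateTime.UtcNow;                       // injectable clock

    // Returns the code to deliver out of band, or null when this user's send limit is reached.
    public string Issue(string userId)
    {
        var now = Now();
        if (!_byUser.TryGetValue(userId, out var e) || now - e.WindowStart > SendWindow)
            _byUser[userId] = e = new Entry { WindowStart = now };
        if (e.Sends >= MaxSendsPerWindow) return null;
        e.Sends++;
        e.Retries = 0;
        e.Code = RandomDigits(OtpLength);  // overwriting Code invalidates any earlier OTP
        e.Expires = now + Ttl;
        return e.Code;
    }

    // True only for the current, unexpired code. The code is consumed on success and
    // discarded after MaxRetries wrong guesses; the comparison does not short-circuit.
    public bool Verify(string userId, string candidate)
    {
        if (!_byUser.TryGetValue(userId, out var e) || e.Code == null || Now() > e.Expires) return false;
        if (++e.Retries > MaxRetries) { e.Code = null; return false; }
        if (candidate == null || candidate.Length != e.Code.Length) return false;
        int diff = 0;
        for (int i = 0; i < e.Code.Length; i++) diff |= e.Code[i] ^ candidate[i];
        if (diff != 0) return false;
        e.Code = null;                     // one-time use: replaying the same code fails
        return true;
    }

    private static string RandomDigits(int n)   // CSPRNG digits, rejecting 250..255 to avoid bias
    {
        var digits = new char[n]; var b = new byte[1];
        using (var rng = new RNGCryptoServiceProvider())
            for (int i = 0; i < n; ) { rng.GetBytes(b); if (b[0] < 250) digits[i++] = (char)('0' + b[0] % 10); }
        return new string(digits);
    }
}
```

Calling Issue a fourth time within the window returns null (flooding), a sixth wrong Verify discards the code (brute force), and a second Verify with the same correct code returns false (single use).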

Excessive data in response

Severity: Medium

error message: OTP value, user data and some other IDs are being returned in the response.

remediation:

  1. Do not send OTP in response
  2. Do not send user data (only specifics)
  3. Don't return the IDs which are not required

Improper Input Validation

Severity: Medium

error message: No character limit, no validation on mobile number.

remediation:

  1. Implement character limit on every field
  2. Do not display the entered information when displaying the error in response

Improper Error Handling

Severity: Low

error message: Able to See Stack trace of the web application

remediation: Implement custom error pages

HSTS Not implemented

Severity: Low

error message: Strict transport policy not implemented

remediation: The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime':

response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");

Misconfigured CORS

Severity: Low

error message: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request. The response uses a wildcard in the Access-Control-Allow-Origin header and specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored. Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks

remediation: Whitelist specific URLs: return only an allow-listed origin in Access-Control-Allow-Origin (never *), and add Vary: Origin so caches keep per-origin responses apart.

    response.AddHeader("Access-Control-Allow-Origin", "domain"); // an allow-listed origin, not "*"
    response.AddHeader("Vary", "Origin");

Insecure Inline frame

Severity: Low

error message: The web page was found to be using an Inline Frame ("iframe") to embed a resource, such as a different web page. The Inline Frame is either configured insecurely, or not as securely as expected. This vulnerability alert is based on the origin of the embedded resource and the iframe’s sandbox attribute, which can be used to apply security restrictions as well as exceptions to these restrictions.

remediation: Apply sandboxing in inline frame

<iframe sandbox src="framed-page-url"></iframe>

For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.

Server Banner Disclosure

Severity: Informational

error message: Server version is getting disclosed

remediation: Hide the server version and the type of server from the response:

    response.Headers.Remove("Server");

Referrer Policy Not implemented

Severity: Informational

error message: Referrer policy controls the behavior of the Referer header, which indicates the origin or web page URL the request was made from. The web application uses an insecure Referrer-Policy configuration that may leak the user's information to third parties.

remediation: Consider setting Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.

response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");
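
The CORS, HSTS, server banner and referrer-policy remediations above can be applied in one place with an ASP.NET IHttpModule. This is an added example, not code from the article or from Sitecore; the module name and the allow-listed origins are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
// Added example (not from the article): applies the CORS, HSTS, server banner and
// Referrer-Policy fixes in one IHttpModule. Register it in Web.config under
// <system.webServer><modules>; the allow-listed origins below are placeholders.
public class SecurityHeadersModule : IHttpModule
{
    // Exact origins (scheme + host [+ port]) allowed to call with credentials. Never "*".
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.example.com",   // placeholder: the site's own origin
            "https://cm.example.com",    // placeholder: another trusted host
        };

    // Kept free of HttpContext so it can be unit-tested with plain strings.
    public static IDictionary<string, string> Build(string requestOrigin, bool isHttps)
    {
        var h = new Dictionary<string, string>();
        // CORS: echo an allow-listed origin only; an unknown origin gets no ACAO header.
        // Vary: Origin keeps proxies from serving one origin's response to another
        // (the cache-poisoning point in the Misconfigured CORS finding).
        if (!string.IsNullOrEmpty(requestOrigin) && AllowedOrigins.Contains(requestOrigin))
        {
            h["Access-Control-Allow-Origin"] = requestOrigin;
            h["Access-Control-Allow-Credentials"] = "true";
        }
        h["Vary"] = "Origin";
        // HSTS is only honoured on an HTTPS response; browsers ignore it over plain HTTP.
        if (isHttps)
            h["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
        h["Referrer-Policy"] = "strict-origin-when-cross-origin";
        return h;
    }

    public void Init(HttpApplication app)
    {
        app.PreSendRequestHeaders += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            ctx.Response.Headers.Remove("Server");        // banner removal needs the IIS integrated pipeline
            ctx.Response.Headers.Remove("X-Powered-By");
            foreach (var kv in Build(ctx.Request.Headers["Origin"], ctx.Request.IsSecureConnection))
                ctx.Response.AppendHeader(kv.Key, kv.Value); // AppendHeader merges with an existing Vary
        };
    }
    public void Dispose() { }
}
```

Build("https://evil.example", true) yields no Access-Control-Allow-Origin at all, while Build("https://www.example.com", true) echoes that origin with credentials allowed; both carry Vary: Origin, HSTS and Referrer-Policy.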