Sitecore Website Security assessment

Published: 24 November 2022

Website security is a major concern for any projects before it is pushed live. To prevent any threats, you need to identify and resolve all the points that pose a threat to your project. You need to fix both the client’s side and the server’s side.

You can find threats from your application using a few tools that provide this specific type of functionality. There are 3 main methods when it comes to finding security vulnerabilities to make an application susceptible to attack.

Static application security testing (SAST)
DAST Dynamic application security testing(DAST)
VAPT Vulnerability Assessment & Penetration Testing(VAPT)

From these methods given above, SAST and DAST methods will scan the backend application (code and the application flow) and the VAPT method is a security testing that will identify vulnerabilities in applications, networks, endpoints and cloud.

There are also different levels of security which are High, Medium, and Low and based on these levels, the developers will remediate.

Difference between SAST and DAST.

SAST	DAST
White box security testing The tester here has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.	Black box security testing The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.
Requires source code SAST does not require a deployed application. It analyzes the source code or binary without executing the application.	Requires a running application DAST doesn’t require source code or binaries. It analyzes by executing the application.
Finds vulnerabilities earlier in the SDLC As soon as code is deemed feature-complete, the scan can be executed.	Finds vulnerabilities toward the end of the SDLC Vulnerabilities can be discovered after the development cycle is complete.
Less expensive to fix vulnerabilities Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.	More expensive to fix vulnerabilities Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.
Can’t discover run-time and environment-related issues Since the tool scans static code, it can’t discover run-time vulnerabilities.	Can discover run-time and environment-related issues Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.
Typically supports all kinds of software Examples include web applications, web services, and thick clients.	Typically scans only apps like web applications and web services DAST is not useful for other types of software.

SAST

DAST

White box security testing

The tester here has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.

Black box security testing

The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.

Requires source code

SAST does not require a deployed application. It analyzes the source code or binary without executing the application.

Requires a running application

DAST doesn’t require source code or binaries. It analyzes by executing the application.

Finds vulnerabilities earlier in the SDLC

As soon as code is deemed feature-complete, the scan can be executed.

Finds vulnerabilities toward the end of the SDLC

Vulnerabilities can be discovered after the development cycle is complete.

Less expensive to fix vulnerabilities

Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.

More expensive to fix vulnerabilities

Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.

Can’t discover run-time and environment-related issues

Since the tool scans static code, it can’t discover run-time vulnerabilities.

Can discover run-time and environment-related issues

Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.

Typically supports all kinds of software

Examples include web applications, web services, and thick clients.

Typically scans only apps like web applications and web services

DAST is not useful for other types of software.

Let us now discuss some points from the SAST method regarding the threats and how to remediate those.

SAST Report

It will scan the code/repository based on the configuration/code and make a report. There are many types of vulnerabilities such as:

unencrypted config
log forging
information exposure via header
improper resource shutdown or release
improper exception handling
Use of Insufficiently Random Values
Heap Inspection
Overly Permissive Cross Origin Resource Sharing Policy
Insufficient Logging of Sensitive Operations
Hardcoded Absolute Path

Note: “csharp.cs” is a class file in the below article.

unencrypted config

Severity: Low

error message: config does not encrypt the sensitive element found at line 1. This information can be plainly read by anyone with local file-system access.

remediation: The developer needs to make encryption code in appconfig file and needs to use different encryption/decryption methods and also needs to resolve it. There is a different module for this (e.g.: ASPNET_REGIIS) or you can make your custom algorithm for the same.

Log Forging

Severity: Low

error message: “csharp.cs” file gets user input from element” A”. This element’s value flows through the code without being properly sanitized or validated and is eventually used in writing an audit log.

remediation: remove Unnecessary log If there is confidential information related URL, Password and server info etc. and if the logs are necessary then encrypt the log value with your encryption code.

Information Exposure via Headers

Severity: Low

error message: ‘Web.config’, to expose server data in response headers.

remediation: add the below codethe in configuration node.

<system.webServer> 
    <httpRuntime enableVersionHeader="false" /> 
    <security> 
        <requestFiltering removeServerHeader="true" />
    </security> 
</system.webServer>

Improper Resource Shutdown or Release

Severity: Low

error message: csharp.cs defines and initializes the StreamWriter object at 92. The object encapsulates a limited computing resource, such as open file streams, database connections, or network streams. This resource is not properly closed and released in all situations.

remediation: Wherever a developer is using file streams to read and write they need to ensure that all the objects are shut and disposed after the execution. To resolve this, a developer needs to make sure to clear the filesystem object and dispose that object or they can also use locally created objects.

using (var streamReader = new StreamReader(responseStream)) 
    { 
        streamReader.Close(); 
        streamReader.Dispose(); 
    }

Improper Exception Handling

Severity: Low

error message: csharp.cs performs an operation that could be expected to throw an exception and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling

remediation: Please use the finally block with the try-catch block and make sure that the object is not readable out of the block.

Use of Insufficiently Random Values

Severity: Low

error message: csharp.cs uses a weak method Next to produce random values. These values might be used as personal identifiers, session tokens or cryptographic input; however, due to their insufficient randomness, an attacker may be able to derive their value.

remediation: instead of using random method you can use below code.

private string GenerateRandomOTP(int iOTPLength) 
    { 
        RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider(); 
        var byteArray = new byte[iOTPLength]; 
        provider.GetBytes(byteArray); 
        var randomInteger = BitConverter.ToInt32(byteArray, 0); 
        randomInteger = Math.Abs(randomInteger); 
        var randomIntegerStr = randomInteger.ToString().Substring(0, iOTPLength);           
        return randomIntegerStr; 
    }

Heap Inspection

Severity: Low

error message: csharp.cs defines Password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to Password, this variable is never cleared from memory.

remediation: Use a local variable instead of using global variable and use this into method or else you can encrypt the password using your algorithm and decrypt it while using.

Overly Permissive Cross Origin Resource Sharing Policy

Severity: Low

error message: csharp.cs sets an overly permissive CORS access control origin header.

remediation: use website domain instead of using *,

if (request.HttpMethod == "OPTIONS") 
    { 
        response.AddHeader("Access-Control-Allow-Origin", "domain"); 
        response.Headers.Remove("Server"); 
        response.Flush(); 
    } 
if (request.HttpMethod == "POST") 
    { 
        response.AddHeader("Access-Control-Allow-Origin", "domain"); 
        response.AddHeader("Access-Control-Allow-Credentials", "true"); 
        response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload"); 
        response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin"); 
        response.Headers.Remove("Server"); 
    }

Insufficient Logging of Sensitive Operations

Severity: Information

error message: The sensitive operation ‘DeleteAllOnSubmit’ is not properly logged and, therefore, important execution details may be omitted.

remediation: Getting this error because sensitive information is displaying in log.to remediate this encrypt the log or remove if it is not necessary.

Hardcoded Absolute Path

Severity: Information

error message: Method references external files using a hard-coded, absolute path.

remediation: Remove hard coded path from class and fetch it from appconfig.

DAST Report

DAST doesn’t require source code or binaries. It analyzes by executing the application.

there are different types of Vulnerability

OTP flooding
OTP Brute Force/ No rate Limit
Improper Implementation of OTP
Excessive data in response
Improper Input Validation
Improper Error Handling
HSTS Not implemented
Misconfigured CORS
Insecure Inline frame
Server Banner Disclosure
Referrer Policy Not implemented

OTP flooding

Severity: High

error message: Able to send multiple OTPs value to any user.

remediation:

Limit the OTP sending
Implement request limit

OTP Brute Force/ No rate Limit

Severity: High

error message: Able to brute force user's OTP.

remediation:

User should have limited retries (n retries)

Improper Implementation of OTP

Severity: High

error message: OTP value not getting invalidated after using it once.

remediation:

OTP is one time password and should expire after using it once
There should be a 10 mins time if the OTP is not used in that time, it should expire automatically
After sending the new OTP the previous OTP should expire

Excessive data in response

Severity: Medium

error message: OTP value, user data and some other ids are being returned in the response

remediation:

Do not send OTP in response
Do not send user data (only specifics)
Don't return the IDs which are not required

Improper Input Validation

Severity: Medium

error message: No Character limit, no validation on mobile number.

remediation:

Implement character limit on every field
Do not display the entered information when displaying the error in response

Improper Error Handling

Severity: Low

error message: Able to See Stack trace of the web application

remediation: Implement custom error pages

HSTS Not implemented

Severity: Low

error message: Strict transport policy not implemented

remediation: The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime',

response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");

Misconfigured CORS

Severity: Low

error message: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request. The response uses a wildcard in the Access-Control-Allow-Origin header and specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored. Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks

remediation: Whitelist specific URLs

response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");

Insecure Inline frame

Severity: Low

error message: The web page was found to be using an Inline Frame ("iframe") to embed a resource, such as a different web page. The Inline Frame is either configured insecurely, or not as securely as expected. This vulnerability alert is based on the origin of the embedded resource and the iframe’s sandbox attribute, which can be used to apply security restrictions as well as exceptions to these restrictions.

remediation: Apply sandboxing in inline frame

For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.

Server Banner Disclosure

Severity: Informational

error message:Server version is getting disclosed

remediation: Hide the server version and the type of server from the response. response.Headers.Remove("Server");

Referrer Policy Not implemented

Severity: Informational

error message: Referrer policy controls behavior of the referrer header, which indicates the origin or web page URL the request was made from. The web application uses insecure Referrer Policy configuration that may leak user's information to third party.

remediation: Consider setting Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.

response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");

Sitecore Website Security assessment

Published: 24 November 2022

Static application security testing (SAST)
DAST Dynamic application security testing(DAST)
VAPT Vulnerability Assessment & Penetration Testing(VAPT)

There are also different levels of security which are High, Medium, and Low and based on these levels, the developers will remediate.

Difference between SAST and DAST.

SAST	DAST
White box security testing The tester here has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.	Black box security testing The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.
Requires source code SAST does not require a deployed application. It analyzes the source code or binary without executing the application.	Requires a running application DAST doesn’t require source code or binaries. It analyzes by executing the application.
Finds vulnerabilities earlier in the SDLC As soon as code is deemed feature-complete, the scan can be executed.	Finds vulnerabilities toward the end of the SDLC Vulnerabilities can be discovered after the development cycle is complete.
Less expensive to fix vulnerabilities Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.	More expensive to fix vulnerabilities Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.
Can’t discover run-time and environment-related issues Since the tool scans static code, it can’t discover run-time vulnerabilities.	Can discover run-time and environment-related issues Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.
Typically supports all kinds of software Examples include web applications, web services, and thick clients.	Typically scans only apps like web applications and web services DAST is not useful for other types of software.

SAST

DAST

White box security testing

The tester here has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.

Black box security testing

The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.

Requires source code

SAST does not require a deployed application. It analyzes the source code or binary without executing the application.

Requires a running application

DAST doesn’t require source code or binaries. It analyzes by executing the application.

Finds vulnerabilities earlier in the SDLC

As soon as code is deemed feature-complete, the scan can be executed.

Finds vulnerabilities toward the end of the SDLC

Vulnerabilities can be discovered after the development cycle is complete.

Less expensive to fix vulnerabilities

Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.

More expensive to fix vulnerabilities

Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.

Can’t discover run-time and environment-related issues

Since the tool scans static code, it can’t discover run-time vulnerabilities.

Can discover run-time and environment-related issues

Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.

Typically supports all kinds of software

Examples include web applications, web services, and thick clients.

Typically scans only apps like web applications and web services

DAST is not useful for other types of software.

Let us now discuss some points from the SAST method regarding the threats and how to remediate those.

SAST Report

It will scan the code/repository based on the configuration/code and make a report. There are many types of vulnerabilities such as:

unencrypted config
log forging
information exposure via header
improper resource shutdown or release
improper exception handling
Use of Insufficiently Random Values
Heap Inspection
Overly Permissive Cross Origin Resource Sharing Policy
Insufficient Logging of Sensitive Operations
Hardcoded Absolute Path

Note: “csharp.cs” is a class file in the below article.

unencrypted config

Severity: Low

error message: config does not encrypt the sensitive element found at line 1. This information can be plainly read by anyone with local file-system access.

Log Forging

Severity: Low

Information Exposure via Headers

Severity: Low

error message: ‘Web.config’, to expose server data in response headers.

remediation: add the below codethe in configuration node.

<system.webServer> 
    <httpRuntime enableVersionHeader="false" /> 
    <security> 
        <requestFiltering removeServerHeader="true" />
    </security> 
</system.webServer>

Improper Resource Shutdown or Release

Severity: Low

using (var streamReader = new StreamReader(responseStream)) 
    { 
        streamReader.Close(); 
        streamReader.Dispose(); 
    }

Improper Exception Handling

Severity: Low

error message: csharp.cs performs an operation that could be expected to throw an exception and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling

remediation: Please use the finally block with the try-catch block and make sure that the object is not readable out of the block.

Use of Insufficiently Random Values

Severity: Low

remediation: instead of using random method you can use below code.

private string GenerateRandomOTP(int iOTPLength) 
    { 
        RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider(); 
        var byteArray = new byte[iOTPLength]; 
        provider.GetBytes(byteArray); 
        var randomInteger = BitConverter.ToInt32(byteArray, 0); 
        randomInteger = Math.Abs(randomInteger); 
        var randomIntegerStr = randomInteger.ToString().Substring(0, iOTPLength);           
        return randomIntegerStr; 
    }

Heap Inspection

Severity: Low

remediation: Use a local variable instead of using global variable and use this into method or else you can encrypt the password using your algorithm and decrypt it while using.

Overly Permissive Cross Origin Resource Sharing Policy

Severity: Low

error message: csharp.cs sets an overly permissive CORS access control origin header.

remediation: use website domain instead of using *,

if (request.HttpMethod == "OPTIONS") 
    { 
        response.AddHeader("Access-Control-Allow-Origin", "domain"); 
        response.Headers.Remove("Server"); 
        response.Flush(); 
    } 
if (request.HttpMethod == "POST") 
    { 
        response.AddHeader("Access-Control-Allow-Origin", "domain"); 
        response.AddHeader("Access-Control-Allow-Credentials", "true"); 
        response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload"); 
        response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin"); 
        response.Headers.Remove("Server"); 
    }

Insufficient Logging of Sensitive Operations

Severity: Information

error message: The sensitive operation ‘DeleteAllOnSubmit’ is not properly logged and, therefore, important execution details may be omitted.

remediation: Getting this error because sensitive information is displaying in log.to remediate this encrypt the log or remove if it is not necessary.

Hardcoded Absolute Path

Severity: Information

error message: Method references external files using a hard-coded, absolute path.

remediation: Remove hard coded path from class and fetch it from appconfig.

DAST Report

DAST doesn’t require source code or binaries. It analyzes by executing the application.

there are different types of Vulnerability

OTP flooding
OTP Brute Force/ No rate Limit
Improper Implementation of OTP
Excessive data in response
Improper Input Validation
Improper Error Handling
HSTS Not implemented
Misconfigured CORS
Insecure Inline frame
Server Banner Disclosure
Referrer Policy Not implemented

OTP flooding

Severity: High

error message: Able to send multiple OTPs value to any user.

remediation:

Limit the OTP sending
Implement request limit

OTP Brute Force/ No rate Limit

Severity: High

error message: Able to brute force user's OTP.

remediation:

User should have limited retries (n retries)

Improper Implementation of OTP

Severity: High

error message: OTP value not getting invalidated after using it once.

remediation:

OTP is one time password and should expire after using it once
There should be a 10 mins time if the OTP is not used in that time, it should expire automatically
After sending the new OTP the previous OTP should expire

Excessive data in response

Severity: Medium

error message: OTP value, user data and some other ids are being returned in the response

remediation:

Do not send OTP in response
Do not send user data (only specifics)
Don't return the IDs which are not required

Improper Input Validation

Severity: Medium

error message: No Character limit, no validation on mobile number.

remediation:

Implement character limit on every field
Do not display the entered information when displaying the error in response

Improper Error Handling

Severity: Low

error message: Able to See Stack trace of the web application

remediation: Implement custom error pages

HSTS Not implemented

Severity: Low

error message: Strict transport policy not implemented

response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");

Misconfigured CORS

Severity: Low

remediation: Whitelist specific URLs

response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");

Insecure Inline frame

Severity: Low

remediation: Apply sandboxing in inline frame

For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.

Server Banner Disclosure

Severity: Informational

error message:Server version is getting disclosed

remediation: Hide the server version and the type of server from the response. response.Headers.Remove("Server");

Referrer Policy Not implemented

Severity: Informational

remediation: Consider setting Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.

response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");