
Securing Your Umbraco - Code Garden 15

Date post: 14-Aug-2015
Upload: chris-gaskell
Transcript

SECURING YOUR UMBRACO

CHRIS GASKELL
@CGASKELL
CHRIS@DETANGLED-DIGITAL.COM

I'M NOT A HACKER

Agenda:
HTTPS
Umbraco Setup
Cookies
Inputs and Outputs
Self Testing
Pen Testing

"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain."

– KEVIN MITNICK

HTTPS://WWW.OWASP.ORG

THIS PRESENTATION IS POWERED BY OWASP AND MY EXPERIENCES

BEFORE YOU START, THINK SECURITY

#1 UPGRADE UPGRADE UPGRADE

THANKS GAV

#1 CASE STUDY

Umbraco 4.7 running on an unpatched Windows 2008 Server.

This vulnerability was reported by Umbraco HQ and patches were made available immediately.

#1 UPGRADE UPGRADE UPGRADE

• Upgrade Umbraco
• Upgrade the server's operating system
• Upgrade the .NET Framework
• Upgrade your packages (Umbraco and NuGet)
• Upgrade your front-end frameworks

#2 HTTPS://

#2 OPTION 1: SECURE YOUR ENTIRE SITE OVER HTTPS://

#2 INSTALL THE CERTIFICATE

#2 FRONT END

Ensure HTTP requests are redirected to HTTPS.

To redirect the entire site, use the URL Rewrite module for IIS.

All page assets must be served over HTTPS to avoid 'mixed content' ('mixed mode') warnings in the browser.

#2 BACK OFFICE - WEB.CONFIG

Make sure that all requests to the back office are made over HTTPS instead of HTTP.
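An added web.config example (not from the talk) covering both points above: the URL Rewrite rule that redirects every plain-HTTP request to HTTPS, and the Umbraco umbracoUseSSL setting that tells Umbraco the back office must be used over HTTPS. The rule name is an assumption; the condition comment notes what changes behind an SSL-offloading proxy such as ARR (option 3 below).

```xml
<!-- web.config: added example, not from the talk -->
<configuration>
  <appSettings>
    <!-- Umbraco setting: the back office (/umbraco) must be accessed over HTTPS -->
    <add key="umbracoUseSSL" value="true" />
  </appSettings>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is assumed. Runs before the rest of the site's rules. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is OFF for a plain-HTTP request. Behind an SSL-offloading ARR
                 (option 3) the application server only ever sees HTTP, so this
                 condition would loop; there, test the header the proxy is configured
                 to add instead, e.g. input="{HTTP_X_FORWARDED_PROTO}" pattern="^http$" -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- 301 so browsers and search engines remember the HTTPS address -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After adding the rule, request a page and an asset (a script or stylesheet) over http:// and confirm both answer with a 301 to the https:// address; a redirect that only covers pages still leaves mixed content.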

#2 OPTION 2: SECURE PARTS OF YOUR SITE OVER HTTPS://

#2 FRONT END

Switch a URL from HTTP to HTTPS based on the document type (alias), node id or template alias, with help from @leekelleher:

GITHUB.COM/LEEKELLEHER/UMBRACO-HTTPS-REDIRECT

#2 OPTION 3: SECURE YOUR SITE OVER HTTPS:// WITH INFRASTRUCTURE

#2 SECURE BY N-TIER INFRASTRUCTURE

1-4. Request reaches ARR (Application Request Routing)
5. ARR 'offloads' SSL
6. HTTP request to the application server
7-9. Application server responds to ARR over HTTP
10. ARR encrypts the response and sends it to the client

#3 HANDLING YOUR ERRORS

#3 HANDLING YOUR ERRORS - 404

1. Update UmbracoSettings.config with the content node you wish to serve as your error page.

2. IIS 7+: you may find that IIS handles the error itself. Add the following key to your web.config just before the closing tag of the system.webServer section.

#3 HANDLING YOUR ERRORS - 500

1. Tell IIS to pass the error to Umbraco (the same setting as for the 404).

2. Set the CustomErrors section of the web.config.
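An added example (not from the talk) of the three settings the two procedures above refer to. The content node id (1234) and the error page path (/error/) are assumptions; the rest is standard Umbraco and ASP.NET configuration.

```xml
<!-- config/umbracoSettings.config: added example, not from the talk.
     Node id 1234 is assumed; use the id of your own 'page not found' content node. -->
<settings>
  <content>
    <errors>
      <error404>1234</error404>
    </errors>
  </content>
</settings>

<!-- web.config -->
<configuration>
  <system.web>
    <!-- 500s: RemoteOnly shows the yellow screen (stack trace, paths, versions) only
         when browsing from the server itself; visitors get the friendly page.
         The path /error/ is assumed. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error/" />
  </system.web>
  <system.webServer>
    <!-- Goes just before </system.webServer>: lets the 404 and 500 responses that
         Umbraco produces reach the client instead of IIS replacing them with its own. -->
    <httpErrors existingResponse="PassThrough" />
  </system.webServer>
</configuration>
```

Check it from a machine that is not the server: a bogus URL should return the Umbraco 404 page with a 404 status code (not a 200, which hides the problem from search engines), and a forced error should return the friendly page with no stack trace or version numbers in the response.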

#4 RESTRICT ACCESS TO THE BACK OFFICE

#4 RESTRICT ACCESS

Restrict access to '/umbraco' by IP using IIS URL Rewrite:

<!-- web.config, inside <system.webServer> -->
<rewrite>
  <rules>
    <rule name="Restrict URL" enabled="true" stopProcessing="true">
      <match url="^umbraco($|/)" />
      <conditions logicalGrouping="MatchAll">
        <!-- Use REMOTE_ADDR if your server is NOT behind a load balancer;
             behind one, REMOTE_ADDR is the balancer's own address -->
        <add input="{REMOTE_ADDR}" pattern="^10\.11\.12\.13$" negate="true" />
      </conditions>
      <action type="Redirect" url="/page-not-found/" />
    </rule>
  </rules>
</rewrite>

#5 CODE COMMENTS

#5 COMMENTS

Use server-side comments in your markup rather than HTML comments: HTML comments are sent to the browser, where anyone can read them.

#6 HTTP HEADERS

#6 IIS / .NET HTTP HEADERS

Server: The web server software being run by the site. Typically for Umbraco: "Microsoft-IIS/7.5"

X-Powered-By: The collection (there can be multiple) of application frameworks being run by the site. Typically: "ASP.NET"

X-AspNet-Version: ASP.NET-only header; typical examples include "2.0.50727" and "4.0.30319"

X-AspNetMvc-Version: ASP.NET MVC stack; typical examples include "3.0", "2.0" and "1.0"

"Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes."

– IETF (INTERNET ENGINEERING TASK FORCE)

#6 HTTP HEADERS

'Server' header reads:

'; DROP TABLE servertypes; --

The web server on reddit.com.

#6 HTTP HEADERS

Removing the headers manually isn't as straightforward as you may initially expect.

#6 HTTP HEADERS

StripHeaders IIS Module

GITHUB.COM/DIONACH/STRIPHEADERS/

#6 HTTP HEADERS

Umbraco used to serve a version header, 'X-Umbraco-Version'. This was removed from v4.8.

#6 HTTP HEADERS TO THINK ABOUT ADDING

#6 HTTP HEADERS

Header: Strict-Transport-Security
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

#6 HTTP HEADERS

Header: X-XSS-Protection
Example: X-XSS-Protection: 1; mode=block

#6 HTTP HEADERS

Header: X-Frame-Options, Frame-Options
Example: X-Frame-Options: SAMEORIGIN

#6 HTTP HEADERS

Header: Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Example: Content-Security-Policy: default-src 'self'
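An added example (not from the talk, and not the StripHeaders module) showing both halves of the headers section in one place: an ASP.NET IHttpModule that removes the four stack-revealing headers listed earlier and adds the four headers above. The module and assembly names (SecurityHeadersModule, MySite) are assumptions. It needs the IIS integrated pipeline, because Response.Headers is read-only in classic mode, which is the reason removing these headers "isn't as straightforward as you may expect".

```csharp
// Added example, not from the talk. Register in web.config (assembly name MySite is assumed):
//   <system.webServer>
//     <modules>
//       <add name="SecurityHeaders" type="SecurityHeadersModule, MySite" />
//     </modules>
//   </system.webServer>
using System;
using System.Web;
using System.Web.Mvc;

public class SecurityHeadersModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // X-AspNetMvc-Version is written by MvcHandler itself; this static switch is the
        // supported way to turn it off.
        MvcHandler.DisableMvcResponseHeader = true;

        // PreSendRequestHeaders is the last chance to touch headers before IIS flushes them.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        var request = context.Request;
        var response = context.Response;

        // Headers that advertise the server stack.
        // Server: IIS adds it late in the pipeline, so it must be removed this late too.
        response.Headers.Remove("Server");
        // X-Powered-By: can equally be dropped with
        //   <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
        response.Headers.Remove("X-Powered-By");
        // X-AspNet-Version: can equally be dropped with <httpRuntime enableVersionHeader="false" />
        response.Headers.Remove("X-AspNet-Version");

        // Headers worth adding.
        if (request.IsSecureConnection)
        {
            // Browsers ignore HSTS received over plain HTTP. Only send it once the whole
            // site (and, with includeSubDomains, every subdomain) works over HTTPS:
            // for max-age seconds the browser will refuse to use HTTP for this host.
            response.Headers["Strict-Transport-Security"] = "max-age=16070400; includeSubDomains";
        }
        response.Headers["X-Frame-Options"] = "SAMEORIGIN";   // stops the site being framed by other origins (clickjacking)
        response.Headers["X-XSS-Protection"] = "1; mode=block";
        // Start restrictive; widen it (script-src, style-src, img-src ...) only for the
        // origins the site genuinely loads from.
        response.Headers["Content-Security-Policy"] = "default-src 'self'";
    }

    public void Dispose()
    {
    }
}
```

Two caveats from experience rather than from the slides: a default-src 'self' policy blocks inline scripts and styles, so test it against the Umbraco back office under /umbraco as well as the public site before going live; and X-XSS-Protection is no longer honoured by current browsers, which have removed their XSS auditors, so treat it as harmless legacy rather than protection. Verify the result with curl -I against the live site and confirm the four version headers are gone and the four new ones are present.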

#7 COOKIES

#7 COOKIES

Mark your cookies 'HttpOnly'.

#7 COOKIES

Mark your cookies 'Secure' when working over HTTPS.
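An added web.config example (not from the talk) that applies both cookie settings site-wide for every cookie ASP.NET issues, including the Umbraco authentication cookie, rather than per cookie in code.

```xml
<!-- web.config: added example, not from the talk -->
<configuration>
  <system.web>
    <!-- httpOnlyCookies: the browser keeps the cookie out of document.cookie, so an XSS
         payload cannot read the session or auth cookie and send it elsewhere.
         requireSSL: every cookie is flagged Secure and is only sent over HTTPS.
         Enable requireSSL only once the whole site is on HTTPS (option 1 above);
         on a plain-HTTP site the browser silently stops sending the cookies and
         users can no longer log in. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Confirm it in the browser's developer tools after logging in: the Set-Cookie response header for the auth cookie should carry both the HttpOnly and Secure attributes.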

#8 SANITISING INPUTS AND OUTPUTS

#8 SANITISING INPUTS

XSS - VALIDATE REQUEST

DON'T RELY ON REQUEST VALIDATION FOR XSS PROTECTION

#8 FORMS - SANITISING INPUTS

• Validate form fields both client and server side
• Where there are option types (dropdown, checkboxes etc.), ensure the value matches an available option
• Required fields
• Correct data type and length
• Data falls within an acceptable range
• Whitelist allowable values. The Regex namespace is particularly useful for checking that an email address or URL is as expected.

#8 MVC FORMS - SANITISING INPUTS

Use the synchroniser token pattern: ValidateAntiForgeryToken

#8 SQL INJECTION - SANITISING INPUTS

• Use parameterised SQL commands for all data access, without exception.
• Do not use SqlCommand with a string parameter made up of a concatenated SQL string.
• Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
• Enums are still vulnerable to unexpected values because .NET only validates a successful cast to the underlying data type, integer by default. Enum.IsDefined can validate whether the input value is valid within the list of defined constants.
• Apply the principle of least privilege when setting up the database user in your database of choice. The database user should only be able to access items that make sense for the use case.
• Use of the Entity Framework is a very effective SQL injection prevention mechanism. Remember that building your own ad hoc queries in EF is just as susceptible to SQLi as a plain SQL query.
• When using SQL Server, prefer integrated authentication over SQL authentication.
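An added example (not from the talk) that pulls the three input lists above together in one Umbraco SurfaceController: server-side validation with data annotations, the synchroniser token via ValidateAntiForgeryToken, the Enum.IsDefined check for a dropdown value, and a parameterised SqlCommand. The model, the Enquiry table and the enquiryDb connection string name are assumptions for the example.

```csharp
// Added example, not from the talk. Model, table and connection string names are assumed.
using System;
using System.ComponentModel.DataAnnotations;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;
using Umbraco.Web.Mvc;

public enum ContactReason { General = 1, Sales = 2, Support = 3 }

public class ContactModel
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    // Whitelist the shape of the address (same idea as a Regex check) rather than trusting the client.
    [Required, StringLength(254), EmailAddress]
    public string Email { get; set; }

    // Bound from a dropdown; the options offered are no guarantee of what gets posted.
    public ContactReason Reason { get; set; }

    [Required, StringLength(2000)]
    public string Message { get; set; }
}

public class ContactSurfaceController : SurfaceController
{
    [HttpPost]
    [ValidateAntiForgeryToken]   // synchroniser token: pairs with @Html.AntiForgeryToken() in the form
    public ActionResult Submit(ContactModel model)
    {
        // Model binding only checks that the posted value casts to the enum's underlying int,
        // so "Reason=99" binds happily; Enum.IsDefined rejects anything outside the constants.
        if (!Enum.IsDefined(typeof(ContactReason), model.Reason))
        {
            ModelState.AddModelError("Reason", "Please choose a valid reason.");
        }

        // Server-side validation runs regardless of what client-side validation did.
        if (!ModelState.IsValid)
        {
            return CurrentUmbracoPage();   // re-render the form with the validation messages
        }

        SaveEnquiry(model);
        TempData["EnquirySent"] = true;
        return RedirectToCurrentUmbracoPage();
    }

    private static void SaveEnquiry(ContactModel model)
    {
        // Parameterised command: user data is sent separately from the SQL text, so it can
        // never change the statement. The database user behind this connection string should
        // have INSERT on Enquiry and nothing more (least privilege).
        var connectionString = ConfigurationManager.ConnectionStrings["enquiryDb"].ConnectionString;

        using (var connection = new SqlConnection(connectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText =
                "INSERT INTO Enquiry (Name, Email, Reason, Message) VALUES (@name, @email, @reason, @message)";
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = model.Name;
            command.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = model.Email;
            command.Parameters.Add("@reason", SqlDbType.Int).Value = (int)model.Reason;
            command.Parameters.Add("@message", SqlDbType.NVarChar, 2000).Value = model.Message;

            connection.Open();
            command.ExecuteNonQuery();
        }
    }
}
```

The typed parameters (SqlDbType with an explicit length) are deliberate: they bound what reaches the database to the same sizes the model validates, and they stop implicit conversions that can defeat indexes. A form posted without the anti-forgery token, or with one issued to another session, is rejected by the attribute before the action runs.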

#8 FORMS - SANITISING OUTPUTS

Encode your outputs: if the nasties get in, don't let them out.

[email protected] is encoded

WEBFORMS: From .NET 4+ use <%: text %>

#9 BACKUP BACKUP BACKUP

"In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."

– CODE SPACES, JUNE 2014

#10 TEST YOUR OWN SITE

ASAFAWEB.COM

#11 HIRE A PENETRATION TESTER (PEN-TESTING)

WWW.OWASP.ORG
GITHUB.COM/LEEKELLEHER/UMBRACO-HTTPS-REDIRECT
GITHUB.COM/DIONACH/STRIPHEADERS/
WWW.RAPID7.COM
STAHERI.COM
WWW.TROYHUNT.COM
ASAFAWEB.COM

Also thanks to

@CGASKELL
