- Services
- Company
B2B Partnership with Addact will help you organisation to grow
Ensure sustainable success as we support our business partners at each step with our Partnership program.
- Resources
MAIN MENURead what is latest in our industry and learn more about digital transformation and technology.
Blogs
Get all of Addact’s announcements and Sitecore press releases.
Press Releases
Watch some interesting insights directly from the industry experts.
Videos
- Company
Sitecore XM Cloud
Sitecore CMS Development
Sitecore Module Development
Sitecore Content Hub Implementation
Sitecore CDP
Sitecore Send
Sitecore CMP & MRM
Sitecore OrderCloud
Sitecore Discover
Sitecore DevOps
Sitecore SXA
Hire Sitecore Team
Sitecore Digital Marketing
Sitecore Consulting Services
Sitecore Platform Integration service
Sitecore Platform Upgrade Service
Sitecore Audit Service
Sitecore Maintenance & Support
About Us
Careers
Hiring
Our Story
Let’s talk
Let’s Talk
We would love to hear from you. Want to know more about
our services or have any questions? Say Hi!
Sitecore Website Security assessment
What is Sitecore OrderCloud? Major features & benefits
How Sitecore Support Services are beneficial for your business?
A Guide to Sitecore Experience Manager Cloud
Website security is a major concern for any projects before it is pushed live. To prevent any threats, you need to identify and resolve all the points that pose a threat to your project. You need to fix both the client’s side and the server’s side.
You can find threats from your application using a few tools that provide this specific type of functionality. There are 3 main methods when it comes to finding security vulnerabilities to make an application susceptible to attack.
- Static application security testing (SAST)
- DAST Dynamic application security testing(DAST)
- VAPT Vulnerability Assessment & Penetration Testing(VAPT)
From these methods given above, SAST and DAST methods will scan the backend application (code and the application flow) and the VAPT method is a security testing that will identify vulnerabilities in applications, networks, endpoints and cloud.
There are also different levels of security which are High, Medium, and Low and based on these levels, the developers will remediate.
| SAST | DAST |
|---|---|
|
White box security testing
The tester here has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach. |
Black box security testing
The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach. |
|
Requires source code
SAST does not require a deployed application. It analyzes the source code or binary without executing the application. |
Requires a running application
DAST doesn’t require source code or binaries. It analyzes by executing the application. |
|
Finds vulnerabilities earlier in the SDLC
As soon as code is deemed feature-complete, the scan can be executed. |
Finds vulnerabilities toward the end of the SDLC
Vulnerabilities can be discovered after the development cycle is complete. |
|
Less expensive to fix vulnerabilities
Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle. |
More expensive to fix vulnerabilities
Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release. |
|
Can’t discover run-time and environment-related issues
Since the tool scans static code, it can’t discover run-time vulnerabilities. |
Can discover run-time and environment-related issues
Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities. |
|
Typically supports all kinds of software
Examples include web applications, web services, and thick clients. |
Typically scans only apps like web applications and web services
DAST is not useful for other types of software. |
Let us now discuss some points from the SAST method regarding the threats and how to remediate those.
It will scan the code/repository based on the configuration/code and make a report. There are many types of vulnerabilities such as:
- unencrypted config
- log forging
- information exposure via header
- improper resource shutdown or release
- improper exception handling
- Use of Insufficiently Random Values
- Heap Inspection
- Overly Permissive Cross Origin Resource Sharing Policy
- Insufficient Logging of Sensitive Operations
- Hardcoded Absolute Path
Note: “csharp.cs” is a class file in the below article.
unencrypted config
Severity: Low
error message: config does not encrypt the sensitive element found at line 1. This information can be plainly read by anyone with local file-system access.
remediation: The developer needs to make encryption code in appconfig file and needs to use different encryption/decryption methods and also needs to resolve it. There is a different module for this (e.g.: ASPNET_REGIIS) or you can make your custom algorithm for the same.
Log Forging
Severity: Low
error message: “csharp.cs” file gets user input from element” A”. This element’s value flows through the code without being properly sanitized or validated and is eventually used in writing an audit log.
remediation: remove Unnecessary log If there is confidential information related URL, Password and server info etc. and if the logs are necessary then encrypt the log value with your encryption code.
Information Exposure via Headers
Severity: Low
error message: ‘Web.config’, to expose server data in response headers.
remediation: add the below codethe in configuration node.
<system.webServer>
<httpRuntime enableVersionHeader="false" />
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
Improper Resource Shutdown or Release
Severity: Low
error message: csharp.cs defines and initializes the StreamWriter object at 92. The object encapsulates a limited computing resource, such as open file streams, database connections, or network streams. This resource is not properly closed and released in all situations.
remediation: Wherever a developer is using file streams to read and write they need to ensure that all the objects are shut and disposed after the execution. To resolve this, a developer needs to make sure to clear the filesystem object and dispose that object or they can also use locally created objects.
using (var streamReader = new StreamReader(responseStream))
{
streamReader.Close();
streamReader.Dispose();
}
Improper Exception Handling
Severity: Low
error message: csharp.cs performs an operation that could be expected to throw an exception and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling
remediation: Please use the finally block with the try-catch block and make sure that the object is not readable out of the block.
Use of Insufficiently Random Values
Severity: Low
error message: csharp.cs uses a weak method Next to produce random values. These values might be used as personal identifiers, session tokens or cryptographic input; however, due to their insufficient randomness, an attacker may be able to derive their value.
remediation: instead of using random method you can use below code.
private string GenerateRandomOTP(int iOTPLength)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
var byteArray = new byte[iOTPLength];
provider.GetBytes(byteArray);
var randomInteger = BitConverter.ToInt32(byteArray, 0);
randomInteger = Math.Abs(randomInteger);
var randomIntegerStr = randomInteger.ToString().Substring(0, iOTPLength);
return randomIntegerStr;
}
Heap Inspection
Severity: Low
error message: csharp.cs defines Password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to Password, this variable is never cleared from memory.
remediation: Use a local variable instead of using global variable and use this into method or else you can encrypt the password using your algorithm and decrypt it while using.
Overly Permissive Cross Origin Resource Sharing Policy
Severity: Low
error message: csharp.cs sets an overly permissive CORS access control origin header.
remediation: use website domain instead of using *,
if (request.HttpMethod == "OPTIONS")
{
response.AddHeader("Access-Control-Allow-Origin", "domain");
response.Headers.Remove("Server");
response.Flush();
}
if (request.HttpMethod == "POST")
{
response.AddHeader("Access-Control-Allow-Origin", "domain");
response.AddHeader("Access-Control-Allow-Credentials", "true");
response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");
response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");
response.Headers.Remove("Server");
}
Insufficient Logging of Sensitive Operations
Severity: Information
error message: The sensitive operation ‘DeleteAllOnSubmit’ is not properly logged and, therefore, important execution details may be omitted.
remediation: Getting this error because sensitive information is displaying in log.to remediate this encrypt the log or remove if it is not necessary.
Hardcoded Absolute Path
Severity: Information
error message: Method references external files using a hard-coded, absolute path.
remediation: Remove hard coded path from class and fetch it from appconfig.
DAST doesn’t require source code or binaries. It analyzes by executing the application.
there are different types of Vulnerability
- OTP flooding
- OTP Brute Force/ No rate Limit
- Improper Implementation of OTP
- Excessive data in response
- Improper Input Validation
- Improper Error Handling
- HSTS Not implemented
- Misconfigured CORS
- Insecure Inline frame
- Server Banner Disclosure
- Referrer Policy Not implemented
OTP flooding
Severity: High
error message: Able to send multiple OTPs value to any user.
remediation:
- Limit the OTP sending
- Implement request limit
OTP Brute Force/ No rate Limit
Severity: High
error message: Able to brute force user's OTP.
remediation:
- User should have limited retries (n retries)
Improper Implementation of OTP
Severity: High
error message: OTP value not getting invalidated after using it once.
remediation:
- OTP is one time password and should expire after using it once
- There should be a 10 mins time if the OTP is not used in that time, it should expire automatically
- After sending the new OTP the previous OTP should expire
Excessive data in response
Severity: Medium
error message: OTP value, user data and some other ids are being returned in the response
remediation:
- Do not send OTP in response
- Do not send user data (only specifics)
- Don't return the IDs which are not required
Improper Input Validation
Severity: Medium
error message: No Character limit, no validation on mobile number.
remediation:
- Implement character limit on every field
- Do not display the entered information when displaying the error in response
Improper Error Handling
Severity: Low
error message: Able to See Stack trace of the web application
remediation: Implement custom error pages
HSTS Not implemented
Severity: Low
error message: Strict transport policy not implemented
remediation: The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime',
response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");
Misconfigured CORS
Severity: Low
error message: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request. The response uses a wildcard in the Access-Control-Allow-Origin header and specifies that credentials are allowed. Note that browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be ignored. Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks
remediation: Whitelist specific URLs
response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubdomains;preload");
Insecure Inline frame
Severity: Low
error message: The web page was found to be using an Inline Frame ("iframe") to embed a resource, such as a different web page. The Inline Frame is either configured insecurely, or not as securely as expected. This vulnerability alert is based on the origin of the embedded resource and the iframe’s sandbox attribute, which can be used to apply security restrictions as well as exceptions to these restrictions.
remediation: Apply sandboxing in inline frame
<iframe sandbox src="framed-page-url"></iframe>
For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.
Server Banner Disclosure
Severity: Informational
error message:Server version is getting disclosed
remediation: Hide the server version and the type of server from the response. response.Headers.Remove("Server");
Referrer Policy Not implemented
Severity: Informational
error message: Referrer policy controls behavior of the referrer header, which indicates the origin or web page URL the request was made from. The web application uses insecure Referrer Policy configuration that may leak user's information to third party.
remediation: Consider setting Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.
response.AddHeader("Referrer-Policy", "strict-origin-when-cross-origin");
