
Building a secured Sitefinity website

by Georgi Chokov

Over the past few weeks I have noticed a trend among our customers: concerns about web security and hacking. In this post we cover how Sitefinity protects you against some of the well-known web attacks, and go over the basics you should keep in mind while building any ASP.NET website.

Sitefinity against well known web attacks

SQL Injection and Blind SQL Injection

Before I explain how Sitefinity handles it, here is how Wikipedia defines SQL injection: a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. (Full article: http://en.wikipedia.org/wiki/SQL_injection)

Sitefinity's own data access does not give an attacker a way to inject SQL. Every database query Sitefinity executes is constructed by its Object-Relational Mapper; user-supplied data is never concatenated into the query text, and every API method that touches the database goes through parameterized stored procedures. The same holds for user authentication, which is where attackers usually probe first: the authentication queries are parameterized stored procedures, so whatever is typed into the login form travels as a parameter value and is never interpreted as SQL. Note that this covers Sitefinity's code, not yours. If you add custom functionality against your own tables, pass user input only through parameterized queries (SqlParameter with @name placeholders in ADO.NET) or through an ORM's parameterized query API. "Filtering" or escaping input by hand is error-prone, and an ORM helps only as long as you do not hand it query strings you assembled from user input yourself; that is the same bug wearing a different coat.
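To make the concatenation-versus-parameters distinction concrete, here is an added example (my code, not Sitefinity's) in Python against an in-memory SQLite database, chosen because it runs stand-alone; the users table, the two demo accounts and the payload are constructed for the demo. The same rule applies in ADO.NET, where the fix is SqlParameter placeholders instead of string concatenation.

```python
import sqlite3


def make_db():
    """Constructed demo data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Placeholders: the driver sends the values separately from the statement,
    so quotes and comment markers in the input are just characters in a value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Closes the string literal and comments out the password check:
    #   ... WHERE username = 'admin' --' AND password = 'irrelevant'
    attack_user = "admin' --"
    attack_pass = "irrelevant"
    return {
        "vulnerable": login_vulnerable(conn, attack_user, attack_pass),       # 'admin'
        "parameterized": login_parameterized(conn, attack_user, attack_pass), # None
        "legit": login_parameterized(conn, "alice", "hunter2"),               # 'alice'
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version logs the attacker in as admin without a password; the parameterized version looks for a user literally named "admin' --" and finds nothing, while a genuine login still works.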

Cross-site scripting (XSS) attacks

Again from Wikipedia - a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner. (the entire article - http://en.wikipedia.org/wiki/Cross-site_scripting)

ASP.NET ships with a feature called Request Validation (not to be confused with Event Validation, which checks that postback event data came from the controls the page actually rendered). Request validation inspects incoming form fields, query string values and cookies for input that looks like markup, for example a "<" followed by a letter, and rejects the request with an HttpRequestValidationException before your code sees it. It is enabled by default for all pages and modules in Sitefinity, and can be switched on or off in web.config:

<system.web>   
<pages validateRequest="true" />   
</system.web> 

Request validation is a blocklist, so treat it as a safety net rather than the defence. The real protection against XSS is encoding every piece of user-supplied data at the point where it is written into the page, using the encoder that matches the context (element body, attribute value, URL, script).

Sitefinity also uses both client-side and server-side validators wherever possible. Client-side validation is a usability feature only: an attacker can skip the browser entirely and post directly to the server, so the server-side check is the one that counts.
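An added illustration, not code from the original post or from Sitefinity: the regular expression is my approximation of the request-validation rule (an assumption, not the framework's source), and the two payloads are constructed. It shows why the blocklist alone is not enough: the attribute-breaking payload contains no "<", so it passes the check, while context-aware output encoding neutralises both payloads.

```python
import html
import re

# Approximation of ASP.NET request validation (assumption, not the real
# implementation): reject "<" followed by a letter, "!", "/" or "?", and
# reject "&#" (numeric character references).
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def is_dangerous(value):
    """True if the blocklist would reject this input."""
    return _DANGEROUS.search(value) is not None


def render_comment(body):
    """Element-body context: encode <, >, & and quotes before writing."""
    return "<p>%s</p>" % html.escape(body, quote=True)


def render_search_box(query):
    """Attribute context: quote=True matters here, a bare double quote would
    otherwise terminate the value attribute and start a new one."""
    return '<input name="q" value="%s">' % html.escape(query, quote=True)


def demo():
    script_payload = "<script>alert(1)</script>"        # constructed payload
    attr_payload = '" onmouseover="alert(1)'            # constructed payload, no "<"
    return {
        "script_rejected": is_dangerous(script_payload),   # True
        "attr_rejected": is_dangerous(attr_payload),       # False: slips past the blocklist
        "script_encoded": render_comment(script_payload),
        "attr_encoded": render_search_box(attr_payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The encoded attribute renders as `value="&quot; onmouseover=&quot;alert(1)"`, which the browser shows as literal text inside the box instead of attaching an event handler.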

Password storage

A large share of websites (one commonly quoted figure is 30%) still store user passwords in plain text. That is a mistake Sitefinity does not make. With the default membership providers that ship with the application, passwords are stored as a salted hash: the original password cannot be read back out of the database, and because every user has a different salt an attacker who steals the table has to guess each password individually rather than cracking them all at once.
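An added example, not Sitefinity's implementation (its membership provider has its own hash and salt format), of what "hashed + salted" means in practice, written in Python with PBKDF2 from the standard library. The iteration count and the sample passwords are chosen for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # demo value; tune to your hardware, higher is slower for attackers too


def hash_password(password, salt=None):
    """Return (salt, digest) for storage.

    A fresh random salt per user means two users with the same password end
    up with different digests, so a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo():
    salt1, digest1 = hash_password("correct horse")   # constructed sample passwords
    salt2, digest2 = hash_password("correct horse")   # same password, second user
    return {
        "ok": verify_password("correct horse", salt1, digest1),          # True
        "wrong": verify_password("Correct horse", salt1, digest1),       # False
        "same_pw_different_digest": digest1 != digest2 and salt1 != salt2,  # True
    }


if __name__ == "__main__":
    print(demo())
```

Store the salt next to the digest; it is not a secret, its job is only to make each hash unique. The slow, iterated hash is what makes guessing expensive.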

ASP.NET features

Beyond input validation, you should also take care of the integrity and confidentiality of the view state and the authentication cookies. ASP.NET turns the important parts on by default: view state carries a MAC (enableViewStateMac) so a client cannot tamper with it, and forms-authentication tickets are both encrypted and signed. View state encryption, however, defaults to "Auto", which encrypts only when a control on the page asks for it, and every page or template can carry its own setting, which is easy to get wrong when many developers work on the same project. To encrypt the view state of every page, add the following web.config entry (the attribute name is case-sensitive):

<configuration> 
   <system.web> 
      <pages viewStateEncryptionMode="Always" /> 
   </system.web> 
</configuration> 

The following MSDN article explains the security settings of the authentication cookie and how to configure the machineKey element so that view state and cookies are encrypted and validated with the same keys on every server in a load-balanced or web-farm environment; with different keys, a page rendered by one server fails validation when it is posted back to another: http://msdn.microsoft.com/en-us/library/ms998288.aspx. While you are in that file, two settings are worth checking: requireSSL="true" on the forms element, so the authentication cookie is only ever sent over HTTPS, and httpOnlyCookies="true" on the httpCookies element, so script in the page cannot read it.
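An added example, not ASP.NET's actual view-state format, of the mechanism behind the MAC: the server appends an HMAC computed under a server-side key, so a client cannot modify the state, and a second server holding a different key (the web-farm misconfiguration mentioned above) cannot validate it either. Keys and state are constructed for the demo; the encryption layer that the "Always" setting adds on top is left out to keep the focus on integrity.

```python
import base64
import hashlib
import hmac
import json

MAC_LEN = 32   # SHA-256 output length in bytes


def protect_state(state, key):
    """Serialize the state and append an HMAC under the server's key."""
    payload = json.dumps(state, sort_keys=True).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def unprotect_state(blob, key):
    """Return the state if the MAC verifies under `key`, otherwise None."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload.decode("utf-8"))


def demo():
    key_a = b"validation-key-of-server-a"   # constructed keys
    key_b = b"validation-key-of-server-b"   # a farm member with a different key
    state = {"item": "widget", "price": 100}

    blob = protect_state(state, key_a)

    # A client edits the price in the base64 payload but cannot recompute the MAC.
    raw = base64.b64decode(blob)
    forged = base64.b64encode(raw[:-MAC_LEN].replace(b"100", b"1") + raw[-MAC_LEN:]).decode("ascii")

    return {
        "roundtrip": unprotect_state(blob, key_a),      # original state
        "tampered": unprotect_state(forged, key_a),     # None: MAC mismatch
        "other_server": unprotect_state(blob, key_b),   # None: wrong key, the farm failure
    }


if __name__ == "__main__":
    print(demo())
```

Without the MAC the payload is just base64, which is why tampering with view state is trivial on sites that disable validation; the last case is exactly what users see as random "validation of viewstate MAC failed" errors when farm servers do not share a machineKey.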

 

Deploying the project

There are several things you should know before you deploy the application to the live server:
- Running under medium trust restricts file input/output to the application's own directory tree; usually the only directory to which writing should be allowed is App_Data. Give the application pool identity write permission there and nowhere it does not need it.

- Verify that ASP.NET errors are not returned to the client. Sitefinity deliberately leaves some errors unhandled: it is a developer tool, and the error message is what speaks best to developers. That must not be the case once the application is deployed. Whenever an error occurs, display a friendly message with no stack trace, source path or code, since those details tell an attacker about your file layout, framework version and query structure. Errors are configured in web.config; "RemoteOnly" keeps the detailed page for requests made from the server itself and shows the friendly pages to everyone else:

<system.web> 
    <customErrors mode="RemoteOnly" defaultRedirect="FriendlyMessage.htm">  
      <error statusCode="404" redirect="FriendlyNotFoundError.htm"/>  
      <error statusCode="500" redirect="FriendlyServerError.htm"/>  
    </customErrors> 
</system.web> 

- You can encrypt sensitive sections of web.config, such as connectionStrings, with the aspnet_regiis -pe command, so that database credentials are not readable in clear text by anyone who gets hold of the file.

Server Security

Attacks on a website often start with the server being compromised first. Once an attacker has access to your server, the website is theirs. If you run your own server, virtual or physical, you have to keep the operating system and server software patched and configure the firewall so that only the ports you actually serve (normally 80 and 443) are reachable from the internet.

Other good practices:
- The application pool identity must not have administrative rights, and must have access only to the website's files (read-only, except where writes are required such as App_Data) rather than to the entire server.
- Administration of the CMS can be restricted by IP address: allow access to the administrative URLs only from the addresses of your content writers and administrators, and block everyone else at the firewall or in IIS.


There is a lot more to say on the topic, but the right baby steps usually prevent 99% of the problems that might occur later.

69 comments

  1. Gabe Sumner Jan 29, 2010
    Awesome post Georgi.
  2. Lino Tadros Jan 29, 2010
    Very cool!  excellent article, Georgi, yo da man!
  3. Yasen Jan 29, 2010
    Really neat :)
  4. Michael Jan 30, 2010
    Great post Georgi. Thanks!
  5. Georgi Chokov Feb 01, 2010
    Thank you too guys!
  6. Paul Feb 02, 2010
    Great information! Thank you!
  7. KingKong Feb 03, 2010
    I had some doubts about this, but now everything is clear for me. Sitefinity seems to be very good, cheap and extensible CMS. 
  8. David Feb 04, 2010
Thanks Georgi for the great article.  Would you consider LinqToSql secure, like an ORM?
  9. Georgi Feb 11, 2010
    David,
Apologies for the late reply to your question. We will definitely try to do it. On the other hand, if we are talking about 4.0, there is "LinqToSitefinity" which will use the stored procedures :)
  10. Zia Partovi Jan 06, 2011
SQL injection using ORM injection is indeed possible.  Please check the following URL:

    http://www.owasp.org/index.php/Testing_for_ORM_Injection_(OWASP-DV-007)
  11. bram Oct 09, 2013
    Georgi,
    I noticed that username and password are sent to server in plain text format. Is there any built in function that will encrypt/hash username and password before sending them to server?
  12. DTripp Mar 17, 2015

I've been a professional software engineer for over a decade - if you think it's not possible, it's simply because you don't know of the attack vector yet. If there is input from a user into a database, it's impossible to ensure 100% immunity from SQL injection. I've programmed for some of the largest .coms in the US and I'll say none of the engineers I've worked with in those shops were singing that tune ;p In fact, quite the opposite. Trust nothing.

    A general programming philosophy I always would tell people (I can't remember where I had read it): The perfect program has 0 lines of code. The moment the programmer starts writing, the program becomes prone to failure, and the more lines from 0, the probability of failure increases. 

  13. Ramesh Mar 10, 2016

Can I have a solution for the low-priority website vulnerabilities:

    - Login page password-guessing attack
    - Possible virtual host found
    - Slow response time
