Security & Umbraco
Transcript
![Page 2: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/2.jpg)
Thought experiment
▪ How would I hack into someone’s Umbraco website?
▪ Sharing my thoughts so you can reconsider your security strategy
![Page 3: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/3.jpg)
Today’s goal
▪ Education
▪ Increase security awareness
▪ Tips for hardening your Umbraco website
![Page 4: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/4.jpg)
We do not want this!
![Page 5: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/5.jpg)
Who am I?
▪ Jeffrey Schoemaker
• Umbraco MVP 2017 & 2018
• Security & Umbraco enthusiast
▪ Web developer / co-owner Perplex
• Digital & marketing agency in the Netherlands
• Umbraco Gold Partner
• Two Umbraco MVPs
• A few packages: Umbraco Forms Perplex on Steroids, Perplex Security & GDPR package, PerplexMail, Perplex Kraken Image Optimizer
![Page 6: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/6.jpg)
Defense in Depth
▪ Multiple layers of defense
▪ If one fails, there are more layers to protect you
![Page 7: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/7.jpg)
Secure your Umbraco installation
Before After!
![Page 8: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/8.jpg)
Agenda
Our hacking approach
1. Footprint & Identification
2. Getting into Umbraco
3. In Umbraco – Privilege escalation
4. Clearing our tracks
![Page 9: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/9.jpg)
Sidesteps
▪ Encryption
▪ Umbraco settings
▪ Hardening your Umbraco
▪ 9 concrete tips that you can implement right away!
![Page 10: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/10.jpg)
![Page 11: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/11.jpg)
Level 1
Footprint & Identification
![Page 12: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/12.jpg)
Mission 1
▪ Goal: Get as much information on the website as possible
▪ Approach: Looking at specifics of the website
▪ We want to use this information in level 2 to try to exploit specific vulnerabilities in specific versions
![Page 13: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/13.jpg)
Footprint & Identification
▪ Most important part of hacking
▪ Stay under the radar
▪ Generate no noise & trigger no Intrusion Detection System
![Page 14: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/14.jpg)
Mission 1.1
▪ Goal: Determine if it’s Umbraco
▪ Approach: Search for Umbraco-specific characteristics
![Page 15: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/15.jpg)
On the homepage
▪ No easy way to identify Umbraco
▪ Total freedom of output
![Page 16: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/16.jpg)
Go to /umbraco/
![Page 17: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/17.jpg)
Or... like this
![Page 18: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/18.jpg)
Or even like this
After Umbraco 4 we somehow lost the version numbering
#donttalkaboutV5
![Page 19: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/19.jpg)
Publicly available on most websites
▪ Umbraco is exposed to the whole world!
▪ Everyone gets a few shots at accessing your website... Isn’t that weird?
![Page 20: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/20.jpg)
Hardening tip 1
IP whitelist your /umbraco/ using IIS Rewrite
Result: Significant reduction in attack surface
![Page 21: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/21.jpg)
Hardening tip 1: use an IISRewrite.config file
▪ Get the IP addresses of your client
▪ Whitelist them in your IISRewrite.config
▪ If your client cannot provide one range, or has a dynamic IP-range, restrict access by country
![Page 22: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/22.jpg)
IISRewrite.config
![Page 23: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/23.jpg)
And then it looks like this
![Page 24: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/24.jpg)
We get a 403 response
▪ So now we know that there is something
▪ And we are not allowed to see it
![Page 25: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/25.jpg)
Hardening tip 2
Rename your Umbraco-folder
Change the folder on disk and two web.config settings
![Page 26: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/26.jpg)
Hide your Umbraco-path
▪ Change these values in your web.config
▪ Rename your /umbraco/-folder on disk
![Page 27: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/27.jpg)
Rename it to /my-secret-loginpanel/
▪ Change these values in your web.config
▪ Rename the folder on disk
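The two web.config values the slide refers to, as an added example (not the slide's own screenshot): in Umbraco 7 the back-office location is driven by the `umbracoPath` and `umbracoReservedPaths` appSettings keys. The example uses the /my-secret-loginpanel/ name from the slide; the defaults are shown in comments so the change is visible.

```xml
<!-- web.config, <appSettings> section of an Umbraco 7 site (added example, not a slide from the deck).
     The folder on disk must be renamed to the same name, otherwise the back office serves a 404. -->
<configuration>
  <appSettings>
    <!-- default: ~/umbraco,~/install/  (paths Umbraco reserves for itself, not routed as content) -->
    <add key="umbracoReservedPaths" value="~/my-secret-loginpanel,~/install/" />
    <!-- default: ~/umbraco  (where the back office is served from) -->
    <add key="umbracoPath" value="~/my-secret-loginpanel" />
  </appSettings>
</configuration>
```

After the change, open the back office on the new path and click through every installed package: an add-on that hard-codes /umbraco/ in its own views or scripts will break and needs an update. The rename is obscurity only; as mission 1.2 shows, the remaining folders still give Umbraco away, so combine it with the IP whitelist of tip 1 rather than replacing it.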
![Page 28: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/28.jpg)
![Page 29: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/29.jpg)
Mission 1.2
▪ Goal: Determine whether it’s Umbraco, even when the Umbraco folder is renamed
▪ Approach: Find other characteristics of Umbraco
![Page 30: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/30.jpg)
A clean Umbraco folder structure
▪ Files not served by the IIS webserver (by default)
• .asax
• .config
• .csproj
![Page 31: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/31.jpg)
Other folders?
Footprinting & Identification
▪ Folders not served by IIS (by default)
• App_Browsers
• App_Data
• bin
▪ Empty folders
• Media
• Obj
• Properties
• Views
![Page 32: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/32.jpg)
Leaves us with...
▪ /App_Plugins/
▪ /Config/
▪ /Umbraco_client/
![Page 33: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/33.jpg)
/Config/-folder
![Page 34: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/34.jpg)
Aah... Only .config files
But wait!
Javascript?
![Page 35: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/35.jpg)
![Page 36: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/36.jpg)
That must be Umbraco!
![Page 37: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/37.jpg)
Mission 1.3
▪ Goal: Determine what version of Umbraco is being used
▪ Approach: Looking at specifics of that version
![Page 38: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/38.jpg)
Looking at the login screens
Login screens per version: 7.0, 7.1 - 7.4, 7.5, 7.6, 7.7, 7.8 / 7.10
![Page 39: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/39.jpg)
But that would be quite hard...
▪ Is there a better way?
![Page 40: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/40.jpg)
We could...
▪ Look for specific files and their contents
▪ Each new feature in a version requires language keys
▪ Crawl /umbraco/config/lang/en.xml
![Page 41: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/41.jpg)
7.5 introduced ‘Forgot password’
![Page 42: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/42.jpg)
7.7 introduced Nested Content to the core
![Page 43: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/43.jpg)
7.9 introduced ‘Sensitive data’
![Page 44: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/44.jpg)
If /Umbraco/ is unavailable...
▪ Use another file:
• /umbraco_client/Application/Extensions.js
• /umbraco_client/Application/UmbracoApplicationActions.js
![Page 45: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/45.jpg)
Now we know the specific version!
![Page 46: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/46.jpg)
Mission 1.4
▪ Goal: Discover installed packages
▪ Approach: Look for specific package characteristics
![Page 47: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/47.jpg)
Umbraco Forms
![Page 48: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/48.jpg)
Archetype
![Page 49: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/49.jpg)
Multi Url Picker
![Page 50: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/50.jpg)
Mission 1.4 accomplished
▪ We can detect specific Umbraco packages
▪ Hooray!
![Page 51: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/51.jpg)
Hardening tip 3
Stop leaking crucial information!
Use IIS Rewrite IP whitelisting on the following folders as well:
▪ App_Plugins
▪ Config
▪ Umbraco_Client
These folders are only used by authenticated Umbraco users
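The rule set behind hardening tips 1 and 3, as an added example (this is not the IISRewrite.config shown on the slides): a single IIS URL Rewrite rule that answers 403 for /umbraco/, /umbraco_client/, /App_Plugins/ and /config/ unless the caller's address is whitelisted. The file name follows the slide; the IP ranges are constructed placeholders, and the exemptions for /umbraco/surface/ and /umbraco/api/ are an assumption about which public-site routes your templates and forms post to.

```xml
<!-- IISRewrite.config: the <rules> element of the URL Rewrite module, referenced from web.config with
       <rewrite><rules configSource="IISRewrite.config" /></rewrite>
     Added example for hardening tips 1 and 3; IP ranges below are placeholders from the documentation ranges. -->
<rules>
  <rule name="Back office and package folders: whitelisted IPs only" stopProcessing="true">
    <!-- the folders the deck identifies as back-office only -->
    <match url="^(umbraco|umbraco_client|app_plugins|config)(/.*)?$" ignoreCase="true" />
    <conditions logicalGrouping="MatchAll">
      <!-- public-site routes that live under /umbraco/ stay reachable: Surface controllers (form posts)
           and UmbracoApiControllers; remove these two lines if your site uses neither -->
      <add input="{URL}" pattern="^/umbraco/(surface|api)/" ignoreCase="true" negate="true" />
      <!-- Umbraco Forms' default theme loads CSS and validation scripts from App_Plugins on public pages;
           add one such exemption per asset path your public pages actually request -->
      <add input="{URL}" pattern="^/app_plugins/umbracoforms/assets/" ignoreCase="true" negate="true" />
      <!-- every whitelisted range is a negated condition: the rule fires only when none of them match -->
      <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.10$" negate="true" />
      <add input="{REMOTE_ADDR}" pattern="^198\.51\.100\.\d+$" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
            statusDescription="Access to this path is restricted to whitelisted addresses" />
  </rule>
</rules>
```

Two checks after enabling it: request /umbraco/ from an address outside the list and confirm the 403 the next slides show, then crawl the public site (including a form submission) to confirm nothing it needs was caught by the rule. If IIS sits behind a load balancer or reverse proxy, `{REMOTE_ADDR}` is the proxy's address; switching the condition to an `X-Forwarded-For` header is only safe when the proxy overwrites that header, since any client can send one.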
![Page 52: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/52.jpg)
Automate it!
https://www.perplex.nl/is-it-umbraco/
![Page 53: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/53.jpg)
Version info
▪ Identified more than 5,000 Umbraco websites (according to the numbers only 1% of the total population online)
▪ Looking at the version and the installed packages
![Page 54: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/54.jpg)
Chart: Most used packages (usage share of the crawled sites, axis 0% to 50%), in the order shown: Umbraco Forms, Archetype, RJP.MultiUrlPicker, Nested Content, Diplo Trace Log Viewer, uSync, LeBlender, CMSImport, Spectrum Colour Picker, Robots.txt Editor, Umbraco Contour, Link Picker, Vorto, Doc Type Grid Editor, SEO Checker, Articulate, The Dashboard, Azure File System Providers, AngularGoogleMaps, Optimus, uEditorNotes, Diplo God Mode, Umbraco Forms on Perplex Steroids, Belle Icon Pack, uCommerce, oEmbed Picker
![Page 55: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/55.jpg)
Now we know the installed packages
![Page 56: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/56.jpg)
Mission 1.5
▪ Goal: Get into the website via a detour
▪ Approach: Look for other websites on the same server & gather information there
![Page 57: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/57.jpg)
Horizontal pivoting
▪ If you can’t get direct access to your target website
▪ Maybe other websites on the same server can be used to gain access to the target website
![Page 58: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/58.jpg)
Tooling: IPNeighbour.com
![Page 59: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/59.jpg)
Mission 1: Accomplished
We’ve got:
▪ Umbraco version
▪ Umbraco packages
▪ Websites on the same server
![Page 60: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/60.jpg)
![Page 61: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/61.jpg)
Level 2
Getting into Umbraco
![Page 62: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/62.jpg)
Mission 2
▪ Goal: Get into Umbraco
▪ Approach 1: Exploit known vulnerabilities
![Page 63: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/63.jpg)
What is wrong with leaking this information?
▪ Can we use it to succeed in mission 2?
▪ Or is it just irrelevant information?
![Page 64: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/64.jpg)
Software & hardware systems have known vulnerabilities
▪ In current or older versions
▪ Tracked in CVE-databases
• Common Vulnerabilities & Exposures
▪ Vulnerability scanners use these to test your website
![Page 65: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/65.jpg)
Umbraco vulnerabilities
▪ According to umbraco.com/security
![Page 66: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/66.jpg)
Umbraco Forms vulnerabilities
![Page 67: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/67.jpg)
Last week’s Umbraco Forms notice
![Page 68: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/68.jpg)
Online CVE-databases
![Page 69: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/69.jpg)
![Page 70: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/70.jpg)
▪ https://vimeo.com/205564261/02bfa2680d
![Page 71: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/71.jpg)
Hardening tip 4
Always upgrade your CMS & your modules
Recommended advice by Umbraco...
![Page 72: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/72.jpg)
But do we listen?
▪ Who does not patch or upgrade their website(s)?
![Page 73: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/73.jpg)
But do we listen?
▪ Who feels guilty about that?
![Page 74: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/74.jpg)
Chart: Umbraco versions – based on 5,000 crawled Umbraco websites (usage share, axis 0% to 20%); versions on the axis: 7.10, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 7.1, 7.0, 6.1, 6.0, 4.11, 4.9, 4.8, 4.7, 4.6, 4.5, 4.0, 3.0, 2.0
![Page 75: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/75.jpg)
Mission 2: Failure
Not (easily) possible to get into Umbraco when you’ve patched your installations
![Page 76: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/76.jpg)
Let’s take another approach
![Page 77: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/77.jpg)
Mission 2b
▪ Goal: Get into Umbraco
▪ Approach 2:
• Create a cool package that everyone wants to use
• Insert an exploit that gives us access
![Page 78: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/78.jpg)
A cool package
▪ Perplex Forms on Steroids package
▪ Open source, can be reviewed for malicious code
![Page 79: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/79.jpg)
![Page 80: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/80.jpg)
Code check
![Page 81: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/81.jpg)
Ok, it’s safe. Let’s download it
![Page 82: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/82.jpg)
But...
▪ Who says the uploaded package is the same as the uploaded source code?
▪ Maybe it contains some code like this...
![Page 83: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/83.jpg)
Create a password that always works
![Page 84: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/84.jpg)
Official Umbraco Guidelines
![Page 85: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/85.jpg)
Hardening tip 5
Compile packages yourself?
I am not sure about this... But be aware of the possible impacts
![Page 86: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/86.jpg)
Mission 2: Accomplished
▪ Exploit known vulnerabilities in specific versions
▪ Create your own exploit
![Page 87: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/87.jpg)
![Page 88: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/88.jpg)
Level 3
Privilege escalation
![Page 89: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/89.jpg)
Privilege escalation
The act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Thank you, Wikipedia
![Page 90: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/90.jpg)
So...
▪ We have access to Umbraco, but we want more access
![Page 91: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/91.jpg)
Mission 3.1
▪ Goal: Get more privileges within Umbraco
▪ Approach: Social engineering
![Page 92: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/92.jpg)
Case 1: Meet Mike, our happy trainee
▪ Mike helps editing the site
▪ It’s a complex website
▪ No property descriptions in Umbraco
![Page 93: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/93.jpg)
Some of the datatypes
![Page 94: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/94.jpg)
Mike is so helpful..
“Shall I add some descriptions to your properties so everyone can work with your Umbraco install?”
“Wow, would you do that for us?”
“Of course, no problem. Please give me access to the Settings section so I can edit your document types”
“Oh, and BTW. Please do it on production because we don’t have a way to transfer document types from development to production..”
![Page 95: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/95.jpg)
![Page 96: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/96.jpg)
What a nice guy!
▪ Or is he?
![Page 97: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/97.jpg)
But ...
We also gave Mike access to Templates & Scripts
![Page 98: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/98.jpg)
Outputting the connection string
![Page 99: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/99.jpg)
Adding a user?
![Page 100: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/100.jpg)
Hardening tip 6
In production, only give your website write permissions to /App_Data/ and /Media/
On the other folders only read permissions
![Page 101: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/101.jpg)
Mission 3.2
▪ Goal: Extract crucial data from the database
▪ Approach: SQL Injection or any other means to extract data through SQL commands
![Page 102: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/102.jpg)
Mike is a smart guy...
▪ He gained access to the database and he’s looking for the data in the table SecretInfoTable
SELECT * FROM [SecretInfoTable]
![Page 103: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/103.jpg)
Hardening tip 7
Store your sensitive data encrypted in the database
Yet another line of defense
![Page 104: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/104.jpg)
Encrypting – Three options
▪ Offered out of the box by MS SQL Server
• Transparent Data Encryption
• Always Encrypted
▪ The hard way
• ‘Manual’ data encryption
![Page 105: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/105.jpg)
Option 1 - Transparent Data Encryption
▪ Is used to encrypt the .mdf and .ldf files on disk
▪ And to encrypt the backup as well
![Page 106: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/106.jpg)
Option 1 - Transparent Data Encryption
![Page 107: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/107.jpg)
Option 1 - Transparent Data Encryption
▪ This will not help against any SQL Injection
SELECT * FROM [SecretInfoTable]
![Page 108: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/108.jpg)
Option 2 - Always Encrypted (MS SQL)
▪ Enables encryption on columns
▪ On a per-user basis
![Page 109: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/109.jpg)
Option 2 - Always Encrypted
![Page 110: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/110.jpg)
Won’t work on text and ntext columns
![Page 111: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/111.jpg)
The database administrator will see this
![Page 112: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/112.jpg)
But the website user (and Mike) still sees
![Page 113: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/113.jpg)
Option 3 – Manual encryption
▪ Encrypt data in .NET before storing it in your database
▪ Decryption only possible via C#-code
![Page 114: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/114.jpg)
SQL Injection is useless
▪ SELECT * FROM [SecretInfoTable]
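What option 3 looks like in code, as an added example (not code from the deck or from Perplex): a value is encrypted in .NET before the data layer writes it, and only C# that holds the key can turn the stored blob back into text, so the SELECT above yields nothing usable. It targets .NET Framework 4.x, the Umbraco 7 platform, which has no AES-GCM, and therefore combines AES-256-CBC with a random IV and an HMAC-SHA256 tag (encrypt-then-MAC). The key source (an environment variable named SECRETINFO_MASTER_KEY) and the blob layout are assumptions of this example.

```csharp
// Added example (not code from the deck or Perplex), see lead-in: field encryption in .NET before the value
// reaches SQL Server. AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC); .NET Framework 4.x has no AES-GCM.
using System;
using System.Security.Cryptography;
using System.Text;

public static class FieldCrypto
{
    // Stored blob, Base64-encoded for an nvarchar column:  version(1) | iv(16) | ciphertext(n) | hmac(32)
    private const byte Version = 1;
    private const int IvLen = 16, TagLen = 32;

    // ASSUMPTION: a 64-byte master key kept outside the database (environment variable here; a protected
    // appSettings section, DPAPI or a vault in production). Anything readable through SQL is the wrong place.
    private static byte[] LoadMasterKey()
    {
        var b64 = Environment.GetEnvironmentVariable("SECRETINFO_MASTER_KEY");
        if (string.IsNullOrEmpty(b64)) throw new InvalidOperationException("SECRETINFO_MASTER_KEY is not set");
        var key = Convert.FromBase64String(b64);
        if (key.Length != 64) throw new InvalidOperationException("master key must be 64 bytes");
        return key;
    }

    private static byte[] Slice(byte[] src, int offset, int len)
    {
        var dst = new byte[len];
        Buffer.BlockCopy(src, offset, dst, 0, len);
        return dst;
    }

    public static string Encrypt(string plaintext)
    {
        var master = LoadMasterKey();               // first half encrypts, second half authenticates
        using (var aes = Aes.Create())
        {
            aes.Key = Slice(master, 0, 32);         // CBC + PKCS7 are the Aes defaults
            aes.GenerateIV();                       // fresh random IV for every value
            var pt = Encoding.UTF8.GetBytes(plaintext);
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(pt, 0, pt.Length);

            var body = new byte[1 + IvLen + ct.Length];
            body[0] = Version;
            Buffer.BlockCopy(aes.IV, 0, body, 1, IvLen);
            Buffer.BlockCopy(ct, 0, body, 1 + IvLen, ct.Length);

            byte[] tag;                             // MAC covers version, IV and ciphertext
            using (var hmac = new HMACSHA256(Slice(master, 32, 32))) tag = hmac.ComputeHash(body);

            var blob = new byte[body.Length + TagLen];
            Buffer.BlockCopy(body, 0, blob, 0, body.Length);
            Buffer.BlockCopy(tag, 0, blob, body.Length, TagLen);
            return Convert.ToBase64String(blob);
        }
    }

    public static string Decrypt(string stored)
    {
        var master = LoadMasterKey();
        var blob = Convert.FromBase64String(stored);
        if (blob.Length < 1 + IvLen + TagLen || blob[0] != Version)
            throw new CryptographicException("malformed blob");

        var bodyLen = blob.Length - TagLen;
        var body = Slice(blob, 0, bodyLen);
        byte[] expected;                            // verify the tag before touching the ciphertext
        using (var hmac = new HMACSHA256(Slice(master, 32, 32))) expected = hmac.ComputeHash(body);
        if (!ConstantTimeEquals(expected, Slice(blob, bodyLen, TagLen)))
            throw new CryptographicException("authentication failed: wrong key or tampered row");

        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(Slice(master, 0, 32), Slice(body, 1, IvLen)))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 1 + IvLen, bodyLen - 1 - IvLen));
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var master = new byte[64];                  // constructed demo key; generate one per environment
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(master);
        Environment.SetEnvironmentVariable("SECRETINFO_MASTER_KEY", Convert.ToBase64String(master));

        var stored = FieldCrypto.Encrypt("constructed sample: customer note 4711");
        Console.WriteLine(stored);                  // the Base64 blob is all a SELECT on the table yields
        Console.WriteLine(FieldCrypto.Decrypt(stored));
    }
}
```

Two consequences to plan for: an encrypted column cannot be searched or indexed on its plaintext, so only the fields that really are sensitive get this treatment, and the version byte in the blob is what lets you rotate keys later (decrypt with the old key, re-encrypt under the new one, bump the version). The master key must not live in a web.config that is checked into source control or readable through the Templates section Mike was given.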
![Page 115: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/115.jpg)
Mission 3: Accomplished
▪ Gained access to Umbraco
▪ Extracted the data from the database
![Page 116: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/116.jpg)
![Page 117: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/117.jpg)
Level 4
Clearing our tracks
![Page 118: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/118.jpg)
Mission 4.1
▪ Goal: Remove our presence on the filesystem
▪ Approach: Clearing every trace we’ve made with our name on it on the webserver
![Page 119: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/119.jpg)
Some forensics
▪ Umbraco registers all login attempts to your website
![Page 120: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/120.jpg)
Some forensics
▪ /App_Data/Logs
![Page 121: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/121.jpg)
Cleanup the files on disk
▪ In the command line:
D:\>findstr /V /R "[email protected]" UmbracoTraceLog.MyMachine.original.txt > UmbracoTraceLog.MyMachine.cleaned.txt
![Page 122: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/122.jpg)
Hardening tip 8
Do not store logs only on disk, where they can easily be edited by the website-user
Store them in the Windows Event Viewer
![Page 123: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/123.jpg)
Add these lines in your /config/log4net.config
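The lines behind this slide, as an added example (not the slide's screenshot): a log4net EventLogAppender added to Umbraco 7's /config/log4net.config so that every entry that goes to the trace log file also lands in the Windows Application log, which the website's own identity cannot edit line by line. The event source name "Umbraco" is an assumption; the existing file appender of a stock 7.x configuration is kept.

```xml
<!-- /config/log4net.config of an Umbraco 7 site (added example). Existing appenders stay as they are;
     only the EventLogAppender and its appender-ref are new. -->
<log4net>
  <appender name="EventLogAppender" type="log4net.Appender.EventLogAppender">
    <!-- Event source as it appears in Event Viewer. A source must exist before the site writes to it,
         and creating one needs administrator rights the app pool identity does not have, so register it once:
           New-EventLog -LogName Application -Source "Umbraco"   (PowerShell, elevated) -->
    <applicationName value="Umbraco" />
    <logName value="Application" />
    <!-- INFO keeps the login attempt entries the previous slides show; raise to WARN if it gets too chatty -->
    <threshold value="INFO" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date [%thread] %-5level %logger - %message%newline" />
    </layout>
  </appender>

  <root>
    <priority value="Info" />
    <!-- the appender-ref for the existing rolling file appender stays here -->
    <appender-ref ref="EventLogAppender" />
  </root>
</log4net>
```

Verify it by logging in to the back office once and looking for the entry under Windows Logs, Application, with source "Umbraco". For the second half of the tip, copying the log to another server, Windows Event Forwarding (a subscription on a collector host) does this without any code on the web server, and gives you a copy that survives a flush of the local log.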
![Page 124: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/124.jpg)
Windows Event Viewer
![Page 125: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/125.jpg)
Windows Event Viewer
▪ You cannot remove single lines out of the log
• Only flush the whole log (and that is suspicious)
▪ Automatically copy it to an external server
![Page 126: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/126.jpg)
Mission 4.2
▪ Goal: Remove our presence in the database
▪ Approach: Clearing every trace we’ve made with our name on it on the database server
![Page 127: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/127.jpg)
More forensics – In the database
▪ Access to Umbraco is logged in several places
• umbracoUser
![Page 128: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/128.jpg)
In the database
▪ Access to Umbraco is logged in several places
• umbracoUserLogin
![Page 129: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/129.jpg)
In the database
▪ Access to Umbraco is logged in several places
• umbracoAudit
![Page 130: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/130.jpg)
But...
▪ We’ve inserted data into the database before, so we can also delete entries from the Umbraco-database and hide our tracks...
![Page 131: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/131.jpg)
Hardening tip 9
Restrict database CRUD permissions by default
Allow Read, Update and Delete only on some tables
Clearing these tables is a dbo-task, not a website task
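One way to implement tip 9 on SQL Server, as an added example (not the deck's own script): the website gets its own login with normal CRUD rights on the Umbraco schema, and DENY takes the destructive rights away again on the audit table the earlier slides showed. The login name, database name and password are constructed placeholders; run it as dbo against a copy first, because every table Umbraco itself rewrites (umbracoUser for last-login data, umbracoUserLogin for back-office sessions) must keep UPDATE and DELETE.

```sql
-- Added example for hardening tip 9 (not from the deck). Placeholders: database, login and password.
USE [UmbracoSite];
GO
CREATE LOGIN [umbraco_web] WITH PASSWORD = N'<generated-strong-password>', CHECK_POLICY = ON;
CREATE USER  [umbraco_web] FOR LOGIN [umbraco_web];
GO
-- Baseline: the CMS needs full CRUD on its own tables, so grant it once at schema level...
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [umbraco_web];

-- ...and take the destructive rights back on the audit trail. DENY overrides GRANT in SQL Server,
-- so the website can still INSERT audit entries but can no longer rewrite or delete them.
DENY UPDATE, DELETE ON OBJECT::dbo.umbracoAudit TO [umbraco_web];

-- umbracoUser (last login date, failed-attempt counter) and umbracoUserLogin (sessions, removed on logout)
-- are maintained by Umbraco itself: leave their UPDATE/DELETE in place or the back office breaks.

-- No DDL for the website: TRUNCATE TABLE needs ALTER, so this also blocks the quick way to empty a table.
-- Consequence: version upgrades (tip 4) create and alter tables, so run those with a separate, higher
-- privileged account rather than the web.config connection string.
DENY ALTER ON SCHEMA::dbo TO [umbraco_web];
GO

-- Verification from the website's point of view (still run as dbo, which may impersonate):
EXECUTE AS USER = 'umbraco_web';
SELECT HAS_PERMS_BY_NAME('dbo.umbracoAudit', 'OBJECT', 'INSERT') AS can_insert_audit,  -- expected: 1
       HAS_PERMS_BY_NAME('dbo.umbracoAudit', 'OBJECT', 'DELETE') AS can_delete_audit,  -- expected: 0
       HAS_PERMS_BY_NAME('dbo.umbracoAudit', 'OBJECT', 'ALTER')  AS can_alter_audit;   -- expected: 0
REVERT;
```

With this in place the cleanup from mission 4.2 fails with a permission error for the account whose connection string Mike could read from the templates, and that failed DELETE is itself worth alerting on in the SQL Server audit or error log.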
![Page 132: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/132.jpg)
Mission 4: Accomplished
▪ Cleared our presence on the webserver
▪ Removed ourselves from the database server
![Page 133: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/133.jpg)
![Page 134: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/134.jpg)
All hardening tips
▪ Tip 1: Use IP-whitelisting on the Umbraco-folder
▪ Tip 2: Rename the Umbraco-folder
▪ Tip 3: IP-whitelist /config/, /App_Plugins/ and /Umbraco_Client
▪ Tip 4: Upgrade Umbraco & your plugins
▪ Tip 5: Compile the packages yourself?
▪ Tip 6: In production, give read-only permissions on most folders
▪ Tip 7: Encrypt sensitive data in the database
▪ Tip 8: Store security related logs in the Event Viewer
▪ Tip 9: Minimize CRUD-permissions on your database tables
![Page 135: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/135.jpg)
We have a more secure application!
![Page 136: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/136.jpg)
“ Don’t outrun the bear, outrun your friends ”
<!-- Security -->
![Page 137: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/137.jpg)
Want more?
▪ Always check the documentation
▪ Umbraco.com/security
▪ Follow me on Twitter: @jschoemaker1984
▪ Umbraco security training or audit? Drop me an email ([email protected])
![Page 138: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/138.jpg)
Questions?
![Page 139: Security & Umbraco](https://reader031.vdocuments.site/reader031/viewer/2022020700/61f5533cbe735c63a3350bcf/html5/thumbnails/139.jpg)
Thank you!
Have a secure day!