Friday, October 17, 2014

Sitecore- Vulnerability -Transport Layer Protection and Cross-Frame Scripting

Some key points to handle the Vulnerability and Transport layer protection.

Point #1: - “Transport Layer Protection: Insecure Transmission”:-

Vulnerability Summary: -  As per standard the user type credential should not be exposed through the “get” method. A username was found in the query string of a GET request or Set-Cookie header.

Update and Action:-
1)    This is basically a case where in case item/template not  found, then the URL comes like below


Proposed Solution: - In case if item not found will redirect to the other specific URL, this section required some more investigation.

Point #2: - “Cross-Frame Scripting”:-
Vulnerability Summary: - A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page.


Solution: - Fix by including an X-Frame-Options header set to 'SAMEORGIN'. There are two options available either we can change in the web. Config or in the IIS settings.

1)    Change in the web. config: - This is by default, setting and it’s available in the b2b web.config section.
Ex:-

 
   
     
   

 

2)    Required change in the IIS: - Below are the steps for the IIS settings

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Header icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.
For more information :- http://support.microsoft.com/kb/2694329

Please feel free to post, If have any questions

No comments:

Post a Comment