5 Security Issues and How Umbraco Can Fix Them
Have you been alerted to security issues in your website before? Or worse, have you been the victim of a security breach and experienced its unpleasant consequences? To make sure that doesn't happen to your content management system (again), we've put together a list of the most common security vulnerabilities and the Umbraco features that help you stay a step ahead of the hackers.
1. Automated/Brute force attacks:
This is when an outside party tries to get into your site, for example through the login page, by using automated software to generate thousands of character combinations until it eventually finds the correct password or PIN.
To protect your site from such an attack, the password should be rock-solid: at least 12 characters long, including special characters, with a monthly password-change policy in place.
Umbraco reduces the chance of a password being recovered by brute force by letting you set the minimum password length and the storage format (such as 'Hashed'), and by offering a question-and-answer feature. With minimal effort you can also lock an account for a specified duration after a specified number of failed login attempts. You can go a step further by restricting access to your site's login page at the firewall to certain IP addresses.
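The lockout behaviour described above, written out as a small C# class so the mechanics are visible. This is an added example, not Umbraco's own implementation; the threshold of five failures, the 15-minute window, the account name and the timestamp are all assumptions constructed for the demo.

```csharp
using System;
using System.Collections.Concurrent;

// Added example (not Umbraco code): lock an account for a fixed duration after
// N consecutive failed logins. Thresholds are chosen for the demo.
public sealed class LoginLockoutPolicy
{
    private sealed class Attempts
    {
        public int Failures;
        public DateTime? LockedUntilUtc;
    }

    private readonly ConcurrentDictionary<string, Attempts> _state =
        new ConcurrentDictionary<string, Attempts>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;
    private readonly TimeSpan _lockoutDuration;

    public LoginLockoutPolicy(int maxFailures, TimeSpan lockoutDuration)
    {
        _maxFailures = maxFailures;
        _lockoutDuration = lockoutDuration;
    }

    // True while the account is inside its lockout window. An expired window
    // clears the failure counter so the user starts fresh.
    public bool IsLockedOut(string username, DateTime nowUtc)
    {
        Attempts a;
        if (!_state.TryGetValue(username, out a)) return false;
        lock (a)
        {
            if (a.LockedUntilUtc.HasValue && a.LockedUntilUtc.Value > nowUtc) return true;
            if (a.LockedUntilUtc.HasValue) { a.LockedUntilUtc = null; a.Failures = 0; }
            return false;
        }
    }

    // Call after every failed password check. Returns true when this failure
    // is the one that triggers the lockout.
    public bool RecordFailure(string username, DateTime nowUtc)
    {
        var a = _state.GetOrAdd(username, _ => new Attempts());
        lock (a)
        {
            a.Failures++;
            if (a.Failures < _maxFailures) return false;
            a.LockedUntilUtc = nowUtc.Add(_lockoutDuration);
            return true;
        }
    }

    // Call after a successful login so stale failures do not accumulate.
    public void RecordSuccess(string username)
    {
        Attempts a;
        _state.TryRemove(username, out a);
    }
}

public static class LockoutDemo
{
    public static void Main()
    {
        var policy = new LoginLockoutPolicy(maxFailures: 5, lockoutDuration: TimeSpan.FromMinutes(15));
        var now = new DateTime(2016, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed timestamp

        for (int i = 1; i <= 5; i++)
            Console.WriteLine("failure {0}: lockout triggered = {1}", i, policy.RecordFailure("editor", now));

        Console.WriteLine("locked right now:      " + policy.IsLockedOut("editor", now));
        Console.WriteLine("locked 16 minutes on:  " + policy.IsLockedOut("editor", now.AddMinutes(16)));
    }
}
```

The check in IsLockedOut must run before the password is even compared, otherwise the lockout does not slow the attacker down. Keep in mind that a per-account lockout lets anyone who knows a username lock that user out, so pair it with the IP-based restriction the text mentions rather than relying on it alone.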
2. SQL Injection:
SQL injection, as the name suggests, is an attack vector in which code is injected into the queries sent to your database in order to attack the database, change identities, and so on.
The only proven way to protect a website from SQL injection is to use SQL parameters: values that are added to an SQL query at execution time, in a controlled manner, instead of being pasted into the query text.
In the Umbraco source code all queries to the database use SQL parameters. However, when you use a third-party package, do verify that it was built with security best practices in mind.
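To make the difference concrete, here is the same member lookup written twice in plain ADO.NET: once with string concatenation and once with a SQL parameter. This is an added example and not Umbraco's data layer; the Members table, its columns, the connection string and the hostile input are all constructed for the demo.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not Umbraco's own code. Table/column names are assumptions.
public static class MemberLookup
{
    // VULNERABLE: the login name becomes part of the SQL text, so a value that
    // contains a quote can rewrite the WHERE clause.
    public static string BuildUnsafeQuery(string loginName)
    {
        return "SELECT Id, Email FROM Members WHERE LoginName = '" + loginName + "'";
    }

    // SAFE: the SQL text is constant. The value travels to the server as a typed
    // parameter and is never interpreted as part of the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string loginName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Members WHERE LoginName = @loginName", connection);
        cmd.Parameters.Add("@loginName", SqlDbType.NVarChar, 255).Value = loginName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed hostile input: the textbook tautology used to demonstrate
        // why concatenation fails.
        string hostile = "' OR 1=1 --";

        Console.WriteLine("Concatenated SQL that would reach the server:");
        Console.WriteLine("  " + BuildUnsafeQuery(hostile));

        // Nothing is opened here; a SqlConnection object alone does not connect,
        // so the parameterised command text can be inspected offline.
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        {
            var cmd = BuildSafeCommand(conn, hostile);
            Console.WriteLine("Parameterised SQL that would reach the server:");
            Console.WriteLine("  " + cmd.CommandText);
            Console.WriteLine("  @loginName = " + cmd.Parameters["@loginName"].Value);
        }
    }
}
```

Note that the parameterised command text is identical for every input; only the parameter value changes. That invariant is what makes parameters a complete fix, whereas escaping or filtering input has to anticipate every quoting trick. When reviewing a third-party package, grep its data access code for string concatenation or String.Format around SQL text.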
3. Cross site scripting:
XSS is probably the most widespread of all web application vulnerabilities. Here the hacker injects malicious code while entering data. As soon as that code reaches the end user's browser, it gains access to local files, cookies, session data, and so on.
There are many ways to prevent cross-site scripting. The most commonly used is to encode data that was received as input at the point where you write it out as HTML. This technique is effective even on data that, for whatever reason, was not validated on input.
However, things are a lot simpler with Umbraco: the latest version is built on ASP.NET MVC and the Razor view engine, which by default handle cross-site scripting by validating user input and encoding the data on output.
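The encoding Razor applies automatically, shown explicitly so the contrast with raw output is visible. This is an added example, not code from Umbraco or from the original post; the comment text is a constructed hostile input and the markup wrapper is arbitrary.

```csharp
using System;
using System.Web;

// Added example (not Umbraco code): what "@comment" in a Razor view does for
// you, versus what "@Html.Raw(comment)" does.
public static class OutputEncodingDemo
{
    // Equivalent of writing @comment in a view: every character with meaning
    // in HTML (<, >, &, ", ') becomes an entity, so the browser renders text
    // and never parses it as markup or script.
    public static string RenderEncoded(string comment)
    {
        return "<p class=\"comment\">" + HttpUtility.HtmlEncode(comment) + "</p>";
    }

    // Equivalent of @Html.Raw(comment): the input is written into the page
    // verbatim. Acceptable only for markup you built yourself from trusted data,
    // never for anything that originated in a request.
    public static string RenderRaw(string comment)
    {
        return "<p class=\"comment\">" + comment + "</p>";
    }

    public static void Main()
    {
        string comment = "<script>alert(document.cookie)</script>";   // constructed hostile input

        // The angle brackets are emitted as entities; the script does not execute.
        Console.WriteLine(RenderEncoded(comment));

        // The script element is emitted unchanged and would run in a visitor's browser.
        Console.WriteLine(RenderRaw(comment));
    }
}
```

When auditing Umbraco views and packages, search for Html.Raw and for the @: / <text> constructs that bypass encoding, and check where their arguments come from. Encoding is context-specific: HtmlEncode is correct for element content, but a value placed inside a JavaScript block or a URL needs the encoder for that context (HttpUtility.JavaScriptStringEncode and UrlEncode respectively).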
4. Click jacking:
Clickjacking is a manipulative technique in which the website user is fooled into clicking on something other than what they intended to click. The attacker accomplishes this by using multiple transparent or opaque layers. How do you prevent attackers from framing your application?
The latest versions of Umbraco are built on ASP.NET MVC. In ASP.NET applications you can prevent clickjacking by simply adding the configuration entry below to the <system.webServer> section of the web.config file.
<add name="X-Frame-Options" value="DENY" />
This one-liner adds an HTTP header called X-Frame-Options to your HTTP responses and prevents your site from being loaded in an iframe in modern browsers.
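The same header can be set from code when you prefer to keep security headers in one filter rather than in web.config. This is an added example rather than anything Umbraco ships; it goes a step beyond the text by also emitting the Content-Security-Policy frame-ancestors directive, which is the modern replacement for X-Frame-Options and which the single web.config line does not cover. The filter and class names are assumptions.

```csharp
using System.Web.Mvc;

// Added example, not part of Umbraco: an MVC filter that denies framing on
// every action result. Register it once globally (below).
public sealed class DenyFramingAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;

        // Legacy header, understood by every mainstream browser.
        response.AppendHeader("X-Frame-Options", "DENY");

        // Modern equivalent. Browsers that support CSP level 2 give this
        // directive precedence over X-Frame-Options.
        response.AppendHeader("Content-Security-Policy", "frame-ancestors 'none'");

        base.OnResultExecuting(filterContext);
    }
}

// Registration, normally placed in App_Start/FilterConfig.cs and called from
// Application_Start in Global.asax.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new DenyFramingAttribute());
    }
}
```

Set the header in one place only, either web.config or this filter: if X-Frame-Options is emitted twice with conflicting values, browsers may ignore it entirely. Confirm the result by inspecting the response headers in the browser's developer tools; both headers should appear exactly once on an ordinary page response.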
5. Cross site request forgery:
Cross-site request forgery is known by a variety of other names: one-click attack, session riding, CSRF (or 'sea-surf') and XSRF. In this attack, unauthorized commands are transmitted to the website from a user that the website trusts.
When the server receives a request, it should authenticate that request before any action is initiated. Because cookies are sent automatically by the browser, checking the session ID or authorization cookie is not sufficient. For requests to be authenticated by the server, each request to a sensitive function must include a single-use authentication token. The token is normally included on each page as a hidden form field, which is sent along with the request when the form is submitted. The server also keeps a copy of the token in the user's session and checks that the two values match when the request arrives.
Umbraco offers a shortcut to this security issue. The latest version of Umbraco is built on ASP.NET MVC, which includes a set of helpers (e.g. the Html.AntiForgeryToken method and the ValidateAntiForgeryToken attribute) that detect and block CSRF using the user-specific token technique.
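How the two helpers named above fit together in a controller, as an added example that is not Umbraco's own code. The controller, the ChangeEmailModel, the in-memory store and the Razor fragment quoted in the comment are all assumptions made for the demo.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Added example (not Umbraco code): an MVC controller protected against CSRF.
public class ChangeEmailModel
{
    public string NewEmail { get; set; }
}

[Authorize]   // CSRF matters precisely because the victim is already signed in
public class AccountController : Controller
{
    // Stand-in for a real membership store, so the POST action does real work.
    private static readonly Dictionary<string, string> EmailByUser = new Dictionary<string, string>();

    // GET: renders the form. The view must emit the token, e.g.
    //
    //   @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken field + matching cookie
    //       @Html.TextBoxFor(m => m.NewEmail)
    //       <button type="submit">Save</button>
    //   }
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View(new ChangeEmailModel());
    }

    // POST: the attribute compares the hidden field with the token cookie and
    // throws HttpAntiForgeryException when either is missing or they do not
    // match. A form posted from another site carries the cookie automatically
    // but cannot read or reproduce the hidden field, so it is rejected before
    // this method body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(ChangeEmailModel model)
    {
        if (string.IsNullOrWhiteSpace(model.NewEmail))
        {
            ModelState.AddModelError("NewEmail", "An e-mail address is required.");
            return View(model);
        }

        EmailByUser[User.Identity.Name] = model.NewEmail.Trim();
        return RedirectToAction("ChangeEmail");
    }
}
```

Two points worth checking in a review: every state-changing action must carry both [HttpPost] and [ValidateAntiForgeryToken] (a GET that changes state is forgeable regardless of tokens), and the view for each such form must call Html.AntiForgeryToken(), otherwise legitimate posts fail. An Umbraco SurfaceController derives from the MVC Controller class, so the same attributes apply there unchanged.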
Not only does Umbraco help you dodge the common vulnerabilities with minimum effort, it also makes life easy and your web application a lot more secure with the following features.
With the built-in module for users (those with access to the backend), the administrator can limit backend access based on each user's role and responsibilities.
Umbraco also has a module for members (anyone with a profile on the website). This module ensures that only members can access private pages.
HTTPS can be activated by adding the SSL certificate to the IIS web server and changing a single configuration value.
Blocking an IP address or a range of suspicious IP addresses is perfectly possible with your Umbraco web application. You can also choose to grant admin access only to a trusted list of IP addresses.
Last but not least, Umbraco's large and active community is always on the lookout for vulnerabilities. You just have to keep yourself informed about security issues and apply the appropriate Umbraco upgrade if and when a threat is reported.
Manjunath Govindappa | ASP.NET Technical Lead
Rahul Pachory | Web Developer