Monday, December 26, 2016

Sitecore: how to configure multiple CD and CM servers.


Let's say my site name is abc.com and I want two CD servers and one CM server in the Sitecore setup.

Every instance will have multiple sub-sites, like:

1.     Abc.multisite1
2.     Abc.multisite2
3.     Abc.multisite3

Create multiple site entries in IIS.

Abc.multisite1 - create two bindings: one for the public server name, which the load balancer uses, and one for the local hosts entry (a different name on the same port, :80).
Abc.multisite2 - create two bindings: one for the public server name, which the load balancer uses, and one for the local hosts entry (a different name on the same port, :80).
Abc.multisite3 - create two bindings: one for the public server name, which the load balancer uses, and one for the local hosts entry (a different name on the same port, :80).

Configure a new instance for the CM server with the same settings but a different public URL for the CM.

Important:-

Add host entries for the local and public site names to the Sitecore.config file (in the Include section).

Add the local names to the hosts file as well.

If your changes are not reflected on the CD servers, make the changes below on the CM server only: define every locally and publicly accessible site individually, per IP address, so that the CM refers to them.

The instance name must be unique, and the event queue is updated based on the settings below (shown here as Sitecore config patch elements, which belong under the settings node of a patch file in App_Config/Include):

<setting name="InstanceName">
  <patch:attribute name="value">CM Server 1</patch:attribute>
</setting>
<setting name="Publishing.PublishingInstance">
  <patch:attribute name="value"></patch:attribute>
</setting>
Each CD server should have the settings below, where "CM Server Name" is the InstanceName of the CM server (for example, CM Server 1):

<setting name="InstanceName">
  <patch:attribute name="value"></patch:attribute>
</setting>
<setting name="Publishing.PublishingInstance">
  <patch:attribute name="value">CM Server Name</patch:attribute>
</setting>


Thursday, December 22, 2016

Sitecore: quick info on what the Created From field is and how to set its value.

The Created From field is used to identify the reference of the item a clone was created from.

By default it is unknown, as shown below.


Select the item, go to the Configure tab and clone it to a different location; only then will you see the Created From value, as shown below.




Sunday, May 22, 2016

Thursday, January 7, 2016

Session Hijacking and Session Fixation

Session Fixation and Session Hijacking from past experiences.



 CSRF - Cross-Site Request Forgery.

1) Issuing a cookie using a client-side script

Attack 1:- Cross-site scripting


Attack 2:- Persistent cookies (a long-term session fixation attack). This can be achieved by issuing a persistent cookie (e.g. one expiring in 10 years), which keeps the session fixed even after the user restarts the computer.


Attack 3:- Domain cookies
The cookie's domain attribute instructs the browser to send the cookie not only back to the issuing server but also to any other server in the specified domain.


Prevention:-
1)     Preventing logins to a chosen session: -
we propose forceful prevention of logging into a chosen session. Web applications must ignore any session ID provided by the user’s browser at login and must always generate a new session to which the user will log in if successfully authenticated.
2)     Preventing the attacker from obtaining a valid session ID:-
If possible, a web application on a strict system should only issue session IDs of newly generated sessions to users after they have successfully authenticated (as opposed to issuing them along with the login form). This means that an attacker who isn’t a legitimate user of the system will not be able to get a valid session ID and will therefore be unable to perform a session fixation attack.

Additional Notes:-

The session fixation attack is normally a three-step process:

i. Session set-up:- The attacker sets up a "trap session" for the target web site and obtains that session's ID. Or, the attacker may select an arbitrary session ID used in the attack. In some cases, the established trap session value must be maintained (kept alive) with repeated web site contact.

ii. Session fixation:- The attacker introduces the trap session value into the user's browser and fixes the user's session ID.

iii. Session entrance:- The attacker waits until the user logs into the target web site. When the user does so, the fixed session ID value will be used and the attacker may take over.


Steps: Attacker – who in this case is also a legitimate user of the system – logs in to the server (1) and is issued a session ID 1234 (2). She then sends a hyperlink http://online.worldbank.dom/login.jsp?sessionid=1234 to the user, trying to lure him into clicking on it (3). The user (how convenient for our example) clicks on the link, which opens the server's login page in his browser (4). Note that upon receipt of the request for login.jsp?sessionid=1234, the web application has established that a session already exists for this user and a new one need not be created. Finally, the user provides his credentials to the login script (5) and the server grants him access to his bank account. However, at this point, knowing the session ID, the attacker can also access the user's account via account.jsp?sessionid=1234 (6). Since the session has already been fixed before the user logged in, we say that the user logged into the attacker's session.

2) Issuing a cookie using the <meta> tag with the Set-Cookie attribute:- Most cross-site scripting vulnerabilities can also be used for injecting <meta> tags.

Attack 4:- Meta tag injection


Prevention:- Restricting the session ID using:-

i. Binding the session ID to the browser's network address.

ii. Binding the session ID to the user's SSL client certificate.

iii. Session destruction, either due to logging out or timeout, must take place on the server (deleting the session), not just on the browser (deleting the session cookie).

iv. The user must have an option to log out – thereby destroying not just his current session, but also any previous sessions that may still exist (in order to prevent the attacker from using an old session the user forgot to log out from).

v. Absolute session timeouts prevent attackers from both maintaining a trap session as well as maintaining an already entered user's session for a long period of time.

Additional Notes:-
For More details: - http://www.acrossecurity.com/papers/session_fixation.pdf
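As an added example (not code from the original post or from the paper it cites), the Python session store below puts the two preventions and the session ID restrictions above into one place: it ignores any session ID the browser presents at login and issues a fresh one, binds the ID to the client's network address, destroys sessions on the server on timeout and logout (all of the user's sessions), and replays the login.jsp?sessionid=1234 scenario against itself. The user table, addresses and 900-second lifetime are constructed for the demo.

```python
import secrets
# Constructed demo credential and policy value (assumptions, not from the post).
USERS = {"alice": "correct horse battery staple"}
ABSOLUTE_TTL = 900  # absolute session lifetime in seconds
class SessionStore:
    """Server-side session table that never logs a user into a client-chosen ID."""
    def __init__(self, now):
        self._sessions = {}  # sid -> {"user", "addr", "created"}
        self._now = now  # clock callable, injected so the timeout can be tested

    def login(self, presented_sid, username, password, client_addr):
        """Authenticate, then issue a fresh ID; whatever the browser presented is dropped."""
        if USERS.get(username) != password:
            return None
        # Discard any trap session (e.g. ?sessionid=1234); the attacker's copy stays useless.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "addr": client_addr, "created": self._now()}
        return sid

    def resolve(self, sid, client_addr):
        """Map sid to a user, enforcing address binding and the absolute timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["created"] > ABSOLUTE_TTL:
            del self._sessions[sid]  # destroyed on the server, not just the browser cookie
            return None
        return s["user"] if s["addr"] == client_addr else None

    def logout(self, username):
        """Destroy every session of the user, including older ones still alive."""
        stale = [sid for sid, s in self._sessions.items() if s["user"] == username]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

def fixation_scenario():
    """Replay the login.jsp?sessionid=1234 story from the post against this store."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    trap = "1234"  # ID the attacker obtained and planted in the victim's browser
    victim_sid = store.login(trap, "alice", USERS["alice"], "10.0.0.5")
    attacker = store.resolve(trap, "10.0.0.9")  # attacker tries account.jsp?sessionid=1234
    stolen = store.resolve(victim_sid, "10.0.0.9")  # real ID replayed from another address
    victim = store.resolve(victim_sid, "10.0.0.5")
    clock[0] += ABSOLUTE_TTL + 1
    expired = store.resolve(victim_sid, "10.0.0.5")
    return {"new_id_issued": victim_sid != trap, "attacker": attacker,
            "stolen": stolen, "victim": victim, "expired": expired}
```

The address binding in resolve() is the paper's restriction (i); in practice it will break users behind rotating proxies, so treat it as a defence in depth rather than the primary control.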


3) Issuing a cookie using the URL:- By default, some J2EE and PHP containers accept session IDs as URL parameters, as in the URLs below.

Attack 5:-
http://example/;JSESSIONID=1234 (J2EE)
http://example/?PHPSESSIONID=1234 (PHP)


4) Through a login form that looks like it comes from the main server:-
The form contains a chosen session ID. However, an attacker who manages to trick the user into logging in through a malicious login form could just as well direct the user's credentials to her own web server, which is generally a greater threat than that of fixing his session.


Session Hijacking

1) Session Sniffing

First the attacker uses a sniffer to capture a valid session token (the "Session ID"), then he uses that token to gain unauthorized access to the web server.

2) Man-in-the-middle attack

The attacker splits the original TCP connection into two new connections: one between the client and the attacker, and the other between the attacker and the server.

3) MITM attack tools

There are several tools for carrying out a MITM attack. These tools are particularly effective in LAN environments because they implement extra functionality, such as ARP spoofing, that permits the interception of communication between hosts.
• PacketCreator
• Ettercap
• Dsniff
• Cain & Abel

4) Man-in-the-browser attack

·         Browser Helper Objects – dynamically-loaded libraries loaded by Internet Explorer upon start-up.

·         Extensions – the equivalent to Browser Helper Objects for Firefox Browser.

·         API-Hooking – this is the technique used by Man-in-the-Browser to perform its Man-in-the-Middle between the executable application (EXE) and its libraries (DLL).

·         JavaScript – By using a malicious Ajax worm

<script>alert(document.cookie);</script>