CMS Web Application Security Overview

Introduction 

Bloomreach Experience Manager is a secure web application that follows well-established best practices to minimize security risks and prevent unauthorized access.

External parties regularly perform security audits and give feedback to Hippo about their findings. This allows us to constantly improve the CMS in this area.

Security Features

The following is an overview of some of the security features of Bloomreach Experience Manager. This list is intended to inform about the most common security issues current today, and the way they are, and/or can be configured to be, prevented in Bloomreach Experience Manager.

Clickjacking 

The clickjack attack is when a user is tricked into performing an action it did not intend to do. For instance send its user name and password to an untrusted website. This kind of attack is prevented in Bloomreach Experience Manager by not allowing the framing of the CMS in a page with a different host origin.

CSRF protection

From http://www.veracode.com/security/csrf

"Cross-Site Request Forgery (CSRF) is an attack outlined in the OWASP Top 10 whereby a malicious website will send a request to a web application that a user is already authenticated against from a different website. This way an attacker can access functionality in a target web application via the victim's already authenticated browser. Targets include web applications like social media, in-browser email clients, online banking and web interfaces for network devices."

Bloomreach Experience Manager CSRF protection is activated by default and prevents CSRF attacks on Wicket components by checking the Origin HTTP header for cross domain requests. It is very similar to Wicket's CsrfPreventionRequestCycleListener but slightly modified to also work behind proxies like httpd. 

If you require a domain to be able to do cross origin requests to the CMS, you can add to the cms web.xml the allowed domains for example as follows:

In Bloomreach Experience Manager v15.x:

<context-param>
  <param-name>accepted-origin-allowlist</param-name>
  <param-value>example.com, example.org</param-value>
  <description>The allowed domains for cross origin requests</description>
</context-param>

In Bloomreach Experience Manager v14.x:

<context-param>
  <param-name>accepted-origin-whitelist</param-name>
  <param-value>example.com, example.org</param-value>
  <description>The allowed domains for cross origin requests</description>
</context-param>

The param-value can be a comma separated list of allowed domains. With above, every Origin header that matches example.com or example.org is allowed. Note that subdomains are also allowed. Thus for above, www.example.org is also allowed.

Please note that in Bloomreach Experience Manager 14.x, the allowlist has a legacy parameter name (accepted-origin-whitelist) that is considered culturally insensitive. As of Bloomreach Experience Manager 15.0, a more appropriate parameter name (accepted-origin-allowlist) is used. However, due to backward compatibility, the legacy filename remains in use in all 14.x releases.

CRLF injection protection

From http://www.veracode.com/security/crlf-injection :

"CRLF refers to the special character elements "Carriage Return" and "Line Feed". These elements are embedded in HTTP headers and other software code to signify an End of Line (EOL) marker. Many internet protocols, including MIME (e-mail), NNTP (newsgroups) and more importantly HTTP use CRLF sequences to split text streams into discrete elements. Web application developers split HTTP and other headers based on where CRLF is located. Exploits occur when an attacker is able to inject a CRLF sequence into an HTTP stream. By introducing this unexpected CRLF injection, the attacker is able to maliciously exploit CRLF vulnerabilities in order to manipulate the web application's functions."

We wrap the response in a ResponseSplittingProtectingServletWebResponse that results in a server error when CRLF characters are tried to be written to response headers.

Session fixation

When the server identifies the session corresponding to the current request by reading the session id from the url, it makes itself vulnerable to a so called session fixation attack. Such an attack would allow an untrusted person to use a session created by a trusted person. To prevent such an attack you should disable url rewriting in your servlet container. 

In Tomcat 7 this is accomplished by adding the following setting to your web.xml:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
If you use a different container than Tomcat, it might complain about this setting. In that case you have to find a container-specific way to configure the same protection.

Password security

Bloomreach Experience Manager allows your organisation to enforce minimum password strength rules and password expiration policy.

Login page configuration

Also read and follow the directions in configure the CMS login page where among other things a number of security measures are detailed concerning the login page, such as preventing signin form field autocompletion, using secure cookies only, and restricting access to the cms application for to certain users only. 

Miscellaneous

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?