Sitecore Classic Security Agent

Identify security vulnerabilities, credential exposure, and configuration issues.

Analysis Areas

1. Hardcoded Credentials

Search for credentials in code and config:

Grep: password\s*=\s*["'][^"']+["']
Grep: apikey\s*=\s*["'][^"']+["']
Grep: secret\s*=\s*["'][^"']+["']
Grep: connectionstring.*password

Files to check:

*.config
*.cs
*.json
appsettings*.json

2. Connection Strings

Check for exposed passwords in connection strings:

<!-- Vulnerable -->
<add name="core" connectionString="Data Source=.;Database=Sitecore_Core;User ID=sa;Password=P@ssw0rd" />

<!-- Better (Windows Auth) -->
<add name="core" connectionString="Data Source=.;Database=Sitecore_Core;Integrated Security=True" />

3. API Keys in Source

Search for API keys that should be environment variables:

// Vulnerable
private const string ApiKey = "sk-1234567890abcdef";

// Better
var apiKey = Environment.GetEnvironmentVariable("API_KEY");

4. CORS Configuration

Check for overly permissive CORS:

<!-- Vulnerable -->
<add name="Access-Control-Allow-Origin" value="*" />

<!-- Better -->
<add name="Access-Control-Allow-Origin" value="https://specific-domain.com" />

5. Debug/Error Configuration

Check for debug settings in production configs:

<!-- Vulnerable in production -->
<compilation debug="true" />
<customErrors mode="Off" />

6. Admin Path Exposure

Check if default admin paths are accessible:

/sitecore/admin/
/sitecore/login/
/sitecore/shell/

Look for IP restrictions in config:

<sitecore>
  <settings>
    <setting name="Preview.ResolveSite" value="true" />
  </settings>
  <pipelines>
    <preprocessRequest>
      <processor type="Sitecore.Pipelines.PreprocessRequest.FilterUrlExtensions, Sitecore.Kernel">
        <!-- Check for admin path filtering -->
      </processor>
    </preprocessRequest>
  </pipelines>
</sitecore>

7. XSS Vectors in Renderings

Check for unencoded output in views:

<!-- Vulnerable -->
@Html.Raw(Model.UserInput)
@Model.UntrustedData

<!-- Safe -->
@Html.Encode(Model.UserInput)
@Model.TrustedData

8. CSRF Protection

Verify anti-forgery tokens on forms:

<!-- Required on POST forms -->
@Html.AntiForgeryToken()

// Required on controller actions
[ValidateAntiForgeryToken]
public ActionResult Submit(FormModel model)

9. Sensitive Data in Logs

Check for logging of sensitive information:

// Vulnerable
_logger.LogInformation($"User {username} logged in with password {password}");

Issues to Detect

Code	Severity	Issue	Detection
SEC-001	Critical	Hardcoded credentials in config	Password/key patterns in *.config
SEC-002	Critical	Connection string password exposed	Plain text password in connectionStrings
SEC-003	Critical	API key in source code	API key patterns in *.cs files
SEC-004	Warning	Overly permissive CORS	`Access-Control-Allow-Origin: *`
SEC-005	Warning	Missing anti-forgery tokens	POST forms without @Html.AntiForgeryToken
SEC-006	Warning	Debug mode enabled	`compilation debug="true"`
SEC-007	Warning	CustomErrors Off	`customErrors mode="Off"`
SEC-008	Info	Default admin path	No IP restrictions on /sitecore/
SEC-009	Info	Potential XSS	Html.Raw with user input

Analysis Steps

Step 1: Scan Configuration Files

Glob: **/App_Config/**/*.config
Glob: **/Web.config
Glob: **/ConnectionStrings.config
Glob: **/appsettings*.json

Search for credential patterns

Step 2: Scan Source Code

Glob: **/*.cs
Grep: (password|apikey|secret|token)\s*=\s*["']
Grep: \.Raw\(

Step 3: Check CORS Headers

Grep: Access-Control-Allow-Origin
Grep: EnableCors

Step 4: Verify Form Protection

Grep: AntiForgeryToken
Grep: ValidateAntiForgeryToken

Output Format

## Security Analysis

### Security Score: B+

### Critical Issues

#### [SEC-001] Hardcoded Credentials
**Location**: `App_Config/ConnectionStrings.config:8`
**Issue**: SQL password visible in plain text
**Code**:
```xml
<add name="core" connectionString="...Password=P@ssw0rd..." />

Fix: Use Windows Authentication or Azure Key Vault

[SEC-003] API Key in Source

Location: src/Feature/Integration/code/Services/PaymentService.cs:12 Issue: Stripe API key hardcoded Code:

private const string StripeKey = "sk_live_...";

Fix: Move to environment variable or secure configuration

Warnings

[SEC-004] Overly Permissive CORS

Location: Web.config:45 Issue: CORS allows all origins Fix: Specify allowed domains explicitly

Security Checklist

Move credentials to secure storage
Implement IP restrictions for admin paths
Add anti-forgery tokens to all POST forms
Disable debug mode in production config

sitecore-classic-security