Detect whether a site is built on Sitecore
N

4

5

I am building a webpage that gives statistics about websites of the user.
You enter your URL and get a bunch of results.

My main focus is websites that are built on the Sitecore CMS.
At the moment I can detect if the site uses Sitecore only when the '/sitecore/login' page is available.

For this I use:

var webclient = new WebClient();
var source = webclient.DownloadString(url);

But when admins decide to crank up the security they can make 'sitecore/login' inaccessible for random users. When this is the case my code obviously does not work.

Does anyone know a better solution how to detect if the Sitecore cms is used?
Remember it is an external website so no access to the sitecore backend.

(P.S. I do not want to use 3rd-party tools)

Thanks in advance!

Neille answered 21/2, 2014 at 15:16 Comment(2)
Hey are you working for www.builtwith.com ? :P - Flieger
@HarshBaid haha no, but trying to create a similar thing ;) - Neille
C
5

Common one would be to check if .ashx is used for a media extension, or they are prefixed with /~/media/ or /-/media/ but all of these are obviously subject to change depending on config settings. This would require you to check the source code too.

You could check for other Sitecore files, but again depending on the deployment these may or may not be there or accessible to the public at least. I would look for files outside of the /sitecore folder, e.g.:

  • default.aspx
  • default.css
  • default.js
  • webedit.css

You need to check the contents of the files to make sure they are default Sitecore files. You are relying on the fact that these files would be left over from a default installation, but there is no guarantee so there may be no possible way of being able to tell.

Cockfight answered 21/2, 2014 at 15:26 Comment(3)
The media library often doesn't work, the files outside the sitecore folder seem to have the most success rate. - Neille
It's possible to override this setting in the sitecore.config and output the real file extensions instead of serving them via the .ashx file so this check will not always work. - Aborning
@aseabridge I'm aware of this and I have mentioned that they are subject to change, but there are a lot of implementations that have not changed this. As with all the answers given, it very much depends on your knowledge of Sitecore and how much people have locked down all the telltale signs. - Cockfight
S
12

There will always be a way to shield that Sitecore is in use. That being said, there are some things you could be looking at - default settings which, in my experience, are seldom changed by Sitecore administrators and developers.

Cookies

SC_ANALYTICS_GLOBAL_COOKIE
SC_ANALYTICS_SESSION_COOKIE

If your request sends you either of these cookies, I'd wager it is a safe bet to assume it's a Sitecore solution.

Requesting known media

Requesting this file should only work on Sitecore. But will only work for Sitecore versions 7 and up.

/~/media/System/Template%20Thumbnails/audio.ashx

or

/~/media/System/Simulator%20Backgrounds/blackberry.ashx

(the last one should work on Sitecore 6.6 as well)

or

/layouts/System/VisitorIdentification.aspx

None of these are guaranteed to work. However if you do get a "hit" on either of these, it would be a strange coincidence indeed if it wasn't a Sitecore solution behind the scenes.

Sibella answered 21/2, 2014 at 15:56 Comment(3)
Thanks for the reply. This must work for every version so the media is not an option on itself. The VisitorIdentification also has a limited rate of success. The cookies on the other hand seem to be an interesting approach. Indeed if all the options are combined it must be clear whether or not the site is built with Sitecore. - Neille
I don't think one universal solution can be found. As mentioned, Sitecore can be shielded, HTTP headers can (and should) be removed by firewalls. Which leaves the only option of trying a handful or more different things, and if one comes back positive - you have a hit. - Sibella
As Mark said, there is no guaranteed way to tell if a site is built on Sitecore. The cookies obviously won't be there if Sitecore analytics is disabled. In fact this is something that more defensive Sitecore customers would try very hard to hide, as exposing your underlying technology to strangers is an invitation for security attacks. - Zarger
L
5

Surprisingly, Sitecore has a publicly (by default) accessible version file. It is located in /sitecore/shell/sitecore.version.xml

I've noticed/experienced that this file is often accessible, even if /sitecore is protected.

Being able to access this file not only confirms the site is built on Sitecore, it gives you the specific revision of the used version.

Lattermost answered 26/5, 2015 at 16:48 Comment(1)
Nice, but should not work on many sites because Sitecore Security Hardening XML files are blocked and/or the Sitecore folder is removed from the CD servers. - Autumn
Y
1

Most people don't realise that you can also access Sitecore items outside the site root by specifying the full path of a known item after the domain. For example we can try accessing the /sitecore/content item using the following URLs:

https://www.somedomain.com/sitecore/content

This sometimes redirects to the layout not found page. This doesn't always work because of protection on the /sitecore URL. So an alternative is to use sc_itemId and the ID of /sitecore/content:

https://www.somedomain.com?sc_itemid={0DE95AE4-41AB-4D01-9EB0-67441B7C2450}

This will either return the layout not found page or a 404 page. Both will indicate that this is a Sitecore site.

York answered 14/6, 2017 at 9:50 Comment(0)
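
Added example, not part of any answer above: an offline check a site owner can run over responses captured from their own deployment to see which of the indicators named in this thread (analytics cookies, known default files, media-library prefixes) are still exposed after hardening. The response dict shape, the function name and the sample data are assumptions made for this example.

```python
from urllib.parse import unquote

# Indicators quoted in the answers above.
ANALYTICS_COOKIES = ("SC_ANALYTICS_GLOBAL_COOKIE", "SC_ANALYTICS_SESSION_COOKIE")
MEDIA_PREFIXES = ("/~/media/", "/-/media/")
KNOWN_PATHS = (
    "/sitecore/login",
    "/sitecore/shell/sitecore.version.xml",
    "/layouts/System/VisitorIdentification.aspx",
    "/~/media/System/Template Thumbnails/audio.ashx",
    "/~/media/System/Simulator Backgrounds/blackberry.ashx",
)
_KNOWN = {p.lower(): p for p in KNOWN_PATHS}


def exposed_indicators(responses):
    """Return the sorted indicators still visible in captured responses.

    Each response is a dict (hypothetical shape chosen for this example):
    'path', 'status', 'set_cookie' (list of header values), 'body'.
    """
    found = set()
    for r in responses:
        # Cookie names are matched at the start of each Set-Cookie value.
        for cookie in r.get("set_cookie", []):
            for name in ANALYTICS_COOKIES:
                if cookie.strip().upper().startswith(name + "="):
                    found.add("cookie:" + name)
        # A known file only counts when it is actually served (HTTP 200).
        path = unquote(r["path"].split("?")[0]).lower()
        if r["status"] == 200 and path in _KNOWN:
            found.add("path:" + _KNOWN[path])
        # Media-library URL prefixes leaking into the page markup.
        for prefix in MEDIA_PREFIXES:
            if prefix in r.get("body", ""):
                found.add("media-prefix:" + prefix)
    return sorted(found)


# Constructed sample responses, not captured from a real site.
SAMPLE = [
    {"path": "/", "status": 200,
     "set_cookie": ["SC_ANALYTICS_GLOBAL_COOKIE=0123abcd; path=/; HttpOnly"],
     "body": '<img src="/~/media/Images/logo.ashx">'},
    {"path": "/sitecore/shell/sitecore.version.xml", "status": 403},
    {"path": "/layouts/System/VisitorIdentification.aspx", "status": 200},
    {"path": "/~/media/System/Template%20Thumbnails/audio.ashx", "status": 404},
]

if __name__ == "__main__":
    print("\n".join(exposed_indicators(SAMPLE)))
```

An empty result only means none of these particular defaults are visible; as the answers note, it does not prove the absence of Sitecore.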
