Hack Proofing Your Microsoft ASP.NET Web Forms and

DEV333
Describe each main attack
Demo how the attack works
Fix our poor vulnerable application!
Why Script Kiddies, Why?
Click to Hack
Select * from pwned
SQL Injection
Cross Site Scripting
Cross Site Request Forgery
Parameter Tampering
Information Leakage
Encryption
Network enumeration
Account creation/cracking
Database Copying over port 80
Data Tampering
Code Download
Backdoors
Unexpected Input
Expected Input
'
'
Set-Cookie: DefaultSearchLanguage=EN-US' union x,x,x--; path=/;
ALL calls are parameterized
No dynamic strings
Escape/Whitelist input.
Audit table permissions!
Use Entity Framework!!
DEMO - Permissions checker code
WHERE CustomerId = Coalesce(@customerId, CustomerId)
Order By
exec
RANK
sp_executesql
--
'
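The defensive points above (parameterize every call, no dynamic strings, keep COALESCE(@customerId, CustomerId) for optional filters, and treat ORDER BY as the one clause a parameter cannot cover) as an added C# example; this is not the deck's demo or permissions-checker code. The Customers table and its columns are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CustomerQueries
{
    // ORDER BY cannot take a parameter, so the sort column is looked up in an
    // allow-list rather than concatenated from user input.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CustomerId", "LastName", "City" };

    // Assumed schema: Customers(CustomerId int, LastName nvarchar, City nvarchar).
    // Null customerId / city means "no filter on that column".
    public static DataTable Search(string connectionString, int? customerId, string city, string sortColumn)
    {
        if (!SortableColumns.Contains(sortColumn))
            throw new ArgumentException("Unsupported sort column", "sortColumn");

        // One SQL string for every combination of filters: COALESCE(@p, Column)
        // turns a NULL parameter into "match every row", so no dynamic WHERE is needed.
        string sql =
            "SELECT CustomerId, LastName, City FROM Customers " +
            "WHERE CustomerId = COALESCE(@customerId, CustomerId) " +
            "AND City = COALESCE(@city, City) " +
            "ORDER BY " + sortColumn;   // safe only because sortColumn passed the allow-list

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the values travel separately from the statement,
            // so a quote or "--" in city is data, never SQL.
            cmd.Parameters.Add("@customerId", SqlDbType.Int).Value = (object)customerId ?? DBNull.Value;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = (object)city ?? DBNull.Value;

            var table = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Call it as `CustomerQueries.Search(cs, null, "Seattle", "LastName")`; passing a city value containing `' union x,x,x--` simply finds no matching row. The same allow-list approach is what makes `sp_executesql` acceptable: the statement text is fixed and only `@params` values vary.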
Cross Site Scripting
Candidate Names Included:
Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting
Evil Script
Script Injected to Web Page
User Visits Page
<DIV STYLE="width: expression(alert('XSS'));">
"/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i".
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
<body onload=alert('test1')>
@, <%:, HtmlEncode(), HtmlAttributeEncode() encode output. Warning: <%# does not.
<div onclick={dynamic text} >
ValidateRequest=false
AllowHtml
<httpRuntime encoderType>
ValidateInput(false)
sanitized
<
&lt;
&amp;lt;
&amp;amp;lt;
GetSafeHtml/GetSafeHtmlFragment
Audit all locations
<%, <%#
Cross Site Request Forgery
<img src="http://host/CreateUser?JaneDoe">
<script src="http://host/CreateUser?JaneDoe">
<iframe src="http://host/CreateUser?JaneDoe">
var foo = new Image(); foo.src = "http://host/CreateUser?JaneDoe";
GET Request -> Data Returned, No Action
POST Request with Token -> Token Check -> Action!
MVC
• [HttpPost]
• Html.AntiForgeryToken() & [ValidateAntiForgeryToken]
EnableViewStateMac=true
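The GET/POST split and token check from the diagram above, as an added ASP.NET MVC example (not the deck's demo code). The AccountController, the CreateUser action and the in-memory UserRepository are assumed for illustration; Html.AntiForgeryToken and ValidateAntiForgeryToken are the real System.Web.Mvc members named on the slide.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Razor view Views/Account/CreateUser.cshtml (reproduced as a comment so the
// example stays self-contained):
//
//   @using (Html.BeginForm("CreateUser", "Account", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()
//       @Html.TextBox("userName")
//       <input type="submit" value="Create" />
//   }
//
// Html.AntiForgeryToken() renders a hidden __RequestVerificationToken field and
// sets a matching cookie. A forged <img>/<script>/<iframe> GET from another
// site sends neither, and a forged POST cannot read the hidden field's value.

// Assumed stand-in for the application's user store.
public static class UserRepository
{
    private static readonly List<string> Users = new List<string>();

    public static void Create(string userName)
    {
        Users.Add(userName);
    }

    public static int Count()
    {
        return Users.Count;
    }
}

public class AccountController : Controller
{
    // GET only returns data. Nothing changes state here, so
    // http://host/CreateUser?JaneDoe loaded by an attacker's page does nothing.
    [HttpGet]
    public ActionResult CreateUser()
    {
        return View();
    }

    // State changes only on POST, and only when the hidden field and the
    // cookie carry matching tokens; otherwise MVC throws before this body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult CreateUser(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
        {
            ModelState.AddModelError("userName", "User name is required.");
            return View();
        }

        UserRepository.Create(userName);
        return RedirectToAction("Index", "Home");
    }
}
```

Both actions share the name CreateUser; [HttpGet] and [HttpPost] select between them, so a GET can never reach the overload that creates the user. For Web Forms the equivalent is keeping ViewState MAC validation on (EnableViewStateMac=true) so a posted form cannot be fabricated off-site.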
Parameter Tampering
Client contains key field: UserId=59
Attacker alters data (userId) on POST: UserId=1
Wrong data updated based on new key
ValidateAntiModelInjectionFor()
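The UserId=59 to UserId=1 scenario above, as an added C# example showing the vulnerable binding beside a hardened version. This is not the deck's demo code and does not reproduce how ValidateAntiModelInjectionFor() works; instead it uses plain server-side checks. ProfileController, ProfileStore and the Admin role are assumed for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed in-memory profile store standing in for the database.
public class ProfileStore
{
    private readonly Dictionary<int, string> emailsByUserId = new Dictionary<int, string>();
    private readonly Dictionary<string, int> idsByUserName = new Dictionary<string, int>();

    public void Add(int userId, string userName, string email)
    {
        emailsByUserId[userId] = email;
        idsByUserName[userName] = userId;
    }

    public int GetIdForUserName(string userName) { return idsByUserName[userName]; }
    public string GetEmail(int userId) { return emailsByUserId[userId]; }
    public void UpdateEmail(int userId, string email) { emailsByUserId[userId] = email; }
}

public class ProfileController : Controller
{
    private readonly ProfileStore profiles;

    public ProfileController(ProfileStore profiles)
    {
        this.profiles = profiles;
    }

    // VULNERABLE: the posted userId (a hidden field the client controls) decides
    // which row is updated. Changing UserId=59 to UserId=1 rewrites user 1's email.
    [HttpPost]
    public ActionResult UpdateVulnerable(int userId, string email)
    {
        profiles.UpdateEmail(userId, email);
        return RedirectToAction("Index");
    }

    // HARDENED: the key is derived from the authenticated identity on the server.
    // Whatever userId the form posts is simply not bound, so it cannot be tampered with.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(string email)
    {
        int userId = profiles.GetIdForUserName(User.Identity.Name);
        profiles.UpdateEmail(userId, email);
        return RedirectToAction("Index");
    }

    // When a caller may legitimately edit other users (an administrator), the
    // posted id is accepted only after an authorization check on the caller.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult AdminUpdate(int userId, string email)
    {
        if (!User.IsInRole("Admin"))
        {
            return new HttpUnauthorizedResult();
        }
        profiles.UpdateEmail(userId, email);
        return RedirectToAction("Index");
    }
}
```

The general rule the example applies: any identifier that selects a record must either come from the session, or be checked against the caller's rights before the update runs. Model binding happily fills an int userId from any source in the request, so the fix is never to bind it in the first place.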
Encryption / Protecting Credentials
Encrypt sensitive config settings
Hash or Encrypt ALL Passwords
Encrypt all sensitive private information
Additional Code Demos for download
aspnet_regiis.exe -pe "connectionStrings" -app "/security"
• ALL: one cookie value is what protects each of these:
Forms Authentication Tokens
Basic Credentials
Cookies
NTLM
Information Leakage
<customErrors>
trace.axd
Simplest Implementation in
web.config
All links at: http://bit.ly/mlml1B
Pluralsight OnDemand Training Library – Free Trial!!
OWASP: The Open Web Application Security Project
Security Tools
Microsoft Anti-Cross Site Scripting Library V4.0 (4.1 in beta!)
Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - 32 bit
CompleteDevelopment.blogspot.com
@AdamTuliper
http://www.pluralsight-training.net/microsoft/
http://www.asp.net/
http://www.silverlight.net/
http://www.microsoft.com/web/gallery/
http://www.iis.net/
http://weblogs.asp.net/Scottgu/
http://www.hanselman.com/blog/
http://northamerica.msteched.com
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn