17-20 OCTOBER 2011

DURBAN ICC


Hack-proofing your web application

Using Web Forms and MVC

William Brander

@WilliamBZA

http://WilliamB.Net

[email protected]


You have no business on the internet if you don’t take security seriously


What to expect

  • Level 400 session

    • Focus on concepts

    • Plenty of samples

  • Lots of scenarios, not much time

    • Code is available, for both MVC and Web Forms


Topics Covered

Top Attack Methods (chart; only the three smallest slices carry a percentage on the slide):

  • Brute Force

  • Unknown

  • XSS

  • Phishing

  • DDoS

  • SQL Injection

  • Predictable Resource Location

  • Session Hijacking (2.3%)

  • CSRF (2%)

  • Clickjacking (0.6%)

Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)


Irony

Does EXACTLY what it's told to!

SearchProducts("Beer")

    SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"

SearchProducts("Beer' UNION SELECT * FROM systables;--")

    SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"


Demo

  • SQL Injection


Preventing SQL Injection

  • Use parameterized queries: the value is bound as data, never parsed as part of the statement

    • Stored procedures won't save you: a procedure that concatenates its arguments into dynamic SQL is just as injectable as inline SQL

  • If you need dynamic SQL, build it with sp_executesql and pass the user-supplied values as parameters, not as part of the string

  • Use a mature O/RM (it parameterizes for you)
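Added example, not code from the talk (the talk's demos are ASP.NET; this is Python over an in-memory SQLite database): the slide's SearchProducts written the injectable way and the parameterized way, run against the same payload. The Products rows are constructed for the demo, and because SQLite has no systables the injected UNION reads sqlite_master instead, matched to the three columns of Products.

```python
import sqlite3

# Constructed sample data standing in for the slide's Products table.
PRODUCTS = [
    (1, "Beer", 12.50),
    (2, "Beer Glass", 4.00),
    (3, "Wine", 30.00),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a three-column Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Id INTEGER, Name TEXT, Price REAL)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def search_products_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """The slide's SearchProducts: the search term is concatenated into the SQL
    text, so whatever the user types is parsed as SQL. Deliberately vulnerable."""
    sql = f"SELECT * FROM Products WHERE Name LIKE '{term}%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized version: the driver sends the term as a bound value, so a
    quote or UNION inside it is just characters to match against Name."""
    sql = "SELECT * FROM Products WHERE Name LIKE ?"
    return conn.execute(sql, (term + "%",)).fetchall()


# Same shape as the slide's payload. sqlite_master is SQLite's catalogue
# (assumption for this demo, replacing systables); type, name, sql give the
# three columns a UNION with Products needs. The trailing -- comments out the
# %' the template appends, exactly as ;-- did on the slide.
INJECTION = "Beer' UNION SELECT type, name, sql FROM sqlite_master --"


def demo() -> tuple:
    """Returns (normal search, leaked rows via injection, parameterized result)."""
    conn = make_db()
    normal = search_products_unsafe(conn, "Beer")
    leaked = search_products_unsafe(conn, INJECTION)   # schema rows come back
    blocked = search_products_safe(conn, INJECTION)    # nothing is named that
    return normal, leaked, blocked


if __name__ == "__main__":
    normal, leaked, blocked = demo()
    print("normal search:      ", normal)
    print("injected, unsafe:   ", leaked)
    print("injected, bound:    ", blocked)
```

The unsafe call returns the CREATE TABLE text from sqlite_master alongside the Beer row; the parameterized call returns no rows because it is looking for a product whose name literally starts with the payload. A stored procedure whose body does EXEC on a concatenated string behaves like the first function; sp_executesql with a parameter list behaves like the second.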


Twitter = bird, so bird + worm = ?

Template:

<div>
Welcome Back <USERNAME>
</div>

Expected output:

<div>
Welcome Back WilliamBZA
</div>

Output when the username is chosen by an attacker:

<div>
Welcome back<script>
function doHax() { /* ... */ }
doHax();
</script>
</div>


Demo

  • XSS


Preventing XSS

  • Use the AntiXSS Library

  • Sanitize AND encode: validate the input against what a value is allowed to be, then encode the output for the context it lands in (HTML body, attribute, URL, script)

    • Use Razor (@ HTML-encodes by default)

  • Be careful of IE6

    • It sniffs content types, so an uploaded "image" that actually contains HTML can execute script
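Added example, not code from the talk: the Welcome Back template rendered raw (the bug) and rendered with context-specific encoding, using only Python's standard library to do the job the AntiXSS encoders do in ASP.NET. The username rule (letters, digits, underscore, at most 15 characters) is an assumption chosen for the demo, not a rule from the talk.

```python
import html
import json
import re
from urllib.parse import quote

# Sanitize step: allowlist what a username may contain (constructed rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,15}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def render_welcome_unsafe(username: str) -> str:
    """The slide's template with the value dropped in raw. Deliberately vulnerable."""
    return f"<div>Welcome Back {username}</div>"


def render_welcome_safe(username: str) -> str:
    """HTML body context: &, <, >, ' and \" become entities, so injected tags
    are displayed as text instead of being parsed."""
    return f"<div>Welcome Back {html.escape(username, quote=True)}</div>"


def render_link_safe(username: str) -> str:
    """Two nested contexts: URL-encode the query value, then attribute-encode the
    whole href; the link text gets body encoding. Each layer gets its own encoder."""
    href = "/profile?user=" + quote(username, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(username)}</a>'


def render_script_safe(username: str) -> str:
    """JavaScript string context: a JSON literal, plus \\u escapes for the
    characters that could otherwise close the <script> block early."""
    literal = (json.dumps(username)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var user = {literal};</script>"


if __name__ == "__main__":
    payload = "WilliamBZA<script>doHax()</script>"
    print(is_valid_username(payload))        # sanitize rejects it outright
    print(render_welcome_unsafe(payload))    # script tag survives
    print(render_welcome_safe(payload))      # &lt;script&gt; is shown as text
    print(render_script_safe("</script><script>doHax()</script>"))
```

Sanitizing and encoding are separate defences: the allowlist rejects the payload before it is stored, and the encoders protect the page even for values that legitimately contain special characters or arrived through a path the validator never saw.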


ING: here, have some of my money!

  • The victim's browser requests a page: GET http://server/page

  • The response contains:

    <div>
    Welcome Back
    <img src='http://Firewall/AllRules'/>
    </div>

  • To load the "image" the browser sends GET http://firewall/AllRules, attaching the victim's cookies for that host, so the firewall carries out the request with the victim's authority

  • A POST request works the same way if the page carries a form the victim submits with a button click


Demo

  • CSRF


Preventing CSRF

  • MVC: use AntiForgeryTokens (@Html.AntiForgeryToken() in the form, [ValidateAntiForgeryToken] on the action that handles the POST)

  • Web Forms: set ViewStateUserKey (for example to the session ID) so ViewState generated for one user is rejected when replayed by another
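Added example, not code from the talk: a session-bound anti-forgery token in Python, showing why the firewall request from the slide is stopped. The server key, session IDs, field name and /firewall/AllRules action are constructed for the demo; the principle (a form field the attacker cannot read and that must agree with the victim's session) is what AntiForgeryTokens and ViewStateUserKey give you in ASP.NET.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-deployment secret; generated here for the demo (constructed).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_FIELD = "__RequestVerificationToken"


def issue_token(session_id: str) -> str:
    """Token derived from the session: HMAC(server key, session id). An attacker
    in a different session cannot compute it and cannot read it cross-origin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """The legitimate page embeds the token as a hidden field in its own form."""
    return ('<form method="POST" action="/firewall/AllRules">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session_id)}">'
            '<button>Delete all rules</button></form>')


def handle_all_rules(method: str, session_id: str, body: str) -> tuple:
    """Server side of /firewall/AllRules. State changes only on POST, and only
    when the submitted token matches the one bound to the caller's session.
    Returns (HTTP status, explanation)."""
    if method != "POST":
        # An <img src=...> can only ever produce a GET, and a GET carries no token.
        return 405, "state-changing action requires POST"
    token = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    expected = issue_token(session_id)
    # Constant-time comparison on bytes (both sides may be attacker-influenced text).
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403, "anti-forgery token missing or bound to another session"
    return 200, "rules deleted"


if __name__ == "__main__":
    victim = "sess-victim"
    print(handle_all_rules("GET", victim, ""))                      # the slide's <img> attack
    print(handle_all_rules("POST", victim, "confirm=yes"))          # attacker's auto-submitted form
    print(handle_all_rules("POST", victim, f"{TOKEN_FIELD}={issue_token('sess-attacker')}"))
    print(handle_all_rules("POST", victim, f"{TOKEN_FIELD}={issue_token(victim)}"))  # real form
```

The three forged requests arrive with the victim's cookies, exactly as in the ING scenario, and still fail: the image tag cannot POST, the attacker's form has no token, and a token lifted from the attacker's own session does not verify against the victim's.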


How many Facebook likes can you get?

  • Hacker Problem:

    • Users have to click to do something

  • Answer: Make them click on it

    • But make them think they’re clicking on something else


Demo

  • Clickjacking


Preventing Clickjacking

  • Send the X-Frame-Options: DENY response header (or SAMEORIGIN if your own pages need to frame each other), so the browser refuses to render the page inside an attacker's frame


Phishing Jitsu: number 34

How do you make someone think they're accessing securebanking.com when they're actually typing their password into securebnaking.com?


Demo

  • Open Redirection


Preventing Open Redirection

  • Check the URL you are redirecting to: accept only local paths on your own application, never a full URL from the request

  • Use MVC 3: its Url.IsLocalUrl() helper performs that check

  • Forms authentication: don't allow cross-app redirection (enableCrossAppRedirects is false by default; leave it that way)

  • If in doubt, don't redirect!
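Added example, not code from the talk: a local-URL check in Python with the same rule MVC 3's Url.IsLocalUrl applies (reproduced from memory, so treat the exact rule as an assumption), next to a naive scheme/host check to show the case it gets wrong. The securebnaking.com URLs are constructed from the slide's phishing example.

```python
from urllib.parse import urlparse


def is_local_url(url: str) -> bool:
    """Accept only URLs that stay on this application:
      - "/path" is local, but "//host" and "/\\host" are protocol-relative and are not;
      - "~/path" (ASP.NET app-relative) is local;
      - anything else (a scheme, a host, a bare word) is rejected.
    Same shape as MVC 3's Url.IsLocalUrl (assumption, written from memory)."""
    if not url:
        return False
    if url.startswith("/"):
        return len(url) == 1 or url[1] not in "/\\"
    if url.startswith("~/"):
        return True
    return False


def naive_is_local(url: str) -> bool:
    """Tempting but wrong: 'no scheme and no host means local'. Browsers treat a
    backslash after the leading slash as a second slash, so /\\evil.com leaves the
    site even though urlparse reports an empty host for it."""
    parsed = urlparse(url)
    return not parsed.scheme and not parsed.netloc


def safe_redirect_target(return_url: str, fallback: str = "/") -> str:
    """Where the login page should send the user: the requested ReturnUrl if it
    is local, otherwise the fallback. When in doubt, don't redirect there."""
    return return_url if is_local_url(return_url) else fallback


if __name__ == "__main__":
    # A phishing link to the real site carrying the look-alike domain as ReturnUrl.
    for candidate in ["/account/summary", "~/account",
                      "http://securebnaking.com/login",
                      "//securebnaking.com/login",
                      "/\\securebnaking.com/login"]:
        print(f"{candidate:35} local={is_local_url(candidate)!s:5} "
              f"naive={naive_is_local(candidate)!s:5} -> {safe_redirect_target(candidate)}")
```

The last candidate is the one to remember: a check built on urlparse alone passes it, the prefix rule rejects it, and the user lands back on the application's own root instead of on securebnaking.com.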


  • OWASP (http://owasp.org)

  • WASC (http://webappsec.org)

  • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)


You have a responsibility to your users


18:30 – 20:30

this evening

http://microsoftvirtualacademy.com

Submit your session evaluation for a chance to win!

Sponsored by MVA

