17-20 OCTOBER 2011 - PowerPoint PPT Presentation
Presentation Transcript


17-20 OCTOBER 2011

DURBAN ICC


Hack-proofing your web application

Using Web Forms and MVC

William Brander

@WilliamBZA

http://WilliamB.Net

william@williamb.net


You have no business on the internet if you don’t take security seriously


What to expect

  • Level 400 session

    • Focus on concepts

    • Plenty of samples

  • Lots of scenarios, not much time

    • Code is available

MVC

Webforms


Topics Covered

Top Attack Methods (chart; percentages only where the slide gives them): SQL Injection, XSS, DDoS, Phishing, Brute Force, Predictable Resource Location, Session Hijacking (2.3%), CSRF (2%), Clickjacking (0.6%), Unknown

Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)


Irony

Does EXACTLY what it's told to!

SearchProducts("Beer")

SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"

SearchProducts("Beer' UNION SELECT * FROM systables;--")

SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"


Demo

  • SQL Injection


Preventing SQL Injection

  • Use Parameterized Queries

    • Stored procedures won’t save you

  • If you need to use dynamic SQL: sp_executesql

  • Use a mature O/RM
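Added example, not the talk's sample code: the SearchProducts query from the Irony slide written both ways in C# with System.Data.SqlClient, the concatenated string beside the parameterized command. The Products table, its Name column and the connection string are assumptions.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // Vulnerable form from the "Irony" slide: the search term is pasted into
    // the SQL text, so a term ending in "' UNION SELECT ... --" becomes part
    // of the statement and the database does exactly what it is told.
    public static string BuildUnsafeSql(string search)
    {
        return "SELECT * FROM Products WHERE Name LIKE '" + search + "%'";
    }

    // Parameterized form: the SQL text is fixed and the term travels as a
    // typed value, so a quote or comment marker inside it is only ever data.
    public static List<string> SearchProducts(string connectionString, string search)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Name LIKE @pattern", conn))
        {
            // Parameters stop injection, but LIKE still interprets % _ and [
            // typed by the user; escape them so the search stays literal.
            string pattern = search.Replace("[", "[[]")
                                   .Replace("%", "[%]")
                                   .Replace("_", "[_]") + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 100).Value = pattern;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```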


Twitter = bird, so bird + worm = ?

Template:

<div>
Welcome Back <USERNAME>
</div>

Expected output:

<div>
Welcome Back WilliamBZA
</div>

Output when the username is not encoded:

<div>
Welcome back<script>
doHax(){
}
</script>
</div>


Demo

  • XSS


Preventing XSS

  • Use the AntiXSS Library

  • Sanitize AND Encode

    • Use Razor (@ encodes by default)

  • Be careful of IE6

    • Allows XSS in images!!


ING: here, have some of my money!

Request: GET http://server/page

Response:

<div>
Welcome Back
<img src='http://Firewall/AllRules'/>
</div>

Browser then sends a request to http://firewall/AllRules (a GET request from the image tag, or a POST request on a button click)


Demo

  • CSRF


Preventing CSRF

  • Use AntiForgeryTokens

  • Set ViewStateUserKey


How many Facebook likes can you get?

  • Hacker Problem:

    • Users have to click to do something

  • Answer: Make them click on it

    • But make them think they’re clicking on something else


Demo

  • Clickjacking


Preventing Clickjacking

  • Add X-Frame-Options=DENY Header


Phishing Jitsu: number 34

How do you make someone think they're accessing securebanking.com when they're actually typing their password into securebnaking.com?


Demo

  • Open Redirection


Preventing Open Redirection

  • Check the URL you are redirecting to

  • Use MVC 3

    • Don't allow cross app redirection (disabled by default)

  • If in doubt, don't redirect!


  • OWASP (http://owasp.org)

  • WASC (http://webappsec.org)

  • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)


You have a responsibility to your users


18:30 – 20:30 this evening: http://microsoftvirtualacademy.com

Submit your session evaluation for a chance to win!

Sponsored by MVA
