Building Secure Web Applications - PowerPoint PPT Presentation
Presentation Transcript

What is ASP.Net MVC?

  • An extension to ASP.Net.

  • Implements the MVC software pattern that divides an application's implementation into three component roles:

    • models

    • views

    • controllers


Models

  • "Models" in an MVC-based application are the components responsible for:

    • Maintaining state. 

    • Often a database.


Views

  • "Views" in an MVC-based application are the components responsible for:

    • Displaying the application's user interface. 

    • Typically this UI is generated from the model data.


Controllers

  • Responsible for:

    • Handling user interaction

    • Manipulating the model

    • Choosing a view to render the UI.

  • In an MVC application the view only displays information; it is the controller that handles and responds to user input and interaction.


Part 1: Form Security

  • Cross Site Scripting (XSS)

  • Injection Flaws


Cross Site Scripting (XSS)

  • A common flaw in web applications.

  • Allows attackers to execute script in the victim's browser.

  • Caused by improper input validation and encoding.


Cross Site Scripting Prevention

  • Request Validation (enabled by default).

  • Server.HtmlEncode();

  • Microsoft AntiXSS Library


Injection Flaws

  • Common in web applications.

  • Caused when user input is evaluated as part of a command or query.

  • SQL Injection is the most common.

  • If _userName = "admin" and _password = "' OR 1 = 1 --" the result would be:

  • SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'


Injection Prevention

  • MVC is built around a data model.

  • Object Relational Mappers (ORM)

    • Linq to SQL

    • ADO.Net Entity Framework

  • These handle CRUD commands in an injection-safe way.
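As an added example (not code from the slides), the login query from the Injection Flaws slide written three ways in C#: the string-concatenated form that the sample password "' OR 1 = 1 --" rewrites, the same query with SqlCommand parameters, and the LINQ to SQL form the slide recommends. tblUsers and its columns are taken from the slide; the UsersDataContext class and the open SqlConnection the caller supplies are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class LoginChecks
{
    // VULNERABLE: the input becomes part of the SQL text. With the slide's values the
    // statement turns into  ... WHERE UserName = 'admin' AND Password = '' OR 1 = 1 --'
    // and the trailing OR makes the WHERE clause true for every row.
    public static bool LoginVulnerable(SqlConnection conn, string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM tblUsers WHERE UserName = '" + userName +
                     "' AND Password = '" + password + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is fixed; the values travel as typed parameters, so a quote
    // or comment marker inside the password is just data to compare, never syntax.
    public static bool LoginParameterized(SqlConnection conn, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM tblUsers WHERE UserName = @user AND Password = @pass";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: LINQ to SQL translates the lambda into a parameterized query itself.
    // UsersDataContext is an assumed DataContext generated from the tblUsers table.
    public static bool LoginLinq(UsersDataContext db, string userName, string password)
    {
        return db.tblUsers.Any(u => u.UserName == userName && u.Password == password);
    }
}
```

The clear-text Password column is kept because that is the slide's schema; hashing stored passwords is a separate control from the injection fix shown here.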



Malicious File Execution

  • Occurs when an attacker is able to upload and execute code on a server.

  • The ASP.Net MVC Advantage

    • Classic ASP.Net served pages from their corresponding locations on disk.

    • ASP.Net MVC routes requests to the appropriate controller and view.

    • An attacker doesn't know the application's directory structure.


Insecure Direct Object Reference

  • Occurs when an application exposes a direct reference to a resource.

    • Files

    • Primary keys for database records

  • Attackers can edit these references to gain access to protected data.

  • Prevention:

    • Encrypt any reference data when passing it between pages.


Cross Site Request Forgery (CSRF)

  • Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.

  • Can cause a user to perform an action they did not intend.

  • Example:


CSRF Prevention

  • Avoid updating user data from HTTP GET requests.

  • ASP.Net MVC AntiForgeryToken



Information Leakage and Improper Error Handling

  • Improper error handling exposes implementation details.

  • Prevention:

    • Disable debugging.

    • Custom error pages.

    • ASP.Net MVC HandleError Attribute


Failure to Restrict URL Access

  • The web application only protects URLs by not showing them to unauthorized users.

  • The URLs can still be accessed manually.

  • Prevention:

    • ASP.Net MVC [Authorize] Attribute


Thank You

Kevin Watt

www.list2lend.com

Chris Brousseau

www.windows7ips.com
