17-20 OCTOBER 2011 - PowerPoint PPT Presentation

17-20 OCTOBER 2011. DURBAN ICC. Hack-proofing your web application. Using Web Forms and MVC. William Brander, @WilliamBZA, http://WilliamB.Net, [email protected]. "You have no business on the internet if you don't take security seriously." What to expect: Level 400 session.

Presentation Transcript
17-20 OCTOBER 2011

DURBAN ICC

Hack-proofing your web application

Using Web Forms and MVC

William Brander

@WilliamBZA

http://WilliamB.Net

[email protected]

You have no business on the internet if you don't take security seriously.



What to expect

  • Level 400 session

    • Focus on concepts

    • Plenty of samples

  • Lots of scenarios, not much time

    • Code is available

  • Covers both MVC and Web Forms


Topics Covered

Top Attack Methods (chart; percentages shown where legible):

  • Clickjacking (0.6%)

  • Session Hijacking (2.3%)

  • Brute Force

  • CSRF (2%)

  • Unknown

  • XSS

  • Phishing

  • DDoS

  • SQL Injection

  • Predictable Resource Location

Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)


Irony

Does EXACTLY what it's told to!

SearchProducts("Beer")

  SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"

SearchProducts("Beer' UNION SELECT * FROM systables;--")

  SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"


Demo

  • SQL Injection


Preventing SQL Injection

  • Use Parameterized Queries

    • Stored procedures won't save you

  • If you need to use dynamic SQL: sp_executesql

  • Use a mature O/RM
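The slide's SearchProducts concatenation next to the parameterized form, as an added example written for this transcript (not the speaker's sample code). It assumes SQL Server via ADO.NET, a Products table with a Name column, and a connection string supplied by the caller; the whitelist of sort columns in the sp_executesql variant is constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public class ProductRepository
{
    private readonly string _connectionString;

    public ProductRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the slide's SearchProducts. The search term is pasted into
    // the SQL text, so "Beer' UNION SELECT * FROM systables;--" becomes part
    // of the statement and the database does exactly what it is told.
    public IList<string> SearchProductsUnsafe(string term)
    {
        string sql = "SELECT Name FROM Products WHERE Name LIKE '" + term + "%'";
        return RunQuery(sql, null);
    }

    // SAFE: a parameterized query. The SQL text is fixed; the term travels to
    // SQL Server as a typed value and is never parsed as SQL, so the quote and
    // the UNION are just characters to match against.
    public IList<string> SearchProducts(string term)
    {
        const string sql = "SELECT Name FROM Products WHERE Name LIKE @term";
        var parameters = new[]
        {
            new SqlParameter("@term", SqlDbType.NVarChar, 100) { Value = term + "%" }
        };
        return RunQuery(sql, parameters);
    }

    // If the statement itself must be built at runtime (here: a sort column
    // chosen from a whitelist), keep the user data in parameters and let
    // sp_executesql bind them. Only the whitelisted identifier is concatenated.
    public IList<string> SearchProductsSortedBy(string term, string sortColumn)
    {
        var allowedColumns = new HashSet<string> { "Name", "Price" };   // constructed whitelist
        if (!allowedColumns.Contains(sortColumn)) sortColumn = "Name";

        string dynamicSql = "SELECT Name FROM Products WHERE Name LIKE @term ORDER BY " + sortColumn;
        var parameters = new[]
        {
            new SqlParameter("@stmt", SqlDbType.NVarChar, -1) { Value = dynamicSql },
            new SqlParameter("@params", SqlDbType.NVarChar, 500) { Value = "@term nvarchar(100)" },
            new SqlParameter("@term", SqlDbType.NVarChar, 100) { Value = term + "%" }
        };
        return RunQuery("sp_executesql", parameters, CommandType.StoredProcedure);
    }

    private IList<string> RunQuery(string sql, SqlParameter[] parameters, CommandType type = CommandType.Text)
    {
        var results = new List<string>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection) { CommandType = type })
        {
            if (parameters != null) command.Parameters.AddRange(parameters);
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read()) results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

Note that wrapping SearchProductsUnsafe in a stored procedure would not help: a procedure that builds its own string with EXEC(@sql) is injectable in exactly the same way, which is the point of "stored procedures won't save you". The sp_executesql form is the one place dynamic SQL is acceptable, because the data still arrives as parameters.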


Twitter = bird, so bird + worm = ?

Template:

<div>

Welcome Back <USERNAME>

</div>

Expected output:

<div>

Welcome Back WilliamBZA

</div>

Output when the username is a script:

<div>

Welcome back<script>

doHax(){

}

</script>

</div>


Demo

  • XSS


Preventing XSS

  • Use the AntiXSS Library

  • Sanitize AND Encode

    • Use Razor (@ encodes by default)

  • Be careful of IE6

    • Allows XSS in images!!
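An added helper, not from the deck, showing the "sanitize AND encode" split with the AntiXSS library the slide recommends. It assumes the Microsoft.Security.Application namespace from the AntiXSS 4.x library (the NuGet package id is assumed to be AntiXSS) and ASP.NET 4's IHtmlString; the class and method names SafeHtml, Text, RichText, Attribute and Url are my own.

```csharp
using System.Web;
using Microsoft.Security.Application;   // AntiXSS library: Encoder and Sanitizer

public static class SafeHtml
{
    // ENCODE: for text that must be displayed literally, such as a username.
    // HtmlEncode turns "<script>doHax()</script>" into "&lt;script&gt;...", so
    // the browser renders characters instead of running code. Razor's @ does
    // this by default; Web Forms' <%: %> does too, <%= %> does NOT.
    public static IHtmlString Text(string untrusted)
    {
        return new HtmlString(Encoder.HtmlEncode(untrusted ?? string.Empty));
    }

    // SANITIZE: for user-supplied rich text (a bio, a comment) that is allowed
    // some markup. The sanitizer removes scripts, event-handler attributes and
    // unknown tags and returns a fragment that can be emitted without further
    // encoding. Returning IHtmlString tells Razor not to encode it again.
    public static IHtmlString RichText(string untrustedHtml)
    {
        return new HtmlString(Sanitizer.GetSafeHtmlFragment(untrustedHtml ?? string.Empty));
    }

    // Attribute and URL contexts need their own encoders. HTML encoding alone
    // is not enough inside title="..." or href="...".
    public static string Attribute(string untrusted)
    {
        return Encoder.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    public static string Url(string untrusted)
    {
        return Encoder.UrlEncode(untrusted ?? string.Empty);
    }
}

// Usage in a Razor view (comment only, as this block is C#):
//   Welcome Back @Model.UserName                 -- encoded automatically
//   Welcome Back @Html.Raw(Model.UserName)        -- NOT encoded: the slide's worm
//   <div class="bio">@SafeHtml.RichText(Model.Bio)</div>
//   <a title="@SafeHtml.Attribute(Model.Tagline)" href="/u/@SafeHtml.Url(Model.UserName)">...</a>
```

The encoder choice follows the output context: the same username needs HtmlEncode in element text, HtmlAttributeEncode inside an attribute and UrlEncode inside a URL, and Html.Raw (or `<%= %>`) is the switch that turns the default protection off.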


ING: here, have some of my money!

Request: GET http://server/page

Response:

<div>

Welcome Back

<img src='http://Firewall/AllRules'/>

</div>

Request (http://firewall/AllRules)

  • GET Request

  • POST Request (button click)


Demo

  • CSRF


Preventing CSRF

  • Use AntiForgeryTokens

  • Set ViewStateUserKey
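Both mitigations from the slide in code, added here for this transcript and not taken from the speaker's samples. It assumes ASP.NET MVC 3 (ValidateAntiForgeryToken, Html.AntiForgeryToken) and Web Forms on ASP.NET 4; AccountController, Transfer and SecurePage are made-up names.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// MVC: the view emits a hidden field and a matching cookie with
//   @using (Html.BeginForm("Transfer", "Account")) {
//       @Html.AntiForgeryToken()
//       ...
//   }
// and the action refuses any POST whose field and cookie do not agree.
// A forged <img src="http://bank/Account/Transfer?..."> cannot supply them.
public class AccountController : Controller
{
    [HttpPost]                    // state changes never happen on GET, so an <img> request cannot trigger them
    [ValidateAntiForgeryToken]    // throws HttpAntiForgeryException when the token is missing or wrong
    public ActionResult Transfer(decimal amount, string toAccount)
    {
        // ... perform the transfer for the authenticated user ...
        return RedirectToAction("Index");
    }
}

// Web Forms: ViewStateUserKey binds the ViewState MAC to the current session.
// A POST replayed from another origin with ViewState captured in a different
// session fails validation before any event handler runs. It must be set in
// the Init stage, before ViewState is loaded.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session != null)
        {
            ViewStateUserKey = Session.SessionID;
        }
    }
}
```

Deriving every page from SecurePage applies the key site-wide. The MVC attribute is per-action, so the practical check during review is that every [HttpPost] action that changes state also carries [ValidateAntiForgeryToken].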


How many Facebook likes can you get?

  • Hacker Problem:

    • Users have to click to do something

  • Answer: Make them click on it

    • But make them think they're clicking on something else


Demo

  • Clickjacking


Preventing Clickjacking

  • Add X-Frame-Options=DENY Header
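Setting the header once for the whole application rather than page by page, as an added example (not the deck's code). It assumes ASP.NET on IIS with the module registered in web.config; FrameOptionsModule is a made-up name and the registration line is shown in a comment.

```csharp
using System;
using System.Web;

// Register in web.config (IIS integrated pipeline):
//   <system.webServer><modules>
//     <add name="FrameOptions" type="FrameOptionsModule" />
//   </modules></system.webServer>
// Every response then carries "X-Frame-Options: DENY", so browsers that honour
// the header refuse to render the page inside a frame or iframe on any origin.
// That is what defeats clickjacking: the page can no longer be overlaid under
// the attacker's fake button.
public class FrameOptionsModule : IHttpModule
{
    // Use "SAMEORIGIN" instead if the site legitimately frames its own pages.
    private const string Policy = "DENY";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            response.AppendHeader("X-Frame-Options", Policy);
        };
    }

    public void Dispose()
    {
    }
}
```

A quick check after deploying is to fetch any page and confirm the header is present on HTML responses; the protection only exists in browsers that understand X-Frame-Options, so the header is a defence for current browsers and not a reason to drop other checks.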


Phishing Jitsu: number 34

How do you make someone think they're accessing securebanking.com when they're actually typing their password into securebnaking.com?


Demo

  • Open Redirection


Preventing Open Redirection

  • Check the URL you are redirecting to

  • Use MVC 3

  • Don't allow cross app redirection (disabled by default)

  • If in doubt, don't redirect!
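The check from the slide, as an added example rather than the speaker's code: MVC 3's Url.IsLocalUrl for controllers, and an equivalent hand-written check for Web Forms pages. It assumes ASP.NET MVC 3; LoginController, RedirectGuard and the sample return URLs in the comments are constructed. The "cross app redirection" bullet refers to forms authentication's enableCrossAppRedirects setting, which is false by default.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class LoginController : Controller
{
    [HttpPost]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // ... authenticate the user ...

        // MVC 3: Url.IsLocalUrl accepts "/account" or "~/account" and rejects
        // "http://securebnaking.com", "//securebnaking.com" and "/\securebnaking.com",
        // so a phishing link carrying ?returnUrl= cannot bounce the user off-site.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");   // if in doubt, don't redirect
    }
}

// Web Forms, or any code without a UrlHelper: the same rule, written out.
public static class RedirectGuard
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // "~/" is application-relative; a single leading "/" is site-relative.
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url.Length == 1 && url[0] == '/') return true;

        // "//host" and "/\host" are protocol-relative and leave the site,
        // as does anything with a scheme ("http://...").
        if (url[0] == '/' && url[1] != '/' && url[1] != '\\') return true;

        return false;
    }

    // Redirects to url only when it is local; otherwise to a known-safe page.
    public static void RedirectLocal(HttpResponse response, string url, string fallback)
    {
        response.Redirect(IsLocalUrl(url) ? url : fallback);
    }
}
```

The reason for the "//" and "/\" cases is that a browser treats a protocol-relative URL as a full external address, so a check that only looks for "http://" still lets the phishing domain through.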


  • OWASP (http://owasp.org)

  • WASC (http://webappsec.org)

  • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)


You have a responsibility to your users


18:30 – 20:30 this evening

http://microsoftvirtualacademy.com

Submit your session evaluation for a chance to win!

Sponsored by MVA

