17-20 OCTOBER 2011, DURBAN ICC

Hack-proofing your web application
Using Web Forms and MVC

William Brander
@WilliamBZA
http://WilliamB.Net
[email protected]

You have no business on the internet if you don't take security seriously.


What to expect

  • Level 400 session

    • Focus on concepts

    • Plenty of samples

  • Lots of scenarios, not much time

    • Code is available



Topics covered

Top attack methods (source: Web Hacking Incident Database, http://tinyurl.com/WebHackDB):

  • SQL Injection

  • Predictable Resource Location

  • Brute Force

  • Session Hijacking (2.3%)

  • CSRF (2%)

  • Clickjacking (0.6%)

Irony

Does EXACTLY what it's told to!

SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"

Search term: "Beer' UNION SELECT * FROM systables;--"

SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"

Demo

  • SQL Injection

Preventing SQL Injection

  • Use Parameterized Queries

    • Stored procedures won't save you (a procedure that concatenates its arguments into dynamic SQL is just as injectable)

  • If you need to use dynamic SQL: sp_executesql, with the values passed as parameters

  • Use a mature O/RM
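The "Irony" query built both ways, as an added example rather than the talk's own demo code: the concatenated string that the slide shows, the parameterized ADO.NET version, and the stored-procedure caveat from the bullets above. The Products table and its Name column, the connection string name "Shop" and the procedure names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // VULNERABLE: the search text is pasted into the SQL grammar. With
    // search = "Beer' UNION SELECT * FROM systables;--" this returns exactly the
    // query on the "Irony" slide.
    public static string BuildVulnerableSql(string search)
    {
        return "SELECT * FROM Products WHERE Name LIKE '" + search + "%'";
    }

    // SAFE: the text travels as a typed parameter value and is never parsed as SQL.
    // Assumes a connection string named "Shop" in web.config and a Products.Name column.
    public static List<string> Find(string search)
    {
        var names = new List<string>();
        string connStr = ConfigurationManager.ConnectionStrings["Shop"].ConnectionString;

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Name LIKE @pattern ESCAPE '\\'", conn))
        {
            // Parameters stop injection but not LIKE wildcards: escape % and _ so a search
            // for "100%" means a literal percent sign, then append our own trailing %.
            string pattern = search.Replace("\\", "\\\\")
                                   .Replace("%", "\\%")
                                   .Replace("_", "\\_") + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = pattern;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // "Stored procedures won't save you": this one is as injectable as the C# above,
    // because it still concatenates its argument into a string and EXECs it.
    public const string InjectableProcedure = @"
CREATE PROCEDURE dbo.SearchProducts_Bad @search nvarchar(100) AS
    EXEC('SELECT Name FROM Products WHERE Name LIKE ''' + @search + '%''')";

    // If dynamic SQL is unavoidable, sp_executesql keeps the value a parameter:
    // the SQL text is fixed and only the value is supplied at run time.
    public const string SafeProcedure = @"
CREATE PROCEDURE dbo.SearchProducts @search nvarchar(100) AS
    EXEC sp_executesql
        N'SELECT Name FROM Products WHERE Name LIKE @pattern',
        N'@pattern nvarchar(101)',
        @pattern = @search + N'%'";
}
```

The two T-SQL constants are there to be run once against the database; they show why "we only call stored procedures" proves nothing on its own. What matters is whether the text the user typed ever becomes part of a SQL string, whether that happens in C# or inside the procedure.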

Twitter = bird, so bird + worm = ?

Welcome Back <USERNAME>

Welcome Back WilliamBZA

Welcome back<script>


Demo

  • XSS

Preventing XSS

  • Use the AntiXSS Library

  • Sanitize AND Encode

  • Use Razor (@ encodes by default)

  • Be careful of IE6

    • Allows XSS in images!! (IE content-sniffs an uploaded "image" and will run HTML it finds inside it)
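The "Welcome Back" slide in a Web Forms code-behind, as an added example that is not the talk's own code: the verbatim Label.Text that makes the user name executable, the same value encoded for two different output contexts with the AntiXSS library, and a sanitized rich-text field for the "Sanitize AND Encode" bullet. The control names, the showGreeting JavaScript function and the LoadBioHtml helper are assumptions; the AntiXSS calls are those of the 4.x library (Microsoft.Security.Application).

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXSS library: AntiXssLibrary.dll and HtmlSanitizationLibrary.dll

public partial class Welcome : Page
{
    // In a real project these come from the designer file; declared here so the
    // snippet is self-describing (assumed control names).
    protected Label lblWelcome;
    protected Literal litBio;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Attacker-controlled: chosen at registration, stored, and replayed to every viewer.
        string userName = User.Identity.Name;
        string bioHtml = LoadBioHtml(userName);

        // VULNERABLE: Label.Text is written to the response verbatim, so a user name
        // beginning "<script>" becomes markup and runs in every visitor's browser.
        // lblWelcome.Text = "Welcome Back " + userName;

        // 1. Encode for the context the value lands in: HTML body text.
        //    (Same effect as <%: %> in Web Forms 4 or @ in Razor; Label.Text and <%= %> do not encode.)
        lblWelcome.Text = "Welcome Back " + Encoder.HtmlEncode(userName);

        // 2. Same value, different context. Inside a <script> block HTML entities are not
        //    decoded, so HtmlEncode would corrupt the value rather than protect it;
        //    JavaScriptEncode (AntiXSS 4.x, emitQuotes = true) emits a quoted, \x-escaped
        //    string literal that cannot break out of the literal or close the block.
        string script = "showGreeting(" + Encoder.JavaScriptEncode(userName, true) + ");";
        ClientScript.RegisterStartupScript(GetType(), "greet", script, true);

        // 3. "Sanitize AND Encode": where markup is genuinely allowed (a rich-text bio),
        //    reduce it to a safe subset first. The Literal then renders the sanitized
        //    fragment unencoded on purpose; the onerror handler below is stripped.
        litBio.Text = Sanitizer.GetSafeHtmlFragment(bioHtml);
    }

    private static string LoadBioHtml(string userName)
    {
        // Stand-in for the page's own data access; constructed malicious value.
        return "<b>Hi, I'm " + userName + "</b><img src=x onerror=alert(1)>";
    }
}
```

The point of steps 1 and 2 is that there is no single "encode" call: the right encoder depends on where the bytes end up (HTML body, attribute, script, URL), which is why the library offers one method per context. Sanitizing (step 3) is only for fields whose whole purpose is to carry markup; plain-text fields get encoded, never sanitized.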

ING: here, have some of my money!

(Diagram on the original slide: the victim's browser sends "GET http://server/page" and gets "Welcome Back"; while that session is alive, a page the attacker controls makes the same browser issue another request, shown as "Request (http://firewall/AllRules)", either a GET request or a POST request from a button click, which the server treats as the victim's own.)

Demo

  • CSRF

Preventing CSRF

  • Use AntiForgeryTokens (MVC)

  • Set ViewStateUserKey (Web Forms)
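Both defences from the slide in code, as an added example and not the talk's own: an MVC action guarded by [ValidateAntiForgeryToken] with the matching Razor form shown in a comment, and a Web Forms page that ties view state to the session. The controller and page names, the Transfer action's parameters and the assumption that the login page has already stored something in Session are mine, not the slides'.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// MVC: the view emits a hidden token that is tied to a cookie the browser sends back,
// and the action refuses any POST whose two halves do not match. The form in the
// Razor view (assumed Transfer.cshtml) is:
//
//   @using (Html.BeginForm("Transfer", "Bank")) {
//       @Html.AntiForgeryToken()
//       <input name="toAccount" /> <input name="amount" />
//       <input type="submit" value="Transfer" />
//   }
public class BankController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]   // missing or mismatched token -> HttpAntiForgeryException, no transfer
    public ActionResult Transfer(string toAccount, decimal amount)
    {
        // ... move the money for User.Identity.Name (data access assumed) ...
        return RedirectToAction("Index");
    }

    // Do not accept the same action on GET: a state change reachable by GET can be
    // fired from an <img src="..."> on the attacker's page and no token is checked.
}

// Web Forms: view state is MAC-protected, so tying it to the victim's session id
// means a __VIEWSTATE the attacker captured or fabricated fails validation.
public partial class TransferPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be set in Init, before view state is loaded; Load is too late.
        // Session.SessionID only becomes stable once the session holds data, so the
        // login page is assumed to store something in Session first.
        ViewStateUserKey = Session.SessionID;
    }
}
```

Two checks worth making after wiring this up: submit the form with the hidden token removed and confirm the request is rejected, and confirm the Web Forms page still has EnableViewStateMac at its default of true, since ViewStateUserKey is only a salt for that MAC.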

How many Facebook likes can you get?

  • Hacker Problem:

    • Users have to click to do something

  • Answer: Make them click on it

    • But make them think they’re clicking on something else

Demo

  • Clickjacking

Preventing Clickjacking

  • Add the X-Frame-Options: DENY header to every response
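One place to add the header so that no page is forgotten, as an added example that is not from the talk: a Global.asax.cs handler that applies to Web Forms and MVC responses alike. The application class name and the small policy helper are assumptions.

```csharp
using System;
using System.Web;

// Global.asax.cs: the header goes on every response the application sends, Web Forms
// and MVC alike, so no page is left out by accident.
public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // DENY: the page may not be framed by anyone, including this site.
        // SAMEORIGIN: allow frames only from pages on the same origin; use it if the
        // application legitimately frames its own content.
        Response.AppendHeader("X-Frame-Options", FrameOptionsFor(allowSameOrigin: false));
    }

    // Single place to decide the policy, so it cannot be typed differently per page.
    internal static string FrameOptionsFor(bool allowSameOrigin)
    {
        return allowSameOrigin ? "SAMEORIGIN" : "DENY";
    }
}
```

On IIS 7 the same header can be set without code under system.webServer/httpProtocol/customHeaders in web.config. Either way, check it with the browser's network tools on a page that is not the home page: the header only helps on responses that actually carry it, and only in browsers that honour it (IE8+, Firefox 3.6.9+, Chrome and Safari 4+); older browsers ignore it.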

Phishing-Jitsu: number 34

How do you make someone think they're accessing [trusted site] when they're actually typing their password into [attacker's site]?

(The two sites were shown as images on the original slide.)

Demo

  • Open Redirection

Preventing Open Redirection

  • Check the URL you are redirecting to

  • Use MVC 3 (Url.IsLocalUrl, which the MVC 3 LogOn template applies to ReturnUrl)

  • Don't allow cross-app redirection (enableCrossAppRedirects on <forms> is false by default)

  • If in doubt, don't redirect!
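The ReturnUrl check in code, as an added example rather than the talk's own demo: an MVC 3 LogOn action using Url.IsLocalUrl, and the same rule written by hand for Web Forms (or MVC 2), where no such helper exists. The controller, the RedirectGuard class and the use of the built-in Membership provider for validation are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
            return View();                                  // assumed: redisplay the login form

        FormsAuthentication.SetAuthCookie(userName, false);

        // MVC 3: Url.IsLocalUrl accepts only "/path" and "~/path" and rejects
        // "//evil.example" and "/\evil.example", which browsers resolve as absolute URLs.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        return RedirectToAction("Index", "Home");           // if in doubt, don't redirect
    }
}

// Web Forms (or MVC 2) has no Url.IsLocalUrl; the same rule written by hand.
public static class RedirectGuard
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/")) return true;                           // app-relative
        if (url.StartsWith("//") || url.StartsWith("/\\")) return false; // protocol-relative
        return url.StartsWith("/");                                      // site-relative only
    }

    // A check such as returnUrl.Contains(Request.Url.Host) is not a check: "//evil.example"
    // and "/\evil.example" mention no host of ours yet leave the site. Use this in place
    // of Response.Redirect(Request["ReturnUrl"]) in a Web Forms login page.
    public static void SafeRedirect(HttpResponse response, string returnUrl, string fallback)
    {
        response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : fallback);
    }
}
```

Inputs to try against IsLocalUrl before trusting it: "/Account/Settings" and "~/Home" (allowed), "http://evil.example", "//evil.example", "/\evil.example" and an empty string (all refused). The phishing slide's trick is exactly the second and third forms dressed up inside a link to the real site's login page.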

  • OWASP (http://owasp.org)

  • WASC (http://webappsec.org)

  • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)

You have a responsibility to your users

18:30 – 20:30 this evening


Submit your session evaluation for a chance to win!

Sponsored by MVA