17-20 OCTOBER 2011 DURBAN ICC
Hack-proofing your web application Using Web Forms and MVC William Brander @WilliamBZA http://WilliamB.Net william@williamb.net
You have no business on the internet if you don’t take security seriously
What to expect • Level 400 session • Focus on concepts • Plenty of samples • Lots of scenarios, not much time • Code is available (MVC and Web Forms)
Topics Covered / Top Attack Methods (pie chart; only some slices carry a percentage label): SQL Injection, XSS, CSRF (2%), Session Hijacking (2.3%), Clickjacking (0.6%), Brute Force, Phishing, DDoS, Predictable Resource Location, Unknown. Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)
Irony: it does EXACTLY what it's told to!

SearchProducts("Beer")
  SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"

SearchProducts("Beer' UNION SELECT * FROM systables;--")
  SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"
Demo • SQL Injection
Preventing SQL Injection • Use parameterized queries • Stored procedures won't save you (a procedure that builds dynamic SQL from its arguments is just as injectable) • If you need to use dynamic SQL: sp_executesql, with the values still passed as parameters • Use a mature O/RM
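The slide's SearchProducts in both forms, as an added example (not the talk's sample code): the string-concatenation version that the UNION payload rewrites, the parameterized SqlCommand that replaces it, and the "dynamic SQL" case where a column name chosen at runtime is whitelisted while the value stays a parameter. The connection string, the Products(Name, Price) table and the class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not the talk's code. Assumes a SQL Server database with a
// Products table (Name, Price) reachable through connectionString (hypothetical).
public class ProductRepository
{
    private readonly string connectionString;

    public ProductRepository(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // VULNERABLE: the slide's SearchProducts. The search term becomes SQL text,
    // so "Beer' UNION SELECT * FROM systables;--" closes the quote, appends a
    // second query and comments out the rest of the original one.
    public string BuildVulnerableSql(string search)
    {
        return "SELECT * FROM Products WHERE Name LIKE '" + search + "%'";
    }

    // FIXED: the term travels as a typed parameter. SQL Server never parses it
    // as SQL, so quotes and "--" are just characters inside the value.
    public List<string> SearchProducts(string search)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Name LIKE @pattern", conn))
        {
            // Parameters stop injection but not LIKE wildcards; escape those too
            // so a search for "%" cannot turn into "return everything".
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                EscapeLikePattern(search) + "%";
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // Dynamic SQL that cannot be parameterized (a column name in ORDER BY):
    // whitelist the identifier, keep the value a parameter. SqlClient sends a
    // parameterized batch to the server through sp_executesql, which is the
    // same thing a stored procedure should do when it must build SQL itself.
    public List<string> SearchProductsOrdered(string search, string orderBy)
    {
        var allowedColumns = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Name", "Price" };
        if (!allowedColumns.Contains(orderBy))
            throw new ArgumentException("Unsupported sort column", "orderBy");

        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Name LIKE @pattern ORDER BY " + orderBy, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                EscapeLikePattern(search) + "%";
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // SQL Server LIKE treats [, % and _ specially; wrapping them in [] makes
    // them literal.
    internal static string EscapeLikePattern(string input)
    {
        return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

BuildVulnerableSql is kept only so the two query strings from the slide can be compared side by side with the fixed version; nothing should execute its output. Calling SearchProducts with the slide's payload returns the products whose name starts with that literal string, which is to say none.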
Twitter = bird, so bird + worm = ?

Page template:
<div> Welcome Back <USERNAME> </div>

What a normal user sees:
<div> Welcome Back WilliamBZA </div>

What a user name chosen by an attacker produces:
<div> Welcome back<script> doHax(){ } </script> </div>
Demo • XSS
Preventing XSS • Use the AntiXSS Library • Sanitize AND Encode • Use Razor (@ encodes by default) • Be careful of IE6: it allows XSS in images!!
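The "Welcome Back" page from the slide as Web Forms code-behind, added here as an example (not the talk's sample code): the raw Label.Text assignment that runs the attacker's script, the encoded replacement, and the point the slide's "Sanitize AND Encode" bullet is making: the encoder has to match the output context (HTML body, attribute, URL), and HTML that must stay HTML is sanitized rather than encoded. The page, control and query-string names are assumptions; the Encoder and Sanitizer classes are the AntiXSS library's.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS library (Encoder, Sanitizer)

// Added example, not the talk's code. Assumes a Web Forms page with a Label
// named WelcomeLabel, a HyperLink named ProfileLink, a Literal named BioLiteral,
// and "user" / "bio" request values (all hypothetical).
public partial class Welcome : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted: comes straight from the request.
        string userName = Request.QueryString["user"] ?? "";

        // VULNERABLE: Label.Text is emitted as-is, so
        // ?user=<script>doHax()</script> runs in every visitor's browser.
        // WelcomeLabel.Text = "Welcome Back " + userName;

        // FIXED: encode for the HTML body context at the point of output.
        WelcomeLabel.Text = "Welcome Back " + HttpUtility.HtmlEncode(userName);

        // Each output context has its own rules. An attribute value and a URL
        // are not "HTML body", so body encoding alone is the wrong tool there.
        ProfileLink.Text = Encoder.HtmlEncode(userName);
        ProfileLink.NavigateUrl = "/Profile.aspx?user=" + Encoder.UrlEncode(userName);
        ProfileLink.Attributes["title"] = Encoder.HtmlAttributeEncode(userName);

        // A field that is allowed to contain markup (a rich-text bio) cannot be
        // encoded without destroying it: sanitize it down to a safe fragment
        // instead, and still do that on output, not only when it was saved.
        string bio = Request.Form["bio"] ?? "";
        BioLiteral.Text = Sanitizer.GetSafeHtmlFragment(bio);
    }
}
```

In ASP.NET 4 the same body encoding is what `<%: userName %>` and Razor's `@userName` do automatically; `<%= %>` and `@Html.Raw()` do not. Registering the library in web.config (`<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />`) makes those automatic encodings use AntiXSS's whitelist encoder instead of the default one.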
ING: here, have some of my money!

(Diagram) The victim's browser sends GET http://server/page, and the response it gets back contains:
<div> Welcome Back <img src='http://Firewall/AllRules'/> </div>
Rendering the image makes the browser send a GET request to http://firewall/AllRules, with the victim's credentials attached. The slide shows the same flow with a POST request triggered by a button click.
Demo • CSRF
Preventing CSRF • Use AntiForgeryTokens (MVC) • Set ViewStateUserKey (Web Forms)
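Both defenses from the slide applied to the "AllRules" endpoint of the diagram, as an added example (not the talk's sample code). On the MVC side the state-changing action is POST-only and validates the anti-forgery token that the view's form carries; on the Web Forms side ViewStateUserKey binds the page's ViewState MAC to the user's session. FirewallController, the Rules page and the control names are assumptions.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// Added example, not the talk's code. FirewallController and the Rules page are
// hypothetical names standing in for the "AllRules" endpoint on the slide.

// --- MVC ---
public class FirewallController : Controller
{
    // GET only renders the page and changes nothing, so an <img src> pointing
    // at it gains the attacker nothing.
    public ActionResult Index()
    {
        return View();
    }

    // The state-changing action: POST only, and the posted form must carry the
    // token that @Html.AntiForgeryToken() wrote into the page. That token is
    // paired with a cookie only this site's pages can read or set, so a form
    // hosted on another site cannot produce a matching pair.
    //
    // Razor view (Index.cshtml):
    //   @using (Html.BeginForm("DeleteAll", "Firewall")) {
    //       @Html.AntiForgeryToken()
    //       <input type="submit" value="Delete all rules" />
    //   }
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteAll()
    {
        // ... delete the rules ...
        return RedirectToAction("Index");
    }
}

// --- Web Forms ---
public partial class Rules : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Mixes the session ID into the ViewState MAC, so a __VIEWSTATE copied
        // or forged by another site does not validate for this user. It must be
        // set in Page_Init (before ViewState loads) and relies on
        // EnableViewStateMac, which is on by default.
        // Assumes session state is enabled and the session already exists:
        // ASP.NET issues a fresh SessionID on every request until something
        // has been stored in Session.
        ViewStateUserKey = Session.SessionID;
    }

    protected void DeleteAllButton_Click(object sender, EventArgs e)
    {
        // Reached only through a postback whose ViewState validated above.
        // ... delete the rules ...
    }
}
```

Quick check for either stack: submit the form from a page saved to disk (or with the token/ViewState field removed) and confirm the request is rejected rather than processed.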
How many Facebook likes can you get? • Hacker Problem: • Users have to click to do something • Answer: Make them click on it • But make them think they’re clicking on something else
Demo • Clickjacking
Preventing Clickjacking • Add an X-Frame-Options: DENY response header
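One place to add the header so that every response carries it, as an added example (not the talk's sample code): Global.asax.cs, in Application_BeginRequest. The class name is the MVC template's default and is an assumption here.

```csharp
using System;
using System.Web;

// Added example, not the talk's code. Lives in Global.asax.cs; the class name
// MvcApplication is the MVC project template's default (hypothetical here).
public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Sent on every response handled by ASP.NET, error pages included, so no
        // page is left frameable by accident.
        // DENY: the page may never be framed. SAMEORIGIN: only pages from this
        // origin may frame it; use that only if the app frames its own pages.
        Response.AppendHeader("X-Frame-Options", "DENY");
    }
}
```

The same header can be set declaratively in web.config under `<system.webServer><httpProtocol><customHeaders>`. Either way, verify it with the response headers in Fiddler or `curl -I`, and keep in mind that browsers older than IE8 ignore the header entirely, so they remain frameable.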
Phishing Jitsu: number 34 How do you make someone think they’re accessing securebanking.com when they’re actually typing their password into securebnaking.com?
Demo • Open Redirection
Preventing Open Redirection • Check the URL you are redirecting to • Use MVC 3 (Url.IsLocalUrl) • Don't allow cross-app redirection (Forms authentication's enableCrossAppRedirects is disabled by default) • If in doubt, don't redirect!
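The classic spot for this bug is the login action's returnUrl. Below, as an added example (not the talk's sample code), is an MVC 3 LogOn action that only follows local return URLs, plus a standalone check with the same rules for Web Forms or MVC 2, where Url.IsLocalUrl does not exist. AccountController and the RedirectGuard helper are assumptions.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the talk's code. AccountController is hypothetical.
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);

        // VULNERABLE (what the MVC 2 template did):
        // return Redirect(returnUrl);
        // ?returnUrl=http://securebnaking.com/login sends a freshly logged-in
        // user straight to the phisher.

        // FIXED: MVC 3's Url.IsLocalUrl accepts "/path" and "~/path" only, and
        // rejects absolute URLs as well as "//evil" and "/\evil".
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// Hypothetical helper with the same rules, for Web Forms or MVC 2.
public static class RedirectGuard
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // "/" on its own, or "/something" that is not "//host" or "/\host"
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/something": application-relative
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }
}
```

Worth testing against the helper before relying on it: "/Account", "~/Account" and "/" should pass; "http://securebnaking.com", "//securebnaking.com", "/\securebnaking.com" and an empty string should fail.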
Resources • OWASP (http://owasp.org) • WASC (http://webappsec.org) • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)