
17-20 OCTOBER 2011



Presentation Transcript


  1. 17-20 OCTOBER 2011 DURBAN ICC

  2. Hack-proofing your web application Using Web Forms and MVC William Brander @WilliamBZA http://WilliamB.Net william@williamb.net

  3. You have no business on the internet if you don’t take security seriously

  4. What to expect
     • Level 400 session
     • Focus on concepts
     • Plenty of samples
     • Lots of scenarios, not much time
     • Code is available (MVC and Web Forms)

  5. Top Attack Methods (chart; the legend marks the topics covered in this session)
     • SQL Injection
     • XSS
     • CSRF (2%)
     • Clickjacking (0.6%)
     • Phishing
     • Session Hijacking (2.3%)
     • Brute Force
     • DDoS
     • Predictable Resource Location
     • Unknown
     Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)

  6. Irony: it does EXACTLY what it’s told to!
     SearchProducts("Beer") builds
       SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"
     SearchProducts("Beer' UNION SELECT * FROM systables;--") builds
       SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"

  7. Demo • SQL Injection

  8. Preventing SQL Injection
     • Use Parameterized Queries
     • Stored procedures won’t save you
     • If you need to use dynamic SQL: sp_executesql
     • Use a mature O/RM
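Slides 6 and 8 side by side, as an added example that is not code from the talk: the concatenating SearchProducts of slide 6 next to the parameterized version slide 8 recommends, in Python with an in-memory SQLite database (the slide's systables becomes SQLite's sqlite_master; the function names and the sample rows are constructed here).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slide's Products table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Products (Name) VALUES (?)",
                   [("Beer",), ("Beer glass",), ("Wine",)])
    return db


def search_products_vulnerable(db, term):
    # Slide 6: the search term is spliced into the statement text, so the
    # database parses whatever the string says, quotes and comments included.
    sql = "SELECT Id, Name FROM Products WHERE Name LIKE '" + term + "%'"
    return db.execute(sql).fetchall()


def search_products_parameterized(db, term):
    # Slide 8: the statement text is fixed before any user data arrives; the
    # term is bound as a value and can only ever be compared against Name.
    sql = "SELECT Id, Name FROM Products WHERE Name LIKE ?"
    return db.execute(sql, (term + "%",)).fetchall()


# The slide's input, adapted so the UNION selects the same two columns as the
# product query and reads SQLite's schema table instead of systables.
PAYLOAD = "Beer' UNION SELECT type, name FROM sqlite_master;--"


def demo():
    db = make_db()
    honest = search_products_vulnerable(db, "Beer")      # the intended LIKE search
    leaked = search_products_vulnerable(db, PAYLOAD)     # schema rows ride along
    safe = search_products_parameterized(db, PAYLOAD)    # no product has that name
    return honest, leaked, safe


if __name__ == "__main__":
    for label, rows in zip(("honest", "leaked", "safe"), demo()):
        print(label, rows)
```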

  9. Twitter = bird, so bird + worm = ?
     Template: <div> Welcome Back <USERNAME> </div>
     Expected: <div> Welcome Back WilliamBZA </div>
     Injected: <div> Welcome back<script> doHax(){ } </script> </div>

  10. Demo • XSS

  11. Preventing XSS
     • Use the AntiXSS Library
     • Sanitize AND Encode
     • Use Razor (@ encodes by default)
     • Be careful of IE6: it allows XSS in images!!

  12. ING: here, have some of my money!
     Browser: GET http://server/page
     Server responds: <div> Welcome Back <img src='http://Firewall/AllRules'/> </div>
     Browser, loading the image: GET http://firewall/AllRules
     (a POST request can be triggered the same way via a button click)

  13. Demo • CSRF

  14. Preventing CSRF
     • Use AntiForgeryTokens
     • Set ViewStateUserKey

  15. How many Facebook likes can you get?
     • Hacker Problem: users have to click to do something
     • Answer: make them click on it, but make them think they’re clicking on something else

  16. Demo • Clickjacking

  17. Preventing Clickjacking
     • Add the X-Frame-Options: DENY header

  18. Phishing Jitsu: number 34 How do you make someone think they’re accessing securebanking.com when they’re actually typing their password into securebnaking.com?

  19. Demo • Open Redirection

  20. Preventing Open Redirection
     • Check the URL you are redirecting to
     • Use MVC 3
     • Don’t allow cross app redirection (disabled by default)
     • If in doubt, don’t redirect!

  21. Resources
     • OWASP (http://owasp.org)
     • WASC (http://webappsec.org)
     • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)

  22. You have a responsibility to your users

  23. 18:30 – 20:30 this evening http://microsoftvirtualacademy.com Submit your session evaluation for a chance to win! Sponsored by MVA
