A Demo of and Preventing XSS in .NET Applications
Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others
OWASP Top Ten • Injection (SQL & XSS) • Cross-Site Scripting • Information Leakage • Principle of Least Privilege
The two top vulnerabilities, injection and XSS, share the same root cause: the programmer does not keep a distinction between code and data. Untrusted input is spliced into a string that the database or the browser will interpret as code.
XSS • What it is. • Types of XSS
How To Mitigate • Validate and constrain input • Properly encode output • Microsoft Anti-Cross Site Scripting Library
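The root cause named above (data spliced into code) and the two mitigations in the list (constrain input, encode output) in working C#. This is an added example, not code from the slides or the demo; the connection string, table and column names are assumed, and System.Data.SqlClient is the ADO.NET provider (on .NET Core it comes from the NuGet package of the same name). Input validation is left to the later slide on scrubbing; this block shows parameterization and output encoding.

```csharp
// Added example: the same mistake produces SQL injection on the way in and XSS on
// the way out, and the fix in both cases is to keep the data out of the code.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

static class CodeVsData
{
    // VULNERABLE: the user's input becomes part of the SQL program text, so a value such
    // as  x' OR '1'='1  rewrites the WHERE clause and matches every row.
    public static string BuildQueryUnsafe(string userName) =>
        "SELECT * FROM Users WHERE UserName = '" + userName + "'";

    // FIXED: the SQL text is constant and the input travels as a typed parameter value.
    // The database never parses the value, so it cannot change the statement's meaning.
    // (Connection string and schema are assumed for the example.)
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // VULNERABLE: the same mistake on the way out. A value containing <script>...</script>
    // is written into the page as markup, and the browser executes it.
    public static string RenderGreetingUnsafe(string userName) =>
        "<p>Hello, " + userName + "</p>";

    // FIXED: HTML-encode untrusted data at the point where it is written into an HTML
    // text context. WebUtility.HtmlEncode rewrites the same small character set
    // (< > & " ') as Server.HtmlEncode, which is enough for this context.
    public static string RenderGreetingSafe(string userName) =>
        "<p>Hello, " + WebUtility.HtmlEncode(userName) + "</p>";

    static void Main()
    {
        // Constructed attacker inputs for the demo.
        const string sqlPayload = "x' OR '1'='1";
        const string xssPayload = "<script>alert(document.cookie)</script>";

        Console.WriteLine(BuildQueryUnsafe(sqlPayload));     // the OR is now part of the query
        Console.WriteLine(RenderGreetingUnsafe(xssPayload)); // the tag is now part of the page
        Console.WriteLine(RenderGreetingSafe(xssPayload));   // the tag is now text: &lt;script&gt;

        using (var conn = new SqlConnection("Server=.;Database=Demo;Integrated Security=true"))
        {
            var cmd = BuildQuerySafe(conn, sqlPayload);
            Console.WriteLine(cmd.CommandText);  // unchanged by the payload
        }
    }
}
```

Parameterization is the SQL equivalent of output encoding: both hand the data to the interpreter through a channel that can only ever be data. Encoding must match the context the data lands in (HTML text, HTML attribute, JavaScript, URL); the encoder used here is only correct for the HTML text context.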
OWASP AntiSamy .NET • What about Server.HtmlEncode? • It uses a blacklist: only a small fixed set of characters (< > & " and, in newer versions, ') is rewritten, and everything else passes through untouched • Less secure than the whitelist approach of the Anti-XSS library, which encodes everything except characters known to be safe
Regex • Home-grown approach
Goldilocks problem. • Scrub data too little. • Scrub data just right. • Scrub data too hard.
Demo: XSS, and, if time permits, SQL injection.
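Why the blacklist is the weaker choice, as an added example that is not part of the slides or of either library. The whitelist encoder below is written here to illustrate the principle of inclusion that the Anti-XSS library follows; it is not the library's own code. WebUtility.HtmlEncode stands in for Server.HtmlEncode because it rewrites the same small character set.

```csharp
// Added example: blacklist encoding versus whitelist encoding, in the one place where
// the difference shows, an untrusted value written into an unquoted attribute.
using System;
using System.Net;
using System.Text;

static class EncoderComparison
{
    // Whitelist ("principle of inclusion") encoder: pass through ASCII letters and digits,
    // turn every other character into a numeric character reference.
    public static string WhitelistHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (safe) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // A template that writes untrusted data into an UNQUOTED attribute value. Templates
    // like this exist in real code, and they are where the blacklist approach fails:
    // the attribute value ends at the first literal space.
    public static string RenderUnquotedAttribute(string value, Func<string, string> encode) =>
        "<input type=text name=q value=" + encode(value) + ">";

    static void Main()
    {
        // Constructed attacker input: it contains no <, >, &, or quote characters,
        // so the blacklist encoder has nothing to rewrite.
        const string payload = "x onmouseover=alert(document.cookie)";

        // Blacklist: the space and '=' survive, the value ends after "x", and the browser
        // sees a second attribute named onmouseover whose value is the script.
        Console.WriteLine(RenderUnquotedAttribute(payload, WebUtility.HtmlEncode));

        // Whitelist: the space becomes &#32; and '=' becomes &#61;, so the whole payload
        // stays inside one attribute value and decodes back to harmless text.
        Console.WriteLine(RenderUnquotedAttribute(payload, WhitelistHtmlEncode));
    }
}
```

Quoting every attribute in the template removes this particular hole, but the whitelist encoder does not depend on the template author remembering to do so, which is the point of the "less secure" bullet.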
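The three outcomes of a home-grown regex scrubber, as an added example that is not from the slides. The field names, patterns and sample inputs are constructed for illustration.

```csharp
// Added example: too little, too hard, and just right, with a regex in each role.
using System;
using System.Text.RegularExpressions;

static class Goldilocks
{
    // Too little: a blacklist that deletes the literal tag. One pass removes the inner
    // "<script>" from a nested payload and leaves a working tag behind.
    public static string ScrubTooLittle(string input) =>
        Regex.Replace(input, "<script>", "", RegexOptions.IgnoreCase);

    // Too hard: strip everything that is not an ASCII letter, digit or space. Nothing
    // hostile survives, but neither do apostrophes, ampersands or accented names.
    public static string ScrubTooHard(string input) =>
        Regex.Replace(input, "[^A-Za-z0-9 ]", "");

    // Just right: fields with a known shape get an anchored whitelist pattern and are
    // rejected, not repaired, when they do not fit. Free text (names, comments) is kept
    // as entered and made safe by context-aware encoding at output time, not here.
    // \z is used instead of $ because $ also matches before a trailing newline,
    // and [0-9] instead of \d because \d matches non-ASCII digits in .NET.
    static readonly Regex UsZip = new Regex(@"^[0-9]{5}(-[0-9]{4})?\z");
    static readonly Regex Username = new Regex(@"^[A-Za-z0-9_.-]{3,32}\z");

    public static bool IsValidZip(string s) => UsZip.IsMatch(s);
    public static bool IsValidUsername(string s) => Username.IsMatch(s);

    static void Main()
    {
        const string nested = "<scr<script>ipt>alert(1)</script>";  // constructed bypass
        const string legit  = "Order for O'Brien & Sons, caf\u00e9 #12";  // constructed real data

        Console.WriteLine(ScrubTooLittle(nested));   // a complete <script> tag is back
        Console.WriteLine(ScrubTooHard(legit));      // apostrophe, &, comma, accent, # are gone

        Console.WriteLine(IsValidZip("74136-1234"));    // accepted
        Console.WriteLine(IsValidZip("74136; DROP"));   // rejected rather than "fixed"
        Console.WriteLine(IsValidUsername("larry.c"));
        Console.WriteLine(IsValidUsername("<script>"));
    }
}
```

Validation narrows what a field may contain; it does not make free text safe, because legitimate text (a comment containing "<3" or "O'Brien") must be allowed through. That is why the just-right rule pairs a tight whitelist on structured fields with encoding, not scrubbing, on everything else.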
Pros… • Validate input / encode output (Anti-XSS library) • The practice helps with both SQL injection and XSS • Adds another level of defense • Used by Microsoft as an internal tool
Cons… • It's not perfect and it should not be our only defense layer • Microsoft doesn't update it as often as it should • There is an open source alternative (OWASP AntiSamy .NET)
About Me • Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma. • My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores. • Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL) • My current passion is talking and learning about security and integrating it into the SDLC to create secure code. • Current project support manager, OWASP Code Review Project 2.0. • INFOSEC Certificate Program at the University of Tulsa • (ISC)² CISSP Certification • Committee on National Security Systems certificates. NSTISSI No. 4011: Information Systems Security Professional, 4012: