1 / 24

A Demo of and Preventing XSS in .NET Applications

A Demo of and Preventing XSS in .NET Applications. Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy . NET Cat .NET & Others. Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy . NET Cat .NET & Others.

tobit
Download Presentation

A Demo of and Preventing XSS in .NET Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Demo of and Preventing XSS in .NET Applications

  2. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others

  3. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others

  4. Injection SQL & XSS Cross-Site Scripting Information Leakage Principle of Least Privilege

  5. The Two top vulnerabilities both have the same vulnerability. Programmer does not make a distinction between code and data.

  6. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others

  7. XSS • What it is. • Types of XSS

  8. How To Mitigate • Validate and constrain input • Properly encode output • Microsoft Anti-Cross Site Scripting Library

  9. OWASP AntiSamy .NET • What about Server.HTMLEncode? • Uses blacklist for exclusion • Less secure

  10. Regex • Home Grown approach

  11. Goldilocks Problem. • Scrub Data to little. • Scrub Data just right. • Scrub Data to Hard.

  12. Demo XSS And if time permits SQL Injection

  13. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others

  14. Pros… • Validate Input / Encode Output (Anti-XSS library) • Helps with sql injection and XSS • Adds another level of defense • Used by Microsoft as an internal tool

  15. Cons… • Its not perfect and it should not be our only defense layer • Microsoft doesn’t update as often as it should. • We do have an open source Alternative (OWASP AntiSamy .Net)

  16. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .NET & Others

  17. Demo AntiSamy

  18. Introduction • OWASP Top Ten • XSS • Microsoft Web Protection Library • OWASP AntiSamy .NET • Cat .Net

  19. Cat .NET Demo

  20. Resources

  21. About Me • Larry Conklin Senior Developer at QuikTrip in Tulsa, Oklahoma. • My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites to help QuikTrip manage it’s 600+ stores. • Skills: C#, C/C++,RPGILE, COBOL, SQL, (SQL Server, Oracle, Sybase, PostgreSQL) • My current passion is talking and learning about security and integrating it into SDLC to create secure code. • Current project support manager OWASP Code review project 2.0. • INFOSEC Certificate Program at University of Tulsa • ISC(2) CISSP Certification • Committee on Nation Security Systems Certificates. NSTISSI No. 4011: • Information Systems Security Professional, 4012:

More Related