Top Ten Tips for Tenacious Defense in ASP.NET, Alex Smolen, Senior Consultant, SoCal Code Camp, 2008
1. Cross-Site Request Forgery
CSRF: The attacker entices the victim to view an HTML page containing a malicious image tag (hosted by an "accomplice"). The victim unknowingly submits a request to a server of the attacker's choosing, using the victim's credentials. Effects can vary: log the user out, execute a transaction, post a message, modify settings on an intranet device with a web interface.
CSRF - Examples: <!-- Buy shares of Microsoft in the background --> <img src="http://stocks.com/buy.aspx?sym=MSFT&shares=500"> <!-- Open up a firewall port --> <img src="http://firewall/openPort?portNumber=5344">
CSRF - Defense: The root cause is "ambient authority". Cookies, NTLM credentials and HTTP Auth are sent automatically by the browser. The site needs to provide another form of secret that the attacker can't guess.
CSRF Defense - the options: Referer, ViewStateUserKey, secret token, CAPTCHA, password re-authentication.
CSRF Defense - Referer: Check the HTTP Referer to make sure that the user just came from the right page (misspelling intentional; that is how the header is spelled). Problems: the Referer isn't always sent (privacy settings); it's difficult to tell in advance what the Referer will be; it can be faked with vulnerable versions of Flash.
CSRF Defense - ViewStateUserKey: ViewStateUserKey is combined with ViewState, so the ViewStateMac check will fail if the ViewStateUserKey is different. It can be used to ensure that ViewState is unique between users. Set the value to the session ID.
CSRF Defense - ViewStateUserKey: There are problems with this solution. Have blogged about this. What if ViewStateMac isn't enabled? The action isn't a postback? You don't want to use ViewState at all?
CSRF Defense - Secret Token: This is a more flexible approach. The form (or URL, potentially) contains a secret token that is required. It could be the same as, or based on, the session ID. The page checks for this token as well as the session ID in the cookie. Ambient authority is superseded.
CSRF Defense - Secret Token: Both CSRFGuard from OWASP and AntiCSRF from Barry Dorrans use this approach. http://www.owasp.org/index.php/CSRF_Guard http://www.codeplex.com/AntiCSRF/ Need to watch GET versus POST: idempotency and verb agnosticity, oh my!
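A minimal secret-token implementation for Web Forms, added here as an example; it is not code from the talk, nor from CSRFGuard or AntiCSRF. It assumes a base page class that your pages inherit from and session state enabled; the class name, session key and hidden-field name are made up for the example.

```csharp
// Added example (not from the talk): a per-session anti-CSRF token for ASP.NET Web Forms.
// Class, session key and field names are assumptions.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    private const string TokenSessionKey = "__CsrfToken";   // assumed name
    private const string TokenFieldName  = "__CSRFTOKEN";   // assumed name

    // The token for this session, created on first use. The bytes come from the
    // OS CSPRNG rather than System.Random, so an attacker's page cannot guess it,
    // and the same-origin policy stops that page from reading it out of our form.
    protected string CsrfToken
    {
        get
        {
            string token = Session[TokenSessionKey] as string;
            if (token == null)
            {
                byte[] raw = new byte[32];
                new RNGCryptoServiceProvider().GetBytes(raw);
                token = Convert.ToBase64String(raw);
                Session[TokenSessionKey] = token;
            }
            return token;
        }
    }

    // Emit the token as a hidden field inside <form runat="server">, so every
    // postback carries it alongside the ambient session cookie.
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        ClientScript.RegisterHiddenField(TokenFieldName, CsrfToken);
    }

    // Page.Load runs before any control event, so a bad token stops the request
    // before Button_Click or similar handlers can change state.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Only state-changing requests are checked. A GET that changes state is the
        // idempotency bug the slide warns about: switch it to POST, don't skip the check.
        if (string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            string submitted = Request.Form[TokenFieldName];
            string expected = Session[TokenSessionKey] as string;
            if (expected == null || submitted == null || !FixedTimeEquals(submitted, expected))
                throw new HttpException(403, "Missing or invalid CSRF token.");
        }
    }

    // Compare every character rather than stopping at the first mismatch.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Pages that do real work on GET (the stock-buying and firewall examples above) are not protected by this until they are changed to POST; the check deliberately ignores GET so that links and bookmarks keep working.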
CSRF Defense - CAPTCHA: A CAPTCHA theoretically requires a human to solve. Bleh… They work, but aren't very user-friendly, and CSRF is possible for a lot of actions. Maybe if it's Asirra… http://research.microsoft.com/en-us/um/redmond/projects/asirra/
CSRF Defense - Password Re-authentication: Simply require users to re-authenticate to perform an action. The most secure, hopefully. Can be done for BIG DEAL transactions, like cashing out an account or changing a password (this is usually done anyway). Example: Amazon Shopping Cart.
2. Session Fixation
Session Fixation: Let's say… You visit a web site. You enter your username and password. You continue browsing to other pages. The web site continues to know who you are. How?
Session Fixation: Sessions! An identifier is passed with each request (usually in a cookie). I can steal your session if I know your session identifier. Session identifiers are like a temporary password.
Session Fixation: Session fixation occurs when I force you to use a known session identifier. Shared terminal: at a library, hotel, etc., I visit a site, note the session ID, and wait for someone else to log in. Click a link (http://site.com/index.aspx?ASPSESSIONID=hack): if you click on my link, I know your session ID.
Session Fixation Defense: To defend against this, regenerate the session ID after login. You probably don't do this: there's no good way to regenerate the session ID in ASP.NET. If you use Forms authentication, you're OK…sorta. The FormsAuthenticationTicket is used in addition to the session cookie and can't be preset. However, I may be able to access your information with my FormsAuthenticationTicket and your session identifier.
Session Fixation - Defense: You could do something like this (gross): use an extra authentication cookie if you don't use Forms Authentication, and make sure all requests to a session are from the right authenticated user according to the authentication cookie.
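The "gross" approach in concrete form, as an added example that is not from the talk: abandon the pre-login session and clear its cookie so the next request gets a fresh ID, then stamp each session with the forms-authenticated user so that a ticket for one user can never be combined with a session ID that was fixed for another. It assumes Forms Authentication, in-process session state and the default session cookie name; `SessionGuard`, the session key and the hook points are the example's own choices.

```csharp
// Added example (not from the talk): regenerate the session at login and bind each
// session to the forms-authenticated user. Names and hook points are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionGuard
{
    private const string OwnerKey = "__SessionOwner";   // assumed key

    // Call from the login handler after the credentials have been verified.
    // ASP.NET has no RegenerateId(): abandoning the session and blanking the cookie
    // means the next request arrives without an ID and is issued a brand-new one, so
    // an ID the attacker planted before login is never promoted to an authenticated session.
    public static void LoginAndRegenerate(HttpContext ctx, string userName)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));   // default cookie name
        FormsAuthentication.SetAuthCookie(userName, false);
        // Redirect so the browser completes a round trip and picks up the fresh session ID.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), false);
    }

    // Call from Global.asax Application_PreRequestHandlerExecute, where Session is available.
    // The first authenticated request stamps the session with its owner; any later request
    // whose forms ticket names a different user (or none) is refused. That is exactly the
    // "my ticket + your session ID" combination the slide describes.
    public static void EnforceOwner(HttpContext ctx)
    {
        HttpSessionState session = ctx.Session;
        if (session == null) return;   // handler without session state

        string authUser = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name : null;
        string owner = session[OwnerKey] as string;

        if (owner == null)
        {
            if (authUser != null) session[OwnerKey] = authUser;
            return;
        }
        if (!string.Equals(owner, authUser, StringComparison.Ordinal))
        {
            session.Abandon();
            FormsAuthentication.SignOut();
            throw new HttpException(403, "Session does not belong to the authenticated user.");
        }
    }

    // Logout must drop the session too; otherwise the next anonymous request with the old
    // session cookie is refused by EnforceOwner instead of quietly starting over.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
        FormsAuthentication.SignOut();
    }
}
```

If the session cookie was renamed with `<sessionState cookieName="...">`, use that name in place of `ASP.NET_SessionId`; with `cookieless` URL sessions this approach does not apply at all, which is one more reason to keep them off.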
3. Real World Crypto
Real-World Crypto: cryptography:security::concurrency:programming. Truly understood by few, screwed up by almost everyone. People like cryptography because it is a security feature; a lot of times, they don't know what it does. Magic fairy dust.
Real-World Crypto: People will use hash functions, random numbers and encryption algorithms for all sorts of reasons. They're building blocks, and there are very specific purposes for each of them!
Real-World Crypto - Random Data: Properties: difficult to guess. Uses: generated passwords or links, session identifiers, cryptographic keys. How people mess this up: use System.Random() (not good enough!); use a predictable seed; don't use enough bits.
Real-World Crypto - Hashing: Properties: one-way. Uses: verify knowledge of something (e.g. passwords), verify integrity of something. How people mess this up: use a hash for authentication ("Verify this hacked file download with this hacked file hash!": an unkeyed hash published next to the file can be replaced along with the file); use a hash for something else (random data); use an insecure algorithm (not really an issue for most scenarios, but easy enough to fix).
Real-World Crypto - Symmetric cryptography: Properties: keeps a big secret with a smaller secret. Uses: keep sensitive data confidential. How people mess this up: the key has to be a secret; don't lose the key. Use the DPAPI! Key management for free! You can build your own as well, just be careful.
Real-World Crypto: That's it! Not really, cryptography is really complicated. If you're doing anything with certificates, SSL, digital signatures, WS-Security, get a book.
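What "use the DPAPI" looks like from managed code, as an added example that is not from the talk: `System.Security.Cryptography.ProtectedData` (in System.Security.dll) encrypts and authenticates a blob under a key Windows manages for the machine or the user, so the application never stores a key of its own. The entropy value, the scope and the `SecretStore` name are choices made for the example.

```csharp
// Added example (not from the talk): keeping a secret with DPAPI via ProtectedData.
// The entropy string, the scope and the class name are assumptions for the example.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore
{
    // Optional entropy is a second secret mixed into the DPAPI key. It need not be random,
    // but it must be identical for Protect and Unprotect, so keep it somewhere other than
    // the file that holds the protected blob.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");   // assumed value

    // LocalMachine scope: any account on this box can decrypt. CurrentUser would tie the
    // blob to the application pool identity instead.
    public static string Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);
        return Convert.ToBase64String(blob);
    }

    // Returns null rather than throwing when the blob came from another machine, another
    // scope or different entropy, or has been modified. The first case is the web-farm
    // pitfall: a DPAPI blob is not portable between servers.
    public static string Unprotect(string base64Blob)
    {
        try
        {
            byte[] blob = Convert.FromBase64String(base64Blob);
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException) { return null; }
        catch (FormatException) { return null; }
    }

    public static void Main()
    {
        // Constructed sample secret; not a real connection string.
        string blob = Protect("Server=db;User Id=app;Password=constructed-example");
        Console.WriteLine(blob);              // opaque base64, different on every call
        Console.WriteLine(Unprotect(blob));   // the original string

        // Flip one byte: DPAPI authenticates the blob, so this is detected rather than
        // silently decrypting to garbage.
        byte[] bytes = Convert.FromBase64String(blob);
        bytes[bytes.Length - 1] ^= 0x01;
        Console.WriteLine(Unprotect(Convert.ToBase64String(bytes)) == null ? "tamper detected" : "?!");
    }
}
```

For secrets that live in web.config there is a no-code path to the same API: `aspnet_regiis -pe "connectionStrings" -prov DataProtectionConfigurationProvider` encrypts the section with DPAPI and ASP.NET decrypts it transparently at runtime, with the same single-machine caveat.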
 
4. The AntiXss Library
The AntiXSS Library: XSS is an issue. Has been for a while. Really hard to stop. The problem is the browser. Also, we end up putting user-modifiable data in weird places, such as… ASP.NET doesn't help us too much:
Control: encoding behavior
Literal: none by default; HTML encoded if the Mode property is set to LiteralMode.Encode
Label: none
TextBox: single-line text box is not encoded; multiline text box is HTML encoded
Button: Text is attribute encoded
LinkButton: none
HyperLink: Text is not encoded; NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded
DropDownList and ListBox: option values are attribute encoded; option display texts are HTML encoded
CheckBox and CheckBoxList: Value is not used; display text is not encoded
RadioButton and RadioButtonList: Value is attribute encoded; display text is not encoded
GridView and DetailsView: text fields are HTML encoded if their HtmlEncode property is set to true; null display text is never encoded
The Anti-XSS Library: Data needs to be encoded fully and with the right context. User data could be output to HTML, an HTML attribute, JavaScript, XML, etc…
Method: description
HtmlEncode: more robust version of the HttpUtility.HtmlEncode method
HtmlAttributeEncode: encoding for dynamically created HTML attributes (e.g. src="")
XmlEncode / XmlAttributeEncode: encoding for XML elements and attributes
UrlEncode: encoding for dynamically constructed URLs
JavaScriptEncode / VisualBasicEncode: encoding for dynamically generated JavaScript or VBScript
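The same untrusted value rendered into four different contexts with the matching AntiXSS encoder, as an added example that is not from the talk. It assumes the AntiXSS 1.5/3.0 static API (`Microsoft.Security.Application.AntiXss`); the hostile input is constructed for the example and the `ProfileRenderer` name is made up.

```csharp
// Added example (not from the talk): one untrusted string, four output contexts, four
// encoders. Assumes the AntiXSS 1.5/3.0 static API; the input is constructed.
using System;
using System.Web;
using Microsoft.Security.Application;

public static class ProfileRenderer
{
    // Constructed payload: breaks out of a double-quoted attribute, injects a script
    // element in an HTML body, and closes a JavaScript string literal.
    public const string Hostile = "Bob\" onmouseover=\"alert(1)\"><script>alert(2)</script>';alert(3);//";

    // HTML body context: everything outside the safe alphanumeric set becomes an entity.
    public static string Greeting(string displayName)
    {
        return "<p>Hello, " + AntiXss.HtmlEncode(displayName) + "</p>";
    }

    // Attribute context, deliberately single-quoted: HttpUtility.HtmlEncode in .NET 2.0/3.5
    // leaves the apostrophe alone, so a value containing ' would break out of the attribute.
    // The AntiXSS attribute encoder encodes it.
    public static string Avatar(string displayName)
    {
        return "<img src='/avatar.ashx' alt='" + AntiXss.HtmlAttributeEncode(displayName) + "' />";
    }

    // JavaScript string context: the encoder emits \x escapes and (in this API version)
    // wraps the result in its own quotes, so do not add quotes around it yourself.
    public static string ClientScript(string displayName)
    {
        return "<script>var who = " + AntiXss.JavaScriptEncode(displayName) + "; greet(who);</script>";
    }

    // URL query context: for one value dropped into a query string, not for a whole URL.
    public static string SearchLink(string displayName)
    {
        return "<a href=\"/search.aspx?q=" + AntiXss.UrlEncode(displayName) + "\">find</a>";
    }

    public static void Main()
    {
        Console.WriteLine(Greeting(Hostile));
        Console.WriteLine(Avatar(Hostile));
        Console.WriteLine(ClientScript(Hostile));
        Console.WriteLine(SearchLink(Hostile));
        // For comparison, the framework encoder of that era passes the apostrophe through.
        Console.WriteLine(HttpUtility.HtmlEncode("it's"));   // prints: it's
    }
}
```

The point of the four methods is that the encoder is chosen by where the value lands in the output, not by where it came from; the same display name needs a different encoder in each place, and a value that is HTML-encoded once and then pasted into a script block is still not safe there.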
5. Stop Injection!
Stop Injection! Injection occurs when: we treat data as code? We fail to properly validate input? We fail to properly encode output? Like, all the time? Yes.
Stop Injection! How do we stop SQL injection, command injection, path manipulation, XML injection, LDAP injection, who-knows-what-else?
Stop Injection! Two things we can do. Validate: make sure all request data looks the way it's supposed to. Uh, that's all data (cookies, headers, hidden fields). Encode: make sure all data is properly encoded for its destination. SqlCommand with SqlParameters does this for SQL. Otherwise, you are on your own.
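Both halves of the advice applied to one lookup, as an added example that is not from the talk: the injectable string-concatenated query next to the parameterized one, a shape check on the input, and the case parameters cannot cover (a user-chosen sort column). Table, column names and the SKU format are made up for the example.

```csharp
// Added example (not from the talk): validate the input's shape, send values as
// SqlParameters, and whitelist identifiers. Table/column names and the SKU format are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductLookup
{
    // VULNERABLE: the request value becomes part of the SQL text.
    // sku = "X' OR 1=1 --" returns every row; "X'; DROP TABLE Products; --" does worse.
    public static string VulnerableSql(string sku)
    {
        return "SELECT Name, Price FROM Products WHERE Sku = '" + sku + "'";
    }

    // Validate: a SKU has a known shape, so reject anything else before it goes anywhere.
    private static readonly Regex SkuShape = new Regex(@"^[A-Z0-9-]{3,20}$", RegexOptions.CultureInvariant);   // assumed format

    public static bool IsValidSku(string sku)
    {
        return sku != null && SkuShape.IsMatch(sku);
    }

    // Encode for the destination: SqlParameter ships the value separately from the SQL text,
    // so quotes and comment markers inside it are data, not syntax.
    public static SqlCommand SafeCommand(SqlConnection conn, string sku)
    {
        if (!IsValidSku(sku)) throw new ArgumentException("SKU has an unexpected format.", "sku");
        SqlCommand cmd = new SqlCommand("SELECT Name, Price FROM Products WHERE Sku = @sku", conn);
        cmd.Parameters.Add("@sku", SqlDbType.VarChar, 20).Value = sku;
        return cmd;
    }

    // Parameters cannot carry identifiers (column or table names). A user-chosen sort
    // column is mapped through a whitelist; the request value is never concatenated.
    public static string OrderByColumn(string requested)
    {
        switch (requested)
        {
            case "price": return "Price";
            case "name":  return "Name";
            default:      return "Name";
        }
    }

    public static void Main()
    {
        Console.WriteLine(VulnerableSql("X' OR 1=1 --"));   // the injected predicate is right there in the text
        Console.WriteLine(IsValidSku("X' OR 1=1 --"));       // False
        Console.WriteLine(IsValidSku("ABC-123"));            // True
        Console.WriteLine(OrderByColumn("price; DROP TABLE Products"));   // Name (fell through to the default)

        // Constructing the command does not open a connection, so this runs without a database.
        using (SqlConnection conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            SqlCommand cmd = SafeCommand(conn, "ABC-123");
            Console.WriteLine(cmd.CommandText + "   [@sku = " + cmd.Parameters["@sku"].Value + "]");
        }
    }
}
```

The validation step is not redundant with the parameter: it catches values that are syntactically harmless to SQL but still wrong for the application, and it is the only defense available once the same value is forwarded to an LDAP query, a shell command or a file path, where no SqlParameter equivalent exists.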
 
6. Authorization Woes
Authorization Woes: Who is allowed to do what? Well, we don't know… Draw an authorization matrix! Think about horizontal and vertical privilege escalation! I'm serious!
Authorization Woes - example matrix (role: Orders | Products | /admin | …)
Customers: View | View | No | …
Managers: View, Modify | View, Modify, Add | No | …
Administrators: View, Modify, Add, Delete | View, Modify, Add, Delete | Yes | …
…: … | … | … | …
Authorization Woes: Role-based access control works well here. Group users by role. Some users will need additional privileges; you can use a finer-grained model. Some authorization concerns rely on state ("After 5PM, traders cannot place orders greater than the sum of the previous week's total, minus exemptions…"). This becomes business logic.
Authorization Woes: User logs in, clicks on "My Account". URL: http://www.bank.com/accouts.aspx?id=123-456-7890 What if I got my neighbor's statement by mistake? http://www.bank.com/accouts.aspx?id=-098-765-4321 I shouldn't be seeing their statement. Horizontal privilege escalation.
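The statement page with both checks enforced, as an added example that is not from the talk. The account id in the URL is treated as a hint, never as proof of ownership: the query itself requires that the row belong to the authenticated user (the horizontal check), while the Administrators role from the matrix above is the only one allowed to bypass that (the vertical check). Role names follow the slide's matrix; the table, column names and `StatementAccess` class are made up.

```csharp
// Added example (not from the talk): scoping a lookup to the authenticated user so a
// changed id in the URL cannot reach someone else's account. Table and column names are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class StatementAccess
{
    // Builds the query for the caller's own account, or for any account if the caller is
    // an Administrator. Missing rows are reported as "not found" rather than "forbidden",
    // so the page cannot be used to enumerate which ids exist.
    public static SqlCommand BuildStatementQuery(SqlConnection conn, IPrincipal user, string accountId)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Login required.");

        if (user.IsInRole("Administrators"))
        {
            SqlCommand adminCmd = new SqlCommand(
                "SELECT AccountId, Balance FROM Accounts WHERE AccountId = @id", conn);
            adminCmd.Parameters.Add("@id", SqlDbType.VarChar, 20).Value = accountId;
            return adminCmd;
        }

        // Customers and Managers: the owner predicate is part of the query, not a check
        // done afterwards in page code that someone can forget.
        SqlCommand cmd = new SqlCommand(
            "SELECT AccountId, Balance FROM Accounts WHERE AccountId = @id AND OwnerUserName = @owner", conn);
        cmd.Parameters.Add("@id", SqlDbType.VarChar, 20).Value = accountId;
        cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = user.Identity.Name;
        return cmd;
    }

    // Page-side usage: a wrong id and somebody else's id produce the same response.
    public static void Render(HttpContext ctx, SqlConnection conn, string accountId)
    {
        SqlCommand cmd = BuildStatementQuery(conn, ctx.User, accountId);
        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            if (!reader.Read())
                throw new HttpException(404, "No such account.");
            ctx.Response.Write("Balance: " + reader["Balance"]);
        }
    }

    public static void Main()
    {
        // Constructed principal standing in for a forms-authenticated customer.
        IPrincipal customer = new GenericPrincipal(new GenericIdentity("alice"), new string[] { "Customers" });
        using (SqlConnection conn = new SqlConnection("Server=.;Database=Bank;Integrated Security=true"))
        {
            SqlCommand cmd = BuildStatementQuery(conn, customer, "098-765-4321");
            Console.WriteLine(cmd.CommandText);                   // ... AND OwnerUserName = @owner
            Console.WriteLine(cmd.Parameters["@owner"].Value);    // alice: the neighbor's id gets no row
        }
    }
}
```

The role check alone would not have caught the slide's scenario, since both neighbors are Customers; the owner predicate is what closes the horizontal hole, and it has to be applied to every query that takes an object id from the request, not only this one.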
7. Mind Your Cookies!
Mind Your Cookies: Don't use cookies! Let ASP.NET do the session stuff for you. What else could you possibly need to use cookies for? OK, OK, so maybe you can use them sometimes. Don't base security decisions off the data!
Mind Your Cookies: There are two attributes that can be added to the Set-Cookie response header. Secure: do not transmit this cookie over non-SSL connections. HttpOnly: do not allow JavaScript to access this cookie.
Mind Your Cookies: Domain: think about what sub-domains need access. Path: you can limit what parts of your application cookies are sent to. Expiration: don't go crazy.
Mind Your Cookies - URL Rewriting: Pass the session ID as a URL argument: http://site.com/a.aspx?sessionid=123123123 Bad idea: it ends up in history, bookmarks and links sent to friends. Originally for users with cookies disabled, probably a small enough minority to ignore.
Session State in ASP.NET: <httpCookies httpOnlyCookies="true"> marks all container-issued cookies as HttpOnly. <sessionState cookieless="UseCookies"> prevents URL rewriting. <forms requireSSL="true"> marks the Forms Authentication cookie as Secure, so it is only sent over SSL.
8. Password Potpourri
Password Potpourri: Make your passwords strong. Eight characters, one letter, one number, one symbol. Actually this could be totally inappropriate; it depends on your security requirements. Hash and salt stored passwords: salting prevents rainbow table attacks if the password table is compromised.
Password Potpourri: Think about your password reset scheme. Could send a link to the reset page in an email, but what if the email is hacked? Could ask a secret question and answer, but what if their answer is really easy ("Your dog's name is… Fido")? Use both. Lock out brute forcers, just for a little bit.
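Salted password storage and a temporary lockout in one place, as an added example that is not from the talk. It also serves the "random data" and "hashing" slides in the crypto section: the salt comes from the OS CSPRNG rather than System.Random, and the hash is PBKDF2 (`Rfc2898DeriveBytes`, in the framework since 2.0) rather than a bare SHA call, so a leaked table costs the attacker work per guess as well as per user. Iteration count, lockout threshold and window, the storage format and the `PasswordService` name are assumptions for the example.

```csharp
// Added example (not from the talk): PBKDF2 with a per-user random salt, fixed-time
// verification, and a short lockout after repeated failures. Constants are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class PasswordService
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 10000;   // assumed; raise it as hardware allows
    private const int MaxFailures = 5;      // assumed
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);   // "just for a little bit"

    // Salt from RNGCryptoServiceProvider, never System.Random: a unique random salt per
    // user is what makes a precomputed rainbow table useless against the whole table.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Recompute with the stored salt and iteration count; compare every byte.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // Failure counters keyed by user name. In-memory here; a web farm needs a shared table.
    private class Failures { public int Count; public DateTime LockedUntil; }
    private static readonly Dictionary<string, Failures> Attempts = new Dictionary<string, Failures>();

    // True only if the account is not locked out and the password matches. Failures are
    // counted for unknown user names too (storedHashOrNull == null), and the lock expires
    // on its own instead of requiring an administrator.
    public static bool Login(string userName, string password, string storedHashOrNull, DateTime now)
    {
        Failures f;
        lock (Attempts)
        {
            if (!Attempts.TryGetValue(userName, out f)) { f = new Failures(); Attempts[userName] = f; }
            if (now < f.LockedUntil) return false;
        }

        bool ok = storedHashOrNull != null && Verify(password, storedHashOrNull);

        lock (Attempts)
        {
            if (ok)
            {
                f.Count = 0;
            }
            else if (++f.Count >= MaxFailures)
            {
                f.Count = 0;
                f.LockedUntil = now + LockoutWindow;
            }
        }
        return ok;
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple");
        DateTime t = new DateTime(2008, 6, 1, 9, 0, 0);
        Console.WriteLine(Login("alice", "correct horse battery staple", stored, t));                   // True
        for (int i = 0; i < MaxFailures; i++) Login("alice", "guess" + i, stored, t);                    // five wrong guesses
        Console.WriteLine(Login("alice", "correct horse battery staple", stored, t));                   // False: locked out
        Console.WriteLine(Login("alice", "correct horse battery staple", stored, t.AddMinutes(16)));    // True: lock expired
    }
}
```

The stored string carries its own iteration count, so the cost can be raised later for new passwords while old ones still verify; and because the lockout is per user name and short, an attacker cannot use it to lock a victim out for good, which is the usual objection to "lock out brute forcers".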
9. Users, users, users
Users, users, users: They (some of them) are dumb! Don't trust them… to recognize your sites with the right domain and SSL cert, or to not have malware installed. Assume the worst can happen.
10. Full Trust Exercise
Full Trust Exercise: Full trust is the ASP.NET trust level that allows code to do anything it wants. Sound dangerous? It is! It's also the default, and the way a LOT of ASP.NET sites run. Consider placing your application in Medium trust. It could prevent the attacks you don't know about!

  • 1. Top Ten Tips for Tenacious Defense in ASP.NET Alex Smolen Senior Consultant SoCal Code Camp , 2008
  • 12. CSRF Defense - CAPTCHA
    - A CAPTCHA theoretically requires a human to solve it
    - Bleh… they work, but they aren’t very user-friendly, and CSRF is possible for a lot of actions, so you can’t put one in front of every request
    - Maybe if it’s Asirra… http://research.microsoft.com/en-us/um/redmond/projects/asirra/
  • 13. CSRF Defense – Password Re-authentication
    - Simply require users to re-authenticate to perform an action
    - The most secure option, hopefully: the attacker can forge the request but doesn’t know the password
    - Can be done for BIG DEAL transactions, like cashing out an account or changing a password (this is usually done anyway)
    - Example: Amazon shopping cart
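The secret-token defence from the CSRF slides, worked through for a Web Forms page. This is example code added to this transcript, not the CSRFGuard or AntiCSRF implementation; the session slot name, the hidden field name and the base-page wiring are assumptions. It also sets ViewStateUserKey the way slide 8 suggests, so both checks are in one place.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Synchronizer-token CSRF defence for ASP.NET Web Forms (example code for this
// deck, not the CSRFGuard or AntiCSRF library). The token is a random per-session
// secret, emitted in a hidden field and required on every POST.
public static class CsrfToken
{
    private const string SessionKey = "__csrfToken";   // assumed session slot name
    public const string FieldName = "__csrfToken";      // assumed hidden field name

    // Returns this session's token, creating it on first use. 256 bits from the
    // OS CSPRNG is something an attacker's page cannot guess, which is exactly
    // what the ambient authority (the session cookie) lacks.
    public static string GetOrCreate(HttpSessionState session)
    {
        string token = session[SessionKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Constant-time comparison so a remote attacker cannot learn the token one
    // character at a time from response timing.
    public static bool ConstantTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Rejects any POST that does not carry the session's token. GETs are left
    // alone because they must stay idempotent (nothing state-changing on GET), and
    // the token is read from the form body only, never from the query string.
    public static void Validate(Page page)
    {
        if (!string.Equals(page.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;
        string expected = page.Session[SessionKey] as string;
        string actual = page.Request.Form[FieldName];
        if (expected == null || !ConstantTimeEquals(expected, actual))
            throw new HttpException(403, "Missing or invalid anti-CSRF token");
    }
}

// Base page: derive every page from this and the check plus the hidden field
// come for free.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Slide 8's trick as well: ViewStateUserKey must be set during Init, before
        // ViewState is loaded, and ties the ViewState MAC to this session.
        ViewStateUserKey = Session.SessionID;
        CsrfToken.Validate(this);
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        ClientScript.RegisterHiddenField(CsrfToken.FieldName, CsrfToken.GetOrCreate(Session));
    }
}
```

The token is checked before any page event handler runs, so a forged `<form>` auto-submitted from an attacker’s page fails with a 403 even though the browser attached the victim’s cookies. Because the token is only ever accepted from the POST body, a state-changing handler that is reachable by GET stays unprotected; that is the GET-versus-POST point from slide 11.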
  • 15. Session Fixation
    - Let’s say… you visit a web site, you enter your username and password, you continue browsing to other pages, and the web site continues to know who you are. How?
  • 16. Session Fixation
    - Sessions! An identifier is passed with each request (usually in a cookie)
    - I can steal your session if I know your session identifier
    - Session identifiers are like a temporary password
  • 17. Session Fixation
    - Session fixation occurs when I force you to use a known session identifier
    - Shared terminal (at a library, hotel, etc.): I visit a site, note the session ID, and wait for someone else to log in
    - Click a link: http://site.com/index.aspx?ASPSESSIONID=hack (in ASP.NET’s cookieless mode the ID sits in the path instead, e.g. http://site.com/(S(hack))/index.aspx)
    - If you click on my link, I know your session ID
  • 18. Session Fixation Defense
    - To defend against this, regenerate the session ID after login
    - You probably don’t do this: there’s no built-in call to regenerate the session ID in ASP.NET
    - If you use Forms authentication, you’re OK… sorta
    - The FormsAuthenticationTicket is carried in addition to the session cookie and can’t be preset by the attacker
    - However, I may be able to access your information by presenting my own FormsAuthenticationTicket together with your session identifier
  • 19. Session Fixation - Defense
    - You could do something like this: Gross
    - Use an extra authentication cookie if you don’t use Forms Authentication
    - Make sure all requests to a session are from the right authenticated user according to the authentication cookie
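One way to do what slides 18 and 19 ask for, as example code added to this transcript rather than the snippet on the slide: rotate the session ID at login using ASP.NET’s own SessionIDManager, and bind each session to the first authenticated user seen in it so that someone presenting their own forms ticket with your session ID is refused. The session slot name is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Session-fixation defence for ASP.NET (example code for this deck). Two parts:
// a fresh session ID at login, and a refusal to serve a session to a different
// authenticated user than the one it was bound to.
public static class SessionGuard
{
    private const string OwnerKey = "__sessionOwner";   // assumed session slot name

    // Call once the credentials have been verified. The session the attacker may
    // have planted is abandoned and a new ID goes out with this response, so the
    // ID the victim was handed no longer identifies a logged-in user.
    public static void LoginAndRotateSession(HttpContext context, string userName)
    {
        context.Session.Abandon();

        // ASP.NET's own ID manager creates the ID and writes the ASP.NET_SessionId
        // cookie; 'redirected' is only set in cookieless mode.
        SessionIDManager manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        FormsAuthentication.SetAuthCookie(userName, false);
        // Nothing is stored in Session here on purpose: anything written during
        // this request still lands in the abandoned session. ValidateOwner binds
        // the new session on the next request instead.
    }

    // Call early in every request (Application_PostAcquireRequestState in
    // Global.asax, or a base page's OnInit). The first authenticated request binds
    // the session to that user; a later request that presents a different auth
    // ticket with the same session ID (slide 18's attacker) is thrown out.
    public static void ValidateOwner(HttpContext context)
    {
        if (context.Session == null || !context.Request.IsAuthenticated) return;
        string current = context.User.Identity.Name;
        string owner = context.Session[OwnerKey] as string;
        if (owner == null)
        {
            context.Session[OwnerKey] = current;
        }
        else if (!string.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            context.Session.Abandon();
            FormsAuthentication.SignOut();
            throw new HttpException(403, "Session does not belong to this user");
        }
    }
}
```

The rotation alone closes the shared-terminal and link cases on slide 17; the owner check is what closes the case on slide 18, where the attacker already holds a valid ticket of their own.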
  • 20. 3. Real World Crypto
  • 21. Real-World Crypto
    - cryptography:security::concurrency:programming
    - Truly understood by few, screwed up by almost everyone
    - People like cryptography because it is a security feature; a lot of the time, they don’t know what it does
    - Magic fairy dust
  • 23. Real-World Crypto
    - People will use hash functions, random numbers and encryption algorithms for all sorts of reasons
    - They’re building blocks, and there are very specific purposes for each of them!
  • 24. Real-World Crypto – Random Data
    - Properties: difficult to guess
    - Uses: generated passwords or links, session identifiers, cryptographic keys
    - How people mess this up: using System.Random (not good enough: it is a predictable pseudo-random generator, not a cryptographic one); using a predictable seed; not using enough bits
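Slide 24’s three mistakes side by side with the fix, as example code added to this transcript: System.Random seeded from the clock reproduces the same “random” token for the same seed, while RNGCryptoServiceProvider draws from the OS CSPRNG and the caller is forced to ask for enough bits.

```csharp
using System;
using System.Security.Cryptography;

// Generating unguessable identifiers (example code added to this deck).
public static class SecureToken
{
    // DON'T: System.Random is a deterministic PRNG. Its default seed is the
    // clock, so two tokens made in the same millisecond collide, and anyone who
    // can guess roughly when the token was made can reproduce it.
    public static string WeakToken(int seed)
    {
        Random r = new Random(seed);
        byte[] bytes = new byte[16];
        r.NextBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // DO: take at least 128 bits from the OS CSPRNG and encode them URL-safely.
    public static string StrongToken(int bits)
    {
        if (bits < 128) throw new ArgumentOutOfRangeException("bits", "use at least 128 bits");
        byte[] bytes = new byte[(bits + 7) / 8];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        // base64url: safe inside a link or a cookie without further encoding
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        int seed = Environment.TickCount;
        // Two weak tokens built from the same seed are identical: whoever guesses
        // the seed guesses the password-reset link.
        Console.WriteLine(WeakToken(seed) == WeakToken(seed) ? "weak: reproducible" : "weak: differs");
        // Two strong tokens never share a seed to guess.
        Console.WriteLine(StrongToken(128));
        Console.WriteLine(StrongToken(128));
    }
}
```

Use StrongToken for the generated links, session-like identifiers and keys the slide lists; 128 bits is the floor, not a target, and keys for a specific algorithm should be exactly that algorithm’s key size.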
  • 26. Real-World Crypto – Hashing
    - Properties: one-way
    - Uses: verify knowledge of something (e.g. passwords), verify integrity of something
    - How people mess this up: using a hash for authentication (“Verify this hacked file download with this hacked file hash!”: whoever replaced the file can replace the hash too, so integrity against an attacker needs a signature or a keyed MAC); using a hash for something else, such as random data; using an insecure algorithm (not really an issue for most scenarios, but easy enough to fix: MD5 collisions are practical, so prefer SHA-256)
  • 28. Real-World Crypto – Symmetric Cryptography
    - Properties: keeps a big secret with a smaller secret (the key)
    - Uses: keep sensitive data confidential
    - How people mess this up: the key has to be a secret, and it ends up in code or config; don’t lose the key either
    - Use the DPAPI! Key management for free!
    - You can build your own as well, just be careful
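“Use the DPAPI” in working form, as example code added to this transcript: System.Security.Cryptography.ProtectedData (in System.Security.dll) encrypts under a key Windows derives from the machine or user credentials, so no key sits in code or config. The entropy value and the sample connection string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Protecting a secret at rest with DPAPI (example code added to this deck). The
// key never appears in code or config: Windows derives it from the machine or
// user credentials, which is the "key management for free" from slide 28.
public static class SecretVault
{
    // Optional entropy is a second secret mixed into the key derivation. Without
    // it, any process running under the same scope can Unprotect the blob. It
    // lives with the code, so treat it as hardening, not as the key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy"); // assumed value

    // LocalMachine: any account on this box can decrypt. CurrentUser ties the blob
    // to the application pool identity instead, which is usually the better choice
    // for a web app as long as that identity's profile is loaded.
    private const DataProtectionScope Scope = DataProtectionScope.LocalMachine;

    public static string Protect(string plaintext)
    {
        byte[] cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy, Scope);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string stored)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, Scope);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample secret: the kind of thing that otherwise sits in
        // web.config in the clear.
        string blob = Protect("Server=db;User Id=app;Password=hunter2");   // assumed value
        Console.WriteLine(blob);               // opaque, and DPAPI salts it so it differs per call
        Console.WriteLine(Unprotect(blob));    // the connection string again
    }
}
```

The blob is bound to this machine (or this user on this machine), so it does not travel: a web farm needs either the same blob protected separately on every node or a different scheme with a shared, properly stored key.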
  • 30. Real-World Crypto
    - That’s it! Not really, cryptography is really complicated
    - If you’re doing anything with certificates, SSL, digital signatures or WS-Security, get a book
  • 32. 4. The AntiXss Library
  • 33. The AntiXSS Library
    - XSS is an issue, has been for a while, and is really hard to stop
    - The problem is the browser
    - Also, we end up putting user-modifiable data in weird places, such as …
    - ASP.NET doesn’t help us too much
  • 34. Control behavior (which ASP.NET controls encode their data)
    Literal: none by default; HTML encoded if the Mode property is set to LiteralMode.Encode
    Label: none
    TextBox: single-line text box is not encoded; multi-line text box is HTML encoded
    Button: Text is attribute encoded
    LinkButton: none
    HyperLink: Text is not encoded; NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded
    DropDownList and ListBox: option values are attribute encoded; option display texts are HTML encoded
    CheckBox and CheckBoxList: value is not used; display text is not encoded
    RadioButton and RadioButtonList: value is attribute encoded; display text is not encoded
    GridView and DetailsView: text fields are HTML encoded if their HtmlEncode property is set to true; null display text is never encoded
  • 35. The Anti-XSS Library
    - Data needs to be encoded fully, and with the right context
    - User data could be output to HTML, an HTML attribute, JavaScript, XML, etc…
  • 36. AntiXss methods (Method: Description)
    HtmlEncode: more robust version of the HttpUtility.HtmlEncode method
    HtmlAttributeEncode: encoding for dynamically created HTML attributes (i.e. src=“”)
    XmlEncode / XmlAttributeEncode: encoding for XML elements and attributes
    UrlEncode: encoding for dynamically constructed URLs
    JavaScriptEncode / VisualBasicEncode: encoding for dynamically generated JavaScript or VBScript
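The same untrusted value emitted into three different contexts, each with the encoder from slide 36. Example code added to this transcript, not from the slides or the library; the control names are hypothetical, the library API is the static Microsoft.Security.Application.AntiXss class as shipped in the 1.5/3.0 releases, and the claim that JavaScriptEncode returns the value already wrapped in single quotes is an assumption about those versions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXss library; static AntiXss class of v1.5/3.0 assumed

// One untrusted value, three output contexts, three encoders (example code added
// to this deck; the controls are hypothetical).
public partial class ProfilePage : Page
{
    protected Literal greeting;      // <asp:Literal id="greeting" runat="server" /> in the .aspx
    protected Literal profileLink;   // <asp:Literal id="profileLink" runat="server" />

    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"];
        // Constructed hostile input used when nothing is supplied: tries to close an
        // attribute, add an event handler, and break out of a JS string literal.
        if (string.IsNullOrEmpty(name)) name = "\" onmouseover=\"alert(1)\" x=\"';alert(2);//";

        // 1. HTML body. A Literal emits its Text verbatim (slide 34), so the
        //    value has to be encoded for the HTML context by hand.
        greeting.Text = "Hello, " + AntiXss.HtmlEncode(name);

        // 2. Two contexts in one tag: the query-string part of the href gets
        //    UrlEncode, the title attribute gets HtmlAttributeEncode.
        profileLink.Text = "<a href=\"/profile.aspx?name=" + AntiXss.UrlEncode(name)
                         + "\" title=\"" + AntiXss.HtmlAttributeEncode(name) + "\">your profile</a>";

        // 3. JavaScript string literal. JavaScriptEncode (assumed to return the value
        //    already wrapped in single quotes in these versions) escapes quotes,
        //    backslashes and < > as \xNN, so the value cannot end the literal or the
        //    <script> block.
        ClientScript.RegisterStartupScript(GetType(), "who",
            "var who = " + AntiXss.JavaScriptEncode(name) + "; document.title = who;", true);

        // WRONG for context 3: HTML-encoding inside a script block produces entities
        // the script engine does not decode, so either the script breaks or, with the
        // weaker HttpUtility.HtmlEncode (which leaves the single quote alone), the
        // attacker still terminates the literal. The encoder must match the sink.
    }
}
```

Every AntiXss encoder is a whitelist: anything that is not a letter or digit is encoded, which is why it is called more robust than HttpUtility.HtmlEncode, and why using it in the wrong context is still wrong rather than merely wasteful.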
  • 38. Stop Injection!
    - Injection occurs when we treat data as code, when we fail to properly validate input, and when we fail to properly encode output
    - Like, all the time? Yes
  • 39. Stop Injection!
    - How do we stop SQL injection, command injection, path manipulation, XML injection, LDAP injection, who-knows-what-else?
  • 41. Stop Injection!
    - Two things we can do:
    - Validate: make sure all request data looks the way it’s supposed to. Uh, that’s all data (cookies, headers, hidden fields)
    - Encode: make sure all data is properly encoded for its destination. SqlCommand with SqlParameters does this for SQL; otherwise, you are on your own
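Both halves of slide 41 for the SQL case, as example code added to this transcript: the concatenated query and the parameterised one that replaces it, plus whitelist validation for the one piece (a column name) that cannot be a parameter. The connection string, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Parameterised query beside the concatenated one it replaces, and validation for
// what parameters cannot cover (example code added to this deck; schema assumed).
public static class OrderLookup
{
    private const string ConnString = "Server=.;Database=Shop;Integrated Security=true"; // assumed

    // VULNERABLE: the user's input becomes part of the SQL text. A customer name of
    //   ' OR 1=1 --
    // turns the WHERE clause into a tautology and returns every order.
    public static DataTable FindOrdersUnsafe(string customerName)
    {
        string sql = "SELECT Id, Total FROM Orders WHERE Customer = '" + customerName + "'";
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlDataAdapter da = new SqlDataAdapter(sql, conn))
        {
            DataTable t = new DataTable();
            da.Fill(t);
            return t;
        }
    }

    // SAFE: the value travels as a typed parameter. The driver never splices it into
    // the statement text, so quotes and comment markers are just characters in a name.
    public static DataTable FindOrders(string customerName, string sortColumn)
    {
        string sql = "SELECT Id, Total FROM Orders WHERE Customer = @customer ORDER BY " + SafeOrderBy(sortColumn);
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 100).Value = customerName;
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                DataTable t = new DataTable();
                da.Fill(t);
                return t;
            }
        }
    }

    // Identifiers (column names, table names) cannot be parameters, so this is
    // where "validate" applies: accept only values from a fixed whitelist and
    // return the whitelist's own spelling, never the caller's string.
    private static readonly string[] SortableColumns = { "Id", "Total", "Placed" };

    public static string SafeOrderBy(string requested)
    {
        foreach (string column in SortableColumns)
            if (string.Equals(column, requested, StringComparison.OrdinalIgnoreCase))
                return column;
        throw new ArgumentException("unknown sort column: " + requested);
    }
}
```

The same division applies to the other injection types on slide 39: parameterise or encode where the destination has a parameter mechanism or an encoder, and whitelist-validate where it does not (path segments, LDAP attribute names, command arguments).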
  • 44. Authorization Woes
    - Who is allowed to do what? Well, we don’t know…
    - Draw an authorization matrix! Think about horizontal and vertical privilege escalation! I’m serious!
  • 45. Authorization Woes (authorization matrix)
                   | Orders                     | Products                   | /admin | …
    Customers      | View                       | View                       | No     | …
    Managers       | View, Modify               | View, Modify, Add          | No     | …
    Administrators | View, Modify, Add, Delete  | View, Modify, Add, Delete  | Yes    | …
    …              | …                          | …                          | …      | …
  • 46. Authorization Woes
    - Role-based access control works well here: group users by role
    - Some users will need additional privileges; you can use a finer-grained model
    - Some authorization concerns rely on state: “After 5PM, traders cannot place orders greater than the sum of the previous week’s total, minus exemptions…”
    - This becomes business logic
  • 47. Authorization Woes
    - User logs in, clicks on “My Account”, URL http://www.bank.com/accounts.aspx?id=123-456-7890
    - What if I got my neighbour’s statement by mistake? http://www.bank.com/accounts.aspx?id=098-765-4321
    - I shouldn’t be seeing their statement: the page trusted the id in the URL instead of checking who owns the account
    - Horizontal privilege escalation
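Closing the hole on slide 47, as example code added to this transcript: the page keeps the id in the URL but decides from the authenticated identity whether that account may be shown (the horizontal check), after the role check from the matrix (the vertical check). The table, columns, role name and connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Stopping horizontal privilege escalation on accounts.aspx?id=... (example code
// added to this deck; schema, role name and connection string are assumed).
public static class AccountAccess
{
    private const string ConnString = "Server=.;Database=Bank;Integrated Security=true"; // assumed

    // True only if the account is owned by this login. Parameterised (slide 41) and
    // keyed on the server-side identity, which the client cannot forge; the id from
    // the URL is only ever a lookup key, never evidence of ownership.
    public static bool CanView(string accountId, string login)
    {
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Accounts WHERE AccountId = @id AND OwnerLogin = @owner", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 20).Value = accountId;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 100).Value = login;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}

public partial class AccountsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            Response.Redirect("~/login.aspx");
            return;
        }

        string id = Request.QueryString["id"];

        // Vertical check: may this role use this page at all (a row of the matrix)?
        // Horizontal check: does this particular account belong to this user?
        if (!User.IsInRole("Customers") || string.IsNullOrEmpty(id)
            || !AccountAccess.CanView(id, User.Identity.Name))
        {
            throw new HttpException(403, "Not your account");
        }

        // Safe to render the statement for 'id' from here on.
    }
}
```

The stronger shape of the same idea is to not accept an account id from the client at all and select accounts by `OwnerLogin = @owner` only; the explicit check above is for the cases where the id has to be in the URL.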
  • 48. 7. Mind Your Cookies!
  • 49. Mind Your Cookies
    - Don’t use cookies! Let ASP.NET do the session stuff for you
    - What else could you possibly need to use cookies for? OK, OK, so maybe you can use them sometimes
    - Don’t base security decisions on the data in them: the client can set a cookie to whatever it likes
  • 50. Mind Your Cookies
    - There are two attributes that can be added to the Set-Cookie response header
    - Secure: do not transmit this cookie over non-SSL connections
    - HttpOnly: do not allow JavaScript to access this cookie
  • 51. Mind Your Cookies
    - Domain: think about which sub-domains need access
    - Path: you can limit which parts of your application cookies are sent to
    - Expiration: don’t go crazy
  • 52. Mind Your Cookies – URL Rewriting
    - Pass the session ID as a URL argument: http://site.com/a.aspx?sessionid=123123123
    - Bad idea: it ends up in history, bookmarks, links sent to friends (and in the Referer header sent to other sites)
    - Originally for users with cookies disabled, probably a small enough minority to ignore
  • 53. Session State in ASP.NET
    - Mark all container-issued cookies as HttpOnly
    - Prevent URL rewriting
    - Mark Forms Authentication cookies as secure
  • 55. Password Potpourri
    - Make your passwords strong: eight characters, one letter, one number, one symbol. Actually this could be totally inappropriate, it depends on your security requirements
    - Hash and salt stored passwords: salting prevents rainbow table attacks if the password table is compromised
  • 56. Password Potpourri
    - Think about your password reset scheme
    - Could send a link to the reset page in an email, but what if the email is hacked?
    - Could ask a secret question and answer, but what if their answer is really easy (“Your dog’s name is… Fido”)
    - Use both
    - Lock out brute forcers, just for a little bit
  • 58. Users, users, users
    - They (some of them) are dumb!
    - Don’t trust them… to recognise your site by the right domain and SSL cert, or to not have malware installed
    - Assume the worst can happen
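Slides 26, 55 and 56 together, as example code added to this transcript: salted and iterated password hashing with PBKDF2 (Rfc2898DeriveBytes, in the framework since .NET 2.0), and a temporary lockout for brute forcers. The record format, iteration count and lockout numbers are assumptions, and the throttle is in-process only.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Salted, iterated password hashing (example code added to this deck).
public static class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 10000;   // assumed; raise over time as hardware gets faster

    // Returns "iterations.salt.hash" for storage. The salt is random per user, so
    // two users with the same password get different records and a precomputed
    // (rainbow) table built for one salt is useless against every other row.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    // Recomputes with the stored salt and iteration count; the comparison is
    // constant-time so response timing does not reveal how many bytes matched.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

// Temporary lockout: after a few failures, refuse attempts for a short window and
// then let the user back in (slide 56: "just for a little bit"). In-process only;
// a web farm needs this state in the database instead.
public class LoginThrottle
{
    private readonly Dictionary<string, int> failures = new Dictionary<string, int>();
    private readonly Dictionary<string, DateTime> lockedUntil = new Dictionary<string, DateTime>();
    private readonly int maxFailures;
    private readonly TimeSpan lockout;
    private readonly object sync = new object();

    public LoginThrottle(int maxFailures, TimeSpan lockout)
    {
        this.maxFailures = maxFailures;
        this.lockout = lockout;
    }

    public bool IsLocked(string user, DateTime now)
    {
        lock (sync)
        {
            DateTime until;
            return lockedUntil.TryGetValue(user, out until) && now < until;
        }
    }

    public void RecordFailure(string user, DateTime now)
    {
        lock (sync)
        {
            int n;
            failures.TryGetValue(user, out n);
            failures[user] = ++n;
            if (n >= maxFailures)
            {
                lockedUntil[user] = now + lockout;
                failures[user] = 0;
            }
        }
    }

    public void RecordSuccess(string user)
    {
        lock (sync)
        {
            failures.Remove(user);
            lockedUntil.Remove(user);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: store one password, then check a right and a wrong guess.
        string record = PasswordStore.Hash("correct horse battery staple");
        Console.WriteLine(record);
        Console.WriteLine(PasswordStore.Verify("correct horse battery staple", record));
        Console.WriteLine(PasswordStore.Verify("Tr0ub4dor&3", record));

        // Five failures lock the account; sixteen minutes later it is open again.
        LoginThrottle throttle = new LoginThrottle(5, TimeSpan.FromMinutes(15));
        DateTime t = new DateTime(2008, 1, 1, 12, 0, 0);
        for (int i = 0; i < 5; i++) throttle.RecordFailure("alice", t);
        Console.WriteLine(throttle.IsLocked("alice", t));
        Console.WriteLine(throttle.IsLocked("alice", t.AddMinutes(16)));
    }
}
```

A plain salted SHA-256 would satisfy slide 55 literally, but PBKDF2’s iteration count is what makes an offline attack on a stolen table slow; the salt only stops it from being precomputed. The lockout is deliberately short so that it cannot be turned into a denial of service against legitimate users.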
  • 59. 10. Full Trust Exercise
  • 60. Full Trust Exercise
    - Full trust is the ASP.NET trust level that allows code to do anything it wants
    - Sound dangerous? It is! It’s also the default and the way a LOT of ASP.NET sites run
    - Consider placing your application in Medium trust
    - It could prevent the attacks you don’t know about!
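The settings behind slides 50 to 53 and slide 60 in one web.config fragment. This is an example configuration added to this transcript, not the screenshot from slide 53; the login URL and timeouts are assumptions.

```xml
<!-- web.config hardening for the cookie slides (50 to 53) and the trust slide (60).
     Example configuration added to this deck; loginUrl and timeouts are assumed. -->
<configuration>
  <system.web>
    <!-- Every cookie ASP.NET issues gets HttpOnly; requireSSL refuses to send any
         cookie over plain HTTP, so only turn it on once the whole site is HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- No session ID in the URL. "UseCookies" disables URL rewriting outright;
         "AutoDetect" or "UseDeviceProfile" would fall back to the URL for some clients. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <authentication mode="Forms">
      <!-- The auth ticket is marked Secure, never placed in the URL, encrypted and
           signed (protection="All"), and expires after 30 idle minutes. -->
      <forms loginUrl="~/login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Slide 60: run under Medium trust instead of the Full default. -->
    <trust level="Medium" />
  </system.web>
</configuration>
```

`<trust>` in a site’s web.config only takes effect if the machine-level configuration has not locked the level with allowOverride="false", and Medium trust will surface as failures in code that reads the registry, opens sockets or reflects on private members, so test the application under it before relying on it.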