O2 platform and ASP.NET MVC, by Michael Hidalgo

Presentation (still in draft) to be presented at OWASP's Latam 2012 conference in Uruguay https://www.owasp.org/index.php/AppSecLatam2012

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,124
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
14
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

O2 platform and ASP.NET MVC, by Michael Hidalgo

  1. The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities. Michael Hidalgo, michael.hidalgo@owasp.org. Chapter Leader, OWASP Costa Rica. Contributor, OWASP O2 Platform Project.
  2. About Me. Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
     – Developing Software for Financial Institutions (FI, CU)
     – Web Services, Interoperability
     OWASP Costa Rica Chapter Leader. Participation in the OData Protocol. OWASP Projects contributor:
     – OWASP O2 Platform (Dinis Cruz)
     – REST Security Cheat Sheet (Jim Manico)
  3. Why this presentation? Software Developers need tools!
  4. But also because… We Software Developers need a framework that helps us to write secure applications.
  5. Agenda
     • An overview of the O2 Platform
     • An overview of the Microsoft ASP.net MVC Framework
     • A demo running the IE automation script against the Music Store MVC Application.
  6. The O2 Platform. What is the O2 Platform?
  7. The O2 Platform. The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants' Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
  8. The O2 Platform
     • The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and he has performed very interesting research.
     • Some features of the O2 platform:
       – Scripting Engine and development environment.
       – Black-Box/Browser-automation environment.
       – Source Code analysis environment.
       – Data Consumption and API Generation.
  9. The O2 Platform: More features!
     • Powerful search engine
     • Graphical Engines
     • Multiple APIs
     • Integration with third parties
  10. The O2 Platform
     • A comprehensive UI!
  11. The O2 Platform
     • A look at the IE automation editor
  12. The O2 Platform
     • IE Automation syntax:
         var topPanel = panel.clear().add_Panel();
         var ie = topPanel.add_IE().silent(false);
         ie.open("http://www.google.com");
         ie.field("q").Value = "OWASP Costa Rica";
         //O2File:WatiN_IE_ExtensionMethods.cs
         //O2Ref:WatiN.Core.1x.dll
         //O2Tag_DontAddExtraO2Files;
  13. The O2 Platform
     • O2 Platform inside the Visual Studio IDE
  14. The O2 Platform. Where to get the O2 Platform?
     • From the Visual Studio Gallery: http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
     • Getting the standalone installer: http://tiny.cc/O2Platform
     • For more info on O2 see:
       – O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
       – O2 Blog: https://o2platform.wordpress.com
  15. Agenda
     • An overview of the O2 Platform
     • An overview of the Microsoft ASP.net MVC Framework
     • A demo running the IE automation script against the Music Store MVC Application.
  16. MVC Architecture. Architecture of the World Wide Web:
     • Addressable resources
     • Standard resource formats
     • Uniform interface for interacting with resources
     • Stateless and Hyperlinking
  17. Uniform Interface
     • GET: Retrieves a resource. Safe. Cacheable.
     • POST: Creates a new resource. Unsafe; the effect of this verb is not defined by HTTP.
     • PUT: Updates an existing resource. Also used for resource creation. Idempotent.
     • DELETE: Removes a resource. Call it N times and the same thing always happens (idempotent).
  18. MVC Architecture. Web Applications should embrace the Web!
  19. MVC Architecture
     • MVC is a standard design pattern that many developers are familiar with. Some types of Web applications will benefit from the MVC framework.
     • Some features:
       – Embrace the Web: MVC is a standards-compliant architecture that embraces the Web Architecture.
       – Easy to implement: The industry is adopting the MVC framework because it provides an easy approach to creating applications rapidly.
       – Separation of concerns: This architecture is designed to separate responsibilities within your application.
       – Testability
     Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  20. MVC Architecture
     • MVC Actors. Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  21. MVC Architecture
     • Models: Model Objects are the parts of the application that implement the logic for the application's data domain.
     • Retrieve and store model state in databases.
     • An example is a Product model, a Customer model or a Speaker model.
  22. MVC Architecture
     • Views: Components that display the application's user interface (UX).
     • Created from Model Data.
     • An example is editing Speaker information, displaying text boxes for name and address.
  23. MVC Architecture
     • Controllers: Components that handle user interactions, work with the model and select a view to render that is displayed in the UI.
     • Handle and respond to user input and interactions.
  24. MVC Architecture
     • Vulnerabilities on top of the MVC Framework
     • MVC applications are vulnerable to most of the attack vectors found in Web applications (XSS, CSRF).
     • Mass Assignment (Auto Binding): This vulnerability can be found in Spring MVC and the Microsoft ASP.NET MVC Framework.
  25. MVC Architecture
     • Mass Assignment (aka Auto Binding).
     • MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects.
     • This vulnerability is a kind of parameter tampering.
     • Model Binding works by assigning HTML form fields to object properties.
  26. MVC Architecture. Mass Assignment (aka Auto Binding).
     • Let's take a look at the following Model Object:
         public class BlogMember
         {
             public string Name { get; set; }
             public string LastName { get; set; }
             public string EmailAddress { get; set; }
             public bool IsAdmin { get; set; }
         }
  27. MVC Architecture. What can happen? Someone could send an HTTP request using Fiddler2 or cURL:
         Request URL: http://yourBlog/register
         Request Method: POST
         Status Code: 200 OK
         ......
         Name: Michael
         LastName: Hidalgo
         EmailAddress: michael.hidalgo@owasp.org
         IsAdmin: true
  28. Agenda
     • An overview of the O2 Platform
     • An overview of the Microsoft ASP.net MVC Framework
     • A demo running the IE automation script against the Music Store MVC Application.
  29. MVC Architecture. Running an O2 Demo!!!
  30. MVC Architecture. How do we protect ourselves against mass assignment?
     • Never trust user input!!!!
     • Matching incoming parameters
     • Using a ViewModel
     • Protect your sensitive Model properties (i.e. SSN, Ids, Account numbers)
  31. MVC Architecture. How do we protect ourselves against mass assignment? Matching incoming parameters.
  32. MVC Architecture. How do we protect ourselves against mass assignment? Protecting sensitive fields (using the Bind Attribute).
  33. MVC Architecture. How do we protect ourselves against mass assignment?
     • Protecting sensitive fields (using the Bind Attribute)
     • BlackList
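Added example (not code from the slides or the O2 project): the BlogMember model from slide 26 bound by a registration action that is open to the mass assignment shown on slide 27, followed by two hardened versions from slides 30 to 33, a [Bind] whitelist and a ViewModel. AccountController, IMemberRepository and the redirect target are assumptions.

```csharp
using System.Web.Mvc;

public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }   // sensitive: must never be set from the form
}

// ViewModel carrying only the fields a self-registration form is allowed to set.
public class RegisterViewModel
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
}

public interface IMemberRepository { void Add(BlogMember member); }   // assumed

public class AccountController : Controller
{
    private readonly IMemberRepository _members;
    public AccountController(IMemberRepository members) { _members = members; }

    // VULNERABLE: the default model binder fills every public property of
    // BlogMember from the request, so a POST that includes IsAdmin=true
    // (slide 27) registers an administrator.
    [HttpPost]
    public ActionResult Register(BlogMember member)
    {
        _members.Add(member);
        return RedirectToAction("Index", "Home");
    }

    // FIXED (whitelist via Bind): only the listed properties are bound,
    // so IsAdmin keeps its default value of false whatever the form sends.
    [HttpPost]
    public ActionResult RegisterBind(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
    {
        _members.Add(member);
        return RedirectToAction("Index", "Home");
    }

    // FIXED (ViewModel): the binder never sees BlogMember; the safe fields are
    // copied explicitly, which keeps working even if BlogMember grows new fields.
    [HttpPost]
    public ActionResult RegisterVm(RegisterViewModel vm)
    {
        _members.Add(new BlogMember { Name = vm.Name, LastName = vm.LastName, EmailAddress = vm.EmailAddress });
        return RedirectToAction("Index", "Home");
    }
}
```

A blacklist (slide 33) would be Bind(Exclude = "IsAdmin") on the same parameter; it works, but every sensitive property added later must be remembered, which is why the whitelist and ViewModel forms are preferred.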
  34. Q&A. Michael Hidalgo, michael.hidalgo@owasp.org