SEA-SURFING IN ASP.NET MVC
BARTOSZ LENAR
THE PLAN
BASICS
 http requests
 authentication
 cookies
 session
SEA-SURFING
 unfixable bug
 hacking the system
 csrf attack
 token-based defence
SPA
 problems
 server-side layer
 client-side layer
FIDDLER
responses
requests
HTTP
REQUEST
 Method
 Version
 Host
 Rest as key-value pairs:
 Accept
 Cache-control
 …
 BODY
RESPONSE
 Status code
 Version
 Date
 Rest as key-value pairs:
 Content-type
 Content-length
 …
 BODY
COOKIES
 travel in headers (Set-Cookie in the response, Cookie in the request) as another key-value pair "with parameters"
 cookies consist of
 name
 value
 domain & path
 expiration date
 restrictions (security): e.g. Secure, HttpOnly
COOKIES SCENARIO
1. client sends request to example.org
2. server responds with cookie visited: true
3. client saves visited:true for example.org
4. client sends next request to example.org with visited:true cookie in headers
5. server knows that the client visited this page earlier
HTTP REQUESTS AND COOKIES
WEB AUTHENTICATION
 authentication system
 authenticate once at the beginning
 use the system all the time
 but http protocol is stateless!
 every request is independent
 how to simulate the states?
 how to identify request from the specific user?
STATES SCENARIO
1. client sends first request to example.org
2. server generates über-random identifier
3. server sends it back in cookie UserId: QB32SDXC8
4. client saves UserId:QB32S… for example.org
5. client sends next request to example.org with UserId: QB32SDXC8 cookie in headers
SESSION
 so far: server is able to distinguish users
 session: server-side bag for user data
 key: previously generated identifier stored in cookie
 like QB32SDXC8
 value: yet another dictionary
 user-specific data like name, address, etc.
 security and access data like roles, privileges, etc.
 forms
HACK THE SYSTEM
 do we want to be an authorized user?
 no! we want to act like one!
 to hack the system = to "steal" someone’s session
 maybe "someone” is:
 facebook user – we have all his private data, photos, etc.
 bank user – we know how much money he has
 …
 admin – we can do anything
SESSION HIJACKING
 system/browser backdoor
 steal the cookie from memory
 xss
 sidejacking
 man-in-the-middle
 fixation
 send user url with session id: http://example.org/?&sessionId=QB32SDXC8
 wait for the user to log in
 riding – our topic
THE ROAD TO SESSION RIDING
 we want to download data stored under http://example.org/admin/secret
 let’s think:
 authentication & authorization is based on session
 session is based on cookies
 cookies are being sent to example.org with every request
 how about we prepare a website that sends request to the specified path?
LET'S TRY TO GET THE ADMIN'S SECRET
<img src="http://example.org/admin/secret" />
 what actually happened?
1. browser downloads the entire DOM tree
2. img node is located
3. browser automatically sends a GET request to download the image
 but… there is no image at the end
 nevertheless, the browser attached all cookies dedicated to example.org
 the request ran with the admin's session, even though the page that triggered it was not served by example.org
LET'S TRY TO DO THE ADMIN'S JOB
 GET shouldn't change anything
 http://example.org/admin/delete-user/?&username=admin
 you're doing it WRONG!
 let's mess up with POST / DELETE / PUT … and the same trick still works: a hidden form on the attacker's page, auto-submitted by script, is sent with the admin's cookies just like the img request was
BUILDING THE FIREWALL
 how the browser works (same-origin policy):
 the attacker's page is able to make the browser send cookies with the request …
 … but is not able to read them, nor the response
 so: require every state-changing request to carry a secret that only a page from example.org itself could have read
ANTI-FORGERY TOKEN – HOW IT'S MADE
1. client sends request to example.org
2. server generates über-random identifier: J723SDA
3. server sends it back inside the form and in the cookie
AntiForgeryToken=J723SDA
<input name="_token" type="hidden" value="J723SDA" />
ANTI-FORGERY TOKEN – HOW IT WORKS
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: J723SDA
2. validates the request:
• token in cookie is present? true
• token in form is present? true
• do they match each other? true
all true? it’s valid!
ANTI-FORGERY TOKEN – HOW IT SECURES
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: ??????????
2. validates the request:
• token in cookie is present? true
• token in form is present? false
• do they match each other? false
all true? no! respond with 403 Forbidden
DO THE TRICK IN ASP.NET MVC
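The slide itself shows the demo; the following is an added example (not the slides' own demo code) of how the built-in ASP.NET MVC 5 protection is wired up for the "delete user" action from the earlier slide. It assumes an MVC 5 project; AdminController, UserStore and the view path are illustrative names.

```csharp
// Added example, not code from the slides: built-in ASP.NET MVC 5 anti-forgery
// protection applied to the "delete user" action. AdminController, UserStore
// and the view path are illustrative names.
using System.Collections.Generic;
using System.Web.Mvc;

// Minimal stand-in for whatever really holds the users.
public static class UserStore
{
    private static readonly HashSet<string> Users = new HashSet<string> { "admin", "bartek" };
    public static bool Delete(string username) => Users.Remove(username);
}

public class AdminController : Controller
{
    // The "you're doing it WRONG" version from the slide: a GET that changes state.
    // Any page on the web can fire it with <img src="http://example.org/admin/delete-user?username=admin">.
    // Kept only as the 'before'; it has no place in a real controller.
    [HttpGet]
    public ActionResult DeleteUserInsecure(string username)
    {
        UserStore.Delete(username);
        return RedirectToAction("Users");
    }

    // Step 1 of the fix: GET only renders the confirmation form. The view calls
    // @Html.AntiForgeryToken(), which writes the hidden __RequestVerificationToken
    // field and sets the matching __RequestVerificationToken cookie.
    [HttpGet]
    public ActionResult DeleteUser(string username)
    {
        ViewBag.Username = username;
        return View();
    }

    // Step 2: the state change is POST-only and guarded. [ValidateAntiForgeryToken]
    // runs before the action and checks that the form token and the cookie token are
    // both present, match, and belong to the logged-in user. A cross-site form can
    // make the browser send the cookie, but cannot read or forge the hidden field, so
    // the forged POST fails with HttpAntiForgeryException and never reaches this body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteUser(string username, bool confirmed)
    {
        if (confirmed)
            UserStore.Delete(username);
        return RedirectToAction("Users");
    }

    [HttpGet]
    public ActionResult Users() => View();
}

/* Views/Admin/DeleteUser.cshtml (Razor), the form that carries the token:

@using (Html.BeginForm("DeleteUser", "Admin", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    <input type="hidden" name="username" value="@ViewBag.Username" />
    <input type="hidden" name="confirmed" value="true" />
    <button type="submit">Delete @ViewBag.Username</button>
}
*/
```

By default the framework surfaces a failed check as an HttpAntiForgeryException (an error page, not the 403 of the previous slide); map it to 403 in a global filter or error handler if you want the response the slides describe.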
EVEN MORE SECURE
 create a keyword based on:
 action-specific and user-specific data
 application, server, etc. (something only the server knows; otherwise anyone who knows the user name can compute the hash too)
 our keyword: "BARTEK"
 hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:
 0BDE667AA88E8832 goes into cookie
 B61BF68C0D4E34A4 goes into form
 on request, compute the keyword once again and validate both tokens against it
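The scheme above, written out as an added example (not the slides' code). One caveat a practitioner will want: taken literally, an unkeyed hash of a predictable keyword such as the user name is weaker than the random token, because the attacker can compute both halves himself. The example therefore keys the hash with a server-side secret (HMAC-SHA256 rather than the 128-bit hash on the slide) and mixes in a per-session random nonce; the action and user names, the nonce handling and the class name are all assumptions made for the example.

```csharp
// Added example, not the slides' code: the "keyword" scheme hardened.
// keyword = action | user | per-session nonce, keyed with a server secret
// (HMAC-SHA256), hex-encoded and split: first half -> cookie, second half -> form.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SplitToken
{
    // Server-side secret. In production load it from configuration or a key vault,
    // never from source; generated here only so the sample runs stand-alone.
    private static readonly byte[] ServerKey = RandomBytes(32);

    // Per-session nonce, normally stored in the session next to the user identity.
    public static string NewSessionNonce() => Convert.ToBase64String(RandomBytes(16));

    // Issue the pair for a given action/user/session.
    public static (string cookiePart, string formPart) Issue(string action, string user, string nonce)
    {
        string hex = HmacHex($"{action}|{user}|{nonce}");
        int half = hex.Length / 2;
        return (hex.Substring(0, half), hex.Substring(half));
    }

    // On request: recompute the keyword for the action being invoked by the current
    // user/session and compare both halves in constant time.
    public static bool Validate(string action, string user, string nonce, string cookiePart, string formPart)
    {
        if (cookiePart == null || formPart == null) return false;
        var (expectedCookie, expectedForm) = Issue(action, user, nonce);
        return FixedTimeEquals(expectedCookie, cookiePart) && FixedTimeEquals(expectedForm, formPart);
    }

    private static string HmacHex(string keyword)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(keyword));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }

    // Constant-time comparison so a forged form half cannot be guessed byte by byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    private static byte[] RandomBytes(int n)
    {
        var buf = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return buf;
    }

    public static void Main()
    {
        string nonce = NewSessionNonce();
        var (cookie, form) = Issue("Admin/DeleteUser", "BARTEK", nonce);
        Console.WriteLine($"cookie half: {cookie}");
        Console.WriteLine($"form half:   {form}");

        // genuine request: same action, same user, same session nonce
        Console.WriteLine("genuine:        " + Validate("Admin/DeleteUser", "BARTEK", nonce, cookie, form));
        // forged request: the browser sends the cookie half, the attacker has to guess the form half
        Console.WriteLine("forged form:    " + Validate("Admin/DeleteUser", "BARTEK", nonce, cookie, "0000000000000000"));
        // a pair issued for one action replayed against another action
        Console.WriteLine("wrong action:   " + Validate("Admin/Users", "BARTEK", nonce, cookie, form));
        // a pair from another user's session
        Console.WriteLine("other session:  " + Validate("Admin/DeleteUser", "BARTEK", NewSessionNonce(), cookie, form));
    }
}
```

Binding the token to the action is what the slide gains over a plain random token: a pair harvested from one form cannot be replayed against another, and a pair from one session is useless in any other.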
PROBLEMS
 strongly relies on browser security (the same-origin policy)
 doesn't work with GET requests (no form to carry the token)
 is it a problem in a pure REST service? not as long as GET never changes state
 to disable cookies = to disable all communication
 site vulnerable to XSS = we're doomed: injected script runs in our origin and can simply read the form token
SINGLE PAGE APPS - PROBLEMS
 forms are pre-generated
 which form is going to be triggered next?
API WRAPPER – CLIENT SIDE
 write a wrapper for all ajax communication (GET, POST, PUT, DELETE)
 requestSettings contains method, url, data, etc.
 the current token goes out in a custom request header; the server hands back a fresh one in a response header
ApiWrapper.prototype._SendRequest = function (requestSettings) {
    var self = this;
    requestSettings.headers = requestSettings.headers || {};
    // custom header: a cross-site page cannot add one to a cross-origin request
    requestSettings.headers["Token"] = self.Token;
    return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
        // jQuery passes (data, textStatus, jqXHR) on success
        // and (jqXHR, textStatus, errorThrown) on failure
        var jqXHR = (textStatus !== "success") ? arg1 : arg2;
        var freshToken = jqXHR.getResponseHeader("Token");
        if (freshToken) {
            self.Token = freshToken;
            document.cookie = "Token=" + encodeURIComponent(freshToken) + "; path=/";
        }
    });
};
API WRAPPER – SERVER SIDE
 keep tokens in cache/database
 nosql
 custom ValidateAntiForgeryTokenAttribute
 validates the token from the cookie against the one from the header
 issues a fresh token when necessary
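An added example of such an attribute (not the slides' implementation, which keeps the tokens in a server-side store): it reuses the framework's stateless AntiForgery helper from System.Web.Helpers, so no cache or database is needed. It assumes ASP.NET MVC 5, the header name "Token" used by the client wrapper above, and an illustrative CustomersController. With this variant the server manages the cookie itself, so the client only needs to forward the header.

```csharp
// Added example, not the slides' code: header-based anti-forgery validation for
// AJAX calls, built on System.Web.Helpers.AntiForgery (ASP.NET MVC 5). The
// "Token" header name and CustomersController are assumptions for the example.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "Token";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        string method = request.HttpMethod;

        // Safe methods carry no token: GET must never change state anyway.
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
            return;

        // Cookie half: the browser attaches it automatically, forged or not.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        // Header half: only same-origin script can set it.
        string headerToken = request.Headers[HeaderName];

        try
        {
            // Checks that both halves are present, were issued as a pair and belong
            // to the current user; throws HttpAntiForgeryException otherwise.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Same outcome as on the slides: 403 Forbidden, the action never runs.
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
            return;
        }

        // Rotate: give the client a fresh header token for its next call. GetTokens
        // returns a null cookie token when the existing cookie is still usable.
        string newCookieToken, newHeaderToken;
        AntiForgery.GetTokens(cookieToken, out newCookieToken, out newHeaderToken);
        HttpResponseBase response = filterContext.HttpContext.Response;
        if (newCookieToken != null)
        {
            response.Cookies.Set(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = request.IsSecureConnection
            });
        }
        response.AppendHeader(HeaderName, newHeaderToken);
    }
}

// Usage on an API-style action called by the client wrapper (api.Post('customers/' + id, data)).
public class CustomersController : Controller
{
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult Edit(int id, string name)
    {
        // ... persist the change for customer `id` ...
        return new HttpStatusCodeResult(204);
    }
}
```

The client's first call needs a token to send; render one into the page with @Html.AntiForgeryToken() (or expose it in a response header on login) and seed the wrapper's Token property from it.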
API WRAPPER - USAGE
 every method (Get, Post, Put, Delete) goes through _SendRequest
 every method returns the jqXHR, so callers chain their own callbacks
api.Get('customers/' + customerId)
    .done(function (data) {
        self.Customer(data);
    });
api.Post('customers/' + customerId, editedData)
    .done(function () {
        message.ReportSuccess();
    });
SEA-SURFING IN ASP.NET MVC
QUESTIONS-SURFING
 Fiddler: http://www.telerik.com/fiddler
 Icons: http://www.visualpharm.com/
BARTOSZ LENAR
bartoszlenar@gmail.com
@bartoszlenar
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Sea surfing in asp.net mvc

  • 1. SEA-SURFING IN ASP.NET MVC
    BARTOSZ LENAR
  • 2. THE PLAN
    BASICS
    - http requests
    - authentication
    - cookies
    - session
    SEA-SURFING
    - unfixable bug
    - hacking the system
    - csrf attack
    - token-based defence
    SPA
    - problems
    - server-side layer
    - client-side layer
  • 4. HTTP
    REQUEST
    - Method
    - Version
    - Host
    - Rest as key-value pairs:
      - Accept
      - Cache-control
      - …
    - BODY
    RESPONSE
    - Status code
    - Version
    - Date
    - Rest as key-value pairs:
      - Content-type
      - Content-length
      - …
    - BODY
  • 5. COOKIES
    - exist in headers as another key-value pair "with parameters"
    - cookies consist of
      - name
      - value
      - domain & path
      - expiration date
      - restrictions (security)
  • 6. COOKIES SCENARIO
    1. sends request to example.org
    2. responds with cookie visited: true
    3. saves visited:true for example.org
    4. sends request to example.org with visited:true cookie in headers
    5. knows that client visited this page earlier
  • 8. WEB AUTHENTICATION
    - authentication system
      - authorize once at the beginning
      - use the system all the time
    - but http protocol is stateless!
      - every request is independent
    - how to simulate the states?
    - how to identify request from the specific user?
  • 9. STATES SCENARIO
    1. sends first request to example.org
    2. generates über-random identifier
    3. sends it back in cookie UserId: QB32SDXC8
    4. saves UserId:QB32S… for example.org
    5. sends next request to example.org with UserId: QB32SDXC8 cookie in headers
  • 10. SESSION
    - so far: server is able to distinguish users
    - session: server-side bag for user data
      - key: previously generated identifier stored in cookie
        - like QB32SDXC8
      - value: yet another dictionary
        - user-specific data like name, address, etc.
        - security and access data like roles, privileges, etc.
        - forms
  • 11. HACK THE SYSTEM
    - do we want to be an authorized user?
    - no! we want to act like one!
    - to hack the system = to "steal" someone's session
    - maybe "someone" is:
      - facebook user – we have all his private data, photos, etc.
      - bank user – we know how much money he has
      - …
      - admin – we can do anything
  • 12. SESSION HIJACKING
    - system/browser backdoor
      - steal the cookie from memory
    - xss
    - sidejacking
      - man-in-the-middle
    - fixation
      - send user url with session id: http://example.org/?&sessionId=QB32SDXC8
      - wait for the user to log in
    - riding – our topic
  • 13. THE ROAD TO SESSION RIDING
    - we want to download data stored under http://example.org/admin/secret
    - let's think:
      - authentication & authorization is based on session
      - session is based on cookies
      - cookies are being sent to example.org with every request
    - how about we prepare a website that sends request to the specified path?
  • 14. LET'S TRY TO GET THE ADMIN'S SECRET
  • 15. LET'S TRY TO GET THE ADMIN'S SECRET
    <img src="http://example.org/admin/secret" />
    - what actually happened?
      1. browser downloads the entire DOM tree
      2. img node is being located
      3. browser automatically sends GET request to download the image
    - but… there is no image at the end
    - nevertheless, browser attached all cookies dedicated to example.org
  • 16. LET'S TRY TO DO THE ADMIN'S JOB
    - GET shouldn't change anything
      - http://example.org/admin/delete-user/?&username=admin
      - you're doing it WRONG!
    - let's mess up with POST / DELETE / PUT …
  • 17. LET'S TRY TO DO THE ADMIN'S JOB
  • 18. BUILDING THE FIREWALL
    - how browser works:
      - attacker is able to send cookies with the request …
      - … but is not able to see them!
  • 19. ANTI-FORGERY TOKEN – HOW IT'S MADE
    1. sends request to example.org
    2. generates über-random identifier: J723SDA
    3. sends it back inside the form and in the cookie
       AntiForgeryToken= J723SDA
       <input name="_token" type="hidden" value="J723SDA" />
  • 20. ANTI-FORGERY TOKEN – HOW IT WORKS
    1. sends request to example.org containing:
       • cookie with token: J723SDA
       • form value with token: J723SDA
    2. validates the request:
       • token in cookie is present? true
       • token in form is present? true
       • do they match each other? true
       all true? it's valid!
  • 21. ANTI-FORGERY TOKEN – HOW IT SECURES
    1. sends request to example.org containing:
       • cookie with token: J723SDA
       • form value with token: ??????????
    2. validates the request:
       • token in cookie is present? true
       • token in form is present? false
       • do they match each other? false
       all true? no! respond with 403 Forbidden
  • 22. DO THE TRICK IN ASP.NET MVC
  • 23. EVEN MORE SECURE
    - create a keyword based on:
      - action-specific and user-specific data
      - application, server, etc.
      - our keyword: "BARTEK"
    - hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:
      - 0BDE667AA88E8832 goes into cookie
      - B61BF68C0D4E34A4 goes into form
    - on request, compute the keyword once again and validate the tokens
  • 24. PROBLEMS
    - strongly relies on browser security
    - doesn't work with GET requests
      - is it a problem in pure, REST service?
    - to disable cookies = to disable all communication
    - site vulnerable to XSS = we're doomed
  • 25. SINGLE PAGE APPS - PROBLEMS
    - forms are pre-generated
    - which form is going to be triggered next?
  • 26. API WRAPPER – CLIENT SIDE
    - write wrapper for all ajax communication (GET, POST, PUT, DELETE)
    - requestSettings contains method, data, etc.
    ApiWrapper.prototype._SendRequest = function (requestSettings) {
        var self = this;
        // attach the current anti-forgery token as a request header
        requestSettings.headers = requestSettings.headers || {};
        requestSettings.headers["Token"] = self.Token;
        return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
            // jQuery passes jqXHR as the first argument on failure and as the third on success
            var jqXHR = (textStatus !== "success") ? arg1 : arg2;
            // the server rotates the token on every response; keep the new one for the next call
            self.Token = jqXHR.getResponseHeader("Token");
            document.cookie = "Token=" + self.Token + ";";
        });
    };
  • 27. API WRAPPER – SERVER SIDE
    - keep tokens in cache/database
      - nosql
    - custom ValidateAntiForgeryTokenAttribute
      - validates token from cookie and header
      - updating token if necessary
  • 28. API WRAPPER - USAGE
    - write wrapper for all ajax communication (GET, POST, PUT, DELETE)
    - return jqXHR from all functions
    api.Get('customers/' + customerId)
        .success(function (data) { self.Customer(data); });
    api.Post('customers/' + customerId, editedData)
        .success(function () { message.ReportSuccess(); });
  • 29. SEA-SURFING IN ASP.NET MVC
    QUESTIONS-SURFING
    - Fiddler: http://www.telerik.com/fiddler
    - Icons: http://www.visualpharm.com/
    BARTOSZ LENAR
    bartoszlenar@gmail.com
    @bartoszlenar