Wrong confirmation ID

Email
Favorite
Favorited ×
Download
Embed
Private Content
Copy and paste this code into your blog or website Copy Customize… Close
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

+ Follow

Defensive programming 101

by Niall Merrigan on May 09, 2011

3,157 views

More…

Less

5 Embeds 1,861

http://www.certsandprogs.com	1838
url_unknown	19
http://www.certsandprogs.com HTTP	2
http://www.slideshare.net	1
http://siljeandniall.com	1

Statistics

Favorites: 0
Downloads: 0
Comments: 0
Embed Views: 1,861
Views on SlideShare: 1,296
Total Views: 3,157

I am Irish
But I live in Norway. I am Senior Solutions
Mainly applies to web apps. Leaving admin info systems on the server to be accessedYou can use Google to find this infoYou can find password files, office data files (PST) etcOld files are possible especially you rename in the same directory. Then possible to download source code from your site.Sample: intitle:index.of outlook pstAlso leaving trace output with .. Allows access to trace.axd
Following issue #10Usernames and passwords should be encrypted.Sensitive data should be in encryptedDont write your own Crypto protocols. Can also use google code to find these (especially if you leave personal ones there!!!)http://google.com/codesearch?hl=en&lr=&q=sa+connectionstring+file%3Aweb.config&sbtn=Search
One of the easiest ways to get caughtVulnerability is not in your code but on the systemEspecially painful on web serversGoogle can be used to find vulnerable web serversRequires you most of the time to pester the local sys admin
Shouldn’t be the only thing that sanitizes your inputConsider you have a javascript function to see if the number is validUser views source page and sends you the variablesDo validation on both sides to be sure, but definately server side at least.
Validate all inputs at the server even if client validatedUse a central validation sourceUse white lists rather than blacklistsEscape special charactersValidate against RFC rulesValidate XML against the schema
You should never show a detailed error message on a production web site.Use CustomErrors in the web.configEither RemoteOnly or OnAgain also turn off Trace and set Debug=“false”
SQL connection using SA or SysAdm level permissionsRequiring Administrator permissions on the web server!!!!!Requiring Admin privileges for a windows app
Consider default.aspx?download=filestore/file.exe using BinaryWriteChange the download variableNow default.aspx? download=web.configPage will display the incorrect file and give ideas about what way the machine is configured and possibly access to a lot more.
Validate your inputChecking for ../ usually wont work due to URLEncodeStrong checking of inputPlacing web apps on separate partitions to system filesCorrect permissionsWeb server fully patchedUsing scanner tools to validate the web server IIS LockdownURL Scan
HTML & Script Injection3 Main typesDOMNon PersistantPersistantNon persistant is the most common, and persistant is the most dangerous.Certain CMS are vuln, as well as pages taking input and displaying that input back.Other variations include HTTP response splitting, HTTP header injection, remote file inclusionParticularly nastyMore common with scripting languages such as ASP and PHPAllows you to insert your own file to be runNot as relevant to .NET but still can cause a problemExamplehttp://server/file.aspx?redir=page.aspxhttp://server/file.aspx?redir=http://badplace/haha.aspx?Imagine that with a login and similar look of your own site
Make cookies only accessible to server side codeUse cookie based session state to stop session hijackingWhere possible use SSL for authentication cookiesUse unique forms name when using multiple sites with forms auth.Use HtmlEncode to disable special charsMake sure on redirect its only going to where you expect it to be goingSanitize your inputMind your cookies and evaluate web.configs above the web app for vulns
Allowing straight input to your databaseConsider SELECT * FROM tbl WHERE (Email=‘RequestData’) AND (PASSWORD=’OtherData’)Now consider the inputs ” ‘ OR ‘1’=‘1’ ”SELECT * FROM tbl WHERE (Email=‘’ OR ‘1’=‘1’) AND (PASSWORD=’’ OR ‘1’=‘1’)Worse UPDATE tbl WHERE ID=RequestDataRequestData = 1;DELETE FROM tbl;Worst!RequestData = 1;DROP tbl;Sanitize your inputDont blindly allow access to the database from the front endUse only the permissions required for the optionConsider two level database accessReaderWriterWith SQL Server reduce your permissions to execute only if you are using stored procs
Trusting your users!!!Sanitize your inputIf you don’t check it, be prepared to deal with the consequences. See issues 2 & 3!Famous examples: Amazon & Komplett

Defensive programming 101 — Presentation Transcript

Defensive Programming 101
I just farted but Dad doesnt know yet
When all you have is a mallet, everything looks like Justin Bieber
If this text is too big you are sitting too close
Code Demo
Code Demo
Why didn’t I wear pants today?
Resources
IIS Security What If Tool - http://support.microsoft.com/kb/229694
URLScan – http://technet.microsoft.com/en-us/security/cc242650
IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/
MSCASI tool - http://support.microsoft.com/kb/954476
IIS Lockdown - http://technet.microsoft.com/en-us/library/dd450372%28WS.10%29.aspx
AntiXSS Toolkit - http://wpl.codeplex.com/
IIS Security Tools - http://www.iis.net/community/Security
Advice from SDL - http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx
More Resources
http://www.security.nnov.ru/
http://www.devx.com/dotnet/Article/32493/1763/page/1
http://cwe.mitre.org/top25/#Brief
Contact
Twitter: @nmerrigan
Blog: http://www.certsandprogs.com
Email – via blog
Image credits
http://www.flickr.com/photos/darwinbell/412631864/sizes/l/in/photostream/
http://www.flickr.com/photos/splorp/59231687/sizes/l/in/photostream/
http://www.flickr.com/photos/wecand/5103599890/sizes/l/in/photostream/
http://www.flickr.com/photos/darwinbell/2382912185/sizes/z/in/photostream/
http://www.flickr.com/photos/95565118@N00/922632392
http://www.flickr.com/photos/49968232@N00/4789356849
http://www.flickr.com/photos/20195637@N00/2322127250
http://www.flickr.com/photos/lwr/305130907/sizes/z/in/photostream/
http://www.flickr.com/photos/baboon/4116381/sizes/z/in/photostream/
http://www.flickr.com/photos/mrlederhosen/4283136097/sizes/l/in/photostream/
http://www.flickr.com/photos/30799995@N00/4348942883
http://www.flickr.com/photos/proimos/4199675334/sizes/z/in/photostream/
http://www.flickr.com/photos/ianvisits/4000931824/sizes/z/in/photostream/
http://www.flickr.com/photos/21446836@N00/3117966481
http://www.flickr.com/photos/41754875@N00/1996389857
http://www.flickr.com/photos/baboon/2057927/sizes/z/in/photostream/
http://www.flickr.com/photos/baboon/2057927/sizes/z/in/photostream/
http://www.flickr.com/photos/limowreck666/223731385/sizes/z/in/photostream/
http://www.flickr.com/photos/72429059@N00/2982093881
http://www.flickr.com/photos/qusic/3370510628/sizes/z/in/photostream/
http://www.flickr.com/photos/ubookworm/71288675/sizes/z/in/photostream/
http://www.flickr.com/photos/8395041@N02/2505803867
Questions?

Defensive programming 101

by Niall Merrigan on May 09, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 1,861

Statistics

Defensive programming 101 — Presentation Transcript