Email
Like
Liked ×
Save
Private Content
Embed
Loading embed code…
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.
Loading

+ Follow

Defensive programming 101

by Niall Merrigan

4,006 views

Accessibility

View text version

Upload Details

Uploaded via SlideShare as Microsoft PowerPoint

Usage Rights

File a copyright complaint

5 Embeds 1,943

http://www.certsandprogs.com	1920
url_unknown	19
http://www.certsandprogs.com HTTP	2
http://www.slideshare.net	1
http://siljeandniall.com	1

Statistics

Likes: 1
Downloads: 0
Comments: 0
Embed Views: 1,943
Views on SlideShare: 2,063
Total Views: 4,006

I am Irish
But I live in Norway. I am an IT Architect with Laerdalmedical
Programmers arethe problem. Theyare not nativelysecurityconcious as it takes longer to write and they dont want to break theircode by testing for securityflaws
Mainly applies to web apps. Leaving admin info systems on the server to be accessedYou can use Google to find this infoYou can find password files, office data files (PST) etcOld files are possible especially you rename in the same directory. Then possible to download source code from your site.Sample: intitle:index.of outlook pstAlso leaving trace output with .. Allows access to trace.axd
Following issue #10Usernames and passwords should be encrypted.Sensitive data should be in encryptedDont write your own Crypto protocols. Can also use google code to find these (especially if you leave personal ones there!!!)http://google.com/codesearch?hl=en&lr=&q=sa+connectionstring+file%3Aweb.config&sbtn=Search
One of the easiest ways to get caughtVulnerability is not in your code but on the systemEspecially painful on web serversGoogle can be used to find vulnerable web serversRequires you most of the time to pester the local sys admin
Shouldn’t be the only thing that sanitizes your inputConsider you have a javascript function to see if the number is validUser views source page and sends you the variablesDo validation on both sides to be sure, but definately server side at least.
Validate all inputs at the server even if client validatedUse a central validation sourceUse white lists rather than blacklistsEscape special charactersValidate against RFC rulesValidate XML against the schema
You should never show a detailed error message on a production web site.Use CustomErrors in the web.configEither RemoteOnly or OnAgain also turn off Trace and set Debug=“false”
SQL connection using SA or SysAdm level permissionsRequiring Administrator permissions on the web server!!!!!Requiring Admin privileges for a windows app
Consider default.aspx?download=filestore/file.exe using BinaryWriteChange the download variableNow default.aspx? download=web.configPage will display the incorrect file and give ideas about what way the machine is configured and possibly access to a lot more.
Validate your inputChecking for ../ usually wont work due to URLEncodeStrong checking of inputPlacing web apps on separate partitions to system filesCorrect permissionsWeb server fully patchedUsing scanner tools to validate the web server IIS LockdownURL Scan
HTML & Script Injection3 Main typesDOMNon PersistantPersistantNon persistant is the most common, and persistant is the most dangerous.Certain CMS are vuln, as well as pages taking input and displaying that input back.Other variations include HTTP response splitting, HTTP header injection, remote file inclusionParticularly nastyMore common with scripting languages such as ASP and PHPAllows you to insert your own file to be runNot as relevant to .NET but still can cause a problemExamplehttp://server/file.aspx?redir=page.aspxhttp://server/file.aspx?redir=http://badplace/haha.aspx?Imagine that with a login and similar look of your own site
Make cookies only accessible to server side codeUse cookie based session state to stop session hijackingWhere possible use SSL for authentication cookiesUse unique forms name when using multiple sites with forms auth.Use HtmlEncode to disable special charsMake sure on redirect its only going to where you expect it to be goingSanitize your inputMind your cookies and evaluate web.configs above the web app for vulns
Allowing straight input to your databaseConsider SELECT * FROM tbl WHERE (Email=‘RequestData’) AND (PASSWORD=’OtherData’)Now consider the inputs ” ‘ OR ‘1’=‘1’ ”SELECT * FROM tbl WHERE (Email=‘’ OR ‘1’=‘1’) AND (PASSWORD=’’ OR ‘1’=‘1’)Worse UPDATE tbl WHERE ID=RequestDataRequestData = 1;DELETE FROM tbl;Worst!RequestData = 1;DROP tbl;Sanitize your inputDont blindly allow access to the database from the front endUse only the permissions required for the optionConsider two level database accessReaderWriterWith SQL Server reduce your permissions to execute only if you are using stored procs
Trusting your users!!!Sanitize your inputIf you don’t check it, be prepared to deal with the consequences. See issues 2 & 3!Famous examples: Amazon & Komplett

1 Like

Jürgen Krey 3 months ago

Defensive programming 101 Presentation Transcript

ASP.NET Resources• Web session management security -http://www.isecpartners.com/files/web-session-management.pdf• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html• ASP.NET Security Guidance - http://wiki.asp.net/page.aspx/48/security-guidelines-and-recommendations/• MSCASI tool - http://support.microsoft.com/kb/954476• AntiXSS Toolkit - http://wpl.codeplex.com/• ASP.NET Security Guidance -http://blogs.msdn.com/b/nunoc/archive/2006/03/04/543631.aspx• Advice from SDL -http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx• ASafaWeb - http://www.asafeweb.com
IIS Resources• Security Guidance for IIS -http://technet.microsoft.com/en-us/library/dd450371.aspx• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx• URLScan –http://www.iis.net/learn/extensions/working-with-urlscan• IIS Configuring security -http://learn.iis.net/page.aspx/88/configuring-security/• IIS Security Tools -http://www.iis.net/community/Security
Image Credits• highscore -http://www.flickr.com/photos/83476873@N00/4116381• G is for Goggles -http://www.flickr.com/photos/60648084@N00/2349550374
Image credits• http://www.flickr.com/photos/darwinbell/412631864/sizes/l/in/photostream/• http://www.flickr.com/photos/splorp/59231687/sizes/l/in/photostream/• http://www.flickr.com/photos/wecand/5103599890/sizes/l/in/photostream/• http://www.flickr.com/photos/darwinbell/2382912185/sizes/z/in/photostream/• http://www.flickr.com/photos/95565118@N00/922632392• http://www.flickr.com/photos/49968232@N00/4789356849• http://www.flickr.com/photos/20195637@N00/2322127250• http://www.flickr.com/photos/lwr/305130907/sizes/z/in/photostream/• http://www.flickr.com/photos/baboon/4116381/sizes/z/in/photostream/• http://www.flickr.com/photos/mrlederhosen/4283136097/sizes/l/in/photostream/• http://www.flickr.com/photos/30799995@N00/4348942883• http://www.flickr.com/photos/proimos/4199675334/sizes/z/in/photostream/• http://www.flickr.com/photos/ianvisits/4000931824/sizes/z/in/photostream/• http://www.flickr.com/photos/21446836@N00/3117966481• http://www.flickr.com/photos/41754875@N00/1996389857• http://www.flickr.com/photos/baboon/2057927/sizes/z/in/photostream/• http://www.flickr.com/photos/baboon/2057927/sizes/z/in/photostream/• http://www.flickr.com/photos/limowreck666/223731385/sizes/z/in/photostream/• http://www.flickr.com/photos/72429059@N00/2982093881• http://www.flickr.com/photos/qusic/3370510628/sizes/z/in/photostream/• http://www.flickr.com/photos/ubookworm/71288675/sizes/z/in/photostream/• http://www.flickr.com/photos/8395041@N02/2505803867
Contact• Twitter: @nmerrigan• Blog: http://www.certsandprogs.com• Email – via blogResourcesContact Details Twitter

Defensive programming 101

by Niall Merrigan

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 1,943

Statistics

Defensive programming 101 Presentation Transcript

Let LinkedIn power your SlideShare experience

Let LinkedIn power your SlideShare experience

Customize SlideShare content based on your interests

Keep up to date when your LinkedIn contacts post on SlideShare