@ITCAMPRO
.NET Security
Solution Architect , Microsoft Azure MVP
iQuest Technologies
@Radu Vunvulea
Agenda
17:45 - 18:00 - Registration (coffee and beverages)
18:00 - 19:00 - .NET Security (Radu Vunvulea)
19:00 - 19:30 - Break (coffee and beverages)
19:30 - 20:30 - Actor based concurrency with Elixir (Adrian Magdas)
20:30 - 21:00 - Networking (coffee and beverages)
Sponsors
WHAT IS THE FIRST THING THAT COMES TO YOUR MIND WHEN YOU SAY SECURITY?
Security
Connectivity
Transport
Communication
Payload
Data
Hardware
Security
Look at .NET security from another perspective
- Framework and packages -
Scope
• Error Logging Modules and Handlers
• Can be added to an application dynamically (an HTTP module and handler registered in web.config, no code changes)
• Logs unhandled exceptions
• Web page (elmah.axd) to see:
– All exceptions
– Details for each exception
– Review the yellow/blue screen of death even when customErrors is switched on and hides it from end users
ELMAH
• Username
• Cookies
– Including authentication cookies
• Tokens and access keys
Sensitive information
• All:
https://www.google.ro/search?q=inurl:elmah.axd+ASPXAUTH
• SQL Exception:
https://www.google.ro/search?q=inurl:elmah.axd+SqlException
• SQL SELECT:
https://www.google.ro/search?q=inurl:elmah.axd+select+where+from
Bing on Google
• After day 0 (the public disclosure), ELMAH announced that its security guidelines were updated to:
– Update the web app configuration (restrict who can reach the handler)
– Register the handler under a protected location (authorization on the elmah.axd path)
Post Day 0
The fix
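The web.config change the updated ELMAH guidance points at, shown here as an added example rather than material from the slides. The comments record the weak values the fix replaces; the role name "Admin" and the connection string name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the slides: locking down elmah.axd in web.config -->
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- Weak: allowRemoteAccess="1" serves the error pages to any remote client.
         "0" limits elmah.axd to requests from the local machine. -->
    <security allowRemoteAccess="0" />
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="elmah" />  <!-- connection string name assumed -->
  </elmah>

  <!-- Weak: the handler was registered globally with no <authorization> on its path,
       so Google could index the page. Here it lives inside a <location> that only
       authenticated users in the Admin role (assumed role) may reach. -->
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
      <!-- classic pipeline -->
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
    </system.web>
    <system.webServer>
      <!-- integrated pipeline -->
      <handlers>
        <add name="ElmahHandler" verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

With allowRemoteAccess="0" the page is only reachable from the server itself; if operators need it remotely, set it to "1" and rely on the authorization block, and check the result from an unauthenticated browser rather than trusting the config change.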
• More than 190,000 sites were still vulnerable, exposing:
• Internal stack traces
• SQL queries
• Access tokens
• Server variables
After the update (January 2013)
Combine with…
Invalid URL
Layers
Communication Layer
Transport Layer
Session Layer
Application Layer
Data Layer
• Updates
• Security and update procedures that ensure vulnerability hotfixes reach the production environments in near real time
What was missing on these sites
• Buffer overflows (collections)
• External libraries
• Calling unmanaged code
• Old cryptographic mechanisms
• Default, unsafe or shared cryptographic keys
• Ignoring security guidelines
Other vulnerabilities
• Security bulletin:
https://technet.microsoft.com/en-us/library/security/ms14-059
• .NET vulnerabilities:
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-2002/Microsoft-.net-Framework.html
Known Vulnerabilities List
• Hands-on examples:
https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
• Security best practices:
https://msdn.microsoft.com/en-us/library/fkytk30f(v=vs.110).aspx
Checklist
• Type-safe language
• Runs on top of the .NET platform (managed memory, bounds-checked arrays)
• You can introduce a memory-corruption vulnerability only if:
–> the .NET platform has a bug
–> an external library has a bug
–> you execute code outside the .NET platform (unsafe blocks, P/Invoke, COM)
• Logic flaws (injection, XSS, CSRF, over-posting) are still yours to make
C# - Specific coding security
Scan → Prioritize → Assess → Report → Fix → Verify
Security Vulnerability Procedure
Create a list of the software and packages you are using
Telerik Example
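The first step of that procedure, an inventory of what the application actually ships, as an added example that is not part of the slides. It reads a packages.config and flags packages older than a minimum you record after reading a vendor advisory; the package ids, versions and the minimum-safe table are constructed placeholders, not real advisory data.

```csharp
// Added example, not from the slides: inventory NuGet packages and flag old versions.
using System;
using System.Collections.Generic;
using System.Xml.Linq;

public class PackageEntry
{
    public string Id;
    public Version Version;
    public bool Flagged;   // true when the version is below the recorded minimum
}

public static class PackageInventory
{
    // Assumed: minimum safe versions taken from the vendor's advisory.
    // "Example.Widgets" and 2.1.0 are placeholders for the demo.
    static readonly Dictionary<string, Version> MinimumSafe =
        new Dictionary<string, Version>(StringComparer.OrdinalIgnoreCase)
        {
            { "Example.Widgets", new Version("2.1.0") },
        };

    public static List<PackageEntry> Scan(string packagesConfigXml)
    {
        var result = new List<PackageEntry>();
        var doc = XDocument.Parse(packagesConfigXml);
        foreach (var p in doc.Descendants("package"))
        {
            string id = (string)p.Attribute("id");
            string raw = (string)p.Attribute("version");
            // A prerelease tag (1.0.0-beta) cannot be parsed by System.Version; strip it and
            // compare on the numeric part. Version.Parse needs at least "major.minor".
            Version v = Version.Parse(raw.Split('-')[0]);
            Version min;
            bool flagged = MinimumSafe.TryGetValue(id, out min) && v < min;
            result.Add(new PackageEntry { Id = id, Version = v, Flagged = flagged });
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample packages.config for the demo
        const string sample = @"<?xml version=""1.0"" encoding=""utf-8""?>
<packages>
  <package id=""Example.Widgets"" version=""2.0.3"" targetFramework=""net45"" />
  <package id=""Example.Widgets.Extras"" version=""1.0.0-beta"" targetFramework=""net45"" />
</packages>";

        foreach (var e in Scan(sample))
            Console.WriteLine("{0} {1} {2}", e.Id, e.Version, e.Flagged ? "UPDATE" : "ok");
    }
}
```

Run it against every packages.config (or the PackageReference items of each .csproj) in the solution and feed the flagged rows into the Prioritize step; transitive dependencies are not in packages.config, so the .NET Framework, the OS and native external references still need their own inventory.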
• Application
• OS
• .NET Framework
• NuGet packages
• Dependencies
• External references
Things that we shall update
• Cross Site Scripting (XSS)
– Active injection
– Passive injection
• Session hijacking
– via XSS
• Cross Site Request Forgery
– Confused deputy
• Over-posting
• Over-redirection
Exploiting ASP.NET MVC
Cross Site Scripting (XSS) - Active Injection
Cross Site Scripting (XSS) - Passive Injection
Runs on the screen of another user
Session Hijacking
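The cookie settings that decide what a script injected through XSS can steal and whether the session cookie ever travels in clear text, as an added example that is not from the slides. The comments give the weak values; the login URL and timeouts are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the slides: cookie hardening against session hijacking -->
<configuration>
  <system.web>
    <!-- Weak: httpOnlyCookies="false" requireSSL="false" (the defaults).
         HttpOnly keeps document.cookie from reading the cookie; requireSSL keeps it off HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- Weak: requireSSL="false" and a long sliding expiration keep a stolen ticket alive.
           Login URL and timeout are assumptions. -->
      <forms loginUrl="~/Account/Login" requireSSL="true"
             slidingExpiration="false" timeout="20" cookieless="UseCookies" />
    </authentication>

    <!-- Weak: cookieless="AutoDetect" puts the session id in the URL, where it leaks via
         Referer headers and logs. -->
    <sessionState cookieless="UseCookies" regenerateExpiredSessionId="true" timeout="20" />
  </system.web>
</configuration>
```

ASP.NET does not issue a new session id on login by itself, so a site that stores sensitive state in Session should also abandon the pre-login session and clear its cookie when the user authenticates, otherwise a fixated id survives the login.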
http://softpedia.com/account/?newpassword=MyPasswordIsSecret
• Posting on a public site (forum):
“Did you hear that someone is offering free
Uber rides using a special code”
• After a while another post comes:
“Just found the special code, link”
Cross Site Request Forgery
• Somebody can append "PricePerItem = 1" to the form post and the default model binder will accept it
Over-posting
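The CSRF and over-posting slides in one ASP.NET MVC controller, with the vulnerable action beside its hardened version. This is an added example, not code from the slides; the Order type, the action names and the in-memory store are assumptions.

```csharp
// Added example, not from the slides: CSRF and over-posting, vulnerable and hardened.
using System.Collections.Generic;
using System.Web.Mvc;

public class Order
{
    public int Id { get; set; }
    public int Quantity { get; set; }
    public decimal PricePerItem { get; set; }   // set by the server from the catalogue, never by the client
}

// View model: only the fields the form is allowed to change.
public class OrderUpdate
{
    public int Id { get; set; }
    public int Quantity { get; set; }
}

public class OrderController : Controller
{
    // In-memory store standing in for a database (demo only).
    static readonly Dictionary<int, Order> Store = new Dictionary<int, Order>
    {
        { 1, new Order { Id = 1, Quantity = 1, PricePerItem = 49.99m } }
    };

    // Vulnerable on two counts:
    //  - any verb, no anti-forgery check: a link or auto-submitting form on another site
    //    (the "special code" post from the CSRF slide) changes state with the victim's cookie;
    //  - the default binder fills every public property of Order, so adding the field
    //    PricePerItem=1 to the request rewrites the price.
    public ActionResult UpdateVulnerable(Order order)
    {
        Store[order.Id] = order;
        return RedirectToAction("Index");
    }

    // Hardened: POST only; the token in the form (rendered by @Html.AntiForgeryToken())
    // must match the __RequestVerificationToken cookie, which another origin cannot read;
    // binding is limited to the view model, so PricePerItem is never read from the request.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(OrderUpdate input)
    {
        if (!ModelState.IsValid)
            return View(input);

        Order order;
        if (!Store.TryGetValue(input.Id, out order))
            return HttpNotFound();

        order.Quantity = input.Quantity;   // the price stays the server's copy
        return RedirectToAction("Index");
    }

    // Alternative when the entity must be bound directly:
    // public ActionResult Update([Bind(Include = "Id,Quantity")] Order order) { ... }

    public ActionResult Index()
    {
        return View(Store.Values);
    }
}
```

The view model approach is preferable to [Bind(Include = ...)] because a property added to Order later is excluded by default rather than silently becoming bindable; the anti-forgery attribute only helps if every state-changing action carries it, and the GET-based password change from the CSRF slide would still be forgeable regardless of tokens.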
• Security is important
• You will never be bulletproof
• Assess and prioritize first
• Use OWASP resources
Conclusion
Questions & Answers
{
  "name": "Radu Vunvulea",
  "blog": "vunvulearadu.blogspot.com",
  "email": "vunvulear@outlook.com",
  "socialMedia": {
    "twitter": "@RaduVunvulea",
    "fb": "radu.vunvulea"
  }
}


Editor's Notes

  • #11 http://bonusroundapi.azurewebsites.net/elmah.axd