The document discusses various web security topics such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and parameter tampering. It provides examples of these vulnerabilities and methods to prevent them, including input validation, output encoding, anti-forgery tokens, and limiting exposed functionality. The document is intended as an educational guide on common web security issues and best practices.
This Express Js tutorial will walk you through what express js is, what we can do with it, features of express js and companies that are hiring express js developers. Express Js is a Node Js framework which helps to write the API’s very efficiently. It’s a awesome framework of node js which is helping Backend development so much and it provides wide set of features to develop both web and mobile applications it is used to build single page, multipage and hybrid web applications.
This presentation walks through essential points for developing and working with REST APIs or web services to communicate through various platforms. This also explains HTTP methods.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
This Express Js tutorial will walk you through what express js is, what we can do with it, features of express js and companies that are hiring express js developers. Express Js is a Node Js framework which helps to write the API’s very efficiently. It’s a awesome framework of node js which is helping Backend development so much and it provides wide set of features to develop both web and mobile applications it is used to build single page, multipage and hybrid web applications.
This presentation walks through essential points for developing and working with REST APIs or web services to communicate through various platforms. This also explains HTTP methods.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
https://www.youtube.com/watch?v=lKrbeJ7-J98
HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server.
Swagger is a simple yet powerful representation of your RESTful API. With the largest ecosystem of API tooling on the planet, thousands of developers are supporting Swagger in almost every modern programming language and deployment environment. With a Swagger-enabled API, you get interactive documentation, client SDK generation and discoverability.
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
Java 8 Stream API. A different way to process collections.David Gómez García
A look on one of the features of Java 8 hidden behind the lambdas. A different way to iterate Collections. You'll never see the Collecions the same way.
These are the slides I used on my talk at the "Tech Thursday" by Oracle in June in Madrid.
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
Introduction
Impact of XSS attacks
Types of XSS attacks
Detection of XSS attacks
Prevention of XSS attacks
At client side
At Server-side
Conclusion
References
https://www.youtube.com/watch?v=lKrbeJ7-J98
HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server.
Swagger is a simple yet powerful representation of your RESTful API. With the largest ecosystem of API tooling on the planet, thousands of developers are supporting Swagger in almost every modern programming language and deployment environment. With a Swagger-enabled API, you get interactive documentation, client SDK generation and discoverability.
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
Java 8 Stream API. A different way to process collections.David Gómez García
A look on one of the features of Java 8 hidden behind the lambdas. A different way to iterate Collections. You'll never see the Collecions the same way.
These are the slides I used on my talk at the "Tech Thursday" by Oracle in June in Madrid.
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
Introduction
Impact of XSS attacks
Types of XSS attacks
Detection of XSS attacks
Prevention of XSS attacks
At client side
At Server-side
Conclusion
References
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an
important technique for detecting software vulnerabilities already
at an early stage in the software development life-cycle. As such,
SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor,
such as SAP, creates both technical as well as non-technical
challenges. Technical challenges include high false positive and
false negative rates. Examples of non-technical challenges are the
insufficient security awareness among the developers and managers
or the integration of SCA into a software development life-cycle
that facilitates agile development. Moreover, software is not
developed following a greenfield approach: SAP's security
standards need to be passed to suppliers and partners in the same
manner as SAP's customers begin to pass their security standards
to SAP.
In this paper, we briefly present how the SAP's Central Code
Analysis Team introduced SCA at SAP and discuss open problems in
using SCA both inside SAP as well as across the complete software
production line, i.e., including suppliers and partners.
Finding a good .Net Developer can be a challenge. With this course, you will gain insight on how to find good candidates for your company or you clients. We cover the basics of .Net as well as many great interview questions. Check it out today!
This presentation gives the brief overview of the procedure that needs to be followed for performing manual code review while assessing the security of an application/service. There are two parts for this presentation. This first part covers some vulnerabilities and the second part covers remaining vulnerabilities.
Secure Code Review is the best approach to uncover the most security flaws, in addition to being the only approach to find certain types of flaws like design flaws. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application. You will get an introduction to Static Code Analysis tools and how you can automate some parts of the process using tools like FxCop.
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up on 21 Feb 2015
Watch the screen recording of this presentation at https://vimeo.com/120481276
Writing secure applications is critical. Whether you're writing code at the SMT level, MivaScript level, server level or anywhere else, it's important to keep security in mind. Come in and learn how to mitigate exploits, initiate exploits, and learn about incidence handling.
Protecting Your Web Site From SQL Injection & XSSskyhawk133
The UNM Information Architects and the UNM Arts LAB invite you to to a presentation by ABQ Web Geeks' own Chris Kenworthy at the UNM SUB this Wednesday the 27th of August.
Chris will be discussing SQL Injection and Cross Site Scripting Vulnerabilities.
These types of attacks against websites are both common and potentially devastating. Chris will bring us up to speed on them and give us some tips on how to prevent them.
Please mark your calendars for Wednesday, August 27 from 10:00 - 11:30 at the UNM Student Union Building, Lobo Rooms A & B.
Application and Website Security -- Fundamental EditionDaniel Owens
This is the first presentation in the 200 level, specifically targeting developers with a more hardcore training program. This program includes numerous case studies and live demonstrations and is considered technical, but does not require a working knowledge of the languages discussed.
Learn how to exploit security vulnerabilities that are commonly found in the arsenal of malicious attackers. We won't simply talk about issues like XSS, CSRF and SQL Injection, but will have live demos showing how hackers exploit these potentially devastating defects using freely available tools. You'll see how to hack a real world open source application and explore bugs in commonly used open source frameworks. We also look at the source code and see how to fix these issues using secure coding principles. We will also discuss best practices that can be used to build security into your SDLC. Java developers and architects will learn how to find and fix security issues in their applications before hackers do.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
What is it?
How to prevent?
How to test my application web?
what say OWASP about it
All about SQL injection and Cross Site Scripting XSS
Tools to test our application web
Rules to prevent attacks from Hackers on our web
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
ASP.NET Web Security
1. Web Security
SQL Injection, XSS, CSRF, Parameter
Tampering, DoS Attacks, Session
Hijacking
SoftUni Team
Radi Atanassov
Software University
http://softuni.bg
2. C:usersradi>whoami
Radi Atanassov
Microsoft Certified Master:
SharePoint 2010
Microsoft Certified Solutions
Master
Microsoft MVP - SharePoint
Microsoft Certified Trainer
Owner - OneBit Software
Web Platform User Group Lead
Certified Scrum Master
Microsoft Office Dev PnP Core
Team & P-TSP
3. 3
Web Security Main Concepts
Main Security Problems with Examples
SQL Injection
Cross Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Parameter Tampering
Other Threats
Server-Side Protection
Table of Contents
6. 6
Is Software Security a Feature?
Most people consider software security as a necessary feature of
a product
Is Security Vulnerability a Bug?
If the software "failed" and allowed a hacker to see personal info,
most users would consider that a software bug
Feature or Bug
7. 7
Not enough time or money
No quality over development
Lack of penetration testing in the industry
Redundant solutions are expensive
Software failures usually happen spontaneously
Without intentional mischief
Failures can be result of malicious attacks
For the Challenge/Prestige
Curiosity driven
Aiming to use resources
Vandalizing
Stealing
Reasons for Failures
9. 9
We use a secure hosting provider
We are not a bank
We are too busy and don’t have time
We are too small
We are using a stable platform like Java, PHP, ASP.NET
Real-Life Excuses
* Bonus content
10. 10
Maximum Simplicity
More complicated – greater chance for mistakes
Secure the Weakest Link
Hackers attack where the weakest link is
Limit the Publicly Available Resources
Incorrect Until Proven Correct
Consider each user input as incorrect
The Principle of the "Weakest Privilege"
Security in Errors (Remain stable)
Provide Constant Defense (also use backups)
Golden Rules!
11. 11
The Open Web Application Security Project (OWASP) is a not-
for-profit org. focused on improving the security of software,
make software security visible, so that individuals and
organizations worldwide can make informed decisions about
true software security risks.
https://www.owasp.org
* Bonus content
12. 12
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
Top 10 Web Security Vulnerabilities
* Bonus content
14. 14
Try the following queries:
' crashes
'; INSERT INTO Messages(MessageText, MessageDate) VALUES
('Hacked!!!', '1.1.1980') injects a message
What is SQL Injection?
protected void ButtonSearch_Click(object sender, EventArgs e)
{
string searchString = this.TextBoxSearch.Text;
string searchSql = "SELECT * FROM Messages WHERE
MessageText LIKE '%" + searchString + "%'";
MessagesDbContext dbContext = new MessagesDbContext();
var matchingMessages =
dbContext.Database.SqlQuery<Message>(searchSql).ToList();
this.ListViewMessages.DataSource = matchingMessages;
this.DataBind();
}
15. 15
The following SQL commands are executed:
Usual search (no SQL injection):
SQL-injected search (matches all records):
SQL-injected INSERT command:
How Does
SQL Injection Work?
SELECT * FROM Messages WHERE MessageText LIKE '%atanassov%'"
SELECT * FROM Messages WHERE MessageText LIKE '%%%%'"
SELECT * FROM Messages WHERE MessageText
LIKE '%'; INSERT INTO Messages(MessageText, MessageDate)
VALUES ('Hacked!!!', '1.1.1980') --%'"
SELECT * FROM Messages WHERE MessageText LIKE '%' or 1=1 --%'"
16. 16
Original SQL Query:
Setting username to Admin & password to ' OR '1'= '1 produces
The result:
If a user Admin exists – he is logged in without password
Another SQL Injection Example
String sqlQuery = SELECT * FROM user WHERE name =
'Admin' AND pass='' OR '1'='1'
String sqlQuery = "SELECT * FROM user WHERE name = '" +
username + "' AND pass='" + password + "'"
* Bonus content
17. 17
Username: radi
Password: test
-> SELECT * FROM users WHERE name = ‘radi’ AND pass=‘test’
Username: ‘ OR 1=1; /*
Password: */ --
-> SELECT * FROM users WHERE name=‘’ OR 1=1; /* ‘ AND pass=‘*/’
Another SQL Injection Example
18. 18
Ways to prevent the SQL injection:
SQL-escape all data coming from the user:
Not recommended: use as last resort only!
Preferred approach:
Use ORM (e.g. Entity Framework)
Use parameterized queries
Preventing SQL Injection
string searchSql = @"SELECT * FROM Messages
WHERE MessageText LIKE {0} ESCAPE '~'";
string searchString = "%" +
TextBoxSearch.Text.Replace("~", "~~").Replace("%", "~%") + "%";
MessagesDbContext dbContext = new MessagesDbContext();
var matchingMessages = dbContext.Database.SqlQuery<Message>(searchSql, searchString);
20. Stored Procedures & ORM
ALTER PROCEDURE dbo.SearchWidgets
@SearchTerm VARCHAR(50)
AS BEGIN
DECLARE @query VARCHAR(100)
SET @query = 'SELECT Id, Name FROM dbo.Widget WHERE Name LIKE ''%'
+ @SearchTerm + '%'''
EXEC(@query)
END
20
var searchTerm = Request.QueryString["SearchTerm"];
var db = new WidgetEntities();
var widgets = db.SearchWidgets(searchTerm);
SELECT Id, Name FROM dbo.Widget WHERE Name LIKE '%Radi' or 1=1;--%'
* Bonus content from: http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
21. 21
Encrypt your DB connection: https://technet.microsoft.com/en-
us/library/ms189067.aspx (Use SSL for connections to MS SQL
Server)
Do not use username/password in your connection string!
-> use service accounts
-> use ApplicaitonPoolIdentity and give access to “IIS
APPPOOLAppPoolName”
Run under a “least privilege” account
Avoid query concatenation at almost all costs.
BONUS: SQL Security Hardening
* Bonus content
25. 25
Cross-site scripting (XSS) is a common security vulnerability in Web
applications
Web application is let to display a JavaScript code that is executed at
the client's browser
Crackers could take control over sessions, cookies, passwords, and other
private data
How to prevent from XSS?
Validate the user input (built-in in ASP.NET)
Perform HTML escaping when displaying text data in a Web control
XSS Attack
27. 27
ASP.NET applies automatic request validation
Controlled by the ValidateRequest attribute of Page
directive
Checks all input data against a hard-coded list of potentially
dangerous values
The default is true
Using it could harm the normal work on most applications
E.g. a user posts JavaScript code in a forum
Escaping is a better way to handle the problem
Automatic Request Validation
500 Internal Server Error: A potentially dangerous
Request.Form value was detected from the client (…)
28. 28
ASP.NET WebForms
Disable the HTTP request validation for all pages in Web.config
(in <system.web>):
ASP.NET MVC
Using the ValidateInput filter we can disable validation for an
action or entire controller
Disable Request Validation
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
[ValidateInput(false)]
public ActionResult XssMvc(string someInput) { … }
29. 29
Database varchar (not nvarchar)
‘%uFF1C’ converted to angle bracket in DB (<)
Aka “Smuggling”
Request Validation loophole
* Bonus content
30. 30
HTML escaping is the act of replacing special characters with
their HTML entities
Escaped characters are interpreted as character data instead of
mark up
Typical characters to escape
<, > – start / end of HTML tag
& – start of character entity reference
', " – text in single / double quotes
…
What is HTML Escaping?
31. 31
Each character could be presented as HTML entity escaping sequence
Numeric character references:
'λ' is λ, λ or λ
Named HTML entities:
'λ' is λ
'<' is <
'>' is >
'&' is &
" (double quote) is "
HTML Character Escaping
32. 32
HttpServerUtility.HtmlEncode
HTML encodes a string and returns the encoded (html-safe) string
Example (in ASPX):
HTML Output:
Web browser renders the following:
How to Encode HTML Entities?
<%response.write(Server.HtmlEncode("The image tag: <img>"))%>
The image tag: <img>
The image tag: <img>
<%: "The image tag: <img>" %>
33. 33
The Razor template engine in ASP.NET MVC escapes everything
by default:
To render un-escaped HTML in MVC view use:
Preventing XSS in ASP.NET MVC
@{ ViewBag.SomeText = "<script>alert('hi')</script>"; }
@ViewBag.SomeText
<script>alert('hi')</script>
@{ ViewBag.SomeText = "<script>alert('hi')</script>"; }
@Html.Raw(ViewBag.SomeText)
<script>alert('hi')</script>
34. 34
Starting from ASP.NET 4.0:
WebForms: <span><%: untrustedData %></span>
MVC: <span>@untrustedData</span>
Starting from ASP.NET 4.5:
<asp:TemplateField HeaderText="Name">
<ItemTemplate><%#: Item.Products.Name %></ItemTemplate>
</asp:TemplateField>
Encoding in ASP.NET
* Bonus content
35. 35
ASP.NET encoding methods use a black-listing technique
White-list approach: use the Anti-Cross Site Scripting Library
from Microsoft
ASP.NET 4.5+ :
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />
ASP.NET 4.0- :
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder,
AntiXssLibrary" />
Inherit HttpEncoder
Using AntiXSSEncoder
* Bonus content
41. 41
Cross-Site Request Forgery (CSRF / XSRF) is a web security
attack over the HTTP protocol
Allows executing unauthorized commands on behalf of some
authenticated user
E.g. to transfer some money in a bank system
The user has valid permissions to execute the requested
command
The attacker uses these permissions to send a forged HTTP
request unbeknownst to the user
Through a link / site / web form that the user is allured to open
What is CSRF?
42. 42
How does CSRF work?
1. The user has a valid authentication cookie for the site victim.org
(remembered in the browser)
2. The attacker asks the user to visit some evil site, e.g. http://evilsite.com
3. The evil site sends HTTP GET / POST to victim.org and does something
evil
Through a JavaScript AJAX request
Using the browser's authentication cookie
4. The victim.org performs the unauthorized command on behalf of the
authenticated user
CSRF Explained
43. 43
Cross-site request forgery attack
CSRF
Evil.com
MySite.com
User
Submit data on behalf of User
45. 45
One site refers scripts from another:
webapp.com site includes .JS from bankservice.com
User is authenticated on both with cookie
JSONP used to send data across domains
Hacker.com includes .JS from bankservice.com
User tricked to Hacker.com leads to user data leakage
BONUS: Cross Site Script Inclusion (XSSI)
* Bonus content
46. 46
To prevent CSRF attacks in MVC apps use
anti-forgery tokens (aka NONCE token)
Put the anti-CSRF token in the HTML forms:
Verify the anti-CSRF token in each controller action that should be
protected:
Prevent CSRF in ASP.NET MVC
@using (@Html.BeginForm("Action", "Controller"))
{
…
@Html.AntiForgeryToken()
}
[ValidateAntiForgeryToken]
public ActionResult Action(…)
{ … }
47. 47
In jQuery AJAX requests use code like this:
Send the token in the AJAX requests:
Prevent CSRF in AJAX Requests
<%-- used for ajax in AddAntiForgeryToken() --%>
<form id="__AjaxAntiForgeryForm" action="#"
method="post"><%= Html.AntiForgeryToken()%></form>
$.ajax({
type: "post",
dataType: "html",
url: …,
data: AddAntiForgeryToken({ some-data })
});
48. 48
Http Header:
Content-Security-Policy: script-src 'self'
Whitelist trusted locations for content
Show errors when there are violations
Supports variants:
script-src; style-src; frame-src; connect-src
Growing browser support
Content Security Policy
* Bonus content
49. 49
Indicate if a browser should be allowed to render a page in a <frame>,
<iframe> or <object>
DENY
The page cannot be displayed in a frame, regardless of the site
attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the
page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
Can prevent ClickJack attacks
The X-Frame-Options header
* Bonus content
52. 52
In Web Forms just add the following code in your Site.Master.cs:
It changes the VIEWSTATE encryption key for all pages when there is a
logged-in user
In the VS 2013 Web Forms app template, there is already CSRF
protection in Site.master.cs
Prevent CSRF in Web Forms
protected override void OnInit(EventArgs e) {
base.OnInit(e);
if (Page.User.Identity.IsAuthenticated)
{
Page.ViewStateUserKey = Session.SessionID;
}
}
54. 54
What is Parameter Tampering?
Malicious user alters the HTTP request parameters in unexpected
way
Altered query string (in GET requests)
Altered request body (form fields in POST requests)
Altered cookies (e.g. authentication cookie)
Skipped data validation at the client-side
Injected parameter in MVC apps
What is Parameter Tampering?
55. 55
URL is http://www.dumbsite.com/ShowUserProfile/666
Changed to http://www.dumbsite.com/ShowUserProfile/667
667…N
Result: Information leakage.
Tampering example
* Bonus content
57. 57
MVC is stateless – no real protection
WebForms is much better – ViewState & Event Validation
Looking at Request.UrlReferrer is not sufficient!
Parameter encryption
([Bind(Include = "Name, Email, CommentText")] &
[Bind(Exclude)]
Only real solution – validate if the user can retrieve or update
the data – [Authorize] is not enough!
Preventing Parameter Tampering
* Bonus content
58. Key learning:
There is no such thing as
Security Through Obscurity
(STO)
* Bonus content
64. 64
Hosted on non-SSL site
Accesses data and sends credentials
Real life: Old Subway.bg site
Flash in ASP.NET
* Bonus content
65. JSON responses
Don’t return DB objects
public JsonResult Search() /* Exposed to Hack */
{
/* I am passing whole 'Users' object */
return Json(new dbContext().Users);
}
public JsonResult Search() /* Secured */
{
/* I am passing required fields only, not whole object!! */
return Json(new dbContext().Users.Select(u => new{u.UserName, u.FullName}));
}
65
* Bonus content
66. 66
Don’t use :
the “unsafe” keyword
unsafe API’s, like the “Marshal” class unless you *really* know
what you are doing
StructLayoutKind.Explicit
Buffer Overflow
* Bonus content
67. 67
Use cookies
<forms protection="All" > (encryption and validation)
Use SHA1 for HMAC Generation and AES for Encryption
requireSSL="true“ httpOnlyCookies=”true”
Do Not Persist Forms Authentication Cookies
Use a Fixed Expiration and have it low
Cross-subdomain attack!
Use Distinct Cookie Names and Paths
Now called ASP.NET Identity, across all frameworks
ASP.NET Forms Authentication
* Bonus content
68. 68
Semantic URL attacks
URL Manipulation (Weev, AT&T)
Man in the Middle (MiTM)
Session Hijacking (easy if part of the URL)
Always use SSL when sending sensitive data
Never redirect to HTTPS
Insufficient Access Control
Error messages can reveal information
Denial of Service (DoS and Ddos and Hash Dos)
Brute force (use CAPTCHA!)
Phishing
Security flows in other software you are using
Social Engineering
Other Threats
69. MitM - The importance of
HTTPS
Live Demo – Code from Troy Hunt
70. 70
Custom Errors -> On
<customErrors mode="On" defaultRedirect="~/Error.aspx" />
Request Validation -> On
Hash DoS patch MS11-100
ELMAH
Tracing off
Securing ASP.NET Summary - #1
<pages validateRequest="false" />
Page Level <%@ Page Language="C#" ValidateRequest="false" %>
* Bonus content
71. 71
Constrain All Input (whitelist)
Encode All HTML Output
Encode All URL Output
Validate Unicode Characters
Verify HTML Output that Includes Input Parameters
HTTPS only!
Remove the version header - MvcHandler.DisableMvcResponseHeader = true;
Remove the version header - HttpContext.Current.Response.Headers.Remove("Server");
Decorate with PrincipalPermission to prevent unrestricted URL access
Securing ASP.NET Summary - #2
* Bonus content
72. 72
Use IsLocalUrl() on login pages
FormsService.SignIn(model.UserName, model.RememberMe);
if (IsLocalUrl(returnUrl)) {
Use the AntiForgeryToken on every form post to prevent CSRF
attacks
Use ValidateAntiForgeryToken on Controllers
[ValidateAntiForgeryToken] public ViewResult Update()
Validate access to retrieved or edited data
Securing ASP.NET Summary - #3
* Bonus content
73. 73
Use Command Parameters for SQL Queries
Use a Least-Privileged Database Account
Use an ORM
Securing ASP.NET Summary – SQL - #4
* Bonus content
74. 74
patterns & practices Security Guidance for Applications Index
(https://msdn.microsoft.com/en-us/library/ff650760.aspx )
XSRF/CSRF Prevention in ASP.NET MVC and Web Pages
(http://www.asp.net/mvc/overview/security/xsrfcsrf-
prevention-in-aspnet-mvc-and-web-pages )
Security Considerations (Entity Framework)
https://msdn.microsoft.com/en-
us/library/vstudio/cc716760(v=vs.110).aspx
Reading #1
* Bonus content
77. 77
Contains lots of sensitive info
Connection Strings
Never use clear text passwords
OAuth: ClientID & ClientSecret
Payment gateway secrets
Web.Config
* Bonus content
78. 78
Never store clear text passwords anywhere
ASP.NET Forms Authentication database should be safe, uses
Salt + Hash
Least-privilege SQL permissions
Password Storage and Databases
79. 79
DLL files
Can be reflected
Can be replaced!
Signing of assemblies
Assemblies
* Bonus content
80. 80
ASP.NET Web pages and code files are compiled dynamically
Stored in
%SystemRoot%Microsoft.NETFrameworkversionTemporary
ASP.NET Files folder
Can modify code at any point in time
No precompilation
* Bonus content
81. 81
Faster response time for users, because pages and code files do
not have to be compiled the first time that they are requested.
This is especially useful on large sites that are frequently
updated.
A means to identify compile-time bugs before users see a site.
The ability to create a compiled version of the site that can be
deployed to a production server without source code.
Stored in BIN folder
Still a risk!
Precompilation
* Bonus content
82. 82
Not precompiled by default
Can be with <MvcBuildViews>true</MvcBuildViews> in .csproj
file
ASP.NET 5 and MVC 6 have the RazorPreCompileModule
Razor Views
* Bonus content
83. 83
Central location for assemblies
Must be signed (good thing!)
.NET 4.0+ : %windir%Microsoft.NETassembly
.NET 4.0- : %windir%assembly
Trickier to install, needs privileges
Use gacutil.exe
You are already using it!
Need to use fully qualified assembly name:
System.Data.SqlClient.SqlConnection, System.Data,
Version=1.0.3300.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089
Global Assembly Cache
* Bonus content
84. 84
A “token” used to make the fully qualified assembly name
unique
A hash is generated from the important parts of an assembly
A signature private key is used to encrypt the hash
The signed hash is stored in the assembly with the public key
The public key will decrypt the signed hash
The CLR will generate a new hash and compare with the
decrypted hash
Public Key Token
* Bonus content
86. 86
Directory listing
File system ACL’s
Remove headers
Certificate management
Avoid HTTP to HTTPS redirect ***
HTTP Verb rules
Allowed files
Remove unnecessary modules and handlers
Avoid basic authentication for web services
Protecting IIS
* Bonus content
87. 87
Authentication protocols
Basic, Digest, NTLM, Kerberos, Certificate Auth
Claims, SAML, OAuth, OpenID Connect
Active Directory and Azure Active Directory
Service accounts, credential storage and least privilege
Hashing & encryption
Edge firewalls, perimeter networks and DMZ
TLS/SSL/IPSEC
So much more in Enterprise…
* Bonus content
88. 88
Data security and leakage
Automated hardening during deployment
Load-balancing and state management
Active Directory and Azure Active Directory
Intra-Farm Communication
SQL TDE
STRIDE & DREAD concepts
So MUCH more in Enterprise…
* Bonus content
90. License
This course (slides, examples, demos, videos, homework, etc.)
is licensed under the "Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International" license
Heavily modified by Radi Atanassov
90
Attribution: this work may contain portions from
"ASP.NET MVC" course by Telerik Academy under CC-BY-NC-SA license
91. Free Trainings @ Software University
Software University Foundation – softuni.org
Software University – High-Quality Education,
Profession and Job for Software Developers
softuni.bg
Software University @ Facebook
facebook.com/SoftwareUniversity
Software University @ YouTube
youtube.com/SoftwareUniversity
Software University Forums – forum.softuni.bg
Editor's Notes
(c) 2008 National Academy for Software Development - http://academy.devbg.org. All rights reserved. Unauthorized copying or re-distribution is strictly prohibited.*
Advanced Software Testing Vol. 1
Software Security Testing, Gary McGraw
+
Software Testing, Ron Patton
