This presentation includes information about different attacks on an asp.net web application and how to secure from those attacks.

1. Hack Proof Your ASP.NET Applications
By Sarvesh Kushwaha

2. Content Spoofing
• Content Spoofing is an attack technique that allows an attacker to inject a malicious payload that is
later misrepresented as legitimate content of a web application.
• Text Only Content Spoofing (Dynamic pages build from query string values e.g. error pages, story websites, news)
Example : http://foo.com/news?id=123&title=company+stock+rises
http://foo.com/news?id=123&title=company+filing+bankrupcy
• HTML Markup Reflected Content spoofing (Change the dynamic src tag on a website (iframe src,img src) )
Example : http://foo.com/Sarvesh?ProfileImage=http://validGravatar.com/abc.jpeg
http:// foo.com/Sarvesh?ProfileImage=http://naughty.com/abc.jpeg
• Prevent content spoofing
• For Data transmission use post (sensitive data should be transmit in POST request)
• Validate user input (Avoid URL from diff sources)
• Encode user input
• Encrypt sensitive data in query string (Not recommended)

3. XPath Injection
• XPath is used to navigate through elements and attributes in an XML document.
• Exploit : Lets suppose your login screen validating from XML and your XML is as follows :
<?xml version="1.0" encoding="utf-8" ?>
<Users>
<user> <id>Sarvesh</id> <password>12345</password> <age> 80</age> </user>
<user> <id>Thor</id> <password>asgard</password> <age>100</age> </user>
</Users>
Now an attacker can pass login and password values as follows to make your code condition true.
„ or „1‟ = „1‟
XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("...");
XPathNavigator nav = XmlDoc.CreateNavigator();
XPathExpression expr =
nav.Compile("string(//user[id/text()='"+TextBox1.Text+"'
and
password/text()='"+TextBox2.Text+"']/account/text())")'
String account=Convert.ToString(nav.Evaluate(expr));
if (account=="") { }
Prevention :
• Precompile your xpath expression (XPathExpression.Compile)
• Use MVP.XML (Precompiled and AddVariable)
• Use of parameterized XPath queries
• Use of custom error pages(Don‟t disclose too much
information)
• Use replace method to replace “‟” sign
• Validate user input
• Use XPathExpression.SetContext() for variable use

4. XXE (XML External Entity)
An XML External Entity attack is a type of attack against an application that parses XML input. This attack
occurs when XML input containing a reference to an external entity is processed by a weakly configured
XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side
request forgery, port scanning from the perspective of the machine where the parser is located, and other
system impacts. [OWASP]
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ //Using DTD
<!ENTITY xxeattack SYSTEM "file:///system/FinancialData"> ]>
<xxx>&xxeattack;</xxx>
Now In HTTPResposne you can see the password file
Prevention from XXE Attack :
• Prior to .NET 4.0 set prohibitDTD property to true for XMLReaderSettings , set XMLResolver to null for XMLDocument
• After .NET 4.0 use DTDProcessing.prohibit for XmlReaderSettings, set XMLResolver to null for XMLDocument
• Use configurable XML Parser and configure it to ignore certain entities
• Validate your XML Data
• For More Detail Visit OWASP CheatSheet

5. Brute Force Attack
• It‟s a try try until you succeed attack by applications to decode encrypted data , keys, sensitive data.
• Popular tools for Brute Force Attack ;
• Aircrack-ng (For wifi)
• John The Ripper (For passwords)
• Rainbow Crack
• Cain and Abel
• Lopht crack (For windows)
• Crack
• Prevention from Brute Force Attack
• Locking accounts (Like any Bank do)
• Use Captcha
• Block suspicious IP
• Dynamic IP Restrictions Extension for IIS
• Diff Login username and passwords
• Forcing secure passwords (1Usabcd@) dictionary attacker will cry 

6. Hack Proof Your ASP.NET Applications
• Hack Proof Your ASP.NET Applications From SQL Injection
• Hack Proof Your ASP.NET Application From Cross Site Scripting (XSS)
• Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)
• Hack proof your ASP.NET applications from Sensitive Data Exposure and
Information Leakage
• Hack proof your asp.net applications from Session Hijacking
• Hack proof your JavaScript using JavaScript Obfuscation in ASP.NET
applications

7. Security Testing for ASP.NET Applications
• OWASP Zed Attack Proxy (ZAP)
• Fiddler with Watcher and X5S extensions
• Wapiti
• W3af
• Skip fish
• Arachni
• OWASP Vulnerability Testing Tools
• OWASP Phoenix tools List

8. Sarvesh Kushwaha | | | | | |