The O2 Platform: Exploiting and Fixing Microsoft ASP.NET MVC Vulnerabilities

Michael Hidalgo
michael.hidalgo@owasp.org
Chapter Leader, OWASP Costa Rica
Contributor, OWASP O2 Platform Project
About Me

• Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
  – Developing software for financial institutions (FI, CU)
  – Web services, interoperability
• OWASP Costa Rica Chapter Leader
• Participation in the OData Protocol
• OWASP projects contributor
  – OWASP O2 Platform (Dinis Cruz)
  – REST Security Cheat Sheet (Jim Manico)
Why this presentation?

Software developers need tools!

But also because...

We software developers need a framework that helps us to write secure applications.
Agenda

• An overview of the O2 Platform
• An overview of the Microsoft ASP.NET MVC Framework
• A demo running the IE automation script against the Music Store MVC application
The O2 Platform

What is the O2 Platform?

The O2 Platform represents a new paradigm for how to perform, document and distribute web application security reviews.

O2 is designed to automate security consultants' knowledge and workflows, and to allow non-security experts to access and consume security knowledge.
• The project manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and has performed very interesting research.

• Some features of the O2 Platform:
  – Scripting engine and development environment
  – Black-box/browser-automation environment
  – Source code analysis environment
  – Data consumption and API generation

• More features:
  – Powerful search engine
  – Graphical engines
  – Multiple APIs
  – Integration with third parties
• A comprehensive UI!

• A look at the IE automation editor

• IE automation syntax:

    // "panel" is the host control O2 gives the script; clear it and add a sub-panel
    var topPanel = panel.clear().add_Panel();
    // Embed an IE browser (WatiN) in that panel; silent(false) keeps the browser window visible
    var ie = topPanel.add_IE().silent(false);
    // Drive the browser: open a page, then type into the form field named "q"
    ie.open("http://www.google.com");
    ie.field("q").Value = "OWASP Costa Rica";
    // O2 directives: extra source file and assembly the script is compiled with
    //O2File:WatiN_IE_ExtensionMethods.cs
    //O2Ref:WatiN.Core.1x.dll
    //O2Tag_DontAddExtraO2Files;
• O2 Platform inside the Visual Studio IDE

Where to get the O2 Platform?

• From the Visual Studio Gallery:
  http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
• Standalone installer:
  http://tiny.cc/O2Platform
• For more info on O2 see:
  – O2-related posts on Dinis Cruz's blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
  – O2 blog: https://o2platform.wordpress.com
MVC Architecture

Architecture of the World Wide Web
  • Addressable resources
  • Standard resource formats
  • Uniform interface for interacting with resources
  • Stateless and hyperlinking

Uniform Interface

  GET     • Retrieves a resource
          • Safe
          • Cacheable

  POST    • Creates a new resource
          • Unsafe; the effect of this verb is not defined by HTTP

  PUT     • Updates an existing resource
          • Also used for resource creation
          • Idempotent

  DELETE  • Removes a resource
          • Called N times, the same thing always happens (idempotent)
Web applications should embrace the Web!

• MVC is a standard design pattern that many developers are familiar with. Some types of web applications will benefit from the MVC framework.

• Some features:
  – Embrace the Web: MVC is a standards-compliant architecture that embraces the Web architecture.
  – Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to building applications rapidly.
  – Separation of concerns: this architecture is designed to separate responsibilities within your application.
  – Testability

Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
• MVC actors (diagram taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview)
• Models: model objects are the parts of the application that implement the logic for the application's data domain. They retrieve and store model state in databases. Examples are a Product model, a Customer model or a Speaker model.

• Views: components that display the application's user interface, created from model data. An example is editing a speaker's information, displaying text boxes for name and address.

• Controllers: components that handle user interactions, work with the model and select a view to render in the UI. They handle and respond to user input and interactions.
Vulnerabilities on top of the MVC Framework

• MVC applications are vulnerable to most of the attack vectors found in web applications (XSS, CSRF).
• Mass assignment (auto binding): this vulnerability can be found in Spring MVC and in the Microsoft ASP.NET MVC Framework.

Mass Assignment (aka Auto Binding)

• MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects.
• This vulnerability is a kind of parameter tampering.
• Model binding works by assigning HTML form fields to object properties.
Mass Assignment (aka Auto Binding)

• Let's take a look at the following model object:

    public class BlogMember
    {
        public string Name { get; set; }
        public string LastName { get; set; }
        public string EmailAddress { get; set; }
        public bool IsAdmin { get; set; }   // sensitive: must never be set from user input
    }

What can happen?

Someone could send an HTTP request using Fiddler2 or cURL:

    Request URL: http://yourBlog/register
    Request Method: POST
    Status Code: 200 OK......

    Name: Michael
    LastName: Hidalgo
    EmailAddress: michael.hidalgo@owasp.org
    IsAdmin: true
Running an O2 demo!!!
How to protect ourselves against mass assignment?

• Never trust user input!!!!
• Matching incoming parameters
• Using a ViewModel
• Protect your sensitive model properties (i.e. SSN, IDs, account numbers)

Matching incoming parameters

Protecting sensitive fields (using the Bind attribute)

Protecting sensitive fields (using the Bind attribute): blacklist
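The defences listed on these slides, written out as one added C# example against the BlogMember model shown earlier; this is not code from the slides or from the O2 project. It targets classic ASP.NET MVC (System.Web.Mvc); RegisterController, RegisterViewModel and MemberStore are assumed names, and RegisterUnsafe is the vulnerable "before" behind the "What can happen?" slide.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

namespace MassAssignmentDemo
{
    // The model from the slides: IsAdmin is the sensitive property that must never come from the request.
    public class BlogMember
    {
        public string Name { get; set; }
        public string LastName { get; set; }
        public string EmailAddress { get; set; }
        public bool IsAdmin { get; set; }
    }

    // "Using a ViewModel": a type that only carries what the registration form may send.
    // IsAdmin does not exist here, so the model binder has nothing to tamper with.
    public class RegisterViewModel
    {
        [Required] public string Name { get; set; }
        [Required] public string LastName { get; set; }
        [Required] public string EmailAddress { get; set; }
    }

    // Hypothetical in-memory store, so the example compiles without a database.
    public static class MemberStore
    {
        public static readonly List<BlogMember> Members = new List<BlogMember>();
        public static void Save(BlogMember member) { Members.Add(member); }
    }

    public class RegisterController : Controller
    {
        // VULNERABLE (the "What can happen?" slide): the whole entity is bound from the
        // request, so a POST that also carries IsAdmin=true registers an administrator.
        [HttpPost]
        public ActionResult RegisterUnsafe(BlogMember member)
        {
            MemberStore.Save(member);
            return RedirectToAction("Index");
        }

        // "Matching incoming parameters": only the named parameters are bound;
        // IsAdmin is decided in code, never by the client.
        // ValidateAntiForgeryToken covers the CSRF vector the slides also mention.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult RegisterExplicit(string name, string lastName, string emailAddress)
        {
            var member = new BlogMember
            {
                Name = name, LastName = lastName, EmailAddress = emailAddress, IsAdmin = false
            };
            MemberStore.Save(member);
            return RedirectToAction("Index");
        }

        // "Bind attribute" as a whitelist: properties not listed in Include are ignored
        // even when they are present in the POST body.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult RegisterWhitelist(
            [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
        {
            member.IsAdmin = false;   // do not rely on the default value alone
            MemberStore.Save(member);
            return RedirectToAction("Index");
        }

        // "Bind attribute" as a blacklist: Exclude names the properties that may not be bound.
        // Weaker than Include: every sensitive property added to the model later must be remembered here.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult RegisterBlacklist([Bind(Exclude = "IsAdmin")] BlogMember member)
        {
            MemberStore.Save(member);
            return RedirectToAction("Index");
        }

        // "Using a ViewModel": bind the form to the ViewModel, validate it, then copy
        // the allowed fields to the entity by hand.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Register(RegisterViewModel form)
        {
            if (!ModelState.IsValid) return View(form);
            var member = new BlogMember
            {
                Name = form.Name,
                LastName = form.LastName,
                EmailAddress = form.EmailAddress,
                IsAdmin = false
            };
            MemberStore.Save(member);
            return RedirectToAction("Index");
        }
    }
}
```

Of the four, the ViewModel and the explicit-parameter forms are the ones that stay safe when new sensitive properties are later added to BlogMember; Include and especially Exclude lists have to be maintained by hand.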
Q&A

Michael Hidalgo
michael.hidalgo@owasp.org

Infrastructure Challenges in Scaling RAG with Custom AI models
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 

O2 platform and ASP.NET MVC, by Michael Hidalgo

  • 1. The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities
       Michael Hidalgo, michael.hidalgo@owasp.org
       Chapter Leader, OWASP Costa Rica
       Collaborator, OWASP O2 Platform Project
  • 2. About Me
       • Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
         – Developing software for financial institutions (FI, CU)
         – Web services, interoperability
       • OWASP Costa Rica Chapter Leader
       • Participation in the OData Protocol
       • OWASP projects contributor
         – OWASP O2 Platform (Dinis Cruz)
         – REST Security Cheat Sheet (Jim Manico)
  • 3. Why this presentation? Software developers need tools!
  • 4. But also because… we software developers need a framework that helps us write secure applications.
  • 5. Agenda
       • An overview of the O2 Platform
       • An overview of Microsoft ASP.net MVC Framework
       • A demo running the IE automation script against the Music Store MVC application
  • 6. The O2 Platform: What is the O2 Platform?
  • 7. The O2 Platform
       The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.
       O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
  • 8. The O2 Platform
       • The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and has performed very interesting research.
       • Some features of the O2 platform:
         – Scripting engine and development environment
         – Black-box/browser-automation environment
         – Source code analysis environment
         – Data consumption and API generation
  • 9. The O2 Platform: More features!
       • Powerful search engine
       • Graphical engines
       • Multiple APIs
       • Integration with third parties
  • 10. The O2 Platform: A comprehensive UI!
  • 11. The O2 Platform: A look at the IE automation editor
  • 12. The O2 Platform: IE Automation syntax
       // Create a panel in the O2 GUI host and put an IE control in it
       var topPanel = panel.clear().add_Panel();
       var ie = topPanel.add_IE().silent(false);
       // Navigate and fill the search box whose form field is named "q"
       ie.open("http://www.google.com");
       ie.field("q").Value = "OWASP Costa Rica";
       // O2 script directives: the WatiN extension methods file and the WatiN assembly to reference
       //O2File:WatiN_IE_ExtensionMethods.cs
       //O2Ref:WatiN.Core.1x.dll
       //O2Tag_DontAddExtraO2Files;
  • 13. The O2 Platform: O2 Platform inside the Visual Studio IDE
  • 14. The O2 Platform: Where to get the O2 Platform?
       • From the Visual Studio Gallery: http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
       • Getting the standalone installer: http://tiny.cc/O2Platform
       • For more info on O2 see:
         – O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
         – O2 Blog: https://o2platform.wordpress.com
  • 15. Agenda
       • An overview of the O2 Platform
       • An overview of Microsoft ASP.net MVC Framework
       • A demo running the IE automation script against the Music Store MVC application
  • 16. MVC Architecture: Architecture of the World Wide Web
       • Addressable resources
       • Standard resource formats
       • Uniform interface for interacting with resources
       • Stateless and hyperlinking
  • 17. Uniform Interface
       GET
       • Retrieves a resource
       • Safe
       • Cacheable
       POST
       • Creates a new resource
       • Unsafe; the effect of this verb is not defined by HTTP
       PUT
       • Updates an existing resource
       • Used for resource creation
       • Idempotent
       DELETE
       • Removes a resource
       • Call it N times and the same thing always happens (idempotent)
  • 18. MVC Architecture: Web applications should embrace the Web!
  • 19. MVC Architecture
       • MVC is a standard design pattern that many developers are familiar with. Some types of Web applications will benefit from the MVC framework.
       • Some features:
         – Embrace the Web: MVC is a standards-compliant architecture that embraces the Web architecture.
         – Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to creating applications rapidly.
         – Separation of concerns: this architecture is designed to separate responsibilities within your application.
         – Testability
       Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  • 20. MVC Architecture: MVC Actors
       Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  • 21. MVC Architecture
       • Models: model objects are the parts of the application that implement the logic for the application's data domain.
       • They retrieve and store model state in databases.
       • Examples are a Product model, a Customer model or a Speaker model.
  • 22. MVC Architecture
       • Views: components that display the application's user interface (UX).
       • Created from model data.
       • An example is editing a Speaker's information, displaying text boxes for name and address.
  • 23. MVC Architecture
       • Controllers: components that handle user interactions, work with the model and select a view to render that displays in the UI.
       • They handle and respond to user input and interactions.
  • 24. MVC Architecture: Vulnerabilities on top of the MVC Framework
       • MVC applications are vulnerable to most of the attack vectors in Web applications (XSS, CSRF).
       • Mass Assignment (Auto Binding): this vulnerability can be found in Spring MVC and Microsoft ASP.NET MVC Framework.
  • 25. MVC Architecture: Mass Assignment (aka Auto Binding)
       • MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects.
       • This vulnerability is a kind of parameter tampering.
       • Model binding works by assigning HTML form fields to object properties.
  • 26. MVC Architecture: Mass Assignment (aka Auto Binding)
       • Let's take a look at the following model object:
       public class BlogMember
       {
           public string Name { get; set; }
           public string LastName { get; set; }
           public string EmailAddress { get; set; }
           public bool IsAdmin { get; set; }   // sensitive: never meant to be set from a form post
       }
  • 27. MVC Architecture: What can happen?
       Someone could send an HTTP request using Fiddler2 or cURL:
       Request URL: http://yourBlog/register
       Request Method: POST
       Status Code: 200 OK
       ......
       Name: Michael
       LastName: Hidalgo
       EmailAddress: michael.hidalgo@owasp.org
       IsAdmin: true
  • 28. Agenda
       • An overview of the O2 Platform
       • An overview of Microsoft ASP.net MVC Framework
       • A demo running the IE automation script against the Music Store MVC application
  • 29. MVC Architecture: Running an O2 demo!!!
  • 30. MVC Architecture: How do we protect ourselves against mass assignment?
       • Never trust user input!!!!
       • Matching incoming parameters
       • Using a ViewModel
       • Protect your sensitive model properties (e.g. SSN, IDs, account numbers)
  • 31. MVC Architecture: How do we protect ourselves against mass assignment? Matching incoming parameters
  • 32. MVC Architecture: How do we protect ourselves against mass assignment? Protecting sensitive fields (using the Bind attribute)
  • 33. MVC Architecture: How do we protect ourselves against mass assignment?
       • Protecting sensitive fields (using the Bind attribute)
       • Blacklist
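The over-posted IsAdmin field from slide 27 beside the ViewModel and Bind-attribute defences of slides 30 to 33, as an added ASP.NET MVC example that is not part of the original deck. MembersController, RegisterViewModel, the Index redirect and the Save helper are assumed names and placeholders.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Domain model from slide 26; IsAdmin must never be settable from a form post.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}
// ViewModel (slide 30): exposes only the fields a visitor may submit.
public class RegisterViewModel
{
    [Required] public string Name { get; set; }
    [Required] public string LastName { get; set; }
    [Required] public string EmailAddress { get; set; }
}
public class MembersController : Controller   // hypothetical controller name
{
    // VULNERABLE: the default binder maps every posted field, so a request
    // carrying "IsAdmin=true" (slide 27) silently creates an administrator.
    [HttpPost]
    public ActionResult RegisterUnsafe(BlogMember member)
    {
        Save(member);
        return RedirectToAction("Index");
    }

    // FIX (slides 30-31): bind to a ViewModel without IsAdmin and copy explicitly;
    // IsAdmin keeps its default of false whatever the client posts.
    [HttpPost]
    public ActionResult Register(RegisterViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);
        Save(new BlogMember { Name = vm.Name, LastName = vm.LastName, EmailAddress = vm.EmailAddress });
        return RedirectToAction("Index");
    }

    // FIX (slides 32-33): [Bind] whitelist; Exclude = "IsAdmin" would be the
    // blacklist form, weaker because a property added later is bound by default.
    [HttpPost]
    public ActionResult RegisterBind([Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
    {
        Save(member);
        return RedirectToAction("Index");
    }
    private void Save(BlogMember m) { /* persistence omitted (hypothetical) */ }
}
```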
  • 34. Q&A
       Michael Hidalgo, michael.hidalgo@owasp.org