Downloaded 18 times
Uploaded byMikhail Shcherbakov
Practice of AppSec .NET
This document summarizes a presentation on application security practices for .NET applications. It discusses common vulnerabilities like cross-site scripting, SQL injection, and cross-site request forgery. It provides examples of these vulnerabilities using code snippets and HTTP requests. It also covers mitigation techniques, like input validation, output encoding, and anti-forgery tokens. The presentation recommends resources on the OWASP Top 10, secure coding best practices, and classification of security risks.
More Related Content
![[OWASP Poland Day] Application security - daily questions & answers](https://cdn.slidesharecdn.com/ss_thumbnails/owasp-applicationsecurity-171003211500-thumbnail.jpg?width=640&height=640&fit=bounds)
![[OWASP Poland Day] Saving private token](https://cdn.slidesharecdn.com/ss_thumbnails/pawelbochenskisecuretoken2-171003211501-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #6] Introduction to desktop browser add-ons](https://cdn.slidesharecdn.com/ss_thumbnails/owaspppt2wz-170531065551-thumbnail.jpg?width=640&height=640&fit=bounds)
![[OWASP Poland Day] Web App Security Architectures](https://cdn.slidesharecdn.com/ss_thumbnails/michaelschlapferwebapplicationsecurityarchitectures-171003211454-thumbnail.jpg?width=640&height=640&fit=bounds)
![[OWASP Poland Day] Security knowledge framework](https://cdn.slidesharecdn.com/ss_thumbnails/skf-preso-171004061039-thumbnail.jpg?width=640&height=640&fit=bounds)
![[OWASP Poland Day] A study of Electron security](https://cdn.slidesharecdn.com/ss_thumbnails/lucacarettonia-study-of-electron-security-171003211450-thumbnail.jpg?width=640&height=640&fit=bounds){kind=icon}
![[OWASP Poland Day] Application frameworks' vulnerabilities](https://cdn.slidesharecdn.com/ss_thumbnails/wd-applicationframeworksvulns-pub-171003211201-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Practice of AppSec .NET
More from Mikhail Shcherbakov
Practice of AppSec .NET
- 1. Practice of AppSec.NET Mikhail Shcherbakov SPB .NET Meetup #2 Product Manager at Cezurity
- 2. About me ProductManager at Cezurity One of the core developers of the source code analyzer PT Application Inspector Former Team Lead at Acronis, Luxoft, Boeing
- 3.
- 4.
- 5.
- 6. Improper Input /Output Handling Implementation
- 7. Improper Input /Output Handling SQL Injection OS Commanding Cross-Site Scripting (XSS) XML Injection XPath Injection XQuery Injection LDAP Injection Mail Command Injection Null Injection Unrestricted File Upload Unrestricted File Download Path Traversal HTTP Response Splitting Content Spoofing Buffer Overflow
- 8. Cross-Site Scripting (XSS) Reflected Stored DOM-based
- 9.
- 10. Reflected XSS Reflected XSS POSThttp://localhost/Example __VIEWSTATE=1WhGrdaz6wBJ67aoKvJd1oc1Nw…& __VIEWSTATEGENERATOR=E5E1B94B& __EVENTVALIDATION=uixzE1cGQE%2BFAGQTbTA…& TextBox1=<& TextBox2=img src=# onerror=alert('XSS')//& Button1=Save
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17. Reflected XSS Reflected XSS GEThttp://localhost/Example?first=--%3E%3C& second=img%20src=%27n%27%20onerror=alert%28%27XSS%27%2 9//
- 18.
- 19.
- 20.
- 21.
- 22. Stored XSS Show methe code!
- 23. DOM-based XSS Show methe code!
- 24. Insufficient Control Flow Management Design/ Implementation
- 25. Insufficient Control FlowManagement Cross-Site Request Forgery (CSRF) Mass Assignment Business Logic Errors Abuse of Functionality
- 26.
- 27. CSRF Show me thecode!
- 28.
- 29. CSRF Defense ASP.NETMVC <%= Html.AntiForgeryToken() %> <input name="__RequestVerificationToken" type="hidden“ … ASP.NET Web Forms __VIEWSTATE __EVENTVALIDATION
- 30. CSRF Defense SameOrigin Policy An origin is defined by the scheme, host and port Documents retrieved from distinct origins are isolated
- 31.
- 32.
- 33. Habrahabr Example #2 SQLInjection GET http://localhost/Example?email=‘--
- 34.
- 35.
- 36. Habrahabr Example #2 BusinessLogic Error GET http://localhost/Example?field=password&min=a&max=b GET http://localhost/Example?field=password&min=aD&max=aE
- 37.
- 38.
- 39.
- 40. Business Logic Error Showme the code!
- 41. Broken Authentication and SessionManagement Design / Implementation / Deployment
- 42. Session Fixation Show methe code!
- 43. Session Fixation Defense Set invalid ASP .NET session cookie when the user log in, so the user receives a new cookie
- 44. Session Fixation Defense Set invalid ASP .NET session cookie when the user log in, so the user receives a new cookie Issue: the order to send cookies from the browser Store the username in the session Generate Session ID on the logged user NWebsec.SessionSecurity
- 45. Summary OWASP TopTen Project (2010/2013) http://bit.ly/1OffewO Vladimir Kochetkov Blog and Workshop http://bit.ly/1DecXWI Troy Hunt Blog www.troyhunt.com OWASP Developer Guide http://bit.ly/1JcQLoh CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://bit.ly/1bjDTOH OWASP Classification http://bit.ly/1GlKmGz http://bit.ly/1DE3852 WASC Classification http://bit.ly/1d3EXYd
- 46. Thank you foryour attention! Mikhail Shcherbakov ms@cezurity.com linkedin.com/in/mikhailshcherbakov github.com/yuske @yu5k3 Product Manager at Cezurity