SlideShare a Scribd company logo
1 of 61
Top Ten Tips for Tenacious Defense in ASP.NET Alex Smolen Senior Consultant SoCal Code Camp , 2008
1. Cross-Site Request Forgery
CSRF ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF - Examples ,[object Object],[object Object],[object Object],[object Object]
CSRF - Defense ,[object Object],[object Object],[object Object]
CSRF Defense ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - Referer ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - ViewStateUserKey ,[object Object],[object Object],[object Object],[object Object]
CSRF Defense – ViewStateUserKey ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense -  Secret Token ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense – Secret Token ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - CAPTCHA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense – Password Re-authentication ,[object Object],[object Object],[object Object],[object Object]
2. Session Fixation
Session Fixation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation ,[object Object],[object Object],[object Object],[object Object]
Session Fixation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation Defense ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation - Defense ,[object Object],[object Object],[object Object],[object Object]
3. Real World Crypto
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object]
 
Read-World Crypto ,[object Object],[object Object]
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object]
 
4. The AntiXss Library
The AntiXSS Library ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Control Behavior Literal None by default. HTML Encoded if Mode property is set to  LiteralMode.Encode Label None TextBox Single-line text box is not encoded. Multiline text box is HTML encoded Button Text is attribute encoded LinkButton None Hyperlink Text is not encoded.  NavigateUrl  is URL path encoded, unless it is JavaScript, in which case it is attribute encoded DropDownList  and  ListBox Option values are attribute encoded.  Option display texts are HTML encoded. CheckBox  and  CheckBoxList Value is not used.  Display text is not encoded. RadioButton  and  RadioButtonList Value is attribute encoded. Display text is not encoded. GridView  and  DetailsView Text fields are HTML encoded if their  HtmlEncode  property is set to true. Null display text is never encoded.
The Anti-XSS Library ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Method Description HtmlEncode More robust version of the  HttpUtility.HtmlEncode  method. HtmlAttributeEncode Encoding for dynamically created HTML attributes (i.e src=“”) XmlEncode/ XmlAttributeEncode Encoding for XML elements and attributes UrlEncode Encoding for dynamically constructed URLs JavaScriptEncode/ VisualBasicEncode Encoding for dynamically generated JavaScript or VBScript
5. Stop Injection!
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
6. Authorization Woes
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object]
Authorization Woes Orders Products /admin … Customers View View No … Managers View, Modify View, Modify, Add No … Administrators View, Modify, Add, Delete View, Modify, Add, Delete Yes … … … ... ... …
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
7. Mind Your Cookies!
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session State in ASP.NET ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
8. Password Potpourri
Password Potpourri ,[object Object],[object Object],[object Object],[object Object],[object Object]
Password Potpourri ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
9. Users, users, users
Users, users, users ,[object Object],[object Object],[object Object],[object Object],[object Object]
10. Full Trust Exercise
Full Trust Exercise ,[object Object],[object Object],[object Object],[object Object],[object Object]
Top Ten Tips For Tenacious Defense In Asp.Net

More Related Content

What's hot

How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
Chris Watts
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 

What's hot (19)

Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Word press security guard
Word press security guardWord press security guard
Word press security guard
 
Web Security
Web SecurityWeb Security
Web Security
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Password Management
Password ManagementPassword Management
Password Management
 
Password management
Password managementPassword management
Password management
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJS
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
Css
CssCss
Css
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication Concepts
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acs
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 

Viewers also liked (8)

Программа для рекрутинга e-staff
Программа для рекрутинга e-staffПрограмма для рекрутинга e-staff
Программа для рекрутинга e-staff
 
Presentatie Letselzaken
Presentatie LetselzakenPresentatie Letselzaken
Presentatie Letselzaken
 
Artefotog[1]..
Artefotog[1]..Artefotog[1]..
Artefotog[1]..
 
Presentatie letselschadesite
Presentatie letselschadesitePresentatie letselschadesite
Presentatie letselschadesite
 
Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...
 
Kv d presentatie_11-05
Kv d presentatie_11-05Kv d presentatie_11-05
Kv d presentatie_11-05
 
Smolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part TwoSmolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part Two
 
Wt2 Coloris
Wt2 ColorisWt2 Coloris
Wt2 Coloris
 

Similar to Top Ten Tips For Tenacious Defense In Asp.Net

Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusion
isummation
 
Website Security
Website SecurityWebsite Security
Website Security
Carlos Z
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Application Security
Application SecurityApplication Security
Application Security
nirola
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 

Similar to Top Ten Tips For Tenacious Defense In Asp.Net (20)

Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusion
 
Website Security
Website SecurityWebsite Security
Website Security
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugs
 
Web Bugs
Web BugsWeb Bugs
Web Bugs
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Application Security
Application SecurityApplication Security
Application Security
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnotts
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 

Top Ten Tips For Tenacious Defense In Asp.Net

  • 1. Top Ten Tips for Tenacious Defense in ASP.NET Alex Smolen Senior Consultant SoCal Code Camp , 2008
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20. 3. Real World Crypto
  • 21.
  • 22.  
  • 23.
  • 24.
  • 25.  
  • 26.
  • 27.  
  • 28.
  • 29.  
  • 30.
  • 31.  
  • 32. 4. The AntiXss Library
  • 33.
  • 34. Control Behavior Literal None by default. HTML Encoded if Mode property is set to LiteralMode.Encode Label None TextBox Single-line text box is not encoded. Multiline text box is HTML encoded Button Text is attribute encoded LinkButton None Hyperlink Text is not encoded. NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded DropDownList and ListBox Option values are attribute encoded. Option display texts are HTML encoded. CheckBox and CheckBoxList Value is not used. Display text is not encoded. RadioButton and RadioButtonList Value is attribute encoded. Display text is not encoded. GridView and DetailsView Text fields are HTML encoded if their HtmlEncode property is set to true. Null display text is never encoded.
  • 35.
  • 36. Method Description HtmlEncode More robust version of the HttpUtility.HtmlEncode method. HtmlAttributeEncode Encoding for dynamically created HTML attributes (i.e src=“”) XmlEncode/ XmlAttributeEncode Encoding for XML elements and attributes UrlEncode Encoding for dynamically constructed URLs JavaScriptEncode/ VisualBasicEncode Encoding for dynamically generated JavaScript or VBScript
  • 38.
  • 39.
  • 40.  
  • 41.
  • 42.  
  • 44.
  • 45. Authorization Woes Orders Products /admin … Customers View View No … Managers View, Modify View, Modify, Add No … Administrators View, Modify, Add, Delete View, Modify, Add, Delete Yes … … … ... ... …
  • 46.
  • 47.
  • 48. 7. Mind Your Cookies!
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 55.
  • 56.
  • 58.
  • 59. 10. Full Trust Exercise
  • 60.