SlideShare a Scribd company logo

Top Ten Tips For Tenacious Defense In Asp.Net

Download as PPT, PDF
A
alsmola

Given @ SoCalCodeCamp 2009

Technology
1 of 61
Top Ten Tips for Tenacious Defense in ASP.NET Alex Smolen Senior Consultant SoCal Code Camp , 2008
1. Cross-Site Request Forgery
CSRF ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF - Examples ,[object Object],[object Object],[object Object],[object Object]
CSRF - Defense ,[object Object],[object Object],[object Object]
CSRF Defense ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - Referer ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - ViewStateUserKey ,[object Object],[object Object],[object Object],[object Object]
CSRF Defense – ViewStateUserKey ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - Secret Token ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense – Secret Token ,[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense - CAPTCHA ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF Defense – Password Re-authentication ,[object Object],[object Object],[object Object],[object Object]
2. Session Fixation
Session Fixation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation ,[object Object],[object Object],[object Object],[object Object]
Session Fixation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation Defense ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Fixation - Defense ,[object Object],[object Object],[object Object],[object Object]
3. Real World Crypto
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object]
 
Read-World Crypto ,[object Object],[object Object]
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Real-World Crypto ,[object Object],[object Object],[object Object]
 
4. The AntiXss Library
The AntiXSS Library ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Control Behavior Literal None by default. HTML Encoded if Mode property is set to LiteralMode.Encode Label None TextBox Single-line text box is not encoded. Multiline text box is HTML encoded Button Text is attribute encoded LinkButton None Hyperlink Text is not encoded. NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded DropDownList and ListBox Option values are attribute encoded. Option display texts are HTML encoded. CheckBox and CheckBoxList Value is not used. Display text is not encoded. RadioButton and RadioButtonList Value is attribute encoded. Display text is not encoded. GridView and DetailsView Text fields are HTML encoded if their HtmlEncode property is set to true. Null display text is never encoded.
The Anti-XSS Library ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Method Description HtmlEncode More robust version of the HttpUtility.HtmlEncode method. HtmlAttributeEncode Encoding for dynamically created HTML attributes (i.e src=“”) XmlEncode/ XmlAttributeEncode Encoding for XML elements and attributes UrlEncode Encoding for dynamically constructed URLs JavaScriptEncode/ VisualBasicEncode Encoding for dynamically generated JavaScript or VBScript
5. Stop Injection!
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
Stop Injection! ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
6. Authorization Woes
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object]
Authorization Woes Orders Products /admin … Customers View View No … Managers View, Modify View, Modify, Add No … Administrators View, Modify, Add, Delete View, Modify, Add, Delete Yes … … … ... ... …
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Authorization Woes ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
7. Mind Your Cookies!
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Mind Your Cookies ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session State in ASP.NET ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
8. Password Potpourri
Password Potpourri ,[object Object],[object Object],[object Object],[object Object],[object Object]
Password Potpourri ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
9. Users, users, users
Users, users, users ,[object Object],[object Object],[object Object],[object Object],[object Object]
10. Full Trust Exercise
Full Trust Exercise ,[object Object],[object Object],[object Object],[object Object],[object Object]
Top Ten Tips For Tenacious Defense In Asp.Net

Recommended

Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Security
Web SecurityWeb Security
Web SecurityAli Habeeb
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Recommended

Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Security
Web SecurityWeb Security
Web SecurityAli Habeeb
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
Word press security guard
Word press security guardWord press security guard
Word press security guardAdrianoViana25
 
Web Security
Web SecurityWeb Security
Web SecuritySupankar Banik
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
Password management
Password managementPassword management
Password managementWilmington University
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET Journal
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber SecurityChris Watts
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMFernando Lopez Aguilar
 
Css
CssCss
Cssbismasheikh3
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication ConceptsCharles Southerland
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acsChris Love
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Программа для рекрутинга e-staff
Программа для рекрутинга e-staffПрограмма для рекрутинга e-staff
Программа для рекрутинга e-staffColoris Soft
 
Presentatie Letselzaken
Presentatie LetselzakenPresentatie Letselzaken
Presentatie LetselzakenVincent van Merwijk
 
Artefotog[1]..
Artefotog[1]..Artefotog[1]..
Artefotog[1]..guestfdb470
 

More Related Content

What's hot

Word press security guard
Word press security guardWord press security guard
Word press security guardAdrianoViana25
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Password Management
Password ManagementPassword Management
Password ManagementDavon Smart
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET Journal
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber SecurityChris Watts
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acsChris Love
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 

What's hot (19)

Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Word press security guard
Word press security guardWord press security guard
Word press security guard
 
Web Security
Web SecurityWeb Security
Web Security
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Password Management
Password ManagementPassword Management
Password Management
 
Password management
Password managementPassword management
Password management
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJS
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
Css
CssCss
Css
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication Concepts
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acs
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 

Viewers also liked

Программа для рекрутинга e-staff
Программа для рекрутинга e-staffПрограмма для рекрутинга e-staff
Программа для рекрутинга e-staffColoris Soft
 
Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...Sarah Stewart
 
Smolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part TwoSmolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part Twoalsmola
 

Viewers also liked (8)

Программа для рекрутинга e-staff
Программа для рекрутинга e-staffПрограмма для рекрутинга e-staff
Программа для рекрутинга e-staff
 
Presentatie Letselzaken
Presentatie LetselzakenPresentatie Letselzaken
Presentatie Letselzaken
 
Artefotog[1]..
Artefotog[1]..Artefotog[1]..
Artefotog[1]..
 
Presentatie letselschadesite
Presentatie letselschadesitePresentatie letselschadesite
Presentatie letselschadesite
 
Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...Frivolous fun or innovative learning? Using social media to deliver professio...
Frivolous fun or innovative learning? Using social media to deliver professio...
 
Kv d presentatie_11-05
Kv d presentatie_11-05Kv d presentatie_11-05
Kv d presentatie_11-05
 
Smolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part TwoSmolen Alex Securing The Mvc Architecture Part Two
Smolen Alex Securing The Mvc Architecture Part Two
 
Wt2 Coloris
Wt2 ColorisWt2 Coloris
Wt2 Coloris
 

Similar to Top Ten Tips For Tenacious Defense In Asp.Net

Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusionisummation
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...Start Pad
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 

Similar to Top Ten Tips For Tenacious Defense In Asp.Net (20)

Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusion
 
Website Security
Website SecurityWebsite Security
Website Security
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Unusual Web Bugs
Unusual Web BugsUnusual Web Bugs
Unusual Web Bugs
 
Web Bugs
Web BugsWeb Bugs
Web Bugs
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Application Security
Application SecurityApplication Security
Application Security
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnotts
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Top Ten Tips For Tenacious Defense In Asp.Net

  • 1. Top Ten Tips for Tenacious Defense in ASP.NET Alex Smolen Senior Consultant SoCal Code Camp , 2008
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20. 3. Real World Crypto
  • 21.
  • 22.  
  • 23.
  • 24.
  • 25.  
  • 26.
  • 27.  
  • 28.
  • 29.  
  • 30.
  • 31.  
  • 32. 4. The AntiXss Library
  • 33.
  • 34. Control Behavior Literal None by default. HTML Encoded if Mode property is set to LiteralMode.Encode Label None TextBox Single-line text box is not encoded. Multiline text box is HTML encoded Button Text is attribute encoded LinkButton None Hyperlink Text is not encoded. NavigateUrl is URL path encoded, unless it is JavaScript, in which case it is attribute encoded DropDownList and ListBox Option values are attribute encoded. Option display texts are HTML encoded. CheckBox and CheckBoxList Value is not used. Display text is not encoded. RadioButton and RadioButtonList Value is attribute encoded. Display text is not encoded. GridView and DetailsView Text fields are HTML encoded if their HtmlEncode property is set to true. Null display text is never encoded.
  • 35.
  • 36. Method Description HtmlEncode More robust version of the HttpUtility.HtmlEncode method. HtmlAttributeEncode Encoding for dynamically created HTML attributes (i.e src=“”) XmlEncode/ XmlAttributeEncode Encoding for XML elements and attributes UrlEncode Encoding for dynamically constructed URLs JavaScriptEncode/ VisualBasicEncode Encoding for dynamically generated JavaScript or VBScript
  • 38.
  • 39.
  • 40.  
  • 41.
  • 42.  
  • 44.
  • 45. Authorization Woes Orders Products /admin … Customers View View No … Managers View, Modify View, Modify, Add No … Administrators View, Modify, Add, Delete View, Modify, Add, Delete Yes … … … ... ... …
  • 46.
  • 47.
  • 48. 7. Mind Your Cookies!
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 55.
  • 56.
  • 58.
  • 59. 10. Full Trust Exercise
  • 60.