Practice of AppSec .NET
Download as PPTX, PDF0 likes890 views
This document summarizes a presentation on application security practices for .NET applications. It discusses common vulnerabilities like cross-site scripting, SQL injection, and cross-site request forgery. It provides examples of these vulnerabilities using code snippets and HTTP requests. It also covers mitigation techniques, like input validation, output encoding, and anti-forgery tokens. The presentation recommends resources on the OWASP Top 10, secure coding best practices, and classification of security risks.
Practice of AppSec .NET
- 1. Practice of AppSec .NET Mikhail Shcherbakov SPB .NET Meetup #2 Product Manager at Cezurity
- 2. About me Product Manager at Cezurity One of the core developers of the source code analyzer PT Application Inspector Former Team Lead at Acronis, Luxoft, Boeing
- 6. Improper Input / Output Handling Implementation
- 7. Improper Input / Output Handling SQL Injection OS Commanding Cross-Site Scripting (XSS) XML Injection XPath Injection XQuery Injection LDAP Injection Mail Command Injection Null Injection Unrestricted File Upload Unrestricted File Download Path Traversal HTTP Response Splitting Content Spoofing Buffer Overflow
- 8. Cross-Site Scripting (XSS) Reflected Stored DOM-based
- 10. Reflected XSS Reflected XSS POST http://localhost/Example __VIEWSTATE=1WhGrdaz6wBJ67aoKvJd1oc1Nw…& __VIEWSTATEGENERATOR=E5E1B94B& __EVENTVALIDATION=uixzE1cGQE%2BFAGQTbTA…& TextBox1=<& TextBox2=img src=# onerror=alert('XSS')//& Button1=Save
- 11. Reflected XSS
- 13. Reflected XSS
- 15. Reflected XSS
- 16. Reflected XSS
- 17. Reflected XSS Reflected XSS GET http://localhost/Example?first=--%3E%3C& second=img%20src=%27n%27%20onerror=alert%28%27XSS%27%2 9//
- 18. Reflected XSS
- 19. Reflected XSS Reflected XSS GET http://localhost/Example?page=%22%20onerror=alert%28%27XSS% 27%29;//
- 21. Stored XSS
- 22. Stored XSS Show me the code!
- 23. DOM-based XSS Show me the code!
- 24. Insufficient Control Flow Management Design / Implementation
- 25. Insufficient Control Flow Management Cross-Site Request Forgery (CSRF) Mass Assignment Business Logic Errors Abuse of Functionality
- 26. Cross-Site Request Forgery (CSRF)
- 27. CSRF Show me the code!
- 28. CSRF
- 29. CSRF Defense ASP.NET MVC <%= Html.AntiForgeryToken() %> <input name="__RequestVerificationToken" type="hidden“ … ASP.NET Web Forms __VIEWSTATE __EVENTVALIDATION
- 30. CSRF Defense Same Origin Policy An origin is defined by the scheme, host and port Documents retrieved from distinct origins are isolated
- 33. Habrahabr Example #2 SQL Injection GET http://localhost/Example?email=‘--
- 36. Habrahabr Example #2 Business Logic Error GET http://localhost/Example?field=password&min=a&max=b GET http://localhost/Example?field=password&min=aD&max=aE
- 40. Business Logic Error Show me the code!
- 41. Broken Authentication and Session Management Design / Implementation / Deployment
- 42. Session Fixation Show me the code!
- 43. Session Fixation Defense Set invalid ASP .NET session cookie when the user log in, so the user receives a new cookie
- 44. Session Fixation Defense Set invalid ASP .NET session cookie when the user log in, so the user receives a new cookie Issue: the order to send cookies from the browser Store the username in the session Generate Session ID on the logged user NWebsec.SessionSecurity
- 45. Summary OWASP Top Ten Project (2010/2013) http://bit.ly/1OffewO Vladimir Kochetkov Blog and Workshop http://bit.ly/1DecXWI Troy Hunt Blog www.troyhunt.com OWASP Developer Guide http://bit.ly/1JcQLoh CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://bit.ly/1bjDTOH OWASP Classification http://bit.ly/1GlKmGz http://bit.ly/1DE3852 WASC Classification http://bit.ly/1d3EXYd
- 46. Thank you for your attention! Mikhail Shcherbakov ms@cezurity.com linkedin.com/in/mikhailshcherbakov github.com/yuske @yu5k3 Product Manager at Cezurity