
Hack-Proofing Your Web Application: Security Best Practices for Web Forms and MVC

DESCRIPTION

In this informative session, William Brander explores security essentials for web applications focusing on Web Forms and MVC. With an emphasis on hands-on concepts and real-world scenarios, attendees will learn best practices to protect against common threats such as SQL Injection, XSS, CSRF, and Clickjacking. Through plenty of code samples and demonstrations, participants will understand how to implement effective security measures using techniques like parameterized queries and anti-forgery tokens. Join us to enhance your understanding of web security and ensure your applications are safe from vulnerabilities.


Presentation Transcript


  1. 17-20 OCTOBER 2011 DURBAN ICC

  2. Hack-proofing your web application using Web Forms and MVC. William Brander, @WilliamBZA, http://WilliamB.Net, william@williamb.net

  3. You have no business on the internet if you don’t take security seriously

  4. What to expect • Level 400 session • Focus on concepts • Plenty of samples • Lots of scenarios, not much time • Code is available (MVC and Web Forms)

  5. Topics Covered / Top Attack Methods (chart): SQL Injection, XSS, CSRF (2%), Session Hijacking (2.3%), Clickjacking (0.6%), Brute Force, Phishing, DDoS, Predictable Resource Location, Unknown. Source: Web Hacking Incident Database (http://tinyurl.com/WebHackDB)

  6. Irony: SQL does EXACTLY what it's told to!
     SearchProducts("Beer") builds SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer%'"
     SearchProducts("Beer' UNION SELECT * FROM systables;--") builds SQL = "SELECT * FROM Products WHERE Name LIKE 'Beer' UNION SELECT * FROM systables;--%'"

  7. Demo • SQL Injection

  8. Preventing SQL Injection • Use Parameterized Queries • Stored procedures won’t save you • If you need to use dynamic SQL: sp_executesql • Use a mature O/RM
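The three options on slide 8, as an added C# example written for this page (not the speaker's sample code). It assumes a Products table with Name and Price columns and a caller-supplied connection string: the concatenated query that slide 6 shows being hijacked sits beside a parameterized SqlCommand, and the sp_executesql variant shows how to keep untrusted values out of the statement text when part of the SQL really must be dynamic. A stored procedure that concatenates and EXECs its arguments internally has exactly the same problem as the first function, which is what "stored procedures won't save you" means.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the talk. Assumes a Products(Name, Price) table.
public static class ProductSearch
{
    // VULNERABLE: the search term is spliced into the SQL text, so a term of
    // "Beer' UNION SELECT * FROM systables;--" rewrites the statement (slide 6).
    public static string BuildUnsafeSql(string term)
    {
        return "SELECT * FROM Products WHERE Name LIKE '" + term + "%'";
    }

    // SAFE: the term travels as a typed parameter value. SQL Server never
    // parses it as part of the statement, whatever characters it contains.
    // (A '%' or '_' inside the term still acts as a LIKE wildcard, which is a
    // data issue, not injection.)
    public static List<string> SearchProducts(string connectionString, string term)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE Name LIKE @term + '%'", conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 100).Value = term;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // If the statement itself must be built at runtime (here: an optional sort
    // column), only a whitelisted identifier goes into the text; the untrusted
    // value is still a parameter, and the text runs through sp_executesql
    // rather than EXEC(@sql) so that parameter binding is preserved.
    public static SqlCommand BuildDynamicCommand(SqlConnection conn, string term, bool sortByPrice)
    {
        string orderBy = sortByPrice ? "Price" : "Name";
        string sql = "SELECT Name FROM Products WHERE Name LIKE @term + '%' ORDER BY " + orderBy;

        var cmd = new SqlCommand("sp_executesql", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@stmt", SqlDbType.NVarChar, -1).Value = sql;
        cmd.Parameters.Add("@params", SqlDbType.NVarChar, -1).Value = "@term nvarchar(100)";
        cmd.Parameters.Add("@term", SqlDbType.NVarChar, 100).Value = term;
        return cmd;
    }
}
```

SearchProducts is the shape a mature O/RM generates for you under the covers; BuildDynamicCommand is only worth the extra care when the query structure genuinely depends on input, and even then the variable part is chosen from a fixed list rather than taken from the request.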

  9. Twitter = bird, so bird + worm = ?
     Template: <div> Welcome Back <USERNAME> </div>
     Normal user: <div> Welcome Back WilliamBZA </div>
     Hostile user name: <div> Welcome back <script> doHax(){ } </script> </div>

  10. Demo • XSS

  11. Preventing XSS • Use the AntiXSS Library • Sanitize AND Encode • Use Razor (@ encodes by default) • Be careful of IE6: it allows XSS in images!!
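The encoding step on slide 11, as an added C# example for this page (not the speaker's code). It renders the greeting from slide 9 with and without output encoding, using System.Web's HttpUtility so it runs with no extra packages; the AntiXSS library's Microsoft.Security.Application.Encoder.HtmlEncode, which the slide recommends, is a drop-in replacement for the HtmlEncode call. The user name "<script>doHax()</script>" is a constructed sample input.

```csharp
using System;
using System.Web;

// Added example, not from the talk.
public static class Greeting
{
    // VULNERABLE: the user name is concatenated raw into markup, so a name
    // containing <script> is parsed as a tag by every visitor's browser.
    public static string RenderUnsafe(string userName)
    {
        return "<div>Welcome Back " + userName + "</div>";
    }

    // SAFE: HtmlEncode turns <, >, &, " and ' into entities, so the browser
    // displays the text instead of interpreting it. Razor's @expression and
    // the Web Forms <%: expression %> block do this call for you.
    public static string RenderSafe(string userName)
    {
        return "<div>Welcome Back " + HttpUtility.HtmlEncode(userName) + "</div>";
    }

    // Encoding is context-specific: the same value placed inside a JavaScript
    // string literal needs the JavaScript encoder, not the HTML one.
    public static string RenderInScript(string userName)
    {
        return "<script>var user = '" + HttpUtility.JavaScriptStringEncode(userName) + "';</script>";
    }

    public static void Main()
    {
        string hostile = "<script>doHax()</script>";   // constructed sample input
        Console.WriteLine(RenderUnsafe(hostile));      // tag survives: script runs
        Console.WriteLine(RenderSafe(hostile));        // &lt;script&gt;doHax()&lt;/script&gt;
        Console.WriteLine(RenderInScript(hostile));    // \u003cscript\u003e...: inert inside the string
    }
}
```

"Sanitize AND encode" means both halves: validate the value on the way in (a user name has no business containing angle brackets), and still encode it on the way out, because the output encoder is the control that holds even when a value reaches the page by some path the input filter never saw.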

  12. ING: here, have some of my money!
     Browser sends GET http://server/page
     Server responds with <div> Welcome Back <img src='http://Firewall/AllRules' /> </div>
     Browser then sends a request to http://firewall/AllRules: a GET for the image, or a POST from a button click

  13. Demo • CSRF

  14. Preventing CSRF • Use AntiForgeryTokens • Set ViewStateUserKey
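Both controls from slide 14, as an added C# example for this page (not the speaker's code). The FirewallController, its AllRules action and the FirewallRules page are hypothetical names chosen to match the scenario on slide 12; the MVC half pairs @Html.AntiForgeryToken() in the view with [ValidateAntiForgeryToken] on the action, and the Web Forms half binds ViewState to the session with ViewStateUserKey.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// Added example, not from the talk. Names are hypothetical.

// ASP.NET MVC: state changes only on POST, and only with a valid anti-forgery token.
// The view must render @Html.AntiForgeryToken() inside the <form>; that emits a
// hidden field and a cookie, and the attribute below checks that they match.
// A cross-site <img> or auto-submitted form cannot read our page, so it cannot
// obtain the hidden field and the check fails.
public class FirewallController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult AllRules(string ruleChange)
    {
        // ... apply ruleChange ...
        return RedirectToAction("Index");
    }

    // A GET must never change state: otherwise <img src="http://Firewall/AllRules">
    // on any page (slide 12) triggers it with the victim's cookies attached.
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }
}

// ASP.NET Web Forms: ViewStateUserKey salts the ViewState MAC with a per-user
// value, so a postback built from someone else's ViewState fails validation.
// It must be set in Page_Init, before ViewState is loaded.
public partial class FirewallRules : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        ViewStateUserKey = Session.SessionID;
    }
}
```

One caveat on the Web Forms half: ASP.NET issues a fresh SessionID on every request until something is actually stored in session, so the key is only stable once the session is in use (for example after login stores the user id in it).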

  15. How many Facebook likes can you get? • Hacker problem: users have to click to do something • Answer: make them click on it, but make them think they're clicking on something else

  16. Demo • Clickjacking

  17. Preventing Clickjacking • Add the X-Frame-Options: DENY header
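Where that header goes in an ASP.NET application, as an added C# example for this page (not the speaker's code): an IHttpModule that stamps X-Frame-Options: DENY on every response, so the setting cannot be forgotten on an individual page. The module name and the web.config registration in the comment are assumptions.

```csharp
using System;
using System.Web;

// Added example, not from the talk. Registered (IIS 7 integrated pipeline) with
//   <system.webServer><modules>
//     <add name="FrameDeny" type="FrameDenyModule" />   <!-- placeholder type name -->
//   </modules></system.webServer>
public class FrameDenyModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            // DENY: browsers refuse to render this response inside any <frame>
            // or <iframe>, so an invisible overlay cannot capture the click.
            // SAMEORIGIN would permit framing by pages from this site only.
            response.AddHeader("X-Frame-Options", "DENY");
        };
    }

    public void Dispose() { }
}
```

Check it from the outside rather than trusting the code: the header must be present on every HTML response, including error pages and login forms, because a single unprotected page is all an overlay needs.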

  18. Phishing Jitsu: number 34 How do you make someone think they’re accessing securebanking.com when they’re actually typing their password into securebnaking.com?

  19. Demo • Open Redirection

  20. Preventing Open Redirection • Check the URL you are redirecting to • Use MVC 3 • Don't allow cross app redirection (disabled by default) • If in doubt, don't redirect!
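The check on slide 20, as an added C# example for this page (not the speaker's code). AccountController, its Login action and the Authenticate helper are hypothetical; the MVC 3 piece is UrlHelper.IsLocalUrl, which accepts only paths on the current application, and IsLocalPath below shows the same rule written by hand for code that cannot use it. The "cross app redirection" bullet refers to the forms-authentication enableCrossAppRedirects setting, which is false by default and should stay that way.

```csharp
using System;
using System.Web.Mvc;

// Added example, not from the talk. Names are hypothetical.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!Authenticate(userName, password))
            return View();

        // MVC 3: accept "/Account/Profile", reject "http://securebnaking.com"
        // (slide 18) and the protocol-relative form "//securebnaking.com",
        // which browsers also treat as an absolute URL.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        // If in doubt, don't redirect: land on a page we choose.
        return RedirectToAction("Index", "Home");
    }

    // The same rule without the MVC 3 helper (e.g. Web Forms): a local path
    // starts with exactly one "/" and nothing that could name another host.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;
        if (!url.StartsWith("/"))
            return false;                       // absolute URL or relative junk
        if (url.StartsWith("//") || url.StartsWith("/\\"))
            return false;                       // "//host" and "/\host" are not local
        return true;
    }

    private bool Authenticate(string userName, string password)
    {
        return false;   // placeholder for the real credential check
    }
}
```

A redirect that fails the check should fall back to a fixed destination rather than report an error, so the attacker learns nothing from the response and the legitimate user still ends up somewhere sensible.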

  21. • OWASP (http://owasp.org) • WASC (http://webappsec.org) • Microsoft Security Center (http://tinyurl.com/MicrosoftSecurityCenter)

  22. You have a responsibility to your users

  23. 18:30 – 20:30 this evening: http://microsoftvirtualacademy.com. Submit your session evaluation for a chance to win! Sponsored by MVA
