
Silverlight Security: A Hacker's Perspective on Vulnerabilities and Best Practices

This comprehensive guide delves into Silverlight security from a hacker's viewpoint, highlighting key concepts, vulnerabilities, and recommended practices. It covers the architecture of Silverlight, emphasizing its cross-browser and cross-platform capabilities, as well as highlighting common threats such as SQL Injection and XSS. In-depth demos illustrate issues like code obfuscation and tampering. The document also provides actionable recommendations on web security, encryption, and securing business logic on both client and server sides, making it essential for developers and security enthusiasts.


Presentation Transcript


  1. Silverlight Security A Hacker's Perspective Kamran Bilgrami / Angelo Chan

  2. Agenda • Silverlight overview • Scope • Key concepts • Demos • Recommendations • Q&A

  3. Silverlight Overview User • Cross-browser, cross-platform • Media-rich (audio/video) • Run in-browser, out-of-browser • .xap - archive of assemblies, manifest Programmer • .NET programming model • Networking and LINQ support

  4. Silverlight architecture • Presentation (e.g. Media) • CoreCLR (optimized)

  5. Silverlight overview - security • Run-time security modes • In browser, out of browser • Sandbox • User initiated, same origin policy

  6. Scope • In scope • Vulnerabilities against Silverlight related components • Out of scope • Classical attacks (SQL Injection, XSS etc) • Due to XAP/CoreCLR, hackers can now apply .NET assembly hacking techniques to your web application

  7. Useful concepts • XAP • CoreCLR • Intermediate Language (IL) • Widely Available Tools • ILASM/ILDASM • Reflector • ReflexIL • Signing/Tamper detection • Obfuscation (Protect IP)

  8. Demos

  9. Demo 1 Summary • Problems • Code not obfuscated • Tamper-able assembly • Client-side business logic • Solutions • Use code obfuscation • Assembly signing • Server-side business logic
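The client-side pattern slide 9 lists as a problem, beside the server-side form it recommends, as an added C# example that is not from the presentation; ClientOrder, OrderService and the catalogue/membership lookups are assumed names.

```csharp
using System;
using System.Collections.Generic;

// --- Pattern slide 9 warns about: business logic shipped to the client ---
// This class compiles to IL inside the .xap, so it can be read with
// ILDASM/Reflector and edited with ReflexIL; the discount rule and the
// "premium" flag end up under the user's control.
public class ClientOrder
{
    public decimal UnitPrice { get; set; }    // taken from a UI field
    public int Quantity { get; set; }
    public bool IsPremiumMember { get; set; } // flag held on the client

    public decimal ComputeTotal()
    {
        decimal total = UnitPrice * Quantity;
        if (IsPremiumMember) total *= 0.8m;   // rule lives in the client
        return total;
    }
}

// --- Hardened form: the server owns prices, membership and the rule ---
// The client sends only identifiers and a quantity; the server recomputes
// the total from data it holds and treats every client field as untrusted.
public class OrderRequest
{
    public string ProductId { get; set; }
    public int Quantity { get; set; }
}

public class OrderService
{
    // Hypothetical server-side catalogue and membership store
    private readonly IDictionary<string, decimal> _catalogue;
    private readonly Func<string, bool> _isPremium;

    public OrderService(IDictionary<string, decimal> catalogue, Func<string, bool> isPremium)
    {
        _catalogue = catalogue;
        _isPremium = isPremium;
    }

    // authenticatedUserId comes from the server-side session, not the request body
    public decimal PriceOrder(string authenticatedUserId, OrderRequest req)
    {
        decimal unitPrice;
        if (req == null || !_catalogue.TryGetValue(req.ProductId ?? "", out unitPrice))
            throw new ArgumentException("unknown product");
        if (req.Quantity <= 0 || req.Quantity > 1000)
            throw new ArgumentException("quantity out of range");
        decimal total = unitPrice * req.Quantity;
        if (_isPremium(authenticatedUserId)) total *= 0.8m; // rule evaluated on the server
        return total;
    }
}
```

Obfuscation and signing raise the cost of reading and editing the .xap, but only the server-side form removes the incentive, since a modified client can no longer change the price.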

  10. Demo 2 Summary • Starting conditions • Code was obfuscated • Tamper resistant • IP / business logic on server side • Run-time hacking • Bypass tamper detection • Bypass server business logic

  11. Recommendations • Web security - XSS, data encryption • CLR - Obfuscation, signing • Domain-specific - e.g. banking application • Legal

  12. Q&A

  13. References • Silverlight Security Overview - MSDN • Silverlight Architecture - MSDN • SOS command reference - MSDN • CLR Inside Out - MSDN • http://www.windowsdebugging.com • kamran@windowsdebugging.com • angelo@windowsdebugging.com
