DEV333
- Describe each main attack
- Demo how the attack works
- Fix our poor vulnerable application!
- Why Script Kiddies, Why?
- Click to Hack

SQL Injection
Sections: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Parameter Tampering, Information Leakage, Encryption

Where a single ' in the input can lead (attack progression):
- Network enumeration
- Account creating/cracking
- Database copying over port 80
- Data tampering
- Code download
- Backdoors
- Expected input vs. unexpected input

Fixes:
- ALL calls are parameterized
- No dynamic strings
- Escape/whitelist input
- Audit table permissions!
- Use Entity Framework!!
DEMO - Permissions checker code
Cross Site Scripting

Candidate names included: Unauthorized Site Scripting, Unofficial Site Scripting, URL Parameter Script Insertion, Cross Site Scripting, Synthesized Scripting, Fraudulent Scripting
Flow: Script injected to web page -> Evil script -> User visits page
Cross Site Request Forgery

GET request -> Data returned, no action
POST request with token -> Token check -> Action!
Parameter Tampering

1. Client contains key field
2. Attacker alters data (userId) on POST
3. Wrong data updated based on new key (UserId=59 -> UserId=1)
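The tampering sequence above, as an added Python example that is not from the session's ASP.NET demo application: the Request class, the PROFILES and ORDERS tables and the handler names are constructed stand-ins. The vulnerable handler trusts the posted UserId; the fixed handlers take the key from the server-side session, or, where the client legitimately names a record, verify ownership before writing.

```python
from dataclasses import dataclass

# Constructed in-memory tables standing in for the database.
PROFILES = {1: "admin", 59: "alice"}                      # user id -> display name
ORDERS = {1001: {"owner": 59, "note": ""},                # order id -> owner user id, note
          2002: {"owner": 1, "note": ""}}


@dataclass
class Request:
    """Minimal stand-in for an authenticated POST."""
    session_user_id: int   # set server-side at login; the client cannot edit it
    form: dict             # the POST body; fully attacker-controlled


def update_profile_vulnerable(req: Request) -> int:
    """The slide's bug: the row key is taken from the form, so a client that
    changes UserId=59 to UserId=1 overwrites someone else's profile."""
    user_id = int(req.form["UserId"])
    PROFILES[user_id] = req.form["DisplayName"]
    return user_id


def update_profile_fixed(req: Request) -> int:
    """Fix 1: ignore any client-supplied key; the identity comes from the session."""
    user_id = req.session_user_id
    PROFILES[user_id] = req.form["DisplayName"]
    return user_id


def update_order_note(req: Request, order_id: int) -> bool:
    """Fix 2: when the client must name a record (one of its own orders), check
    server-side that the authenticated user owns it before touching it.
    Returns False for both 'missing' and 'not yours' so the response does not
    reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != req.session_user_id:
        return False
    order["note"] = req.form["Note"]
    return True
```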
Encryption / Protecting Credentials

- Forms Authentication tokens
- Basic credentials
- Cookies
- NTLM
Information Leakage

Simplest implementation in web.config

All links at:
- Pluralsight OnDemand Training Library - Free Trial!!
- OWASP: The Open Web Application Security Project
- Security Tools
- Microsoft Anti-Cross Site Scripting Library V4.0 (4.1 in beta!)
- Microsoft Code Analysis Tool.NET (CAT.NET) v1 CTP - 32 bit