Silverlight Security: A Hacker's Perspective. Kamran Bilgrami / Angelo Chan


Agenda
- Silverlight overview
- Scope
- Key concepts
- Demos
- Recommendations
- Q&A

Silverlight overview
- For the user
  o Cross-browser, cross-platform
  o Media-rich (audio/video)
  o Runs in-browser or out-of-browser
  o Delivered as a .xap: a zip archive holding the application's assemblies plus a manifest (AppManifest.xaml)
- For the programmer
  o .NET programming model
  o Networking and LINQ support

Silverlight architecture
- Presentation layer (e.g. media)
- CoreCLR (an optimized, reduced CLR)

Silverlight overview: security
- Run-time security modes
  o In browser
  o Out of browser
- Sandbox
  o Sensitive operations are allowed only from user-initiated actions
  o Same-origin policy

Scope
- In scope: vulnerabilities against Silverlight-related components
- Out of scope: classical web attacks (SQL injection, XSS, etc.)
- Because the application ships as a XAP of .NET assemblies executed by the CoreCLR, attackers can now apply the established .NET assembly hacking techniques (disassembly, decompilation, IL patching) to your web application

Useful concepts
- XAP
- CoreCLR
- Intermediate Language (IL)
- Widely available tools
  o ILASM/ILDASM
  o Reflector
  o Reflexil
- Signing / tamper detection
- Obfuscation (protects IP)
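The XAP and signing concepts above, as an added example that is not code from the presentation: a Python script that opens a .xap as the zip it is, reads the parts list from AppManifest.xaml, and reads each assembly's CLI (CLR runtime) header Flags field to report whether the compiler marked it IL-only and strong-name signed (flag values from ECMA-335 II.25.3.3.1). The .xap, the manifest and the PE image are constructed fixtures; the PE is only the minimal PE32 skeleton the parser needs, not a loadable assembly, and the names (BankClient.dll, BankClient.App) are made up.

```python
"""Inspect a Silverlight .xap: list the parts named in AppManifest.xaml and,
for each assembly, read the CLI (CLR runtime) header Flags field to see
whether the compiler marked it IL-only and strong-name signed (ECMA-335
II.25.3.3.1).  Added example, not code from the presentation; the .xap,
manifest and PE image below are constructed fixtures."""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def cli_header_flags(pe: bytes) -> int:
    """Walk DOS header -> PE signature -> COFF -> optional header -> data
    directory[14] -> section table, and return the CLI header Flags."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B      # else PE32+
    n_dirs = struct.unpack_from("<I", pe, opt + (92 if pe32 else 108))[0]
    if n_dirs <= CLR_DIRECTORY_INDEX:
        raise ValueError("no CLR data directory")
    dir_base = opt + (96 if pe32 else 112)
    clr_rva, clr_size = struct.unpack_from("<II", pe, dir_base + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("no CLR header: not a managed assembly")
    sect = opt + opt_size
    for i in range(num_sections):                 # map RVA -> file offset
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sect + i * 40 + 8)
        if vaddr <= clr_rva < vaddr + max(vsize, rawsize):
            return struct.unpack_from("<I", pe, clr_rva - vaddr + rawptr + 16)[0]  # Flags at +16
    raise ValueError("CLR header RVA not inside any section")


def inspect_xap(xap_bytes: bytes) -> dict:
    """A .xap is a zip: read AppManifest.xaml, then check each AssemblyPart."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
        report["entry"] = (root.get("EntryPointAssembly"), root.get("EntryPointType"))
        parts = root.find(f"{{{DEPLOY_NS}}}Deployment.Parts")
        for part in parts.findall(f"{{{DEPLOY_NS}}}AssemblyPart"):
            flags = cli_header_flags(z.read(part.get("Source")))
            report[part.get("Source")] = {
                "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
                "strong_name_flag": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
            }
    return report


def build_minimal_managed_pe(flags: int) -> bytes:
    """Fixture: the smallest PE32 skeleton the parser needs (one section that
    holds a 72-byte CLI header).  Not a loadable assembly."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2000, 72)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    cli = struct.pack("<IHHIIII", 72, 2, 5, 0x2048, 0x100, flags, 0x06000001).ljust(72, b"\0")
    return headers.ljust(0x200, b"\0") + cli.ljust(0x200, b"\0")


def build_sample_xap(flags: int) -> bytes:
    """Fixture .xap with a made-up manifest and one assembly part."""
    manifest = (f'<Deployment xmlns="{DEPLOY_NS}" xmlns:x="{XAML_NS}" '
                'EntryPointAssembly="BankClient" EntryPointType="BankClient.App">'
                '<Deployment.Parts><AssemblyPart x:Name="BankClient" Source="BankClient.dll" />'
                '</Deployment.Parts></Deployment>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("BankClient.dll", build_minimal_managed_pe(flags))
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_xap(build_sample_xap(COMIMAGE_FLAGS_ILONLY)))
    print(inspect_xap(build_sample_xap(COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED)))
```

The point to take from the report is the caveat, not the flag: the STRONGNAMESIGNED bit and the signature blob are just bytes in a file that anyone with ildasm/ilasm or Reflexil can rewrite, so a set flag only tells you the build was signed, not that the file you hold is the file that was signed. Verifying the signature against the expected public key (sn -v or a runtime check) is the tamper detection the deck refers to, and Demo 2 shows that even that check can be patched out at run time when it runs on the client.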

Demos

Demo 1 summary
- Problems
  o Code not obfuscated
  o Assembly can be tampered with
  o Business logic on the client side
- Solutions
  o Code obfuscation
  o Assembly signing
  o Move business logic to the server side

Demo 2 summary
- Starting conditions
  o Code obfuscated
  o Tamper-resistant assembly
  o IP / business logic on the server side
- Run-time hacking
  o Bypass tamper detection
  o Bypass server-side business logic
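The lesson of the two demos, as an added example that is not code from the presentation: once the client assembly can be patched (Demo 1) or its tamper check bypassed in a debugger (Demo 2), every field the client sends, including any "I verified myself" flag, is attacker-controlled, so the server must recompute from its own state. The example is written in Python rather than the ASP.NET back end a Silverlight application would usually talk to, because the principle does not depend on the server language; the request shape, price list, discount rule and session fields are made up.

```python
"""Server-side handling of an order from a Silverlight client, in the shape
Demo 1 warns about and in the hardened shape Demo 2 calls for.  Added
example, not code from the presentation; request fields, prices and the
discount rule are made up."""
from dataclasses import dataclass

PRICE_LIST = {"SKU-1": 40_00, "SKU-2": 15_00}   # server-side catalogue, in cents
MAX_QTY_PER_ORDER = 10


@dataclass
class Session:
    user: str
    gold_member: bool       # discount eligibility the server already knows


def handle_order_vulnerable(session: Session, req: dict) -> dict:
    """Demo 1 pattern: the client computed the total and ran its own
    'am I tampered with?' check; the server believes both values."""
    if not req.get("client_integrity_ok"):
        return {"ok": False, "reason": "client reported tampering"}
    return {"ok": True, "charged": req["total"]}


def handle_order_hardened(session: Session, req: dict) -> dict:
    """Demo 2 lesson: every request field is attacker-controlled.  Use only
    the SKU and quantity as *inputs*, validate them, and derive the price
    and the discount from server-side state.  The client-asserted total and
    integrity flag are never read."""
    sku, qty = req.get("sku"), req.get("qty")
    if sku not in PRICE_LIST:
        return {"ok": False, "reason": "unknown sku"}
    if type(qty) is not int or not 1 <= qty <= MAX_QTY_PER_ORDER:
        return {"ok": False, "reason": "bad quantity"}
    total = PRICE_LIST[sku] * qty
    if session.gold_member:                      # server-side fact, not a client flag
        total = total * 90 // 100
    return {"ok": True, "charged": total}


# Constructed requests.  The second is what a client patched with Reflexil,
# or steered in a debugger past its tamper check, can send: the integrity
# flag is still "true" and the total is whatever the attacker likes.
HONEST_REQUEST = {"sku": "SKU-1", "qty": 3, "total": 120_00, "client_integrity_ok": True}
TAMPERED_REQUEST = {"sku": "SKU-1", "qty": 3, "total": 1, "client_integrity_ok": True}


def demo() -> dict:
    """Run both handlers on both requests; the vulnerable one charges 1 cent."""
    alice = Session("alice", gold_member=False)
    return {
        "vulnerable_tampered": handle_order_vulnerable(alice, TAMPERED_REQUEST),
        "hardened_tampered": handle_order_hardened(alice, TAMPERED_REQUEST),
        "hardened_honest": handle_order_hardened(alice, HONEST_REQUEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that "moving business logic to the server" is only a fix if the server stops consuming client-derived conclusions; a server that still trusts `total` or `client_integrity_ok` has moved the code but not the trust boundary, which is exactly the gap Demo 2 exploits.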

Recommendations
- Web security: XSS, data encryption
- CLR: obfuscation, signing
- Domain-specific: e.g. banking application
- Legal

Q&A

References
- Silverlight Security Overview, MSDN
- Silverlight Architecture, MSDN
- SOS debugging extension command reference, MSDN
- CLR Inside Out, MSDN