Building Secure Web Applications With ASP.Net MVC.

What is ASP.Net MVC?
An extension to ASP.Net.
Implements the MVC software pattern, which divides an application's implementation into three component roles:
–models
–views
–controllers

Models
"Models" in an MVC based application are the components responsible for:
–Maintaining state.
–Often backed by a database.

Views
"Views" in an MVC based application are the components responsible for:
–Displaying the application's user interface.
–Typically this UI is created from the model data.

Controllers
Responsible for:
–Handling user interaction.
–Manipulating the model.
–Choosing a view to render to display the UI.
In an MVC application the view is only about displaying information; it is the controller that handles and responds to user input and interaction.

Part 1: Form Security
–Cross Site Scripting (XSS)
–Injection Flaws

Cross Site Scripting (XSS)
Common flaw in web applications.
Allows attackers to execute script in the victim's browser, in the context of the vulnerable site.
Caused by improper input validation and, above all, missing output encoding.

Cross Site Scripting Prevention
Request Validation, enabled by default, rejects requests whose fields look like HTML markup. It is a blocklist filter, not a substitute for encoding, and it is switched off wherever [ValidateInput(false)] is applied.
Server.HtmlEncode() (or Html.Encode() in a view) encodes untrusted data for an HTML body context; attribute, JavaScript and URL contexts need their own encoders.
Microsoft AntiXSS Library: allow-list based encoders for each of those contexts.
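The following is an added example, not code from the slides. It assumes a SearchController that echoes the query string into an ASPX view, and a hypothetical SafeEncode helper class built on System.Web.HttpUtility; the vulnerable and safe view lines are shown in the trailing comment with a constructed payload.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (not from the slides). Assumes a SearchController whose
// actions hand user input to an ASPX view.
public class SearchController : Controller
{
    // Request Validation rejects "<script>" here by default, but whatever
    // reaches the view must still be encoded where it is written out.
    public ActionResult Index(string q)
    {
        ViewData["Query"] = q ?? string.Empty;
        return View();
    }

    // A rich-text field where request validation had to be turned off: the
    // only remaining defence is output encoding, so the value is hostile.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Comment(string body)
    {
        ViewData["Body"] = body ?? string.Empty;
        return View();
    }
}

// Hypothetical context-specific encoders for the view to call. HttpUtility
// ships with System.Web; the AntiXSS library's
// Microsoft.Security.Application.Encoder class offers the same set of
// encoders with an allow-list approach and can be swapped in here.
public static class SafeEncode
{
    // Text between tags: <p>...</p>
    public static MvcHtmlString Text(this HtmlHelper html, object value)
    {
        return MvcHtmlString.Create(HttpUtility.HtmlEncode(Convert.ToString(value)));
    }

    // Quoted attribute value: <input value="...">
    public static MvcHtmlString Attr(this HtmlHelper html, object value)
    {
        return MvcHtmlString.Create(HttpUtility.HtmlAttributeEncode(Convert.ToString(value)));
    }

    // JavaScript string literal inside <script>. Emitted with its surrounding
    // double quotes so the view cannot forget them; < and > become \u003c / \u003e,
    // so a payload cannot close the script element.
    public static MvcHtmlString Js(this HtmlHelper html, object value)
    {
        return MvcHtmlString.Create(HttpUtility.JavaScriptStringEncode(Convert.ToString(value), true));
    }
}

/* Views/Search/Index.aspx with the constructed input q = <script>alert(1)</script>

   <%= ViewData["Query"] %>                 vulnerable: <%= %> writes the tag as-is
   <%= Html.Encode(ViewData["Query"]) %>    safe in HTML body: &lt;script&gt;alert(1)&lt;/script&gt;
   <%: ViewData["Query"] %>                 same, on .NET 4 / MVC 2+ (Razor's @ also encodes)

   <input value="<%= Html.Attr(ViewData["Query"]) %>">           attribute context
   <script>var q = <%= Html.Js(ViewData["Query"]) %>;</script>   script context:
                                            HtmlEncode alone is the wrong encoder here
*/
```

Html.Encode is enough for text between tags, which is the case the slide covers; the helper exists to make the attribute and script contexts explicit, because the same value pasted into a script block with only HTML encoding can still break out of the string literal.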

Injection Flaws
Common in web applications.
Caused when user input is evaluated as part of a command or query.
SQL Injection is the most common.
If _userName = "admin" and _password = "' OR 1 = 1 --" and the query is built by string concatenation, the result would be:
SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'
The OR 1 = 1 makes the WHERE clause true for every row and -- comments out the trailing quote, so the login succeeds without a password.

Injection Prevention
MVC is built around a data Model.
Object Relational Mappers (ORM):
–Linq to SQL
–ADO.Net Entity Framework
Handle CRUD commands in an injection-safe way by sending values as parameters rather than splicing them into the SQL text.
Raw SQL must still be parameterised (SqlParameter); an ORM does not protect a string-built query that is passed straight through to the database.
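An added example, not code from the slides, showing the slide's concatenated query beside its parameterised and Linq to SQL forms. It assumes a tblUsers table with UserName and Password columns (the slide's schema, kept as-is even though passwords should be hashed), a connection string, and a generated Linq to SQL DataContext named UsersDataContext with a tblUsers table; none of those names appear on the slides.

```csharp
using System.Data.SqlClient;
using System.Linq;

// Added example (not from the slides). Assumes the tblUsers table from the
// slide and a generated Linq to SQL DataContext (UsersDataContext).
public class LoginRepository
{
    private readonly string _connectionString;

    public LoginRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the slide's query, built by string concatenation.
    // userName = "admin", password = "' OR 1 = 1 --" produces
    //   SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'
    // which returns every row, so Read() is true and the attacker is logged in.
    public bool LoginUnsafe(string userName, string password)
    {
        string sql = "SELECT * FROM tblUsers WHERE UserName = '" + userName +
                     "' and Password = '" + password + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                return reader.Read();
            }
        }
    }

    // SAFE: the same query with parameters. The values travel to SQL Server
    // separately from the statement text, so "' OR 1 = 1 --" is compared
    // literally against the Password column and matches nothing.
    public bool LoginParameterised(string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM tblUsers WHERE UserName = @user AND Password = @pwd";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@user", userName);
            cmd.Parameters.AddWithValue("@pwd", password);
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // SAFE: the ORM route the slide recommends. Linq to SQL translates the
    // expression tree into parameterised SQL; the strings are never spliced
    // into the statement. Note that db.ExecuteQuery<T>("... '" + userName + "'")
    // would reopen the hole: an ORM only helps when it builds the SQL itself.
    public bool LoginLinq(UsersDataContext db, string userName, string password)
    {
        return db.tblUsers.Any(u => u.UserName == userName && u.Password == password);
    }
}
```

Running LoginUnsafe with the slide's inputs against a test database returns true for an empty password; LoginParameterised and LoginLinq return false with the same inputs because the payload never becomes SQL.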

Part 2: Application Security

Malicious File Execution
Occurs when an attacker is able to upload and execute code on a server.
The ASP.Net MVC Advantage:
–Classic ASP.Net served pages from their corresponding location on the disk, so an uploaded .aspx under the web root was a live page.
–ASP.Net MVC routes requests to the appropriate controller and view; a file on disk is not reachable simply because it sits in a folder.
–The attacker also doesn't know the application's directory structure, though that alone is obscurity, not a control.
Uploads still need handling: store them outside the web root under a server-generated name, and never pass a user-supplied path to the file system.
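An added example, not code from the slides, of an upload action that keeps uploaded files out of the web root and serves them only through a controller. It assumes a hypothetical UploadController, an "UploadRoot" appSetting pointing at a folder outside the site (for instance D:\AppData\Uploads), and that the form carries the anti-forgery token; the allowed-extension list is an illustration.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added example (not from the slides). Assumes an "UploadRoot" appSetting
// naming a folder outside the web root, so nothing in it is ever served as a page.
public class UploadController : Controller
{
    private static readonly string UploadRoot =
        ConfigurationManager.AppSettings["UploadRoot"];

    // Allow-list; an uploaded .aspx, .ashx or .config is rejected outright.
    private static readonly string[] AllowedExtensions = { ".pdf", ".png", ".jpg" };

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(HttpPostedFileBase file)
    {
        if (file == null || file.ContentLength == 0)
            return new HttpStatusCodeResult(400);

        // Never trust the client's file name or Content-Type.
        string ext = Path.GetExtension(file.FileName ?? string.Empty).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            return new HttpStatusCodeResult(400);

        // Server-generated name: the user-supplied name, which may contain
        // "..\" segments or a double extension, never reaches the file system.
        string storedName = Guid.NewGuid().ToString("N") + ext;
        file.SaveAs(Path.Combine(UploadRoot, storedName));

        return RedirectToAction("Get", new { id = storedName });
    }

    // Files leave the server only through this action, never via IIS static serving.
    public ActionResult Get(string id)
    {
        // Accept only a bare generated name: Path.GetFileName strips any
        // directory part, so a traversal attempt no longer equals the input.
        if (string.IsNullOrEmpty(id) || id != Path.GetFileName(id) ||
            Array.IndexOf(AllowedExtensions, Path.GetExtension(id).ToLowerInvariant()) < 0)
            return new HttpNotFoundResult();

        string fullPath = Path.Combine(UploadRoot, id);
        if (!System.IO.File.Exists(fullPath))
            return new HttpNotFoundResult();

        // Fixed content type and a download disposition, so the browser does
        // not sniff and render whatever the file really contains.
        return File(fullPath, "application/octet-stream", id);
    }
}
```

The Get action deliberately has no notion of who uploaded the file; tying the stored name to an owner and checking it on every request is the Insecure Direct Object Reference problem covered on a later slide.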

Insecure Direct Object Reference
Occurs when an application exposes a direct reference to a resource:
–Files
–Primary keys for database records
Attackers can edit these references to gain access to protected data.
Prevention:
–Encrypt any reference data when passing it between pages.
–Check on every request that the current user is authorised for the object the reference names; encrypting the key hides it but does not replace that check.

Cross Site Request Forgery (CSRF)
Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.
Can cause a user to perform an action they did not intend to do.
Example:

CSRF Prevention
Avoid updating user data from HTTP GET requests; restrict state-changing actions to POST with [HttpPost].
ASP.Net MVC AntiForgeryToken: Html.AntiForgeryToken() inside the form and [ValidateAntiForgeryToken] on the action that receives it.
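An added example, not code from the slides, showing a state-changing action first as a forgeable GET, then as a POST protected by the anti-forgery token, with the attacker's pages constructed for illustration. It assumes a hypothetical AccountController with a ChangeEmail action, a bank.example host, and an in-memory dictionary standing in for the user store.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Added example (not from the slides). Assumes an AccountController and a
// Views/Account/ChangeEmail.aspx form; the attacker pages in the comments are constructed.
public class AccountController : Controller
{
    // Stand-in for the user store; not on the slides.
    private static readonly Dictionary<string, string> Emails = new Dictionary<string, string>();

    // VULNERABLE: a GET that changes state. A logged-on victim who merely
    // views the attacker's page sends this request with their session cookie:
    //
    //   <img src="https://bank.example/Account/ChangeEmailUnsafe?email=attacker@evil.example">
    //
    [Authorize]
    public ActionResult ChangeEmailUnsafe(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }

    // Requiring POST alone is not enough; the attacker auto-submits a form:
    //
    //   <form method="post" action="https://bank.example/Account/ChangeEmail">
    //     <input type="hidden" name="email" value="attacker@evil.example">
    //   </form><script>document.forms[0].submit()</script>
    //
    // The anti-forgery token is what stops it: a random value placed in a cookie
    // and repeated in a hidden field. The attacker's page cannot read the
    // victim's cookie, so it cannot produce a matching hidden field.
    [Authorize]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]   // throws HttpAntiForgeryException if field and cookie differ
    public ActionResult ChangeEmail(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }
}

/* Views/Account/ChangeEmail.aspx: the token must be rendered inside the form.

   <% using (Html.BeginForm()) { %>
       <%= Html.AntiForgeryToken() %>
       <%= Html.TextBox("email") %>
       <input type="submit" value="Save" />
   <% } %>
*/
```

Both halves are needed: [HttpPost] removes the image-tag vector, and the token removes the auto-submitted form vector. A site that still leaks the token to the attacker through an XSS flaw loses this protection, which is why the form security part of the deck comes first.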

Attack Result

Information Leakage and Improper Error Handling
Improper error handling exposes implementation detail: stack traces, source file paths, line numbers, connection strings.
Prevention:
–Disable debugging (compilation debug="false").
–Custom error pages (customErrors mode="On" or "RemoteOnly").
–ASP.Net MVC HandleError Attribute, which only takes effect while custom errors are enabled.
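An added example, not code from the slides, pairing the HandleError attribute with the Web.config settings it depends on; the leaking and hardened configurations sit side by side in the trailing comment. It assumes the global filter registration of MVC 3 or later, a Views/Shared/Error.aspx view, and a hypothetical ReportController that reads files from App_Data.

```csharp
using System.Web.Mvc;

// Added example (not from the slides). Assumes MVC 3+ global filters and a
// Views/Shared/Error.aspx (and ReportMissing.aspx) view that takes HandleErrorInfo.
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Every action: an unhandled exception renders the Error view instead
        // of the default ASP.Net error page with its stack trace.
        filters.Add(new HandleErrorAttribute());
    }

    protected void Application_Start()
    {
        RegisterGlobalFilters(GlobalFilters.Filters);
    }
}

public class ReportController : Controller
{
    // Per-action override: one exception type gets a specific, still generic, view.
    // The id is an int, so it cannot carry a path; a missing file raises
    // FileNotFoundException and the user sees ReportMissing, not the path.
    [HandleError(ExceptionType = typeof(System.IO.FileNotFoundException), View = "ReportMissing")]
    public ActionResult Show(int id)
    {
        string path = Server.MapPath("~/App_Data/Reports/" + id + ".txt");
        return Content(System.IO.File.ReadAllText(path), "text/plain");
    }
}

/* Web.config. HandleError does nothing while customErrors is Off, and
   debug="true" includes line numbers and source snippets in error output.

   Leaking:
     <compilation debug="true" />
     <customErrors mode="Off" />

   Hardened:
     <compilation debug="false" />
     <customErrors mode="RemoteOnly" defaultRedirect="~/Error">
       <error statusCode="404" redirect="~/Error/NotFound" />
     </customErrors>

   The Error view receives a HandleErrorInfo model. Log Model.Exception on the
   server; never write Model.Exception.ToString() into the page.
*/
```

RemoteOnly keeps the detailed page for requests from the server itself, which is convenient on a developer box but means anyone who can run a request from the host (for instance through an SSRF flaw) sees the detail; mode="On" is the safer production setting.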

Failure to Restrict URL Access
Web application only protects a URL by not showing it to unauthorised users.
The URL can still be accessed manually.
Prevention:
–ASP.Net MVC [Authorize] Attribute on the controller or action, with Roles where a login alone is not enough.
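An added example, not code from the slides, covering this slide and the Insecure Direct Object Reference slide together: [Authorize] enforces who may call a URL, and a per-object ownership check enforces which record that caller may see. It assumes a hypothetical InvoiceController, an Invoice entity with Id and OwnerUserName, a generated Linq to SQL DataContext named BillingDataContext exposing Invoices, and a "Billing" role.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example (not from the slides). Assumes a BillingDataContext with an
// Invoices table whose rows carry Id and OwnerUserName.
[Authorize]   // every action: an anonymous request is redirected to the login page
public class InvoiceController : Controller
{
    private readonly BillingDataContext _db = new BillingDataContext();

    // VULNERABLE to Insecure Direct Object Reference: [Authorize] proves the
    // caller is logged in, but /Invoice/ShowUnsafe/1042 returns invoice 1042
    // to any logged-in user who types the id. Encrypting the id in links only
    // hides it; a captured or guessed value still works.
    public ActionResult ShowUnsafe(int id)
    {
        var invoice = _db.Invoices.SingleOrDefault(i => i.Id == id);
        if (invoice == null) return new HttpNotFoundResult();
        return View("Show", invoice);
    }

    // SAFE: the query is scoped to the current user, so another user's id
    // simply does not exist from this caller's point of view. 404 rather than
    // 403, so the response does not confirm which ids are valid.
    public ActionResult Show(int id)
    {
        string me = User.Identity.Name;
        var invoice = _db.Invoices.SingleOrDefault(i => i.Id == id && i.OwnerUserName == me);
        if (invoice == null) return new HttpNotFoundResult();
        return View(invoice);
    }

    // Function-level check: hiding the "All invoices" link from the menu is
    // not a control; the role requirement on the action is.
    [Authorize(Roles = "Billing")]
    public ActionResult All()
    {
        return View(_db.Invoices.ToList());
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

Putting [Authorize] on the class rather than on each action avoids the usual failure mode of a new action being added without it; the role-restricted action then tightens that baseline rather than being the only line of defence.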

Thank You
Kevin Watt
Chris Brousseau