Shawn Wildermuth President, AgiliTrain Microsoft MVP (Data) Knowing the Enemy.


Securing Silverlight: Knowing the Enemy

 Users/Hackers: Reflector, Silverlight Spy, debuggers, memory profilers (anything that runs on the client can be inspected by the client)
 Hackers/Personnel: intrusion and physical security
 Eavesdroppers: packet sniffers, etc.

 YourApp.xap is YourApp.zip: a renamed ZIP archive that contains
◦ Main Assembly: code, embedded XAML, other resources
◦ SDK Assemblies: optionally deployed controls
◦ Other .dll: your libraries
◦ Other Assets: images, fonts

Securing Silverlight: Knowing the Enemy  Client Security Considerations ◦ Code ◦ XAML ◦ Assets ◦ Secrets ◦ Isolated Storage ◦ Data

Securing Silverlight: Knowing the Enemy  Code ◦ Limited Protection ◦ Even with Obfuscation  XAML ◦ Almost No Protection ◦ Stored as Text  Assets ◦ Almost No Protection

Securing Silverlight: Knowing the Enemy  Secrets ◦ Obfuscation Helps ◦ Not Complete – Must Be Loaded Into Memory  Isolated Storage ◦ No Protection ◦ Accessible to Users – Keep Your Secrets Out of Here  Data ◦ Limit Surface Area ◦ Send Summary Data ◦ Data Services’ Projections Are Helpful

Securing Silverlight: Knowing the Enemy  Silverlight does not protect your Algorithms ◦ Unlike.NET:  Obfuscation only protects against decompilation  Code runs in the client  Client must be able to download assemblies

Securing Silverlight: Knowing the Enemy  What is worth protecting? ◦ Labor? No… ◦ Unique implementations? Yes… ◦ Sensitive data? Yes…

Securing Silverlight: Knowing the Enemy  Hide it on the Server ◦ Generate the XAML on the Server ◦ Send only summary data to the client

Securing Silverlight: Knowing the Enemy  Silverlight Apps Are Just Files ◦ Protect like any other web file  Forms Authentication  Windows Authentication  Etc.

Securing Silverlight: Knowing the Enemy  For Apps with Login ◦ XAP needs to be anonymous accessed ◦ Compose at Runtime  Bootstrapper App or Composition (Prism, MEF, etc.)

Securing Silverlight: Knowing the Enemy  Only Secure Methods in Silverlight ◦ Token Based ◦ Cookie Based ◦ NTLM Based

 Browser ↔ Silverlight app: a network call made through the browser carries the browser's state (cookies, session ID, NTLM)

Securing Silverlight: Knowing the Enemy  Why Not Basic Auth? ◦ Insecure across the wire  (though could secure with SSL) ◦ Uses Headers  Specifically forbidden using the HTTP Stacks

Securing Silverlight: Knowing the Enemy  Integrated Windows Authentication ◦ Just Works ◦ Assumes NTLM on the Platform  OSX is Problematic

Securing Silverlight: Knowing the Enemy  Cookie Based Auth ◦ ASP.NET’s Forms Based Auth ◦ Custom Encrypted Cookies  Never decrypt on client  Expire Cookies Frequently

Securing Silverlight: Knowing the Enemy  Token-based Security ◦ Can use expiring tokens ◦ Pass them in on web services ◦ Not fool proof or ‘secure’ ◦ Must also expire

Securing Silverlight: Knowing the Enemy  Add Service Reference Problem ◦ Doesn’t play well with security ◦ Must disable security when adding/refreshing ◦ Trouble for building references at build-time

Securing Silverlight: Knowing the Enemy  ClientCredentials MyServiceClient client = new MyServiceClient(); client.ClientCredentials.UserName.UserName = "Frank"; client.ClientCredentials.UserName.Password = "P2ssw0rd"; client.GetNameCompleted += (s, args) => { theText.Text = args.Result; }; client.GetNameAsync(); MyServiceClient client = new MyServiceClient(); client.ClientCredentials.UserName.UserName = "Frank"; client.ClientCredentials.UserName.Password = "P2ssw0rd"; client.GetNameCompleted += (s, args) => { theText.Text = args.Result; }; client.GetNameAsync();

Securing Silverlight: Knowing the Enemy  Using Forms Authentication Service ◦ AuthenticationService (pre-built WCF) ◦ Simple SOAP call to authenticate ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %> ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %> var proxy = new AuthenticationServiceClient(); proxy.LoginCompleted += (s, args) => { if (args.Result) { // Succeeded } }; proxy.LoginAsync("Frank", "P2ssw0rd", null, false); var proxy = new AuthenticationServiceClient(); proxy.LoginCompleted += (s, args) => { if (args.Result) { // Succeeded } }; proxy.LoginAsync("Frank", "P2ssw0rd", null, false);

Securing Silverlight: Knowing the Enemy  Standard network stack goes through Browser ◦ Good:  Uses cookies and NTLM  Looks and feels like the browser ◦ Bad:  Only GET/POST are supported  Typically limited to two outbound requests

Securing Silverlight: Knowing the Enemy  Alternative: Client HTTP Stack ◦ For specific scenarios:  Need PUT/DELETE  Need Custom Cookies  Need more control  status codes, bodies and headers

Securing Silverlight: Knowing the Enemy  Create New Request ◦ Use WebRequestCreator’s ClientHttp property: ◦ Non-event-based, APM style WebRequest req = WebRequestCreator.ClientHttp.Create(new Uri(" UriKind.Absolute)); WebRequest req = WebRequestCreator.ClientHttp.Create(new Uri(" UriKind.Absolute)); req.BeginGetResponse(new AsyncCallback(r => { var res = req.EndGetResponse(r); var strm = res.GetResponseStream(); }), null); req.BeginGetResponse(new AsyncCallback(r => { var res = req.EndGetResponse(r); var strm = res.GetResponseStream(); }), null);

Securing Silverlight: Knowing the Enemy  Specify all Client HTTP Stack ◦ Call WebRequest’s RegisterPrefix to specify: ◦ Then all calls become client, even WebClient: bool httpResult = WebRequest.RegisterPrefix(" WebRequestCreator.ClientHttp); bool httpResult = WebRequest.RegisterPrefix(" WebRequestCreator.ClientHttp); WebClient client = new WebClient(); client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete); client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative)); WebClient client = new WebClient(); client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete); client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative));

Securing Silverlight: Knowing the Enemy  WebRequests Credentials Supported ◦ For ClientHttp stack only, adds Authentication header var request = WebRequestCreator.ClientHttp.Create( new Uri(" UriKind.Relative)); request.Credentials = new NetworkCredential("shawn", request.UseDefaultCredentials = false; var request = WebRequestCreator.ClientHttp.Create( new Uri(" UriKind.Relative)); request.Credentials = new NetworkCredential("shawn", request.UseDefaultCredentials = false; WebRequest.RegisterPrefix("http", WebRequestCreator.ClientHttp); var client = new WebClient(); client.Credentials = new NetworkCredential("shawn", client.UseDefaultCredentials = false; client.DownloadStringCompleted += (s, a) => a.Result.ToArray(); client.DownloadStringAsync( new Uri(" UriKind.Relative)); WebRequest.RegisterPrefix("http", WebRequestCreator.ClientHttp); var client = new WebClient(); client.Credentials = new NetworkCredential("shawn", client.UseDefaultCredentials = false; client.DownloadStringCompleted += (s, a) => a.Result.ToArray(); client.DownloadStringAsync( new Uri(" UriKind.Relative));