1. DEV333

2. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack

3. SQL Injection SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Information Leakage Encryption

4. ' Network enumeration Account creating/cracking Database Copying over port 80 Data Tampering Code Download Backdoors Expected Input Unexpected Input '

6. ALL calls are parameterized No dynamic strings Escape/Whitelist input. Audit table permissions! Use Entity Framework!! DEMO - Permissions checker code

9. Cross Site Scripting SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Encryption / Protecting Credentials Information Leakage

10. Candidate Names Included: Unauthorized Site Scripting Unofficial Site Scripting URL Parameter Script Insertion Cross Site Scripting Synthesized Scripting Fraudulent Scripting Script Injected to Web Page Evil Script User Visits Page

14. Cross Site Request Forgery SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Encryption / Protecting Credentials Information Leakage

17. GET Request Data Returned-No Action POST Request with Token Token Check->Action!

20. Parameter Tampering SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Encryption / Protecting Credentials Information Leakage

21. Client contains key field Attacker alters data (userId) on POST Wrong data updated based on new key UserId=59 UserId=1

23. Encryption / Protecting Credentials SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Encryption / Protecting Credentials Information Leakage

25. Forms Authentication Tokens Basic Credentials CookiesNTLM

26. Information Leakage SQL Injection Cross Site Scripting Cross Site Request Forgery Parameter Tampering Encryption / Protecting Credentials Information Leakage

27. Simplest Implementation in web.config

28. All links at: http://bit.ly/mlml1B Free Trial!! PluralSite OnDemand Training Library – Free Trial!! OWASP: The Open Web Application Security Project Security Tools Microsoft Anti-Cross Site Scripting Library V4.0 (4.1 in beta!) Microsoft Code Analysis Tool.NET (CAT.NET) v1 CTP - 32 bit

29. Required Slide Speakers, please list the Breakout Sessions, Interactive Discussions, Labs, Demo Stations and Certification Exam that relate to your session. Also indicate when they can find you staffing in the TLC.

32. www.microsoft.com/teched Sessions On-Demand & CommunityMicrosoft Certification & Training Resources Resources for IT ProfessionalsResources for Developers www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn http://northamerica.msteched.com Connect. Share. Discuss.

34. Scan the Tag to evaluate this session now on myTechEd Mobile