Published by Iyanna Winfield. Modified over 9 years ago.
Slide 1: DEV333
Slide 2 (agenda): Describe each main attack. Demo how the attack works. Fix our poor vulnerable application! "Why, Script Kiddies, Why?" / "Click to Hack".
Slide 3: SQL Injection. Topics covered in the deck: SQL Injection; Cross Site Scripting; Cross Site Request Forgery; Parameter Tampering; Information Leakage; Encryption.
Slide 4 (what a single stray ' in input can lead to): network enumeration; account creation/cracking; copying the database out over port 80; data tampering; code download; backdoors. The root cause: the application handles expected input but not unexpected input.
Slide 6 (SQL Injection fixes): ALL calls are parameterized. No dynamic SQL strings. Escape/whitelist input. Audit table permissions! Use Entity Framework!! DEMO: permissions checker code.
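The deck targets ASP.NET, but the two fixes on this slide (bind input as parameters; whitelist anything that cannot be a parameter, such as a column name) are language-independent. Below is an added, runnable example written for this page, not code from the DEV333 demo: the same login lookup built as a dynamic string and as a parameterized query, run against an in-memory SQLite database with constructed sample rows. The table, column names and credentials are assumptions. Note that an ORM such as Entity Framework parameterizes the queries it generates for you, but any raw-SQL entry point it exposes is still dynamic SQL if you concatenate into it.

```python
# Added example for the "parameterize everything, whitelist the rest" slide.
# Schema, rows and credentials below are constructed for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)"
    )
    # executemany with ? placeholders: the inserts are parameterized too.
    conn.executemany(
        "INSERT INTO users (name, pw, role) VALUES (?, ?, ?)",
        [("admin", "hunter2", "admin"), ("alice", "letmein", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """'Dynamic string' version: user input is spliced into SQL syntax."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Parameterized version: input is bound as data and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


# Identifiers (table/column names, sort direction) cannot be bound as
# parameters, so the only safe option is an explicit whitelist.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_col: str) -> list:
    """Whitelist the column name before it is interpolated into ORDER BY."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_col}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Classic comment-out of the password check: "admin' --"
    print("vulnerable :", login_vulnerable(db, "admin' --", "wrong"))
    print("parameterized:", login_parameterized(db, "admin' --", "wrong"))
    # Tautology in the password field returns every row from the vulnerable query.
    print("vulnerable :", login_vulnerable(db, "x", "' OR '1'='1"))
    print("parameterized:", login_parameterized(db, "x", "' OR '1'='1"))
    print("sorted      :", list_users_sorted(db, "name"))
```

Running the script shows the dynamic-string login returning the admin row for a password that is wrong, and the parameterized login returning nothing for the same input. The whitelist function is the piece people forget: parameters protect values, not identifiers.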
Slide 9: Cross Site Scripting
Slide 10: Candidate names included: Unauthorized Site Scripting; Unofficial Site Scripting; URL Parameter Script Insertion; Cross Site Scripting; Synthesized Scripting; Fraudulent Scripting. Attack flow on the slide: script injected into web page, evil script, user visits page.
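The flow on the slide (script injected into the page, then executed when a user visits) is stopped by encoding untrusted data for the context it lands in, which is what the Anti-Cross Site Scripting Library listed in the resources does for ASP.NET. The following is an added Python example written for this page, not deck code, that renders a constructed comment field into three contexts: an HTML text node, a single-quoted attribute, and a JavaScript string literal inside a script block. The template strings and payloads are assumptions.

```python
# Added example: context-aware output encoding against reflected/stored XSS.
# Page template and payloads are constructed for the demo.
import html
import json


def render_page(comment: str, encode: bool) -> str:
    """Render the comment into an attribute value and into a text node.

    With encode=True, html.escape(quote=True) turns < > & " ' into entities,
    so the browser shows the text instead of parsing it as markup.
    """
    value = html.escape(comment, quote=True) if encode else comment
    return (
        "<input name='q' value='" + value + "'>"
        "<p class='comment'>" + value + "</p>"
    )


def render_into_script(value: str) -> str:
    """Embed a value in a JS string literal inside an inline script.

    HTML encoding is the wrong tool here; the value must be a valid JS
    string literal. json.dumps escapes quotes and backslashes, and '<' is
    additionally written as \\u003c so a payload cannot close the tag early.
    """
    literal = json.dumps(value).replace("<", "\\u003c")
    return "<script>var userName = " + literal + ";</script>"


def count_script_tags(markup: str) -> int:
    """Number of <script ...> openers the HTML parser would see."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    text_payload = "<script>alert(1)</script>"
    attr_payload = "' onfocus='alert(1)"
    print(render_page(text_payload, encode=False))
    print(render_page(text_payload, encode=True))
    print(render_page(attr_payload, encode=False))
    print(render_page(attr_payload, encode=True))
    print(render_into_script("</script><script>alert(1)</script>"))
```

The attribute case is the one that defeats "just encode angle brackets": the payload never contains `<`, it only closes the quote and adds an event handler, which is why quotes must be encoded as well.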
Slide 14: Cross Site Request Forgery
Slide 17 (CSRF defence flow): GET request: data returned, no action. POST request with token: token check, then action.
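The slide's two rules are: a GET never changes state, and a POST only acts after a per-session token in the body matches the one the server issued. The browser attaches the session cookie to a cross-site POST automatically, but the attacker's page cannot read the token, so the forged request fails the check. Added Python example for this page (not deck code) of that synchronizer-token flow; the session store, form markup and the "transfer" action are constructed stand-ins for whatever the real application does.

```python
# Added example: synchronizer-token CSRF check with a GET that is read-only.
# Session store, form and action are constructed for the demo.
import hmac
import secrets

SESSIONS: dict = {}      # session id -> {"user": ..., "csrf_token": ...}
transfer_log: list = []  # records every state change the POST handler performs


def new_session(user: str) -> str:
    """Start a session with a fresh, unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """The legitimate page embeds the token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="amount"><button>Transfer</button></form>'
    )


def handle_request(method: str, cookies: dict, form: dict) -> tuple:
    """Return (status, body). GET only reads; POST must carry a valid token."""
    if method == "GET":
        return 200, "balance page"          # data returned, no action
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf", "")
    # Constant-time compare; both sides encoded so non-ASCII input cannot
    # make compare_digest raise instead of returning False.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or wrong"
    transfer_log.append((session["user"], form.get("amount", "0")))  # action!
    return 200, "transfer done"


if __name__ == "__main__":
    sid = new_session("alice")
    cookies = {"sid": sid}  # what the browser sends on every request to the site
    print(handle_request("GET", cookies, {"amount": "1000"}))
    # Attacker's page: cookie rides along, token does not.
    print(handle_request("POST", cookies, {"amount": "1000"}))
    # Legitimate form: token rendered into the page, echoed back on POST.
    token = SESSIONS[sid]["csrf_token"]
    print(handle_request("POST", cookies, {"amount": "1000", "csrf": token}))
    print(transfer_log)
```

Keeping the GET path free of side effects matters as much as the token: a state-changing GET can be triggered by a plain `<img src=...>` and no token check ever runs.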
Slide 20: Parameter Tampering
Slide 21: The client contains the key field. The attacker alters the data (userId) on POST. The wrong record is updated based on the new key: UserId=59 becomes UserId=1.
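The fix for the slide's scenario is to stop trusting the key the client sends: either derive it from the authenticated session, or verify that the submitted key belongs to that session's user before touching the row. Added Python example written for this page (not deck code) with a constructed in-memory user table; the user ids 59 and 1 mirror the slide, and the form field names are assumptions.

```python
# Added example: hidden-field tampering (userId=59 -> userId=1) against a
# handler that trusts the client and two handlers that do not.
# User table and form fields are constructed for the demo.


def make_users() -> dict:
    """Constructed sample rows keyed by user id."""
    return {
        1: {"name": "admin", "email": "admin@example.test"},
        59: {"name": "alice", "email": "alice@example.test"},
    }


def update_profile_trusting_client(users: dict, session_user_id: int, form: dict) -> int:
    """Vulnerable: the row to update comes from the POSTed hidden field."""
    target = int(form["userId"])
    users[target]["email"] = form["email"]
    return target


def update_profile_server_bound(users: dict, session_user_id: int, form: dict) -> int:
    """Fixed (variant 1): accept the key but verify ownership before the write."""
    target = int(form["userId"])
    if target != session_user_id:
        raise PermissionError(f"user {session_user_id} may not edit user {target}")
    users[target]["email"] = form["email"]
    return target


def update_profile_from_session(users: dict, session_user_id: int, form: dict) -> int:
    """Fixed (variant 2): never read the key from the client at all."""
    users[session_user_id]["email"] = form["email"]
    return session_user_id


if __name__ == "__main__":
    # Alice (session user 59) edits the hidden field to 1 before submitting.
    tampered = {"userId": "1", "email": "evil@example.test"}
    db = make_users()
    update_profile_trusting_client(db, 59, tampered)
    print("trusting client :", db[1])
    db = make_users()
    try:
        update_profile_server_bound(db, 59, tampered)
    except PermissionError as err:
        print("server bound    :", err, db[1])
    db = make_users()
    update_profile_from_session(db, 59, tampered)
    print("from session    :", db[1], db[59])
```

Variant 2 is the one to prefer for "my own record" operations; variant 1 is the general shape for records a user legitimately owns more than one of (orders, documents), where the ownership lookup replaces the `target != session_user_id` comparison.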
Slide 23: Encryption / Protecting Credentials
Slide 25: Forms Authentication; Tokens; Basic Credentials; Cookies; NTLM.
Slide 26: Information Leakage
Slide 27: Simplest implementation is in web.config.
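The slide leaves the web.config setting itself to the demo; the behaviour it buys is that an unhandled exception produces a generic page for the client while the details stay in the server log. The added Python example below, written for this page and not taken from the deck, shows that contract in code: a constructed failing handler, a leaky response that echoes the exception and stack trace, and a safe response that returns only a correlation id the operator can look up. The header scrubber at the end removes the framework-identifying headers (Server, X-Powered-By, X-AspNet-Version) that also leak version information; the header values used are constructed.

```python
# Added example: generic error responses plus header scrubbing, the two
# information-leakage fixes a web.config normally carries. The failing
# handler, log sink and header values are constructed for the demo.
import traceback
import uuid


def failing_handler() -> dict:
    """Stand-in for a page that blows up with a sensitive message."""
    raise RuntimeError(
        "Cannot open database: Server=db01;User Id=sa;Password=s3cret!"
    )


def leaky_run(handler) -> dict:
    """Debug-style behaviour: exception text and stack trace go to the client."""
    try:
        return handler()
    except Exception as exc:
        return {"status": 500, "body": f"{exc}\n{traceback.format_exc()}"}


def safe_run(handler, log: list) -> dict:
    """Production behaviour: full detail to the log, only a reference to the client."""
    try:
        return handler()
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.append(f"[{ref}] {type(exc).__name__}: {exc}\n{traceback.format_exc()}")
        return {
            "status": 500,
            "ref": ref,
            "body": f"Something went wrong. Please quote reference {ref}.",
        }


LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def scrub_headers(headers: dict) -> dict:
    """Drop headers that advertise the server stack, keeping everything else."""
    return {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}


if __name__ == "__main__":
    print("LEAKY:\n", leaky_run(failing_handler)["body"])
    server_log: list = []
    resp = safe_run(failing_handler, server_log)
    print("SAFE :", resp["body"])
    print("LOG  :", server_log[0].splitlines()[0])
    print(scrub_headers({
        "Content-Type": "text/html",
        "Server": "Microsoft-IIS/7.5",
        "X-Powered-By": "ASP.NET",
        "X-AspNet-Version": "4.0.30319",
    }))
```

The correlation id is what makes the generic page usable in practice: support can find the exact stack trace without the client ever seeing it.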
Slide 28 (resources): All links at http://bit.ly/mlml1B. Pluralsight On-Demand Training Library (free trial). OWASP: The Open Web Application Security Project. Security tools: Microsoft Anti-Cross Site Scripting Library v4.0 (4.1 in beta); Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP, 32-bit.