A Demo of and Preventing XSS in .NET Applications

1 A Demo of and Preventing XSS in .NET Applications

2 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.NET & Others

3 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.NET & Others

4 OWASP Top Ten (2013)
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration

5 OWASP Top Ten (2013)
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

6 Injection
– SQL & XSS (Cross-Site Scripting)
– Information Leakage
– Principle of Least Privilege

7

8 The top two vulnerabilities (Injection and XSS) share the same root cause: the programmer does not keep code and data separate. Attacker-controlled text is concatenated into a string that a downstream parser (the SQL engine, the browser's HTML parser) then executes as code.
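The following C# program is an added example, not code from the slides or the demo. It shows the same concatenation mistake in both contexts and the fix for each: a parameterized query so the SQL engine never parses the value as SQL, and HTML encoding so the browser never parses it as markup. It assumes `System.Data.SqlClient` is available (classic .NET Framework, or the NuGet package of that name); the class, method names and the attacker string are constructed for illustration.

```csharp
// Added example (not from the original slides): one mistake, two parsers.
// A string that is meant to be DATA is glued into a string the consumer treats as CODE.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

public static class CodeVsData
{
    // Constructed attacker input that is hostile to both parsers at once.
    public const string Input = "' OR 1=1 --<script>alert(1)</script>";

    // VULNERABLE: the input becomes part of the SQL grammar.
    public static string VulnerableSql(string userName) =>
        "SELECT Id FROM Users WHERE Name = '" + userName + "'";

    // VULNERABLE: the input becomes part of the HTML grammar.
    public static string VulnerableHtml(string userName) =>
        "<p>Hello, " + userName + "</p>";

    // FIXED: the value travels out-of-band as a typed parameter.
    // The command text never changes, so no user text is parsed as SQL.
    public static SqlCommand SafeSql(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }

    // FIXED: HTML metacharacters are encoded at output time, so the browser's
    // HTML parser sees text, not a <script> element.
    public static string SafeHtml(string userName) =>
        "<p>Hello, " + WebUtility.HtmlEncode(userName) + "</p>";

    public static void Main()
    {
        Console.WriteLine("vulnerable SQL : " + VulnerableSql(Input));
        Console.WriteLine("vulnerable HTML: " + VulnerableHtml(Input));

        // No live database is needed to show the point: the SQL text is fixed and
        // the hostile string sits in a parameter that is sent separately.
        var conn = new SqlConnection();
        SqlCommand cmd = SafeSql(conn, Input);
        Console.WriteLine("safe SQL       : " + cmd.CommandText +
                          "   [@name = " + cmd.Parameters["@name"].Value + "]");

        Console.WriteLine("safe HTML      : " + SafeHtml(Input));
    }
}
```

Note that the fix is different in each case but the principle is identical: hand the data to the consumer through a channel that cannot be confused with its code (a bound parameter, an encoded text node), rather than trying to strip "bad" characters out of the data.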

9 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.NET & Others

10 XSS – What it is. – Types of XSS

11 How To Mitigate
– Validate and constrain input
– Properly encode output
– Microsoft Anti-Cross Site Scripting Library

12 OWASP AntiSamy.NET
– What about Server.HtmlEncode?
– It uses a blacklist: only a short fixed list of characters (such as <, >, &, ") is encoded and everything else passes through, whereas the Anti-XSS encoders whitelist known-safe characters and encode the rest.
– Less secure
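The next C# program is an added example (not from the slides) for the "properly encode output" step. It encodes one value for four different output contexts with the encoders in `System.Text.Encodings.Web` (the built-in successor to the Anti-XSS library's `Encoder` class, shipped with .NET Core / .NET 5+), and contrasts them with the older `HttpUtility.HtmlEncode` (`System.Web.dll` on .NET Framework, or the `System.Web.HttpUtility` NuGet package). The class, method names and attacker strings are constructed for illustration.

```csharp
// Added example (not from the original slides): encode for the context the value lands in.
using System;
using System.Text.Encodings.Web;
using System.Web;

public static class ContextualEncoding
{
    // Constructed attacker inputs, one per context.
    public const string QuotedAttributeBreakout   = "\" autofocus onfocus=\"alert(1)";
    public const string UnquotedAttributeBreakout = "x autofocus onfocus=alert(1)";
    public const string ScriptBreakout            = "</script><script>alert(1)</script>";
    public const string UrlBreakout               = "javascript:alert(1)";

    // HTML body text: <p>...</p>
    public static string ForHtmlBody(string s) => HtmlEncoder.Default.Encode(s);

    // Quoted HTML attribute: <input value="...">. The encoder turns " into &quot;,
    // but it never substitutes for the quotes themselves (see Main).
    public static string ForQuotedAttribute(string s) =>
        "\"" + HtmlEncoder.Default.Encode(s) + "\"";

    // JavaScript string literal: var v = "..."; the JS encoder escapes <, >, &, quotes
    // and non-ASCII as \uXXXX, so "</script>" can no longer close the block.
    public static string ForJavaScriptString(string s) =>
        "\"" + JavaScriptEncoder.Default.Encode(s) + "\"";

    // URL query value: /search?q=... Percent-encoding protects the query string only.
    public static string ForUrlQuery(string s) => UrlEncoder.Default.Encode(s);

    // A whole attacker-supplied URL is a different problem: encoding does not stop
    // javascript:, so the scheme has to be checked against an allow-list.
    public static bool IsSafeLinkTarget(string url) =>
        Uri.TryCreate(url, UriKind.Absolute, out var u) &&
        (u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps);

    // The older blacklist encoder: touches only < > & " and ' (since .NET 4.0);
    // letters, spaces and = pass straight through.
    public static string LegacyHtmlEncode(string s) => HttpUtility.HtmlEncode(s);

    public static void Main()
    {
        Console.WriteLine("<p>" + ForHtmlBody(ScriptBreakout) + "</p>");
        Console.WriteLine("<input value=" + ForQuotedAttribute(QuotedAttributeBreakout) + ">");
        Console.WriteLine("<script>var v = " + ForJavaScriptString(ScriptBreakout) + ";</script>");
        Console.WriteLine("<a href=\"/search?q=" + ForUrlQuery(UrlBreakout) + "\">search</a>");
        Console.WriteLine("javascript: link allowed? " + IsSafeLinkTarget(UrlBreakout));

        // Wrong context: in an UNQUOTED attribute the payload needs no metacharacter at all,
        // so neither encoder changes it and the browser still sees a new onfocus attribute.
        Console.WriteLine("<input value=" + LegacyHtmlEncode(UnquotedAttributeBreakout) + ">");
        Console.WriteLine("<input value=" + ForHtmlBody(UnquotedAttributeBreakout) + ">");
    }
}
```

The last two lines are the practical caveat behind "properly encode output": the encoder has to match the sink (HTML body, quoted attribute, JavaScript string, URL component), and quoting attributes is part of the contract, not something encoding can replace.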

13 Regex – the home-grown approach

14 Goldilocks Problem. – Scrub data too little. – Scrub data just right. – Scrub data too hard.
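To make the "too little / too hard / just right" point concrete, here is an added C# example (not from the slides or the demo). A home-grown regex blacklist is run over a handful of constructed payloads, a second regex flags whichever outputs are still executable markup, and an over-aggressive scrubber is shown mangling legitimate data; the encoder-at-output approach preserves the data and is the "just right" case. The class and method names and the payload strings are constructed for illustration.

```csharp
// Added example (not from the original slides): a hand-rolled scrubber vs. output encoding.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class HomeGrownScrubber
{
    // "Too little": removes the one literal tag the developer thought of.
    public static string ScrubTooLittle(string s) =>
        Regex.Replace(s, "<script>", "", RegexOptions.IgnoreCase);

    // "Too hard": throws away every character that is not alphanumeric or a space,
    // so legitimate values such as O'Brien or "1 < 2" are silently corrupted.
    public static string ScrubTooHard(string s) =>
        Regex.Replace(s, "[^A-Za-z0-9 ]", "");

    // "Just right": keep the data intact and encode it for the HTML body when it is output.
    public static string EncodeForHtml(string s) => WebUtility.HtmlEncode(s);

    // Constructed payloads. Only the first is what the blacklist author had in mind.
    public static readonly string[] Payloads =
    {
        "<script>alert(1)</script>",                  // the one case the regex handles
        "<scr<script>ipt>alert(1)</script>",          // single-pass removal re-assembles the tag
        "<img src=x onerror=alert(1)>",               // no <script> tag at all
        "<svg onload=alert(1)>",
        "<script src=//attacker.example></script>",   // attributes defeat the literal match
    };

    // Crude detector for the demo: an opening script/img/svg tag or an on*= handler survived.
    public static bool StillDangerous(string scrubbed) =>
        Regex.IsMatch(scrubbed, @"<\s*(script|img|svg)\b|\bon\w+\s*=", RegexOptions.IgnoreCase);

    public static void Main()
    {
        foreach (string p in Payloads)
        {
            string weak = ScrubTooLittle(p);
            Console.WriteLine((StillDangerous(weak) ? "BYPASS " : "blocked") + "  " + weak);
        }

        const string legit = "O'Brien says 1 < 2";
        Console.WriteLine("too hard  : " + ScrubTooHard(legit));   // data destroyed
        Console.WriteLine("just right: " + EncodeForHtml(legit));  // data preserved, inert in HTML
    }
}
```

Four of the five payloads come out of the blacklist still executable, which is the usual fate of a denylist written against the attacks someone already knows about. Input validation still has a place (constrain a ZIP code to digits, an e-mail address to its grammar), but it is a data-quality control; the control that actually stops XSS is encoding at the output sink.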

15 Demo: XSS, and if time permits, SQL Injection

16 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.NET & Others

17 Pros… – Validate input / encode output (Anti-XSS library) – Helps with SQL injection and XSS – Adds another layer of defense – Used by Microsoft as an internal tool

18 Cons… – It's not perfect and it should not be our only defense layer – Microsoft doesn't update it as often as it should – There is an open source alternative (OWASP AntiSamy.NET)

19 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.NET & Others

20 Demo AntiSamy

21 Introduction OWASP Top Ten XSS Microsoft Web Protection Library OWASP AntiSamy.NET Cat.Net

22 Cat.NET Demo

23 Resources

24 About Me Larry Conklin Senior Developer at QuikTrip in Tulsa, Oklahoma. My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores. Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL). My current passion is talking and learning about security and integrating it into the SDLC to create secure code. – Current project support manager, OWASP Code Review Project 2.0. – INFOSEC Certificate Program at University of Tulsa – (ISC)² CISSP Certification – Committee on National Security Systems Certificates. NSTISSI No. 4011: – Information Systems Security Professional, 4012:

