Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Hacker's Perspective Kamran Bilgrami / Angelo Chan Silverlight Security.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Hacker's Perspective Kamran Bilgrami / Angelo Chan Silverlight Security."— Presentation transcript:

1 A Hacker's Perspective Kamran Bilgrami / Angelo Chan Silverlight Security

2 Agenda Silverlight overview Scope Key concepts Demos Recommendations Q&A

3 Silverlight Overview User Cross-browser, cross-platform Media-rich (audio/video) Run in-browser, out-of-browser.xap - archive of assemblies, manifest Programmer.NET programming model Networking and LINQ support

4 Silverlight architecture Presentation (e.g. Media) CoreCLR (optimized)

5 Silverlight overview - security Run-time security modes o In browser, out of browser Sandbox o User initiated, same origin policy

6 Scope In scope o Vulnerabilities against Silverlight related components Out of scope o Classical attacks (SQL Injection, XSS etc) Due to XAP/CoreCLR, hackers can now apply.NET assembly hacking techniques to your web application

7 Useful concepts XAP CoreCLR Intermediate Language (IL) Widely Available Tools o ILASM/ILDASM o Reflector o ReflexIL Signing/Tamper detection Obfuscation (Protect IP)

8 Demos

9 Demo 1 Summary Problems Code not obfuscated Tamper-able Assembly Client side Business logic Solutions Use code obfuscation Assembly Signing Server Side Business

10 Demo 2 Summary Starting conditions Code was obfuscated Tamper resistant IP / Business logic on server side Run-time hacking Bypass tamper detection Bypass server business logic

11 Recommendations Web security - XSS, data encryption CLR - Obfuscation, signing Domain-specific - e.g. banking application Legal

12 Q&A

13 References Silverlight Security Overview - MSDN Silverlight Architecture - MSDNM SOS command reference - MSDN CLR Inside Out - MSDN http://www.windowsdebugging.com kamran@windowsdebugging.com angelo@windowsdebugging.com

14

Download ppt "A Hacker's Perspective Kamran Bilgrami / Angelo Chan Silverlight Security."

Similar presentations

Compliance and Robustness Rules for Windows Media DRM Implementations Microsoft Corporation.

Compliance and Robustness Rules for Windows Media DRM Implementations Microsoft Corporation.
Overview / Introduction to our work in Silverlight Developing with the Silverlight 2 Framework Design of the Concept / Storyboards Architecture Game Logic.

Overview / Introduction to our work in Silverlight Developing with the Silverlight 2 Framework Design of the Concept / Storyboards Architecture Game Logic.
HiveMind Distributed File Storage Using JavaScript Botnets Copyright 2013 Sean T. Malone.

HiveMind Distributed File Storage Using JavaScript Botnets Copyright 2013 Sean T. Malone.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.

.NET IL Obfuscation Presented by: Sarath Chandra Dorbala.
By: M. Swain. Client-side refers to operations that are performed by the client in a client–server environment Typically, web browser, that runs on a.

By: M. Swain. Client-side refers to operations that are performed by the client in a client–server environment Typically, web browser, that runs on a.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
The Microsoft’s solution for building cross-platform Rich Internet Applications.

The Microsoft’s solution for building cross-platform Rich Internet Applications.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.

Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.
ISYS 512 Business Application Design and Development with.Net David Chao.

ISYS 512 Business Application Design and Development with.Net David Chao.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
It’s always better live. MSDN Events Developing ASP.NET AJAX Controls with Silverlight.

It’s always better live. MSDN Events Developing ASP.NET AJAX Controls with Silverlight.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer.

UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer.
It’s always better live. MSDN Events INTRODUCTION TO SILVERLIGHT prepared by Joe Nov 06 2007 INTRODUCTION TO SILVERLIGHT prepared by Joe Nov 06 2007.

It’s always better live. MSDN Events INTRODUCTION TO SILVERLIGHT prepared by Joe Nov INTRODUCTION TO SILVERLIGHT prepared by Joe Nov

Similar presentations

Ads by Google