Published by Hortense Teresa Watkins. Modified over 9 years ago.
All Input is Evil (Part 1)
Introduction
- Will not cover everything
- Healthy level of paranoia
- Uses my DVD Swap Shop application (week 2)
Security Considerations
- Authentication
- Authorisation
- Secure communication
- Software + hardware
The Login
- Provides authentication
- Asterisks: *********
- SQL injection attack
Human Problems
- A simple conversation
- People use words they can remember
- Same passwords for many sites
- Doctor Who fan: guess the password T****S
Dictionary Attacks
- If you know a user name, throw the dictionary at it
Brute Force Attack
- If the password is CC but all we know is that it is two characters long: ** AA AB BA BB BC CB CC
- The longer the password, the more time we need to crack it.
Countermeasures
- Education
  - Don't use the same password for all sites
  - Avoid passwords that could be guessed
  - Don't use dictionary words
- Enforce rules in code
  - Minimum password length
  - Non-alphanumeric characters
  - Expiration date
  - Limit login attempts
Use a Security Framework
- Authentication options in .NET: Windows, Passport, Forms, DIY
Securing Stored Passwords
- Unsecured Access database
- Stored in the App_Data folder (could store on another drive/machine)
- Plain text password stored in the table
Password Hashing
- .NET Cryptography
- Encryption is OK; hashing is better
- password123 hashes to IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
- Do not store the password in plain text
Adding Salt
- If the passwords for John and Fred without salt look like this...
  John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
  Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
- Adding salt would change the hash values like so...
  John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV
  Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG
- Concatenate password + email address
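Added example, not part of the slides: unsalted hashing, the slide's email-address salt, and a hardened form side by side in C# (.NET 6 or later), showing why John and Fred must not end up with the same stored value. The class name PasswordStorage, the sample addresses john@example.com and fred@example.com, and the "iterations.salt.hash" record format are assumptions; the hardened form goes beyond the slide by pairing a random per-user salt with PBKDF2 (Rfc2898DeriveBytes.Pbkdf2).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordStorage
{
    // Unsalted SHA-256 (base64): identical passwords produce identical stored values,
    // so one leaked hash or one precomputed table exposes every matching account.
    public static string UnsaltedHash(string password)
    {
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    // The slides' salt: concatenate password + email address. John and Fred now differ,
    // but the salt is predictable, so guesses for a known user still run at raw hash speed.
    public static string EmailSaltedHash(string password, string email)
    {
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password + email)));
    }

    // Hardened form: random 16-byte salt per user plus PBKDF2 (deliberately slow),
    // stored as "iterations.salt.hash" (assumed format) so verification can recover the parameters.
    public static string HashForStorage(string password, int iterations = 100_000)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, 32);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    // Re-derive with the stored salt and iteration count; compare in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, int.Parse(parts[0]), HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Constructed sample users: the slides' "password123" shared by John and Fred.
        Console.WriteLine(UnsaltedHash("password123") == UnsaltedHash("password123"));
        Console.WriteLine(EmailSaltedHash("password123", "john@example.com") == EmailSaltedHash("password123", "fred@example.com"));
        string record = HashForStorage("password123");
        Console.WriteLine(Verify("password123", record) && !Verify("Password123", record));
    }
}
```

Main prints three booleans: whether the two unsalted hashes collide, whether the email salt separates them, and whether the PBKDF2 record accepts the right password while rejecting a near miss.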
Validation
- Who do you trust?
  - Do you trust me not to make use of that data in some way?
  - Do you trust me to write a web application that will not be compromised in any way?
- Not just a matter of which people you trust but which systems you trust
- Exclude list = characters we don't allow
- Include list = characters we do allow
Code Injection
- Script could run when the page is rendered elsewhere in the application
- IIS automatically disallows this
Turn Off Debug Mode
- By entering bad data a hacker could crash your program
We Now Know
- The language of the application (VB.NET)
- The names of several parameters: SwapTitle, Description, etc.
- In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks)
- The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb
Securing the Communication Channel
Public and Private Keys
Secure Socket Layer (SSL)
- The browser makes a secure HTTP request (HTTPS on port 443)
- The server sends back a digital certificate verifying its credentials
- The client verifies the certificate with the issuing agency
- Using the public key, the data is encrypted between client and server
Open Ports
- Port scanners
- Firewalls
- IP filtering
- Turn off unused services
- Grant minimum permissions to resources