Post on 23-Feb-2016
A Demo of and Preventing XSS in .NET Applications
• Introduction
• OWASP Top Ten
• XSS
• Microsoft Web Protection Library
• OWASP AntiSamy .NET
• Cat .NET & Others
OWASP Top Ten (2013 edition)
1 Injection
2 Broken Authentication and Session Management
3 Cross-Site Scripting (XSS)
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross-Site Request Forgery (CSRF)
9 Using Components with Known Vulnerabilities
10 Unvalidated Redirects and Forwards
Injection: SQL & XSS (Cross-Site Scripting)
Information Leakage
Principle of Least Privilege
The top two items, injection and XSS, share the same root cause: the programmer does not keep code and data separate, so attacker-supplied data ends up interpreted as code (as SQL by the database, as HTML or JavaScript by the browser).
XSS
• What it is
• Types of XSS
How To Mitigate
• Validate and constrain input
• Properly encode output, for the context the data lands in (HTML body, HTML attribute, JavaScript, URL)
• Microsoft Anti-Cross Site Scripting Library (AntiXSS)
• OWASP AntiSamy .NET
• What about Server.HtmlEncode? It encodes only a fixed short list of characters (a blacklist approach), so it is less thorough than AntiXSS, which allow-lists known-safe characters and encodes everything else. Before .NET 4.0 it did not encode the apostrophe at all, which left single-quoted attributes exposed.
• Regex / home-grown approach
• Goldilocks Problem
  – Scrub data too little
  – Scrub data just right
  – Scrub data too hard (so aggressively that legitimate content is destroyed)
Demo XSSAnd if time permits
SQL Injection
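The demo itself is not in the transcript. The following console program is an added example (not code from the talk or from the libraries it covers) that puts the three Goldilocks outcomes side by side: a home-grown regex blacklist that scrubs too little, a fixed-list encoder (HttpUtility.HtmlEncode, which is what Server.HtmlEncode calls), and the allow-list AntiXssEncoder applied per output context. It targets the full .NET Framework 4.5 or later, where AntiXssEncoder ships inside System.Web.dll; the attacker payloads are constructed for the example, and "store number" is a hypothetical input field used to show allow-list validation.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;                   // HttpUtility: System.Web.dll, full .NET Framework
using System.Web.Security.AntiXss;  // AntiXssEncoder: part of System.Web since .NET 4.5

// Contrasts "too little", "just right" and "too much" on constructed attacker input.
static class XssEncodingDemo
{
    // Constructed sample payloads (not taken from the original talk).
    const string ScriptTag   = "<script>alert('xss')</script>";
    const string NoScriptTag = "<img src=x onerror=alert(1)>";
    const string Nested      = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>";
    const string AttrBreak   = "\" onmouseover=\"alert(1)";
    const string JsBreak     = "'; alert(1); //";

    // Too little: a home-grown blacklist that only strips <script>...</script>.
    static readonly Regex ScriptBlacklist = new Regex(
        @"<script[^>]*>.*?</script>", RegexOptions.IgnoreCase | RegexOptions.Singleline);

    static string BlacklistScrub(string input)
    {
        return ScriptBlacklist.Replace(input, string.Empty);
    }

    // Validate and constrain input: an allow list for a field with a known shape.
    // "Store number" is a hypothetical field chosen for the example; use the real field's rules.
    // [0-9] rather than \d (which matches Unicode digits) and \z rather than $ (which allows a trailing newline).
    static bool IsValidStoreNumber(string value)
    {
        return value != null && Regex.IsMatch(value, @"^[0-9]{1,4}\z");
    }

    // Just right: encode on output, picking the encoder for the context the value lands in.
    static string ForHtmlBody(string value)      { return AntiXssEncoder.HtmlEncode(value, false); }
    static string ForHtmlAttribute(string value) { return AntiXssEncoder.HtmlAttributeEncode(value); }
    static string ForJavaScript(string value)    { return HttpUtility.JavaScriptStringEncode(value, true); }

    static void Main()
    {
        Console.WriteLine("-- Too little: blacklist scrub --");
        Console.WriteLine(BlacklistScrub(ScriptTag));    // stripped; looks like the scrub works
        Console.WriteLine(BlacklistScrub(NoScriptTag));  // untouched: no <script> tag, onerror still fires
        Console.WriteLine(BlacklistScrub(Nested));       // the scrub itself reassembles <script>alert(1)</script>

        Console.WriteLine("-- Input validation rejects what does not fit the field --");
        Console.WriteLine(IsValidStoreNumber("0612"));   // True
        Console.WriteLine(IsValidStoreNumber("612<b>")); // False

        Console.WriteLine("-- Server.HtmlEncode / HttpUtility.HtmlEncode: fixed list of characters --");
        // .NET 4.x prints &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt; (pre-4.0 left the apostrophe alone)
        Console.WriteLine(HttpUtility.HtmlEncode(ScriptTag));

        Console.WriteLine("-- AntiXssEncoder: allow list, everything else becomes an entity --");
        Console.WriteLine(ForHtmlBody(ScriptTag));
        // <input value="..."> context: the quote that would close the attribute is encoded
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(AttrBreak) + "\">");
        // var name = ...; context: the JavaScript encoder returns a quoted, escaped string literal
        Console.WriteLine("var name = " + ForJavaScript(JsBreak) + ";");

        // Too much: running an encoder over a field that legitimately carries markup (a rich-text comment)
        // destroys the markup. That case needs a policy-driven sanitizer (the job of AntiSamy .NET), not an encoder.
    }
}

// To route every HttpUtility / Server.HtmlEncode call through the allow-list encoder, set in web.config:
// <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
```

Compile against System.Web.dll and run from a console; the blacklist section is the part worth watching, since the nested payload shows the scrub creating the very tag it was meant to remove. The encoder calls are the "just right" layer only when the right one is chosen for the context: an HTML-body encoder does nothing for a value dropped into an unquoted attribute or a script block.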
Microsoft Web Protection Library
• Pros
  – Validate input / encode output (Anti-XSS library)
  – Helps with SQL injection and XSS
  – Adds another level of defense
  – Used by Microsoft as an internal tool
• Cons
  – It's not perfect and it should not be our only defense layer
  – Microsoft doesn't update it as often as it should
  – We do have an open source alternative (OWASP AntiSamy .NET)
OWASP AntiSamy .NET
Demo AntiSamy
Cat .NET & Others
Cat .NET Demo
Resources
About Me
• Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma.
• My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores.
• Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL)
• My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
  – Current project support manager, OWASP Code Review Project 2.0
  – INFOSEC Certificate Program at University of Tulsa
  – (ISC)2 CISSP Certification
  – Committee on National Security Systems certificates: NSTISSI No. 4011: Information Systems Security Professional, 4012: