A Demo of and Preventing XSS in .NET Applications

Transcript of A Demo of and Preventing XSS in .NET Applications (24 slides).

Page 1: A Demo of and Preventing XSS in .NET Applications

Page 2:

• Introduction
• OWASP Top Ten
• XSS
• Microsoft Web Protection Library
• OWASP AntiSamy .NET
• Cat .NET & Others

Page 3: agenda slide, repeated from page 2.

Page 4: OWASP Top Ten (2013)

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration

Page 5: OWASP Top Ten (continued)

6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Page 6:

• Injection: SQL & XSS (Cross-Site Scripting)
• Information Leakage
• Principle of Least Privilege

Page 7: (no text on slide)

Page 8:

The top two vulnerabilities, Injection and XSS, share the same root cause: the programmer does not keep code and data distinct. Untrusted data is concatenated into a string that an interpreter (the SQL engine, or the browser's HTML and JavaScript parsers) then reads as code.
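To make the code/data point concrete, here is an added C# example (not from the slides or the speaker's demo): one constructed attacker string reaches a SQL query and an HTML page by string concatenation, then the same two sinks with the data kept out of the grammar, via a SqlParameter and HTML encoding. The table and column names, the connection string and the hostile input are made up for the example.

```csharp
// Added example, not from the presentation. The same untrusted string reaches
// two sinks, a SQL statement and an HTML page, by string concatenation, so in
// both cases the interpreter cannot tell where the data ends and the code begins.
using System;
using System.Data;
using System.Data.SqlClient;   // System.Data on .NET Framework; System.Data.SqlClient package on .NET Core/5+
using System.Net;

static class CodeVsData
{
    // Constructed attacker input: a SQL tautology followed by a script tag.
    // The apostrophe matters to SQL, the angle brackets matter to HTML.
    const string Hostile = "x' OR 1=1 --<script>alert(document.cookie)</script>";

    // VULNERABLE: the user's text is spliced into the SQL grammar. The quote in
    // the input closes the literal and the rest becomes part of the WHERE clause.
    static string VulnerableQuery(string userName) =>
        "SELECT * FROM Users WHERE Name = '" + userName + "'";

    // VULNERABLE: the user's text is spliced into the HTML grammar. The browser
    // parses the <script> element and runs it in the site's origin.
    static string VulnerableHtml(string userName) =>
        "<p>Hello, " + userName + "</p>";

    // SAFE: the value travels as a typed parameter. The SQL text is fixed and
    // the driver sends the input as data, whatever characters it contains.
    static SqlCommand SafeQuery(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }

    // SAFE: the value is encoded for the HTML text context, so '<' becomes
    // &lt; and can no longer open a tag; the browser shows it as text.
    static string SafeHtml(string userName) =>
        "<p>Hello, " + WebUtility.HtmlEncode(userName) + "</p>";

    static void Main()
    {
        Console.WriteLine(VulnerableQuery(Hostile));   // WHERE clause is now always true
        Console.WriteLine(VulnerableHtml(Hostile));    // script element reaches the browser intact
        Console.WriteLine(SafeHtml(Hostile));          // tag delimiters are entity-encoded

        // Building the command does not open a connection, so this runs offline;
        // the connection string is a placeholder for the example.
        using (var conn = new SqlConnection("Server=.;Database=Demo;Integrated Security=true"))
        {
            var cmd = SafeQuery(conn, Hostile);
            Console.WriteLine(cmd.CommandText);                    // input never appears in the SQL text
            Console.WriteLine(cmd.Parameters["@name"].Value);      // it is carried separately as data
        }
    }
}
```

The point of the two safe variants is not "escape the bad characters" but "keep the data in a channel the interpreter never parses as code": a bound parameter for SQL, and an encoding that maps every delimiter to an entity for HTML.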

Page 9: agenda slide, repeated from page 2.

Page 10:

• XSS
  – What it is
  – Types of XSS

Page 11: How To Mitigate

• Validate and constrain input
• Properly encode output
• Microsoft Anti-Cross Site Scripting Library

Page 12:

• OWASP AntiSamy .NET
• What about Server.HTMLEncode?
  – Uses a blacklist for exclusion: it replaces only a short fixed set of characters (<, >, &, " and, since .NET 4, the apostrophe) and passes everything else through unchanged
  – Less secure than a whitelist encoder, which encodes every character that is not known to be safe for the output context

Page 13:

• Regex
• Home-grown approach

Page 14:

• Goldilocks problem
  – Scrub data too little
  – Scrub data just right
  – Scrub data too hard
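The following added C# example (not the speaker's demo code) walks through the three Goldilocks outcomes for pages 11 to 14. It uses the Microsoft Anti-XSS library's Microsoft.Security.Application.Encoder and Sanitizer classes (the AntiXSS 4.x package named on the slides) next to HttpUtility.HtmlEncode, the method Server.HtmlEncode calls. The sample inputs, the surname rule, the field names and the http/https check are constructed for the example.

```csharp
// Added example, not from the presentation. One value, several HTML contexts,
// and the three Goldilocks outcomes: too little, too hard, just right.
using System;
using System.Text.RegularExpressions;
using System.Web;                        // HttpUtility (System.Web assembly, .NET Framework)
using Microsoft.Security.Application;    // AntiXSS 4.x: Encoder, Sanitizer

static class Goldilocks
{
    // Constructed inputs: an honest surname with an apostrophe, an attribute
    // breakout that uses none of < > & " ', a javascript: URL, and rich text.
    const string Surname     = "O'Brien";
    const string AttrPayload = "x onmouseover=alert(1)";
    const string UrlPayload  = "javascript:alert(1)";
    const string RichText    = "<b>bold</b><script>alert(1)</script>";

    // --- Too little. HtmlEncode replaces a short fixed list of characters.
    // In an unquoted attribute the payload contains none of them, so the space
    // and '=' pass through and a new event-handler attribute is injected.
    static string TooLittleAttribute() =>
        "<input value=" + HttpUtility.HtmlEncode(AttrPayload) + ">";

    // HtmlEncode also leaves "javascript:" untouched inside an href.
    static string TooLittleHref() =>
        "<a href=\"" + HttpUtility.HtmlEncode(UrlPayload) + "\">link</a>";

    // --- Too hard. A home-grown "strip anything suspicious" regex mangles
    // legitimate data (the surname loses its apostrophe) and still says
    // nothing about the context the value will be rendered in.
    static string TooHard(string s) => Regex.Replace(s, "[^A-Za-z0-9]", "");

    // --- Just right. Constrain input with a whitelist shaped like the field,
    // then encode on output for the exact context.
    static readonly Regex SurnameRule = new Regex(@"^[A-Za-z][A-Za-z' \-]{0,49}$");

    static bool IsValidSurname(string s) => SurnameRule.IsMatch(s);

    // HTML text context: whitelist encoder; letters, digits and a few
    // punctuation characters pass, everything else is entity-encoded.
    static string JustRightText(string s) => "<p>" + Encoder.HtmlEncode(s) + "</p>";

    // Attribute context: space and '=' are encoded as well, so the value
    // cannot terminate the attribute or start a new one even when unquoted.
    static string JustRightAttribute(string s) =>
        "<input value=\"" + Encoder.HtmlAttributeEncode(s) + "\">";

    // JavaScript string context: AntiXSS returns a quoted, escaped literal,
    // so quotes and closing tags inside the value cannot end the string.
    static string JustRightScript(string s) =>
        "<script>var surname = " + Encoder.JavaScriptEncode(s) + ";</script>";

    // URL context: no encoder makes "javascript:" safe. Validate the scheme
    // against a whitelist first, then attribute-encode the whole value.
    static string JustRightHref(string url)
    {
        if (!Regex.IsMatch(url, @"^https?://", RegexOptions.IgnoreCase))
            throw new ArgumentException("only http and https links are accepted");
        return "<a href=\"" + Encoder.HtmlAttributeEncode(url) + "\">link</a>";
    }

    // Rich text the user is allowed to format: sanitize to a safe tag subset
    // instead of encoding, which would display the tags literally.
    static string JustRightRichText(string html) => Sanitizer.GetSafeHtmlFragment(html);

    static void Main()
    {
        Console.WriteLine(TooLittleAttribute());         // event handler survives
        Console.WriteLine(TooLittleHref());              // javascript: survives
        Console.WriteLine(TooHard(Surname));             // apostrophe lost
        Console.WriteLine(IsValidSurname(Surname));      // true: apostrophe is allowed
        Console.WriteLine(IsValidSurname(AttrPayload));  // false: '=' and '(' rejected
        Console.WriteLine(JustRightText(Surname));
        Console.WriteLine(JustRightAttribute(AttrPayload));
        Console.WriteLine(JustRightScript(Surname));
        Console.WriteLine(JustRightRichText(RichText));  // <b> kept, <script> removed
        try { JustRightHref(UrlPayload); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
        Console.WriteLine(JustRightHref("https://example.com/?q=a&b"));
    }
}
```

Validation and encoding do different jobs here: the surname rule rejects the attribute payload outright, while the apostrophe it legitimately accepts is handled by the encoder at the point of output. Dropping either step is how a deployment ends up at "too little", and replacing both with one aggressive regex is how it ends up at "too hard".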

Page 15: Demo: XSS (and, if time permits, SQL injection)

Page 16: agenda slide, repeated from page 2.

Page 17:

• Pros
  – Validate input / encode output (Anti-XSS library)
  – Helps with SQL injection and XSS
  – Adds another level of defense
  – Used by Microsoft as an internal tool

Page 18:

• Cons
  – It is not perfect and should not be our only defense layer
  – Microsoft does not update it as often as it should
  – We do have an open-source alternative (OWASP AntiSamy .NET)

Page 19: agenda slide, repeated from page 2.

Page 20: Demo: AntiSamy

Page 21: agenda slide, repeated from page 2, with the last item shown as "Cat .Net".

Page 22: Cat .NET demo

Page 23: Resources

Page 24: About Me

• Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma.
• My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores.
• Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL)
• My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
  – Current project support manager, OWASP Code Review Project 2.0
  – INFOSEC Certificate Program at the University of Tulsa
  – (ISC)² CISSP Certification
  – Committee on National Security Systems certificates: NSTISSI No. 4011, Information Systems Security Professional; 4012: