@DNNConDon’t forget to include #DNNCon in your tweets!

Are There Security Flaws in Your Modules?Joshua Bradley / Web Developer

Engage Software@JRBradley1

@DNNConDon’t forget to include #DNNCon in your tweets!

THANKS TO ALL OF OUR GENEROUS SPONSORS!

@DNNConDon’t forget to include #DNNCon in your tweets!

Agenda• Introduction• Cross Site Scripting• SQL Injection• Cross Site Request Forgery• Insecure Direct Object References• Q & A

@DNNConDon’t forget to include #DNNCon in your tweets!

GoalFor Developers-To think about possible security vulnerabilities while developing your modules.

For Everyone -Be able to recognize potential vulnerabilities when testing websites.

@DNNConDon’t forget to include #DNNCon in your tweets!

Introduction

@DNNConDon’t forget to include #DNNCon in your tweets!

Cross Site Scripting

@DNNConDon’t forget to include #DNNCon in your tweets!

Reflective XSS

@DNNConDon’t forget to include #DNNCon in your tweets!

Reflective XSS

Example

@DNNConDon’t forget to include #DNNCon in your tweets!

Stored XSS

@DNNConDon’t forget to include #DNNCon in your tweets!

Stored XSS

Example

@DNNConDon’t forget to include #DNNCon in your tweets!

XSS Summary• Html Encode when not needing HTML

• Use Anti XSS library when needing to accept HTML from user input.

@DNNConDon’t forget to include #DNNCon in your tweets!

SQL Injection

@DNNConDon’t forget to include #DNNCon in your tweets!

SQLi

Example

@DNNConDon’t forget to include #DNNCon in your tweets!

SQLi Summary• Never do string concatenation with SQL.

• Use an ORM or Parameterized Stored Procedure.

@DNNConDon’t forget to include #DNNCon in your tweets!

Cross Site Request Forgery

@DNNConDon’t forget to include #DNNCon in your tweets!

CSRFExample

@DNNConDon’t forget to include #DNNCon in your tweets!

CSRF Summary• Use HttpPost

• ValidateAntiForgery• Never Allow Access from any host

@DNNConDon’t forget to include #DNNCon in your tweets!

Insecure Direct Object References

@DNNConDon’t forget to include #DNNCon in your tweets!

IDORExample

@DNNConDon’t forget to include #DNNCon in your tweets!

IDOR Summary• Use built in Folder and File Manager.

• Avoid using user input when selecting file.

@DNNConDon’t forget to include #DNNCon in your tweets!

Available on GitHub & Slideshare

•http://www.engagesoftware.com/blog/post/5052

@DNNConDon’t forget to include #DNNCon in your tweets!

Questions

@JRBradley1

@DNNConDon’t forget to include #DNNCon in your tweets!

Resources•https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

• http://www.dnnsoftware.com/

wiki/analysis-of-dotnetnuke-compliance-

against-owasp-top-10-2013

@DNNConDon’t forget to include #DNNCon in your tweets!

Resources•http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html•https://www.owasp.org/index.php/Main_Page•http://www.jwaffinityit.com/Portals/28/Documents/DNN/Analysis%20of%20DotNetNuke%20compliance%20against%20OWASP%20Top%2010.pdf

@DNNConDon’t forget to include #DNNCon in your tweets!

Resources•https://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).

aspx• https://

weblog.west-wind.com/posts/2012/Jul/19/NET-HTML-Sanitation-for-rich-HTML-Input

• http://www.computerweekly.com/

tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-

example

@DNNConDon’t forget to include #DNNCon in your tweets!

Resources• http://

resources.infosecinstitute.com/dumping-a-database-using-sql-

injection/• https://www.sql-programmers.com/

sql-injection.aspx• https://msdn.microsoft.com/en-us/

library/bb386929.aspx• https://msdn.microsoft.com/en-us/

library/cc716760.aspx

@DNNConDon’t forget to include #DNNCon in your tweets!

Resources• http://www.troyhunt.com/

2013/07/everything-you-wanted-to-know-about-

sql.html• https://github.com/

malcomvetter/WidgetSender