Building Secure Web Applications With ASP.Net MVC.


1 Building Secure Web Applications With ASP.Net MVC

2 What is ASP.Net MVC?
– An extension to ASP.Net.
– Implements the MVC software pattern, which divides an application's implementation into three component roles: models, views and controllers.

3 Models
"Models" in an MVC based application are the components responsible for:
– Maintaining state, often in a database.

4 Views
"Views" in an MVC based application are the components responsible for:
– Displaying the application's user interface.
– Typically this UI is created from the model data.

5 Controllers
Responsible for:
– Handling user interaction.
– Manipulating the model.
– Choosing a view to render to display the UI.
In an MVC application the view is only about displaying information; it is the controller that handles and responds to user input and interaction.

6 Part 1: Form Security
– Cross Site Scripting (XSS)
– Injection Flaws

7 Cross Site Scripting (XSS)
– Common flaw in web applications.
– Allows attackers to execute script in the victim's browser.
– Caused by improper input validation and encoding.

8 Cross Site Scripting Prevention
– Request Validation, enabled by default.
– Server.HtmlEncode();
– Microsoft AntiXSS Library
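An added example (not from the presentation) showing where the three measures on this slide sit in an ASP.Net MVC controller and its ASPX view; the controller, action and view names are assumed.

```csharp
// Added example: output encoding of untrusted text in ASP.Net MVC.
using System.Web.Mvc;

public class CommentController : Controller
{
    // Request Validation is on by default: a posted value such as "<script>"
    // makes ASP.Net throw HttpRequestValidationException before this action
    // runs. Opting out with [ValidateInput(false)] on the action moves the
    // whole burden onto encoding at output time.
    [HttpPost]
    public ActionResult Preview(string comment)
    {
        // Encode once, at the point the value is written into HTML.
        // "<script>alert(1)</script>" becomes
        // "&lt;script&gt;alert(1)&lt;/script&gt;", which the browser displays
        // as text instead of executing.
        ViewData["SafeComment"] = Server.HtmlEncode(comment);
        return View();
    }
}

/* Preview.aspx (ASPX view syntax; Razor's @ encodes automatically in MVC 3+):

   Vulnerable: writes the raw request value straight into the page.
       <%= Request["comment"] %>

   Safe: the view encodes at the output point, so it does not depend on the
   controller having done so; the Microsoft AntiXSS library's
   HtmlEncode is a drop-in, whitelist-based alternative to Html.Encode.
       <%= Html.Encode(Request["comment"]) %>
*/
```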

9 Injection Flaws
– Common in web applications.
– Caused when user input is evaluated as part of a command or query.
– SQL Injection is the most common.
If _userName = “admin” and _password = “' OR 1 = 1 --” the result would be:
SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'

10 Injection Prevention
– MVC is built around a data Model.
– Object Relational Mappers (ORM):
–Linq to SQL
–ADO.Net Entity Framework
– These handle CRUD commands in an injection-safe way.
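An added example (not from the presentation) covering slides 9 and 10: the concatenated query that produces the `OR 1 = 1 --` result, beside the parameterized ADO.Net and Linq to SQL forms that send the same input as data. The `UsersDataContext` and `User` types stand for a generated Linq to SQL data context and are assumed.

```csharp
// Added example: SQL injection via string concatenation and two safe forms.
using System.Data.SqlClient;
using System.Linq;

public static class UserLookup
{
    // VULNERABLE: user input is spliced into the command text, so a password
    // of "' OR 1 = 1 --" closes the string, adds a tautology and comments
    // out the trailing quote. Every row of tblUsers matches.
    public static string BuildUnsafeQuery(string userName, string password)
    {
        return "SELECT * FROM tblUsers WHERE UserName = '" + userName +
               "' and Password = '" + password + "'";
    }

    // SAFE (ADO.Net): the values travel as typed parameters, never as SQL
    // text, so "' OR 1 = 1 --" is compared literally against the column.
    public static SqlCommand BuildSafeCommand(SqlConnection conn,
                                              string userName, string password)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM tblUsers WHERE UserName = @user AND Password = @pass",
            conn);
        cmd.Parameters.AddWithValue("@user", userName);
        cmd.Parameters.AddWithValue("@pass", password);
        return cmd;
    }

    // SAFE (Linq to SQL): the ORM translates the expression into the same
    // parameterized SQL. Assumes a generated DataContext 'UsersDataContext'
    // exposing Table<User> 'tblUsers' (hypothetical names).
    public static User FindUser(UsersDataContext db,
                                string userName, string password)
    {
        return db.tblUsers.SingleOrDefault(
            u => u.UserName == userName && u.Password == password);
    }
}
```

Parameterization stops the injection; it does not fix the plaintext Password column the slide's schema implies, which is a separate problem.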

11 Part 2: Application Security

12 Malicious File Execution
– Occurs when an attacker is able to upload and execute code on a server.
The ASP.Net MVC advantage:
– Classic ASP.Net served pages from their corresponding location on the disk.
– ASP.Net MVC routes requests to the appropriate controller and view.
– The attacker doesn't know the application's directory structure.

13 Insecure Direct Object Reference
– Occurs when an application exposes a direct reference to a resource, such as files or primary keys for database records.
– Attackers can edit these references to gain access to protected data.
Prevention:
– Encrypt any reference data when passing it between pages.

14 Cross Site Request Forgery (CSRF)
– Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.
– Can cause a user to perform an action they did not intend to.
Example:

15 CSRF Prevention
– Avoid updating user data from HTTP GET requests.
– ASP.Net MVC AntiForgeryToken
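An added example (not from the presentation) of a state-changing action protected by both measures on this slide. It assumes ASP.Net MVC 2 or later for `[HttpPost]`, the ASP.Net Membership provider for the update, and the controller and view names used here.

```csharp
// Added example: GET renders, POST changes state and carries the anti-forgery token.
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // GET only renders the form and never touches user data, so a forged
    // cross-site GET (the usual CSRF vector) cannot change anything.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // POST must carry the hidden __RequestVerificationToken written by
    // Html.AntiForgeryToken(). MVC compares it with the copy in the
    // anti-forgery cookie and throws HttpAntiForgeryException on mismatch,
    // so a request forged from another origin is rejected before this runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string email)
    {
        MembershipUser user = Membership.GetUser();
        user.Email = email;
        Membership.UpdateUser(user);
        return RedirectToAction("Index", "Home");
    }
}

/* ChangeEmail.aspx (ASPX view syntax):
   <% using (Html.BeginForm()) { %>
       <%= Html.AntiForgeryToken() %>
       <%= Html.TextBox("email") %>
       <input type="submit" value="Save" />
   <% } %>
*/
```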

16 Attack Result

17 Information Leakage and Improper Error Handling
– Improper error handling exposes implementation detail.
Prevention:
– Disable debugging.
– Custom error pages.
– ASP.Net MVC HandleError attribute

18 Failure to Restrict URL Access
– The web application only protects URLs by not showing them to unauthorized users.
– URLs can still be accessed manually.
Prevention:
– ASP.Net MVC [Authorize] attribute
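An added example (not from the presentation) applying the attributes from slides 17 and 18 to an administrative controller, with the web.config settings they rely on. The controller, role and view names are assumed.

```csharp
// Added example: [Authorize] and [HandleError] on a controller whose URLs
// are not linked from the UI but can be typed in directly.
using System.Web.Mvc;
using System.Web.Security;

// Every action requires an authenticated user in the Admin role. A request
// to /Admin/DeleteUser that lacks it is redirected to the login page (forms
// authentication) or answered with 401, whether or not the URL was ever shown.
[Authorize(Roles = "Admin")]
// An unhandled exception renders the shared Error view instead of the
// default page that prints the stack trace and source lines. HandleError
// only takes effect when <customErrors mode="On"> is set (see below).
[HandleError]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View(Membership.GetAllUsers());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteUser(string userName)
    {
        Membership.DeleteUser(userName);
        return RedirectToAction("Index");
    }
}

/* web.config fragment that the attributes above depend on:
   <system.web>
     <!-- "Disable debugging": no debug symbols or detailed compile errors -->
     <compilation debug="false" />
     <!-- "Custom error pages": required for HandleError, hides detail
          from remote clients -->
     <customErrors mode="On" defaultRedirect="~/Error" />
   </system.web>
*/
```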

19 Thank You
Kevin Watt, www.list2lend.com
Chris Brousseau, www.windows7ips.com
