Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Agenda
1. XSS
2. SQL Injection
3. Argument Injection
4. Session Attacks
NOTE: More information on security threat details and their handling can be found in the Kentico CMS Security White Paper, available on Paper.pdf. In addition to the topics above it also discusses Code Injection, XPath Injection, XSRF, Directory Traversal, Unvalidated Redirects & Forwards and DoS on the Application Layer.

XSS
What is XSS:
- Cross-site scripting (XSS) is a website vulnerability where malicious input is rendered as part of the HTML page, or where rendering such input is used to steal sensitive user data.
XSS types:
1. Persistent XSS: the malicious input is stored by the system.
2. Non-persistent XSS: the malicious input is displayed on the output directly.
3. DOM XSS attacks: a type of non-persistent XSS where the input is usually processed on the client side (no contact with the web server).
Security threats caused by XSS: website inconsistency, user-experience degradation, stealing user authentication cookies (MySpace Worm exploit).

XSS DEMO – XSS I

XSS
How to avoid XSS:
- Whatever text is displayed by the front-end should be encoded.
- Strings from external sources should be encoded as well.
- Use the pre-defined Kentico API methods to handle possible XSS entries:
  1. HTMLHelper.HTMLEncode() - to explicitly encode an output string,
  2. QueryHelper.GetText() - for values coming from the URL query string that are rendered to the output directly,
  3. ScriptHelper.GetString() - to safely treat strings rendered as dynamic parts of JavaScript code.
- DO NOT allow rendering any string in JavaScript code directly without proper handling on the server side.
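The slide distinguishes two output contexts, the HTML body and a string inside inline JavaScript, and each needs its own encoder. The following is an added example, not code from the presentation or from Kentico: it uses the standard System.Web encoders, where the slide's HTMLHelper.HTMLEncode() and ScriptHelper.GetString() fill the same roles in Kentico code; the method names and the sample input are constructed for the illustration.

```csharp
// Added example (not from the presentation or Kentico): output encoding chosen
// per rendering context. HttpUtility comes from System.Web.dll (.NET Framework 4.0+).
using System;
using System.Web;

public static class XssOutputEncoding
{
    // Vulnerable form ("before"): untrusted text is concatenated straight into
    // the markup, so a value containing <script> becomes live HTML.
    public static string RenderGreetingUnsafe(string displayName)
    {
        return "<p>Hello, " + displayName + "!</p>";
    }

    // HTML body context: HtmlEncode turns < > & " into entities, so the browser
    // shows the text instead of parsing it as tags.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "!</p>";
    }

    // JavaScript string context: HTML entities are the wrong escape here; a quote
    // or </script> has to be escaped for the JS parser. JavaScriptStringEncode
    // emits \" and \u003c, so the value can close neither the string nor the tag.
    public static string RenderUserScript(string displayName)
    {
        return "<script type=\"text/javascript\">var currentUser = \""
             + HttpUtility.JavaScriptStringEncode(displayName)
             + "\";</script>";
    }

    public static void Main()
    {
        // Constructed sample input: the kind of value a reflected or stored XSS
        // test delivers through a query string or a saved profile field.
        string untrusted = "Mallory\"><script>alert(1)</script>";

        Console.WriteLine(RenderGreetingUnsafe(untrusted)); // script tag survives intact
        Console.WriteLine(RenderGreeting(untrusted));       // &lt;script&gt; rendered as text
        Console.WriteLine(RenderUserScript(untrusted));     // Mallory\"\u003e\u003cscript\u003e...
    }
}
```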

XSS DEMO – XSS II

SQL Injection
What is SQL Injection:
- Executing harmful SQL code as part of a query executed by the system.
- Controlled SQL injections vs. un-controlled (blind) injections.
- A website vulnerable to SQL injection allows the attacker to execute the same queries as the system does.
- Whatever commands are supported at the T-SQL level are exposed to the attacker through the SQL injection hole, including xp_cmdshell().

SQL Injection DEMO – SQL Injection I

SQL Injection
How to avoid SQL Injection:
- Two options: SQL parameters and escaping single quotes.
- For SELECT, INSERT, UPDATE and DELETE use parameters wherever possible.
- When building WHERE conditions dynamically from string input coming from external sources, always double the apostrophes using .Replace("'", "''").
- This also applies to selection lists and arrays coming in on post back: the actual values of the selection options may be changed through JavaScript.
- When building WHERE conditions from input of a non-string data type, convert it to the target data type first; it doesn't make sense to use the replace technique to protect non-string data types.
- Avoid building T-SQL queries at the SQL level from input coming from the data layer and executing them with the exec() statement.
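The slide's two options, parameters and apostrophe doubling, plus its rule for non-string input, as an added example that is not code from the presentation or from Kentico. The table and column names, the method names and the sample input are constructed for the illustration.

```csharp
// Added example (not from the presentation or Kentico): the three defences the
// slide lists, next to the vulnerable concatenation they replace.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SqlInjectionDefences
{
    // Vulnerable form ("before"): the search term becomes part of the SQL text,
    // so an apostrophe in the input ends the literal and the rest is executed.
    public static string BuildSearchSqlUnsafe(string term)
    {
        return "SELECT ItemID, Title FROM Demo_Item WHERE Title LIKE '%" + term + "%'";
    }

    // Option 1 (preferred): SQL parameters. The value travels separately from the
    // SQL text, so it is never parsed as SQL whatever characters it contains.
    public static SqlCommand BuildSearchCommand(string term)
    {
        var cmd = new SqlCommand("SELECT ItemID, Title FROM Demo_Item WHERE Title LIKE @pattern");
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    // Option 2: escaping, for code paths that must build the WHERE text
    // dynamically. Doubling every apostrophe keeps the input inside the literal.
    // Apply it to every string from outside, including drop-down and list values
    // from a post back, which the client can change freely.
    public static string BuildWhereForTitle(string title)
    {
        return "Title = '" + title.Replace("'", "''") + "'";
    }

    // Non-string input: escaping is the wrong tool; convert to the target type
    // first and reject anything that does not convert.
    public static string BuildWhereForItemId(string rawId)
    {
        int itemId;
        if (!int.TryParse(rawId, out itemId))
            throw new ArgumentException("ItemID must be an integer", "rawId");
        return "ItemID = " + itemId;
    }

    public static void Main()
    {
        string hostile = "x' OR 1=1 --";                            // constructed sample input
        Console.WriteLine(BuildSearchSqlUnsafe(hostile));           // condition collapses to OR 1=1
        Console.WriteLine(BuildSearchCommand(hostile).CommandText); // @pattern stays a parameter
        Console.WriteLine(BuildWhereForTitle(hostile));             // Title = 'x'' OR 1=1 --'
        Console.WriteLine(BuildWhereForItemId("42"));               // ItemID = 42
    }
}
```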

SQL Injection DEMO – SQL Injection II

Argument Injection
What is Argument Injection:
- A type of attack based on supplying modified page input parameters that the page logic uses to display data or to perform an action with the input provided.
- Any page that reads input from the URL query string (or any external source, e.g. the user's form input) and processes the information in any way without a validation mechanism is vulnerable.
- Allows attackers to read sensitive data they are not allowed to see, or to perform actions on objects they are not allowed to act on.

Argument Injection DEMO – Argument Injection I

Argument Injection
How to avoid Argument Injection:
- The core of the Argument Injection issue is that the data displayed or modified is identified by a parameter passed in the URL; make the identifier of the data processed by the page difficult to guess: use GUIDs secured with a hash.
- Use QueryHelper.GetHash() to generate the hash for a generated URL.
- Use QueryHelper.ValidateHash() to validate the hash passed in the URL.
- If possible, use the context information supplied by the Kentico CMSContext class instead of parameters passed in the URL; the hash does not need to be checked then.
- Check permissions when manipulating objects identified by parameters.
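The scheme the slide describes, a GUID identifier carried in the URL together with a keyed hash and the permission check that is still needed afterwards, as an added example that is not code from the presentation or from Kentico. The slide's QueryHelper.GetHash()/ValidateHash() are Kentico's own equivalents; the helper names, the page path, the demo key and the owner-based permission rule are assumptions.

```csharp
// Added example (not from the presentation or Kentico): HMAC over the query
// string on the generating side, constant-time validation on the receiving side.
using System;
using System.Security.Cryptography;
using System.Text;

public static class HashedUrlParameters
{
    // Per-site secret (constructed demo value); load it from protected configuration in practice.
    private static readonly byte[] SecretKey = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");

    private static string ComputeHash(string queryString)
    {
        using (var hmac = new HMACSHA256(SecretKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(queryString));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Generating side: the page builds the URL, so it appends the hash of the whole
    // query string. The GUID is hard to guess; the hash stops it being swapped.
    public static string BuildEditUrl(Guid documentGuid)
    {
        string query = "documentguid=" + documentGuid.ToString("D");
        return "/Edit.aspx?" + query + "&hash=" + ComputeHash(query);
    }

    // Receiving side: recompute over everything before "&hash=" and compare in
    // constant time, so a changed GUID or a missing hash is rejected.
    public static bool ValidateQuery(string query, string presentedHash)
    {
        byte[] expected = Encoding.ASCII.GetBytes(ComputeHash(query));
        byte[] given = Encoding.ASCII.GetBytes(presentedHash ?? "");
        if (expected.Length != given.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0;
    }

    // A valid hash proves the site issued the link, not that this user may touch
    // the object: the authorisation check stays (owner-or-admin rule assumed here).
    public static bool MayEdit(int currentUserId, int documentOwnerId, bool isAdmin)
    {
        return isAdmin || currentUserId == documentOwnerId;
    }

    public static void Main()
    {
        string url = BuildEditUrl(Guid.NewGuid());
        string[] parts = url.Substring(url.IndexOf('?') + 1).Split(new[] { "&hash=" }, StringSplitOptions.None);
        Console.WriteLine(ValidateQuery(parts[0], parts[1]));                        // True
        Console.WriteLine(ValidateQuery("documentguid=" + Guid.NewGuid(), parts[1])); // False: GUID swapped
    }
}
```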

Argument Injection DEMO – Argument Injection II

Session Attacks
What are Session Attacks:
- Today's web applications mostly solve the issues arising from the fact that the HTTP protocol is stateless by using the session: a storage for information on the state/context of the user's interaction with the website.
- The user's session is identified by a session ID which is generated on website access and sent back and forth with each request; the session ID is the key to sensitive user data.
- The most common session related vulnerabilities are:
  - Session stealing: achieved through XSS attacks, stealing the ASP.NET_SessionId cookie.
  - Session prediction: ASP.NET uses a 120 bit random number, which is quite safe.
  - Session fixation: planting the attacker's session ID on a regular user to gain the same state as the user.

Session Attacks
How to avoid Session Attacks:
- Do not store any sensitive user related data in the session.
- Protect the website from XSS vulnerabilities.
- Manually regenerate the session ID once the user logs in.
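The last point has a well-known ASP.NET pitfall: Session.Abandon() by itself does not give the browser a new ASP.NET_SessionId, so a pre-login ID an attacker managed to plant would stay valid. The following is an added example, not code from the presentation or from Kentico, that issues a fresh ID during login with System.Web.SessionState.SessionIDManager; the class and method names, the userName parameter and the call site are assumptions.

```csharp
// Added example (not from the presentation or Kentico): regenerate the session
// ID on login and keep the authenticated identity out of the session.
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class LoginSessionHandling
{
    // Call after the credentials have been verified, before the post-login redirect.
    public static string RegenerateSessionId(HttpContext context)
    {
        var manager = new SessionIDManager();

        // Drop whatever state the pre-login session carried, so nothing set
        // before authentication is trusted afterwards.
        context.Session.Abandon();

        // Create a new random ID and write it to the ASP.NET_SessionId cookie in
        // this response. The out flags report what SaveSessionID did (with
        // cookieless sessions configured it redirects instead of setting a cookie).
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }

    public static void CompleteLogin(HttpContext context, string userName)
    {
        RegenerateSessionId(context);

        // Keep the authenticated identity in the forms-authentication ticket, not
        // in the session: values written to Session in this request belong to the
        // abandoned ID and do not follow the new one, which also matches the
        // slide's advice to store no sensitive data in the session.
        FormsAuthentication.SetAuthCookie(userName, false);
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), true);
    }
}
```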

Questions & Answers

Thank you!