All Input is Evil (Part 1)

Introduction
- Will not cover everything
- Healthy level of paranoia
- Use my DVD Swap Shop application (week 2)

Security Considerations
- Authentication
- Authorisation
- Secure communication
- Software + Hardware

The Login
- Provides authentication
- asterisks *********
- SQL injection attack
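
The SQL injection attack named on this slide is possible when the login query is built by gluing the user's input into the SQL text, so a quote in the input changes the structure of the query rather than just its data. The Python/sqlite3 example below is added here to show that vulnerable form beside the parameterised fix; it is not code from the lecture or from the DVD Swap Shop application, and the Users table, the user names and the passwords in it are constructed sample data. Passwords are kept in plain text only to mirror the storage described on the Securing Stored Passwords slide later in this page.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table
    (example data, not the real schema). Note the SQL-escaped quote in O'Brien."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('john', 'password123')")
    conn.execute("INSERT INTO Users VALUES ('O''Brien', 'secret')")
    return conn


def login_unsafe(conn, username, password):
    """The defect: user input is concatenated into the SQL text. A quote in
    either field is parsed as SQL, so the input can rewrite the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed and the values
    travel separately, so no input is ever parsed as SQL."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def demo():
    """Run both forms against the same data and report what happened."""
    conn = make_db()
    results = {
        "unsafe_plain_ok": login_unsafe(conn, "john", "password123"),
        "safe_ok": login_safe(conn, "john", "password123"),
        "safe_wrong": login_safe(conn, "john", "wrong"),
        "safe_quote": login_safe(conn, "O'Brien", "secret"),
    }
    try:
        # The single quote in O'Brien terminates the string literal early,
        # so the database now sees a differently-shaped statement.
        login_unsafe(conn, "O'Brien", "secret")
        results["unsafe_quote"] = "ran"
    except sqlite3.Error:
        results["unsafe_quote"] = "query broken"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A legitimate user whose name contains a quote is enough to break the concatenated query; the same structural flaw is what lets an attacker alter the query's logic, which is the attack the slide refers to. The parameterised version handles the quoted name correctly and rejects a wrong password.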

Human Problems
- A simple conversation
- People use words they can remember
- Same passwords for many sites
- Doctor Who fan: guess the password T****S

Dictionary Attacks
- If you know a user name, throw the dictionary at it

Brute Force Attack
- If the password is CC but all we know is that it is two characters long: **
- AA AB BA BB BC CB CC
- The longer the password, the more time we need to crack it.

Countermeasures
- Education
  - Don't use the same password for all sites
  - Avoid passwords that could be guessed
  - Don't use dictionary words
- Enforce rules in code
  - Minimum password length
  - Non-alphanumeric characters
  - Expiration date
  - Limit login attempts
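
The "enforce rules in code" half of this slide is easy to state and easy to get half-right, so here is one way to implement all four rules (minimum length, a non-alphanumeric character, an expiration date and a login-attempt limit) together with the "don't use dictionary words" rule from the education half. This Python example is added here and is not code from the lecture or the DVD Swap Shop application; the limits (10 characters, 90 days, 5 attempts) and the tiny word list are constructed choices for illustration, and a real deployment would use a full dictionary.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for a real dictionary of forbidden words (example data).
DICTIONARY = {"password", "letmein", "tardis", "doctor", "dalek", "welcome"}

MIN_LENGTH = 10            # rule: minimum password length
MAX_AGE = timedelta(days=90)   # rule: expiration date
MAX_ATTEMPTS = 5           # rule: limit login attempts


def password_problems(password):
    """Return the list of rules a candidate password breaks (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    # Strip digits and punctuation first so 'Tardis123!' is still recognised
    # as the dictionary word 'tardis' dressed up to pass the other two rules.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def password_expired(set_on, now):
    """True once the password is older than MAX_AGE and must be changed."""
    return now - set_on > MAX_AGE


class LoginGuard:
    """Counts consecutive failed logins per user; locks after MAX_ATTEMPTS."""

    def __init__(self):
        self.failures = {}

    def is_locked(self, user):
        return self.failures.get(user, 0) >= MAX_ATTEMPTS

    def record(self, user, success):
        if success:
            self.failures.pop(user, None)   # a good login resets the counter
        else:
            self.failures[user] = self.failures.get(user, 0) + 1


def attempt_login(guard, user, password, check):
    """check(user, password) is the credential check. A locked account is
    refused before the password is looked at, so guessing stops paying off."""
    if guard.is_locked(user):
        return "locked"
    ok = check(user, password)
    guard.record(user, ok)
    return "ok" if ok else "failed"


def demo():
    guard = LoginGuard()
    correct = "Kettle-orbit-42!"                       # constructed credential
    check = lambda user, pw: pw == correct             # stand-in for the real check
    attempts = [attempt_login(guard, "john", "wrong", check) for _ in range(MAX_ATTEMPTS)]
    after_lock = attempt_login(guard, "john", correct, check)   # right password, too late
    return {
        "weak": password_problems("tardis"),
        "dressed_up": password_problems("Tardis123!"),
        "strong": password_problems("blue-kettle-42-orbit"),
        "expired": password_expired(datetime(2015, 1, 1), datetime(2015, 4, 15)),
        "fresh": password_expired(datetime(2015, 1, 1), datetime(2015, 3, 1)),
        "attempts": attempts,
        "after_lock": after_lock,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The dictionary check strips digits and punctuation before the lookup because length and character rules alone are satisfied by a word with "123!" appended, which is exactly what people do. The lockout refuses even the correct password once the limit is hit, which is the point of the rule: it caps how many guesses the dictionary and brute-force attacks from the previous slides get.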

Use a Security Framework
- Authentication options in .NET: Windows, Passport, Forms, DIY

Securing Stored Passwords
- Unsecured Access database
- Stored in App_Data folder (could store on another drive/machine)
- Plain text password stored in the table

Password Hashing
- .NET Cryptography
- Encryption is ok; hashing is better
- password123 hashes to IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
- Do not store the password in plain text

Adding Salt
- If the passwords for John and Fred without salt look like this...
  John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
  Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
- Adding salt would change the hash values like so...
  John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV
  Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG
- Concatenate password + address
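
The two previous slides (Password Hashing and Adding Salt) make one point between them: an unsalted hash gives John and Fred the same stored value for the same password, and a salt makes the two values differ. The Python example below is added here to show both behaviours end to end, including the verification step at login; it is not code from the lecture or the DVD Swap Shop application, and its hash values will not match the ones on the slides. Two choices are deliberately different from the slide and are swapped in, not the lecture's method: the salt is a random per-user value stored beside the hash rather than the user's address, and the salted hash uses PBKDF2 (an iterated, salted hash) so that each guess in a dictionary attack costs many hash computations instead of one.

```python
import base64
import hashlib
import hmac
import os


def hash_unsalted(password):
    """Plain SHA-256, base64-encoded. The same password always yields the same
    digest, so two users sharing a password share a stored value."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_salt():
    """16 random bytes; the salt is not secret, it only has to be unique per user."""
    return os.urandom(16)


def hash_salted(password, salt, iterations=100_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The iteration count is the
    cost an attacker pays per guess; raise it as hardware gets faster."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return base64.b64encode(digest).decode("ascii")


def store_record(password):
    """What goes in the user table instead of the plain-text password."""
    salt = new_salt()
    return {"salt": base64.b64encode(salt).decode("ascii"),
            "hash": hash_salted(password, salt)}


def verify(password, record):
    """Login check: recompute with the stored salt and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, record["hash"])


def demo(password="password123"):
    # John and Fred pick the same password, as on the slide (constructed case).
    john, fred = store_record(password), store_record(password)
    return {
        "unsalted_equal": hash_unsalted(password) == hash_unsalted(password),
        "salted_equal": john["hash"] == fred["hash"],
        "salts_equal": john["salt"] == fred["salt"],
        "john_verifies": verify(password, john),
        "fred_verifies": verify(password, fred),
        "fred_wrong_password": verify("password124", fred),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a salt, an attacker who has copied the table can no longer spot shared passwords or reuse one precomputed dictionary against every user; each user's salt forces a fresh dictionary run, and the iteration count makes each of those runs slow.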

Validation
- Who do you trust?
- Do you trust me not to make use of that data in some way?
- Do you trust me to write a web application that will not be compromised in any way?
- Not just a matter of what people you trust but what systems you trust
- Exclude list = characters we don't allow
- Include list = characters we do allow

Code Injection
- Script could run when the page is rendered elsewhere in the application
- IIS automatically disallows this
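
The Validation slide distinguishes an exclude list from an include list, and the Code Injection slide describes what happens when stored input is later rendered as part of a page. The Python example below is added here to show both ideas together: an include-list check for the SwapTitle field, an exclude-list check beside it to show why the slide's include list is the stronger of the two, and HTML encoding of the stored Description at render time so that markup in the data is shown as text rather than run as script. It is not code from the lecture or the DVD Swap Shop application; the permitted character set and the sample titles are constructed for illustration, and the platform check the slide mentions (in ASP.NET this is request validation, controlled by the ValidateRequest directive) is a safety net behind these checks, not a replacement for them.

```python
import html
import re
import urllib.parse

# Include list: exactly the characters a DVD title may contain (constructed
# choice for this example). Anything else is rejected outright.
SWAP_TITLE_ALLOWED = re.compile(r"^[A-Za-z0-9 ,.:'!&()-]{1,100}$")

# Exclude list, for comparison: fragments we try to keep out.
DENY = ("<", ">", "script")


def validate_swap_title(value):
    """Include-list check: True only if every character is one we allow."""
    return bool(SWAP_TITLE_ALLOWED.match(value))


def passes_deny_list(value):
    """Exclude-list check: True if no forbidden fragment appears. It only knows
    the spellings we thought of, so an encoded '<' walks straight past it."""
    low = value.lower()
    return not any(bad in low for bad in DENY)


def decoded_passes_deny_list(value):
    """The same exclude-list check after URL-decoding, i.e. what the data
    looks like once some later component has decoded it."""
    return passes_deny_list(urllib.parse.unquote(value))


def render_description(description):
    """Output encoding at render time: '<', '>', '&' and quotes in the stored
    value become entities, so the browser displays them instead of parsing them."""
    return "<p>" + html.escape(description, quote=True) + "</p>"


def demo():
    plain = "<b>Free</b> DVD"                 # constructed input containing markup
    encoded = "%3Cb%3EFree%3C/b%3E DVD"       # the same markup, URL-encoded
    return {
        "good_title_allowed": validate_swap_title("Doctor Who: The Daleks (1963)"),
        "markup_allowed": validate_swap_title(plain),
        "markup_passes_deny": passes_deny_list(plain),
        "encoded_passes_deny": passes_deny_list(encoded),        # slips through
        "encoded_allowed": validate_swap_title(encoded),         # still rejected
        "decoded_passes_deny": decoded_passes_deny_list(encoded),
        "rendered": render_description("I <3 Daleks & Cybermen"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The exclude list passes the URL-encoded title because none of its literal fragments appear, yet the same string fails the check as soon as something downstream decodes it; the include list rejects it immediately because '%' and '/' are simply not permitted characters. The include list permits an apostrophe, since titles legitimately contain one, which is why the database layer must use parameterised queries rather than relying on validation to keep quotes out. Encoding on output is the second half of the defence: it protects every page that renders the stored value, including ones written after the validation rules were last reviewed.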

Turn Off Debug Mode
- By entering bad data a hacker could crash your program

We Now Know
- The language of the application (VB.NET)
- The names of several parameters: SwapTitle, Description, etc.
- In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks)
- The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb

Securing the Communication Channel

Public and Private Keys

Secure Socket Layer (SSL)
- The browser makes a secure HTTP request: HTTPS on port 443
- The server sends back a digital certificate verifying its credentials
- The client verifies the certificate with the issuing agency
- Using the public key, the data is encrypted between client and server

Open Ports
- Port scanners
- Firewalls
- IP Filtering
- Turn off unused services
- Grant minimum permissions to resources