User Group n°1: Hacking and Securing - POST Attacks
User Group n°1
By Pierre-Emmanuel Dautreppe
Reviewed by Damien Pinauldt

1 Agenda

1 Agenda
2 Introduction
3 HTML Attack
  3.1 What is an HTML Attack?
  3.2 Security evolutions between the framework versions
      Framework 1.0
      Framework 1.1
      Framework 2.0
  3.3 So we are safe?
4 POST
  4.1 What is a POST attack?
  4.2 How to do a POST attack?
  4.3 Demo
      Using a web simulator
      Using a DOM Explorer (e.g. the Firefox one)
      Using a copy of the page
  4.4 Security evolution in the .NET Framework 2.0
      Improvements of the framework
      How does it work?
5 Protecting the web site against POST
  5.1 Using a Secured Button
  5.2 Other problems in .NET 2.0: TextBoxes
      Showing the problem
      How to correct it
  5.3 And what about DropDownLists?
      Demo using the WebSimulator
      How does it work?
  5.4 Propagating the improvements to the whole web site
6 Conclusion
  6.1 Will it be ensured in the next .NET version?
  6.2 Why not?
  6.3 Any advice?

Page 1 of 8
2 Introduction

This user group has been inspired by an article by Dino Esposito in MSDN Magazine and by our own experience on the DH2 project while using HttpRequest, GET or POST. Its aim is to focus on the risks that ASP.NET applications face from POST attacks, and it covers the successive improvements ASP.NET has made in this domain.

3 HTML Attack

3.1 What is an HTML Attack?

- They have been inspired by SQL Injection attacks
  o Note that we won't deal with SQL Injection attacks, as they are avoided very easily by using SQL parameters when building queries
- Trying to inject HTML code into the normal display of a page in order to:
  o Change its behaviour
  o Provoke a DoS (by refreshing the page continuously, for example)
  o Simply hack the site (redirecting to another one, displaying unexpected images, ...)

3.2 Security evolutions between the framework versions

Framework 1.0
- No validation is done: HTML attacks are very easy to do

Framework 1.1
- Addition of the ValidateRequest attribute at the page level: requests are now validated and HTML attacks are blocked
- What is a potentially dangerous Request.Form value?
  o See the code of HttpRequest.ValidateString
  o See the code of CrossSiteScriptingValidation.IsDangerousString
  o Any string containing "expression(" (whatever the case)
  o Any string containing "<" followed by a letter from a-z or A-Z
  o Any string containing "</"
  o Any string containing "<!"
  o Any string containing "on", not preceded by a letter from a-z or A-Z, followed by any number of letters a-z or A-Z, then any number of white spaces, then "="
  o Any string containing "script" (whatever the case), followed by any number of white spaces, then ":"
- To really test these values in 1.1, share the web application in IIS and configure it to run under 1.1, then go to the page
Framework 2.0
- The ValidateRequest attribute is now also available at web site level, in the web.config file
- Simplification of CrossSiteScriptingValidation.IsDangerousString:
  o Any string containing "&#"
  o Any string containing "<" followed by a letter from a-z or A-Z
  o Any string containing "<!"
  o Any string containing "</"

3.3 So we are safe?

- Almost
- Be careful anyway if you display concatenated fields, even if the risk is low

4 POST

4.1 What is a POST attack?

- Sending POST data to the server that:
  o is incorrect, trying to make the server crash
  o is correct but that we should not be able to send, trying to do things the server wants to forbid us from doing

4.2 How to do a POST attack?

- There are many ways, among them:
  o Using Telnet
  o Using any tool (or a personal development) that works with HTTP requests
  o Creating a copy of the page we want to hack and adding HTML controls that will send the fake POST arguments

4.3 Demo

Using a web simulator
- Import the existing project WebSimulator
- Create a new Console Application DemoWebSimulator and add a reference to WebSimulator
- Type the following code in Main:

    WebSimulator web = new WebSimulator();
    web.VaSurPage("...");                          // URL of the demo page (not given in the notes)
    web.RemplitChamps("txtAmount", "10000");
    web.CliqueSurBouton("Increase Account");

- Look at the value of the field web.Lecteur.DerniereReponse.PageHtml

NB: Using this technique, you could click on a disabled button or on a button that is not rendered. However, the web simulator used for the demo does not allow you to click on non-rendered buttons.
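To see what the 1.1 and 2.0 heuristics listed in 3.2 do and do not flag, here is an added study example, not the framework's code and not part of the original notes: it re-implements the two rule lists exactly as written above and runs both over a few constructed Request.Form values. The rule labels and the sample strings are constructed for the demonstration.

```csharp
using System;

// Study re-implementation of the "potentially dangerous value" rules listed in 3.2, written
// from the two rule lists above (it is not the framework's CrossSiteScriptingValidation code).
public static class DangerousStringRules
{
    private static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Rules common to 1.1 and 2.0: "<" followed by a letter, "</", "<!"
    private static string CheckAngleBracket(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            if (s[i] != '<') continue;
            char next = s[i + 1];
            if (IsAsciiLetter(next)) return "< followed by a letter";
            if (next == '/') return "</";
            if (next == '!') return "<!";
        }
        return null;
    }

    // 1.1 only: "on" not preceded by a letter, then letters*, then white space*, then "="
    private static bool HasOnHandler(string s)
    {
        int idx = -1;
        while ((idx = s.IndexOf("on", idx + 1, StringComparison.Ordinal)) >= 0)
        {
            if (idx > 0 && IsAsciiLetter(s[idx - 1])) continue;   // e.g. "moon" does not count
            int j = idx + 2;
            while (j < s.Length && IsAsciiLetter(s[j])) j++;
            while (j < s.Length && char.IsWhiteSpace(s[j])) j++;
            if (j < s.Length && s[j] == '=') return true;
        }
        return false;
    }

    // 1.1 only: "script" (any case), then white space*, then ":"
    private static bool HasScriptColon(string s)
    {
        int idx = -1;
        while ((idx = s.IndexOf("script", idx + 1, StringComparison.OrdinalIgnoreCase)) >= 0)
        {
            int j = idx + "script".Length;
            while (j < s.Length && char.IsWhiteSpace(s[j])) j++;
            if (j < s.Length && s[j] == ':') return true;
        }
        return false;
    }

    // Returns the first 1.1 rule that fires, or null when the value is considered safe
    public static string MatchedRule11(string s)
    {
        if (s.IndexOf("expression(", StringComparison.OrdinalIgnoreCase) >= 0) return "expression(";
        string angle = CheckAngleBracket(s);
        if (angle != null) return angle;
        if (HasOnHandler(s)) return "on...=";
        if (HasScriptColon(s)) return "script:";
        return null;
    }

    // Returns the first 2.0 rule that fires, or null
    public static string MatchedRule20(string s)
    {
        if (s.IndexOf("&#", StringComparison.Ordinal) >= 0) return "&#";
        return CheckAngleBracket(s);
    }

    public static void Main()
    {
        // Constructed sample Request.Form values, chosen to exercise each rule and its edges
        string[] samples =
        {
            "Hello world",
            "<b>bold</b>",
            "<3 you",
            "a onclick = alert(1)",
            "moon = full",
            "javascript:alert(1)",
            "&#60;script&#62;",
            "width: expression(alert(1))",
        };
        Console.WriteLine("{0,-30}{1,-26}{2}", "value", "1.1 rule", "2.0 rule");
        foreach (string v in samples)
        {
            Console.WriteLine("{0,-30}{1,-26}{2}", v, MatchedRule11(v) ?? "-", MatchedRule20(v) ?? "-");
        }
    }
}
```

The third column shows how the 2.0 simplification changed what is flagged: the on...=, script: and expression( rules no longer fire, while &# is new.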
Using a DOM Explorer (e.g. the Firefox one)
- Using the DOM explorer you can remove the disabled attribute of the button
- Then simply click on the button

NB: The Firefox DOM Inspector lets you update existing tags, remove tags or copy existing tags.

Using a copy of the page
- Go to the page
- View Source and Save as HTML
- Edit the page to change the form's action attribute to the full URL
- Update the control tag you need to modify (or add a new tag)
- Save the page and open it

The web site reacts normally, as if the button were enabled.

4.4 Security evolution in the .NET Framework 2.0

Note that to show the EnableEventValidation effect, I propose to use a copy of the page and to remove everything related to the Menu.

Improvements of the framework
- Addition of the EnableEventValidation attribute, at the page or web.config level, which prevents a POST attack when the button is invisible

How does it work?
- In their AddAttributesToRender methods, the controls register themselves for event validation
  o Remember that a Visible = false control will NOT be rendered in HTML, so none of its xxxRender or Renderxxx methods get called

    Page.ClientScript.RegisterForEventValidation(string uniqueId);
    Page.ClientScript.RegisterForEventValidation(PostBackOptions options);
    Page.ClientScript.RegisterForEventValidation(string uniqueId, string argument);

- At postback (in the LoadPostData or RaisePostBackEvent method) you can check that the postback is legitimate using the ValidateEvent method defined on the Control class (the base class of all controls):

    base.ValidateEvent(string uniqueId);
    base.ValidateEvent(string uniqueId, string eventArgument);
- A complex algorithm that:
  o computes a hash key for each control that is registered for validation
  o gets the hash of the UniqueID and of the event argument using System.Web.Util.StringUtil.GetStringHashCode and XORs the two results
  o serializes all the elements as binary
  o encrypts the result using the server machine key and a MACKeyModifier, which depends on where the web site is deployed, the page's type name and the view state user key

Note:
- MAC: Message Authentication Code
- Default value for MachineKey: AutoGenerate,IsolateApps
- The validation attribute accepts one of the following algorithms: AES (Rijndael), MD5 (Message Digest 5), 3DES (three successive iterations of DES), SHA1 (default)
- The decryption attribute accepts one of the following algorithms: AES, 3DES, DES

5 Protecting the web site against POST

5.1 Using a Secured Button

- Copy the PostAttack folder to the folder 2_0_Secured
- Create a new DLL SecuredControls
- Create a new class SecuredButton
- Override RaisePostBackEvent to add code like:

    using System;
    using System.Web.UI.WebControls;

    public class SecuredButton : Button
    {
        protected override void RaisePostBackEvent(string eventArgument)
        {
            // Refuse the postback when the server-side state says the button is disabled
            if (this.Enabled)
                base.RaisePostBackEvent(eventArgument);
            else
                throw new InvalidOperationException("POST ATTACK!!");
        }
    }

- Update the web.config file to add the control registration below (the tagPrefix mapping), and replace your asp:Button with a pda:Button:

    <system.web>
      <pages>
        <controls>
          <add tagPrefix="pda" namespace="SecuredControls" assembly="SecuredControls" />
        </controls>
      </pages>
    </system.web>

- Do a new POST attack trial: this time, the attack is blocked
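The event-validation mechanism described at the top of this section (one hash per registered control, the UniqueID hash XORed with the argument hash, serialized and protected with the machine key plus a modifier), as an added simplified model that is not the framework's code and not part of the original notes. Assumptions: FNV-1a stands in for StringUtil.GetStringHashCode, HMACSHA256 for the machineKey validation algorithm, the byte layout is my own, and the control names (btnSend, cboList, btnIncreaseAccount) are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Simplified model of the event-validation scheme described above: one hash per registered
// (UniqueID, argument) pair, serialized and MAC'd with the machine key plus a page modifier.
public class EventValidationModel
{
    private const int MacLength = 32;                                // HMACSHA256 output size
    private readonly byte[] macKey;                                  // machineKey + MACKeyModifier
    private readonly HashSet<int> registered = new HashSet<int>();
    public EventValidationModel(byte[] machineKey, string pageTypeName)
    {
        byte[] modifier = Encoding.UTF8.GetBytes(pageTypeName);      // ties the MAC to this page type
        macKey = new byte[machineKey.Length + modifier.Length];
        Buffer.BlockCopy(machineKey, 0, macKey, 0, machineKey.Length);
        Buffer.BlockCopy(modifier, 0, macKey, machineKey.Length, modifier.Length);
    }

    // Stand-in for StringUtil.GetStringHashCode: a stable FNV-1a hash over the characters
    private static int StableHash(string s)
    {
        unchecked
        {
            int h = (int)2166136261;
            foreach (char c in s) h = (h ^ c) * 16777619;
            return h;
        }
    }

    // Hash of the UniqueID XORed with the hash of the event argument
    private static int EntryHash(string uniqueId, string argument)
    {
        return StableHash(uniqueId) ^ StableHash(argument ?? string.Empty);
    }

    // Called while rendering (AddAttributesToRender); a Visible=false control never gets here
    public void RegisterForEventValidation(string uniqueId, string argument)
    {
        registered.Add(EntryHash(uniqueId, argument));
    }

    // Serialize the registered hashes and append the MAC: the hidden field sent to the client
    public byte[] Render()
    {
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write(registered.Count);
        foreach (int h in registered) w.Write(h);
        w.Flush();
        byte[] body = ms.ToArray();
        byte[] mac = ComputeMac(body);
        byte[] field = new byte[body.Length + MacLength];
        Buffer.BlockCopy(body, 0, field, 0, body.Length);
        Buffer.BlockCopy(mac, 0, field, body.Length, MacLength);
        return field;
    }

    private byte[] ComputeMac(byte[] body)
    {
        using (var hmac = new HMACSHA256(macKey)) return hmac.ComputeHash(body);
    }

    // Postback side (LoadPostData / RaisePostBackEvent): check the MAC first, then the hash
    public bool ValidateEvent(byte[] field, string uniqueId, string argument)
    {
        if (field == null || field.Length < sizeof(int) + MacLength) return false;
        int bodyLength = field.Length - MacLength;
        byte[] body = new byte[bodyLength];
        Buffer.BlockCopy(field, 0, body, 0, bodyLength);
        byte[] expected = ComputeMac(body);
        int diff = 0;                                                // constant-time compare
        for (int i = 0; i < MacLength; i++) diff |= expected[i] ^ field[bodyLength + i];
        if (diff != 0) return false;                                 // edited or foreign field

        int target = EntryHash(uniqueId, argument);
        var r = new BinaryReader(new MemoryStream(body));
        int count = r.ReadInt32();
        for (int i = 0; i < count; i++)
            if (r.ReadInt32() == target) return true;
        return false;
    }

    public static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-machine-key");   // constructed key
        var page = new EventValidationModel(key, "ASP.default_aspx");
        page.RegisterForEventValidation("btnSend", null);              // rendered, enabled button
        page.RegisterForEventValidation("cboList", "1");               // each rendered list item
        page.RegisterForEventValidation("cboList", "2");
        byte[] field = page.Render();                 // btnIncreaseAccount (Visible=false) never registered
        Console.WriteLine("rendered button      : " + page.ValidateEvent(field, "btnSend", null));
        Console.WriteLine("Visible=false button : " + page.ValidateEvent(field, "btnIncreaseAccount", null));
        Console.WriteLine("unregistered value   : " + page.ValidateEvent(field, "cboList", "5"));
        field[0] ^= 0x01;                                              // hidden field edited client-side
        Console.WriteLine("edited hidden field  : " + page.ValidateEvent(field, "btnSend", null));
    }
}
```

Main shows the three cases the notes rely on: a postback naming a control that was never rendered, a list value that was never registered, and a hidden field the client has edited are all rejected before any event handler runs.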
5.2 Other problems in .NET 2.0: TextBoxes

Showing the problem
- Do the demo with the page Default.aspx
- Try to enter more than 3 characters: blocked, due to the maxlength HTML attribute
- Use one of the previous techniques to send more than 3 characters: the modification is done

How to correct it
- In the SecuredControls DLL, create a new class SecuredTextBox
- Override (or rewrite completely) the LoadPostData method to:
  o either truncate the received value
  o or not load the value if it is too long
- If we want to truncate the value, we can choose one of the two following implementations, depending on whether we want to modify or rewrite the method:

    using System;
    using System.Collections.Specialized;
    using System.Web.UI.WebControls;

    // Implementation 1: truncate the value and delegate to the base class
    // Note: postDataKey == this.UniqueID
    protected override bool LoadPostData(string postDataKey, NameValueCollection postCollection)
    {
        string value = postCollection[postDataKey];
        if (value != null && this.MaxLength > 0 && value.Length > this.MaxLength)
        {
            NameValueCollection newCol = new NameValueCollection(postCollection);
            newCol[postDataKey] = value.Substring(0, this.MaxLength);
            return base.LoadPostData(postDataKey, newCol);
        }
        return base.LoadPostData(postDataKey, postCollection);
    }

    // Implementation 2: rewrite the method completely
    // Do not forget to validate the event!
    protected override bool LoadPostData(string postDataKey, NameValueCollection postCollection)
    {
        this.Page.ClientScript.ValidateEvent(postDataKey);
        string value = postCollection[postDataKey];
        if (value != null && this.MaxLength > 0 && value.Length > this.MaxLength)
            value = value.Substring(0, this.MaxLength);
        if (!this.ReadOnly && !this.Text.Equals(value, StringComparison.Ordinal))
        {
            this.Text = value;
            return true;
        }
        return false;
    }

- Update the page to use the new control
- Try again: this time only the first 3 characters are taken into account
5.3 And what about DropDownLists?

Demo using the WebSimulator
- Update the project DemoWebSimulator to type the following code in Main:

    WebSimulator web = new WebSimulator();
    web.VaSurPage("...");                          // URL of the demo page (not given in the notes)
    web.SelectionneListeParValeur("cboList", "5");
    web.CliqueSurBouton("Send");

- Look at the value of the field web.Lecteur.DerniereReponse.PageHtml
- Again, EnableEventValidation works and stops the POST attack

How does it work?
- The DropDownList control registers each of its values for event validation, and the posted value is of course checked against them
- See ListControl.RenderContents
- See DropDownList.LoadPostData

5.4 Propagating the improvements to the whole web site

- The proposed solutions apply only to the modified controls:
  o You may forget to update some controls
  o A maintenance guy may forget to use them
- .NET 2.0 allows you to configure the controls to use in the web.config file:

    <system.web>
      <pages>
        <tagMapping>
          <add tagType="System.Web.UI.WebControls.Button"
               mappedTagType="SecuredControls.SecuredButton, SecuredControls" />
          <add tagType="System.Web.UI.WebControls.TextBox"
               mappedTagType="SecuredControls.SecuredTextBox, SecuredControls" />
        </tagMapping>
      </pages>
    </system.web>
6 Conclusion

6.1 Will it be ensured in the next .NET version?
- Neither in 3.0 nor in ...
- Probably never in the future

6.2 Why not?
- If you can change the control attributes in .NET, you can also change them in JavaScript
- If you use the Secured Controls together with some JavaScript to reactivate the controls, your application won't work, because the server will still think the button is disabled and will stop the request

6.3 Any advice?
- Client-side scripting like JavaScript should never, ever be used to enforce business (or security) rules such as forbidding the use of a button
- These rules shall be enforced by a stronger server-side model and shall be re-checked before doing any action
- Protect your controls against POST attacks
- Do not use JavaScript, or use Ajax, as it will execute server requests
CS50 Quiz Review November 13, 2017 Info http://docs.cs50.net/2017/fall/quiz/about.html 48-hour window in which to take the quiz. You should require much less than that; expect an appropriately-scaled down
More informationDeveloping ASP.NET MVC 5 Web Applications
Developing ASP.NET MVC 5 Web Applications Course 20486C; 5 days, Instructor-led Course Description In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework tools
More informationTypes of XSS attacks. Persistent XSS. Non-persistent XSS
Cross site scripting happens when somebody (an attacker) inserts a malicious input into a form (for example, a piece of HTML code). Depending on what happens after that, we divide XSS attacks into these
More informationReportPlus Embedded Web SDK Guide
ReportPlus Embedded Web SDK Guide ReportPlus Web Embedding Guide 1.4 Disclaimer THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY EXPRESS REPRESENTATIONS OF WARRANTIES. IN ADDITION,
More informationIntroduction. Introduction
Building ASP.NET MVC 3 Applications Using Visual C# 2010 Intro-1 Prerequisites This course assumes that you are familiar and experienced with Microsoft s.net Framework and ASP.NET development tools. You
More information2310C VB - Developing Web Applications Using Microsoft Visual Studio 2008 Course Number: 2310C Course Length: 5 Days
2310C VB - Developing Web Applications Using Microsoft Visual Studio 2008 Course Number: 2310C Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft Certified
More informationInstallation Guide. For use with all.net versions of PDshop Revised: 12/29/17. PDshop.com / Copyright All Rights Reserved.
PDshop Installation Guide For use with all.net versions of PDshop Revised: 12/29/17 PDshop.com / Copyright 2002-2018 All Rights Reserved. 1 Table of Contents If you are already using a.net version of PDshop
More informationDeveloping ASP.NET MVC 5 Web Applications
20486C - Version: 1 23 February 2018 Developing ASP.NET MVC 5 Web Developing ASP.NET MVC 5 Web 20486C - Version: 1 5 days Course Description: In this course, students will learn to develop advanced ASP.NET
More informationCSC 415 ONLINE PHOTOALBUM: THE SEQUEL ASP.NET VERSION
CSC 415 ONLINE PHOTOALBUM: THE SEQUEL ASP.NET VERSION GODFREY MUGANDA In this project, you will convert the Online Photo Album project to run on the ASP.NET platform, using only generic HTTP handlers.
More informationdnrtv! featuring Peter Blum
dnrtv! featuring Peter Blum Overview Hello, I am Peter Blum. My expertise is in how users try to use web controls for data entry and what challenges they face. Being a developer of third party controls,
More informationMobileFast SyncStudio. A Complete Mobile Database Synchronization Solution. Quick-Start Manual. Release 1.61, May 2014
MobileFast SyncStudio A Complete Mobile Database Synchronization Solution Quick-Start Manual Release 1.61, May 2014 Copyright 2014 by MobileFast Corporation All rights reserved Page 1 of 25 Edition Notes
More information.NET SAML Consumer Value-Added (VAM) Deployment Guide
.NET SAML Consumer Value-Added (VAM) Deployment Guide Copyright Information SecureAuth is a copyright of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions,
More informationWeb Database Applications: Report. Name. Institution of Affiliation
Web Database Applications: Report Name Institution of Affiliation 1 Table of Contents Assumptions... 3 Validation Constraints... 3 Test plan... 6 Customer registration... 6 Customer authentication... 8
More information.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus
.NET Secure Coding for Client-Server Applications 4-Day hands on Course Course Syllabus Course description.net Secure Coding for Client-Server Applications 4-Day hands on Course Secure programming is the
More informationTen good practices for ASP.NET MVC applications
Ten good practices for ASP.NET MVC applications Dino Esposito JetBrains dino.esposito@jetbrains.com @despos facebook.com/naa4e Options for Web development Fully serverside Fully clientside Hybrid SPA And
More informationAngularJS Intro Homework
AngularJS Intro Homework Contents 1. Overview... 2 2. Database Requirements... 2 3. Navigation Requirements... 3 4. Styling Requirements... 4 5. Project Organization Specs (for the Routing Part of this
More informationSummer Cart Synchronization Guide for.net
Summer Cart Synchronization Guide for.net Page 1 of 21 Introduction This guide explains how you can synchronize the data from your data management software with your Summer Cart-based web store. In the
More information20486 Developing ASP.NET MVC 5 Web Applications
Course Overview In this course, students will learn to develop advanced ASP.NET MVC applications using.net Framework tools and technologies. The focus will be on coding activities that enhance the performance
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? LET S TALK HTTP SAFE VS. UNSAFE
More information