(1) Threats and Defenses
8/8/2019
9/27/2010 11:58 AM
2003-2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Development of Secure Web Applications: Threats and Defenses
Malek Kemmou, CEO Arrabeta, Microsoft Regional Director for Middle East and Africa

Speaker.GetBio().ToString()
CEO Arrabeta (consulting firm based in Casablanca, Morocco)
Member of the newtelligence alliance
Senior Consultant and Senior Trainer
Solutions architecture, integration, interoperability
Microsoft Regional Director for Middle East and Africa
Member of INETA MEA board
Speaker at many conferences and events
http://www.microsoft.com/rd
~140 experts from all around the world
A little quiz for you
What is the most dangerous HTML tag?
What is the most dangerous control in a rich client form?
TextBox
Threats and Defenses
Types of threats
Threats against the application
  SQL injection
  Cross-site scripting
  Input tampering
  Session hijacking
  More
Writing secure code
  Validating input
  Accessing databases securely
  Using forms authentication securely
  Storing secrets securely
  Securing session state
  Handling errors properly
Types of Threats
Threats against the network: spoofed packets, etc.
Threats against the host: buffer overflows, illicit paths, etc.
Threats against the application: SQL injection, XSS, input tampering, etc.
ASP.NET View State
Great alternative to hidden fields when round-tripping data to the client
Validated by default
Encrypted if desired
Encrypting ASP.NET view state:
Page.ViewStateUserKey
  Tool for keying view state to individuals
  Adds value of your choice to view state
  Defense against "one-click" attacks
  Must be applied in Page_Init
  ASP.NET 1.1 only

void Page_Init (Object sender, EventArgs e)
{
    // Hedge against spoofed postbacks
    if (User.Identity.IsAuthenticated)
        ViewStateUserKey = User.Identity.Name;
}
Securing Session State
Limit session time-outs as much as possible
Avoid using cookieless session state if possible
Disable ASP.NET state service if you're not using it
Close port 42424 in firewall if using state service
Encrypt connection string if using SQL Server [11]
Close ports 1433 and 1434 if using SQL Server

Session State, Cont.
Optionally use SSL/TLS to protect session ID cookies [1]
Optionally use SSL/TLS or IPSec to secure the connection to the database server [2, 9]
Don't store potentially injurious data (such as credit card numbers) in session state
Error Handling
Anticipate errors and handle them sensibly
Use to display custom error pages
Beware mode="off" and debug="true"
Don't reveal too much information in error pages
Log unhandled exceptions
Be aggressive about logging failures
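As an added illustration (not from the slides), one web.config fragment that applies the session state, error handling and view state points above, with the weak value each setting replaces noted in a comment; the error page name and key values are placeholders:

```xml
<!-- web.config: hardened values, each with the weak setting it replaces -->
<configuration>
  <system.web>
    <!-- Session state slide: short time-out, cookie-based session IDs, in-process store
         so no state-service port (42424) or SQL Server connection string is involved.
         Weak: <sessionState mode="StateServer" cookieless="true" timeout="120" /> -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- Error handling slide: never ship mode="Off". RemoteOnly shows the detailed
         error only to a browser on the server itself; remote users get the custom page.
         Weak: <customErrors mode="Off" /> -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.aspx" />

    <!-- Debug builds put source file names and line numbers into error output.
         Weak: <compilation debug="true" /> -->
    <compilation debug="false" />

    <!-- View state slide: validation (MAC) is on by default; in ASP.NET 1.1,
         validation="3DES" additionally encrypts view state. Keys are placeholders;
         set explicit keys on every server in a web farm. -->
    <machineKey validationKey="REPLACE_WITH_40_TO_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_48_HEX_CHARS"
                validation="3DES" />
  </system.web>
</configuration>
```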
Logging Unhandled Exceptions

void Application_Error (Object sender, EventArgs e)
{
    // Formulate message to write to event log
    string msg = "Error accessing " + Request.Path + "\n" +
        Server.GetLastError ().ToString ();

    // Write the message to Windows event log
    EventLog log = new EventLog ();
    log.Source = "My ASP.NET Application";
    log.WriteEntry (msg, EventLogEntryType.Error);
}

Global.asax
Additional Resources
1. "How to Set Up SSL on a Web Server" http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT16.asp
2. "How to Use IPSec to Provide Secure Communications Between Servers" http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT18.asp
3. "How to Implement Patch Management" http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTImpPatch.asp
4. "How to Use IISLockdown" http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTlockdown.asp
5. "How to Use URLScan" http://msdn.microsoft.com/library/en-us/dnnetsec/html/HT_URLScan.asp

Additional Resources, Cont.
6. "Required NTFS Permissions for ASP.NET" http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh19.asp?frame=true#c19618429_025
7. "10 Steps to Help Secure SQL Server 2000" http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
8. "How to Use SSL to Secure Communications with SQL Server 2000" http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT19.asp
9. "How to Harden the TCP/IP Stack" http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTHardTCP.asp

Additional Resources, Cont.
10. "Kerberos Protocol Transition and Constrained Delegation" http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/ConstDel.asp
11. "How to Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings" http://support.microsoft.com/default.aspx?scid=kb;en-us;329290
12. "How to Create a Custom Account to Run ASP.NET" http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp
Speaker as a Resource
[email protected]@kemmou.com
Slide Decks and Demos: http://www.malekkemmou.ma

Appendix