A Demo of and Preventing XSS in .NET Applications
• Introduction
• OWASP Top Ten
• XSS
• Microsoft Web Protection Library
• OWASP AntiSamy .NET
• Cat .NET & Others
OWASP Top Ten
1 Injection
2 Broken Authentication and Session Management
3 Cross-Site Scripting (XSS)
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross-Site Request Forgery (CSRF)
9 Using Components with Known Vulnerabilities
10 Unvalidated Redirects and Forwards
• Injection: SQL & XSS (Cross-Site Scripting)
• Information Leakage
• Principle of Least Privilege
The top two vulnerabilities share the same root cause: the programmer does not make a distinction between code and data.
• XSS
– What it is.
– Types of XSS
How To Mitigate
• Validate and constrain input
• Properly encode output
• Microsoft Anti-Cross Site Scripting Library
• OWASP AntiSamy .NET
• What about Server.HTMLEncode?
– Uses a blacklist for exclusion
– Less secure
• Regex
• Home Grown approach
• Goldilocks Problem.
– Scrub data too little.
– Scrub data just right.
– Scrub data too hard.
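As an added example (not the presentation's own demo code), the mitigation steps in C#: an allow-list validator for a field with a known shape, and context-specific output encoding of free text instead of stripping it, using the AntiXssEncoder class from System.Web.Security.AntiXss (assumes .NET Framework 4.5+ with a reference to System.Web; showAuthor is a hypothetical page script).

```csharp
// Added example: allow-list input validation plus context-aware output encoding.
// Assumes a console project on .NET Framework 4.5+ referencing System.Web.dll.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security.AntiXss;

static class XssMitigationDemo
{
    // "Validate and constrain input": a display name has a known shape, so an
    // allow-list regex rejects anything outside it (Goldilocks: just right).
    static readonly Regex DisplayName = new Regex(@"^[A-Za-z0-9 .'-]{1,40}$");

    public static bool IsValidDisplayName(string input)
    {
        return input != null && DisplayName.IsMatch(input);
    }

    // "Properly encode output": free text is not stripped (scrubbed too hard);
    // it is encoded for the exact context it lands in, so the browser treats it
    // as data rather than code. AntiXssEncoder encodes every character outside a
    // small allow-list, whereas HttpUtility.HtmlEncode only escapes a fixed
    // blacklist of characters (< > & " ').
    public static string RenderComment(string author, string comment)
    {
        string body  = AntiXssEncoder.HtmlEncode(comment, useNamedEntities: false); // HTML text node
        string text  = AntiXssEncoder.HtmlEncode(author, useNamedEntities: false);  // HTML text node
        string title = AntiXssEncoder.HtmlAttributeEncode(author);                   // quoted attribute
        string query = AntiXssEncoder.UrlEncode(author);                             // URL query value
        string js    = HttpUtility.JavaScriptStringEncode(author, addDoubleQuotes: true); // JS literal

        return "<div class=\"comment\">\n" +
               "  <a href=\"/profile?user=" + query + "\" title=\"" + title + "\">" + text + "</a>\n" +
               "  <p>" + body + "</p>\n" +
               "  <script>showAuthor(" + js + ");</script>\n" + // showAuthor: hypothetical page script
               "</div>";
    }

    static void Main()
    {
        // Constructed sample input containing markup and quotes, not real user data.
        string author  = "O'Neil <b>";
        string comment = "<script>alert(1)</script> 1 < 2 & \"x\"";

        // The author fails allow-list validation because of '<' and '>'.
        Console.WriteLine(IsValidDisplayName(author) ? "author accepted" : "author rejected");
        // The comment is rendered with every context encoded rather than filtered.
        Console.WriteLine(RenderComment(author, comment));
    }
}
```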
Demo: XSS
And if time permits: SQL Injection
• Pros…
– Validate Input / Encode Output (Anti-XSS library)
– Helps with SQL injection and XSS
– Adds another level of defense
– Used by Microsoft as an internal tool
• Cons…
– It's not perfect and it should not be our only defense layer
– Microsoft doesn't update it as often as it should.
– We do have an open source alternative (OWASP AntiSamy .NET)
Demo AntiSamy
Cat .NET Demo
Resources
About Me
• Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma.
• My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores.
• Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL)
• My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
– Current project support manager, OWASP Code Review Project 2.0.
– INFOSEC Certificate Program at University of Tulsa
– ISC(2) CISSP Certification
– Committee on National Security Systems Certificates. NSTISSI No. 4011: Information Systems Security Professional, 4012: