All Input Is Evil (Part 1)
TRANSCRIPT
Introduction
Will not cover everything
Healthy level of paranoia
Use my DVD Swap Shop application (week 2)
Human Problems
A simple conversation
People use words they can remember
Same passwords for many sites
Doctor Who fan: guess the password
T****S
Brute Force Attack
If the password is CC but all we know is that it is two characters long: **
AA AB BA BB BC CB CC
The longer the password the more time we need to crack it.
Countermeasures: Education
Don't use the same password for all sites
Avoid passwords that could be guessed
Don't use dictionary words
Enforce rules in code
Minimum password length
Non-alphanumeric characters
Expiration date
Limit login attempts
Securing Stored Passwords
Unsecured Access database
Stored in App_Data folder (could store on another drive/machine)
Plain text password stored in the table
Password Hashing
.NET Cryptography
Encryption is ok; hashing is better
password123 -> IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Do not store the password in plain text
Adding Salt
If the passwords for John and Fred without salt look like this...
John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Adding salt would change the hash values like so...
John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV
Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG
Concatenate password + email address
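The unsalted and salted schemes above, as an added Python example (the course application is VB.NET; this code is mine, not the course's). The users John and Fred, their e-mail addresses, and the random-salt PBKDF2 variant are assumptions; the latter is a stronger scheme the slides do not describe.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample users: two accounts that happen to share a password.
USERS = {
    "John": {"email": "john@example.com", "password": "password123"},
    "Fred": {"email": "fred@example.com", "password": "password123"},
}


def hash_unsalted(password: str) -> str:
    """SHA-256 of the password alone, base64-encoded like the slide's values.
    Identical passwords give identical hashes, so cracking one hash exposes
    every user who chose that password."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_with_email_salt(password: str, email: str) -> str:
    """The slide's scheme: concatenate password + email address, then hash.
    The salt differs per user, so equal passwords no longer collide."""
    digest = hashlib.sha256((password + email).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_record(password: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Stronger variant (assumed, not on the slides): a random 16-byte salt and a
    slow key derivation (PBKDF2-HMAC-SHA256) to raise the cost of brute force.
    Returns (salt, derived_key); both are stored, neither needs to be secret."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_record(password: str, salt: bytes, key: bytes, iterations: int = 600_000) -> bool:
    """Recompute the derived key for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


def collisions(hash_fn) -> bool:
    """True if any two sample users end up with the same stored hash."""
    hashes = [hash_fn(u) for u in USERS.values()]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    print("unsalted collide:", collisions(lambda u: hash_unsalted(u["password"])))
    print("salted collide:  ", collisions(lambda u: hash_with_email_salt(u["password"], u["email"])))
```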
Validation
Who do you trust?
Do you trust me not to make use of that data in some way?
Do you trust me to write a web application that will not be compromised in any way?
Not just a matter of which people you trust but which systems you trust
Exclude list = characters we don't allow
Include list = characters we do allow
Code Injection
Script could run when the page is rendered elsewhere in the application
IIS automatically disallows this
We Now Know
The language of the application (VB.NET)
The names of several parameters: SwapTitle, Description, etc.
In light of the above, probably the names of some fields in the database (this way the hacker may refine SQL injection attacks)
The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb
Secure Socket Layer (SSL)
The browser makes a secure HTTP request: HTTPS on port 443
The server sends back a digital certificate verifying its credentials
The client verifies the certificate with the issuing agency
Using the public key, the data is encrypted between client and server