Posted on 18-Dec-2015

A Demo of and Preventing XSS in .NET Applications

• Introduction
• OWASP Top Ten
• XSS
• Microsoft Web Protection Library
• OWASP AntiSamy .NET
• Cat .NET & Others

OWASP Top Ten (2013)

1 Injection
2 Broken Authentication and Session Management
3 Cross-Site Scripting (XSS)
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross-Site Request Forgery (CSRF)
9 Using Components with Known Vulnerabilities
10 Unvalidated Redirects and Forwards

• Injection: SQL injection, and XSS (Cross-Site Scripting), which is injection into HTML
• Information Leakage
• Principle of Least Privilege

The two top vulnerabilities this talk covers, Injection and XSS, are the same mistake: the programmer does not make a distinction between code and data. User-supplied data is spliced into text that a parser (SQL, HTML, JavaScript) will execute, so part of the data is read as code.
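As an added illustration of that root cause (this is not code from the talk), here is the same bug in its SQL form and its HTML form, each beside the fix that restores the code/data boundary: a parameterized query, and output encoding. The Users table, its columns, the connection string and the two attacker inputs are constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;   // HttpUtility; reference System.Web.dll in a console project

public static class CodeVersusData
{
    // Constructed attacker inputs for the example.
    public const string SqlPayload = "x' OR 1=1 --";
    public const string XssPayload = "<script>alert(document.cookie)</script>";

    // VULNERABLE: the user's string is spliced into the query text, so the database
    // parser reads it as SQL. With SqlPayload the WHERE clause becomes
    //   WHERE UserName = 'x' OR 1=1 --'
    // and matches every row.
    public static SqlCommand LookupUserVulnerable(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // FIXED: the SQL text is a constant. The user's string travels to the server as a
    // typed parameter value, which can never be parsed as SQL, whatever it contains.
    public static SqlCommand LookupUserSafe(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // VULNERABLE: the same mistake in the HTML "language". The browser's parser sees
    // the user's string as markup, so XssPayload runs as script in the victim's session.
    public static string GreetingVulnerable(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // FIXED: encode at the point of output, for the context the data lands in (here,
    // HTML element content). '<' becomes "&lt;", so the payload is displayed, not executed.
    public static string GreetingSafe(string name)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    public static void Main()
    {
        // No database is needed to see the difference: the command is never opened,
        // only its text and bound parameters are printed.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        {
            SqlCommand bad = LookupUserVulnerable(conn, SqlPayload);
            SqlCommand good = LookupUserSafe(conn, SqlPayload);
            Console.WriteLine("Vulnerable SQL : " + bad.CommandText);
            Console.WriteLine("Safe SQL       : " + good.CommandText);
            Console.WriteLine("Bound @userName: " + good.Parameters["@userName"].Value);
        }
        Console.WriteLine("Vulnerable HTML: " + GreetingVulnerable(XssPayload));
        Console.WriteLine("Safe HTML      : " + GreetingSafe(XssPayload));
    }
}
```

The safe versions never inspect the payload; they do not need to, because the data can no longer reach the parser as code. That is the property every blacklist-based "scrub" fails to give you.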


• XSS
  – What it is
  – Types of XSS (reflected, stored, DOM-based)
• How to mitigate
  – Validate and constrain input
  – Properly encode output
  – Microsoft Anti-Cross Site Scripting Library
  – OWASP AntiSamy .NET
• What about Server.HtmlEncode?
  – Encodes only a fixed, short list of characters (a blacklist); the Anti-XSS library instead encodes everything outside a whitelist of known-safe characters
  – Less secure
• Regex / home-grown approach
• The Goldilocks problem
  – Scrub data too little
  – Scrub data just right
  – Scrub data too hard
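The following is an added example (not the talk's demo) that puts the three mitigation rules above into working code: a constraining input check, context-specific output encoding with the Microsoft Anti-XSS library's Encoder class, and the three Goldilocks outcomes side by side. The user-name pattern and the sample inputs are constructed for the example; the Encoder methods used (HtmlEncode, HtmlAttributeEncode, JavaScriptEncode) are the library's real API.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
// Anti-XSS library 4.x (NuGet package "AntiXSS"). Aliased because System.Text also defines
// a class named Encoder. .NET 4.5 ships the same encoders as System.Web.Security.AntiXss.AntiXssEncoder.
using AntiXss = Microsoft.Security.Application.Encoder;

public static class MitigationDemo
{
    // 1. Validate and constrain input: state what IS allowed; never try to list what is bad.
    //    (Letter first, then 2-31 letters/digits/._- is a constructed policy for this example.)
    static readonly Regex UserNameShape = new Regex(@"^[A-Za-z][A-Za-z0-9_.-]{2,31}$");

    public static bool IsValidUserName(string s)
    {
        return s != null && UserNameShape.IsMatch(s);
    }

    // 2. Encode output for the context it lands in: one value, four contexts, four treatments.
    public static string RenderProfile(string displayName, string homepage)
    {
        var html = new StringBuilder();

        // HTML element content
        html.Append("<h1>").Append(AntiXss.HtmlEncode(displayName)).Append("</h1>\n");

        // HTML attribute value
        html.Append("<input type=\"text\" name=\"displayName\" value=\"")
            .Append(AntiXss.HtmlAttributeEncode(displayName)).Append("\" />\n");

        // URL inside an href: no encoder stops "javascript:" URLs, so the scheme is
        // validated first, and only then is the value attribute-encoded.
        Uri uri;
        bool safeLink = Uri.TryCreate(homepage, UriKind.Absolute, out uri)
                        && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
        if (safeLink)
        {
            html.Append("<a href=\"").Append(AntiXss.HtmlAttributeEncode(uri.AbsoluteUri))
                .Append("\">home page</a>\n");
        }

        // Data handed to JavaScript: JavaScriptEncode emits a quoted, escaped JS string
        // literal, so the value can never close the literal or the <script> element.
        html.Append("<script>var displayName = ")
            .Append(AntiXss.JavaScriptEncode(displayName)).Append(";</script>\n");

        return html.ToString();
    }

    // 3. The Goldilocks problem.

    // Too little: a home-grown blacklist. The attacker uses a vector that is not on the list.
    public static string ScrubTooLittle(string s)
    {
        return s.Replace("<script>", "").Replace("</script>", ""); // misses <ScRiPt>, <img onerror=...>, ...
    }

    // Too hard: encoding on the way IN and again on the way OUT. Legitimate data is corrupted
    // ("<" is shown to the user as the literal text "&amp;lt;"), and the stored value is now
    // tied to one output context, so it is wrong in every other one.
    public static string ScrubTooHard(string s)
    {
        string storedAlreadyEncoded = AntiXss.HtmlEncode(s);   // encoded at input time...
        return AntiXss.HtmlEncode(storedAlreadyEncoded);       // ...and again at output time
    }

    // Just right: validate the shape on input, store the raw value, encode exactly once at
    // output with the encoder for that context (as RenderProfile does).
    public static string ScrubJustRight(string s)
    {
        return AntiXss.HtmlEncode(s);
    }

    public static void Main()
    {
        // Constructed inputs for the example.
        string attacker = "<ScRiPt>alert(document.cookie)</ScRiPt>";
        string legit = "O'Brien & Sons <5 stars>";

        Console.WriteLine(IsValidUserName("larry_c"));      // acceptable shape
        Console.WriteLine(IsValidUserName("<script>"));     // rejected before it is ever stored

        Console.WriteLine(RenderProfile(attacker, "javascript:alert(1)")); // link dropped, script inert
        Console.WriteLine("too little : " + ScrubTooLittle(attacker));     // payload survives
        Console.WriteLine("too hard   : " + ScrubTooHard(legit));          // legitimate text mangled
        Console.WriteLine("just right : " + ScrubJustRight(legit));
    }
}
```

Validation and encoding are not alternatives: the href case shows a value that passes through an encoder unharmed and is still dangerous, and the "too hard" case shows what happens when encoding is used as if it were validation.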

Demo: XSS (and, if time permits, SQL Injection)


• Pros
  – Validate input / encode output (the Anti-XSS library covers the output-encoding half)
  – The same discipline helps with SQL injection as well as XSS
  – Adds another layer of defense
  – Used by Microsoft as an internal tool
• Cons
  – It's not perfect and it should not be our only layer of defense
  – Microsoft doesn't update it as often as it should
  – We do have an open-source alternative (OWASP AntiSamy .NET)


Demo: AntiSamy
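Where the application has to accept HTML itself (a rich-text comment or bio), output encoding would destroy the formatting the user is allowed to use, and a sanitizer driven by a whitelist policy is the right tool. The following is an added example, not the talk's demo: the OWASP AntiSamy .NET namespace and method names (org.owasp.validator.html.AntiSamy, scan, CleanResults.getCleanHTML, getErrorMessages) are assumed to follow the Java library it was ported from, the policy file path is a placeholder, and the input is constructed.

```csharp
using System;
using org.owasp.validator.html;   // OWASP AntiSamy .NET; API assumed to mirror the Java original

public static class AntiSamyDemo
{
    // Constructed input: what a "rich text" comment field might receive.
    public const string Untrusted =
        "<p>Great talk, <b>thanks</b>!</p>" +
        "<script>alert(document.cookie)</script>" +
        "<a href=\"javascript:alert(1)\">click</a>" +
        "<img src=\"x\" onerror=\"alert(1)\" />" +
        "<a href=\"http://owasp.org\">OWASP</a>";

    // Sanitize against a whitelist policy: tags and attributes NOT listed in the policy
    // file are removed or neutralized; everything listed is kept as formatting.
    public static string SanitizeRichText(string untrustedHtml, string policyFile)
    {
        var antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(untrustedHtml, policyFile);

        // Each rejected element is reported. Logging these gives the SOC a cheap signal:
        // a burst of removed <script> elements from one account is an attack in progress.
        foreach (object message in results.getErrorMessages())
        {
            Console.WriteLine("AntiSamy removed: " + message);
        }
        return results.getCleanHTML();
    }

    public static void Main()
    {
        // Placeholder path: start from one of the sample policies shipped with AntiSamy
        // and tighten it to the tags the feature actually needs.
        string policyFile = @"C:\app\policies\antisamy.xml";
        string clean = SanitizeRichText(Untrusted, policyFile);
        Console.WriteLine(clean);
        // With a typical policy the <p>, <b> and the http link survive; the <script>
        // element, the javascript: href and the onerror handler do not.

        // Sanitizing is not a substitute for encoding elsewhere: the cleaned fragment is
        // safe to emit as HTML element content only, not inside an attribute, URL or script.
    }
}
```

The policy file is the security boundary here, so it belongs in source control and code review like any other access-control rule: a policy that permits style attributes or arbitrary href schemes hands the attacker back what the sanitizer took away.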


Cat.NET (Microsoft Code Analysis Tool .NET) Demo

Resources

About Me

• Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma.
• My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores.
• Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL)
• My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
  – Current project support manager, OWASP Code Review Project 2.0
  – INFOSEC Certificate Program at University of Tulsa
  – (ISC)² CISSP Certification
  – Committee on National Security Systems Certificates: NSTISSI No. 4011, Information Systems Security Professional; 4012:
