DNNcon 2016: Are There Security Flaws in Your DNN Modules?
TRANSCRIPT
@DNNConDon’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer, Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Goal
For Developers - To think about possible security vulnerabilities while developing your modules.
For Everyone - Be able to recognize potential vulnerabilities when testing websites.
Introduction
Cross Site Scripting
Reflective XSS
Reflective XSS Example
Stored XSS
Stored XSS Example
XSS Summary
• HTML encode output when the field does not need to carry HTML.
• Use an Anti-XSS library when you must accept HTML from user input.
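An added C# example (not code from the talk) of the two cases the summary separates, for a hypothetical module item with a plain-text Title and a rich-text Body; it assumes the DNN 7.4+ PortalSecurity API and the System.Web AntiXssEncoder as I recall them. DNN's NoScripting filter is a regex blacklist, so for rich input a whitelist sanitizer (see the West-Wind post in the resources) is the stronger choice.

```csharp
using System.Web;
using System.Web.Security.AntiXss;   // AntiXssEncoder ships in System.Web since .NET 4.5
using DotNetNuke.Security;           // PortalSecurity and its FilterFlag enum

// Hypothetical module item: Title is plain text, Body is editor-supplied rich text.
public class Item
{
    public string Title { get; set; }
    public string Body { get; set; }
}

public static class ItemRenderer
{
    // Case 1: the field never needs HTML, so encode on output. '<', '>', '&' and quotes
    // become entities, and a stored "<script>" renders as literal text.
    public static string RenderTitle(Item item)
    {
        return HttpUtility.HtmlEncode(item.Title ?? string.Empty);
    }

    // Same rule in an attribute context (the value="" of an input): AntiXssEncoder works
    // from a whitelist of safe characters, so a quote that would close the attribute is
    // encoded as well.
    public static string RenderTitleAttribute(Item item)
    {
        return AntiXssEncoder.HtmlAttributeEncode(item.Title ?? string.Empty);
    }

    // Case 2: the field must keep its HTML, so encoding would break it. Run it through
    // DNN's input filter instead; NoScripting strips script tags, on* event-handler
    // attributes and javascript: URLs. Apply it on the way in (before saving), and again
    // on output if the stored value may predate the filter.
    public static string SanitizeBody(string untrustedHtml)
    {
        return PortalSecurity.Instance.InputFilter(untrustedHtml ?? string.Empty,
                                                   PortalSecurity.FilterFlag.NoScripting);
    }
}

// In the module's view control, after loading the item:
//   lblTitle.Text = ItemRenderer.RenderTitle(item);        // encoded plain text
//   litBody.Text  = ItemRenderer.SanitizeBody(item.Body);  // filtered HTML
```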
SQL Injection
SQLi Example
SQLi Summary
• Never do string concatenation with SQL.
• Use an ORM or a parameterized stored procedure.
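An added C# example (not code from the talk) showing the concatenated query the summary warns against next to the two fixes it names, using DNN's data layer for a hypothetical MyModule_Items table and MyModule_GetItemsByCategory procedure; the DataContext, DataProvider and CBO calls are the DNN 7 APIs as I recall them.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Linq;
using DotNetNuke.Common.Utilities;   // CBO
using DotNetNuke.Data;               // DataContext, DataProvider

public class Item
{
    public int ItemId { get; set; }
    public string Title { get; set; }
}

public static class ItemRepository
{
    // What the summary warns against: the category string comes from the request and is
    // pasted into the statement. A quote in the value ends the literal, and whatever follows
    // is executed as SQL.
    public static IList<Item> FindByCategoryVulnerable(string category)
    {
        string sql = "SELECT ItemId, Title FROM dbo.MyModule_Items WHERE Category = '"
                     + category + "'";
        using (IDataContext ctx = DataContext.Instance())
            return ctx.ExecuteQuery<Item>(CommandType.Text, sql).ToList();
    }

    // Fix 1 (ORM): DNN's PetaPoco-based DataContext with a positional parameter (@0). The
    // value reaches SQL Server as a parameter, never as statement text, so quotes in it are
    // data. {databaseOwner}{objectQualifier} are DNN's table-name tokens.
    public static IList<Item> FindByCategory(string category)
    {
        using (IDataContext ctx = DataContext.Instance())
            return ctx.ExecuteQuery<Item>(CommandType.Text,
                "SELECT ItemId, Title FROM {databaseOwner}{objectQualifier}MyModule_Items " +
                "WHERE Category = @0", category).ToList();
    }

    // Fix 2 (stored procedure): parameters are passed positionally and bound by the provider.
    // The procedure body must not build dynamic SQL from them, or the injection simply moves
    // inside the procedure (the point of the Troy Hunt link in the resources).
    public static IList<Item> FindByCategoryProc(string category)
    {
        return CBO.FillCollection<Item>(
            DataProvider.Instance().ExecuteReader("MyModule_GetItemsByCategory", category));
    }
}
```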
Cross Site Request Forgery
CSRF Example
CSRF Summary
• Use HttpPost
• ValidateAntiForgery
• Never allow access from any host
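An added C# example (not code from the talk) of the three summary points applied to a DNN Web API controller for a hypothetical module "MyModule"; route registration is omitted, ItemRepository is a hypothetical data class, and the DnnApiController attribute names are the DNN 7 APIs as I recall them.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

[SupportedModules("MyModule")]                                 // request must name a module of this type
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]   // and the caller needs Edit on it
public class ItemController : DnnApiController
{
    public class DeleteRequest { public int ItemId { get; set; } }

    // What the summary warns against: a state change on GET with no token. A page the
    // logged-in victim visits can fire it from an <img src="..."> with the victim's cookies.
    //
    //   [HttpGet]
    //   public HttpResponseMessage Delete(int itemId) { ... }

    // Hardened: POST only, and only when the RequestVerificationToken header matches the
    // anti-forgery cookie. DNN's ServicesFramework (setModuleHeaders on the client) adds
    // that header; a form or image on another origin cannot, so those requests are rejected.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public HttpResponseMessage Delete(DeleteRequest req)
    {
        // ActiveModule comes from the ModuleId/TabId headers and was already checked
        // against the module permissions by DnnModuleAuthorize above.
        ItemRepository.Delete(PortalSettings.PortalId, ActiveModule.ModuleID, req.ItemId);
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}

// "Never allow access from any host": do not add Access-Control-Allow-Origin: * (or echo the
// request's Origin) on these routes. Combined with credentials, that lets another site read
// the responses of authenticated calls and removes the same-origin assumption the token
// check relies on.
```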
Insecure Direct Object References
IDOR Example
IDOR Summary
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting a file.
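An added C# example (not code from the talk) of a module download endpoint that follows both summary points: the client supplies only a file id, the file is resolved through DNN's File Manager, and the folder's View permission is checked before anything is streamed. Module name "MyModule" is hypothetical; the FileManager, FolderManager and FolderPermissionController calls are the DNN 7 APIs as I recall them.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Services.FileSystem;
using DotNetNuke.Web.Api;

[SupportedModules("MyModule")]
[DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
public class DownloadController : DnnApiController
{
    // What the summary warns against: the client names the file and the path is served
    // as-is, so a guessed or ../-relative path reaches files outside the module's folder.
    //
    //   public HttpResponseMessage Get(string path)
    //   { var full = Path.Combine(PortalSettings.HomeDirectoryMapPath, path); ... }

    [HttpGet]
    public HttpResponseMessage Get(int fileId)
    {
        // Resolve through the File Manager: an integer id, never a path from the client,
        // and only a file that belongs to the current portal.
        IFileInfo file = FileManager.Instance.GetFile(fileId);
        if (file == null || file.PortalId != PortalSettings.PortalId)
            return Request.CreateResponse(HttpStatusCode.NotFound);

        // A valid id proves nothing about who may read the file; ids are sequential and a
        // logged-in user can walk them. Check the folder's View permission for this user.
        IFolderInfo folder = FolderManager.Instance.GetFolder(file.FolderId);
        if (folder == null || !FolderPermissionController.CanViewFolder((FolderInfo)folder))
            return Request.CreateResponse(HttpStatusCode.Forbidden);

        // Stream it with the stored content type and the stored (not client-supplied) name.
        HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.OK);
        response.Content = new StreamContent(FileManager.Instance.GetFileContent(file));
        response.Content.Headers.ContentType = new MediaTypeHeaderValue(file.ContentType);
        response.Content.Headers.ContentDisposition =
            new ContentDispositionHeaderValue("attachment") { FileName = file.FileName };
        return response;
    }
}
```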
Available on GitHub & Slideshare
• http://www.engagesoftware.com/blog/post/5052
Questions
@JRBradley1
Resources
• https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
• http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Documents/DNN/Analysis%20of%20DotNetNuke%20compliance%20against%20OWASP%20Top%2010.pdf
• https://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).aspx
• https://weblog.west-wind.com/posts/2012/Jul/19/NET-HTML-Sanitation-for-rich-HTML-Input
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
• http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
• https://www.sql-programmers.com/sql-injection.aspx
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender