A Demo of and Preventing XSS in .NET Applications

Agenda
• Introduction
• OWASP Top Ten
• XSS
• Microsoft Web Protection Library
• OWASP AntiSamy .NET
• Cat .NET & Others
OWASP Top Ten (the 2013 list)
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Injection: SQL & XSS
• Cross-Site Scripting
• Information Leakage
• Principle of Least Privilege
• The top two vulnerabilities share the same root cause: the programmer does not distinguish code from data. A SQL string built by concatenation and an HTML page built by concatenation fail the same way, because the parser on the other end (the database or the browser) cannot tell where the developer's code stops and the user's data begins.

XSS
• What it is
• Types of XSS

How to mitigate
• Validate and constrain input
• Properly encode output
• Microsoft Anti-Cross Site Scripting Library
• OWASP AntiSamy .NET

What about Server.HtmlEncode?
• It encodes only a short fixed list of characters (a blacklist approach), so anything not on the list passes through; an allowlist encoder, which encodes everything except known-safe characters, is the more secure choice
• Regex
• Home-grown approach
• Goldilocks problem
  – Scrub data too little
  – Scrub data just right
  – Scrub data too hard

Demo: XSS (and, if time permits, SQL injection)

Microsoft Web Protection Library (Anti-XSS)
• Pros
  – Validate input / encode output (Anti-XSS library)
  – Helps with SQL injection and XSS
  – Adds another level of defense
  – Used by Microsoft as an internal tool
• Cons
  – It is not perfect and should not be our only defense layer
  – Microsoft doesn't update it as often as it should
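The following console program is an added example for the "code vs. data" slide and the "encode output / what about Server.HtmlEncode?" slides; it is not code from the talk, from Microsoft's AntiXSS library or from OWASP AntiSamy. Server.HtmlEncode lives in System.Web and is not available outside the .NET Framework, so the example uses System.Net.WebUtility.HtmlEncode, which takes the same fixed-list approach (it replaces only < > & " ' and characters 160-255). The AllowlistEncode method is a hand-written illustration of the allowlist principle AntiXSS uses, not AntiXSS's own code; the attack strings are constructed for the demo.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Added example: shows why "properly encode output" depends on both the
// encoder and the HTML context the data lands in. Needs .NET Core 3.0+ (Rune).
static class XssDemo
{
    // The bug: user input is pasted into markup, so the browser cannot tell
    // the developer's HTML (code) from the user's text (data).
    public static string RenderUnsafe(string name) =>
        "<p>Hello " + name + "</p>";

    // Fixed-list encoder, the Server.HtmlEncode approach: only < > & " ' and
    // the range 160-255 are replaced. Every other character passes through.
    public static string RenderFixedList(string name) =>
        "<p>Hello " + WebUtility.HtmlEncode(name) + "</p>";

    // Allowlist encoder, the AntiXSS approach: keep ASCII letters and digits,
    // turn every other code point into a numeric character reference.
    // Hand-written illustration; the real AntiXSS safe list is somewhat wider.
    public static string AllowlistEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (Rune r in input.EnumerateRunes())   // whole code points, not UTF-16 halves
        {
            if (r.Value < 0x80 && Rune.IsLetterOrDigit(r))
                sb.Append(r.ToString());
            else
                sb.Append("&#").Append(r.Value).Append(';');
        }
        return sb.ToString();
    }

    // Same data, different context. In an unquoted attribute a space ends the
    // value and '=' starts a new attribute; the fixed list encodes neither.
    public static string RenderAttrFixedList(string v) =>
        "<input value=" + WebUtility.HtmlEncode(v) + ">";

    public static string RenderAttrAllowlist(string v) =>
        "<input value=" + AllowlistEncode(v) + ">";

    // Validate and constrain input: accept only what the field should hold.
    // "Just right" for a display name: letters, digits, space, period,
    // apostrophe and hyphen (so "O'Brien" is not rejected), but no '<', '=',
    // '(' or quotes. \A and \z anchor the whole string, so a trailing newline
    // cannot slip past the check the way it can with '$'.
    private static readonly Regex DisplayName =
        new Regex(@"\A[\p{L}\p{N} .'-]{1,40}\z", RegexOptions.CultureInvariant);

    public static bool IsValidDisplayName(string s) =>
        s != null && DisplayName.IsMatch(s);

    // Constructed attack strings for the demo (not real user data).
    private const string ElementPayload = "<script>alert(1)</script>";
    private const string AttributePayload = "x onmouseover=alert(1)";

    static void Main()
    {
        // Element content: the fixed list is enough here, '<' and '>' are on it.
        Console.WriteLine(RenderUnsafe(ElementPayload));      // script executes in the browser
        Console.WriteLine(RenderFixedList(ElementPayload));   // rendered as text

        // Unquoted attribute: only the allowlist encoder keeps the data as data.
        Console.WriteLine(RenderAttrFixedList(AttributePayload));  // a new onmouseover attribute is injected
        Console.WriteLine(RenderAttrAllowlist(AttributePayload));  // space and '=' are encoded, still one attribute

        // Input validation rejects the attack string before it is ever stored.
        Console.WriteLine(IsValidDisplayName("Larry O'Brien"));
        Console.WriteLine(IsValidDisplayName(AttributePayload));
    }
}
```

Two practical notes. First, the attribute case is the argument for an allowlist library: in AntiXSS 4.x the context-specific methods are Microsoft.Security.Application.Encoder.HtmlEncode and Encoder.HtmlAttributeEncode, and the second one encodes space and '='. Second, the cheapest fix for the attribute case is to always quote attribute values in your markup, because inside a quoted value the only character that matters is the quote, and that is on the fixed list; the encoder and the template have to agree on the context either way.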
  – We do have an open source alternative (OWASP AntiSamy .NET)

Demo: AntiSamy

Cat .NET (Microsoft Code Analysis Tool .NET)
Demo: Cat .NET

Resources

About Me
• Larry Conklin, Senior Developer at QuikTrip in Tulsa, Oklahoma.
• My current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, and creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores.
• Skills: C#, C/C++, RPG ILE, COBOL, SQL (SQL Server, Oracle, Sybase, PostgreSQL)
• My current passion is talking and learning about security and integrating it into the SDLC to create secure code.
  – Current project support manager, OWASP Code Review Project 2.0
  – INFOSEC Certificate Program at the University of Tulsa
  – ISC(2) CISSP Certification
  – Committee on National Security Systems Certificates. NSTISSI No. 4011: Information Systems Security Professional, 4012: