The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities



                                                Michael Hidalgo
                                    michael.hidalgo@owasp.org
                                Chapter Leader, OWASP Costa Rica
                          Contributor, OWASP O2 Platform Project
About Me

 Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
  – Developing software for financial institutions (FIs, CUs)
  – Web services, interoperability

 OWASP Costa Rica Chapter Leader
 Participation in the OData protocol

 OWASP projects contributor
  – OWASP O2 Platform (Dinis Cruz)
  – REST Security Cheat Sheet (Jim Manico)
Why this presentation?



Software developers need tools!
But also because…


We software developers need a framework that helps us write secure applications.
Agenda


• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against the Music Store MVC application.
The O2 Platform



What is the O2 Platform?
The O2 Platform

The O2 Platform represents a new paradigm for how to perform, document and distribute web application security reviews.

O2 is designed to automate security consultants' knowledge and workflows, and to allow non-security experts to access and consume security knowledge.
The O2 Platform

• The project manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in application security and has produced very interesting research.

• Some features of the O2 Platform:
  – Scripting engine and development environment.
  – Black-box / browser-automation environment.
  – Source code analysis environment.
  – Data consumption and API generation.
The O2 Platform: more features!
  • Powerful search engine
  • Graphical engines
  • Multiple APIs
  • Integration with third parties
The O2 Platform

• A comprehensive UI!




The O2 Platform

• A look at the IE automation editor




The O2 Platform

• IE automation syntax

  var topPanel = panel.clear().add_Panel();     // clear the O2 GUI panel and add a child panel
  var ie = topPanel.add_IE().silent(false);     // embed an IE (WatiN) instance; silent(false) keeps it visible
  ie.open("http://www.google.com");
  ie.field("q").Value = "OWASP Costa Rica";     // fill the form field named "q"

  // O2 script directives: the extension-methods file and the WatiN assembly this script needs
  //O2File:WatiN_IE_ExtensionMethods.cs
  //O2Ref:WatiN.Core.1x.dll
  //O2Tag_DontAddExtraO2Files;
The O2 Platform


• O2 Platform inside Visual Studio IDE




The O2 Platform

                    Where to get the O2 Platform?

• From the Visual Studio Gallery:
  http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
• Standalone installer:
  http://tiny.cc/O2Platform
• For more info on O2 see:
  O2-related posts on Dinis Cruz's blog: http://diniscruz.blogspot.co.uk/search/label/O2%20Platform
  O2 blog: https://o2platform.wordpress.com
MVC Architecture

Architecture of the World Wide Web
  • Addressable resources
  • Standard resource formats
  • Uniform interface for interacting with resources
  • Stateless interactions and hyperlinking
Uniform Interface

GET
  • Retrieves a resource
  • Safe: no side effects on the server
  • Cacheable

POST
  • Creates a new resource (or submits data for the server to process)
  • Unsafe and not idempotent: the effect of this verb is defined by the application, not by HTTP

PUT
  • Updates (replaces) an existing resource; also used to create a resource at a known URI
  • Idempotent

DELETE
  • Removes a resource
  • Idempotent: calling it N times leaves the server in the same state
MVC Architecture

Web applications should embrace the Web!
MVC Architecture

• MVC is a standard design pattern that many developers are familiar with. Some types of web application will benefit from the MVC framework.

• Some features:
   – Embrace the Web: MVC is a standards-compliant architecture that embraces the architecture of the Web.
   – Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to building applications rapidly.
   – Separation of concerns: this architecture is designed to separate responsibilities within your application.
   – Testability

  Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
MVC Architecture



• MVC actors (diagram of Model, View and Controller)

Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
MVC Architecture



• Models: model objects are the parts of the application that implement the logic for the application's data domain.
• They retrieve and store model state in a database.
• Examples are a Product model, a Customer model or a Speaker model.
MVC Architecture



• Views: components that display the application's user interface (UI).
• Created from model data.
• An example is editing a Speaker's information, displaying text boxes for name and address.
MVC Architecture



• Controllers: components that handle user interaction, work with the model and select a view to render in the UI.
• They handle and respond to user input and interactions.
MVC Architecture



• Vulnerabilities on top of the MVC framework

• MVC applications are exposed to most of the usual web attack vectors (XSS, CSRF).
• Mass assignment (auto binding): this vulnerability can be found in Spring MVC and in Microsoft ASP.NET MVC.
MVC Architecture



• Mass assignment (aka auto binding).
• MVC frameworks rely heavily on binding query strings, route values and form values to objects in code.
• This vulnerability is a kind of parameter tampering.
• Model binding works by assigning HTML form fields to object properties by name: any public settable property whose name matches an incoming field gets populated, whether or not the form the application rendered contained that field.
MVC Architecture


            Mass assignment (aka auto binding).
• Let's take a look at the following model object:

public class BlogMember
{
   public string Name { get; set; }
   public string LastName { get; set; }
   public string EmailAddress { get; set; }
   public bool IsAdmin { get; set; }   // sensitive: not a field of the registration form
}
MVC Architecture


                 What can happen?
Someone could send an HTTP request using Fiddler2 or cURL:

  Request URL: http://yourBlog/register
  Request Method: POST
  Status Code: 200 OK

  Form data:
    Name: Michael
    LastName: Hidalgo
    EmailAddress: michael.hidalgo@owasp.org
    IsAdmin: true

The registration form never offered an IsAdmin field, but the model binder still maps the extra field onto BlogMember.IsAdmin, and the new member is saved as an administrator.
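The slides show the model and the crafted request but not the controller that connects them. The following is an added example (not code from the slides, the Music Store application or the O2 project) of the registration action that makes the BlogMember model exploitable, with the slide's request written out as the client sends it. AccountController, MemberRepository and the /Account/Register route are assumptions chosen for illustration; the binding behaviour is that of the ASP.NET MVC DefaultModelBinder.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Model from the slide: every property has a public setter, so the
// DefaultModelBinder will populate any of them from the request.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }   // never rendered in the registration form
}

// Hypothetical in-memory store standing in for the blog's database.
public static class MemberRepository
{
    public static readonly List<BlogMember> Members = new List<BlogMember>();
}

public class AccountController : Controller
{
    // GET /Account/Register renders a form with Name, LastName and EmailAddress only.
    [HttpGet]
    public ActionResult Register()
    {
        return View(new BlogMember());
    }

    // VULNERABLE: the action parameter is the domain model itself. The binder
    // walks form values, query string and route values and assigns every
    // property whose name matches, whether or not the form ever showed it.
    [HttpPost]
    [ValidateAntiForgeryToken]   // does not help here: the attacker is the legitimate user
    public ActionResult Register(BlogMember member)
    {
        if (!ModelState.IsValid)
        {
            return View(member);
        }

        MemberRepository.Members.Add(member);   // member.IsAdmin is true if the client sent it
        return RedirectToAction("Index", "Home");
    }
}

// The request from the slide as the client actually sends it (assumed default
// routing, so the action lives at /Account/Register; the anti-forgery cookie
// and hidden token field are omitted from this sketch):
//
//   POST /Account/Register HTTP/1.1
//   Host: yourBlog
//   Content-Type: application/x-www-form-urlencoded
//
//   Name=Michael&LastName=Hidalgo&EmailAddress=michael.hidalgo%40owasp.org&IsAdmin=true
//
// Nothing in the action, the model or ModelState rejects the extra field, so a
// member record with IsAdmin == true is stored.
```

Note the caveat in the attributes: anti-forgery tokens defend against a third party submitting the form on the victim's behalf, not against the user submitting extra fields in their own request, so CSRF protection leaves mass assignment untouched.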
MVC Architecture



Running an O2 demo!
MVC Architecture



How to protect against mass assignment?
• Never trust user input!
• Match incoming parameters explicitly
• Use a ViewModel
• Protect your sensitive model properties (e.g. SSN, IDs, account numbers)
MVC Architecture



How to protect against mass assignment?
Matching incoming parameters
MVC Architecture



How to protect against mass assignment?
Protecting sensitive fields (using the Bind attribute)
MVC Architecture



How to protect against mass assignment?
• Protecting sensitive fields (using the Bind attribute)
• Blacklist (Bind Exclude): keeps IsAdmin out, but any sensitive property added to the model later is bindable until the list is updated; a whitelist (Bind Include) fails safe instead.
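The three defences listed on the last four slides (matching incoming parameters, a ViewModel, and the Bind attribute in whitelist and blacklist form), as an added example that is not the slides' own code. It reuses the BlogMember model from the slides; RegisterViewModel, MemberRepository and the action names are assumptions for illustration, and all four actions fix the vulnerable Register(BlogMember) action discussed earlier.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical in-memory store standing in for the blog's database.
public static class MemberRepository
{
    public static readonly List<BlogMember> Members = new List<BlogMember>();
}

// Option 1: a ViewModel that carries only what the form may set. IsAdmin does not
// exist on this type, so an IsAdmin=true field in the body has nothing to bind to.
public class RegisterViewModel
{
    [Required] public string Name { get; set; }
    [Required] public string LastName { get; set; }
    [Required] public string EmailAddress { get; set; }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel form)
    {
        if (!ModelState.IsValid) return View(form);

        var member = new BlogMember
        {
            Name = form.Name,
            LastName = form.LastName,
            EmailAddress = form.EmailAddress,
            IsAdmin = false   // decided by the application, never by the client
        };
        MemberRepository.Members.Add(member);
        return RedirectToAction("Index", "Home");
    }

    // Option 2: match incoming parameters one by one. Only the named simple
    // parameters are bound; any other field in the request is ignored.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterExplicit(string name, string lastName, string emailAddress)
    {
        if (string.IsNullOrWhiteSpace(name) || string.IsNullOrWhiteSpace(emailAddress))
            return new HttpStatusCodeResult(400);

        MemberRepository.Members.Add(new BlogMember
        {
            Name = name, LastName = lastName, EmailAddress = emailAddress, IsAdmin = false
        });
        return RedirectToAction("Index", "Home");
    }

    // Option 3 (whitelist): keep binding to the domain model, but tell the binder
    // exactly which properties it may touch. Everything else keeps its default.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterWhitelist(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
    {
        if (!ModelState.IsValid) return View("Register", member);
        MemberRepository.Members.Add(member);   // IsAdmin stays false
        return RedirectToAction("Index", "Home");
    }

    // Option 3b (blacklist): closes the hole for IsAdmin today, but a sensitive
    // property added to BlogMember next month is bindable until someone extends
    // the list. Prefer the whitelist form above.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterBlacklist([Bind(Exclude = "IsAdmin")] BlogMember member)
    {
        if (!ModelState.IsValid) return View("Register", member);
        MemberRepository.Members.Add(member);
        return RedirectToAction("Index", "Home");
    }
}
```

The same whitelist can be applied when the model is loaded from the database and updated in place, using the includeProperties overload of UpdateModel (for example UpdateModel(member, new[] { "Name", "LastName", "EmailAddress" })), and the Bind attribute can also be placed on the model class itself so every action that binds it inherits the restriction.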
Q&A




     Michael Hidalgo
michael.hidalgo@owasp.org

Designing IA for AI - Information Architecture Conference 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities

  • 1. The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities. Michael Hidalgo, michael.hidalgo@owasp.org. Chapter Leader, OWASP Costa Rica. Collaborator, OWASP O2 Platform Project.
  • 2. About Me. Software Development Engineer at Fiserv, Digital Channels - Corillian Online ASP team: developing software for financial institutions (FI, CU); web services, interoperability. OWASP Costa Rica Chapter Leader. Participation in the OData Protocol. OWASP projects contributor: OWASP O2 Platform (Dinis Cruz); REST Security Cheat Sheet (Jim Manico).
  • 3. Why this presentation? Software developers need tools!
  • 4. But also because… we software developers need a framework that helps us write secure applications.
  • 5. Agenda. An overview of the O2 Platform. An overview of the Microsoft ASP.net MVC Framework. A demo running the IE automation script against the Music Store MVC application.
  • 6. The O2 Platform. What is the O2 Platform?
  • 7. The O2 Platform. The O2 Platform represents a new paradigm for how to perform, document and distribute Web application security reviews. O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
  • 8. The O2 Platform. The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and has done very interesting research. Some features of the O2 Platform: scripting engine and development environment; black-box/browser-automation environment; source code analysis environment; data consumption and API generation.
  • 9. The O2 Platform: more features! Powerful search engine. Graphical engines. Multiple APIs. Integration with third parties.
  • 10. The O2 Platform. A comprehensive UI!
  • 11. The O2 Platform. A look at the IE automation editor.
  • 12. The O2 Platform. IE automation syntax:
        var topPanel = panel.clear().add_Panel();
        var ie = topPanel.add_IE().silent(false);
        ie.open("http://www.google.com");
        ie.field("q").Value = "OWASP Costa Rica";
        //O2File:WatiN_IE_ExtensionMethods.cs
        //O2Ref:WatiN.Core.1x.dll
        //O2Tag_DontAddExtraO2Files;
  • 13. The O2 Platform. O2 Platform inside the Visual Studio IDE.
  • 14. The O2 Platform. Where to get the O2 Platform? From the Visual Studio Gallery: http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2. Getting the standalone installer: http://tiny.cc/O2Platform. For more info on O2 see the O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform, and the O2 Blog: https://o2platform.wordpress.com
  • 15. Agenda. An overview of the O2 Platform. An overview of the Microsoft ASP.net MVC Framework. A demo running the IE automation script against the Music Store MVC application.
  • 16. MVC Architecture. Architecture of the World Wide Web: addressable resources; standard resource formats; a uniform interface for interacting with resources; stateless and hyperlinking.
  • 17. Uniform Interface. GET: retrieves a resource; safe; cacheable. POST: creates a new resource; unsafe, the effect of this verb is not defined by HTTP. PUT: updates an existing resource; used for resource creation; idempotent. DELETE: removes a resource; call it N times and the same thing always happens (idempotent).
  • 18. MVC Architecture. Web applications should embrace the Web!
  • 19. MVC Architecture. MVC is a standard design pattern that many developers are familiar with. Some types of Web applications will benefit from the MVC framework. Some features: Embrace the Web: MVC is a standards-compliant architecture that embraces the Web architecture. Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to creating applications rapidly. Separation of concerns: this architecture is designed to separate responsibilities within your application. Testability. Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  • 20. MVC Architecture. MVC actors (diagram). Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  • 21. MVC Architecture. Models: model objects are the parts of the application that implement the logic for the application's data domain. They retrieve and store model state in databases. An example is a Product model, a Customer model or a Speaker model.
  • 22. MVC Architecture. Views: components that display the application's user interface (UX). Created from model data. An example is editing a speaker's information, displaying text boxes for name and address.
  • 23. MVC Architecture. Controllers: components that handle user interactions, work with the model and select a view to render in the UI. They handle and respond to user input and interactions.
  • 24. MVC Architecture. Vulnerabilities on top of the MVC Framework: MVC applications are vulnerable to most of the attack vectors in Web applications (XSS, CSRF). Mass assignment (auto binding): this vulnerability can be found in Spring MVC and the Microsoft ASP.NET MVC Framework.
  • 25. MVC Architecture. Mass assignment (aka auto binding). MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects. This vulnerability is a kind of parameter tampering. Model binding works by assigning HTML form fields to object properties.
  • 26. MVC Architecture. Mass assignment (aka auto binding). Let's take a look at the following model object:
        public class BlogMember
        {
            public string Name { get; set; }
            public string LastName { get; set; }
            public string EmailAddress { get; set; }
            public bool IsAdmin { get; set; }
        }
  • 27. MVC Architecture. What can happen? Someone could send an HTTP request using Fiddler2 or cURL:
        Request URL: http://yourBlog/register
        Request Method: POST
        Status Code: 200 OK
        ...
        Name: Michael
        LastName: Hidalgo
        EmailAddress: michael.hidalgo@owasp.org
        IsAdmin: true
  • 28. Agenda. An overview of the O2 Platform. An overview of the Microsoft ASP.net MVC Framework. A demo running the IE automation script against the Music Store MVC application.
  • 29. MVC Architecture. Running an O2 demo!!!
  • 30. MVC Architecture. How to protect ourselves against mass assignment? Never trust user input!!!! Match incoming parameters. Use a ViewModel. Protect your sensitive model properties (e.g. SSN, IDs, account numbers).
  • 31. MVC Architecture. How to protect ourselves against mass assignment? Matching incoming parameters.
  • 32. MVC Architecture. How to protect ourselves against mass assignment? Protecting sensitive fields (using the Bind attribute).
  • 33. MVC Architecture. How to protect ourselves against mass assignment? Protecting sensitive fields (using the Bind attribute). Blacklist.
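The protections from slides 30 to 33 in working code, as an added example that is not part of the original deck: the vulnerable registration action next to the three fixes (matching parameters, Bind whitelist/blacklist, ViewModel), written against System.Web.Mvc (ASP.NET MVC). The controller, ViewModel and action names are assumed for illustration, and persistence is stubbed.

```csharp
using System.Web.Mvc;

// The model from slide 26: IsAdmin is the property a forged POST tries to set.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

// ViewModel with only the fields a registration form may set; a posted "IsAdmin=true" has nothing to bind to.
public class RegisterViewModel
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
}

public class AccountController : Controller   // assumed controller name
{
    // VULNERABLE: the default binder fills every public settable property, so the
    // request on slide 27 registers an administrator.
    [HttpPost]
    public ActionResult RegisterUnsafe(BlogMember member) => Save(member);
    // Matching incoming parameters: bind only named primitives and build the object yourself.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterParams(string name, string lastName, string emailAddress) =>
        Save(new BlogMember { Name = name, LastName = lastName, EmailAddress = emailAddress, IsAdmin = false });
    // Whitelist: Bind(Include) binds only the listed properties.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterInclude(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member) => Save(member);
    // Blacklist: Bind(Exclude) blocks IsAdmin, but any sensitive property added to the
    // model later is bindable until someone remembers to list it here.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterExclude([Bind(Exclude = "IsAdmin")] BlogMember member) => Save(member);
    // ViewModel: the request can only reach the three permitted fields; privilege is set server-side.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        var member = new BlogMember { Name = form.Name, LastName = form.LastName,
                                      EmailAddress = form.EmailAddress, IsAdmin = false };
        return Save(member);
    }
    // Persistence is omitted (assumed); a real action would store the member here.
    private ActionResult Save(BlogMember member) => RedirectToAction("Index", "Home");
}
```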
  • 34. Q&A. Michael Hidalgo, michael.hidalgo@owasp.org