The O2 Platform:
Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities

Michael Hidalgo
michael.hidalgo@owasp.org
Chapter Leader, OWASP Costa Rica
Contributor, OWASP O2 Platform Project
About Me

• Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team.
  – Developing software for financial institutions (FIs, CUs)
  – Web services, interoperability

• OWASP Costa Rica Chapter Leader
• Participation in the OData Protocol

• OWASP Projects contributor
  – OWASP O2 Platform (Dinis Cruz)
  – REST Security Cheat Sheet (Jim Manico)
Why this presentation?

Software Developers need tools!

But also because…

We Software Developers need a framework that helps us write secure applications.
Agenda

• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against the
  Music Store MVC Application.

The O2 Platform

What is the O2 Platform?
The O2 Platform

The O2 platform represents a new paradigm for how to perform, document and
distribute Web Application security reviews.

O2 is designed to automate security consultants' knowledge and workflows, and to
allow non-security experts to access and consume security knowledge.

The O2 Platform

• The Project Manager is Dinis Cruz, a security expert based in the UK. Dinis has
  a strong background in the application security world and has performed very
  interesting research.

• Some features of the O2 platform:
  – Scripting engine and development environment.
  – Black-box/browser-automation environment.
  – Source code analysis environment.
  – Data consumption and API generation.
The O2 Platform

The O2 Platform: More features!
• Powerful search engine
• Graphical engines
• Multiple APIs
• Integration with third parties

The O2 Platform

• A comprehensive UI!

The O2 Platform

• A look at the IE automation editor
The O2 Platform

• IE Automation syntax

// Clear the current panel and embed an Internet Explorer instance in it
// (silent(false) keeps the browser window visible while the script runs).
var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(false);
// Drive the browser: open a page and fill in the "q" form field.
ie.open("http://www.google.com");
ie.field("q").Value = "OWASP Costa Rica";
// O2 script directives: which extension file and assembly to load for this script.
//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll
//O2Tag_DontAddExtraO2Files;
The O2 Platform

• O2 Platform inside the Visual Studio IDE

The O2 Platform

Where to get the O2 Platform?

• From the Visual Studio Gallery:
  http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2
• Getting the standalone installer:
  http://tiny.cc/O2Platform
• For more info on O2 see:
  – O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform
  – O2 Blog: https://o2platform.wordpress.com
Agenda

• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against the
  Music Store MVC Application.

MVC Architecture

Architecture of the World Wide Web
  • Addressable resources
  • Standard resource formats
  • Uniform interface for interacting with resources
  • Stateless and hyperlinking
Uniform Interface

GET
  • Retrieves a resource
  • Safe
  • Cacheable

POST
  • Creates a new resource.
  • Unsafe; the effect of this verb is not defined by HTTP

PUT
  • Updates an existing resource
  • Used for resource creation
  • Idempotent

DELETE
  • Removes a resource
  • Call it N times and the same thing always happens (idempotent)
MVC Architecture

Web Applications should embrace the Web!

MVC Architecture

• MVC is a standard design pattern that many developers are familiar with. Some
  types of Web applications will benefit from the MVC framework.

• Some features:
  – Embrace the Web: MVC is a standards-compliant architecture that embraces the
    Web architecture.
  – Easy to implement: the industry is adopting the MVC framework because it
    provides an easy approach to creating applications rapidly.
  – Separation of concerns: this architecture is designed to separate
    responsibilities within your application.
  – Testability

Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
MVC Architecture

• MVC Actors:

Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
MVC Architecture

• Models: model objects are the parts of the application that implement the
  logic for the application's data domain.
• They retrieve and store model state in databases.
• Examples are a Product model, a Customer model or a Speaker model.

MVC Architecture

• Views: components that display the application's user interface (UX).
• Created from model data.
• An example is editing a Speaker's information, displaying text boxes for
  name and address.

MVC Architecture

• Controllers: components that handle user interactions, work with the model
  and select a view to render in the UI.
• They handle and respond to user input and interactions.
MVC Architecture

• Vulnerabilities on top of the MVC Framework

• MVC applications are vulnerable to most of the attack vectors found in Web
  applications (XSS, CSRF).
• Mass Assignment (Auto Binding): this vulnerability can be found in Spring MVC
  and the Microsoft ASP.NET MVC Framework.

MVC Architecture

• Mass Assignment (aka Auto Binding).
• MVC frameworks rely heavily on binding query strings, route values and form
  values to in-code objects.
• This vulnerability is a kind of parameter tampering.
• Model binding works by assigning HTML form fields to object properties.
MVC Architecture

Mass Assignment (aka Auto Binding).
• Let's take a look at the following model object:

// Every public settable property is a candidate for model binding,
// including the privilege flag IsAdmin.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

MVC Architecture

What can happen?
Someone could send an HTTP request using Fiddler2 or cURL:

  Request URL: http://yourBlog/register
  Request Method: POST
  Status Code: 200 OK......

  Name: Michael
  LastName: Hidalgo
  EmailAddress: michael.hidalgo@owasp.org
  IsAdmin: true
Agenda

• An overview of the O2 Platform
• An overview of Microsoft ASP.net MVC Framework
• A demo running the IE automation script against the
  Music Store MVC Application.

MVC Architecture

Running an O2 Demo!!!

MVC Architecture

How to protect against mass assignment?
• Never trust user input!!!!
• Match incoming parameters
• Use a ViewModel
• Protect your sensitive model properties (e.g. SSNs, IDs, account numbers)
MVC Architecture

How to protect against mass assignment?
Matching incoming parameters

MVC Architecture

How to protect against mass assignment?
Protecting sensitive fields (using the Bind attribute)

MVC Architecture

How to protect against mass assignment?
• Protecting sensitive fields (using the Bind attribute)
• Blacklist
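The three defences the slides list, worked through on the slides' own BlogMember model. This is an added example, not code from the presentation or the O2 project; it assumes classic ASP.NET MVC (System.Web.Mvc) and uses a constructed in-memory list in place of the member database.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Model object from the slides: IsAdmin is the sensitive property.
public class BlogMember
{
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }
}

// Constructed in-memory store standing in for a database (assumption of this example).
public static class MemberStore
{
    public static readonly List<BlogMember> Members = new List<BlogMember>();
}

// VULNERABLE: the default model binder fills every public settable property of
// BlogMember from the request, so the "IsAdmin: true" field in the slides' POST
// turns a self-registered user into an administrator.
public class VulnerableAccountController : Controller
{
    [HttpPost]
    public ActionResult Register(BlogMember member)
    {
        MemberStore.Members.Add(member);
        return RedirectToAction("Index", "Home");
    }
}

public class BindAccountController : Controller
{
    // FIX 1, "matching incoming parameters": bind only the primitives the form is
    // expected to send. There is no object property for an extra IsAdmin field to land on.
    [HttpPost]
    public ActionResult RegisterWithParameters(string name, string lastName, string emailAddress)
    {
        MemberStore.Members.Add(new BlogMember
        {
            Name = name, LastName = lastName, EmailAddress = emailAddress, IsAdmin = false
        });
        return RedirectToAction("Index", "Home");
    }

    // FIX 2, [Bind] whitelist: properties not listed in Include are ignored even
    // when present in the request. [Bind(Exclude = "IsAdmin")] is the blacklist
    // variant; it fails silently when a new sensitive property is added to the
    // model later, so Include is the safer default.
    [HttpPost]
    public ActionResult Register(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
    {
        member.IsAdmin = false; // privilege is decided server side, never by the client
        MemberStore.Members.Add(member);
        return RedirectToAction("Index", "Home");
    }
}

// FIX 3 (preferred), ViewModel: the binder only ever sees a type that has exactly
// the fields the registration form may set; mapping onto BlogMember is explicit.
public class RegisterViewModel
{
    [Required] public string Name { get; set; }
    [Required] public string LastName { get; set; }
    [Required, EmailAddress] public string EmailAddress { get; set; }
}

public class ViewModelAccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // CSRF is the other MVC attack vector the slides name
    public ActionResult Register(RegisterViewModel vm)
    {
        if (!ModelState.IsValid)
            return View(vm);

        MemberStore.Members.Add(new BlogMember
        {
            Name = vm.Name,
            LastName = vm.LastName,
            EmailAddress = vm.EmailAddress,
            IsAdmin = false // never bound from the request
        });
        return RedirectToAction("Index", "Home");
    }
}
```

Replaying the slides' Fiddler/cURL request against each fixed action leaves IsAdmin false in the stored member; a regression test that posts an unexpected IsAdmin field is a cheap way to keep it that way.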
Q&A

Michael Hidalgo
michael.hidalgo@owasp.org

My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities

  • 1. The O2 Platform: Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities Michael Hidalgo michael.hidalgo@owasp.org Chapter Leader OWASP Costa Rica Collaborator, OWASP O2 Platform Project
  • 2. About Me • Software Developer Engineer at Fiserv, Digital Channels - Corillian Online ASP team. – Developing software for financial institutions (FI, CU) – Web services, interoperability • OWASP Costa Rica Chapter Leader • Participation in the OData Protocol • OWASP Projects contributor – OWASP O2 Platform (Dinis Cruz) – REST Security Cheat Sheet (Jim Manico)
  • 3. Why this presentation? Software Developers need tools! 3
  • 4. But also because… We software developers need a framework that helps us write secure applications.
  • 5. Agenda • An overview of the O2 Platform • An overview of Microsoft ASP.net MVC Framework • A demo running the IE automation script against Music Store MVC Application. 5
  • 6. The O2 Platform What is the O2 Platform? 6
  • 7. The O2 Platform The O2 Platform The O2 Platform represents a new paradigm for how to perform, document and distribute web application security reviews. O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
  • 8. The O2 Platform • The project manager is Dinis Cruz, a security expert based in the UK. Dinis has a strong background in the application security world and has performed very interesting research. • Some features of the O2 Platform: – Scripting engine and development environment. – Black-box/browser-automation environment. – Source code analysis environment. – Data consumption and API generation.
  • 9. The O2 Platform The O2 Platform: More features! • Powerful search engine • Graphical Engines • Multiple APIs • Integration with third parties 9
  • 10. The O2 Platform • A comprehensive UI! 10
  • 11. The O2 Platform • A look at the IE automation editor 11
  • 12. The O2 Platform • IE Automation syntax:
      var topPanel = panel.clear().add_Panel();
      var ie = topPanel.add_IE().silent(false);
      ie.open("http://www.google.com");
      ie.field("q").Value = "OWASP Costa Rica";
      //O2File:WatiN_IE_ExtensionMethods.cs
      //O2Ref:WatiN.Core.1x.dll
      //O2Tag_DontAddExtraO2Files;
  • 13. The O2 Platform • O2 Platform inside Visual Studio IDE 13
  • 14. The O2 Platform Where to get the O2 Platform? • From the Visual Studio Gallery: http://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2 • Getting the standalone installer: http://tiny.cc/O2Platform • For more info on O2 see: • O2 related posts on this blog: http://diniscruz.blogspot.co.uk/search/label/O2 Platform • O2 Blog: https://o2platform.wordpress.com
  • 15. Agenda • An overview of the O2 Platform • An overview of Microsoft ASP.net MVC Framework • A demo running the IE automation script against Music Store MVC Application. 15
  • 16. MVC Architecture Architecture of the World Wide Web • Addressable resources • Standard resource formats • Uniform interface for interacting with resource • Stateless and Hyperlinking 16
  • 17. Uniform Interface • GET: retrieves a resource; safe; cacheable. • POST: creates a new resource; unsafe, the effect of this verb is not defined by HTTP. • PUT: updates an existing resource; also used for resource creation; idempotent. • DELETE: removes a resource; calling it N times always has the same effect (idempotent).
  • 18. MVC Architecture Web Applications should embrace the Web! 18
  • 19. MVC Architecture • MVC is a standard design pattern that many developers are familiar with. Some types of web applications will benefit from the MVC framework. • Some features: – Embrace the Web: MVC is a standards-compliant architecture that embraces the web architecture. – Easy to implement: the industry is adopting the MVC framework because it provides an easy approach to rapid application development. – Separation of concerns: this architecture is designed to separate responsibilities within your application. – Testability. Taken from: http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview
  • 20. MVC Architecture • MVC Actors: Taken from :http://www.asp.net/mvc/tutorials/older-versions/overview/asp-net-mvc-overview 20
  • 21. MVC Architecture • Models: model objects are the parts of the application that implement the logic for the application's data domain. • Retrieve and store model state in databases. • Examples are a Product model, a Customer model or a Speaker model.
  • 22. MVC Architecture • Views: components that display the application's user interface (UX). • Created from model data. • An example is editing a Speaker's information, displaying text boxes for name and address.
  • 23. MVC Architecture • Controllers: components that handle user interactions, work with the model and select a view to render in the UI. • Handle and respond to user input and interactions.
  • 24. MVC Architecture • Vulnerabilities on top of the MVC framework • MVC applications are vulnerable to most of the attack vectors found in web applications (XSS, CSRF). • Mass Assignment (Auto Binding): this vulnerability can be found in Spring MVC and in the Microsoft ASP.NET MVC framework.
  • 25. MVC Architecture • Mass Assignment (aka Auto Binding). • MVC frameworks rely heavily on binding query strings, route values and form values to in-code objects. • This vulnerability is a kind of parameter tampering. • Model binding works by assigning HTML form fields to object properties.
  • 26. MVC Architecture Mass Assignment (aka Auto Binding). • Let's take a look at the following model object:
      public class BlogMember
      {
          public string Name { get; set; }
          public string LastName { get; set; }
          public string EmailAddress { get; set; }
          public bool IsAdmin { get; set; }
      }
  • 27. MVC Architecture What can happen? Someone could send an HTTP request using Fiddler2 or cURL:
      Request URL: http://yourBlog/register
      Request Method: POST
      Status Code: 200 OK
      ......
      Name: Michael
      LastName: Hidalgo
      EmailAddress: michael.hidalgo@owasp.org
      IsAdmin: true
  • 28. Agenda • An overview of the O2 Platform • An overview of Microsoft ASP.net MVC Framework • A demo running the IE automation script against Music Store MVC Application. 28
  • 29. MVC Architecture Running an O2 demo!!!
  • 30. MVC Architecture How to protect against mass assignment? • Never trust user input!!!! • Match incoming parameters • Use a ViewModel • Protect your sensitive model properties (e.g. SSN, IDs, account numbers)
  • 31. MVC Architecture How to protect against mass assignment? Matching incoming parameters
  • 32. MVC Architecture How to protect against mass assignment? Protecting sensitive fields (using the Bind attribute)
  • 33. MVC Architecture How to protect against mass assignment? • Protecting sensitive fields (using the Bind attribute) • Blacklist
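The slides for 31 to 33 were code screenshots that did not survive the transcript, so the following is an added example, not code from the deck or from the O2 Platform. It takes the BlogMember model from slide 26 and shows the vulnerable action from slide 27 next to the four defences of slides 30 to 33, written against ASP.NET MVC 5 (System.Web.Mvc). The controller and action names, the RegisterViewModel, the Id property and the in-memory List standing in for a database are assumptions made for the illustration.

```csharp
// Added example (not from the slides): mass assignment on BlogMember and its fixes
// in ASP.NET MVC 5. Controller/action names, RegisterViewModel, Id and the in-memory
// store are assumptions for illustration only.
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;

public class BlogMember
{
    public int Id { get; set; }             // assumed, needed for the Edit action
    public string Name { get; set; }
    public string LastName { get; set; }
    public string EmailAddress { get; set; }
    public bool IsAdmin { get; set; }       // privileged: must never come from a form
}

// Slide 30, "Use a ViewModel": carries only what the registration form may set.
public class RegisterViewModel
{
    [Required] public string Name { get; set; }
    [Required] public string LastName { get; set; }
    [Required, EmailAddress] public string EmailAddress { get; set; }
}

public class MembersController : Controller
{
    // Stand-in for the database so the example is self-contained (assumption).
    private static readonly List<BlogMember> Store = new List<BlogMember>();

    // VULNERABLE (slide 27). The default model binder sets every public writable
    // property it can match, so this POST body creates an administrator:
    //   Name=Michael&LastName=Hidalgo&EmailAddress=michael.hidalgo%40owasp.org&IsAdmin=true
    [HttpPost]
    public ActionResult RegisterVulnerable(BlogMember member)
    {
        Save(member);
        return RedirectToAction("Index");
    }

    // FIX A (slide 32): [Bind(Include=...)] whitelists the bindable properties.
    // IsAdmin keeps its default (false) whatever the request carries.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterInclude(
        [Bind(Include = "Name,LastName,EmailAddress")] BlogMember member)
    {
        Save(member);
        return RedirectToAction("Index");
    }

    // FIX B (slide 33): blacklist with [Bind(Exclude=...)]. Works now, but any
    // privileged property added to BlogMember later is bindable until someone
    // remembers to list it here. Prefer the whitelist.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult RegisterExclude([Bind(Exclude = "IsAdmin")] BlogMember member)
    {
        Save(member);
        return RedirectToAction("Index");
    }

    // FIX C (slide 30): bind a purpose-built ViewModel and copy fields explicitly.
    // The domain object is never handed to the binder, so there is nothing to tamper with.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel form)
    {
        if (!ModelState.IsValid)
            return View(form);

        var member = new BlogMember
        {
            Name = form.Name,
            LastName = form.LastName,
            EmailAddress = form.EmailAddress,
            IsAdmin = false              // privilege is granted by server-side logic only
        };
        Save(member);
        return RedirectToAction("Index");
    }

    // FIX D (slide 31, "Match incoming parameters"): when updating an existing
    // entity, load it first and let TryUpdateModel bind only the named properties.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var member = Store.FirstOrDefault(m => m.Id == id);
        if (member == null)
            return HttpNotFound();

        var allowed = new[] { "Name", "LastName", "EmailAddress" };
        if (!TryUpdateModel(member, allowed))
            return View(member);         // validation failed: re-render the form

        return RedirectToAction("Index");
    }

    private static void Save(BlogMember member)
    {
        member.Id = Store.Count + 1;
        Store.Add(member);
    }
}
```

Of the four, the ViewModel (Register) and the Include whitelist are the ones to reach for: both fail closed when a new sensitive property is added to the model. The Exclude blacklist fails open in exactly that case, which is why slide 33 lists it last. [ValidateAntiForgeryToken] is there because slide 24 names CSRF alongside mass assignment; it needs the matching @Html.AntiForgeryToken() in each form, and the GET actions that render those forms are left out of the example. In ASP.NET Core the same whitelist is written [Bind("Name,LastName,EmailAddress")] and TryUpdateModelAsync plays the role of TryUpdateModel.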
  • 34. Q&A Michael Hidalgo michael.hidalgo@owasp.org 34