[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Practice
Shreeraj Shah
1. Session J6 Demo: New Defenses for .NET Web Apps: IHttpModule in Practice
2. Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Founder & Director – Blueinfy Solutions Pvt. Ltd. (Brief) – SecurityExposure.com
Past experience – Net Square, Chase, IBM & Foundstone
Interest – Web security research
Published research
– Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories – .NET, Java servers etc.
Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
© Blueinfy Solutions Pvt. Ltd.
3. Agenda
Application Security Landscape
Application Security Approaches
WAF – A Quick Look
.NET and HTTP processing
Introducing IHttpModule
Security Framework through a set of Modules
Conclusion
Methods – Concepts, Code Walk and Demos

4. Application Security Landscape

5. Application Security State
95% of companies hacked through web ports [FBI/CSI]
3 out of 4 web sites are vulnerable to attack (Gartner)
Every 1500 lines of code has one security vulnerability (IBM Labs)
2000 attacks / week for an unprotected web site
6. Real life cases
[figure: screenshots of real-life incidents; no text recoverable]

7. Next Generation Applications – 2.0
80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey)
By the end of 2007, 30 percent of large companies have some kind of Web 2.0-based business initiative up and running. (Gartner)
2008: Web Services or Service-Oriented Architecture (SOA) would surge ahead. (Gartner)

8. Real life Cases – 2.0
[figure: Web 2.0 incident labels, as far as recoverable from the chart: CSRF through Flash from a scrapbook page; loading a JS file through an added filter (label partly garbled); attacking blogs and boards through RSS feeds; XSS through Flash components; HTTP response splitting]
Source: The Web Hacking Incidents Database [http://webappsec.org/projects/whid/]

9. Attack vectors and types
[figure: WASC threat classification chart]
Source: Web Application Security Consortium (WASC)
10. New Attack Vectors
XML manipulation
SOAP and XML-RPC attacks and tampering
CSRF with Ajax and Flash
XSS with JSON streams
Mashup and RSS attacks

11. Web Application Layout
[figure: three zones, Internet / DMZ / Trusted. Web client → Web server (static pages: HTML, HTM, DHTML etc.; scripted/dynamic pages: ASP, PHP, CGI etc.) → Web application engine / application servers (ASP.NET with the integrated .NET framework, J2EE app server, Web Services etc.) → DB in the internal/corporate network]

12. Attack Surface and Controls
[figure: layered attack surface with the control that covers each layer]
Application level – Web attacks (SQL injection, parameter tampering etc.) and Web Services attacks; covered by application controls (web/customized etc.)
Services level – IIS web/SMTP/POP etc.: brute force, RPC buffer overflow, null session etc.
Operating system level – ipc$/wu-ftpd/sunrpc etc.
Firewall
Added defense – Accounts/Shares/Patches/updates/Logging/Auditing/Ports/Registries etc.

13. Root cause of Vulnerabilities
CSI Security Survey: Vulnerability Distribution
[figure: pie chart] programming errors 64%; misconfiguration and other problems 36%
14. Application Security Approaches

15. How to defend?
Two approaches
– Secure coding, with proper validation at all levels to guard the application layer.
– Application-layer traffic filtering to detect and block malicious requests/responses.

16. Secure Coding
It is the perfect and ideal approach. But…
– Needs recoding
– Takes longer to fix
– A quick fix is often required
– QA process after changes
– High cost
Any workaround?

17. Web Application Firewall (WAF)
HTTP request and response filtering, like a traditional firewall, but specific to the application layer and with well-crafted rules.
It is catching on and succeeds in detecting and blocking unintended traffic.
It can block SQL injection, XSS, CSRF and many other attack vectors, to the extent its rules describe them.

18. WAF – A Quick Look

19. Web Application Firewall (WAF)
Advantages
– Quick to add rules
– Can act as first line of defense
– No recoding is required
– Easy to implement and manage

20. Application Infrastructure
[figure: Internet / DMZ / Trusted zones. Web client → Corporate firewall → Web server → Application resources → DB in the internal/corporate network]
21. WAF in Action
[figure: the same layout with (1) a Web Application Firewall placed in front of IIS and (2) a Web Application IDS watching the traffic between the web server, the application resources and the DB]

22. SQL injection attack
[figure: the request http://store/products/display.asp?pg=1&product=7 passing from the client through the web server to the web application and its DB]

23. SQL injection attack
SQL injection – WAF filtering
Payloads – ', ", OR, SELECT
[figure: the same request, with the WAF inspecting the pg and product parameters for these payloads before the web application reaches the DB]

24. WAF models
The following models are possible
– Network traffic level filtering [SSL is an issue: the filter can only inspect TLS traffic if it terminates it or is given the server key]
– Host level at the web server
– Host level + reverse proxy
25. .NET and HTTP processing

26. IIS architecture
It is important to understand how IIS works.
.NET is integrated into IIS and applications can leverage its events.
IIS 7.0 (shipping with Windows Server 2008) comes with a change, the integrated pipeline, that helps in building a WAF.

27. IIS higher level view
[figure]

28. IIS 6.0 + ASP.NET
[figure]

29. IIS 6.0 – Limitation
ASP.NET does not have direct access to the HTTP pipe
It can access ASP.NET requests only (those mapped to aspnet_isapi.dll)
The framework is an ISAPI extension hooked into IIS
C++-based hooks (ISAPI filters) are needed to access the generic pipe

30. Solved! IIS 7.0 – Change in Architecture
Integrated mode
.NET assemblies can be hooked directly into the pipe
Full access to HTTP requests
Can handle both .NET-based as well as generic requests
Access to all incoming requests…

31. IIS 7.0 – Integrated Mode
[figure]

32. Introducing IHttpModule
33. How to hook?
The web application has its own scope, and the HTTP pipeline can be accessed from it.
The HTTP request can be accessed before it hits application resources.
HttpModule and HttpHandler are the defense at your gates.

34. HTTP pipe for .NET Web Application
[figure: Client → request/response → IIS → aspnet_isapi.dll → HttpApplication → HttpModule(s) → HttpHandler → Web Application Resource]

35. Interfaces and Hooks
[figure: HttpRuntime → HttpApplicationFactory → HttpApplication → IHttpModule(s) → HttpHandlerFactory → Handler; the Web Application Firewall & IDS sit at the IHttpModule stage]

36. Leveraging Interfaces
HttpModule and HttpHandler can be leveraged.
An application-layer firewall can be cooked up for your application.
Similarly, an IDS for the web application can be developed.
It sits in the HTTP pipe and defends the web application.

37. For IIS 7.0
Integrated mode with full access
Possible to cook up a reverse proxy as well
Traffic can be controlled at the gates
Sound defense can be created with minimal coding
Your module can be at the top of the pipe
Can access
– HttpResponse.Headers
– HttpRequest.Headers
– HttpRequest.ServerVariables

38. Implementing IHttpModule

39. IHttpModule
Managed code in C# can be hooked into the HTTP pipe.
A module can help in filtering HTTP requests.
Let's see its implementation.

40. IHttpModule
```csharp
using System;
using System.Web;

// IHttpModule has two members. Init receives the HttpApplication, which
// exposes the pipeline events the module subscribes to.
public class iAppFilter : IHttpModule
{
    public void Init(HttpApplication application) { }

    public void Dispose() { }
}
```
Access to HttpApplication
41. HttpApplication
[figure]

42. Event Mapping
[figure]

43. Event Trapping and Firewall
[figure]

44. Accessing HTTP request
Access with BeginRequest
– Access to the HttpContext
– Access to headers
– All server variables
– Complete access for filtering

45. Hooking to HTTP pipe
```csharp
public void Init(HttpApplication application)
{
    // BeginRequest is the first pipeline event; it fires before any handler runs.
    application.BeginRequest += new EventHandler(this.Application_BeginRequest);
}

private void Application_BeginRequest(Object source, EventArgs e)
{
    HttpApplication application = (HttpApplication)source;
    HttpContext context = application.Context;
    // context.Request and context.Response are now available for inspection.
}
```

46. Processing POST
```csharp
string postreq = null;
if (app.Request.ServerVariables["REQUEST_METHOD"] == "POST")
{
    long streamLength = app.Request.InputStream.Length;
    byte[] contentBytes = new byte[streamLength];
    app.Request.InputStream.Read(contentBytes, 0, (int)streamLength);
    // Rewind so a handler that reads InputStream itself still sees the body.
    app.Request.InputStream.Position = 0;
    postreq = System.Text.Encoding.UTF8.GetString(contentBytes);
}
```

47. Request / Response
[figure]

48. Putting it in action
A DLL gets created after compilation
The module goes in the Bin folder
Add it to the config file
It is different for IIS 7.0 in integrated mode
The directives are different
Let's see in detail
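The fragments in slides 40 to 46 assembled into one working module, as an added example that is not code from the deck; it also stands in for the validation and IDS modules described later in the framework slides. The class name AppWallModule, the assembly name AppWall in the registration comment, the two signature patterns and the 1 MB body cap are this example's own assumptions. It subscribes to BeginRequest, inspects the decoded query string and (for POST) the raw body, logs a hit through System.Diagnostics.Trace and answers 403 before any handler runs.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Registration (assumed assembly name "AppWall"):
//   IIS 7 integrated mode:  <system.webServer><modules>
//                             <add name="AppWall" type="AppWallModule, AppWall"/>
//                           </modules></system.webServer>
//   IIS 6 / classic mode:   <system.web><httpModules>
//                             <add name="AppWall" type="AppWallModule, AppWall"/>
//                           </httpModules></system.web>
public class AppWallModule : IHttpModule
{
    // Bodies above this size (file uploads) are left to the handler rather than
    // buffered a second time in memory; the cap and both patterns are assumptions.
    private const int MaxInspectedBytes = 1024 * 1024;

    private static readonly Regex SqlPattern = new Regex(
        @"'\s*(or|and)\s+[\w']+\s*=|union\s+select|;\s*(drop|exec|xp_)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    private static readonly Regex XssPattern = new Regex(
        @"<\s*script|javascript\s*:|\bon\w+\s*=\s*[""']",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public void Init(HttpApplication application)
    {
        // BeginRequest is the first pipeline event, so a block here keeps the
        // payload away from every handler; in integrated mode that includes
        // requests that are not handled by ASP.NET at all.
        application.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        // Url.Query is still percent-encoded; decode before matching so that
        // %27 and friends do not slip past the patterns.
        string query = HttpUtility.UrlDecode(request.Url.Query ?? string.Empty);
        string body = request.HttpMethod == "POST" ? ReadBody(request) : string.Empty;

        // Form bodies are percent-encoded too; for JSON the decode only turns
        // '+' into a space, which does not hide these patterns.
        string verdict = Inspect(query) ?? Inspect(HttpUtility.UrlDecode(body));
        if (verdict == null) return;

        // IDS side of the module: record what was blocked, from where, and why.
        Trace.TraceWarning("AppWall blocked {0} from {1}: {2} {3}",
            verdict, request.UserHostAddress, request.HttpMethod, request.RawUrl);

        app.Context.Response.StatusCode = 403;
        app.Context.Response.SuppressContent = true;
        app.CompleteRequest();   // skip the remaining events and the handler
    }

    // Returns the name of the first matching signature class, or null if clean.
    public static string Inspect(string text)
    {
        if (string.IsNullOrEmpty(text)) return null;
        if (SqlPattern.IsMatch(text)) return "sqli";
        if (XssPattern.IsMatch(text)) return "xss";
        return null;
    }

    private static string ReadBody(HttpRequest request)
    {
        Stream input = request.InputStream;
        if (input.Length > MaxInspectedBytes) return string.Empty;

        var buffer = new byte[input.Length];
        int total = 0;
        while (total < buffer.Length)
        {
            int n = input.Read(buffer, total, buffer.Length - total);
            if (n == 0) break;
            total += n;
        }
        // Rewind so a handler that reads InputStream itself still sees the body.
        input.Position = 0;
        return request.ContentEncoding.GetString(buffer, 0, total);
    }
}
```

Signature matching of this kind is a first line of defense, not a replacement for parameterised queries and output encoding: anything the module does not decode (nested encodings, alternative charsets, multipart bodies above the cap) reaches the application unchecked, so treat every Trace warning as a prompt to look at the handler behind it.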
49. Security Framework through a set of Modules

50. Accessing all requests
It is important to access all incoming HTTP requests
IIS 6.0 limitation – can be overcome [somewhat] by using wildcard mapping, which routes every extension through aspnet_isapi.dll
IIS 7.0 – leveraging integrated mode

51. IIS 6.0 – Wildcard mapping
[figure]

52. IIS 7.0 – Integrated mode
```xml
<system.webServer>
  <modules>
    <add name="iAppWall" type="iAppWall"/>
  </modules>
</system.webServer>
```
In classic mode and on IIS 6.0 the same module is registered under <system.web><httpModules> instead. Leave out preCondition="managedHandler" on the <add> element if the module must also see requests that ASP.NET does not handle, such as static files.

53. Security Modules
Various modules can be cooked up: authorization, authentication, filtering, XML processing, IDS etc.
All of them can be part of one DLL or several.

54. Authorization Module
Limited access to IP addresses
Blocking sensitive directories
Session-based access to various areas of the application
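An authorization module of the kind slide 54 describes, as an added example that is not from the deck: it restricts a sensitive directory to an IP allow-list and refuses everything else before a handler is mapped. The class name, the ~/admin/ prefix, the two CIDR ranges and the trusted proxy address are assumptions made for this example. The point a practitioner cares about is the X-Forwarded-For handling: the header is attacker-controlled, so it is honoured only when the TCP peer is the organisation's own reverse proxy, and then only its last entry, which is the one that proxy appended.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Web;

public class AdminAuthorizationModule : IHttpModule
{
    // All three values are this example's assumptions.
    private const string ProtectedPrefix = "~/admin/";
    private static readonly string[] AllowedCidrs = { "10.20.0.0/16", "127.0.0.1/32" };
    private static readonly IPAddress TrustedProxy = IPAddress.Parse("10.0.0.5");

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        // The app-relative path ("~/admin/users.aspx") has already been
        // canonicalised by http.sys and ASP.NET, so ".." and encoded-slash
        // variants do not reach this comparison.
        string path = request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase)) return;

        IPAddress client = ClientAddress(
            IPAddress.Parse(request.UserHostAddress), request.Headers["X-Forwarded-For"]);
        if (IsAllowed(client)) return;

        Trace.TraceWarning("Authorization module denied {0} to {1}", client, request.RawUrl);
        app.Context.Response.StatusCode = 403;
        app.Context.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    public static bool IsAllowed(IPAddress client)
    {
        foreach (string cidr in AllowedCidrs)
            if (InCidr(client, cidr)) return true;
        return false;
    }

    // X-Forwarded-For is client-controlled: honour it only when the TCP peer is
    // our own proxy, and then take the last entry, the one that proxy appended.
    public static IPAddress ClientAddress(IPAddress peer, string forwardedFor)
    {
        if (!peer.Equals(TrustedProxy) || string.IsNullOrEmpty(forwardedFor)) return peer;
        string[] hops = forwardedFor.Split(',');
        IPAddress parsed;
        return IPAddress.TryParse(hops[hops.Length - 1].Trim(), out parsed) ? parsed : peer;
    }

    // Prefix match on the raw address bytes; works for IPv4 and IPv6 alike.
    public static bool InCidr(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (address.AddressFamily != network.AddressFamily) return false;

        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        for (int i = 0; i < a.Length; i++)
        {
            int bits = Math.Min(8, Math.Max(0, prefix - 8 * i));
            int mask = bits == 0 ? 0 : (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}
```

Because the check runs at BeginRequest it also covers static files and any non-ASP.NET content under the directory in integrated mode, which is exactly the coverage the IIS 6.0 wildcard-mapping workaround only approximates. Session-based authorization, the third bullet on the slide, cannot be done at BeginRequest: session state is only populated from PostAcquireRequestState onwards.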
55. Validation Module
Detecting attack vectors like XSS or SQL injection
Blocking those requests at the module level
Covers all incoming parameters, over both GET and POST

56. Web 2.0 Security Module
Web 2.0 runs on XML, JSON, JS arrays etc.
An intelligent module to detect this sort of traffic and block malicious requests
Protecting Web Services running over SOAP, XML/JSON-RPC, REST etc.

57. CSRF Defense Module
Cross-Site Request Forgery is a big concern for sensitive forms
Protection by a Referer check or by a token, implemented in an HTTP module
Securing the application against CSRF attack vectors
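The token variant of the CSRF module on slide 57, as an added example rather than the deck's own code. It keeps one random synchronizer token per session, lets pages render it into a hidden field, and refuses every state-changing request whose hidden field or X-CSRF-Token header does not match. The field, header and session key names are assumptions made for this example. Note the event choice: the deck hooks BeginRequest throughout, but a session-bound check has to wait for PostAcquireRequestState, since session state is not loaded before that.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class CsrfTokenModule : IHttpModule
{
    // Assumed names; pages emit the token as
    //   <input type="hidden" name="__csrf" value="<%= CsrfTokenModule.TokenFor(Context) %>" />
    // and Ajax callers send the same value in the X-CSRF-Token header.
    public const string FieldName = "__csrf";
    public const string HeaderName = "X-CSRF-Token";
    private const string SessionKey = "__csrf_token";
    private static readonly string[] StateChanging = { "POST", "PUT", "DELETE", "PATCH" };

    public void Init(HttpApplication application)
    {
        // Session state is not available at BeginRequest; it is populated by
        // AcquireRequestState, so hook the event that follows it.
        application.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // Returns the session's token, creating it on first use (32 random bytes).
    public static string TokenFor(HttpContext context)
    {
        var session = context.Session;
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;

        if (context.Session == null) return;   // no session for this request type
        if (Array.IndexOf(StateChanging, context.Request.HttpMethod) < 0) return;

        string expected = context.Session[SessionKey] as string;
        string presented = context.Request.Headers[HeaderName] ?? context.Request.Form[FieldName];

        // A missing session token means the form was never rendered for this
        // session, which is just as suspicious as a wrong one.
        if (expected == null || presented == null || !FixedTimeEquals(expected, presented))
        {
            context.Response.StatusCode = 403;
            context.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    // Compares every byte regardless of where the first mismatch is, so the
    // response time does not reveal how much of the token was right.
    public static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

The Referer check the slide mentions as the alternative is cheaper but weaker: browsers and proxies may strip the header, so a module that only accepts requests with a matching Referer breaks legitimate users, and one that also accepts a missing Referer lets an attacker through. Used together, an Origin/Referer check is a useful second layer in front of the token comparison above.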
58. Response Filtering Module
Limited response filtering for critical resources
Monitoring outgoing responses
Capturing suspicious traffic and blocking it
Web 2.0 framework defense – RSS or proxy-based responses
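One way to build the response-filtering module on slide 58, added here as an example and not taken from the deck: an IHttpModule that installs a Stream on HttpResponse.Filter, buffers the rendered output and replaces it with a generic page when it carries a database error message, the kind of leak that tells a SQL injection attacker exactly which payload worked. The class names, the leak signatures, the replacement page and the assembly name in the registration comment are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;

// Register with preCondition="managedHandler" in integrated mode so the filter
// is not wrapped around static files (assumed assembly name "AppWall"):
//   <add name="ResponseScan" type="ResponseScanModule, AppWall" preCondition="managedHandler"/>
public class ResponseScanModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // The filter must be in place before the first flush; wrapping the
        // existing Filter keeps any filter another module installed earlier.
        application.BeginRequest += (sender, e) =>
        {
            HttpResponse response = ((HttpApplication)sender).Response;
            response.Filter = new LeakScanStream(response.Filter, response);
        };
    }

    public void Dispose() { }
}

// Write-only stream that ASP.NET pushes the rendered output through.
public class LeakScanStream : Stream
{
    // Assumed signatures of database errors that should never reach a client.
    private static readonly string[] LeakSignatures =
    {
        "Unclosed quotation mark",
        "You have an error in your SQL syntax",
        "System.Data.SqlClient.SqlException",
        "ORA-00",
    };
    private const string Replacement =
        "<html><body><h1>Error</h1><p>The request could not be completed.</p></body></html>";

    private readonly Stream _inner;
    private readonly HttpResponse _response;
    private readonly MemoryStream _pending = new MemoryStream();

    public LeakScanStream(Stream inner, HttpResponse response)
    {
        _inner = inner;
        _response = response;
    }

    public static bool ContainsLeak(string html)
    {
        foreach (string s in LeakSignatures)
            if (html.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        return false;
    }

    // Buffer rather than forward: a signature may straddle two Write calls.
    public override void Write(byte[] buffer, int offset, int count)
    {
        _pending.Write(buffer, offset, count);
    }

    // ASP.NET flushes and closes the filter when the response is sent, so the
    // scan runs over the whole buffered body; an explicit Response.Flush in the
    // page makes it run per chunk instead.
    public override void Flush()
    {
        byte[] body = _pending.ToArray();
        _pending.SetLength(0);
        bool isHtml = _response.ContentType != null &&
            _response.ContentType.StartsWith("text/html", StringComparison.OrdinalIgnoreCase);
        if (isHtml && ContainsLeak(Encoding.UTF8.GetString(body)))
        {
            body = Encoding.UTF8.GetBytes(Replacement);   // assumes UTF-8 output
        }
        _inner.Write(body, 0, body.Length);
        _inner.Flush();
    }

    public override void Close()
    {
        Flush();
        _inner.Close();
        base.Close();
    }

    public override bool CanRead { get { return false; } }
    public override bool CanSeek { get { return false; } }
    public override bool CanWrite { get { return true; } }
    public override long Length { get { throw new NotSupportedException(); } }
    public override long Position
    {
        get { throw new NotSupportedException(); }
        set { throw new NotSupportedException(); }
    }
    public override int Read(byte[] buffer, int offset, int count) { throw new NotSupportedException(); }
    public override long Seek(long offset, SeekOrigin origin) { throw new NotSupportedException(); }
    public override void SetLength(long value) { throw new NotSupportedException(); }
}
```

Buffering the full body is what makes the scan reliable, and it is also the cost: the filter holds every response in memory until the end of the request, so keep the "critical resources" scope the slide suggests and pair it with customErrors so the application itself stops emitting stack traces in the first place.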
59. IDS Module
Logging all suspicious requests for forensic use
Logging and monitoring can be improved
Logging to a central database, a file or the OS event log.

60. Reverse Proxy Module
Defending non-IIS applications with reverse tunneling.
IIS 7.0 as the front-end server, securing internal servers
Complete control over the full traffic going in/out

61. Conclusion
Next-generation .NET applications can be defended by IHttpModules
IIS 7.0 – integrated mode is going to play a big role
Web 2.0 applications need better filtering capabilities and IHttpModule can deliver them

62. Questions
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com