SEA-SURFING IN ASP.NET MVC
BARTOSZ LENAR
THE PLAN
BASICS
 http requests
 authentication
 cookies
 session
SEA-SURFING
 unfixable bug
 hacking the system
 csrf attack
 token-based defence
SPA
 problems
 server-side layer
 client-side layer
FIDDLER
(screenshot: requests and responses)
HTTP
REQUEST
 Method
 Version
 Host
 Rest as key-value pairs:
 Accept
 Cache-control
 …
 BODY
RESPONSE
 Status code
 Version
 Date
 Rest as key-value pairs:
 Content-type
 Content-length
 …
 BODY
COOKIES
 exist in headers as another key-value pair "with parameters"
 cookies consist of
 name
 value
 domain & path
 expiration date
 restrictions (security)
COOKIES SCENARIO
1. sends request to example.org
2. responds with cookie visited: true
3. saves visited:true for example.org
4. sends request to example.org with visited:true cookie in headers
5. knows that client visited this page earlier
HTTP REQUESTS AND COOKIES
WEB AUTHENTICATION
 authentication system
 authorize once at the beginning
 use the system all the time
 but http protocol is stateless!
 every request is independent
 how to simulate the states?
 how to identify request from the specific user?
STATES SCENARIO
1. sends first request to example.org
2. generates über-random identifier
3. sends it back in cookie UserId: QB32SDXC8
4. saves UserId:QB32S… for example.org
5. sends next request to example.org with UserId: QB32SDXC8 cookie in headers
SESSION
 so far: server is able to distinguish users
 session: server-side bag for user data
 key: previously generated identifier stored in cookie
 like QB32SDXC8
 value: yet another dictionary
 user-specific data like name, address, etc.
 security and access data like roles, privileges, etc.
 forms
HACK THE SYSTEM
 do we want to be an authorized user?
 no! we want to act like one!
 to hack the system = to "steal" someone’s session
 maybe "someone" is:
 facebook user – we have all his private data, photos, etc.
 bank user – we know how much money he has
 …
 admin – we can do anything
SESSION HIJACKING
 system/browser backdoor
 steal the cookie from memory
 xss
 sidejacking
 man-in-the-middle
 fixation
 send user url with session id: http://example.org/?&sessionId=QB32SDXC8
 wait for the user to log in
 riding – our topic
THE ROAD TO SESSION RIDING
 we want to download data stored under http://example.org/admin/secret
 let’s think:
 authentication & authorization is based on session
 session is based on cookies
 cookies are being sent to example.org with every request
 how about we prepare a website that sends request to the specified path?
LET’S TRY TO GET THE ADMIN’S SECRET
 what actually happened?
1. browser downloads the entire DOM tree
2. img node is being located
3. browser automatically sends GET request to download the image
 but… there is no image at the end
 nevertheless, browser attached all cookies dedicated to example.org
<img src="http://example.org/admin/secret" />
LET’S TRY TO DO THE ADMIN’S JOB
 GET shouldn’t change anything
 http://example.org/admin/delete-user/?&username=admin
 you’re doing it WRONG!
 let’s mess up with POST / DELETE / PUT …
BUILDING THE FIREWALL
 how browser works:
 attacker is able to send cookies with the request …
 … but is not able to see them!
ANTI-FORGERY TOKEN – HOW IT’S MADE
1. sends request to example.org
2. generates über-random identifier: J723SDA
3. sends it back inside the form and in the cookie
   AntiForgeryToken=J723SDA
   <input name="_token" type="hidden" value="J723SDA" />
ANTI-FORGERY TOKEN – HOW IT WORKS
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: J723SDA
2. validates the request:
• token in cookie is present? true
• token in form is present? true
• do they match each other? true
all true? it’s valid!
ANTI-FORGERY TOKEN – HOW IT SECURES
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: ??????????
2. validates the request:
• token in cookie is present? true
• token in form is present? false
• do they match each other? false
all true? no! respond with 403 Forbidden
DO THE TRICK IN ASP.NET MVC
EVEN MORE SECURE
 create a keyword based on:
 action-specific and user-specific data
 application, server, etc.
 our keyword: "BARTEK"
 hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:
 0BDE667AA88E8832 goes into cookie
 B61BF68C0D4E34A4 goes into form
 on request, compute the keyword once again and validate the tokens
PROBLEMS
 strongly relies on browser security
 doesn’t work with GET requests
 is it a problem in a pure REST service?
 to disable cookies = to disable all communication
 site vulnerable to XSS = we’re doomed
SINGLE PAGE APPS - PROBLEMS
 forms are pre-generated
 which form is going to be triggered next?
API WRAPPER – CLIENT SIDE
 write wrapper for all ajax communication (GET, POST, PUT, DELETE)
 requestSettings contains method, data, etc.
ApiWrapper.prototype._SendRequest = function (requestSettings) {
    var self = this;
    // make sure a headers object exists before attaching the token
    requestSettings.headers = requestSettings.headers || {};
    requestSettings.headers["Token"] = self.Token;
    return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
        // jQuery passes (data, textStatus, jqXHR) on success
        // and (jqXHR, textStatus, errorThrown) on failure
        var jqXHR = (textStatus !== "success") ? arg1 : arg2;
        // the server may rotate the token on every response: remember the new one
        self.Token = jqXHR.getResponseHeader("Token");
        document.cookie = "Token=" + self.Token + ";";
    });
};
API WRAPPER – SERVER SIDE
 keep tokens in cache/database
 nosql
 custom ValidateAntiForgeryTokenAttribute
 validates token from cookie and header
 updating token if necessary
API WRAPPER - USAGE
 write wrapper for all ajax communication (GET, POST, PUT, DELETE)
 return jqXHR from all functions
api.Get('customers/' + customerId)
    .success(function (data) {
        self.Customer(data);
    });

api.Post('customers/' + customerId, editedData)
    .success(function () {
        message.ReportSuccess();
    });
SEA-SURFING IN ASP.NET MVC
QUESTIONS-SURFING
 Fiddler: http://www.telerik.com/fiddler
 Icons: http://www.visualpharm.com/
BARTOSZ LENAR
bartoszlenar@gmail.com
@bartoszlenar

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Sea surfing in asp.net mvc

1. SEA-SURFING IN ASP.NET MVC
   BARTOSZ LENAR

2. THE PLAN
   BASICS
   - http requests
   - authentication
   - cookies
   - session
   SEA-SURFING
   - unfixable bug
   - hacking the system
   - csrf attack
   - token-based defence
   SPA
   - problems
   - server-side layer
   - client-side layer

4. HTTP
   REQUEST
   - Method
   - Version
   - Host
   - Rest as key-value pairs:
     - Accept
     - Cache-control
     - ...
   - BODY
   RESPONSE
   - Status code
   - Version
   - Date
   - Rest as key-value pairs:
     - Content-type
     - Content-length
     - ...
   - BODY

5. COOKIES
   - exist in headers as another key-value pair "with parameters"
   - cookies consist of
     - name
     - value
     - domain & path
     - expiration date
     - restrictions (security)

6. COOKIES SCENARIO
   1. client sends request to example.org
   2. server responds with cookie visited: true
   3. client saves visited:true for example.org
   4. client sends request to example.org with visited:true cookie in headers
   5. server knows that client visited this page earlier

8. WEB AUTHENTICATION
   - authentication system
     - authorize once at the beginning
     - use the system all the time
   - but http protocol is stateless!
     - every request is independent
   - how to simulate the states?
   - how to identify request from the specific user?

9. STATES SCENARIO
   1. client sends first request to example.org
   2. server generates über-random identifier
   3. server sends it back in cookie UserId: QB32SDXC8
   4. client saves UserId:QB32S... for example.org
   5. client sends next request to example.org with UserId: QB32SDXC8 cookie in headers

10. SESSION
   - so far: server is able to distinguish users
   - session: server-side bag for user data
     - key: previously generated identifier stored in cookie, like QB32SDXC8
     - value: yet another dictionary
       - user-specific data like name, address, etc.
       - security and access data like roles, privileges, etc.
       - forms

11. HACK THE SYSTEM
   - do we want to be an authorized user?
   - no! we want to act like one!
   - to hack the system = to "steal" someone's session
   - maybe "someone" is:
     - facebook user – we have all his private data, photos, etc.
     - bank user – we know how much money he has
     - ...
     - admin – we can do anything
12. SESSION HIJACKING
   - system/browser backdoor
     - steal the cookie from memory
   - xss
   - sidejacking
     - man-in-the-middle
   - fixation
     - send user url with session id: http://example.org/?&sessionId=QB32SDXC8
     - wait for the user to log in
   - riding – our topic

13. THE ROAD TO SESSION RIDING
   - we want to download data stored under http://example.org/admin/secret
   - let's think:
     - authentication & authorization is based on session
     - session is based on cookies
     - cookies are being sent to example.org with every request
   - how about we prepare a website that sends request to the specified path?

14. LET'S TRY TO GET THE ADMIN'S SECRET
   (demo slide)

15. LET'S TRY TO GET THE ADMIN'S SECRET
   <img src="http://example.org/admin/secret" />
   - what actually happened?
     1. browser downloads the entire DOM tree
     2. img node is being located
     3. browser automatically sends GET request to download the image
   - but... there is no image at the end
   - nevertheless, browser attached all cookies dedicated to example.org

16. LET'S TRY TO DO THE ADMIN'S JOB
   - GET shouldn't change anything
     - http://example.org/admin/delete-user/?&username=admin
     - you're doing it WRONG!
   - let's mess with POST / DELETE / PUT ...

17. LET'S TRY TO DO THE ADMIN'S JOB
   (demo slide)
18. BUILDING THE FIREWALL
   - how browser works:
     - attacker's page is able to make the browser send cookies with the request ...
     - ... but is not able to see them!

19. ANTI-FORGERY TOKEN – HOW IT'S MADE
   1. client sends request to example.org
   2. server generates über-random identifier: J723SDA
   3. server sends it back inside the form and in the cookie AntiForgeryToken=J723SDA
      <input name="_token" type="hidden" value="J723SDA" />

20. ANTI-FORGERY TOKEN – HOW IT WORKS
   1. client sends request to example.org containing:
      - cookie with token: J723SDA
      - form value with token: J723SDA
   2. server validates the request:
      - token in cookie is present? true
      - token in form is present? true
      - do they match each other? true
      all true? it's valid!

21. ANTI-FORGERY TOKEN – HOW IT SECURES
   1. attacker's page makes the browser send request to example.org containing:
      - cookie with token: J723SDA
      - form value with token: ??????????
   2. server validates the request:
      - token in cookie is present? true
      - token in form is present? false
      - do they match each other? false
      all true? no! respond with 403 Forbidden
22. DO THE TRICK IN ASP.NET MVC
   (demo slide; in ASP.NET MVC the hidden field comes from @Html.AntiForgeryToken() in the form and the check from the [ValidateAntiForgeryToken] filter on the action)

23. EVEN MORE SECURE
   - create a keyword based on:
     - action-specific and user-specific data
     - application, server, etc.
   - our keyword: "BARTEK"
   - hash the keyword: 0BDE667AA88E8832B61BF68C0D4E34A4 and split it:
     - 0BDE667AA88E8832 goes into cookie
     - B61BF68C0D4E34A4 goes into form
   - on request, compute the keyword once again and validate the tokens
24. PROBLEMS
   - strongly relies on browser security
   - doesn't work with GET requests
     - is it a problem in pure, REST service?
   - to disable cookies = to disable all communication
   - site vulnerable to XSS = we're doomed

25. SINGLE PAGE APPS - PROBLEMS
   - forms are pre-generated
   - which form is going to be triggered next?

26. API WRAPPER – CLIENT SIDE
   - write wrapper for all ajax communication (GET, POST, PUT, DELETE)
   - requestSettings contains method, data, etc.

   ApiWrapper.prototype._SendRequest = function (requestSettings) {
       var self = this;
       // attach the current token to every request as a custom header
       requestSettings.headers = requestSettings.headers || {};
       requestSettings.headers["Token"] = self.Token;
       return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
           // .always() receives (data, textStatus, jqXHR) on success
           // and (jqXHR, textStatus, errorThrown) on failure
           var jqXHR = (textStatus !== "success") ? arg1 : arg2;
           // the server rotates the token and returns the new one in the response
           // header; keep the old one if this response carried none
           var token = jqXHR.getResponseHeader("Token");
           if (token) {
               self.Token = token;
               // path=/ so the cookie accompanies every API call, not only the current directory
               document.cookie = "Token=" + self.Token + "; path=/";
           }
       });
   };
27. API WRAPPER – SERVER SIDE
   - keep tokens in cache/database
     - nosql
   - custom ValidateAntiForgeryTokenAttribute
     - validates token from cookie and header
     - updating token if necessary

28. API WRAPPER - USAGE
   - write wrapper for all ajax communication (GET, POST, PUT, DELETE)
   - return jqXHR from all functions

   // .success() was removed in jQuery 3; .done() is the equivalent on the returned jqXHR
   api.Get('customers/' + customerId)
       .done(function (data) {
           self.Customer(data);
       });
   api.Post('customers/' + customerId, editedData)
       .done(function () {
           message.ReportSuccess();
       });
29. SEA-SURFING IN ASP.NET MVC
   QUESTIONS-SURFING
   - Fiddler: http://www.telerik.com/fiddler
   - Icons: http://www.visualpharm.com/
   BARTOSZ LENAR
   bartoszlenar@gmail.com
   @bartoszlenar