[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Practice
Shreeraj Shah
1.
Session J6 Demo
New Defenses for .NET Web Apps: IHttpModule in Practice
2.
Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
Past experience – Net Square, Chase, IBM & Foundstone
Interest – Web security research
Published research
– Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories – .Net, Java servers etc.
Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
© Blueinfy Solutions Pvt. Ltd.
3.
Agenda
Application Security Landscape
Application Security Approaches
WAF – A Quick Look
.NET and HTTP processing
Introducing IHTTPModule
Security Framework through set of Modules
Conclusion
Methods – Concepts, Code Walk and Demos
4.
Application Security Landscape
5.
Application Security State
95% of companies hacked from web ports [FBI/CSI]
3 out of 4 web sites are vulnerable to attack (Gartner)
Every 1500 lines of code has one security vulnerability (IBM Labs)
2000 attacks / week for an unprotected web site
6.
Real life cases
7.
Next Generation Applications – 2.0
80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey)
By the end of 2007, 30 percent of large companies have some kind of Web 2.0-based business initiative up and running. (Gartner)
2008: Web Services or Service-Oriented Architecture (SOA) would surge ahead. (Gartner)
8.
Real life Cases – 2.0
[Figure: recent Web 2.0 incidents, labelled: CSRF through scrapbook, loading js file through Flash, attacking blogs and boards, XSS through RSS feed, Flash components, HTTP Response Splitting]
Source: The Web Hacking Incidents Database [http://webappsec.org/projects/whid/]
9.
Attack vectors and types
Source: Web Application Security Consortium (WASC)
10.
New Attack Vectors
XML manipulation
SOAP and XML-RPC attacks and tampering
CSRF with Ajax and Flash
XSS with JSON streams
Mashup and RSS attacks
11.
Web Application Layout
[Diagram, zones left to right: Internet | DMZ | Trusted | Internal/Corporate]
Web Client → Web Server (static pages: HTML, HTM, DHTML etc.) → Scripted Web Servers and Integrated Framework (dynamic pages: ASP, PHP, CGI etc.; ASP.NET with .Net) → Application Engine (J2EE App Server, Web Services etc.) → DB (Internal/Corporate)
12.
Attack Surface and Controls
[Diagram: attack surface by layer, with the corresponding controls]
Application Level – Web Services attacks (business and application level), Web attacks (SQL injection, parameter tampering etc.); controls: Application Controls, Web Services, Web/customized etc.
Services Level – IIS web/SMTP/POP etc.: brute force, RPC buffer overflow, null session etc.
Operating System Level – ipc$/wu-ftpd/sunrpc etc.
Firewall
Added Defense – Accounts/Shares/Patches/updates/Logging/Auditing/Ports/Registries etc.
13.
Root cause of Vulnerabilities
CSI Security Survey: Vulnerability Distribution
Programming errors – 64%
Misconfiguration, other problems – 36%
14.
Application Security Approaches
15.
How to defend? Two approaches
– Secure coding and having proper validations at all levels to guard the application layer.
– Application layer traffic filtering to detect and block malicious requests/responses.
16.
Secure Coding
It is the perfect and ideal approach. But…
– Needs recoding
– Takes longer time in fixing
– Quick fix is required many times
– QA process after changes
– High cost
Any work around?
17.
Web Application Firewall (WAF)
HTTP request and response filtering like a traditional firewall, but specific to the application layer, with well-crafted rules.
It is catching up and is successful in detecting and blocking unintended traffic.
It can block SQL injection, XSS, CSRF and many other attack vectors.
18.
WAF – A Quick Look
19.
Web Application Firewall (WAF) Advantages
– Quick to add rules
– Can act as first line of defense
– No recoding is required
– Easy to implement and manage
20.
Application Infrastructure
[Diagram, zones left to right: Internet | DMZ | Trusted | Corporate]
Web Client → Firewall → Web Server → Application Resource.. → DB (Internal/Corporate)
21.
WAF in Action
[Diagram, zones left to right: Internet | DMZ | Trusted | Corporate]
Web Client → Firewall → (1) Web Application Firewall in front of the IIS Web Server → Application Resource.. → DB (Internal/Corporate)
(2) Web Application IDS watching the same traffic at the web server
22.
SQL injection attack
http://store/products/display.asp?pg=1&product=7
[Diagram: the request passes from the web app through the web server to the DB; the injected parameter reaches the database query]
23.
SQL injection attack – WAF filtering
Payloads – ', ", OR, SELECT
http://store/products/display.asp?pg=1&product=7
[Diagram: the WAF at the web server inspects the request parameters and blocks the payload before it reaches the DB]
24.
WAF models
Following models are possible
– Network traffic level filtering [SSL is an issue]
– Host level at Web Server
– Host level + Reverse Proxy
25.
.NET and HTTP processing
26.
IIS architecture
It is important to understand how IIS works.
.NET gets integrated into IIS and applications can leverage the events.
IIS 7.0 is coming up with a change that can help in building a WAF.
27.
IIS higher level view
28.
IIS 6.0 + ASP.NET
29.
IIS 6.0 – Limitation
ASP.NET does not have direct access to the HTTP pipe
Can access ASP.NET requests only
Framework is part of ISAPI and hooked to IIS
Needs C++ based hooks to access the generic pipe
30.
Solved! IIS 7.0 – Change in Architecture
Integrated mode
.NET assemblies can be hooked directly to the pipe
Full access to HTTP requests
Can handle both .NET based as well as generic requests
Access to all incoming requests…
31.
IIS 7.0 – Integrated Mode
32.
Introducing IHTTPModule
33.
How to hook?
The web application has its own scope and the HTTP pipeline can be accessed.
The HTTP request can be accessed before it hits application resources.
HTTPModule and HTTPHandler are the defense at your gates. …
34.
HTTP pipe for .NET Web Application
[Diagram] Client → Request / Response → IIS → aspnet_isapi.dll → HttpApplication → HttpModule → HttpModule → HttpModule → HttpHandler → Web Application Resource
35.
Interfaces and Hooks
[Diagram] HttpRuntime → HttpApplicationFactory → HttpApplication → IHttpModule (Web Application Firewall & IDS) → HttpHandlerFactory → Handler
36.
Leveraging Interfaces
HTTPModule and HTTPHandler can be leveraged.
An application layer firewall can be cooked up for your application.
Similarly, an IDS for the web application can be developed.
It sits in the HTTP pipe and defends web applications.
37.
For IIS 7.0
Integrated mode with full access
Possible to cook up a reverse proxy as well
Traffic can be controlled at the gates
Sound defense can be created with minimal coding
Your module can be on top of the pipe
Can access
– HttpResponse.Headers
– HttpRequest.Headers
– HttpRequest.ServerVariables
38.
Implementing IHTTPModule
39.
IHTTPModule
Managed code in C# can be hooked into the HTTP pipe.
The module can help in filtering HTTP requests.
Let's see its implementation.
40.
IHTTPModule
    public class iAppFilter : IHttpModule
    {
        public void Init(HttpApplication application) { }   // entry point: receives the HttpApplication
        public void Dispose() { }
    }
Access to HttpApplication
41.
HttpApplication
42.
Event Mapping
43.
Event Trapping and Firewall
44.
Accessing HTTP request
Access with BeginRequest
– Access to HttpContext
– Access to headers
– All server variables
– Complete access for filtering
45.
Hooking to HTTP pipe
    public void Init(HttpApplication application)
    {
        // Subscribe to BeginRequest: raised for every request before any handler runs
        application.BeginRequest += new EventHandler(this.Application_BeginRequest);
    }

    private void Application_BeginRequest(Object source, EventArgs e)
    {
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;   // request, response and server variables live here
    }
46.
Processing POST
    if (app.Request.ServerVariables["REQUEST_METHOD"] == "POST")
    {
        long streamLength = app.Request.InputStream.Length;
        byte[] contentBytes = new byte[streamLength];
        app.Request.InputStream.Read(contentBytes, 0, (int)streamLength);
        app.Request.InputStream.Position = 0;   // rewind so the handler can still read the body
        postreq = System.Text.Encoding.UTF8.GetString(contentBytes);
    }
47.
Request / Response
48.
Putting it in action
DLL gets created after compilation
Module in Bin folder
Adding to config file
It is different with IIS 7.0 for integrated mode – directives are different
Let's see in detail
49.
Security Framework through set of Modules
50.
Accessing all requests
It is important to access all incoming HTTP requests
IIS 6.0 limitation – can be overcome by using wildcard mapping [somewhat]
IIS 7.0 – leveraging integrated mode
51.
IIS 6.0 – Wildcard mapping
52.
IIS 7.0 – Integrated mode
    <modules>
        <add name="iAppWall" type="iAppWall"/>
    </modules>
53.
Security Modules
Various modules can be cooked up: Authorization, Authentication, Filtering, XML processing, IDS etc.
All of them can be part of one DLL or multiple.
54.
Authorization Module
Limited access to IP addresses
Blocking sensitive directories
Session based access to various areas of the application
55.
Validation Module
Detecting attack vectors like XSS or SQL injection
Blocking those requests at the module level
Total security for all incoming parameters, both over GET and POST
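A complete module that puts slides 45–46 (hooking BeginRequest and reading the POST body) and slide 55 (the validation module) together. It is an added example, not the talk's iAppFilter/iAppWall code; the class name, the pattern list and the 1 MiB body cap are assumptions made here.

```csharp
using System;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical validation module (an added example, not the talk's iAppFilter/iAppWall code).
// It hooks BeginRequest, inspects every GET and POST parameter, answers HTTP 403 when a value
// matches an injection/XSS pattern, and logs the event so an IDS module can pick it up.
public class RequestValidationModule : IHttpModule
{
    // Upper bound on the body buffered for inspection (1 MiB, a value chosen for this example).
    private const int MaxInspectedBodyBytes = 1024 * 1024;

    // Deliberately small pattern set for the demo; a production ruleset is larger and is tuned
    // against the application's real parameters to keep false positives down.
    private static readonly Regex[] AttackPatterns =
    {
        new Regex(@"<\s*script|javascript\s*:|\bon\w+\s*=", RegexOptions.IgnoreCase),
        new Regex(@"['""]\s*(or|and)\s+[^=]+=", RegexOptions.IgnoreCase),
        new Regex(@"\b(union\s+select|select\s+.+\s+from|drop\s+table)\b", RegexOptions.IgnoreCase),
        new Regex(@";\s*--|/\*.*\*/"),
    };

    public void Init(HttpApplication application)
    {
        application.BeginRequest += Application_BeginRequest;
    }

    public void Dispose() { }

    private void Application_BeginRequest(object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;
        string offendingParam;
        if (ContainsAttack(context.Request.QueryString, out offendingParam)
            || ContainsAttack(ReadFormParameters(context.Request), out offendingParam))
        {
            LogSuspiciousRequest(context, offendingParam);
            context.Response.Clear();
            context.Response.StatusCode = 403;
            context.Response.Write("Request blocked.");
            app.CompleteRequest();   // short-circuit the pipeline; the handler never runs
        }
    }

    // Reads the raw POST body as the slides do, but with a size cap and a rewind so that the
    // handler (and Request.Form) can still read the same body afterwards.
    private static NameValueCollection ReadFormParameters(HttpRequest request)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)
            || !request.ContentType.StartsWith("application/x-www-form-urlencoded",
                                               StringComparison.OrdinalIgnoreCase))
            return new NameValueCollection();   // JSON/XML bodies are the Web 2.0 module's job

        var body = request.InputStream;
        int length = (int)Math.Min(body.Length, MaxInspectedBodyBytes);
        byte[] buffer = new byte[length];
        body.Position = 0;
        int read = body.Read(buffer, 0, length);
        body.Position = 0;   // rewind for downstream readers
        // A form body uses the same name=value&name=value encoding as a query string.
        return HttpUtility.ParseQueryString(Encoding.UTF8.GetString(buffer, 0, read));
    }

    // True when any parameter value matches a pattern; reports the parameter name for the log.
    private static bool ContainsAttack(NameValueCollection parameters, out string offendingParam)
    {
        foreach (string key in parameters.AllKeys)
        {
            string[] values = parameters.GetValues(key) ?? new string[0];
            if (values.Any(v => AttackPatterns.Any(p => p.IsMatch(v))))
            {
                offendingParam = key ?? "(unnamed)";
                return true;
            }
        }
        offendingParam = null;
        return false;
    }

    // IDS hook: the slides list database, file or OS event log as sinks; System.Diagnostics
    // tracing is used here so the example runs without registering an event-log source.
    private static void LogSuspiciousRequest(HttpContext context, string param)
    {
        Trace.TraceWarning("Blocked {0} {1} from {2}; offending parameter: {3}",
            context.Request.HttpMethod, context.Request.RawUrl,
            context.Request.UserHostAddress, param);
    }
}
```

Register it under `<modules>` as on slide 52 (or under `<httpModules>` in system.web for IIS 6.0). A denylist like this catches only the obvious payloads and belongs alongside the secure-coding fixes of slide 16, not in place of them.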
56.
Web 2.0 Security Module
Web 2.0 runs on XML, JSON, JS-Array etc..
Intelligent module to detect these sorts of traffic and block malicious requests
Protecting Web Services running over SOAP, XML/JSON-RPC, REST etc.
57.
CSRF Defense Module
Cross Site Request Forgery is a big concern for sensitive forms
Protection by referrer tag or token by HTTP module
Securing the application against CSRF attack vectors
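An added example of the CSRF defense module described above (not code from the talk): the referrer check and the token check in one IHttpModule. The class name, the `__csrf_token` field name and the use of session state as the token store are assumptions made here.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical CSRF defense module (an added example, not code from the talk). It applies the two
// checks the slide names to every POST: the Origin/Referer header must point at this host, and a
// per-session synchronizer token must come back in the form; either failure answers HTTP 403.
public class CsrfDefenseModule : IHttpModule
{
    // Session slot and hidden-field name; both names are chosen for this example.
    private const string TokenKey = "__csrf_token";

    public void Init(HttpApplication application)
    {
        // PostAcquireRequestState is the first pipeline event at which Session is populated.
        application.PostAcquireRequestState += Application_PostAcquireRequestState;
    }

    public void Dispose() { }

    private void Application_PostAcquireRequestState(object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;
        if (context.Session == null) return;   // no session for this request (e.g. a static file)

        string expected = GetOrCreateToken(context);   // issue the token early so pages can embed it
        if (!string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;   // only state-changing requests are checked

        if (!SourceMatchesHost(context.Request) || !TokenMatches(context.Request, expected))
        {
            context.Response.Clear();
            context.Response.StatusCode = 403;
            context.Response.Write("Cross-site request rejected.");
            app.CompleteRequest();
        }
    }

    // Pages render <input type="hidden" name="__csrf_token" value="..."> with this value.
    public static string CurrentToken(HttpContext context)
    {
        return GetOrCreateToken(context);
    }

    private static string GetOrCreateToken(HttpContext context)
    {
        string token = context.Session[TokenKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];   // 256 bits from the OS CSPRNG
            new RNGCryptoServiceProvider().GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            context.Session[TokenKey] = token;
        }
        return token;
    }

    // Origin is preferred and Referer is the fallback the slide mentions. A POST carrying neither
    // is rejected here: a browser form post from one of our own pages always sends at least one.
    private static bool SourceMatchesHost(HttpRequest request)
    {
        string source = request.Headers["Origin"] ?? request.Headers["Referer"];
        Uri sourceUri;
        if (string.IsNullOrEmpty(source) || !Uri.TryCreate(source, UriKind.Absolute, out sourceUri))
            return false;
        return string.Equals(sourceUri.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }

    // Constant-time comparison so the token cannot be guessed byte by byte through timing.
    private static bool TokenMatches(HttpRequest request, string expected)
    {
        string supplied = request.Form[TokenKey];
        if (supplied == null || supplied.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= supplied[i] ^ expected[i];
        return diff == 0;
    }
}
```

Origin or Referer can be absent for legitimate reasons (privacy settings, some proxies), so deployments usually treat the token as the primary check and the header comparison as a secondary signal, relaxing the header rule rather than the token rule.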
58.
Response Filtering Module
Limited response filtering for critical resources
Monitoring outgoing requests
Capturing suspicious traffic and blocking it
Web 2.0 framework defense – RSS or proxy based responses
59.
IDS Module
Logging all suspicious requests for forensic use
Logging and monitoring can be improved
Logging to central database, file or OS events.
60.
Reverse Proxy Module
Defending non-IIS applications with reverse tunneling.
IIS 7.0 as front end server and securing internal servers
Complete control over full traffic going in/out
61.
Conclusion
Next generation .NET applications can be defended by IHTTPModules
IIS 7.0 – Integrated mode is going to play a big role
Web 2.0 applications need better filtering capabilities and IHTTPModule can deliver it
62.
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Questions