dnn con baltimore security flaws
TRANSCRIPT
@DNNConDon’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?Joshua Bradley / Web Developer
Engage Software@JRBradley1
@DNNConDon’t forget to include #DNNCon in your tweets!
THANKS TO ALL OF OUR GENEROUS SPONSORS!
@DNNConDon’t forget to include #DNNCon in your tweets!
Agenda• Introduction• Cross Site Scripting• SQL Injection• Cross Site Request Forgery• Insecure Direct Object References• Q & A
@DNNConDon’t forget to include #DNNCon in your tweets!
Introduction
•https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet•http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
@DNNConDon’t forget to include #DNNCon in your tweets!
Cross Site Scripting
@DNNConDon’t forget to include #DNNCon in your tweets!
XSS Continued…
@DNNConDon’t forget to include #DNNCon in your tweets!
XSS Continued…
Example 1
@DNNConDon’t forget to include #DNNCon in your tweets!
XSS Continued…
@DNNConDon’t forget to include #DNNCon in your tweets!
XSS Continued…
Example 2
@DNNConDon’t forget to include #DNNCon in your tweets!
XSS Continued…• Html Encode when not needing HTML
• Use Anti XSS library when needing to accept HTML from user input.
@DNNConDon’t forget to include #DNNCon in your tweets!
SQL Injection
@DNNConDon’t forget to include #DNNCon in your tweets!
SQLi Continued…
Example
@DNNConDon’t forget to include #DNNCon in your tweets!
SQLi Continued…• Never do string concatenation with SQL.
• Use an ORM or Parameterized Stored Procedure.
@DNNConDon’t forget to include #DNNCon in your tweets!
Cross Site Request Forgery
@DNNConDon’t forget to include #DNNCon in your tweets!
CSRF Continued…Example
@DNNConDon’t forget to include #DNNCon in your tweets!
CSRF Continued…• Use HttpPost
• ValidateAntiForgery• Never Allow Access from any host
@DNNConDon’t forget to include #DNNCon in your tweets!
Insecure Direct Object References
@DNNConDon’t forget to include #DNNCon in your tweets!
IDOR Continued…Example
@DNNConDon’t forget to include #DNNCon in your tweets!
IDOR Continued…• Use built in Folder and File Manager.
• Avoid using user input when selecting file.
@DNNConDon’t forget to include #DNNCon in your tweets!
Available on GitHub & Slideshare• https://github.com/JoshuaBradley/DnnVulnerableModulesSuite
• http://www.slideshare.net/JoshuaBradley/dnn-con-baltimore-security-flaws
@DNNConDon’t forget to include #DNNCon in your tweets!
Questions
@JRBradley1
@DNNConDon’t forget to include #DNNCon in your tweets!
Resources• http://
www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Documents/DNN/Analysis%20of%20DotNetNuke%20compliance%20against%20OWASP%20Top%2010.pdf
@DNNConDon’t forget to include #DNNCon in your tweets!
Resources•https://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).
aspx• https://
weblog.west-wind.com/posts/2012/Jul/19/NET-HTML-Sanitation-for-rich-HTML-Input
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
@DNNConDon’t forget to include #DNNCon in your tweets!
Resources•http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection
/• https://
www.sql-programmers.com/sql-injection.aspx• https://msdn.microsoft.com/
en-us/library/bb386929.aspx• https://msdn.microsoft.com/
en-us/library/cc716760.aspx
@DNNConDon’t forget to include #DNNCon in your tweets!
Resources• http://www.troyhunt.com/
2013/07/everything-you-wanted-to-know-about-
sql.html• https://github.com/
malcomvetter/WidgetSender