![Page 1: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/1.jpg)
Some dirty, quick and well-known tricks to hack your bad .NET WebApps
Chema Alonso (@chemaalonso)
![Page 2: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/2.jpg)
OWASP Top Ten
![Page 3: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/3.jpg)
Error Messages
![Page 4: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/4.jpg)
IIS Error Messages - 404
![Page 5: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/5.jpg)
ASP Error Messages
![Page 6: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/6.jpg)
Request Filtering
![Page 7: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/7.jpg)
WAF filter
![Page 8: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/8.jpg)
DEMO 1: There is an error in me
![Page 9: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/9.jpg)
Server Error – 405, 500, …
![Page 10: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/10.jpg)
.NET CustomErrors

```xml
<system.web>
  <customErrors mode="On|Off|RemoteOnly" defaultRedirect="~/Error/Index" />
</system.web>
```
![Page 11: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/11.jpg)
IIS Short Name Bug
![Page 12: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/12.jpg)
IIS Short Name Bug
![Page 13: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/13.jpg)
DEMO 2: There is an IIS in me
![Page 14: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/14.jpg)
Debug Mode

```xml
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>
```
![Page 15: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/15.jpg)
Trace.axd
![Page 16: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/16.jpg)
Elmah
![Page 17: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/17.jpg)
ViewState Disclosure
![Page 18: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/18.jpg)
Hidden Controls
![Page 19: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/19.jpg)
Fuzzins, Fuzzinj, Fuzzing
![Page 20: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/20.jpg)
DEMO 3: 1, 2, 3. Testing, testing.
![Page 21: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/21.jpg)
LINQ Injection: SQL, XPath, …
![Page 22: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/22.jpg)
UDL (Universal Data Links) Files
![Page 23: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/23.jpg)
WebServices
![Page 24: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/24.jpg)
DEMO 4: Searching beneath your backend
![Page 25: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/25.jpg)
Connection String Parameter Pollution
![Page 26: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/26.jpg)
DBConnection Object: pollutable behavior

A connection string in which the same parameter appears more than once:

```
Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D
```

The DBConnection object keeps the last occurrence of each parameter, so Param1 ends up as Value C and Param2 as Value D.
![Page 27: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/27.jpg)
What can be done with CSPP?

DBConnection Object parameters: Data Source, UID, password

```
Data Source=DB1; UID=sa; Data Source=DB2; password=Pwnd!
```

The repeated Data Source replaces DB1 with DB2, and the appended password parameter supplies the attacker's value.
![Page 28: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/28.jpg)
CSPP Attack: Hijacking Web Credentials

Connection string built by concatenating user input:

```
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=' + User_Value + '; Password=' + Password_Value + ';
```

Resulting connection string after pollution:

```
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server; Password=;Integrated Security=true;
```
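As an added illustration (not code from the talk), the following shows the concatenation pattern the slide above describes next to the fix: building the string through `SqlConnectionStringBuilder` from `System.Data.SqlClient` (the .NET Framework namespace of the era; `Microsoft.Data.SqlClient` exposes the same builder). The builder quotes any value that contains `;` or `=`, so user input stays a value and cannot introduce a second keyword. The server name `SQL2005`, the database `db1` and the helper names are placeholders.

```csharp
using System;
using System.Data.SqlClient;

// Added example, not from the talk. Shows why connection string parameter
// pollution works against string concatenation and how
// SqlConnectionStringBuilder prevents it. "SQL2005", "db1" and the method
// names are placeholders.
public static class CsppDemo
{
    // VULNERABLE: user-controlled values are pasted straight into the string.
    // A value containing ";Data Source=...;" adds extra keywords, and SqlClient
    // keeps the LAST occurrence of a keyword, so the injected ones apply.
    public static string BuildVulnerable(string userId, string password)
    {
        return "Data Source=SQL2005; Initial Catalog=db1; Integrated Security=no; " +
               "User ID=" + userId + "; Password=" + password + ";";
    }

    // FIXED: every value goes through the builder, which quotes values that
    // contain ';' or '=' so they cannot become a second keyword.
    public static string BuildSafe(string userId, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "SQL2005",
            InitialCatalog = "db1",
            IntegratedSecurity = false,
            UserID = userId,
            Password = password
        };
        return builder.ConnectionString;
    }

    // Re-parse a finished connection string the way SqlClient does and report
    // which Data Source, Integrated Security and User ID are actually in effect.
    public static (string DataSource, bool IntegratedSecurity, string UserId) Effective(string cs)
    {
        var parsed = new SqlConnectionStringBuilder(cs);
        return (parsed.DataSource, parsed.IntegratedSecurity, parsed.UserID);
    }

    public static void Main()
    {
        // The polluted input from the slide: each value starts with ';' so that
        // what follows is parsed as new keywords.
        string pollutedUser = ";Data Source=Target_Server";
        string pollutedPass = ";Integrated Security=true";

        // With concatenation, the attacker-supplied Data Source and Integrated
        // Security override the application's own, so the app would connect to
        // Target_Server using the web server's Windows identity.
        var vuln = Effective(BuildVulnerable(pollutedUser, pollutedPass));
        Console.WriteLine($"Vulnerable -> DataSource={vuln.DataSource}, IntegratedSecurity={vuln.IntegratedSecurity}");

        // With the builder, the whole polluted value remains the User ID and
        // the application's Data Source and Integrated Security are unchanged.
        var safe = Effective(BuildSafe(pollutedUser, pollutedPass));
        Console.WriteLine($"Safe       -> DataSource={safe.DataSource}, IntegratedSecurity={safe.IntegratedSecurity}, UserID={safe.UserID}");
    }
}
```

The builder is the cheap, general fix; where the application must take a server or database name from the user at all, also validate it against an allow-list, since the builder only guarantees that the value stays a value, not that the value is one the application should accept.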
![Page 29: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/29.jpg)
DEMO 5: Pol-lute yourself. Mix with me.
![Page 30: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/30.jpg)
CSPP Bugs
![Page 31: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/31.jpg)
ASP.NET Web Data Administrator
ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version was published.
![Page 32: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/32.jpg)
Poor Hardening
• Bad HTTPS implementations
  – Bad digital certificate management
  – Weak ciphers
  – Well-known bugs (Heartbleed)
  – Mixed HTTP/HTTPS
    • SSLStrip
  – Secure/HttpOnly flags
  – HSTS
• Use your imagination
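As an added example (not a configuration from the talk), here is a web.config that closes the gaps named on the CustomErrors, Debug Mode, Trace.axd and Poor Hardening slides in one place: detailed errors kept off remote clients, debug compilation off, tracing off, cookies marked HttpOnly and Secure, and an HSTS header. The redirect path and the HSTS max-age are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the talk. Hardens the settings the slides point
     at. "~/Error/Index" and the max-age value are placeholders. -->
<configuration>
  <system.web>
    <!-- CustomErrors slide: RemoteOnly shows the detailed error page only to
         requests from localhost; On hides it everywhere. Remote clients get
         the defaultRedirect page instead of the stack trace. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error/Index" />

    <!-- Debug Mode slide: debug="true" puts source file paths and line
         numbers into error pages. Production builds want false. -->
    <compilation debug="false" />

    <!-- Trace.axd slide: trace output records every request with its headers,
         cookies and form values. Disable it; localOnly is a second barrier
         in case it is re-enabled. -->
    <trace enabled="false" localOnly="true" />

    <!-- Poor Hardening slide (Secure/HttpOnly flags): cookies are not readable
         from script and are never sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Poor Hardening slide (HSTS): browsers that have seen this header
             refuse plain HTTP for the host, which blocks the SSLStrip-style
             downgrade listed under Mixed HTTP/HTTPS. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Two caveats: a static custom header is sent on every binding, so a site that also answers on plain HTTP should emit Strict-Transport-Security from a URL Rewrite outbound rule conditioned on HTTPS instead; and if ELMAH is installed (Elmah slide), its own configuration section needs `<security allowRemoteAccess="false" />` so that elmah.axd is not reachable from outside the server.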
![Page 33: Some dirty, quick and well-known tricks to hack your bad .NET WebApps](https://reader036.vdocuments.mx/reader036/viewer/2022062503/58ae11e81a28aba3178b5fd1/html5/thumbnails/33.jpg)
Questions?