Transcript Slide 1

Building Secure Web
Applications
With ASP.Net MVC
What is ASP.Net MVC?

• An extension to ASP.Net.
• Implements the MVC software pattern, which divides an application's implementation into three component roles:
  – models
  – views
  – controllers.
Models

• "Models" in an MVC-based application are the components responsible for:
  – Maintaining state.
  – Often a database.
Views

• "Views" in an MVC-based application are the components responsible for:
  – Displaying the application's user interface.
  – Typically this UI is created from the model data.
Controllers

• Responsible for:
  – Handling user interaction.
  – Manipulating the model.
  – Choosing a view to render to display the UI.

In an MVC application the view is only about displaying information; it is the controller that handles and responds to user input and interaction.
Part 1: Form Security

• Cross Site Scripting (XSS)
• Injection Flaws

Cross Site Scripting (XSS)

• Common flaw in web applications.
• Allows attackers to execute script in the victim's browser.
• Caused by improper input validation and output encoding.

Cross Site Scripting Prevention

• Request Validation (enabled by default).
• Server.HtmlEncode()
• Microsoft AntiXSS Library

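The three prevention measures above, side by side in one controller. This is an added example, not code from the slides: GuestbookController and its actions are hypothetical, and the third action assumes the AntiXSS library 4.x (Microsoft.Security.Application.Encoder) is referenced.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library 4.x (Microsoft.AntiXssLibrary.dll); assumed referenced

// Constructed example controller: the same "echo the user's comment" action written three ways.
public class GuestbookController : Controller
{
    // VULNERABLE (for contrast): raw input is concatenated straight into the markup.
    // Request Validation would normally reject a request whose "comment" contains markup
    // before this action runs; [ValidateInput(false)] switches that safety net off, which is
    // exactly the situation in which the missing encoding becomes exploitable.
    [ValidateInput(false)]
    public ActionResult ShowRaw(string comment)
    {
        string html = "<p>You wrote: " + comment + "</p>";
        return Content(html, "text/html");
    }

    // HARDENED: Server.HtmlEncode() turns <, >, &, " into entities, so the browser renders the
    // text literally instead of parsing it as tags. Request Validation stays on as a second layer.
    public ActionResult ShowEncoded(string comment)
    {
        string html = "<p>You wrote: " + Server.HtmlEncode(comment) + "</p>";
        return Content(html, "text/html");
    }

    // HARDENED, different output contexts: inside an attribute value or a script block, plain
    // HtmlEncode is not sufficient. The AntiXSS Encoder class is whitelist based and offers one
    // method per context; use the one that matches where the value lands.
    public ActionResult ShowInAttribute(string comment)
    {
        string html = "<input type=\"text\" value=\"" + Encoder.HtmlAttributeEncode(comment) + "\" />"
                    + "<script>var last = " + Encoder.JavaScriptEncode(comment) + ";</script>";
        return Content(html, "text/html");
    }
}
```

In views the same rule applies: `<%= Model.Comment %>` writes the value raw, `<%= Html.Encode(Model.Comment) %>` (or `<%: Model.Comment %>` from MVC 2) encodes it, and Razor's `@` syntax in MVC 3 and later encodes by default. Request Validation is a blocklist on the input side; encoding at the point of output is the control that actually closes the flaw.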
Injection Flaws

• Common in web applications.
• Caused when user input is evaluated as part of a command or query.
• SQL Injection is the most common.

If _userName = "admin" and _password = "' OR 1 = 1 --", the result would be:

    SELECT * FROM tblUsers WHERE UserName = 'admin' and Password = '' OR 1 = 1 --'

Injection Prevention

• MVC is built around a data Model.
• Object Relational Mappers (ORM):
  – Linq to SQL
  – ADO.Net Entity Framework
• Handle CRUD commands in an injection-safe way.
Part 2: Application Security

Malicious File Execution

• Occurs when an attacker is able to upload and execute code on a server.
• The ASP.Net MVC advantage:
  – Classic ASP.Net served pages from their corresponding location on disk.
  – ASP.Net MVC routes requests to the appropriate controller and view.
  – The attacker doesn't know the application's directory structure.
Insecure Direct Object Reference

• Occurs when an application exposes a direct reference to a resource:
  – Files
  – Primary keys for database records
• Attackers can edit these references to gain access to protected data.
• Prevention:
  – Encrypt any reference data when passing it between pages.
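The prevention above (an encrypted reference instead of a raw primary key), as an added example that is not part of the slides. It uses MachineKey.Protect/Unprotect from System.Web (.NET 4.5 and later) for the encryption; ProtectedReference, InvoiceController, the Invoice class and the sample records are hypothetical. It also goes one step beyond the slide: the action still compares the record's owner with the logged-in user, because a valid token only proves the reference was not tampered with, not that the caller may see the record.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Opaque, tamper-evident wrapper around a database key. MachineKey.Protect/Unprotect
// (System.Web, .NET 4.5+) encrypt and MAC the bytes with the application's machine key,
// so an edited token fails to unprotect instead of decoding to a neighbouring id.
public static class ProtectedReference
{
    // The purpose string binds a token to one entity type: an invoice token is not
    // accepted where, say, a document token is expected.
    public static string Protect(int id, string purpose)
    {
        byte[] protectedBytes = MachineKey.Protect(BitConverter.GetBytes(id), purpose);
        return HttpServerUtility.UrlTokenEncode(protectedBytes); // URL-safe base64
    }

    public static int? Unprotect(string token, string purpose)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try
        {
            byte[] protectedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (protectedBytes == null) return null;
            byte[] raw = MachineKey.Unprotect(protectedBytes, purpose);
            return (raw != null && raw.Length == 4) ? BitConverter.ToInt32(raw, 0) : (int?)null;
        }
        catch (CryptographicException)
        {
            return null; // token was modified or issued by a different application
        }
    }
}

public class Invoice
{
    public int Id;
    public string Owner;
    public decimal Total;
}

public class InvoiceController : Controller
{
    private const string Purpose = "InvoiceId";

    // Constructed sample data standing in for the database.
    private static readonly Dictionary<int, Invoice> Invoices = new Dictionary<int, Invoice>
    {
        { 41, new Invoice { Id = 41, Owner = "alice", Total = 120m } },
        { 42, new Invoice { Id = 42, Owner = "bob",   Total = 75m } },
    };

    // VULNERABLE (for contrast): /Invoice/ShowDirect/41 exposes the primary key, and
    // nothing stops a logged-in user from requesting 42.
    public ActionResult ShowDirect(int id)
    {
        Invoice invoice;
        return Invoices.TryGetValue(id, out invoice) ? View(invoice) : (ActionResult)new HttpStatusCodeResult(404);
    }

    // Builds the link for the current user's invoice: /Invoice/Show?reference=<opaque token>.
    [Authorize]
    public ActionResult Index()
    {
        string reference = ProtectedReference.Protect(41, Purpose);
        ViewData["InvoiceLink"] = Url.Action("Show", new { reference });
        return View();
    }

    // HARDENED: the reference is unprotected, and the record's owner is still compared with
    // the caller. The token stops guessing; the ownership check stops a user reusing a token
    // for a record that is no longer theirs.
    [Authorize]
    public ActionResult Show(string reference)
    {
        int? id = ProtectedReference.Unprotect(reference, Purpose);
        if (id == null) return new HttpStatusCodeResult(400);

        Invoice invoice;
        if (!Invoices.TryGetValue(id.Value, out invoice) || invoice.Owner != User.Identity.Name)
            return new HttpStatusCodeResult(404); // same answer for "missing" and "not yours"

        return View(invoice);
    }
}
```

Tokens produced this way are only valid on servers that share the same machineKey configuration, so a web farm needs an explicit `<machineKey>` element in web.config rather than auto-generated keys.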
Cross Site Request Forgery (CSRF)

• Tricks a logged-on victim's browser into sending a pre-authenticated request to a vulnerable web application.
• Can cause a user to perform an action they did not intend to do.
• Example:

CSRF Prevention

• Avoid updating user data from HTTP GET requests.
• ASP.Net MVC AntiForgeryToken

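Both prevention points applied to one profile update: the GET-driven update is shown for contrast, and the hardened version takes POST only and validates the anti-forgery token. This is an added example, not code from the slides; ProfileController and its in-memory Emails store are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

public class ProfileController : Controller
{
    // Constructed sample store standing in for the user table.
    private static readonly Dictionary<string, string> Emails = new Dictionary<string, string>();

    // VULNERABLE (for contrast): state is changed from a GET. The browser sends the victim's
    // authentication cookie with any request for this URL, however that request was
    // triggered, and a GET needs neither a form nor a token.
    [Authorize]
    public ActionResult ChangeEmailViaGet(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }

    // HARDENED, step 1: the form view renders the token. In an ASPX view:
    //   <% using (Html.BeginForm()) { %> <%= Html.AntiForgeryToken() %> ... <% } %>
    // (Razor: @Html.AntiForgeryToken()). This writes a hidden __RequestVerificationToken
    // field plus a cookie holding the matching value.
    [Authorize]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // HARDENED, step 2: only POST, and only when the hidden field and the cookie agree.
    // A page on another site cannot read the hidden field, so a forged form arrives without
    // it and the filter throws HttpAntiForgeryException before the action body runs.
    [Authorize]
    [HttpPost]                 // MVC 2+; on MVC 1 use [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string email)
    {
        Emails[User.Identity.Name] = email;
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        string current;
        Emails.TryGetValue(User.Identity.Name, out current);
        return View((object)current);
    }
}
```

The token check is per request, so every state-changing POST action needs the attribute; putting the hidden field in the form without `[ValidateAntiForgeryToken]` on the receiving action validates nothing.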
Attack Result

Information Leakage and Improper Error Handling

• Improper error handling exposes implementation detail.
• Prevention:
  – Disable debugging.
  – Custom error pages.
  – ASP.Net MVC HandleError Attribute
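The three prevention points together: debugging off and custom errors on in web.config, and the HandleError attribute routing exceptions to a custom view. This is an added example, not code from the slides; ReportController, the ReportTimeout view and BuildReport are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// HandleError only acts when custom errors are enabled, so it goes together with web.config:
//   <compilation debug="false" />
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
// With debug="true" or customErrors mode="Off" the filter stands aside and the stack trace,
// source snippet and framework version are sent to the caller.
[HandleError] // controller-wide default: any unhandled exception renders Views/Shared/Error
public class ReportController : Controller
{
    // Specific mapping for one exception type on this action; everything else falls through
    // to the controller-wide default above.
    [HandleError(ExceptionType = typeof(TimeoutException), View = "ReportTimeout")]
    public ActionResult Generate(int id)
    {
        if (id <= 0)
            throw new ArgumentOutOfRangeException("id");           // generic Error view
        if (id > 1000)
            throw new TimeoutException("report took too long");     // ReportTimeout view
        return View((object)BuildReport(id));
    }

    // The filter hands the view a HandleErrorInfo with the exception and the controller and
    // action names. The view should show the user a generic message and nothing more: record
    // the detail server-side here rather than rendering Model.Exception.Message.
    protected override void OnException(ExceptionContext filterContext)
    {
        System.Diagnostics.Trace.TraceError("Unhandled in {0}: {1}",
            filterContext.RouteData.Values["action"], filterContext.Exception);
        base.OnException(filterContext);
    }

    private static string BuildReport(int id)
    {
        return "Report " + id;
    }
}
```

The default Views/Shared/Error.aspx that the project template generates prints only a fixed message; if a custom error view is written, keep it that way and resist echoing the exception into the page, since that puts the leaked detail back.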
Failure to Restrict URL Access

• The web application only protects URLs by not showing them to unauthorized users.
• The URLs can still be accessed manually.
• Prevention:
  – ASP.Net MVC [Authorize] Attribute
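The flaw and the fix side by side: a controller whose only "protection" is a hidden link, and the same actions under [Authorize]. This is an added example, not code from the slides; the controllers, the Administrators role and the in-memory UserStore are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// VULNERABLE (for contrast): the admin menu is rendered only for administrators, e.g.
//   <% if (User.IsInRole("Administrators")) { %> <%= Html.ActionLink("Delete", "DeleteUser", new { id = 5 }) %> <% } %>
// but the action itself is open, so /UnprotectedAdmin/DeleteUser/5 works for anyone who requests it.
public class UnprotectedAdminController : Controller
{
    public ActionResult DeleteUser(int id)
    {
        UserStore.Delete(id);
        return RedirectToAction("Index");
    }
}

// HARDENED: the authorization filter runs before every action, whether or not a link was
// ever rendered. Callers who are not logged in get a 401, which Forms Authentication turns
// into a redirect to the login page; logged-in users outside the required role get 401 too.
[Authorize] // controller-wide: everything here needs an authenticated user
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View(UserStore.All());
    }

    // Narrower requirement on the dangerous action, combined with HttpPost so the delete
    // cannot be triggered by a plain link either.
    [Authorize(Roles = "Administrators")]
    [HttpPost]
    public ActionResult DeleteUser(int id)
    {
        UserStore.Delete(id);
        return RedirectToAction("Index");
    }
}

// Constructed in-memory store standing in for the real user table.
public static class UserStore
{
    private static readonly List<int> Ids = new List<int> { 1, 2, 3, 4, 5 };
    public static IList<int> All() { return Ids.AsReadOnly(); }
    public static bool Delete(int id) { return Ids.Remove(id); }
}
```

Role names come from the configured RoleProvider (or the roles in the forms ticket), so `Roles = "Administrators"` must match what the provider reports. The attribute also registers an output-cache validation callback, which keeps a protected page from being served out of the cache to the next, unauthorized visitor.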
Thank You

Kevin Watt
www.list2lend.com

Chris Brousseau
www.windows7ips.com