Transcript Slide 1
All Input is Evil (Part 1)
Introduction
Will not cover everything
Healthy level of paranoia
Use my DVD Swap Shop application (week 2)
Security Considerations
Authentication
Authorisation
Secure communication
Software + Hardware
The Login
Provides authentication
asterisks *********
SQL injection attack
Human Problems
A simple conversation
People use words they can remember
Same passwords for many sites
Doctor Who fan: guess the password
T****S
Dictionary Attacks
If you know a user name, throw the dictionary at it
Brute Force Attack
If the password is CC but all we know is that it is two characters long (**)
AA
AB
BA
BB
BC
CB
CC
The longer the password the more time we need to crack it.
Countermeasures
Education
Don’t use same password for all sites
Avoid passwords that could be guessed
Don’t use dictionary words
Enforce rules in code
Minimum password length
Non-alphanumeric characters
Expiration date
Limit login attempts
Use a Security Framework
Authentication options in .NET
Windows
Passport
Forms
DIY
Securing Stored Passwords
Unsecured Access database
Stored in App_Data folder
(Could store on another drive/machine)
Plain text password stored in the table
Password Hashing
.NET Cryptography
Encryption is OK
Hashing is better
password123
IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Do not store the password in plain text
Adding Salt
If the passwords for John and Fred without salt look like this...
John IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Fred IKSV2XlTzgf7LFJNFuHDkf9f4WQPZPLnEIY=
Adding salt would change the hash values like so...
John 354rlrk8Jv7729qVOrOp0lXUv7RAsdV
Fred 9Wo0irC6+ylay0CJsLVtWBfbJBSn03j4gzhG
Concatenate password + email address
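As an added example (not from the slides, which use .NET Cryptography; Python's hashlib stands in for it here), the scheme above in code: an unsalted hash gives John and Fred identical values when they share a password, concatenating the email address as salt separates them, and a third function shows the stronger variant with a random per-user salt and iterated hashing. The user names and email addresses are constructed sample data.

```python
import base64
import hashlib
import hmac
import os


def hash_unsalted(password: str) -> str:
    """Hash of the password alone: users sharing a password share the stored value."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_with_email_salt(password: str, email: str) -> str:
    """The slides' scheme: salt = the user's email address, concatenated to the password."""
    digest = hashlib.sha256((password + email).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Stronger variant (added here, not from the slides): random per-user salt plus
    iterated hashing (PBKDF2-HMAC-SHA256), so identical passwords never collide and
    each guess in a dictionary or brute-force attack costs `iterations` hash rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": iterations,
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt = base64.b64decode(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, base64.b64decode(record["hash"]))


# Constructed sample users (hypothetical): both chose the password "password123".
USERS = {"John": "john@example.com", "Fred": "fred@example.com"}

if __name__ == "__main__":
    for name, email in USERS.items():
        print(name, "unsalted:", hash_unsalted("password123"))
        print(name, "salted:  ", hash_with_email_salt("password123", email))
    rec = make_record("password123")
    print("verify correct:", verify("password123", rec), "wrong:", verify("password124", rec))
```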
Validation
Who do you trust?
Do you trust me not to make use of that data in some way?
Do you trust me to write a web application that will not be compromised in any way?
Not just a matter of what people you trust but what systems you trust?
Exclude list = characters we don’t allow
Include list = characters we do allow
Code Injection
Script could run when the page is rendered elsewhere in the application
IIS automatically disallows this
Turn Off Debug Mode
By entering bad data a hacker could crash your program
We now know
The language of the application (VB.NET)
The names of several parameters (SwapTitle, Description, etc.)
In the light of the above, probably the names of some fields in the database (this way the hacker may refine the SQL injection attacks)
The remote path on the server: C:\MyFiles\IMAT1604\content\Widget Swap\Widget Swap\aswap.aspx.vb
Securing the Communication Channel
Public and Private Keys
Secure Sockets Layer (SSL)
The browser makes a secure HTTP request (HTTPS) on port 443
The server sends back a digital certificate verifying its credentials
The client verifies the certificate with the issuing agency
Using the public key, the data is encrypted between client and server
Open Ports
Port scanners
Firewalls
IP Filtering
Turn off unused services
Grant Minimum Permissions to Resources