Following my talk on Securing ASP.Net Applications at last Friday’s Dublin leg of Microsoft’s ASP.Net 2.0 European Roadshow, there were a couple of requests for the slides and code samples. They can be downloaded from here.
Talking with developers afterwards in the bar, it was really interesting to see how many of them had heard of SQL Injection and XSS attacks but had not actually realised how vulnerable an application and the other applications which share the same database can be. Most had never actually seen how an attack would be carried out.
I demonstrated how security on a web site can be compromised by taking advantage of holes within the application code. These holes can be discovered by using a series of probes which disclose whether or not vulnerability exists.
The demonstration attacked the site’s Login page to discover vulnerabilities. These were then exploited to bypass the application security altogether. We were then able to take control of the database for this and other applications which share the database, create our own login accounts with administrative privileges and access the site’s customer’s credit card information.
I also demonstrated using a Cross Site Scripting attack how the Forms Authentication cookie could be stolen and silently sent to an attacker’s website to be stored for later use. Once the attacker is in position of this cookie, they would be able to login to the original web site using someone else’s authentication token.
The key message of the talk was to ensure that all user input is validated before any other processing is done. This together with strict use of secure coding standards would have disabled any attacker’s opportunities.
For more information on writing secure code, please feel free to contact me.
And many thanks to Microsoft for asking me to speak at this great event with the ASP.NET team!