A presentation by Joshua Bradley, DNN developer, on developing more secure modules for DNN (formerly DotNetNuke) and Evoq CMS.
While DNN, and .NET in general, are very good at protecting you from the biggest security attacks, they can't protect you from writing bad code. With security becoming increasingly important in web development, it is worth taking a moment to make sure you're not shooting yourself in the foot with your module development. This talk covers XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), and SQLi (SQL Injection), so that you are not opening yourself up to potential vulnerabilities when developing your modules.
DNNcon 2016: Are There Security Flaws in Your DNN Modules?
1. @DNNCon Don't forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Goal
For Developers
- To think about possible security vulnerabilities while developing your modules.
For Everyone
- Be able to recognize potential vulnerabilities when testing websites.
XSS Summary
• HTML-encode output when you do not need to render HTML.
• Use an anti-XSS library when you need to accept HTML from user input.
SQLi Summary
• Never build SQL by string concatenation.
• Use an ORM or parameterized stored procedures.
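An added example, not from the talk, showing the concatenation the summary warns against beside the parameterized form in plain ADO.NET, plus the HTML-encoding step from the XSS summary. The Widgets table, the Widgets_Search procedure and the method names are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical data access for a module's "Widgets" table (names are assumed).
public static class WidgetRepository
{
    // VULNERABLE: the search term becomes part of the SQL text, so any quote
    // character in it ends the string literal and the remainder is parsed as SQL.
    public static IDataReader SearchWidgetsUnsafe(SqlConnection conn, string term)
    {
        var sql = "SELECT WidgetId, Name FROM Widgets WHERE Name LIKE '%" + term + "%'";
        return new SqlCommand(sql, conn).ExecuteReader();
    }

    // SAFE: the term travels as a typed parameter and is never parsed as SQL.
    // Caveat: '%' and '_' inside the term still act as LIKE wildcards; escape them
    // if the search must treat them literally (a correctness issue, not injection).
    public static IDataReader SearchWidgets(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT WidgetId, Name FROM Widgets WHERE Name LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd.ExecuteReader();
    }

    // Same rule for a stored procedure (assumed name): pass parameters rather than
    // building an EXEC statement from concatenated text.
    public static IDataReader SearchWidgetsViaProc(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand("dbo.Widgets_Search", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@Term", SqlDbType.NVarChar, 200).Value = term;
        return cmd.ExecuteReader();
    }

    // Output side: encode the stored name before writing it into the page unless
    // the field is explicitly meant to hold HTML.
    public static string RenderName(string name)
    {
        return HttpUtility.HtmlEncode(name ?? string.Empty);
    }
}
```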
IDOR Summary
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting files.
Available on GitHub & Slideshare
• http://www.engagesoftware.com/blog
Resources
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
• http://www.troyhunt.com/2012/12/sto
• https://www.owasp.org/index.php/Ma
• http://www.jwaffinityit.com/Portals/28
• https://msdn.microsoft.com/en-us/libr
aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
• http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
• https://www.sql-programmers.com/sql-injection.aspx
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender