@DNNCon Don’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Goal
For Developers
- To think about possible security vulnerabilities while developing your modules.
For Everyone
- Be able to recognize potential vulnerabilities when testing websites.
Introduction
Cross Site Scripting
Reflective XSS
Reflective XSS Example
Stored XSS
Stored XSS Example
XSS Summary
• HTML encode when you do not need HTML.
• Use an Anti-XSS library when you need to accept HTML from user input.
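The first bullet in working form, as an added C# example that is not code from the talk or from DNN: the same untrusted string is encoded for the three output contexts an ASP.NET module commonly writes into (HTML body, attribute value, JavaScript string), next to the raw concatenation it replaces. `System.Web.HttpUtility` is the real framework class; the `SafeOutput` class and the sample input are constructed for the illustration.

```csharp
// Added example, not from the talk: context-specific output encoding for untrusted text.
// Builds on .NET Framework and on .NET Core 2.0+ (System.Web.HttpUtility exists on both).
using System;
using System.Web;

public static class SafeOutput
{
    // Text shown in the page body: HTML-encode so '<', '>', '&' and quotes become entities.
    public static string ForHtmlBody(string untrusted) =>
        HttpUtility.HtmlEncode(untrusted ?? string.Empty);

    // Same text placed inside an attribute value: attribute encoding (a quote is the escape risk here).
    public static string ForHtmlAttribute(string untrusted) =>
        HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);

    // Same text placed inside a JavaScript string literal: '<' becomes \u003c, quotes are escaped.
    public static string ForJsString(string untrusted) =>
        HttpUtility.JavaScriptStringEncode(untrusted ?? string.Empty);

    public static void Main()
    {
        // Constructed sample: a display-name field submitted with markup and a stray quote.
        string untrusted = "Bob\" <script>alert(1)</script>";

        // Vulnerable 'before': raw concatenation hands the markup to the browser as-is.
        Console.WriteLine("<p>Hello " + untrusted + "</p>");

        // Encoded per context: the browser renders the characters as text; nothing executes.
        Console.WriteLine("<p>Hello " + ForHtmlBody(untrusted) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(untrusted) + "\">");
        Console.WriteLine("<script>var name = \"" + ForJsString(untrusted) + "\";</script>");
    }
}
```

Encoding is chosen by where the value lands, not by where it came from, which is why one `HtmlEncode` call at input time is not enough. For the second bullet (rich text that must keep some HTML), the encoder is the wrong tool; run the fragment through a sanitizer such as DNN's `PortalSecurity.Instance.InputFilter(html, PortalSecurity.FilterFlag.NoScripting)` or the Microsoft AntiXSS `Sanitizer.GetSafeHtmlFragment` (assumed API names, not shown on the slide) and still encode every other field as above.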
SQL Injection
SQLi Example
SQLi Summary
• Never do string concatenation with SQL.
• Use an ORM or a parameterized stored procedure.
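Both bullets side by side, as an added C# example that is not the talk's code: the concatenated query that the first bullet forbids, then the same search as parameterized inline SQL and as a parameterized stored procedure, using plain ADO.NET (`System.Data.SqlClient`), which a DNN module on .NET Framework already references. The table, procedure, column and connection-string values are placeholders; the commands are only built, never executed, so the block runs without a database.

```csharp
// Added example, not from the talk: string-built SQL beside its parameterized replacements.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ItemQueries
{
    // Vulnerable 'before': the search term becomes part of the SQL text, so any quote in it
    // changes the statement the server parses.
    public static string UnsafeSearchSql(string term) =>
        "SELECT ItemId, Title FROM dbo.MyModule_Items WHERE Title LIKE '%" + term + "%'";

    // Parameterized inline SQL: the statement is fixed; the term travels as a typed value
    // that the server never parses as SQL.
    public static SqlCommand SafeSearch(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT ItemId, Title FROM dbo.MyModule_Items WHERE Title LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    // Parameterized stored procedure (placeholder name): the same guarantee via CommandType.
    public static SqlCommand SafeSearchProc(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand("dbo.MyModule_SearchItems", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@Term", SqlDbType.NVarChar, 200).Value = term;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: a legitimate value that happens to contain a quote.
        string term = "O'Brien";

        // The 'before' form already breaks on this input; hostile input can do more than break it.
        Console.WriteLine(UnsafeSearchSql(term));

        // The parameterized forms keep the SQL text constant; only the parameter value changes.
        // The connection object is created but never opened, so no server is contacted.
        using (var conn = new SqlConnection("Server=(local);Database=DnnDev;Integrated Security=true"))
        {
            SqlCommand cmd = SafeSearch(conn, term);
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@pattern"].Value);

            SqlCommand proc = SafeSearchProc(conn, term);
            Console.WriteLine(proc.CommandText + " @Term=" + proc.Parameters["@Term"].Value);
        }
    }
}
```

The ORM route the slide mentions gives the same separation of statement and data; DNN's own data layer (`DotNetNuke.Data.DataContext`, assumed name) takes `@0`-style placeholders the same way. One caveat that is not an injection issue: `%` and `_` inside the term still act as LIKE wildcards, so a search feature that must treat them literally escapes them and adds an `ESCAPE` clause.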
Cross Site Request Forgery
CSRF Example
CSRF Summary
• Use HttpPost
• ValidateAntiForgery
• Never allow access from any host
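The first two bullets applied to a state-changing action, as an added C# example that is not the talk's code: an ASP.NET MVC controller with the unprotected action beside the one that carries `[HttpPost]` and `[ValidateAntiForgeryToken]` (the standard `System.Web.Mvc` attributes the slide names), plus the Razor form line that issues the matching token. The controller name, the in-memory item store and the view path are constructed; in a DNN MVC module the controller would derive from `DnnController` (assumed base class).

```csharp
// Added example, not from the talk: a delete action before and after CSRF protection.
using System.Collections.Generic;
using System.Web.Mvc;

public class ItemController : Controller
{
    // Constructed in-memory store standing in for the module's data layer.
    private static readonly Dictionary<int, string> Items =
        new Dictionary<int, string> { [1] = "First item", [2] = "Second item" };

    public ActionResult Index() => View(Items);

    // Vulnerable 'before': any verb is accepted and nothing ties the request to the form the
    // user saw, so a request to /Item/DeleteUnsafe?itemId=1 made from another site runs with
    // the victim's session cookie.
    public ActionResult DeleteUnsafe(int itemId)
    {
        Items.Remove(itemId);
        return RedirectToAction("Index");
    }

    // Hardened: POST only, and the request must carry the anti-forgery token issued with
    // the form. The token is bound to the user's cookie and is not readable from another
    // origin, so a cross-site form fails validation before this body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int itemId)
    {
        Items.Remove(itemId);
        return RedirectToAction("Index");
    }
}

// Razor fragment for the matching form (assumed view Views/Item/Index.cshtml):
//   @using (Html.BeginForm("Delete", "Item", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()
//       <input type="hidden" name="itemId" value="1" />
//       <button type="submit">Delete</button>
//   }
```

For a Web API endpoint built on DNN's Services Framework the equivalent is `[HttpPost]` with DNN's own `[DnnAuthorize]` and `[ValidateAntiForgeryToken]` from `DotNetNuke.Web.Api` (assumed attribute names). The third bullet is the companion rule: do not enable CORS with a wildcard origin on endpoints that change state, since a response readable by every host undoes the origin check the token relies on.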
Insecure Direct Object References
IDOR Example
IDOR Summary
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting a file.
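Both IDOR bullets as an added C# example that is not the talk's code: a download resolver that accepts only the module's own file id, checks that the record belongs to the caller, and re-checks that the resolved path still sits under the portal folder, beside the user-supplied-path version it replaces. The in-memory file table, owner ids and file names are constructed; in a real DNN module that table is what the built-in File Manager already keeps (`FileManager.Instance.GetFile(fileId)` together with a folder permission check, assumed API names).

```csharp
// Added example, not from the talk: resolving a download without trusting a user-supplied path.
using System;
using System.Collections.Generic;
using System.IO;

public static class DownloadResolver
{
    // Vulnerable 'before': the request value goes straight into the path. "../" segments walk
    // out of the folder, and an absolute value makes Path.Combine discard the root entirely.
    public static string UnsafePath(string portalRoot, string requestedName) =>
        Path.Combine(portalRoot, requestedName);

    // The module's own file records (constructed sample; in DNN the File Manager holds these).
    public sealed class StoredFile
    {
        public int Id;
        public int OwnerUserId;
        public string RelativePath;
    }

    private static readonly Dictionary<int, StoredFile> Files = new Dictionary<int, StoredFile>
    {
        [1] = new StoredFile { Id = 1, OwnerUserId = 7, RelativePath = "reports/q1.pdf" },
        [2] = new StoredFile { Id = 2, OwnerUserId = 9, RelativePath = "reports/q2.pdf" },
    };

    // Hardened: the caller supplies only an id. The path comes from the server-side record,
    // the record must belong to the caller (the IDOR check), and the resolved path is
    // verified to still sit under the portal root as defence in depth.
    public static string Resolve(string portalRoot, int fileId, int currentUserId)
    {
        if (!Files.TryGetValue(fileId, out StoredFile file)) return null;   // unknown id
        if (file.OwnerUserId != currentUserId) return null;                  // someone else's file

        string root = Path.GetFullPath(portalRoot)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, file.RelativePath));
        return full.StartsWith(root, StringComparison.Ordinal) ? full : null;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "Portals", "0");

        // 'before': the traversal value resolves outside Portals/0.
        Console.WriteLine(Path.GetFullPath(UnsafePath(root, "../../web.config")));

        // after: user 7 may fetch file 1, may not fetch user 9's file 2, and an unknown id yields nothing.
        Console.WriteLine(Resolve(root, 1, 7) ?? "(denied)");
        Console.WriteLine(Resolve(root, 2, 7) ?? "(denied)");
        Console.WriteLine(Resolve(root, 99, 7) ?? "(denied)");
    }
}
```

The ownership test is the part that the containment check cannot replace: a path that stays inside the portal folder is still an IDOR if it belongs to another user, which is why the slide points at the File Manager, whose records carry the folder permissions the lookup should consult.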
Available on GitHub & Slideshare
• http://www.engagesoftware.com/blog
Questions
@JRBradley1
Resources
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/analysis-of-dotnetnuke-compliance-against-owasp-top-10-2013
Resources
• http://www.troyhunt.com/2012/12/sto
• https://www.owasp.org/index.php/Ma
• http://www.jwaffinityit.com/Portals/28
Resources
• https://msdn.microsoft.com/en-us/libr
aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-site-request-forgery-Lessons-from-a-CSRF-attack-example
Resources
• http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
• https://www.sql-programmers.com/sql-injection.aspx
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
Resources
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender