On tuesday 2007-08-07, I have launched the "Thales Belgium User Group". Around 10 attendees were at the rendez-vous. Not so bad for a first session, hoping to see this number increasing in a near future. This session was dealing with Hacking & Securing an ASP.NET WebSite : POST Attacks.
Unfortunately the conditions were terrible. 40 minutes late to try using a low quality video projector and an deafening ambiant noise due to unplanned works in the building. Was the first one, so it couldn't be perfect, and in the end, I think it was not that bad ;-)
You will find below the agenda we have followed:
- Introduction
- HTML Attacks
- What is an HTML attack ?
- Which security evolutions between the different .NET framework versions ?
- Are we completely safe now ?
- POST Attacks
- What is a post attack ?
- How can we do a post attack ?
- POST attacks demo
- Using a web simulator
- Using the firefox DOM inspector
- By simply copying the page
- Which security evolutions has arrived in .NET 2.0 ?
- How does it work ?
- Explanation of the encryption mechanism in the .NET framework to secure ASP.NET typical hidden fields
- Protecting a web site
- Using a "secured button"
- Using a "secured text box"
- Demo using DropDownlists
- TagMapping demo to propagate the modification to the whole web site
- Conclusion and advice
Downloads:
You can find below the material we provided at the end of the session: Note that the solution has been written using Visual Studio 2008 and that the WebSimulator DLL used for the demo has not been provided. However, this example would be similar using another web simulator product, like WatIn for example.