Defensive Programming 101 v3

Formal Metadata

Title: Defensive Programming 101 v3
Number of Parts: 150
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Abstract
The web is a funny old place. You create a wonderful application, deploy it for the world to see and then everybody just wants to break it. This session will show you some of the common security mistakes made by developers and how to avoid them. There will be (possibly frightening) demos with code in C#. The talk is rated level 200-300 with a target audience of web developers (not just ASP.NET; all the examples will be done in .NET, and even if you are not a web developer some parts of the talk will be handy) and assumes knowledge of web programming, basic security concepts, a working brain and a sense of humour.
Transcript: English (auto-generated)
All right, ladies and gentlemen, this is Defensive Programming 101, and my name is Niall Merrigan. And today I will host a whole lot of crap that we do on the web as web developers, and we will show you how security can be really bad, and what you do with it, and why you do it wrong, and why it costs you money, and why people laugh at you
when you send out tweets, the stuff's encrypted, et cetera. So, if you are tweeting, please use the NDC Oslo hashtag. I am @nmerrigan. And I am Irish. I am very Irish, I live here in Norway, and I have been living here for the last seven years. Jeg snakker litt norsk (I speak a little Norwegian), but I won't be doing that today.
I am the head of custom software development for Capgemini in Stavanger, and I'm an ASP.NET MVP and a friend of Redgate. So, let's talk about you developers. Why don't devs write secure code? Go on, the first person to give me an answer gets a book.
Oh Jesus, here, well done. So all of a sudden you offer stuff, I want this. I've only got three books total, so sorry. Yes, they don't, what did you say? They don't know better. Yeah, it's close enough. Mainly it actually comes down to, marketing guy comes in and says, yeah, we've got a new sales opportunity.
I'm like, yeah, cool, what you got? He goes, CMS. I was like, yeah, I can do that. When do you want it, four hours? I'm like, okay. Do you want security with that? Yes, no. Security is a very difficult process, mainly because the fact is, we as developers are creators. I create code, it is mine.
My god, I created it. And I don't want to break it. Why would you want to break it? So we look at things, we go, right, yeah, I've created that, that works, it's good, it's done, good luck. Finished. And then we don't think about security. If you want to think like how security evolves, think of airline security.
Who's got the thing? In 1971, you could get on a plane and you just walked through the terminal, got on the plane, that was it. 1972, after a couple of little hijackings, they said you now have to go through a metal detector. 1986, it got a stronger metal detector. In 2004, I came up to Norway with four litres of alcohol in my bag.
I then realised I was smuggling alcohol because I thought you guys were part of the EU. And then, no. But I could still bring four litres of alcohol onto a plane in my hand luggage. Now, they say, excuse me sir, that 100ml bottle of water, you need to put that over here because it may blow us up. You think they haven't thought that stuff through,
but the evolution of security is it's reactive. So as programmers, we write stuff and we go, that's what we want to do, that's what we want to make, it's done. Someone goes, I'm going to break that. And you go, why? Because you didn't say I couldn't. I'm saying you can't now. Tough, I've done it.
Because if you look at the current hacks that are appearing and stuff, someone says, I can hack an iPhone by plugging it into the wall. Why would you go through the security channel or the electricity channel to do that? Because you didn't say I couldn't. Okay. Now, we design software for these lovely people. He's very happy. This is our happy family.
We design for users. Users are a known story in programming. They're what we design software for. We secure against these people, our very posh hackers. He's wearing a tie, uses a MacBook, and has a balaclava. Posh hacker. I'm going to do a quick round of check.
How many of you, if I took away the mouse from your computer now, would go, what's the difference? Yeah? No, there's about four. Does anyone not know the keyboard shortcuts, in other words? Oh, sorry, I'll ask it again. How many of you, I asked you to just use keyboard shortcuts and a day-to-day working would actually be okay with that? Okay, there we go.
You guys are my advanced users. If I say the way to go through this program is A, B, C, you will go, why do I need B? And I'll say, because you need it. And you go, no, I don't. I'll go A to C. Users will go A, B, C. As an advanced user, you have great power. You will look for stuff. You will look for shortcuts. The difference is a hacker will use his power for evil
or, well, money or something. So, we need to go off and fix our developers. And not like when you send your dog to see the vet and he goes to get tutored, or neutered, sorry. And he comes back looking like, where did they all go? We need to fix developers by educating them and showing them that the web is a fantastically scary place.
And then I find this zombie walk and I find zombie clowns really, really disturbing. This was taken in France, which means the guy was like, wine. We as developers need to be educated that the web is a very unsafe place
and we're going to try and fix. Because, OK, how many of you are web devs? Quite a few. Let the record show there's quite a few people to raise their hand. How many of you, if you've launched a public-facing website, tell your mates, who are also web developers, that you have launched said public-facing website?
Let the record show no one is that stupid. The reason most of us don't tell our friends we've launched a public-facing website is because, like all of our friends, we will go in and break it. I wonder, did he check for validation? I wonder, did he do this? I wonder, did he do that? Of course. We're children, really. It's like, I'll press that.
It'll break. We'll do something. You owe me a beer because I found that. And in Norway, that ain't cheap. Sorry, I can feed a whole Somalian family on that. We don't want to do it, mainly because we're afraid that someone will actually find a hole in our software and then expose it and we'll be all screwed
and have to go back and explain why we wrote bad software. What I'm going to show you is ten different examples of stuff we do as web developers. We may natively do it. We may forget about stuff. Or we might just say, it doesn't really matter. And it'll give you a little bit of an eye-opener.
What I ask you to do in this session is, I will show you ten things. Take all ten things and see how many you've actually done or are doing right now. On average, I've done this talk for about five years. On average, I get people saying, I do about four of those things. And I go, okay, that's not too bad. Some people say I've done six or seven.
Some people say I've done ten. If you get zero and you are a developer not in management or sales or something else, you're actually working in code, please come talk to me. You'll be the first person in five years who has done that. Okay? Five years. Because we will say, oh, I never make secure mistakes or insecure mistakes.
We all do. It's the nature of our business. We forget about stuff. We assume things. And assume, as we know, makes an ass out of you and me. We don't want to do it, but we will. So, in a very countdown-ish way, let's go through ten stupid things. Number ten, believe it or not, is leaving administration info on the web server
and telling everyone about it. Okay. Just another quick show of hands again. You've deployed a website. You're doing it manually. You're not using any of the kind of rapid deployment tools or whatever. You do right click, zip the file up, copy it somewhere on the server and then deploy the new changes.
Anyone ever done that? Quite a few. Now, have you ever decided to go look for that file via Google? Like going, inurl: bang, bang, bang, filetype:zip. And it goes, oh, I found that. I'll download that all for you. Very, very common. Or you say, right,
my web server is running IIS 4 with ASP.NET 1 or something like that. You don't turn off the headers. You leave administration info. You leave something on there. You leave trace.axd open. You leave elmah.axd open, for example. Troy Hunt did a fantastic post on what happens if you incorrectly configure elmah.axd
and the amount of information that it exposes. The new guys here at Glimpse, they've also got a glimpse.axd. And if that's incorrectly configured, now out of the box it's very, very secure. But if you want to open it, for example, because you're doing some support work and you forget to re-secure it, then it'll show you a hell of a lot more information. It'll show you connection strings. It's like Fiddler and Firebug all rolled into one.
This type of information is very, very useful. And it's the initial attack. You probe into your server. You say, right, what are they doing? I'm running this. I'm running that. OK, so you're running this. You're running that. You're not patched against this. I can start crafting an attack against your server straight away. And as web developers, we don't really care. We never think of that.
We never turn off these chatty headers. We never do anything like that. You can Google most of this stuff. Google is a fantastic hacking tool for things like this. I will show you, if I can remember to find the actual URL for it. There is a nicely crafted URL where people have left open the FTP sites,
the default FTP settings, on IIS. And you go inurl: web.config, filetype: config, and then protocol type FTP. And it shows you FTP servers that are running production code with web.config. So you go off and go, I'll just download the web.config. OK, right. This will make hacking this server hard.
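The settings that close the holes just described (the version header, trace.axd, and a diagnostics handler such as elmah.axd reachable from the internet), collected in one web.config fragment. This is an added example, not the speaker's code or any project's; the role name "Administrators" is an assumption, and the glimpse.axd lock assumes the handler runs through the ASP.NET authorization pipeline the same way elmah.axd does.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the talk. Role name "Administrators" is assumed. -->
<configuration>
  <system.web>
    <!-- Stop sending X-AspNet-Version: the runtime version is attacker reconnaissance -->
    <httpRuntime enableVersionHeader="false" />
    <!-- trace.axd off; localOnly is the safety net if someone turns it on for support
         and forgets to turn it off again -->
    <trace enabled="false" localOnly="true" />
  </system.web>

  <!-- elmah.axd is reachable by anyone unless you say otherwise. Rules are
       evaluated top to bottom and the first match wins: admins in, everyone else out. -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Same lock for any other diagnostics endpoint you expose (assumed path) -->
  <location path="glimpse.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds "X-Powered-By: ASP.NET" by default; drop it -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Check the deployed site with `curl -I` that X-AspNet-Version and X-Powered-By are gone. The `Server: Microsoft-IIS/...` header is not controlled by these settings (IIS 10 and later have `removeServerHeader` under requestFiltering; older versions need URL Rewrite or a module). And the file itself must stay off the wire: IIS refuses to serve web.config, but it happily serves a copy named web.config.bak or the site.zip you right-clicked into wwwroot, which is exactly what the filetype: search above finds.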
It's very, very stupid. It's very, very easy. But it's a simple mistake to make. I once, when I was doing this about three or four years ago, I said, I'm going to look for PST files. And for those of you wondering what a PST file, it is an Outlook storage file, personal storage file.
And I found one. And it was an Israeli businessman's PST file unlocked. And inside was his sales figures for the next sales production figures for about two months ahead, and his sales figures from the previous thing, along with mypasswords.xls.
I went, too easy. The only thing is, because it was Israeli, I was kind of thinking, this has to be a honeypot. There is no way on earth that someone has done this legitimately. All right, number nine. All right, this one is fun. I like this one because it's very common. What's your password?
What is your password? And how do you store passwords? Right, another show of hands. You're going to get a good work out of this. Show of hands. Any of you use Hotmail, Gmail, Facebook? Any of those type of services? OK, good. We're all internet connected. There's one guy down the back going, what's the internet?
Where's the IBM security guy, actually? Is he here? He's probably asleep down the back, that's all right. The thing is, how many of you use the same password for all services? I would have done that before. There's one guy willing to admit it. Here, because you're good.
Here, have a book. Learn how to secure your stuff. There you go. He's like, I don't do that, I swear. Sorry, chap. It was too easy. So, did you all see Spolsky's talk yesterday? The keynote? Right, you know the other founder of Stack Overflow
is Jeff Atwood, yeah? In 2009, Jeff Atwood's password was compromised for Stack Overflow. Due to, he'd created a password on a fairly insecure site and the person had guessed his OpenID provider. And using those two pieces of information,
logged into Stack Overflow as him. So when that happened, the nice person actually just logged back out in sheer shock and went, I'll email him and say, by the way, you should change your password. It is not so much that we have to secure our password, we just have to remember to tell users that they shouldn't be using the same password in all services.
We have this concept that encrypted is better than hashed sometimes. Encrypted is reversible, hashed is not. We should always store passwords hashed. All sensitive information should be, if it's going to be that kind of way, it should be hashed up. The out-of-the-box ASP.NET provider is SHA-1, which is pretty crap, to be honest.
If we, I want to see if I can do this right and this may not work for me. One sec, just done something crazy. Panic, panic, panic. This little thing here. For those of you who do not know what that is, that is a Radeon cluster comprising 25 GPUs,
able to crack 118 billion passwords a second. Now, for those of you doing the maths here, and there's probably a couple of people after lunch not really able to do this, but that is approximately about 30 passwords per person in the world per second. I don't have 30 passwords myself, but they are able to crack that much that quickly,
mainly because GPUs are designed to be very, very fast in doing calculations and power and stuff, and we're back to normal, are we? I think so. Wait. Not all kinds of passwords. Sorry, what did you say? Not all kinds. Not all kinds of passwords. Very true. Not all kinds of passwords.
It can crack quite a lot. They use a thing called Hashcat, for example, which will just do compare of hashes. You'll have rainbow tables, and it'll try and grade passwords and stuff like that. They're very, very fast. The problem is that out-of-the-box technology says SHA-1, which is supposed to be quite secure. It isn't secure enough, and then there's this trade-off between
really securing it and the user taking 15 minutes to generate a password, or kind of saying it's secure enough that if we get compromised, it probably will take them too long to crack the password by the time we notice the intrusion. LinkedIn's password is what? The password dump is cracked within about 15 minutes. Between 15 and 45 minutes.
ABC's 50,000 passwords done in under 45 on standard consumer hardware. Most stuff is cracked very quickly. You can use things like bcrypt and Zetetic. They can plug into your ASP.NET providers and will replace the hashing algorithm to use these new technologies. Half a second or a quarter of a second
versus doing it instantly, near instantly, I'd take the quarter of a second to secure stuff up. Your main thing... Let's see if this works. It might be working. Is this working? Yes. The main thing with passwords is make sure they're encrypted. Not encrypted. Make sure they're hashed. Do not encrypt them.
We always say, my passwords are very secure. I'm using ROT13. There's a couple of people going, ROT13, I got this. And they're doubly secure. We're using ROT26. Plain text. I love it. Tesco got absolutely nailed by this. Honestly, our passwords are very secure. We copy them out in plain text to email them to users.
Yeah, okay. Then they're not secure. A lot of places like, for example, passwordfail.com will show sites that are not encrypting their passwords correctly. You shouldn't be part of that whole mess. Please, please, please, encrypt passwords, or hash passwords correctly, and store them correctly.
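The password point above in code: hashed, not encrypted, with a slow salted algorithm instead of a fast digest, and the quarter-second cost the speaker is happy to pay. This is an added example, not the speaker's demo code; it assumes the BCrypt.Net-Next NuGet package, and the work factor of 12 is an assumption to be tuned on the real server.

```csharp
// Added example, not from the talk. Requires the BCrypt.Net-Next NuGet package.
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

static class PasswordStorage
{
    // Assumption: tune on the real server until one hash costs roughly a quarter
    // of a second. Each +1 doubles the work, for the attacker as much as for you.
    public const int WorkFactor = 12;

    // The kind of thing the talk warns against: a fast, unsalted digest. Equal
    // passwords give equal hashes, and a GPU rig tries billions of candidates
    // per second against exactly this.
    public static string WeakSha1(string password)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // bcrypt: random per-password salt and a tunable cost, both encoded in the
    // output string, so the hash is the only thing you store.
    public static string Hash(string password) =>
        BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);

    public static bool Verify(string password, string storedHash) =>
        BCrypt.Net.BCrypt.Verify(password, storedHash);

    // After a successful login, re-hash if the stored value was made with a
    // lower cost; raising WorkFactor later then upgrades users transparently.
    public static bool NeedsRehash(string storedHash) =>
        BCrypt.Net.BCrypt.PasswordNeedsRehash(storedHash, WorkFactor);

    static void Main()
    {
        const string pw = "correct horse battery staple"; // constructed sample

        Console.WriteLine("sha1:   " + WeakSha1(pw)); // identical on every run

        var sw = Stopwatch.StartNew();
        string stored = Hash(pw);
        sw.Stop();
        Console.WriteLine("bcrypt: " + stored);
        Console.WriteLine($"cost {WorkFactor}: {sw.ElapsedMilliseconds} ms, paid once per login attempt");

        Console.WriteLine("fresh salt, different hash: " + (Hash(pw) != stored));
        Console.WriteLine("verify correct password:    " + Verify(pw, stored));
        Console.WriteLine("verify wrong password:      " + Verify("password1", stored));
        Console.WriteLine("needs rehash:               " + NeedsRehash(stored));
    }
}
```

The cost is the point: a login that takes a quarter of a second is invisible to a user and catastrophic for a cracker, who now gets four guesses per second per core instead of billions. Keep the hash in the database and the work factor in config, and re-hash on login when you raise it, so the old SHA-1 rows disappear as people sign in rather than sitting there waiting for the dump.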
Number eight. Number eight is one that will probably catch a lot of us because, how many of you talk to your IT department? How many of you don't like talking to your IT department? I don't like talking to your IT department. Sorry, guys. Yeah, you've got to keep your servers patched.
And this is a kind of, that's one something for the next, next, next finish, guys. They can take care of that. What happens the second Tuesday of every month? Thank you. You get a book later. I don't want to throw it down there. I'll probably take someone's head off. What happens on the second Monday of every month?
Second Monday is backup Monday. Second Tuesday is patch Tuesday, and what is the second Wednesday of every month? Thursday. No, it's not Thursday. It's rollback Wednesday. It's when you realize the patch broke something
and we've got it now. Oh, bugger. Thursday. What have you been drinking down there? Were you on that boat cruise last night? It's like the small little Norwegian viking pirate thing. Sorry. Patching servers. We had the padding oracle patch for ASP.NET, which got patched fairly quickly, but it still is out there.
People are still kind of not bothering to patch servers. People who don't patch servers or leave unpatched vulnerabilities in their software will end up getting screwed. It's really, really simple. Unfortunately, this is one of those things where, as developers, we forget about the platform we were so used to just deploy and forget that we assume that the IT department is doing their job.
But we have to kind of work out that sometimes these guys are looking at stuff. They're not looking the same way we are. They say, oh, it doesn't need to be patched. It's OK. Or it's not a high-criticality patch or anything like that. And these things, they appear. And if you look at some of the vulnerability databases, they appear daily.
And this happens as then you leave your server open to actually saying, OK, this is going to cause me a problem later on. So make sure to patch your servers. It's one of those things with IT departments. You have to haggle them or get at them a bit more and just say, right, let's get it done. Number seven is validation.
Now, have you ever browsed the internet with JavaScript turned off? Yeah, some people do. You find it fun? No, it's not fun. Everything just breaks. Nothing works. It's all kind of funny. And the problem is most developers are now kind of saying,
if we're going to do validation, it's going to be on the client and that's it. Because if we stop it at the gates, it's fine. Let's talk about bouncers and barmen. A bouncer says, hi, are you over 18? He shows his ID and he goes, fine. Lets the guy into the club. Looks to another person and says, I think you're over 18, I'll let you in.
Whose responsibility is when the person's been served alcohol to check? It's the barman, not the bouncer. The bouncer just says, I think you're OK. The barman actually has to take the responsibility. So in the exact same way, you don't do single-stage verification, you do dual-stage, two-stage. Anything hitting your server should be validated on the server
at the minimum. Let's repeat that again, everybody together. Minimum server validation. If it hits your database, it goes through your server walls. It has to check it out. Do not ever assume that data coming from the client is good.
If you make that assumption, it's not going to work for you. So, how do we do better validation? Use a central validation source. Whereby, if I say, I want you to have the following type of phone number. For example, do the following.
You don't want to have to write that every single time. You just write that as a validation source on the server, and then route everything through it. Because if tomorrow they say, OK, we need to check a different type, you can do that. And it just changes across the board. Now, validate against RFC rules. They're not going to change that often. Validate XML against an XSD or a schema.
Now this one, I think, works well in Norway. What is better? A whitelist or a blacklist? Whitelist. Why? Well done. To quote the man here, you refuse everything you don't know.
Rather than saying, a blacklist is, here's all the stuff I don't want, allow everything else. Now I ask this question, as an Irish person, we have like, O apostrophe and something. Which means that nearly all Irish websites are not susceptible to SQL injection. Because we will always find a guy who's like, O'Connor will test the server.
And he goes, oh, that won't work. So he adds the escaping procedure, and off he goes. He's happy. Move over to the US and by God, we break stuff. No, no, no, no. Irish man at the server. There you go. He's just beating it up with potatoes. The problem is that we then look at stuff and we go,
OK, yeah, I blacked this. I'm going to ignore this, this, and this. All right, fine. But we then get a person like a Norwegian and say, I have a... and my name and they go, OK, that's fine. But it might be an invalid character. You see that when it pops up then in email. They don't have UTF-8 or for example, and it just comes up bad. That's another problem.
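The central validation source and the whitelist-versus-blacklist argument above, worked through in C# as an added example (not the speaker's demo code). The rule definitions, the 64-character name cap and the eight-digit phone shape are assumptions; the blacklist is deliberately the naive "I know what bad input looks like" kind, so the O'Connor and Norwegian cases can be seen failing and passing side by side.

```csharp
// Added example, not from the talk. Plain .NET, no packages.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// The barman: one central, server-side definition of what each field may look like.
// Callers ask by rule name, so when the phone format changes tomorrow it changes here once.
static class InputRules
{
    private static readonly Dictionary<string, Regex> Rules = new Dictionary<string, Regex>
    {
        // Names: letters from any script (so Ø, Æ, Å and accents pass), space, hyphen
        // and apostrophe (O'Connor). The 64-character cap is an assumption.
        // \z rather than $: in .NET, $ also matches before a trailing newline.
        ["name"]  = new Regex(@"^[\p{L} '\-]{1,64}\z", RegexOptions.CultureInvariant),
        // Hypothetical rule: optional +47, then exactly eight digits.
        ["phone"] = new Regex(@"^(\+47)?\d{8}\z"),
        // Pragmatic e-mail shape; full RFC 5322 needs a parser, not a regex.
        ["email"] = new Regex(@"^[^@\s]{1,64}@[^@\s.]+(\.[^@\s.]+)+\z"),
    };

    public static bool IsValid(string rule, string input) =>
        input != null && Rules[rule].IsMatch(input);
}

// The bouncer-only approach: a blacklist that thinks it knows what bad input looks like.
static class Blacklist
{
    private static readonly string[] Bad = { "'", "--", "<", ">", ";" };

    public static bool IsValid(string input)
    {
        foreach (var b in Bad)
            if (input.Contains(b)) return false;
        return true;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed samples: two real names, two attacks, one phone number.
        string[] samples =
        {
            "Bjørn Ødegård",
            "O'Connor",
            "Robert'); DROP TABLE Students;--",
            "<script>alert(1)</script>",
            "+4722334455",
        };
        foreach (var s in samples)
            Console.WriteLine(
                $"{s,-36} blacklist={Blacklist.IsValid(s),-5} " +
                $"name={InputRules.IsValid("name", s),-5} phone={InputRules.IsValid("phone", s)}");

        // Letting the apostrophe through so O'Connor can sign up does not make the
        // value safe to concatenate into SQL. Validation shapes the data; a
        // parameterised query keeps it data. You need both, never one instead of the other.
    }
}
```

Run it and the table makes the speaker's point: the blacklist throws out O'Connor and lets "Bjørn Ødegård" through only by luck, while the whitelist accepts both Irish and Norwegian names and rejects both attack strings because they simply are not the shape of a name. Every request still goes through these rules on the server whether or not the browser ran its JavaScript copy.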
You always should use whitelists. Very, very simple. It's just doing that. And there's another thing. This is a completely different side. I can't understand why you should restrict password complexity. Like, I see things saying, you're allowed between 7 and 10 characters and you're only allowed to use exclamation points
and ampersands and hash, and that's it. After that, you're not allowed to use it. So you're now just telling everyone, we're limiting you to this set of character strings and that's what we're going to do, rather than saying go nuts and whatever thing. It just, yeah, sorry. If you're a web developer and you say, we're restricting our password length to 6 to 8 characters
and we're only limiting to 29 characters total, or was it 52, 55 characters total, you're really reducing the amount of our possibilities that someone's going to... Sorry, let's try again this time in English. Take two. We're going to try and make sure to reduce the amount of computations
that the person's going to have to do to crack that password. Can I get a round of applause for saying that right? Thanks. It's so hard being Irish up here. Anyway, number six. Yes, Ikea, go team. I actually thought when I saw this, you're going to have to put this error together yourself.
You know, there's going to be a screw loose here. Never show in production error messages like this, please. Just because you can't read them doesn't mean I can't. I see this a hell of a lot. I see stack traces going out and I go, Oh, God. Right. OK, so now I'm going to see.
Could not find file C clients, IMA. Right, so I now know where stuff is and this is from a production server and I'm thinking, right, you know, how much information does this give you? A hell of a lot. So you just kind of go, all right, now I know they haven't turned off error messages, I know I can do stuff.
Yeah, and it gives, like, sorry, I can actually see what they're, there's way too much information. It's like, right, here I go, I can just break it all open. Right. In production, or sorry, in testing and development, this is fine. We all need this. At the minimum, if you do nothing else and take anything else out of this kind of session as well,
in your web.config, set customErrors to RemoteOnly, by default. Go off and download from Sayed Hashimi, he's got this thing called SlowCheetah, which is web.config and app.config transforms. So when you push into production, you can set all these values up. If you go to test, it'll set all the correct values for you,
so that when you actually build a production system, everything's done right. But people forget this stuff too easily. They leave debug on, they leave the trace.axd available, they leave error messages like this stuff up and running. It is way too easy once you see this type of information to start going, I will break this further. And even if we're just being nice, I found this on the Irish Examiner website,
which is a very large newspaper, and I emailed the webmaster twice with two different screenshots and saying, listen, you need to do this. And eventually they kind of fixed it, and I think it might have been just an intermittent error, but it still was enough that I said, if I can find your error messages, do it like this, please, you need to fix it. It was also written in VB.NET, but anyway.
Right. Number five. Permissioning. This is really one of those things that I think that developers get, but they choose to ignore. If I asked you, how many connection strings do you have in your system,
most people will say, one. I have a single connection string to my database. And I said, okay, what are the permissions? And he says, it's got read and write. It's a data reader and data writer. I said, okay. Why does search need write? A search function, why does it need write? And he goes, I don't know.
I said, so why not have a separate connection string that is only working with read operations? He goes, I don't know. It's hard. I'm like, okay. Do you have an ORM? And he goes, yes. And I said, can you swap out stuff? And he goes, yeah. And I said, okay, right. So the question I ask you is,
what permissions does your system need, and does it need all of them? Now, in the olden days, before the OpenXML SDK, and you wanted to do office automation on the server, most people installed Excel or Word on the computer, on the server. They installed it to C:\Program Files, blah, blah, blah. Standard default.
They tried to do the automation stuff, and then it would go, cannot access directory. So they would go, okay, I'll try and do that up. And then they'd eventually give up and say, we're going to elevate the app pool to administrator. And then it would work. And then they would say, that's okay. And then I said, so you found the security problem. You know it's an actual security issue,
but your fix is to give it God and leave it. And he goes, yeah. Okay. So, permissioning and sufficient permissions. Like, within SQL Server, did you know you can actually just restrict the entire thing to stored procedures, and just take away all the permissions on the tables and views?
So everything goes through the stored procedure, and that's it. And then you just grant execute and the correct permissions on that, and you're done. You can restrict to data reader and data writer. App pools should be only restricted to the actual permissions they need. They shouldn't allow cross permission in sets. Another issue that pops up every so often is what we call double hop authentication.
And with IIS, that means that the person has logged onto the computer from the client, and has tried to access the database, and the database says, I cannot access under network service. So then you see, inside in the server, someone has gone and added computer name, network service, to the security logins. So allow this computer the whole way through.
So you got the, and I see this a lot. When I go into clients, I say, okay, see SQL Server, look into it, and I say, you've had computer, computer, computer, computer, did you have a double hop authentication problem? Double hop what? I said, did it fail the login the first time you tried it outside of development? Yes. Right. Here's your problem. And then you watch their heads explode.
Because the whole concept is difficult and delegation and Kerberos and blah, blah, blah, blah. They just go, it was easier doing it this way. And that is most times what developers will end up going, it was easier doing it this way. It's okay, it lasts, it works, honest. No one will break it. My mother says to me, is it okay if I send my credit card number to you? I said, sure. Can I send it by email? I said, hell no.
She goes, why not? I said, it's not secure. But Niall, I was brought up to be trusting. And I said, so was I, but hell no. I said, you can trust the email all you like, but I won't. So I just, yeah. I had this actually, this is something that probably pops into my head a bit more often than yours. I had a phone call from a hotel and I said, hi, we know you're staying with us
in a week and a half's time. Can we get your credit card number to pre-authorize for you? And it was like, no. I don't know who you are. Well, you can ring back this number and we'll answer for you. I said, still don't know who you are. It's like, and the person on the phone was getting really upset that I would not hand over my credit card details to someone I didn't know.
And they were, yes. Do you have a question? Or are you just waving at me? Sorry, no problem. And I was like, okay, that's just odd and no, I won't do that. And they kind of said, okay, you can be a bit paranoid and you can pay when you get here. And I was like, okay. Because we even say this, don't give away your credit card at a restaurant without being able to see it
because someone will just clone it. Because you don't know. This person could be sitting there with his pen and paper and just going writing it down and then saying, job done. So it's a bit aside, but it's permission. Like, would you allow someone into your system willy-nilly or kind of just blindly? We do this with authorization. We do this with everything. Permissioning is a very, very important part of our application.
Unfortunately, a lot of developers do not understand how actual Windows permissioning and permissioning sets work anymore. I see this more often, that they actually don't understand how NT auth actually works under the hood. And it's something I think you should always take a look at. Now, number four, we start getting into more interesting things. And this is a bit of a demo.
It's actually directory traversal. And directory traversal is where you say, I'm going into this directory and I actually go somewhere else. Can I ask someone, what is the difference between 403 and 404 in an error code? Yeah, permission denied and not found. Now, if I put up a computer
and I say, right, whack, whack, whack, whack, server.com forward slash downloads and it goes, access denied. What do I now know? Thank you, it exists. What does error 404 tell me? It doesn't exist. But it may exist, we just have changed the error 403
to turn the error 404 message. All of a sudden someone's going, carry the one. Yeah, the carry the one bit. The 403 versus the 404, this is a probing technique and it says okay, I'm going to try and just ping what directories I think will exist and see do I get a 403 back
or do I get a directory listing. Now, let's see. We'll just duplicate this if it works. There we go. Let's pray to the demo gods. Where am I going? Right.
Okay, I have a little project thing here. I call this project Swiss cheese. It's super secure. I'll show you some new stuff. I have, am I on the right? I'm on the wrong, sorry, I'll start this again. I have this done with, I just need to set this over
to the Cassini server. Apparently Cassini is dead now, so we're all good. We're going to upload a file. This person has decided
they will upload files. Normally we get pictures and do stuff like that and we say no. We're going to do something more fun. We're going to upload a thing called badstuff.aspx and save and show. It does nothing. We do copy image URL, paste and go. Ooh, what's that?
Sorry, if you can't see that, this little badstuff.aspx is an example of where all it is, is a file explorer in a single page. Nothing more advanced than that. Now, what it also allows me to do is the following. Download files.
Because what I've said to do is Response.TransmitFile on this. So it just ignores everything and just downloads stuff. Now I didn't have enough time, or just too lazy to be honest, to add it to do more kind of traverse up and out of the current directory. But what the person here has done, i.e. me, because I wanted to do it and not because I'm stupid and Irish and et cetera,
but what I said I would do is I would allow people to upload pictures and display them. But I never checked to see what file I was uploading. Now we always say when you upload an .exe file, for example, the system will actually check this. This is an ASPX file. I uploaded it and I said right, now let's do something with it. So I said fine.
And as we all know, web.config cannot be downloaded from ASP.NET. I beg to differ. I didn't click an open show info. It's gonna... Microsoft official allow access. How often do I open up web.config in Visual Studio? Come on.
Come on. Come on. That's the old web.config. That's the other one. Hang on a second. There's another one here. web.config again too. And what I've done is I've downloaded the web.config for this site. I know this is a very trivial example, but I've actually found this in the wild where someone allowed an upload of a file
and said I want you to upload Word documents and didn't check what files they were uploading. I then found out where the file was coming from and said okay, then using kind of the probing techniques, looking at say downloads, uploads, kind of things like that, I had one where they uploaded it and they converted the name to ticks and then I said right, so I'm gonna have to figure out
so I just set the ticks seeding point to the correct point where I thought it'd be and try to match it up. It took a little bit of time, but eventually I got the ticks right or I just said right, let's crawl it and give it a number where I can just generate ticks numbers and off it went and it just downloaded this file. So now you can see here, if I actually do tools, change the font, a little bit louder.
16. We can all see that on the back, even the blind people. Good call. Right. We can now see what they're running. We can see the SQL server. We can see the password. We can see they've got the machine key and validation keys and I'm going woohoo, lovely. I can now decrypt stuff. I can do other bits and pieces. This is basically machine-owned goodnight.
Now we all know that it is very difficult to decompile a .NET DLL, right? Or is it just me that doesn't know that? Yeah. So I showed this as a kind of proof of concept to someone and they needed to wear brown shorts after that.
They were not a happy bunny, especially when I proved this on their live site and showed them this and they were like, okay, right. We might have to fix that little bit. Yeah, it might. So this is a directory traversal. This is where I'm actually doing something I'm not supposed to do. I'm uploading a file or I'm browsing into a file to get it.
The most common one, and you see this more often than you'd want to, is someone says, DownloadFile.aspx?filetype= or filename=, because they don't know how to do the meta downloads. They just want to do Response.Redirect, for example. Or Response.TransmitFile. If I show you how this file is written,
I'll show you what it's actually doing. As you can see, this is very, very simple. Just says, where are the current application paths? So I'm working out where I am. And then I just do a kind of directory info
where the current path is and just try and list all the files and then bind that to a repeater. Very, very simple. The trick here is this thing here called OutputStream.Write. What that does is it allows me to transmit the file without completely bypassing the pipelines. It just kind of says, I'm transmitting the file. I have to force the download. Yes, sir, question.
If you rename an ASPX file to an image and upload it, it will not work, because the image will actually be processed through IIS rather than the ASP.NET pipeline, which is where this is making, this is being processed by ASP.NET DLL,
or whatever the actual processor is. Good question, but yes. You could probably craft it in a way to do it, but there was a kind of the old concept of, what was it, in Internet Explorer, one of the versions, it didn't check the mime types correctly and executed the files arbitrarily.
And allowed you to run, for example, executable code on the client computer. But I think they've long fixed that because it was Internet Explorer 5 or something, way back in the day. But yeah, as what this does, is it just reads all the files and transmits it all out for you. It's a very, very simple kind of concept, but if I asked you, how would this work on your website today
if you upload files, would you be secure? Or is it something like that you go, I've never seen anyone do this, and why would you do this? Can I get a show of hands? How many would say, I've never thought of doing something like this before? You guys need to check your websites.
If you've never thought of doing something like this before, you should. This is the kind of stuff that I think that, when you're in development mode, if you're in a team, and you say, right, we're going to try and break the server software, or we're going to break the server, try and do stuff, look at things of, what would I never do normally, and try and break it, and this is kind of one of those things I said, I wonder what happens if they don't check the actual inputs.
Again, a validation issue, again, a problem with very, very simple of, that they would say, I'm not going to bother with it, I'm just going to let people upload files, and I'm not going to do much with it after that, and I've now downloaded it. So that is a directory traversal. It's becoming one of those things that, especially with a probing technique, and kind of like using a kind of dictionary
of normal URLs you use for things to see what response codes you get back. Because then you can start going, I can start building a directory structure. This one just tells you what everything is. So it's very, very simple. It's, yeah, you know. Let's see if this works now. PowerPoint, in the right place, no.
Right. So that was directory, no, that's wrong place. Hang on a second, we're going to try this again. I always do this when I duplicate stuff. Come on. PowerPoint's not my speciality, okay? I'm a developer.
I'm not marketing. Number three. Injections. Cross-site scripting, CSRF, all these fun things. All right. Are we all familiar with what cross-site scripting is? Anyone not familiar with it? Want me to explain it? One person there, two people there, okay. Cross-site scripting is where
you allow text to be put in, in your application, and then you don't escape it so it is rendered as what you put in. For example, and I'll try and do that again in a better language, it means I type in JavaScript in a submit box, and I click submit, and then when it comes up, it pops up alert because you have not escaped the text out. That is a very, very simple version of it.
There are more advanced versions of XSS. There is persistent, which is the most kind of one you don't really, really want to find out. It's where you store information in a database and you render it every time and it pops up and does stuff. Non-persistent, basically you try and inject a cleverly-crafted URL and it brings it up for the next person, and then there's DOM attacks which look at
specific aspects of the DOM. Cross-site scripting mixed with man-in-the-middle attacks are becoming a little bit more prevalent right now. So, you've all heard of jQuery? And we become, think that jQuery is the kind of standard now way of doing JavaScript technology. It is ubiquitous. We use it for everything.
What I'm always going to be worried is someone's going to end up figuring out a way of poisoning jQuery on the CDN or something, and then we're all screwed. But a man-in-the-middle attack where you say, right, I'm going to load jQuery from somewhere, and I just inject mine to load the script, my script first, and then ignore yours. So I own your jQuery now, and I say I'm going to do whatever the hell I like with it.
Very, very common, very, very evil attack. Have you seen the Wi-Fi Pineapple? This lovely little funky little toy from HakShop or Hak5. Wi-Fi Pineapple is a rogue access point. It's a small little access point, a little Wi-Fi reader that sits, and I should have brought it with me, but I didn't.
You plug it in here, and it goes, all your stuff goes, I'm looking for Stavanger Airport, I'm looking for Oslo Flea Plaza, and I'm looking for this. And it'll go, hi, I'm all those. Connect to me. And that'll go, okay. And then I own your internets. I really do. So my little box sitting here, it's saying I'm routing everything through you. And I'm routing everything from you through me.
You want to go to Facebook. I say, you should really log in. I show you the Facebook login. You click Submit. I just capture your details. Bang it off. Okay. That's a man in the middle tag. How many of you have seen, how many of you use Facebook? Quite a lot of you have used Facebook. How many of you have seen that lovely thing,
I can't believe they let her out looking like that picture thingy appear on someone's wall with this person likes that? Huh? You've seen it? I think everyone's seen it. And you just go, oh. Click jacking. Number one kind of new XSS thingy. What a click jack does
is it layers an iframe over your actual, a transparent iframe and a higher z-index number over your image, or an image. And you say, oh, I'm going to click the play button. You go. And all I'm doing is capturing like, like, like, like, like, like, like. I really like this person.
Okay, I'm going to be arrested. It's a very, very common problem, and we see it more often. And it's a huge spam issue within Facebook because people are automatically logged in. They just say, I'm going to click this, and we just put a load of FBML behind the code and do that. It's, if you look at something like Metasploit,
which is a tooling for this type of thing, or BEEF, if you have a look at it, the Browser Exploitation Framework. BEEF is actually pretty awesome because it allows you to craft particular exploits against different browsers and then test them and control them and do stuff. Click jacking, that type of thing, allows you to do, or with this type of, is more and more common on Facebook and is becoming one of those things
that people get really annoyed by, and it's caused a lot of spam. You can prevent a lot of this, actually, by putting in X-Frame-Options equals DENY. It's a new tag in the header, and you say that any time an iframe is loaded, not from my domain, we're going to deny that it actually can load.
Okay, because that's the iframe loading injection in there. It's not, if it's in the meta tags, it's ignored, but if it's in the headers, it'll be accepted, and you can add it as part of the kind of global, Global.asax in the request and say, begin request, set this header, or you can just go into IIS and actually set it up automatically. So we've, if you were at Dominick Baier's talk
just before lunch, he was on about that we should never use cookies. I should switch over to a token-based authentication system. Totally agree with him, but for a lot of us who are probably not dealing with that level of security right now, we are still using cookies. And the thing with cookies is that people will put like base64 encoded password
and username in it and then go, it's secure, and send it over HTTP. Your cookies should not be accessible, especially your authentication cookies and any other type of information, should not be accessible from script, and should definitely be sent over SSL. If you're not SSL-ing your application for logins, don't bother having a login.
Who needs one? We'll just break it anyway. When you think about it, I'm saying, hi, I'd like you to be very, very secure and log in, great, but I'm not gonna give you secure transport layers to do it. Okay, so it's saying, we're gonna get you to go really, really fast around this racetrack. You're gonna really enjoy it, but we're gonna give you no actual
safety equipment whatsoever. There's gonna be no fun. So, stop being bad cookies and make your cookies happy. Send them securely, they like going securely. Very, very simple. Like my airline captain said, we want to be very safe, not like the last plane who went down in flames.
Thanks, dude. You want happy cookies. Happy cookies make a happy life. If we go on to number two, I have a lot more on that. I actually, I'm kind of running out of time, but I will actually, if you find me afterwards, I'll talk to you a bit more about it because I really want to do this one. Number two is SQL injection.
After so long, this is still one of the top problems for ASP.NET, or sorry, web developers in general. Hi. And it causes more and more problems than you'd want to know. So, let's look at the anatomy of an SQL injection attack. Shift-F5. All right.
We are going to F5 this again, and no, actually, I'll do this on the, yeah, it'll be fine. So, we're going to our search, standard text, and I'm going to type in IRL, because this is my thing, and I searched with IRL. Okay. Ireland. Ooh, okay, return some information.
That's all right. Nothing serious there. It's just standard, what the num codes and bits and pieces are. Wonder what happens when I press this. Search. It errors out. That's fine. That's fine. And we go back. Unclosed quotation mark after character string, incorrect syntax near. Yay.
This means developer was stupid and has not done escaping. This is a kind of simple probe attack. I'm just going to try and do a malformed query to see what happens, see if they're doing anything about it. We're then now going to do a nice union query. Oops, sorry, my bad. We'll try and see if this still works. Yeah, I think this is wrong. We'll now do a union query,
which I've now prepared one earlier specially for you. Hm. What's that say? SQL Server 2012 SP1, running on this. Right, so now I know I'm running on SQL Server 2012. They've done this. It's running on, this I can see it's running on Windows 8.
X64, standard build. Okay, cool. Now, if I go and just, I think a little bit, and I say I'm going to go to the admin page here, I see this login. What does this tell you? If I showed you this, not to ask, and I just say, what do you think this is?
Anyone willing to take a guess? Anyone? Last chance. Is that forms authentication for you? Looks like forms off. Now, if you're doing forms authentication in ASP.NET, what happens? You have a standard schema that works.
So, we can kind of assume they're running with forms authentication. All right, not too major. But to prove it, we will run another query here. Union this. You'll notice there there's actually a little comment which tends to close, to ignore the other quotation mark and we'll close it out.
So, I'll just show you. And we'll do a search here. So, now I can see the exact list of tables I've got in this computer. Views, et cetera. So, I can actually see, all right, I don't have to probe it anymore. I can actually, because they've been stupid enough to allow this information schema table to be accessible like this, I can do that.
All right. Let's try another one. This will be a bit more fun. Okay. Dun, dun, dun. These are just known as, most people think when you're going to do an SQL injection attack, you're just going to do drop tables. The old Bobby Tables concept, you know? For those of you who did not get that,
look at xkcd and Bobby Tables. You'll get it after that. Your search was this. Why does that not work? Oh, don't be, come on, search. Oh, it would help if I did a union, right? Search. Cool. All right. So, I've got the username and passwords in encryption.
All right. And probably as I've done this before, I found out I know the machine key and stuff like that. But let's have a little bit of fun. We're going to make a password for this user and we're going to make a new one and we're just going to do something so to show you there's not so much smoke and mirrors in this. ASP.NET Configuration, Security. I'm just going to create a new user here.
We're going to call in ndc-oslo. Right, someone shout out a letter. A. Another letter. Sorry? One second. I'm going to have to put this in a notepad because I'm going to have to do it twice. I'll get two different sets of passwords. It won't really work. So we've got A. Next. Z. Apostrophe.
There's always one joker in the pack. He's like apostrophe. Right, next. Question mark. We'll do those four. Is that okay with four characters? Do you think that's a strong password? Do you want to do two more? Is there one? Two more? Okay. So we're going to do that. Password in. Let's hope that this works. Password in. Password in. Email is this.
ndcoslo at foo dot com. Create user. User's been successfully created. And I'm going to go back here and F5 that. Yes, continue. So we now have our ndc-oslo user.
Because we managed to download the web config previously, we now have a nice little tool here. Try F5 that. That will read in the encryption, or read in the machine key, and allow me to decrypt this. Because I have actually said this, not with SHA-1, but I've set this to be encrypted, not hashed. This is just a kind of a real goofy, stupid attack
that shows that encryption is actually reversible. So we now pray to whatever god you believe in. And we take this, and we go here, and we go decrypt me. And if I look there, I see az apostrophe question mark.
You can decrypt it, and I've just said right. Now, most people go, eh, I guess so, it's pretty good. But what if I said I didn't have the encryption key for this already? But I do know the salt, and I do know,
because what I've done here is actually in my query here, what I've done is I've brought up, we'll probably show it better on the web. What I've done here is I've just shown the current, like the username and password, but I could actually bring up the salt as well. What if I just reset the password to a password I knew? For example, the admin user.
And then log in. Why do I need to try and crack the password when I can just reset it to something better or easier? It's just an example. This is just a simple thing of someone says, oh, I've got to crack the password. Why? If I can inject the SQL, and they will do pieces, I can actually do an insert into this, create the user.
Because I know it's the ASP.net membership provider, I can write and just generate my own ones for it, and then get it to log in. Yes. The comment is that will tell them they're hacked in a way. Very true.
But it depends. To be honest, if they're at this level, I don't think it matters. But it is a fair comment. Do you want to be the kind of, I'm going to do the slash-and-burn, and you'll know you're hacked? Or do you want to do the, I'm in your systems hacking your internet? Yes, sir.
Oh, thank you. I'll buy you a beer for that, because that's actually where I was going with this. Yes. I now know your username and your password. And by inference and cross-pollination, and the fact that users are users, and they will go, I'll probably have the same password somewhere else.
And if you see, for example, somethingsomethingatgmail.com, and I say, cool, and they use a password, you can probably assume that it's either that variation or that password that will allow them to do it. These are what your mistakes will cause people. So what I'm trying to get you at is that
your mistakes have consequences, and they'll affect others. Now imagine you're going into a system, and you're trusting that they're doing that for you correctly, okay? I'm going to make this all freely available. There will be all the webs and stuff, and kind of things, and you can go play with them and just annoy people. The number one thing to do.
Never trust your users. Never. Be paranoid. Assume they're going to break it. If you've got kids, they say you should baby-proof a house. Some people say you should house-proof the children, but most people say you should baby-proof the house.
And that's the thing. You have to assume your users are going to be a little bit kind of cocky. You're not going to get all nice people who are going to actually say, hi, I broke your system, but I didn't want to screw it up, so I just sent you an email to say, you should fix that. Here are my rates. They're not going to do that. It will leave you hyper-frustrated. You're just going to have to assume
that everyone's out there to destroy stuff, and they're going to break everything. There's a lot of ASP.NET resources. Troy Hunt, being a very nice man, has created this OWASP Top 10, and it's freely available. The books I gave away are from Barry Dorrans. He's a senior SDE from Microsoft, and he wrote Beginning ASP.NET Security,
and without his help and Troy's help, this session would not have actually happened, so thanks to them, and thanks to my wife, being extremely patient about everything. You can see this combating click-jacking with X-Frame-Options. This is very, very handy. Just throw this in. It's a very quick change. Gets rid of a lot of click-jacking issues. And AntiXSS, if you're using anything less than the .NET Framework 4.5,
install it and have it running. Save for web to check it, and then there's the ASP.NET security wiki. For IIS, you have the security guidance, the lockdown tool, which is very handy. Be careful if you use the lockdown tool. It can sometimes lock it down too hard, and your application breaks. So, you know, be careful. Make sure you're doing all right. URLScan to have a look at what's going on,
configuring security tools. There's a penetration testing tools list, which is there, which will kind of let you have a go with stuff. You've got to use mostly often Unix to kind of do things like Metasploit. Oh, what's the, there's, Metasploit is one of the other ones. There's a WAF or something like that will do it for you and a couple of other bits and pieces.
And then I have all my image credits, which take forever. Contact details. If you want to have a chat with me, I will be floating around for the rest of the day. I'm not here Friday, unfortunately. But please do get in contact, ping me on Twitter, anything like that. And finally, any questions? Comments?
Did anyone get zero? Yes! Let the record show I have five years and still no one with zero. Or else just there's one person going, what, I just woke up. Ladies and gentlemen, thank you very much and thank you for listening. Have a great day.
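The search demo in the talk (concatenated SQL, a union query that reveals the server version and table list, a single read/write connection string) maps onto three of the speaker's fixes: a central whitelist validation rule, a parameterised query, and a connection string whose login can only read. The code below is an added example written for this transcript, not code from the talk's demo project; the `SearchReadOnly` connection-string name and the `Countries` table are assumptions.

```csharp
// Added example (not from the talk). The connection-string name "SearchReadOnly" and
// the Countries table are assumptions for illustration.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CountrySearch
{
    // Central whitelist rule: an ISO-style alpha-3 code and nothing else.
    // Every caller routes through IsValidCountryCode, so a change here applies everywhere.
    private static readonly Regex CountryCode = new Regex("^[A-Z]{3}$", RegexOptions.Compiled);

    public static bool IsValidCountryCode(string input)
    {
        return input != null && CountryCode.IsMatch(input);
    }

    // VULNERABLE (the pattern the talk breaks): the value becomes part of the SQL text,
    // so a stray quotation mark yields "Unclosed quotation mark..." and a crafted value
    // can append its own UNION. Shown only for contrast; never call this.
    public static string BuildUnsafeSql(string code)
    {
        return "SELECT Name, NumCode FROM Countries WHERE Alpha3 = '" + code + "'";
    }

    // SAFE: whitelist first, then a typed parameter that is never parsed as SQL,
    // executed under a login that only holds read permission (db_datareader or
    // EXECUTE on a read-only stored procedure), so search cannot write even if it wanted to.
    public static DataTable Search(string code)
    {
        if (!IsValidCountryCode(code))
            throw new ArgumentException("Invalid country code", "code");

        string cs = ConfigurationManager.ConnectionStrings["SearchReadOnly"].ConnectionString;
        var table = new DataTable();
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT Name, NumCode FROM Countries WHERE Alpha3 = @code", conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.Char, 3).Value = code;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }
}
```

With this shape, the "probe" the speaker runs (a lone apostrophe in the search box) is rejected by the whitelist before a connection is even opened, and anything that slips past a looser rule is still only ever a parameter value. Pair it with a second connection string for the code paths that genuinely need to write.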
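The badstuff.aspx demo and the ticks-named upload the speaker found in the wild both come down to two missing checks: what is being uploaded, and where a download request is allowed to point. The following is an added example for this transcript, not the talk's "Swiss cheese" project; the handler names, the `image` form field and the `C:\AppData\Uploads` folder are assumptions.

```csharp
// Added example (not the talk's demo project). Handler names, the "image" form field
// and the upload folder are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public static class UploadPolicy
{
    // Whitelist: only these extensions are accepted. .aspx, .config, .exe and anything
    // else not listed is refused outright rather than "cleaned up".
    public static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif" };

    // Assumed location outside the web root, so IIS never serves or executes what lands here.
    public const string UploadRoot = @"C:\AppData\Uploads";

    // Magic-byte check: the extension alone proves nothing about the content.
    public static bool LooksLikeImage(Stream s)
    {
        var h = new byte[4];
        int n = s.Read(h, 0, h.Length);
        s.Position = 0;
        if (n < 4) return false;
        bool jpeg = h[0] == 0xFF && h[1] == 0xD8 && h[2] == 0xFF;
        bool png  = h[0] == 0x89 && h[1] == 0x50 && h[2] == 0x4E && h[3] == 0x47;
        bool gif  = h[0] == 0x47 && h[1] == 0x49 && h[2] == 0x46 && h[3] == 0x38;
        return jpeg || png || gif;
    }

    // Directory-traversal check: the name must be a bare file name, and the resolved
    // path must still sit under root after ".." and absolute paths are normalised away.
    public static bool TryResolve(string root, string name, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name)) return false;
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, name));
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return false;
        fullPath = candidate;
        return true;
    }
}

public class ImageUploadHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpPostedFile file = context.Request.Files["image"];
        string ext = file == null ? null : Path.GetExtension(file.FileName);
        if (file == null || file.ContentLength == 0
            || !UploadPolicy.AllowedExtensions.Contains(ext)
            || !UploadPolicy.LooksLikeImage(file.InputStream))
        {
            context.Response.StatusCode = 400;   // refuse; do not try to repair the request
            return;
        }
        // Never reuse the client's file name: generate one and keep only the whitelisted extension.
        string stored = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        file.SaveAs(Path.Combine(UploadPolicy.UploadRoot, stored));
        context.Response.ContentType = "text/plain";
        context.Response.Write(stored);
    }
}

public class ImageDownloadHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string path;
        if (!UploadPolicy.TryResolve(UploadPolicy.UploadRoot, context.Request.QueryString["file"], out path)
            || !File.Exists(path))
        {
            context.Response.StatusCode = 404;   // same answer for "outside root" and "missing"
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);
    }
}
```

Two design points follow the talk directly: the download handler answers 404 for both "not there" and "not allowed", so the 403-versus-404 probing the speaker describes learns nothing from it, and uploads are stored under a random name in a folder IIS does not serve, so an uploaded .aspx could never reach the ASP.NET pipeline even if the whitelist were misconfigured.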
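The speaker's two header-level fixes, X-Frame-Options set from Global.asax on every request and authentication cookies that script cannot read and that only travel over SSL, fit in one small HttpApplication. This is an added example for this transcript, not the talk's own code; the web.config settings quoted in the comments are the standard ASP.NET elements for the same thing.

```csharp
// Added example (not from the talk): Global.asax code-behind that sets the clickjacking
// header and hardens every outgoing cookie.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Clickjacking defence. Browsers honour X-Frame-Options only as a response header;
        // a <meta> tag with the same name is ignored, as the talk notes.
        Response.AppendHeader("X-Frame-Options", "DENY");
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HardenCookies(Response.Cookies);
    }

    // HttpOnly keeps the cookie out of document.cookie, so an XSS payload cannot read it;
    // Secure stops the browser sending it over plain HTTP at all.
    // The declarative equivalents in web.config are
    //   <httpCookies httpOnlyCookies="true" requireSSL="true" />
    //   <authentication mode="Forms"><forms requireSSL="true" /></authentication>
    // and, for the error-message point, <customErrors mode="RemoteOnly" />.
    public static void HardenCookies(HttpCookieCollection cookies)
    {
        foreach (string name in cookies.AllKeys)
        {
            HttpCookie c = cookies[name];
            c.HttpOnly = true;
            c.Secure = true;
        }
    }
}
```

Setting Secure unconditionally means a login over plain HTTP simply does not persist, which is the speaker's point: if the login is not under SSL, it should not work at all rather than work badly.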