Today, I delivered a basic 3-hour session on areas to focus on when hardening security in WA State Agencies. I mainly focused the first half of the presentation on common best-practice methods like clear lines of communication between Project Managers and Network, Security, and Database Administrators, as well as practicing good coding practices such as peer-programming, code-reviews, and the like. I finished off the first 2 hours by demonstrating the use of Fiddler2 and how it could be used to probe and then attack an ASP.NET MVC application.
In the second half of the presentation, I demonstrated how ASP.NET MVC’s default behavior for the “Model Binder” could be leveraged by savvy users of Fiddler2 to overwrite somebody else’s “User” information on a basic application. In both scenarios, I demonstrated how to defeat the hack by writing a bit more code to validate that the user logged in was actually the same as the user-data being updated or queried.
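For readers who want to see what that model-binder attack and its fix look like in code, here is an added example (not the demo source from the talk, which is not on this page). The model, repository and controller names are hypothetical. The hardened action does the ownership check described above, that the authenticated user matches the record being updated, and also goes one step further than the post describes by whitelisting the bindable properties with `TryUpdateModel`, so that fields the form never shows (like `Id` or `IsAdmin`) cannot be set by an extra form field added in Fiddler2.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical model for this example. Every public settable property is a
// candidate for the default model binder to populate from the POST body.
public class UserProfile
{
    public int Id { get; set; }
    public string UserName { get; set; }   // login name that owns the record
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }      // never rendered on the edit form
}

// Hypothetical persistence layer; any real implementation will do.
public interface IUserRepository
{
    UserProfile GetById(int id);
    void Save(UserProfile profile);
}

// BEFORE: the default binder fills the whole UserProfile from the request,
// and nothing ties the record to the caller. A Fiddler2 user can change
// "Id=7" or append "IsAdmin=true" to the request body and this action saves it.
[Authorize]
public class VulnerableProfileController : Controller
{
    private readonly IUserRepository _repo;
    public VulnerableProfileController(IUserRepository repo) { _repo = repo; }

    [HttpPost]
    public ActionResult Edit(UserProfile profile)
    {
        _repo.Save(profile);   // trusts Id, UserName and IsAdmin straight off the wire
        return RedirectToAction("Index");
    }
}

// AFTER: load the record server-side, refuse unless it belongs to the
// logged-in user, then bind only the fields the form is allowed to change.
[Authorize]
public class ProfileController : Controller
{
    private readonly IUserRepository _repo;
    public ProfileController(IUserRepository repo) { _repo = repo; }

    [HttpPost]
    public ActionResult Edit(int id)
    {
        var existing = _repo.GetById(id);
        if (existing == null)
            return HttpNotFound();

        // Ownership check: the identity from the auth cookie, not anything
        // posted in the form, decides whose record this is.
        if (!string.Equals(existing.UserName, User.Identity.Name,
                           StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403);

        // Whitelist binding: Id, UserName and IsAdmin are not in the list,
        // so any values posted for them are ignored.
        if (!TryUpdateModel(existing, new[] { "DisplayName", "Email" }))
            return View(existing);

        _repo.Save(existing);
        return RedirectToAction("Index");
    }
}
```

The same pattern applies to the "queried" case from the talk: any action that takes a record id should look the record up and compare its owner to `User.Identity.Name` before returning it, rather than trusting that the id in the request belongs to the caller.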
I’ll be posting the links to the ZIPPED source-code that I was demonstrating shortly… (Monday, May 2nd, 2011)
Drop me a line if you have any questions or want to discuss something else!