WEBVTT 1 00:00:00.040 --> 00:00:03.160 Welcome back to the deep dive. Today. We're really getting 2 00:00:03.160 --> 00:00:05.960 into some source material you shared with us. It's excerpts 3 00:00:06.040 --> 00:00:09.400 from Advanced ASP dot net Core three security. 4 00:00:09.640 --> 00:00:13.000 That's right, and our mission really is to unpack this, 5 00:00:13.359 --> 00:00:15.119 pull out the key stuff you need to know about 6 00:00:15.119 --> 00:00:18.640 web app security, especially in that ASP dot net core 7 00:00:18.719 --> 00:00:19.640 three context. 8 00:00:19.719 --> 00:00:22.280 Yeah, think of it as a focused tour. We want 9 00:00:22.280 --> 00:00:26.440 to get you the crucial concepts, common attacks, practical defenses, 10 00:00:26.920 --> 00:00:29.120 all straight from this material exactly. 11 00:00:29.160 --> 00:00:31.760 We're aiming for those moments where it clicks, maybe some 12 00:00:31.800 --> 00:00:35.479 surprising bits along the way that really stick. 13 00:00:35.679 --> 00:00:37.799 We'll cover quite a bit starting with the basics what 14 00:00:37.880 --> 00:00:41.359 is security online? Then look at how attacks happen, common 15 00:00:41.359 --> 00:00:42.880 ones like SEQL injection. 16 00:00:42.640 --> 00:00:46.439 EXSS, and specifically how aspnt core three deals with them. 17 00:00:46.840 --> 00:00:52.200 Sometimes the default behavior is well interesting. We'll definitely cover authentication, authorization, testing, 18 00:00:52.640 --> 00:00:53.479 a whole life cycle. 19 00:00:53.520 --> 00:00:55.920 Really, the goal isn't just a list, right, it's the 20 00:00:55.960 --> 00:00:59.079 why why these things matter, so you can build systems 21 00:00:59.119 --> 00:01:00.479 that are genuinely solid. 22 00:01:00.600 --> 00:01:03.200 Absolutely, it's about context, not just checklists. 23 00:01:03.359 --> 00:01:05.400 Okay, so let's kick things off right at the beginning. 24 00:01:05.799 --> 00:01:09.599 Security for websites applications. What are we actually trying to 25 00:01:09.640 --> 00:01:14.640 protect the source brings up the classic model, the CIA triad. 26 00:01:15.040 --> 00:01:20.519 Ah yes, CIA good old confidentiality, integrity and availability. 27 00:01:20.879 --> 00:01:22.280 Simple concepts, but. 28 00:01:22.439 --> 00:01:25.799 Fundamental confidentiality first, keeping things secret. 29 00:01:25.519 --> 00:01:28.439 Pretty much Yeah, making sure only the right people or 30 00:01:28.480 --> 00:01:32.599 systems can access sensitive data, you know, like customer info, 31 00:01:32.760 --> 00:01:34.079 private messages. 32 00:01:33.599 --> 00:01:36.799 That sort of thing. So stopping unauthorized peaking, got it? 33 00:01:36.879 --> 00:01:37.879 And integrity. 34 00:01:37.959 --> 00:01:41.040 Integrity is about trust, Trust that the data hasn't been 35 00:01:41.079 --> 00:01:43.519 messed with, that it's accurate, whether it's sitting in a 36 00:01:43.599 --> 00:01:45.400 database or flying across the network. 37 00:01:45.519 --> 00:01:48.079 Makes sense, like you wouldn't want someone changing order details 38 00:01:48.120 --> 00:01:49.120 mid process. 39 00:01:48.840 --> 00:01:52.959 Exactly or subtly altering content on a website without anyone noticing. 40 00:01:53.159 --> 00:01:54.000 You need to know what's. 41 00:01:53.879 --> 00:01:56.239 Reliable and the last one. Availability. 42 00:01:56.359 --> 00:01:59.400 Availability just means the systems up and running when legitimate 43 00:01:59.480 --> 00:02:02.879 users need it. Think DIDOS attacks trying to knock a 44 00:02:02.920 --> 00:02:05.519 site offline. That's an attack on availability. 45 00:02:05.840 --> 00:02:07.959 Though the source makes a fair point, doesn't it that? 46 00:02:08.000 --> 00:02:11.280 For web developers, our main focus often ends up being 47 00:02:11.280 --> 00:02:16.479 more on confidentiality and integrity. Availability sometimes falls more to 48 00:02:17.360 --> 00:02:18.599 like infrastructure teams. 49 00:02:18.800 --> 00:02:22.560 Often, Yeah, it's a reasonable distinction in practice. Now, who 50 00:02:22.560 --> 00:02:26.120 are we defending against the term hacker gets thrown around 51 00:02:26.159 --> 00:02:29.439 a lot, right. The book outlines a typical attack flow 52 00:02:29.879 --> 00:02:31.199 starts with reconnaissance, just. 53 00:02:31.159 --> 00:02:33.840 Gathering info, scoping things out, YEP. 54 00:02:33.800 --> 00:02:39.400 Finding vulnerabilities, understanding the technology, looking for weak points, all 55 00:02:39.439 --> 00:02:40.680 the homework before the. 56 00:02:40.680 --> 00:02:43.199 Actual attempt, and after recon. 57 00:02:42.960 --> 00:02:43.960 Then comes penetrate. 58 00:02:44.000 --> 00:02:46.680 That's the initial break in exploiting a weakness found during 59 00:02:46.680 --> 00:02:48.240 recon to get that first foothold. 60 00:02:48.280 --> 00:02:50.280 And they don't just stop there, presumably no. 61 00:02:50.240 --> 00:02:54.840 Way next is often hide evidence, covering their tracks, maybe 62 00:02:54.879 --> 00:02:57.280 setting up persistent so they can stay in longer without 63 00:02:57.280 --> 00:02:57.960 being detected. 64 00:02:58.159 --> 00:03:01.000 Makes sense, want to stick around and it's worth remembering. 65 00:03:01.159 --> 00:03:04.240 Like the book says, it's not always super technical exploits, 66 00:03:04.520 --> 00:03:07.479 phishing emails, maybe even a disgruntled employee. 67 00:03:07.560 --> 00:03:08.840 Those are common ways in two. 68 00:03:09.039 --> 00:03:12.840 Yeah, the human element. Okay, some key terms the source clarifies. First, 69 00:03:13.360 --> 00:03:15.560 attack surface, what's the deal there? 70 00:03:15.599 --> 00:03:19.479 Your attack surface is basically while all the different points 71 00:03:19.479 --> 00:03:22.080 where an attacker could possibly try to interact with your system, 72 00:03:22.159 --> 00:03:26.439 think log in forms, APIs, file uploads, anywhere input. 73 00:03:26.159 --> 00:03:28.879 Is accepted, and the general idea is to make that smaller, right, 74 00:03:29.240 --> 00:03:30.639 less places to attack. 75 00:03:30.479 --> 00:03:34.599 Usually yes, minimize the surface, but there's this interesting nuance 76 00:03:34.639 --> 00:03:38.199 mentioned sometimes increasing the number of attack points, like maybe 77 00:03:38.199 --> 00:03:40.919 splitting a sensitive function into its own separate API. 78 00:03:41.199 --> 00:03:42.479 Wait, increasing it helps. 79 00:03:42.840 --> 00:03:45.639 How it sounds weird, I know, but think about the 80 00:03:45.639 --> 00:03:49.319 impact if that separate sensitive API gets breached. Maybe the 81 00:03:49.400 --> 00:03:52.360 damage is contained just to that sensitive data. If it 82 00:03:52.400 --> 00:03:55.159 was all part of one big application, the breach might 83 00:03:55.199 --> 00:03:59.719 expose everything, so larger surface potentially smaller blast radius. 84 00:04:00.199 --> 00:04:05.280 Okay, that's a counterintuitive point. Interesting. Next term security by obscurity. 85 00:04:05.400 --> 00:04:08.719 Ah, this one the idea you can secure something just 86 00:04:08.759 --> 00:04:11.599 by hiding it well, like using a weird port number 87 00:04:11.719 --> 00:04:14.919 or a secret URL. And the verdict is for web apps, 88 00:04:15.000 --> 00:04:18.000 forget it. It's just not a reliable strategy. The web 89 00:04:18.040 --> 00:04:20.319 is designed to be found, and scanners are really good 90 00:04:20.319 --> 00:04:23.040 at finding things no matter how obscure you think you've 91 00:04:23.040 --> 00:04:25.639 made them. Hiding isn't securing. 92 00:04:25.600 --> 00:04:28.560 Right, Okay. A core theme that comes up again and 93 00:04:28.600 --> 00:04:32.720 again is this balance. Security isn't purely technical. 94 00:04:32.879 --> 00:04:36.639 Absolutely, it's a business decision fundamentally. 95 00:04:36.079 --> 00:04:38.600 Like that analogy in the source. Yeah, you don't spend 96 00:04:38.639 --> 00:04:41.439 one hundred bucks to protect a twenty dollars bill exactly. 97 00:04:41.720 --> 00:04:44.319 The effort has to match the value of what you're protecting. 98 00:04:44.639 --> 00:04:51.519 Protecting say PII personally identifiable information or PHI personal health 99 00:04:51.519 --> 00:04:55.639 information that demands way more security effort than I don't know, 100 00:04:55.720 --> 00:04:57.519 a simple brochure website. 101 00:04:57.600 --> 00:04:59.560 Higher stakes, more protection, right. 102 00:05:00.040 --> 00:05:03.839 Leads directly into that classic tension between security and user 103 00:05:03.879 --> 00:05:05.319 experience or UX. 104 00:05:05.399 --> 00:05:07.879 Yeah, the more secure often the more annoying for the user. Right, 105 00:05:08.040 --> 00:05:08.920 more steps, more. 106 00:05:08.800 --> 00:05:11.959 Friction, totally finding that sweet spot is key. You expect 107 00:05:12.160 --> 00:05:15.160 MFA and maybe some extra checks logging into your bank. 108 00:05:15.240 --> 00:05:17.319 You'd be pretty annoyed if a simple form made you 109 00:05:17.399 --> 00:05:20.160 jump through those same hoops. Context is everything. 110 00:05:20.439 --> 00:05:23.759 Okay, foundation's laid. Let's shift into some core tech stuff. 111 00:05:23.800 --> 00:05:30.759 But through that security lens. Cryptography first, symmetric encryption. What's 112 00:05:30.839 --> 00:05:32.000 the key takeaway? 113 00:05:32.079 --> 00:05:33.680 Symmetric means same key. 114 00:05:34.279 --> 00:05:38.360 One key locks the data, encrypts plaintext to ciphertext, the 115 00:05:38.399 --> 00:05:40.959 same key unlocks it decrypts back to plaintext. 116 00:05:41.079 --> 00:05:43.040 And the standard now is AES YEP. 117 00:05:42.959 --> 00:05:46.160 AES based on Rhindale. It's a block cipher. The source 118 00:05:46.199 --> 00:05:49.480 mentions things like ryandale create encryptor just to give the concept. 119 00:05:49.600 --> 00:05:53.000 And there's something called an initialization vector in OIV right. 120 00:05:52.839 --> 00:05:56.720 And IV is basically random data mixed in during encryption. 121 00:05:57.000 --> 00:05:59.040 Its main job is to make sure encrypting the same 122 00:05:59.120 --> 00:06:02.000 data with the same key D produces different results each time. 123 00:06:02.160 --> 00:06:06.160 Ah, so attackers can't spot patterns easily, and it's safe 124 00:06:06.199 --> 00:06:08.120 to store the IV with the encrypted data. 125 00:06:08.199 --> 00:06:11.079 Generally, yes, the security comes from the key, not the 126 00:06:11.120 --> 00:06:12.199 IV's secrecy. 127 00:06:12.279 --> 00:06:15.199 Okay, that's symmetric. Hashing is different, though totally different. 128 00:06:15.240 --> 00:06:16.360 Hashing is a one way street. 129 00:06:16.439 --> 00:06:18.519 You put data in, you get a fixed size string 130 00:06:18.639 --> 00:06:22.000 the hash out, but you can't realistically go backwards from 131 00:06:22.040 --> 00:06:23.519 the hash to the original. 132 00:06:23.279 --> 00:06:24.959 Data, and its main use is in security. 133 00:06:25.160 --> 00:06:29.720 Two big ones highlighted checking integrity, making sure data hasn't changed. 134 00:06:30.120 --> 00:06:34.600 You hash it, store the hash later, rehash it, compare 135 00:06:35.040 --> 00:06:38.399 if they match it's unchanged. Makes sense, And the other 136 00:06:38.639 --> 00:06:40.199 secure password storage. 137 00:06:40.199 --> 00:06:41.000 This is huge. 138 00:06:41.279 --> 00:06:44.120 Instead of storing passwords directly, which is a disaster waiting 139 00:06:44.160 --> 00:06:46.519 to happen if you get breached, you store a hash 140 00:06:46.560 --> 00:06:47.399 of the password. 141 00:06:47.720 --> 00:06:49.800 So when I log in, you hash what I type 142 00:06:49.800 --> 00:06:51.879 and compare it to the stored hash exactly. 143 00:06:52.000 --> 00:06:54.920 If the hash is match, you entered the right password, 144 00:06:55.040 --> 00:06:57.120 but the original password was never stored. 145 00:06:57.319 --> 00:07:00.000 Smart what about hash collisions cou'd bad. 146 00:07:00.439 --> 00:07:02.959 It can be a collision is when two different inputs 147 00:07:03.000 --> 00:07:06.079 happen to produce the exact same hash. If people can 148 00:07:06.120 --> 00:07:09.319 find collisions easily for an algorithm, it weakens it for 149 00:07:09.399 --> 00:07:12.639 things like digital signatures and it gets deprecated. 150 00:07:12.720 --> 00:07:14.040 Think MD five right. 151 00:07:14.120 --> 00:07:17.199 And for password hashing, salts are absolutely. 152 00:07:16.680 --> 00:07:18.160 Critical, oh completely vital. 153 00:07:18.160 --> 00:07:21.199 Assault is just unique random data that you add to 154 00:07:21.240 --> 00:07:23.959 the password before you hash it. Each user gets their 155 00:07:24.000 --> 00:07:26.600 own unique salt stored alongside their password hash. 156 00:07:26.639 --> 00:07:27.920 Why what does that randomness do? 157 00:07:28.319 --> 00:07:31.879 It kills Rainbow table attacks. Rainbow tables are these huge, 158 00:07:32.000 --> 00:07:35.920 pre calculated lists of hashes for common passwords. If you 159 00:07:35.959 --> 00:07:39.160 don't use salts, an attacker steals your database, looks up 160 00:07:39.160 --> 00:07:41.040 the hashes in their table, and boom, they have the 161 00:07:41.040 --> 00:07:43.639 passwords for common ones instantly, but with salts. 162 00:07:43.680 --> 00:07:46.360 If my password is password one T three with SALTA 163 00:07:46.439 --> 00:07:49.519 and yours is also password one two three, but with salty. 164 00:07:49.439 --> 00:07:53.040 The resulting hashes will be totally different. Hashing salted plus 165 00:07:53.040 --> 00:07:55.600 password one two three is different from hashing salt B 166 00:07:55.680 --> 00:07:58.800 plus password one two three. The attacker's pre computed table 167 00:07:58.879 --> 00:08:02.399 is useless. They need a separate table for every possible salt, 168 00:08:02.439 --> 00:08:05.600 which just isn't feasible. The source shows a table demonstrating 169 00:08:05.680 --> 00:08:06.240 this perfectly. 170 00:08:06.319 --> 00:08:09.279 Okay, got it, salts defeat pre computation. What are the 171 00:08:09.319 --> 00:08:11.959 hashing algorithms themselves? SAHA one is a no go. 172 00:08:12.160 --> 00:08:15.160 Yeah, SAHA one is considered broken. SAGA two family like 173 00:08:15.319 --> 00:08:18.199 SAHA two, SAHA five, twelve are the current standards and 174 00:08:18.240 --> 00:08:19.639 dot net core for general hashing. 175 00:08:19.720 --> 00:08:21.040 But for passwords. 176 00:08:20.519 --> 00:08:21.920 Specifically, you want something different. 177 00:08:21.959 --> 00:08:24.160 Yeah, you actually want algorithms designed to be slow and 178 00:08:24.199 --> 00:08:27.000 resource intensive. Things like PBKDF two be. 179 00:08:27.000 --> 00:08:29.959 Crypt script slow. Why slow makes. 180 00:08:29.759 --> 00:08:32.840 It much harder for attackers to brute force guest passwords 181 00:08:33.320 --> 00:08:37.200 If each hash calculation takes significant time, trying billions of 182 00:08:37.240 --> 00:08:41.840 combinations becomes incredibly expensive and slow for them. NIST actually 183 00:08:41.879 --> 00:08:44.600 recommends PBKDF two for password hashing. 184 00:08:44.759 --> 00:08:48.039 Okay. Quick mention of asymmetric encryption like RSA. 185 00:08:48.120 --> 00:08:51.519 Asymmetric uses two keys, a public one you can share 186 00:08:51.559 --> 00:08:54.279 and a private one you keep secret. Encrypt with public, 187 00:08:54.440 --> 00:08:58.639 decrypt with private, or sign with private, verify with public. 188 00:08:58.759 --> 00:09:03.600 It's used everywhere like in TLSSSL. The source does mention 189 00:09:03.639 --> 00:09:07.320 a future concern about quantum computers potentially breaking current algorithms 190 00:09:07.360 --> 00:09:10.039 like RSA, but that's more of a long term heads up. 191 00:09:10.080 --> 00:09:14.039 All right, let's pivot to the Web itself connections requests responses, 192 00:09:14.320 --> 00:09:16.960 but with that security had on HTTPS connections. 193 00:09:17.080 --> 00:09:19.720 So when your browser hits an HTTPS site, there's that 194 00:09:19.879 --> 00:09:23.519 SSLTLS handshake. First, it's a complex back and forth using 195 00:09:23.559 --> 00:09:27.039 asymmetric crypto like RSA to verify the server's identity via 196 00:09:27.120 --> 00:09:29.799 certificate and securely agree on a symmetric key. 197 00:09:30.279 --> 00:09:32.519 So asymmetric sets it up, but then they switch to 198 00:09:32.559 --> 00:09:34.840 faster symmetric encryption for the actual data. 199 00:09:34.879 --> 00:09:35.480 Precisely. 200 00:09:35.879 --> 00:09:39.080 The handshake uses random nonsense too to stop replay attacks, 201 00:09:39.480 --> 00:09:42.559 and your browser checks the certificate against trusted authorities. 202 00:09:42.639 --> 00:09:45.480 We also need to get the basics of a request 203 00:09:45.519 --> 00:09:47.840 in response header's body. 204 00:09:48.200 --> 00:09:51.840 Yeah, understanding what's in those is key. Request headers carry 205 00:09:51.879 --> 00:09:55.120 browser info cookie stuff like that. Response heaters tell the 206 00:09:55.120 --> 00:09:58.200 browser what to do. Set cookies give security instructions and 207 00:09:58.240 --> 00:09:59.039 status codes. 208 00:09:59.240 --> 00:10:03.240 Status codes four or four not found, five hundred, server error, 209 00:10:03.440 --> 00:10:06.759 four to one, unauthorized, four to three forbidden. They tell 210 00:10:06.799 --> 00:10:07.720 a story they really do. 211 00:10:07.879 --> 00:10:09.879 Four oh one means log in, four to three means 212 00:10:09.919 --> 00:10:12.600 you're logged in, but nope, not allowed. The source notes 213 00:10:12.639 --> 00:10:15.320 a small detail ASP met often uses a three zho 214 00:10:15.320 --> 00:10:17.919 two redirect after a post up when technically a three 215 00:10:18.000 --> 00:10:20.519 oh three sec other might be more correct according to 216 00:10:20.519 --> 00:10:23.600 the HDDC spec minor but details count now. 217 00:10:23.679 --> 00:10:26.919 Security headers these sound important. Server tells a browser to 218 00:10:26.919 --> 00:10:27.360 be more. 219 00:10:27.200 --> 00:10:31.519 Secure exactly and often underutilized hsts. Strict transport security is 220 00:10:31.519 --> 00:10:33.440 a big one. After the first visit, it tells the 221 00:10:33.480 --> 00:10:36.159 browser only connect via HTTPS from now on for a 222 00:10:36.200 --> 00:10:38.919 set period. Max age prevents a text that try to 223 00:10:38.960 --> 00:10:40.799 downgrade you to HTTP, but. 224 00:10:40.799 --> 00:10:44.480 It only works after that first successful HTTPS connection. Right, 225 00:10:44.759 --> 00:10:47.120 you still need the initial redirect from HTTP. 226 00:10:47.320 --> 00:10:51.759 Correct, You still need that HGTPS redirect handled properly first. 227 00:10:52.159 --> 00:10:56.919 Then there's CSP Content Security policy, hugely powerful against EXSS. 228 00:10:57.080 --> 00:10:58.240 How does CSP work. 229 00:10:58.399 --> 00:11:01.320 It's a header listing exactly where the browser is allowed 230 00:11:01.320 --> 00:11:05.559 to load resources from scripts, styles, images, fonts. You can 231 00:11:05.600 --> 00:11:09.320 say self only my own domain, lists specific other domains, 232 00:11:09.399 --> 00:11:10.919 or use nonzs. 233 00:11:10.679 --> 00:11:13.559 Nanzs like a one time code for scripts sort of. 234 00:11:13.759 --> 00:11:17.559 You put a unique random value to actionizez one two 235 00:11:17.600 --> 00:11:19.799 three in the CSB header and also as an attribute 236 00:11:19.799 --> 00:11:22.840 on your legitimate script tags. The browser only runs scripts 237 00:11:22.879 --> 00:11:25.720 that have a matching NONCE blocks injected scripts without the. 238 00:11:25.759 --> 00:11:29.000 Nons clever, But the source mentioned managing conflicts CSPs can 239 00:11:29.080 --> 00:11:29.480 be tricky. 240 00:11:29.679 --> 00:11:32.120 It can be, yeah, especially with lots of third party 241 00:11:32.159 --> 00:11:35.519 scripts or inline styles other key headers. X frame option 242 00:11:35.559 --> 00:11:38.759 stops clickjacking, preventing others from loading your site in an iframe. 243 00:11:39.120 --> 00:11:42.240 X content type option stops browsers from guessing file types 244 00:11:42.519 --> 00:11:44.759 mime sniffing, which can lead to security issues. 245 00:11:45.000 --> 00:11:48.519 Okay, last bit for this section. Storing data between requests. 246 00:11:49.320 --> 00:11:51.320 The web's stateless, so we use things. 247 00:11:51.080 --> 00:11:54.919 Like cookies, hidden fields, and forms each MEL five local 248 00:11:55.000 --> 00:11:56.799 storage and session storage. 249 00:11:56.960 --> 00:12:01.960 Cookies in hidden fields are client side visible, tamparable, risky 250 00:12:02.000 --> 00:12:04.720 for sensitive stuff. You can sign cookies for integrity though. 251 00:12:05.000 --> 00:12:07.399 Right, but here's a major warning from the source about 252 00:12:07.679 --> 00:12:10.320 ASP dot net core's default session storage. 253 00:12:10.440 --> 00:12:11.600 This is really important. 254 00:12:11.720 --> 00:12:12.960 Uh oh, what's the issue? 255 00:12:13.000 --> 00:12:16.679 By default, it's tied to the browser session, not necessarily 256 00:12:16.720 --> 00:12:18.399 the authenticated user session. 257 00:12:18.480 --> 00:12:19.759 What's the difference? Why is that bad? 258 00:12:20.039 --> 00:12:22.000 It means the session cookie might hang around on the 259 00:12:22.000 --> 00:12:25.480 browser even after the user logs out. If someone else 260 00:12:25.519 --> 00:12:28.000 sits down at that same computer and uses the same 261 00:12:28.039 --> 00:12:31.519 browser instance before the browser is fully closed, they might 262 00:12:31.559 --> 00:12:34.759 potentially pick up the previous user's session data because the 263 00:12:34.799 --> 00:12:36.960 cookie is still there and valid for the browser. 264 00:12:37.039 --> 00:12:41.279 WHOA seriously, so logging out doesn't reliably kill the session 265 00:12:41.360 --> 00:12:43.320 data access if the browser stays. 266 00:12:43.080 --> 00:12:47.320 Open in the default configuration. Potentially yes. The source is 267 00:12:47.360 --> 00:12:51.320 extremely clear on this. Do not store sensitive data in 268 00:12:51.440 --> 00:12:55.360 ASP dot net core session state period, use other mechanisms 269 00:12:55.399 --> 00:12:57.440 tied properly to user authentication state. 270 00:12:57.519 --> 00:13:01.120 Okay, that is a massive gotcha. Yeah, message received, loud 271 00:13:01.279 --> 00:13:03.919 and clear. Avoid session for sensitive stuff. 272 00:13:04.120 --> 00:13:06.840 It's a common pattern from older frameworks, but you need 273 00:13:06.879 --> 00:13:09.480 to be aware of this default behavior in ASP don. 274 00:13:09.399 --> 00:13:12.279 Netcre All right, let's shift gears to common attacks. The 275 00:13:12.399 --> 00:13:16.000 vulnerability buffet, as the source calls it. Knowing the enemy 276 00:13:16.039 --> 00:13:20.759 helps us defend. First, the classic injection attacks a wass A. 277 00:13:20.840 --> 00:13:23.960 One, and the king of injection is seql injection. This 278 00:13:24.080 --> 00:13:27.759 happens when user input gets improperly mixed into database queries, like. 279 00:13:27.679 --> 00:13:30.200 Building a sequel string by just sticking user input directly 280 00:13:30.240 --> 00:13:32.759 in select from users where name plus user name. 281 00:13:32.600 --> 00:13:34.879 From the input plus exactly if the attacker puts in 282 00:13:34.960 --> 00:13:37.360 something like or one one, the query becomes selectrom users 283 00:13:37.360 --> 00:13:39.679 whre name or one one, and suddenly the database returns 284 00:13:39.679 --> 00:13:41.080 all users because one one. 285 00:13:40.960 --> 00:13:41.879 Is always true. 286 00:13:42.120 --> 00:13:45.799 The source mentions variations union based to grab data from 287 00:13:45.879 --> 00:13:49.080 other tables, air based, where you use database error messages 288 00:13:49.120 --> 00:13:52.120 to figure out the table structure. There's even a screenshot 289 00:13:52.159 --> 00:13:57.159 example of an error revealing info, and blind techniques where 290 00:13:57.159 --> 00:13:59.360 you infer data slowly bit by bit. 291 00:13:59.720 --> 00:14:03.600 The frorst case is something like xbcmdshell running commands on 292 00:14:03.639 --> 00:14:04.480 the server itself. 293 00:14:04.639 --> 00:14:08.279 Oh yeah, if the database account has way too many permissions, 294 00:14:08.440 --> 00:14:11.679 SQL injection can lead to complete server compromise, So the 295 00:14:11.720 --> 00:14:16.879 defense parameterized queries always. Instead of mashing strings together, you 296 00:14:17.000 --> 00:14:20.679 use placeholders in your sequel like at username, and provide 297 00:14:20.679 --> 00:14:23.720 the user input separately as a parameter. The database driver 298 00:14:23.759 --> 00:14:27.320 handles it safely, treating it purely as data, not executable. 299 00:14:27.360 --> 00:14:30.720 Code and Entity Framework uses these by default. 300 00:14:30.320 --> 00:14:34.039 Mostly yes, for standard link queries and things like save changes. 301 00:14:34.120 --> 00:14:37.960 EF uses parameterized queries, which is great, but there's a buttter. 302 00:14:38.519 --> 00:14:41.000 The source points out what it calls a boneheaded bug, 303 00:14:41.120 --> 00:14:44.159 or at least a risky default feature. Asp net core 304 00:14:44.200 --> 00:14:47.879 apps built with EF migrations might by default prompt you 305 00:14:47.960 --> 00:14:51.159 in production to apply database schema updates. If the code 306 00:14:51.240 --> 00:14:51.919 model changes. 307 00:14:52.279 --> 00:14:55.399 Wait, let the web application change the data base schema 308 00:14:55.440 --> 00:14:56.360 in production. 309 00:14:56.200 --> 00:14:59.440 Exactly the database user account for a running web app. 310 00:14:59.440 --> 00:15:02.720 Should app not have permissions to al your tables or schemas. 311 00:15:03.039 --> 00:15:06.519 That needs strict control through separate deployment processes. It's a 312 00:15:06.600 --> 00:15:07.559 dangerous default. 313 00:15:07.679 --> 00:15:14.519 Yikes. Okay noted Moving on cross site scripting xssas a 314 00:15:14.679 --> 00:15:17.399 seven different target here right, not the. 315 00:15:17.360 --> 00:15:21.240 Database, right, EXSS targets the user's browser. The goal is 316 00:15:21.240 --> 00:15:24.000 to inject malicious JavaScript code that runs in the context 317 00:15:24.039 --> 00:15:26.679 of your website but in another user's browser session. 318 00:15:26.720 --> 00:15:29.279 How by getting script tags into places where user content 319 00:15:29.399 --> 00:15:31.320 is displayed, like comment sections. 320 00:15:31.480 --> 00:15:35.039 That's the classic way, inject script telored EXSS script into 321 00:15:35.039 --> 00:15:37.960 a comment and anyone viewing that comment runs the script. 322 00:15:38.240 --> 00:15:41.440 Attackers get clever though, using case variations like script to 323 00:15:41.519 --> 00:15:44.120 t encoding the script to bypass simple filters. 324 00:15:44.360 --> 00:15:46.960 The source showed an I frame example within coded script 325 00:15:47.000 --> 00:15:50.399 and injecting into HTML attributes like on mouseover. 326 00:15:50.240 --> 00:15:51.240 Yeah, on mousover dot. 327 00:15:51.279 --> 00:15:55.240 Malicious code is a common one or hijacking existing JavaScript 328 00:15:55.279 --> 00:15:58.360 on the page that might process user input insecurely. Some 329 00:15:58.519 --> 00:16:00.799 older vectors are blocked by modern browsers. 330 00:16:00.799 --> 00:16:04.080 Now thankfully, what Was that about value shadowing in older 331 00:16:04.080 --> 00:16:05.000 ASP dot Net? 332 00:16:05.200 --> 00:16:08.840 Ah? Yeah, in older versions, if you had say doc 333 00:16:08.879 --> 00:16:11.240 evil in the URL and also a form field named Q, 334 00:16:11.759 --> 00:16:15.000 the framework might prioritize the URL value made it easier 335 00:16:15.039 --> 00:16:18.240 for attackers to inject scripts via the URL reflected EXSS. 336 00:16:18.360 --> 00:16:21.360 Okay, so defense against XSS. How do we display user 337 00:16:21.399 --> 00:16:22.240 content safely? 338 00:16:22.399 --> 00:16:22.919 In code? 339 00:16:22.960 --> 00:16:25.720 And code and code? Before you render any user supplied 340 00:16:25.720 --> 00:16:29.159 content as HTML, you must encode special characters becomes an 341 00:16:29.279 --> 00:16:32.240 ltcode becomes NGDA, quotes become a ket quote, et cetera. 342 00:16:32.360 --> 00:16:34.519 So the browser just shows the characters, it doesn't interpret 343 00:16:34.519 --> 00:16:35.600 them as code exactly. 344 00:16:35.919 --> 00:16:39.120 The source contrasts at HTML raw, which is dangerous because 345 00:16:39.120 --> 00:16:41.600 it skips encoding with safe methods like system, dot net, 346 00:16:41.639 --> 00:16:45.159 dot web, Utility, dot HTML encode using CSP headers with 347 00:16:45.240 --> 00:16:47.080 nonsas as we discussed, is another. 348 00:16:46.840 --> 00:16:50.080 Strong layer right layers of defense. CSP helps limit what 349 00:16:50.120 --> 00:16:53.480 scripts can run. Encoding stops injection into the HTML structure. 350 00:16:53.639 --> 00:16:57.279 And a brief mention of malvertizing malicious ads delivering scripts. 351 00:16:57.679 --> 00:16:59.600 That's a related risk from third parties. 352 00:17:00.080 --> 00:17:05.240 Okay, next attack, cross site request forgery CSRF. This one 353 00:17:05.319 --> 00:17:06.000 sounds sneaky. 354 00:17:06.119 --> 00:17:09.880 It is CSRF forces a logged in user to unknowingly 355 00:17:09.880 --> 00:17:13.400 submit a malicious request to a website they're authenticated with. 356 00:17:13.799 --> 00:17:14.519 How does that work? 357 00:17:14.839 --> 00:17:17.839 Imagine you're logged into your bank and attacker crafts a 358 00:17:17.880 --> 00:17:20.759 link or a hidden form on say an evil website. 359 00:17:20.920 --> 00:17:23.680 Maybe it's coded to transfer money. If you click that 360 00:17:23.759 --> 00:17:26.119 link or even just load the page with the hidden form, 361 00:17:26.359 --> 00:17:30.680 your browser helpfully includes your bank authentication cookies with the request, So. 362 00:17:30.720 --> 00:17:33.319 The bank thinks you willingly said the transfer request, yeah, 363 00:17:33.400 --> 00:17:34.559 because the cookies are valid. 364 00:17:34.799 --> 00:17:38.880 Exactly, the attacker leverages your authenticated session. The source shows 365 00:17:38.880 --> 00:17:41.960 examples using simple image tags or auto submitting forms. 366 00:17:42.039 --> 00:17:43.440 Nasty. How do we stop that? 367 00:17:43.599 --> 00:17:47.119 The standard defense is anti CSRF tokens. Asp dot core 368 00:17:47.160 --> 00:17:50.480 has built in support with the validate anti forgery token attribute, 369 00:17:50.519 --> 00:17:53.559 and they at html dot Anti forgery Token Helper. 370 00:17:53.599 --> 00:17:54.640 How do those tokens work? 371 00:17:54.880 --> 00:17:57.599 When the server renders a form, it generates a unique, 372 00:17:57.799 --> 00:18:01.200 unpredictable token. It put it's this token in a hidden 373 00:18:01.200 --> 00:18:03.799 field in the form and usually in a cookie. When 374 00:18:03.839 --> 00:18:06.359 the form is submitted back, the server checks that the 375 00:18:06.359 --> 00:18:09.640 token from the form matches the token from the cookie, and. 376 00:18:09.599 --> 00:18:12.079 An attacker on another site can't read the cookie from 377 00:18:12.079 --> 00:18:14.759 my bank site, so they can't forge their request with 378 00:18:14.759 --> 00:18:15.440 the right token. 379 00:18:15.640 --> 00:18:19.279 Precisely the same origin policy prevents them reading the cookie. 380 00:18:19.400 --> 00:18:23.799 However, another however, what's the catch with the default ASP 381 00:18:23.920 --> 00:18:24.960 dot net implementation? 382 00:18:25.319 --> 00:18:28.559 The source points out a potential weakness. While the default 383 00:18:28.599 --> 00:18:32.519 tokens stop trivial CSRF, they are often reusable for the 384 00:18:32.519 --> 00:18:34.880 same user session and can remain valid. 385 00:18:34.559 --> 00:18:37.559 For a while reusable, so if an attacker somehow steals 386 00:18:37.559 --> 00:18:38.319 a valid token. 387 00:18:38.559 --> 00:18:41.440 The source describes the scenario where a token captured from 388 00:18:41.480 --> 00:18:45.240 a user's legitimate request could potentially be replayed later in 389 00:18:45.279 --> 00:18:48.759 a malicious request from that same user's browser context, maybe 390 00:18:48.799 --> 00:18:51.680 via XSS, or if the user revisits a malicious site 391 00:18:51.680 --> 00:18:55.240 while still logged in. The default token isn't strictly single 392 00:18:55.359 --> 00:18:58.160 use or tied tightly enough to expire immediately when it 393 00:18:58.200 --> 00:18:58.880 perhaps should. 394 00:18:59.000 --> 00:19:02.160 Wow. Okay, so better than nothing, but not perfect out 395 00:19:02.160 --> 00:19:02.640 of the box. 396 00:19:03.079 --> 00:19:04.400 Needs tightening, seems so. 397 00:19:05.240 --> 00:19:08.960 The fix involves custom code using IANTI forgery, additional data 398 00:19:08.960 --> 00:19:13.240 provider or cookie authentication events to make tokens more strictly 399 00:19:13.319 --> 00:19:17.440 session bound or truly single use. Katcchase can also help 400 00:19:17.480 --> 00:19:19.920 against automated CSRF attemps. 401 00:19:19.559 --> 00:19:22.039