  1. Attacks
    1. XSS
    2. Social Engineering right to Privacy
    3. XSRF
    4. Form Spoofing
  2. Avoidance
    1. never trust data
    2. HtmlEncoding
      1. avoid WebForms view engine
      2. use Spark or nHaml
    3. use Html.AntiforgeryToken
    4. respect user's privacy
  3. XSS Demo
    1. it's OK to use Asp.Net Membership
    2. a ton of settings
      1. hashed password format
      2. alter ApplicationName
      3. require 8 pwd chars
      4. invalid pwd attempts
      5. require some non-alpha chars
    3. change <forms path=
    4. the problem
      1. enter some JS script into textbox
      2. disable auto page validation
      3. [ValidateInput(false)]
      4. arbitrary JS could scrape cookies etc...
      5. Html.Encode - easy to forget
    5. how to allow input of Html?
    6. AntiXSS library
      1. sanitize HTML
      2. perf. benefit
    3. encodes for:
      1. JavaScript
      2. HTML
      3. XML
    4. using AntiXss lib
      1. static XssHelper
      2. HtmlEncode
      3. GetSafeHtml
        1. strips bad stuff out
    5. use Spark - encoding on by default
  4. Trickery Demo
    1. using your users against you
    2. getting a site to divulge
    3. mining personal data on the web
    4. you've been HAACKED
  5. Form spoofing Demo
    1. copy form contents
    2. alter the form post to post to (full) originating URL
    3. alter hidden field (username=admin)
    4. change the admin password
    5. ValidateAntiforgeryToken
      1. get the token from the hidden field
      2. (requires same browser)
      3. only guarantees post is coming from same user
      4. don't accept the username as a param from the form
      5. use [Authorize]
    6. Rights hijacking
      1. user could alter an IsAdmin property
      2. whitelist the properties allowed to include on UpdateModel
  6. CSRF demo
    1. the problem
      1. the Black Hats are always smarter than you
      2. see also the HaaHa show
      3. the html contains no info to uniquely identify the user
      4. the 'remember me' cookie
      5. allowing an Avatar without sanitization
      6. script injection
      7. "textarea is an XSS IDE"
      8. invisible IFrame filled with some HTML
      9. broken IMG tags are always a clue
      10. injected JS calls submit on the injected invisible form
      11. any visitor to the site who is ALSO logged into the victim site will execute the bad actions
    2. avoidance
      1. ValidateAntiForgery
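The form-spoofing and CSRF defences listed above (anti-forgery token, [Authorize], username taken from the authenticated identity rather than the form, whitelisted UpdateModel), as an added ASP.NET MVC example; this is not code from the talk. The ProfileModel type and IProfileRepository are assumed for illustration; the attributes and Membership calls are the real framework APIs.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical model: IsAdmin must never be bindable from a form post.
public class ProfileModel
{
    public string Email { get; set; }
    public string DisplayName { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical persistence interface, assumed for the example.
public interface IProfileRepository
{
    ProfileModel GetByUsername(string username);
    void Save(ProfileModel profile);
}

public class ProfileController : Controller
{
    private readonly IProfileRepository _profiles;
    public ProfileController(IProfileRepository profiles) { _profiles = profiles; }

    // The view must render <%= Html.AntiForgeryToken() %> inside the form so the
    // hidden field matches this browser's __RequestVerificationToken cookie.
    [Authorize]                 // spoofed posts from anonymous visitors are rejected
    [HttpPost]
    [ValidateAntiForgeryToken]  // token + cookie prove the post came from this user's browser
    public ActionResult Edit(FormCollection form)
    {
        // Never trust a username field: a copied form can simply send username=admin.
        var profile = _profiles.GetByUsername(User.Identity.Name);

        // Whitelist the properties UpdateModel may bind; IsAdmin stays out of reach.
        UpdateModel(profile, new[] { "Email", "DisplayName" });

        _profiles.Save(profile);
        return RedirectToAction("Index");
    }

    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        // Membership requires the current password, so a forged post cannot reset it blind.
        var user = Membership.GetUser(User.Identity.Name);
        var changed = user != null && user.ChangePassword(oldPassword, newPassword);
        return changed ? RedirectToAction("Index") : View();
    }
}
```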