Secure Coding mailing list archives

Black Hat class: Advanced Asp.Net Exploits and Countermeasures


From: dinis at ddplus.net (Dinis Cruz)
Date: Wed, 10 May 2006 23:23:48 +0100

<Shameless Plug (with permission from SC-L moderator :)>

For the ones that are going to the next Black Hat in Vegas, I am 
delivering a two day course based on my .Net research which some of you 
might want to attend (or recommend to somebody).

You can read the relevant details at the end of this email or directly 
on http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-io-net.html.

Dinis Cruz
Owasp .Net Project
www.owasp.net




Title: Advanced Asp.Net Exploits and Countermeasures

Overview:

In this 2 day course you will push Asp.Net to the limit and will be 
shown how Asp.Net applications and environments can be exploited by
skilled attackers. Advanced exploitation techniques will be presented 
together with low-level technical analysis of the .Net Framework. You
will also learn advanced defense techniques such as: Building an Asp.Net 
Security Protection layer (also called a Web Application Firewall)
and Real time patching of vulnerabilities in the target application, the 
.Net Framework or the CLR.

Structure:

The Course is made of 4 modules (2 per day, one in the morning and one 
in the afternoon)

Module 1: Security principles and .NET Framework Architecture

Module 2: Guerrilla Threat Modeling and Exploiting Asp.Net Applications

    * Using quick-and-dirty threat models to discover vulnerabilities 
in the target application
    * Exploiting vulnerabilities in Asp.Net applications: Data 
Validation, Authorization, Authentication, SessionState, XSS, Cookies, 
AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
    * Exploiting Buffer Overflows and Windows vulnerabilities via 
Asp.Net Applications


Module 3: Exploiting Full Trust and Partial Trust Asp.Net Environments

    * Practical demonstrations of the power of Full Trust Asp.Net: 
Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, 
IIS Metabase, Shellcode injection, Launching internal attacks to 
compromise the server and the data center
    * Full Trust non-verification and Type Safety attacks (via MSIL 
manipulation)
    * Exploiting Insecure Partial Trust Asp.Net Environments

Module 4: Advanced Asp.Net Countermeasures

    * Applying real-time security patches in the target application, 
.Net Framework and CLR
    * Solutions to create secure Data Validation and Authorization 
architectures
    * Creating secure Asp.Net hosting environments
    * Building an Asp.Net Security Protection layer (also called a Web 
Application Firewall)
    * Using Mono

You will walk away from this class with a much better understanding of 
some of the weaknesses of .NET applications, particularly the internals 
of the .NET framework. You will also get the chance to put your skills 
to the test against a target application over the course of the class.

Requirements:

A laptop with VMWare Player pre-installed. A VMWare image containing all 
necessary lab tools will be provided.

Prerequisites:

This is an advanced course targeted at industry professionals who want 
to understand the weaknesses and the power of the .Net Framework.

To get the most out of this course and to be able to do the extensive 
practice material provided (using a VMWare image), the participants must:

    * Have a good understanding of a .NET Language (Ideally C#)
    * Be familiar with MSIL/Assembly
    * Have some experience with debugging user-land applications
    * Have commercial experience in either application development or 
security auditing.

The material is presented at a pace adjusted for experienced developers 
and/or security consultants.


Trainer:

Dinis Cruz is a Senior IOActive Security Consultant based in London (UK) 
and specialized in: ASP.NET Application Security, Active Directory 
deployments, Application Security audits and .NET Security Curriculum 
Development.

Since the 1.1 release of the .Net Framework, Dinis has been one of the 
strongest proponents of the need to write .Net applications that can be 
executed in secure Partially Trusted .Net environments, and has done 
extensive research on: Rooting the CLR, exposing the dangers of Full 
Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. 
non verifiable) code, creating .Net Security Protection Layers and using 
Reflection to dynamically manipulate .Net Client applications.

Dinis is also the current Owasp .Net Project leader and the main 
developer of several of OWASP .Net tools (SAM'SHE, ANBS, SiteGenerator, 
PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).


</Shameless Plug>





