WebApp Sec mailing list archives

Black Hat class: Advanced Asp.Net Exploits and Countermeasures


From: Dinis Cruz <dinis () ddplus net>
Date: Tue, 09 May 2006 00:59:54 +0100

<Shameless Plug>

For the ones that are going to the next Black Hat in Vegas, I am delivering a two day course based on my .Net research which some of you might want to attend (or recommend to somebody).

You can read the relevant details at the end of this email or directly on http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-io-net.html.

Dinis Cruz
Owasp .Net Project
www.owasp.net <http://www.owasp.net>

Title: Advanced Asp.Net Exploits and Countermeasures

Overview:

In this 2 day course you will push Asp.Net to the limit and will be
shown how Asp .NET applications and environments can be exploited by
skilled attackers. Advanced exploitation techniques will be presented
together with low-level technical analysis of the .Net Framework. You
will also learn advanced defense techniques such as: Building an Asp
.NET Security Protection layer (also called a Web Application Firewall)
and Real time patching of vulnerabilities in the target application, the
.Net Framework or the CLR.

Structure:

The Course is made of 4 modules (2 per day, one in the morning and one
in the afternoon)

Module 1: Security principles and .NET Framework Architecture

Module 2: Guerrilla Threat Modeling and Exploiting Asp.Net Applications
-    Using quick-and-dirty threat models to discover vulnerabilities in
the target application
-    Exploiting vulnerabilities in Asp.Net applications: Data
Validation, Authorization, Authentication, SessionState, XSS, Cookies,
AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
-    Exploiting Buffer Overflows and Windows vulnerabilities via Asp.Net
Applications

Module 3: Exploiting Full Trust and Partial Trust Asp.Net Environments
-    Practical demonstrations of the power of Full Trust Asp.Net:
Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection,
IIS Metabase, Shellcode injection, Launching internal attacks to
compromise the server and the data center
-    Full Trust non-verification and Type Safety attacks (via MSIL
manipulation)
-    Exploiting Insecure Partial Trust Asp.Net Environments

Module 4: Advanced Asp.Net Countermeasures
-    Applying real-time security patches in the target application, .Net
Framework and CLR
-    Solutions to create secure Data Validation and Authorization
architectures
-    Creating secure Asp.Net hosting environments
-    Building an Asp.Net Security Protection layer (also called web
Application Firewall)
-    Using Mono

You will walk away from this class with a much better understanding of
some of the weaknesses of .NET applications, particularly the internals
of the .NET framework. You will also get the chance to put your skills
to the test against a target application over the course of the class.

Requirements:

A laptop with VMWare Player pre-installed. A VMWare image containing all
necessary lab tools will be provided.


Prerequisites:

This is an advanced course targeted at industry professionals who want
to understand the weaknesses and the power of the .Net Framework.

To get the most out of this course and to be able to do the extensive
practice material provided (using a VMWare image), the participants must:

-    Have a good understanding of a .NET Language (Ideally C#)
-    Be familiar with MSIL/Assembly
-    Have some experience with debugging user-land applications
-    Have commercial experience on either application development or
security auditing.

The material is presented at a pace adjusted for experienced developers
and/or security consultants.


Trainer:

Dinis Cruz is a Senior IOActive Security Consultant based in London (UK)
and specialized in: ASP.NET Application Security, Active Directory
deployments, Application Security audits and .NET Security Curriculum
Development.

Since the 1.1 release of the .Net Framework, Dinis has been one of the
strongest proponents of the need to write .Net applications that can be
executed in secure Partially Trusted .Net environments, and has done
extensive research on: Rooting the CLR, exposing the dangers of Full
Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e.
non verifiable) code, creating .Net Security Protection Layers and using
Reflection to dynamically manipulate .Net Client applications.

Dinis is also the current Owasp .Net Project leader and the main
developer of several of OWASP .Net tools (SAM'SHE, ANBS, SiteGenerator,
PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).



</Shameless Plug>

