SlideShare a Scribd company logo

C# Security Testing and Debugging

Download as PPTX, PDF
Rich Helton
Rich Helton

This document discusses various tools and techniques for security testing and debugging web applications developed in C#. It provides information on static analysis tools like FxCop and CAT.NET that can analyze source code. It also covers automated testing tools like NUnit, HTMLUnit, and Selenium that can test web applications without using a real browser. The document demonstrates how to integrate these tools into testing workflows and addresses related topics like logging, exception handling, and custom error pages.

Technology
1 of 40
Security Testing/Debugging From Rich Helton’s October 2010 C# Web Security
Security Testing -FXCop -CAT.NET -Nunit -HTMLUnit -Seleniumin
White Box Testing  White-Box testing is testing the system based on the internal perspective of the system.  In this case, this is also known as Static Analysis.  These tools can find issues with the source code before the code is actually executed.  A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_anal ysis
CAT.NET (A plugin that can be added from the Windows SDK)  CAT.NET can be used with Visual Studio to analyze the current solution, here is a Visual Studio 2008 popup after selecting Tools- >CAT.NET Analysis Tool from the menu:
CAT.NET (After pushing the Excel report button)
FXCop  CAT.NET rules can can be run in FXCop instead of Visual Studio.  FXCop examines the assemblies and object code and not the source. It can be downloaded as part of the Windows SDK.
NUNIT  White-Box testing is testing the system based on the internal perspective of the system.  See www.nunit.org  These tools can find issues with the source code before the code is actually executed.  A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_anal ysis
NUNIT
Headless Browser  Headless Browser Automation  Can replicate a real world browser.  Can automate the test.  Provides low-level control over the HTML and HTTP.  Reference http://blog.stevensanderson.com/2010/03/30/using- htmlunit-on-net-for-headless-browser-automation/
HTMLUnit steps  Download HTMLUnit http://sourceforge.net/projects/htmlunit/  Download IKVM http://sourceforge.net/projects/ikvm/files/  Create the HTMLUnit DLL:  Run “ikvmc –out:htmlunit-2.7.dll *.jar”  Include the htmlunit, IKVM.OpenJDK, and nunit dll’s in the external assemblies.  Can automate the test.  Provides low-level control over the HTML and HTTP.  Reference http://blog.stevensanderson.com/2010/03/30/using- htmlunit-on-net-for-headless-browser-automation/
What about the HTML?  HTTPUnit is great for HTTP Requests and Responses, but what if I want to parse the HTML code directly from the Web Server and examine the HTML before doing any work.  HTMLUnit allows a “getPage()” routine to examine the HTML source code.  This allows the walking through of “HREF”, images, and others pieces of the HTML code before executing on the item.  Selenium IDE is another Open Source concept that is a Integrated Development Environment running on top of the FireFox browser as a plugin.  This allows a recording of the browser actions that can be played back execute buttons being pushed and actions inside the browser.  Assertions can be executed on the HTML pages itself for checking specific information.  The test itself can be exported into Junit Java code to execute in Java.
HtmlUnit on C#
HtmlUnit on C# (Nunit Test) (Under Construction page)
HtmlUnit on C# (Nunit Test) (Page not found)
Selenium IDE  Selenium IDE is another Open Source concept that is a Integrated Development Environment running on top of the FireFox browser as a plugin.  Supports load testing.  This allows a recording of the browser actions that can be played back execute buttons being pushed and actions inside the browser.  Assertions can be executed on the HTML pages itself for checking specific information.  The test itself can be exported into Java, .NET, Perl, Ruby, etc, and then code to execute the tests in that language.
Selenium IDE Test
Does the framework matter?  JWebUnit wraps both HTMLUnit and Selenium so that code can be written for either framework using a unified framwork.  This way code can once in a single framework and executed using multiple HTML frameworks. http://jwebunit.sourceforge.net/
Security Debugging -Logging -Exceptions -Log4Net -NLog -Error Pages
Has my system been compromised?  Logging and Error handling is one of the most important concept in Security.  When an incident happens, the first questions are always “How did they get in?” and “What data was compromised?”.  The least favorite answer is usually “No one knows.”  With efficient logging of authorization, access to secure information, and any anomalous interaction with the system, a proper recovery of the system is usually insured.  The logs should be store into a different system in case the Web system is ever compromised, one where the Web system sends them but never asks for them back.  Logging is a fundamental API that comes with the Java and .NET languages.
Logging the C# way…. using System; using System.Diagnostics; class EventLogExample { static void Main(string[] args) { string sSource = "my warning message"; string sLog = "Application"; string sEvent = "Sample Event"; if (!EventLog.SourceExists(sSource)) EventLog.CreateEventSource(sSource, sLog); EventLog.WriteEntry(sSource, sEvent); EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234); } }
The C# Logger output….
Exception Handling  Exception handling has helped debugging immensely. It allows a programmer to code for anomalies and handle a bizarre behavior.  There are 3 components of handling an exception, and they are the “try”, “catch” and “finally” blocks.  The “try” block will throw an exception from normal code, the “catch” block will catch the exception and handle it, and the “finally” block will process the cleanup afterwards.  The “catch” block can log the anomaly, stop the program, or process it in a hundred different ways.  You can write your own custom exception classes to trace specific pieces of code.
C# Exception Handling code…. class TestException{ static void Main(string[] args){ StreamReader myReader = null; try{ // constructor will throw FileNotFoundException myReader = new StreamReader("IamNotHere.txt"); }catch (FileNotFoundException e){ Console.WriteLine("FileNotFoundException was {0}", e.Message); }catch (IOException e){ Console.WriteLine("IOException was {0}" + e.Message); }finally{ if (myReader != null){ try{ myReader.Close(); }catch (IOException e){ Console.WriteLine("IOException was {0}" + e.Message);}}}}} Output-> FileNotFoundException was Could not find file ‘C:IamNotHere.txt'.
Log4net  The previous logging and exception handling example has many hard coded pieces. Log4Net offers more de-coupling by being separated as highly configurable framework.  http://logging.apache.org/log4net/  Even though the basic CLR logging framework can accept changes on destination through its Handler in the “logging.properties”, Log4Net offers more advanced features in its XML use of its Appender class.  Log4Net supports XML configuration and a text configuration in log4Net.properties.  Log4Net supports Appenders that will append the logs to databases, emails, files, etc. http://logging.apache.org/log4net/release/config-examples.html
Log4Net ASP.NET code
Log4j Console output
Adding an Appender #1  Let’s read the XML Appender from app.config.  Change the BasicConfigurator to XmlConfigurator:
Adding an Appender #2  Add app.config for "c:Loglog.txt”:
Adding an Appender Running  Reading "c:Loglog.txt”:
NLog  Nlog is similar to Log4Net. The difference is that Log4Net is a .Net version of Log4J and is a framework. NLog is a plugin to Visual Studio with templates.  http://nlog-project.org/
NLog  Adding log configuration with Visual 2010 plugin:
NLog  When debugging from VS2010, the default logging directory maps to C:Program FilesCommon FilesMicrosoft SharedDevServer10.0 .  This Nlog.config will append the logger in to a file named after the classname, i.e Webapplication1._Default.txt:
Nlog code  From the WebApplication1 Class, Default.aspx.cs code:
Nlog log file  Printing the Webapplication1._Default.txt:
Error Pages  Default Error pages may display unintentional information. For instance, some error pages may display database information in an exception.  An error page giving details, like a database or table name, may be more than enough to give an attacker enough information launch an attack at the website.  To correct bad error handling in pages, Tomcat, Struts and other Web engines will allow default configurations to throw a specific error page for any unknown exceptions. For instance, many Web Application Firewalls (WAFs) will generate a error page 500 “Internal Server Error” for blocking an attack.
Hackme Books (Bad error handling)
Send something more generic (based on business input)
Web Error pages…. Many web sites use the default error pages that show the user exceptions and even exceptions into the database. The database exceptions have a tendency to display table names and invalid SQL statements that can be used for further probing. To send all errors to a custom Error page, the web.config file for IIS: <customErrors mode="On" defaultRedirect="errors/ErrorPage.aspx"> </customErrors>
Custom Errors in ASP.NET  A good resource on the issue is http://www.codeproject.com/KB/aspnet/customerrorsinaspnet.as px  The idea is to redirect the error to a generic error.html page by the web.config configuration.
Send something more generic (based on business input)

Recommended

c#.Net Windows application
c#.Net Windows application c#.Net Windows application
c#.Net Windows application
veera
 
Intents in Android
Intents in AndroidIntents in Android
Intents in Android
ma-polimi
 
introduction computer programming languages
introduction computer programming languages introduction computer programming languages
introduction computer programming languages
BakhatAli3
 
Operating systems Overview
Operating systems OverviewOperating systems Overview
Operating systems Overview
NAILBITER
 
Software Project Proposal- Result Analysis Tool
Software Project Proposal- Result Analysis ToolSoftware Project Proposal- Result Analysis Tool
Software Project Proposal- Result Analysis Tool
Minhas Kamal
 
What is software engineering
What is software engineeringWhat is software engineering
What is software engineering
Jennifer Polack
 
What is programming what are its benefits
What is programming what are its benefits What is programming what are its benefits
What is programming what are its benefits
Vijay Singh Khatri
 
Android presentation
Android presentationAndroid presentation
Android presentation
Dipesh Shome
 

Recommended

c#.Net Windows application
c#.Net Windows application c#.Net Windows application
c#.Net Windows application
veera
 
Intents in Android
Intents in AndroidIntents in Android
Intents in Android
ma-polimi
 
introduction computer programming languages
introduction computer programming languages introduction computer programming languages
introduction computer programming languages
BakhatAli3
 
Operating systems Overview
Operating systems OverviewOperating systems Overview
Operating systems Overview
NAILBITER
 
Software Project Proposal- Result Analysis Tool
Software Project Proposal- Result Analysis ToolSoftware Project Proposal- Result Analysis Tool
Software Project Proposal- Result Analysis Tool
Minhas Kamal
 
What is software engineering
What is software engineeringWhat is software engineering
What is software engineering
Jennifer Polack
 
What is programming what are its benefits
What is programming what are its benefits What is programming what are its benefits
What is programming what are its benefits
Vijay Singh Khatri
 
Android presentation
Android presentationAndroid presentation
Android presentation
Dipesh Shome
 
Android activities & views
Android activities & viewsAndroid activities & views
Android activities & views
ma-polimi
 
Off the-shelf components (cots)
Off the-shelf components (cots)Off the-shelf components (cots)
Off the-shelf components (cots)
Himanshu
 
Component based-software-engineering
Component based-software-engineeringComponent based-software-engineering
Component based-software-engineering
Wasim Raza
 
Seminar on mobile application development with android
Seminar on mobile application development with androidSeminar on mobile application development with android
Seminar on mobile application development with android
Noor Mohammed Anik
 
System Performance and Feasibility Study
System Performance and Feasibility StudySystem Performance and Feasibility Study
System Performance and Feasibility Study
Saifur Rahman
 
Hardware vs. Software Presentations
Hardware vs. Software PresentationsHardware vs. Software Presentations
Hardware vs. Software Presentations
primeteacher32
 
Computer virus
Computer virusComputer virus
Computer virus
Walden University
 
Software engineering critical systems
Software engineering critical systemsSoftware engineering critical systems
Software engineering critical systems
Dr. Loganathan R
 
Vb.net class notes
Vb.net class notesVb.net class notes
Vb.net class notes
priyadharshini murugan
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentation
Neetu Jain
 
Os file
Os fileOs file
Os file
mominabrar
 
Sofware Team Organizations
Sofware Team OrganizationsSofware Team Organizations
Sofware Team Organizations
Deniz Kılınç
 
Ch10-Software Engineering 9
Ch10-Software Engineering 9Ch10-Software Engineering 9
Ch10-Software Engineering 9
Ian Sommerville
 
Software engineering presentation
Software engineering presentationSoftware engineering presentation
Software engineering presentation
MJ Ferdous
 
Meaning Of VB
Meaning Of VBMeaning Of VB
Meaning Of VB
Mohit Verma
 
Android application structure
Android application structureAndroid application structure
Android application structure
Alexey Ustenko
 
Android ppt
Android pptAndroid ppt
Android ppt
Sunil Kumar
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming final
Ricky Recto
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 
Android Components
Android ComponentsAndroid Components
Android Components
Aatul Palandurkar
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
Rich Helton
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
Sandeep Tol
 

More Related Content

What's hot

Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentation
Neetu Jain
 
Ch10-Software Engineering 9
Ch10-Software Engineering 9Ch10-Software Engineering 9
Ch10-Software Engineering 9
Ian Sommerville
 
Software engineering presentation
Software engineering presentationSoftware engineering presentation
Software engineering presentation
MJ Ferdous
 
Android application structure
Android application structureAndroid application structure
Android application structure
Alexey Ustenko
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
Satish b
 

What's hot (20)

Android activities & views
Android activities & viewsAndroid activities & views
Android activities & views
 
Off the-shelf components (cots)
Off the-shelf components (cots)Off the-shelf components (cots)
Off the-shelf components (cots)
 
Component based-software-engineering
Component based-software-engineeringComponent based-software-engineering
Component based-software-engineering
 
Seminar on mobile application development with android
Seminar on mobile application development with androidSeminar on mobile application development with android
Seminar on mobile application development with android
 
System Performance and Feasibility Study
System Performance and Feasibility StudySystem Performance and Feasibility Study
System Performance and Feasibility Study
 
Hardware vs. Software Presentations
Hardware vs. Software PresentationsHardware vs. Software Presentations
Hardware vs. Software Presentations
 
Computer virus
Computer virusComputer virus
Computer virus
 
Software engineering critical systems
Software engineering critical systemsSoftware engineering critical systems
Software engineering critical systems
 
Vb.net class notes
Vb.net class notesVb.net class notes
Vb.net class notes
 
Rajul computer presentation
Rajul computer presentationRajul computer presentation
Rajul computer presentation
 
Os file
Os fileOs file
Os file
 
Sofware Team Organizations
Sofware Team OrganizationsSofware Team Organizations
Sofware Team Organizations
 
Ch10-Software Engineering 9
Ch10-Software Engineering 9Ch10-Software Engineering 9
Ch10-Software Engineering 9
 
Software engineering presentation
Software engineering presentationSoftware engineering presentation
Software engineering presentation
 
Meaning Of VB
Meaning Of VBMeaning Of VB
Meaning Of VB
 
Android application structure
Android application structureAndroid application structure
Android application structure
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Fundamentals of programming final
Fundamentals of programming finalFundamentals of programming final
Fundamentals of programming final
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Android Components
Android ComponentsAndroid Components
Android Components
 

Similar to C# Security Testing and Debugging

Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
Sandeep Tol
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
UI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricksUI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricks
Tsimafei Avilin
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
WE-IT TUTORIALS
 
Innoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl WebpagesInnoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl Webpages
d0x
 
.NET TECHNOLOGIES
.NET TECHNOLOGIES.NET TECHNOLOGIES
.NET TECHNOLOGIES
Prof Ansari
 
Comparative Development Methodologies
Comparative Development MethodologiesComparative Development Methodologies
Comparative Development Methodologies
elliando dias
 

Similar to C# Security Testing and Debugging (20)

Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version English
 
Production Debugging at Code Camp Philly
Production Debugging at Code Camp PhillyProduction Debugging at Code Camp Philly
Production Debugging at Code Camp Philly
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
Siebel Open UI Debugging (Siebel Open UI Training, Part 7)
 
UI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricksUI Automation_White_CodedUI common problems and tricks
UI Automation_White_CodedUI common problems and tricks
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
Selenium Automation in Java Using HttpWatch Plug-in
Selenium Automation in Java Using HttpWatch Plug-in Selenium Automation in Java Using HttpWatch Plug-in
Selenium Automation in Java Using HttpWatch Plug-in
 
tybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notestybsc it asp.net full unit 1,2,3,4,5,6 notes
tybsc it asp.net full unit 1,2,3,4,5,6 notes
 
Innoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl WebpagesInnoplexia DevTools to Crawl Webpages
Innoplexia DevTools to Crawl Webpages
 
.NET TECHNOLOGIES
.NET TECHNOLOGIES.NET TECHNOLOGIES
.NET TECHNOLOGIES
 
PVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd CheckPVS-Studio vs Chromium. 3-rd Check
PVS-Studio vs Chromium. 3-rd Check
 
Php
PhpPhp
Php
 
Ef Poco And Unit Testing
Ef Poco And Unit TestingEf Poco And Unit Testing
Ef Poco And Unit Testing
 
Comparative Development Methodologies
Comparative Development MethodologiesComparative Development Methodologies
Comparative Development Methodologies
 
Mastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium SuccessfullyMastering Test Automation: How To Use Selenium Successfully
Mastering Test Automation: How To Use Selenium Successfully
 

More from Rich Helton

Python For Droid
Python For DroidPython For Droid
Python For Droid
Rich Helton
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
Rich Helton
 

More from Rich Helton (20)

Java for Mainframers
Java for MainframersJava for Mainframers
Java for Mainframers
 
I pad uicatalog_lesson02
I pad uicatalog_lesson02I pad uicatalog_lesson02
I pad uicatalog_lesson02
 
Mongo db rev001.
Mongo db rev001.Mongo db rev001.
Mongo db rev001.
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101
 
AspMVC4 start101
AspMVC4 start101AspMVC4 start101
AspMVC4 start101
 
Entity frameworks101
Entity frameworks101Entity frameworks101
Entity frameworks101
 
Tumbleweed intro
Tumbleweed introTumbleweed intro
Tumbleweed intro
 
Azure rev002
Azure rev002Azure rev002
Azure rev002
 
Salesforce Intro
Salesforce IntroSalesforce Intro
Salesforce Intro
 
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
LEARNING  iPAD STORYBOARDS IN OBJ-­‐C LESSON 1
 
Learning C# iPad Programming
Learning C# iPad ProgrammingLearning C# iPad Programming
Learning C# iPad Programming
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
 
NServiceBus
NServiceBusNServiceBus
NServiceBus
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Python Final
Python FinalPython Final
Python Final
 
Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4
 
Adobe Flex4
Adobe Flex4 Adobe Flex4
Adobe Flex4
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Jira Rev002
Jira Rev002Jira Rev002
Jira Rev002
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

C# Security Testing and Debugging

  • 1. Security Testing/Debugging From Rich Helton’s October 2010 C# Web Security
  • 3. White Box Testing  White-Box testing is testing the system based on the internal perspective of the system.  In this case, this is also known as Static Analysis.  These tools can find issues with the source code before the code is actually executed.  A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_anal ysis
  • 4. CAT.NET (A plugin that can be added from the Windows SDK)  CAT.NET can be used with Visual Studio to analyze the current solution, here is a Visual Studio 2008 popup after selecting Tools- >CAT.NET Analysis Tool from the menu:
  • 5. CAT.NET (After pushing the Excel report button)
  • 6. FXCop  CAT.NET rules can can be run in FXCop instead of Visual Studio.  FXCop examines the assemblies and object code and not the source. It can be downloaded as part of the Windows SDK.
  • 7. NUNIT  White-Box testing is testing the system based on the internal perspective of the system.  See www.nunit.org  These tools can find issues with the source code before the code is actually executed.  A list of tools can be found at http://en.wikipedia.org/wiki/List_of_tools_for_static_code_anal ysis
  • 9. Headless Browser  Headless Browser Automation  Can replicate a real world browser.  Can automate the test.  Provides low-level control over the HTML and HTTP.  Reference http://blog.stevensanderson.com/2010/03/30/using- htmlunit-on-net-for-headless-browser-automation/
  • 10. HTMLUnit steps  Download HTMLUnit http://sourceforge.net/projects/htmlunit/  Download IKVM http://sourceforge.net/projects/ikvm/files/  Create the HTMLUnit DLL:  Run “ikvmc –out:htmlunit-2.7.dll *.jar”  Include the htmlunit, IKVM.OpenJDK, and nunit dll’s in the external assemblies.  Can automate the test.  Provides low-level control over the HTML and HTTP.  Reference http://blog.stevensanderson.com/2010/03/30/using- htmlunit-on-net-for-headless-browser-automation/
  • 11. What about the HTML?  HTTPUnit is great for HTTP Requests and Responses, but what if I want to parse the HTML code directly from the Web Server and examine the HTML before doing any work.  HTMLUnit allows a “getPage()” routine to examine the HTML source code.  This allows the walking through of “HREF”, images, and others pieces of the HTML code before executing on the item.  Selenium IDE is another Open Source concept that is a Integrated Development Environment running on top of the FireFox browser as a plugin.  This allows a recording of the browser actions that can be played back execute buttons being pushed and actions inside the browser.  Assertions can be executed on the HTML pages itself for checking specific information.  The test itself can be exported into Junit Java code to execute in Java.
  • 13. HtmlUnit on C# (Nunit Test) (Under Construction page)
  • 14. HtmlUnit on C# (Nunit Test) (Page not found)
  • 15. Selenium IDE  Selenium IDE is another Open Source concept that is a Integrated Development Environment running on top of the FireFox browser as a plugin.  Supports load testing.  This allows a recording of the browser actions that can be played back execute buttons being pushed and actions inside the browser.  Assertions can be executed on the HTML pages itself for checking specific information.  The test itself can be exported into Java, .NET, Perl, Ruby, etc, and then code to execute the tests in that language.
  • 17. Does the framework matter?  JWebUnit wraps both HTMLUnit and Selenium so that code can be written for either framework using a unified framwork.  This way code can once in a single framework and executed using multiple HTML frameworks. http://jwebunit.sourceforge.net/
  • 19. Has my system been compromised?  Logging and Error handling is one of the most important concept in Security.  When an incident happens, the first questions are always “How did they get in?” and “What data was compromised?”.  The least favorite answer is usually “No one knows.”  With efficient logging of authorization, access to secure information, and any anomalous interaction with the system, a proper recovery of the system is usually insured.  The logs should be store into a different system in case the Web system is ever compromised, one where the Web system sends them but never asks for them back.  Logging is a fundamental API that comes with the Java and .NET languages.
  • 20. Logging the C# way…. using System; using System.Diagnostics; class EventLogExample { static void Main(string[] args) { string sSource = "my warning message"; string sLog = "Application"; string sEvent = "Sample Event"; if (!EventLog.SourceExists(sSource)) EventLog.CreateEventSource(sSource, sLog); EventLog.WriteEntry(sSource, sEvent); EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning, 234); } }
  • 21. The C# Logger output….
  • 22. Exception Handling  Exception handling has helped debugging immensely. It allows a programmer to code for anomalies and handle a bizarre behavior.  There are 3 components of handling an exception, and they are the “try”, “catch” and “finally” blocks.  The “try” block will throw an exception from normal code, the “catch” block will catch the exception and handle it, and the “finally” block will process the cleanup afterwards.  The “catch” block can log the anomaly, stop the program, or process it in a hundred different ways.  You can write your own custom exception classes to trace specific pieces of code.
  • 23. C# Exception Handling code…. class TestException{ static void Main(string[] args){ StreamReader myReader = null; try{ // constructor will throw FileNotFoundException myReader = new StreamReader("IamNotHere.txt"); }catch (FileNotFoundException e){ Console.WriteLine("FileNotFoundException was {0}", e.Message); }catch (IOException e){ Console.WriteLine("IOException was {0}" + e.Message); }finally{ if (myReader != null){ try{ myReader.Close(); }catch (IOException e){ Console.WriteLine("IOException was {0}" + e.Message);}}}}} Output-> FileNotFoundException was Could not find file ‘C:IamNotHere.txt'.
  • 24. Log4net  The previous logging and exception handling example has many hard coded pieces. Log4Net offers more de-coupling by being separated as highly configurable framework.  http://logging.apache.org/log4net/  Even though the basic CLR logging framework can accept changes on destination through its Handler in the “logging.properties”, Log4Net offers more advanced features in its XML use of its Appender class.  Log4Net supports XML configuration and a text configuration in log4Net.properties.  Log4Net supports Appenders that will append the logs to databases, emails, files, etc. http://logging.apache.org/log4net/release/config-examples.html
  • 27. Adding an Appender #1  Let’s read the XML Appender from app.config.  Change the BasicConfigurator to XmlConfigurator:
  • 28. Adding an Appender #2  Add app.config for "c:Loglog.txt”:
  • 29. Adding an Appender Running  Reading "c:Loglog.txt”:
  • 30. NLog  Nlog is similar to Log4Net. The difference is that Log4Net is a .Net version of Log4J and is a framework. NLog is a plugin to Visual Studio with templates.  http://nlog-project.org/
  • 31. NLog  Adding log configuration with Visual 2010 plugin:
  • 32. NLog  When debugging from VS2010, the default logging directory maps to C:Program FilesCommon FilesMicrosoft SharedDevServer10.0 .  This Nlog.config will append the logger in to a file named after the classname, i.e Webapplication1._Default.txt:
  • 33. Nlog code  From the WebApplication1 Class, Default.aspx.cs code:
  • 34. Nlog log file  Printing the Webapplication1._Default.txt:
  • 35. Error Pages  Default Error pages may display unintentional information. For instance, some error pages may display database information in an exception.  An error page giving details, like a database or table name, may be more than enough to give an attacker enough information launch an attack at the website.  To correct bad error handling in pages, Tomcat, Struts and other Web engines will allow default configurations to throw a specific error page for any unknown exceptions. For instance, many Web Application Firewalls (WAFs) will generate a error page 500 “Internal Server Error” for blocking an attack.
  • 37. Send something more generic (based on business input)
  • 38. Web Error pages…. Many web sites use the default error pages that show the user exceptions and even exceptions into the database. The database exceptions have a tendency to display table names and invalid SQL statements that can be used for further probing. To send all errors to a custom Error page, the web.config file for IIS: <customErrors mode="On" defaultRedirect="errors/ErrorPage.aspx"> </customErrors>
  • 39. Custom Errors in ASP.NET  A good resource on the issue is http://www.codeproject.com/KB/aspnet/customerrorsinaspnet.as px  The idea is to redirect the error to a generic error.html page by the web.config configuration.
  • 40. Send something more generic (based on business input)