DNN Community Blog



OpenForce07 Tuesday Afternoon: DNN Development Security

Cathal Connolly's session is covering the basic security aspects of DNN and how you can utilize these functions within your own modules. Here we go:

Is DNN secure? Recent issues were fixed in 4.7.0. Cathal will be blogging about the recent issues and making note of them in Gemini over the next few days.

DNN can only be as secure as the code itself and the modules installed. Third-party modules can be culprits of security issues; check with your third-party providers.

Top security issues

  • IIS patches not applied
  • Running default, anonymous FTP, passwords that haven't been changed
  • Third Party Components
  • DNN code issues

Security issues are all posted on the DNN security page. Full details aren't listed, so as not to expose how to exploit them, but there is enough information to allow an administrator to understand whether the issue may affect them or not.

Many eyes theory doesn't work well in practice. Some companies will pay other providers to conduct security audits, and provide results back to the core team.

Web application security: Web Cohort report that 92% of web applications suffer from 1 or more vulnerabilities, which fall into the common groupings of

  • Cross-site scripting
  • SQL Injection
  • Parameter tampering
  • Cookie poisoning
  • Database server
  • Web Server
  • Buffer Overflow

http://www.imperva.com/company/news/2004-feb02.html

Types of user input: querystring, form collection, cookies, sessions, server variables, viewstate

Framework protection

  • Cookies - the authentication cookie is encrypted. The 4.3.5 release separates out temporary and persistent cookie timeouts.
  • Sessions - aren't used within the core framework.
  • Server variables - InputFilter.NoMarkup is used where they are referenced.
  • Viewstate - uses SHA1 to ensure viewstate cannot be tampered with, and 3DES encryption to stop viewing.

Filtering user input

  • Multiline - is really not a security function, replaces CRLF with <br /> tags
  • NoMarkup - replaces HTML markup with html encoding equivalent
  • NoScripting - searches for and strips any suspect HTML from strings.
  • NoSQL - calls a function that searches the string and strips out anything that might be a SQL injection attack

Cross-site scripting

Relies on un-sanitized user input. Malicious script is sent to the app, eventually echoed back to the user's browser, and executes there.

Commonly used to gain access to a user's cookie, or for JavaScript redirects for phishing.

SQL Injection

SQL is injected in the hope that it will be run when added to a database, dropping tables, data, etc.

Filtering User Input Demo

SQL injection demo: deleted comments from a quick shoutbox demo
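The shoutbox failure described above, and the output-encoding idea behind NoMarkup, as an added example that is not Cathal's demo code or DNN code. It is written in Python with sqlite3 standing in for the DNN database; the table, function names and sample input are all constructed for illustration.

```python
import html
import sqlite3

def new_db():
    """In-memory shoutbox with three constructed sample comments."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shouts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany("INSERT INTO shouts (author, body) VALUES (?, ?)",
                   [("alice", "hello"), ("bob", "hi all"), ("carol", "nice session")])
    return db

def delete_shout_vulnerable(db, author, shout_id):
    # Before: user input is concatenated into the statement, so the
    # value of shout_id becomes part of the SQL grammar.
    sql = "DELETE FROM shouts WHERE author = '%s' AND id = %s" % (author, shout_id)
    return db.execute(sql).rowcount

def delete_shout_safe(db, author, shout_id):
    # After: values are bound as parameters and never parsed as SQL.
    # Rejecting non-numeric ids is an extra allow-list check.
    if not str(shout_id).isdecimal():
        return 0
    cur = db.execute("DELETE FROM shouts WHERE author = ? AND id = ?",
                     (author, int(shout_id)))
    return cur.rowcount

def render_shout(author, body):
    # Output encoding, the same idea as the NoMarkup filter: markup in
    # stored text is shown as text instead of being interpreted.
    return "<li><b>%s</b>: %s</li>" % (html.escape(author), html.escape(body))

def count(db):
    return db.execute("SELECT COUNT(*) FROM shouts").fetchone()[0]

# Constructed input: the id field of alice's "delete my shout" request.
TAMPERED_ID = "1 OR 1=1"

if __name__ == "__main__":
    db = new_db()
    removed = delete_shout_vulnerable(db, "alice", TAMPERED_ID)
    print("concatenated query removed", removed, "rows;", count(db), "left")
    db = new_db()
    removed = delete_shout_safe(db, "alice", TAMPERED_ID)
    print("parameterized query removed", removed, "rows;", count(db), "left")
    print(render_shout("bob", "<script>alert(1)</script>"))
```
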

Starter Kit Module Demo

It looks like my battery is about to die so that is all for Cathal's presentation.

My opinion, Cathal is a great speaker, very entertaining for a 6'3" 45 year old blonde female.

 

Sorry for getting this posted so late. After we left the conference center we headed to dinner and out on the strip. Now I need to do some tweaks on my presentation for tomorrow morning! Another late night in Vegas.
