Presentation Demos for the IT Security Symposium
JavaScript HTML C# CSS
Latest commit 7030bf2 Jun 16, 2015 @srkirkland just add in the pub
Permalink
Failed to load latest commit information.
Backup convert! Jun 11, 2015
BadGuy overbinding like a boss Jun 15, 2015
Filler Added beginning of bank example for CSRF May 6, 2011
ITSecuritySymposium
packages
.gitignore
Data Validation in Web Applications.pdf
ITSecuritySymposium.sln
Principles of Secure Web Application Development.pdf added slide deck for principles of secure web application development Jun 15, 2011
README
UpgradeLog.htm

README

Demo stuff for the 2011 UCDavis IT Security Symposium.

http://itsecuritysymposium.ucdavis.edu/

--
CSRF:
 
* Demo the banking application
* Now to the evil side
* First we can do a get request that changes money.  This is bad, only idempotent operations should be GET.
* Change to post, now it will not work.
* Now evil bank does post example, which works.  This is of course because there is no authorization being preformed.
* Showing the above is optional really, not a CSRF attack
* Now, lock down to authorize
* For CSRF #1, get user to visit http://localhost:5416/Csrf/GetForgeryPage.  This is the GET attack example.
* For CSRF #2, get user to visit http://localhost:5416/Csrf/PostForgeryPage.  This is the POST attack.
* Solve the post attack by adding an antiforgerytoken.