Mar 17, 2009
My slides from the Source Boston conference last week have been posted for public consumption. The talk discussed some of the cool new built-in features of IIS7, like the Integrated Request Pipeline and Request Filtering. Additionally, it covered the new modular architecture of IIS7 and discussed custom modules (like SPF) and various other new add-on modules that the Microsoft IIS team has released for free.
Those of you not familiar with various extensions that the IIS team has released over the past several months should check out IIS.NET. My two favorites are the URL Rewriter for IIS7 (think mod_rewrite for IIS) and Dynamic IP Restrictions Extension, an add-on that dynamically blocks IP addresses that violate connection threshold and timing limits (great for slowing down CGI and App Scans).
Overall, the conference was great; hats off to Stacy and the crew for a job well done. They will be posting videos of the talks on the Source Conference site over the next few weeks, so it is worth keeping an eye out for them.
Dec 19, 2008
Earlier this week we presented at the OWASP NY/NJ chapter meeting on “Tamper Proofing Web Applications at Run-Time”. The talk presented some strategies and free solutions for protecting web applications from input driven attacks. The goal is to harden web applications so their non-editable inputs cannot be manipulated, which when left unchecked are a root cause of authorization bypass vulnerabilities such as parameter manipulation, forceful browsing, business logic flaws, etc. You can download the presentation slides here.
Non-editable inputs are those that end-users do not need to modify directly: hidden form fields, URIs and QueryString parameters, cookies, etc. Traditional approaches to protecting this data, black list and/or white list validation, are insufficient as they cannot normally prevent authorization flaws within the context of a user’s session.
Our talk demonstrated two freely available solutions that provide this type of protection for existing web applications without the need to modify the underlying application source code. In general, they both operate on the theory that the application should only permit users to perform those actions that the UI has rendered to them. The idea is to leverage HTTP responses at run-time to identify all legitimate requests (forms and links), collect the state of each possible request, and then validate subsequent requests against the stored state information. Specifically, we cover HDIV (HTTP Data Integrity Validator) for J2EE web applications and SPF (Secure Parameter Filter) for .NET web applications. The implementation details of each are discussed as well as related pros and cons.
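The run-time approach described above (record the requests the UI rendered, then validate each subsequent request against that stored state) can be shown end to end in a few dozen lines. The following is an added illustration written for this post, not code from SPF or HDIV: it assumes a per-user session that is a plain Python dictionary, parses a constructed HTML response to collect the links and forms it rendered, pins the non-editable parameters (query string values and hidden fields) to the values that were rendered, and leaves visible controls to ordinary input validation. The sample response and the requests checked against it are constructed for the example.

```python
"""Run-time tamper-proofing of non-editable inputs (added example, not SPF/HDIV code).

1. On each HTTP response, parse the HTML and record every request the UI rendered
   (links and forms) in the user's session: the path, the fixed (name, value)
   pairs the user is not meant to change, and the names of editable fields.
2. On the next request, allow it only if its path and its non-editable
   parameters exactly match a request recorded for that session.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class RenderedRequests(HTMLParser):
    """Collects (path, fixed_pairs, editable_names) for each link and form."""

    def __init__(self):
        super().__init__()
        self.requests = []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # A link carries no editable input: every query parameter is pinned.
            url = urlsplit(a["href"])
            self.requests.append((url.path, frozenset(parse_qsl(url.query)), frozenset()))
        elif tag == "form":
            url = urlsplit(a.get("action") or "")
            self._form = {"path": url.path, "fixed": set(parse_qsl(url.query)), "editable": set()}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            name = a.get("name")
            if not name:
                return
            if tag == "input" and a.get("type", "text").lower() == "hidden":
                # Hidden fields are non-editable: pin them to the rendered value.
                self._form["fixed"].add((name, a.get("value") or ""))
            else:
                # Visible controls are user-editable here; a fuller filter would
                # also restrict select/radio/checkbox values to the rendered options.
                self._form["editable"].add(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f = self._form
            self.requests.append((f["path"], frozenset(f["fixed"]), frozenset(f["editable"])))
            self._form = None


def record_response(session, html):
    """Parse an outgoing response and store its legitimate requests in the session."""
    parser = RenderedRequests()
    parser.feed(html)
    parser.close()
    session.setdefault("allowed", set()).update(parser.requests)
    return len(parser.requests)


def validate_request(session, path, params):
    """Return True only if (path, params) matches a request the UI rendered.

    params is a list of (name, value) pairs as submitted. Every non-editable
    pair must equal the recorded value, and no unexpected parameter may appear.
    """
    for allowed_path, fixed, editable in session.get("allowed", ()):
        if allowed_path != path:
            continue
        submitted_fixed = frozenset((k, v) for k, v in params if k not in editable)
        if submitted_fixed == fixed:
            return True
    return False


# Constructed sample response: one link and one form with a hidden field.
SAMPLE_RESPONSE = """
<a href="/account/view?id=42">My account</a>
<form action="/transfer?from=42" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="amount">
  <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    session = {}
    print("rendered requests recorded:", record_response(session, SAMPLE_RESPONSE))
    checks = [
        ("/account/view", [("id", "42")]),                                   # as rendered
        ("/account/view", [("id", "43")]),                                   # id tampered
        ("/transfer", [("from", "42"), ("csrf", "abc123"), ("amount", "10")]),  # as rendered
        ("/transfer", [("from", "99"), ("csrf", "abc123"), ("amount", "10")]),  # from tampered
        ("/admin", []),                                                      # never rendered
    ]
    for path, params in checks:
        print(path, params, "->", "allow" if validate_request(session, path, params) else "block")
```

The filter never inspects the editable `amount` field; that value is still the job of normal input validation. What it does enforce is that `from`, `id` and the hidden `csrf` value arrive exactly as the server rendered them for this session, which is the class of parameter-manipulation and forceful-browsing flaws the talk targets.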
Dec 04, 2008
The slide deck from the “Tamper Proofing Web Applications at Runtime” talk I gave last night at the OWASP Boston meeting is now available for download.
We also released version 1.0.1 of SPF earlier this week and have a public SPF demo site running .NET PetShop v4 from MSDN. More information on SPF can be found on its official page.