RSS feed logo header graphic

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-7

Advanced Asp.Net Exploits and Countermeasures


registration button

Course Description

In this 2 day course you will push Asp.Net to the limit and will be shown how Asp .NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .Net Framework. You will also learn advanced defense techniques such as: Building an Asp .NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .Net Framework or the CLR.


The Course is made of 4 modules (2 per day, one in the morning and one in the afternoon)

Module 1: Security principles and .NET Framework Architecture

Module 2: Guerrilla Threat Modeling and Exploiting Asp.Net Applications

  • Using quick-and-dirty threat models to discover vulnerabilities in the target application
  • Exploiting vulnerabilities in Asp.Net applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
  • Exploiting Buffer Overflows and Windows vulnerabilities via Asp.Net Applications

Module 3: Exploiting Full Trust and Partial Trust Asp.Net Environments

  • Practical demonstrations of the power of Full Trust Asp.Net
  • Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
  • Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
  • Exploiting Insecure Partial Trust Asp.Net Environments

Module 4: Advanced Asp.Net Countermeasures

  • Applying real-time security patches in the target application, .Net Framework and CLR
  • Solutions to create secure Data Validation and Authorization architectures
  • Creating secure Asp.Net hosting environments
  • Building an Asp.Net Security Protection layer (also called web Application Firewall)
  • Using Mono
  • You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.


    This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

    To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

    • Have a good understanding of a .NET Language (Ideally C#)
    • Be familiar with MSIL/Assembly
    • Have some experience with debugging user-land applications
    • Have commercial experience on either application development or security auditing.

    The material is presented at a pace adjusted for experienced developers and/or security consultants.


    Dinis Cruz is a Senior IOActive Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development.

    Since the 1.1 release of the .Net Framework, Dinis has been one of the strongest proponents of the need to write .Net applications that can be executed in secure Partially Trusted .Net environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust Asp.Net Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

    Dinis is also the current Owasp .Net Project leader and the main developer of several of OWASP .Net tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

    registration button







1997-2009 Black Hat ™