C# and Web Application Security
Description
Writing .NET web applications can be rather complex - reasons range from dealing with legacy technologies or underdocumented third-party components to sharp deadlines and code maintainability. Yet, beyond all that, what if we told you that attackers were trying to break into your code right now? How likely would they be to succeed?
This course will change the way you look at your C# code. We'll teach you the common weaknesses and their consequences that can allow hackers to attack your system, and - more importantly - best practices you can apply to protect yourself. We give you a holistic view on the security aspects of the .NET framework as well as common C# programming mistakes you need to be aware of. We also cover typical Web vulnerabilities with a focus on how they affect ASP.NET web apps on the entire stack. We present the entire course through live practical exercises to keep it engaging and fun.
Writing secure code will give you a distinct edge over your competitors. It is your choice to be ahead of the pack - take a step and be a game-changer in the fight against cybercrime.
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn to use various security features of the .NET development environment
- Have a practical understanding of cryptography
- Learn about typical coding mistakes and how to avoid them
- Get sources and further readings on secure coding practices
Outline
- IT security and secure coding
- Web application security
- .NET security architecture and services
- Practical cryptography
- Common coding errors and vulnerabilities
- Principles of security and secure coding
- Knowledge sources
Course information
Preparedness
General C# and Web application development
Exercises
Hands-on
Delivery methods
Onsite / Virtual classroom
Course reviews
Related courses
Bundle deal
Now Scademy offers a special course package. The AVATAO bundle deal is a value offer, for those who wish to practice what they have learned during the course. For an extra price, you will have access to a yearly AVATAO subscription. This online platform has over 500 secure coding challenges in various coding languages. Fore more information check AVATAO's website: avatao.com
Course registration
Table of contents
- Day 1
- Day 2
- Day 3
- IT security and secure coding
- Security Introduction
- Nature of security
- What is risk?
- IT security vs. secure coding
- Nature of security
- IT security and secure coding - From vulnerabilities to botnets and cybercrime
- Nature of security flaws
- From an infected computer to targeted attacks
- Nature of security flaws
- Classification of security flaws
- Classification of security flaws
- Landwehr's taxonomy
- The Seven Pernicious Kingdoms 1/2
- The Seven Pernicious Kingdoms 2/2
- Classification of security flaws
- OWASP Top Ten 2021
- Security Introduction
- Web application security
- Broken Access Control
- Typical access control weaknesses
- Typical access control weaknesses
- Insecure direct object reference (IDOR)
- Protection against IDOR
- Exercise: Insecure direct object reference
- Insecure direct object reference 1 / 2
- Insecure direct object reference 2 / 2
- Insecure direct object reference 1 / 2
- Stealing Your Private YouTube Videos, One Frame at a Time
- Stealing Your Private YouTube Videos, One Frame at a Time 1 / 2
- Stealing Your Private YouTube Videos, One Frame at a Time 2 / 2
- Stealing Your Private YouTube Videos, One Frame at a Time 1 / 2
- Cryptographic Failures
- Sensitive data exposure
- Sensitive data exposure
- Cryptographic Failures - Transport layer security
- Transport layer security
- Transport layer security
- Transport layer security
- Injection
- Injection principles
- Injection principles
- Injection - SQL Injection
- SQL Injection
- Exercise: SQL injection
- SQL injection 1 / 2
- SQL injection 2 / 2
- SQL injection 1 / 2
- Typical SQL Injection attack methods
- Blind and time-based SQL injection
- SQL injection protection methods
- SQL Injection in Entity Framework
- Effect of data storage frameworks on SQL injection
- SQL Injection in Entity Framework
- Effect of data storage frameworks on SQL injection
- SQL Injection in Dapper
- SQL injection in Dapper
- SQL injection in Dapper
- Injection - Code Injection
- Script Injection
- Command Injection
- Script Injection
- Exercise: Command injection exercise
- Command injection exercise - Setup
- Command injection exercise - starting Netcat
- Command injection exercise - Setup
- Prevention of code injection
- Server-side Template Injection in .NET
- ASP.NET Razor templating engine
- Prevention
- ASP.NET Razor templating engine
- Log Injection
- Log injection - Log forging
- Log injection - XSS atacks
- Log injection - Command injection
- Preventing Log Injection Attacks
- Log injection - Log forging
- Injection - Cookie injection / HTTP parameter pollution
- HTTP parameter pollution in .NET Framework (legacy)
- HTTP parameter pollution in .NET Framework (legacy)
- HTTP parameter pollution in .NET 8
- Value shadowing in .NET 8
- Cross-Site Scripting (XSS)
- Cross-Site Scripting (XSS)
- Persistent XSS
- Reflected XSS
- DOM-based XSS
- Cross-Site Scripting (XSS)
- Exercise: Cross Site Scripting (XSS)
- Cross Site Scripting
- Cross Site Scripting
- Exploitation: CSS injection
- XSS prevention
- Output encoding API in C#
- Insecure deserialization
- Validation of JSON
- Validation of JSON
- Open redirects - Dangers of open redirects
- Open redirects prevention
- Insecure file uploads
- Security Misconfiguration
- Security misconfiguration
- Security misconfiguration
- Web API Configuration
- CORS configuration
- CORS configuration
- JWT Token configuration
- Rate limiting
- Broken Access Control
- Web application security
- Vulnerable and Outdated Components
- Vulnerability management
- Vulnerability attributes
- Common Vulnerability Scoring System – CVSS
- Vulnerability management
- Supply Chain Security
- Code transparency
- Best practices
- Code transparency
- Identification and Authentication Failures
- Session handling threats
- Session handling best practices
- Session handling threats
- Session fixation
- Exercise: Token forgery
- Token forgery
- Token forgery
- Token forgery
- Setting cookie attributes - best practices
- Identification and Authentication Failures - Cross Site Request Forgery (CSRF)
- Cross Site Request Forgery (CSRF)
- Login CSRF
- CSRF prevention
- Cross Site Request Forgery (CSRF)
- CSRF prevention in .NET
- Exercise: Cross Site Request Forgery (CSRF)
- Cross Site Request Forgery
- Cross Site Request Forgery
- Identification and Authentication - Recommendation
- Authentication libraries for .NET
- Application Secret Management
- Application secret management
- Application secret management
- Hosting Considerations
- Security
- Security
- Hosting considerations
- Security
- Security Logging and Monitoring Failures
- Insufficient attack protection
- Detection and response
- Logging and log analysis
- Intrusion detection systems and Web application firewalls
- Insufficient attack protection
- Vulnerable and Outdated Components
- Practical cryptography
- Cryptography Introduction
- Rule #1 of implementing cryptography
- Rule #1 of implementing cryptography
- Cryptosystems
- Elements of a cryptosystem
- FIPS 140-3
- Elements of a cryptosystem
- .NET cryptographic architecture
- How algorithms are implemented in .NET
- Symmetric-key cryptography
- Providing confidentiality with symmetric cryptography
- Symmetric encryption algorithms
- Modes of operation
- ECB - Electronic Codebook
- ECB - Electronic Codebook
- CBC - Cipher Block Chaining
- CBC - Cipher Block Chaining
- Providing confidentiality with symmetric cryptography
- CFB – Cipher Feedback
- CFB – Cipher Feedback
- OFB – Output Feedback
- OFB – Output Feedback
- CTR – Counter
- CTR – Counter
- Comparing the modes of operation
- Encrypting and decrypting (symmetric)
- Other cryptographic algorithms
- Hash or message digest
- Hash algorithms
- Hash or message digest
- SHAttered
- Defense against SHAttered attack
- Hashing
- Message Authentication Code (MAC)
- Providing integrity and authenticity with a symmetric key
- Other cryptographic algorithms - Random number generation
- Random numbers and cryptography
- Random numbers and cryptography
- Cryptographically-strong PRNGs
- Random numbers and cryptography
- Weak PRNGs in .NET
- Strong PRNGS in .NET
- Hardware-based TRNGs
- Asymmetric (public-key) cryptography
- Providing confidentiality with public-key encryption
- Public-key cryptography
- Rule of thumb – possession of private key
- Combining symmetric and asymmetric algorithms
- Signing with a private key
- Providing confidentiality with public-key encryption
- Asymmetric (public-key) cryptography - The RSA algorithm
- Introduction to RSA algorithm
- Introduction to RSA algorithm
- Encrypting with RSA
- Digital signing with RSA
- Asymmetric algorithms in .NET
- Exercise: Using .NET cryptographic classes
- Using .NET cryptographic classes
- Using .NET cryptographic classes
- Public Key Infrastructure (PKI) - Root of Trust Concept
- Root of Trust Concept
- Man-in-the-Middle (MitM) attack
- Man-in-the-Middle (MitM) attack
- Digital certificates against MitM attack
- Certificate Authorities in Public Key Infrastructure
- Digital certificates
- X.509 digital certificate
- Root of Trust Concept
- Cryptography Introduction
- Common coding errors and vulnerabilities
- Input validation
- Input validation concepts
- Input validation concepts
- Input validation - Integer problems
- Representation of negative integers
- Integer overflow
- Arithmetic overflow – guess the output!
- Representation of negative integers
- Exercise: Exercise IntOverflow
- IntOverflow
- IntOverflow
- What is the value of Math.Abs(int.MinValue)?
- What is the value of Math.Abs(int.MinValue)?
- Input validation - Integer problem – best practices
- Integer problem – best practices
- Avoiding arithmetic overflow – addition
- Avoiding arithmetic overflow – multiplication
- Detecting overflow with the *checked* keyword in C#
- Exceptions triggered by overflows in C#
- Integer problem – best practices
- Using the checked keyword in C#
- Input validation - Path traversal vulnerability
- Path traversal vulnerability
- Path traversal – weak protections
- Path traversal – best practices
- Path traversal vulnerability
- Input validation - Unvalidated redirects and forwards
- Unvalidated redirects and forwards
- Unvalidated redirects and forwards
- Input validation - Log forging
- Log forging
- Log forging
- Some other typical problems with log files
- Log forging
- Common coding errors and vulnerabilities - Improper use of security features
- Typical problems related to the use of security features
- Typical problems related to the use of security features
- Improper use of security features - Password management
- Password management
- Weakness of hashed passwords
- Password management and storage
- Special purpose hash algorithms for password storage
- Argon2 and PBKDF2 implementations in .NET
- bcrypt and scrypt implementations in .NET
- Password management
- Common hashing mistakes
- The Ashley Madison data breach
- The Ashley Madison data breach
- The loginkey token
- Revealing the passwords with brute forcing
- The Ashley Madison data breach
- Typical mistakes in password management
- Sensitive info in memory - minimize the attack surface
- Exercise: Hard coded passwords
- Hard coded password
- Hard coded password
- Improper use of security features - Accessibility modifiers
- Accessing private fields with reflection in .NET
- Accessing private fields with reflection in .NET
- Exercise: Reflection - Accessing private fields with reflection
- Accessing private fields
- Accessing private fields
- Common coding errors and vulnerabilities - Improper error and exception handling
- Typical problems with error and exception handling
- Empty catch block
- Overly broad catch
- Using multi-catch
- Catching NullReferenceException
- Catching NullReferenceException
- Exception handling – spot the bug!
- Typical problems with error and exception handling
- Exercise: Error handling
- ErrorHandling
- ErrorHandling
- Common coding errors and vulnerabilities - Time and state problems
- Concurrency and threading
- Concurrency in .NET
- Concurrency and threading
- Omitted synchronization
- Omitted synchronization
- Omitted synchronization
- Incorrect granularity
- Incorrect granularity
- Incorrect granularity
- Deadlocks
- Avoiding deadlocks
- Avoiding deadlokcs
- Lock statement
- Common coding errors and vulnerabilities - Code quality problems
- Dangers arising from poor code quality
- Poor code quality
- Unreleased resources
- Serialization
- Dangers arising from poor code quality
- Exercise: ExerciseSerializable Sensitive
- Serializable sensitive
- Private arrays
- Serializable sensitive
- Private arrays – typed field returned from a public method
- Object hijacking
- Class not sealed – object hijacking
- Exercise: ExerciseObject Hijack
- Object hijacking
- Object hijacking
- Immutable string
- Exercise: Exercise - Immutable string
- Immutable strings
- Immutable strings
- Using SecureString
- Input validation
- Principles of security and secure coding
- Principles of security and secure coding
- Matt Bishop's principles of robust programming
- Matt Bishop's principles of robust programming - I
- Matt Bishop's principles of robust programming - II
- The security principles of Saltzer and Schroeder
- The security principles of Saltzer and Schroeder - I
- The security principles of Saltzer and Schroeder - II
- The security principles of Saltzer and Schroeder - III
- The security principles of Saltzer and Schroeder - IV
- Matt Bishop's principles of robust programming
- Principles of security and secure coding
- Knowledge sources
- Knowledge sources
- Secure coding sources - a starter kit
- Secure coding sources - a starter kit
- Vulnerability databases
- .NET secure coding material at Microsoft Learn
- .NET secure coding cheat sheets
- Recommended books – .NET and ASP.NET
- Podcasts And Other Resources
- Knowledge sources