C# and Web Application Security

  • CL-NWA
  • 3 days
  • C#/.NET/ASP.NET, Web

Description

Writing .NET web applications can be rather complex - reasons range from dealing with legacy technologies or underdocumented third-party components to sharp deadlines and code maintainability. Yet, beyond all that, what if we told you that attackers were trying to break into your code right now? How likely would they be to succeed?

This course will change the way you look at your C# code. We'll teach you the common weaknesses and their consequences that can allow hackers to attack your system, and - more importantly - best practices you can apply to protect yourself. We give you a holistic view on the security aspects of the .NET framework as well as common C# programming mistakes you need to be aware of. We also cover typical Web vulnerabilities with a focus on how they affect ASP.NET web apps on the entire stack. We present the entire course through live practical exercises to keep it engaging and fun.

Writing secure code will give you a distinct edge over your competitors. It is your choice to be ahead of the pack - take a step and be a game-changer in the fight against cybercrime.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn to use various security features of the .NET development environment
  • Have a practical understanding of cryptography
  • Learn about typical coding mistakes and how to avoid them
  • Get sources and further readings on secure coding practices

Outline

  • IT security and secure coding
  • Web application security
  • .NET security architecture and services
  • Practical cryptography
  • Common coding errors and vulnerabilities
  • Principles of security and secure coding
  • Knowledge sources

Course information

Preparedness

General C# and Web application development

Exercises

Hands-on

Delivery methods

Onsite / Virtual classroom

Course reviews

Related courses

Bundle deal

Now Scademy offers a special course package. The AVATAO bundle deal is a value offer, for those who wish to practice what they have learned during the course. For an extra price, you will have access to a yearly AVATAO subscription. This online platform has over 500 secure coding challenges in various coding languages. Fore more information check AVATAO's website: avatao.com

Course registration

Date and time April 23-25, 2025 - CEST
Language English
Delivery Online
Choose a bundle
Register now
Loading...
Registering...

Table of contents

  • Day 1
  • Day 2
  • Day 3
  • IT security and secure coding
    • Security Introduction
      • Nature of security
        • What is risk?
          • IT security vs. secure coding
          • IT security and secure coding - From vulnerabilities to botnets and cybercrime
            • Nature of security flaws
              • From an infected computer to targeted attacks
              • Classification of security flaws
                • Classification of security flaws
                  • Landwehr's taxonomy
                    • The Seven Pernicious Kingdoms 1/2
                      • The Seven Pernicious Kingdoms 2/2
                        • OWASP Top Ten 2021
                      • Web application security
                        • Broken Access Control
                          • Typical access control weaknesses
                            • Insecure direct object reference (IDOR)
                              • Protection against IDOR
                              • Exercise: Insecure direct object reference
                                • Insecure direct object reference 1 / 2
                                  • Insecure direct object reference 2 / 2
                                  • Stealing Your Private YouTube Videos, One Frame at a Time
                                    • Stealing Your Private YouTube Videos, One Frame at a Time 1 / 2
                                      • Stealing Your Private YouTube Videos, One Frame at a Time 2 / 2
                                      • Cryptographic Failures
                                        • Sensitive data exposure
                                        • Cryptographic Failures - Transport layer security
                                          • Transport layer security
                                            • Transport layer security
                                            • Injection
                                              • Injection principles
                                              • Injection - SQL Injection
                                                  • SQL Injection
                                                  • Exercise: SQL injection
                                                    • SQL injection 1 / 2
                                                      • SQL injection 2 / 2
                                                        • Typical SQL Injection attack methods
                                                          • Blind and time-based SQL injection
                                                            • SQL injection protection methods
                                                            • SQL Injection in Entity Framework
                                                              • Effect of data storage frameworks on SQL injection
                                                                • SQL Injection in Entity Framework
                                                                • SQL Injection in Dapper
                                                                  • SQL injection in Dapper
                                                                  • Injection - Code Injection
                                                                    • Script Injection
                                                                      • Command Injection
                                                                      • Exercise: Command injection exercise
                                                                        • Command injection exercise - Setup
                                                                          • Command injection exercise - starting Netcat
                                                                            • Prevention of code injection
                                                                            • Server-side Template Injection in .NET
                                                                              • ASP.NET Razor templating engine
                                                                                • Prevention
                                                                                • Log Injection
                                                                                  • Log injection - Log forging
                                                                                    • Log injection - XSS atacks
                                                                                      • Log injection - Command injection
                                                                                        • Preventing Log Injection Attacks
                                                                                        • Injection - Cookie injection / HTTP parameter pollution
                                                                                          • HTTP parameter pollution in .NET Framework (legacy)
                                                                                            • HTTP parameter pollution in .NET 8
                                                                                              • Value shadowing in .NET 8
                                                                                              • Cross-Site Scripting (XSS)
                                                                                                • Cross-Site Scripting (XSS)
                                                                                                  • Persistent XSS
                                                                                                    • Reflected XSS
                                                                                                      • DOM-based XSS
                                                                                                      • Exercise: Cross Site Scripting (XSS)
                                                                                                        • Cross Site Scripting
                                                                                                          • Exploitation: CSS injection
                                                                                                            • XSS prevention
                                                                                                              • Output encoding API in C#
                                                                                                              • Insecure deserialization
                                                                                                                • Validation of JSON
                                                                                                                  • Open redirects - Dangers of open redirects
                                                                                                                    • Open redirects prevention
                                                                                                                      • Insecure file uploads
                                                                                                                      • Security Misconfiguration
                                                                                                                        • Security misconfiguration
                                                                                                                          • Web API Configuration
                                                                                                                            • CORS configuration
                                                                                                                              • CORS configuration
                                                                                                                                • JWT Token configuration
                                                                                                                                  • Rate limiting
                                                                                                                                • Web application security
                                                                                                                                  • Vulnerable and Outdated Components
                                                                                                                                    • Vulnerability management
                                                                                                                                      • Vulnerability attributes
                                                                                                                                        • Common Vulnerability Scoring System – CVSS
                                                                                                                                        • Supply Chain Security
                                                                                                                                          • Code transparency
                                                                                                                                            • Best practices
                                                                                                                                            • Identification and Authentication Failures
                                                                                                                                              • Session handling threats
                                                                                                                                                • Session handling best practices
                                                                                                                                                  • Session fixation
                                                                                                                                                  • Exercise: Token forgery
                                                                                                                                                    • Token forgery
                                                                                                                                                      • Token forgery
                                                                                                                                                        • Setting cookie attributes - best practices
                                                                                                                                                        • Identification and Authentication Failures - Cross Site Request Forgery (CSRF)
                                                                                                                                                          • Cross Site Request Forgery (CSRF)
                                                                                                                                                            • Login CSRF
                                                                                                                                                              • CSRF prevention
                                                                                                                                                                • CSRF prevention in .NET
                                                                                                                                                                • Exercise: Cross Site Request Forgery (CSRF)
                                                                                                                                                                  • Cross Site Request Forgery
                                                                                                                                                                    • Identification and Authentication - Recommendation
                                                                                                                                                                      • Authentication libraries for .NET
                                                                                                                                                                      • Application Secret Management
                                                                                                                                                                        • Application secret management
                                                                                                                                                                        • Hosting Considerations
                                                                                                                                                                          • Security
                                                                                                                                                                            • Security
                                                                                                                                                                              • Hosting considerations
                                                                                                                                                                              • Security Logging and Monitoring Failures
                                                                                                                                                                                • Insufficient attack protection
                                                                                                                                                                                  • Detection and response
                                                                                                                                                                                    • Logging and log analysis
                                                                                                                                                                                      • Intrusion detection systems and Web application firewalls
                                                                                                                                                                                    • Practical cryptography
                                                                                                                                                                                      • Cryptography Introduction
                                                                                                                                                                                        • Rule #1 of implementing cryptography
                                                                                                                                                                                        • Cryptosystems
                                                                                                                                                                                          • Elements of a cryptosystem
                                                                                                                                                                                            • FIPS 140-3
                                                                                                                                                                                              • .NET cryptographic architecture
                                                                                                                                                                                                • How algorithms are implemented in .NET
                                                                                                                                                                                                • Symmetric-key cryptography
                                                                                                                                                                                                  • Providing confidentiality with symmetric cryptography
                                                                                                                                                                                                    • Symmetric encryption algorithms
                                                                                                                                                                                                      • Modes of operation
                                                                                                                                                                                                        • ECB - Electronic Codebook
                                                                                                                                                                                                          • ECB - Electronic Codebook
                                                                                                                                                                                                            • CBC - Cipher Block Chaining
                                                                                                                                                                                                              • CBC - Cipher Block Chaining
                                                                                                                                                                                                                • CFB – Cipher Feedback
                                                                                                                                                                                                                  • CFB – Cipher Feedback
                                                                                                                                                                                                                    • OFB – Output Feedback
                                                                                                                                                                                                                      • OFB – Output Feedback
                                                                                                                                                                                                                        • CTR – Counter
                                                                                                                                                                                                                          • CTR – Counter
                                                                                                                                                                                                                            • Comparing the modes of operation
                                                                                                                                                                                                                              • Encrypting and decrypting (symmetric)
                                                                                                                                                                                                                              • Other cryptographic algorithms
                                                                                                                                                                                                                                • Hash or message digest
                                                                                                                                                                                                                                  • Hash algorithms
                                                                                                                                                                                                                                    • SHAttered
                                                                                                                                                                                                                                      • Defense against SHAttered attack
                                                                                                                                                                                                                                        • Hashing
                                                                                                                                                                                                                                          • Message Authentication Code (MAC)
                                                                                                                                                                                                                                            • Providing integrity and authenticity with a symmetric key
                                                                                                                                                                                                                                            • Other cryptographic algorithms - Random number generation
                                                                                                                                                                                                                                              • Random numbers and cryptography
                                                                                                                                                                                                                                                • Random numbers and cryptography
                                                                                                                                                                                                                                                  • Cryptographically-strong PRNGs
                                                                                                                                                                                                                                                    • Weak PRNGs in .NET
                                                                                                                                                                                                                                                      • Strong PRNGS in .NET
                                                                                                                                                                                                                                                        • Hardware-based TRNGs
                                                                                                                                                                                                                                                        • Asymmetric (public-key) cryptography
                                                                                                                                                                                                                                                          • Providing confidentiality with public-key encryption
                                                                                                                                                                                                                                                            • Public-key cryptography
                                                                                                                                                                                                                                                              • Rule of thumb – possession of private key
                                                                                                                                                                                                                                                                • Combining symmetric and asymmetric algorithms
                                                                                                                                                                                                                                                                  • Signing with a private key
                                                                                                                                                                                                                                                                  • Asymmetric (public-key) cryptography - The RSA algorithm
                                                                                                                                                                                                                                                                    • Introduction to RSA algorithm
                                                                                                                                                                                                                                                                      • Encrypting with RSA
                                                                                                                                                                                                                                                                        • Digital signing with RSA
                                                                                                                                                                                                                                                                          • Asymmetric algorithms in .NET
                                                                                                                                                                                                                                                                          • Exercise: Using .NET cryptographic classes
                                                                                                                                                                                                                                                                            • Using .NET cryptographic classes
                                                                                                                                                                                                                                                                            • Public Key Infrastructure (PKI) - Root of Trust Concept
                                                                                                                                                                                                                                                                              • Root of Trust Concept
                                                                                                                                                                                                                                                                                • Man-in-the-Middle (MitM) attack
                                                                                                                                                                                                                                                                                  • Man-in-the-Middle (MitM) attack
                                                                                                                                                                                                                                                                                    • Digital certificates against MitM attack
                                                                                                                                                                                                                                                                                      • Certificate Authorities in Public Key Infrastructure
                                                                                                                                                                                                                                                                                        • Digital certificates
                                                                                                                                                                                                                                                                                          • X.509 digital certificate
                                                                                                                                                                                                                                                                                        • Common coding errors and vulnerabilities
                                                                                                                                                                                                                                                                                          • Input validation
                                                                                                                                                                                                                                                                                            • Input validation concepts
                                                                                                                                                                                                                                                                                            • Input validation - Integer problems
                                                                                                                                                                                                                                                                                              • Representation of negative integers
                                                                                                                                                                                                                                                                                                • Integer overflow
                                                                                                                                                                                                                                                                                                  • Arithmetic overflow – guess the output!
                                                                                                                                                                                                                                                                                                  • Exercise: Exercise IntOverflow
                                                                                                                                                                                                                                                                                                    • IntOverflow
                                                                                                                                                                                                                                                                                                      • What is the value of Math.Abs(int.MinValue)?
                                                                                                                                                                                                                                                                                                        • What is the value of Math.Abs(int.MinValue)?
                                                                                                                                                                                                                                                                                                        • Input validation - Integer problem – best practices
                                                                                                                                                                                                                                                                                                          • Integer problem – best practices
                                                                                                                                                                                                                                                                                                            • Avoiding arithmetic overflow – addition
                                                                                                                                                                                                                                                                                                              • Avoiding arithmetic overflow – multiplication
                                                                                                                                                                                                                                                                                                                • Detecting overflow with the *checked* keyword in C#
                                                                                                                                                                                                                                                                                                                  • Exceptions triggered by overflows in C#
                                                                                                                                                                                                                                                                                                                    • Using the checked keyword in C#
                                                                                                                                                                                                                                                                                                                    • Input validation - Path traversal vulnerability
                                                                                                                                                                                                                                                                                                                      • Path traversal vulnerability
                                                                                                                                                                                                                                                                                                                        • Path traversal – weak protections
                                                                                                                                                                                                                                                                                                                          • Path traversal – best practices
                                                                                                                                                                                                                                                                                                                          • Input validation - Unvalidated redirects and forwards
                                                                                                                                                                                                                                                                                                                            • Unvalidated redirects and forwards
                                                                                                                                                                                                                                                                                                                            • Input validation - Log forging
                                                                                                                                                                                                                                                                                                                              • Log forging
                                                                                                                                                                                                                                                                                                                                • Log forging
                                                                                                                                                                                                                                                                                                                                  • Some other typical problems with log files
                                                                                                                                                                                                                                                                                                                                  • Common coding errors and vulnerabilities - Improper use of security features
                                                                                                                                                                                                                                                                                                                                    • Typical problems related to the use of security features
                                                                                                                                                                                                                                                                                                                                    • Improper use of security features - Password management
                                                                                                                                                                                                                                                                                                                                      • Password management
                                                                                                                                                                                                                                                                                                                                        • Weakness of hashed passwords
                                                                                                                                                                                                                                                                                                                                          • Password management and storage
                                                                                                                                                                                                                                                                                                                                            • Special purpose hash algorithms for password storage
                                                                                                                                                                                                                                                                                                                                              • Argon2 and PBKDF2 implementations in .NET
                                                                                                                                                                                                                                                                                                                                                • bcrypt and scrypt implementations in .NET
                                                                                                                                                                                                                                                                                                                                                  • Common hashing mistakes
                                                                                                                                                                                                                                                                                                                                                  • The Ashley Madison data breach
                                                                                                                                                                                                                                                                                                                                                    • The Ashley Madison data breach
                                                                                                                                                                                                                                                                                                                                                      • The loginkey token
                                                                                                                                                                                                                                                                                                                                                        • Revealing the passwords with brute forcing
                                                                                                                                                                                                                                                                                                                                                          • Typical mistakes in password management
                                                                                                                                                                                                                                                                                                                                                            • Sensitive info in memory - minimize the attack surface
                                                                                                                                                                                                                                                                                                                                                            • Exercise: Hard coded passwords
                                                                                                                                                                                                                                                                                                                                                              • Hard coded password
                                                                                                                                                                                                                                                                                                                                                              • Improper use of security features - Accessibility modifiers
                                                                                                                                                                                                                                                                                                                                                                • Accessing private fields with reflection in .NET
                                                                                                                                                                                                                                                                                                                                                                • Exercise: Reflection - Accessing private fields with reflection
                                                                                                                                                                                                                                                                                                                                                                  • Accessing private fields
                                                                                                                                                                                                                                                                                                                                                                  • Common coding errors and vulnerabilities - Improper error and exception handling
                                                                                                                                                                                                                                                                                                                                                                    • Typical problems with error and exception handling
                                                                                                                                                                                                                                                                                                                                                                      • Empty catch block
                                                                                                                                                                                                                                                                                                                                                                        • Overly broad catch
                                                                                                                                                                                                                                                                                                                                                                          • Using multi-catch
                                                                                                                                                                                                                                                                                                                                                                            • Catching NullReferenceException
                                                                                                                                                                                                                                                                                                                                                                              • Catching NullReferenceException
                                                                                                                                                                                                                                                                                                                                                                                • Exception handling – spot the bug!
                                                                                                                                                                                                                                                                                                                                                                                • Exercise: Error handling
                                                                                                                                                                                                                                                                                                                                                                                  • ErrorHandling
                                                                                                                                                                                                                                                                                                                                                                                  • Common coding errors and vulnerabilities - Time and state problems
                                                                                                                                                                                                                                                                                                                                                                                    • Concurrency and threading
                                                                                                                                                                                                                                                                                                                                                                                      • Concurrency in .NET
                                                                                                                                                                                                                                                                                                                                                                                        • Omitted synchronization
                                                                                                                                                                                                                                                                                                                                                                                          • Omitted synchronization
                                                                                                                                                                                                                                                                                                                                                                                            • Omitted synchronization
                                                                                                                                                                                                                                                                                                                                                                                              • Incorrect granularity
                                                                                                                                                                                                                                                                                                                                                                                                • Incorrect granularity
                                                                                                                                                                                                                                                                                                                                                                                                  • Incorrect granularity
                                                                                                                                                                                                                                                                                                                                                                                                    • Deadlocks
                                                                                                                                                                                                                                                                                                                                                                                                      • Avoiding deadlocks
                                                                                                                                                                                                                                                                                                                                                                                                        • Avoiding deadlokcs
                                                                                                                                                                                                                                                                                                                                                                                                          • Lock statement
                                                                                                                                                                                                                                                                                                                                                                                                          • Common coding errors and vulnerabilities - Code quality problems
                                                                                                                                                                                                                                                                                                                                                                                                            • Dangers arising from poor code quality
                                                                                                                                                                                                                                                                                                                                                                                                              • Poor code quality
                                                                                                                                                                                                                                                                                                                                                                                                                • Unreleased resources
                                                                                                                                                                                                                                                                                                                                                                                                                  • Serialization
                                                                                                                                                                                                                                                                                                                                                                                                                  • Exercise: Exercise
                                                                                                                                                                                                                                                                                                                                                                                                                    Serializable Sensitive
                                                                                                                                                                                                                                                                                                                                                                                                                    • Serializable sensitive
                                                                                                                                                                                                                                                                                                                                                                                                                      • Private arrays
                                                                                                                                                                                                                                                                                                                                                                                                                        • Private arrays – typed field returned from a public method
                                                                                                                                                                                                                                                                                                                                                                                                                          • Object hijacking
                                                                                                                                                                                                                                                                                                                                                                                                                            • Class not sealed – object hijacking
                                                                                                                                                                                                                                                                                                                                                                                                                            • Exercise: Exercise
                                                                                                                                                                                                                                                                                                                                                                                                                              Object Hijack
                                                                                                                                                                                                                                                                                                                                                                                                                              • Object hijacking
                                                                                                                                                                                                                                                                                                                                                                                                                                • Immutable string
                                                                                                                                                                                                                                                                                                                                                                                                                                • Exercise: Exercise - Immutable string
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Immutable strings
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Using SecureString
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Principles of security and secure coding
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Principles of security and secure coding
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Matt Bishop's principles of robust programming
                                                                                                                                                                                                                                                                                                                                                                                                                                        • Matt Bishop's principles of robust programming - I
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Matt Bishop's principles of robust programming - II
                                                                                                                                                                                                                                                                                                                                                                                                                                            • The security principles of Saltzer and Schroeder
                                                                                                                                                                                                                                                                                                                                                                                                                                              • The security principles of Saltzer and Schroeder - I
                                                                                                                                                                                                                                                                                                                                                                                                                                                • The security principles of Saltzer and Schroeder - II
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • The security principles of Saltzer and Schroeder - III
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • The security principles of Saltzer and Schroeder - IV
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Knowledge sources
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Knowledge sources
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Secure coding sources - a starter kit
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Vulnerability databases
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • .NET secure coding material at Microsoft Learn
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • .NET secure coding cheat sheets
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Recommended books – .NET and ASP.NET
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Podcasts And Other Resources