Kurs i Microsoft .NET 4.5 og Visual Studio 2012

Glasspaper er en komplett
kurs-leverandør for utviklere!


Advanced C#, ASP.NET and Web application security

Kursavgift: kr 17 900 | Varighet: 3 dager

Beskrivelse:

Beyond a solid knowledge in using various security features of .NET and ASP.NET, even for experienced programmers it is essential to have a deep knowledge in Web-related vulnerabilities both on server and client side along with the consequences of the various risks.

In this course the general web-based vulnerabilities are demonstrated through presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of ASP.NET. A special focus is given to client-side security tackling security issues of JavaScript, Ajax and HTML5.

The course also deals with the security architecture and components of the .NET framework, including code- and role based access control, permission declaration and checking mechanisms and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and the operation of various algorithms, based on which the course presents the cryptographic features that can be used in .NET.

Introduction of different security bugs follows the well-established vulnerability categories, tackling input validation, security features, error handling, time- and state-related problems, the group of general code quality issues, and a special section on ASP.NET-specific vulnerabilities. These topics are concluded with an overview on testing tools that can be used to automatically reveal some of the learnt bugs.





Målgruppe:

Web developers using ASP.NET


Forkunnskaper:

Preparedness: Advanced C# and ASP.NET and Web application



Innhold:

Topics are presented through practical exercises where participants can try out the consequences of certain vulnerabilities, the mitigations, as well as the discussed APIs and tools for themselves.


  • Web vulnerabilities:
    OWASP top 10 and beyond: SQL Injection and other injection flaws, Cross-Site Scripting: persistent and reflected XSS, session handling challenges, using cookies, remote code execution, Insecure Direct Object Reference, Cross-Site Request Forgery (CSRF), restricting URL access.

  • Client-side security:
    JavaScript same origin policy, authentication and password management in JavaScript, obfuscating JavaScript code, ClickJacking; Ajax security, XSS and CSRF in Ajax; HTML5 ClickJacking, form tampering, cross-origin requests, client-side include.

  • .NET and ASP.NET security technologies and services:
    Code Access Security, permissions, the stack walk, trust levels; Role-based Security; Cryptography basics, symmetric and assymmetric algorithms, hashing, public-key infrastructure (PKI), cryptography in .NET; ASP.NET authentication and authorization solutions, windows and form authentication, Live SDK, roles; session handling; XSS protection, validation features, viewstate protection in ASP.NET.

  • .NET specific vulnerabilities:
    input validation problems, using native code, integer overflows in .NET, using the checked keyword, log forging; improper use of cryptographic features, insecure randomness in .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling; time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions; general code quality issues, object hijacking, immutable objects, serialization of sensitive information; Denial-of-Service (DoS) in.NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more...

  • Exercises:
    exploiting SQL injection step-by-step; exploiting command injection; crafting Cross-Site Scripting attacks through both reflective and persistent XSS; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); sandboxing .NET code, using roles, using cryptographic classes in .NET, implementing form authentication, input validation in ASP.NET; crashing native code; unsafe reflections; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlocks; overcoming file race conditions; object hijacking; immutable string; preventing serialization; using hidden and disable controls; value shadowing.

    Using security testing tools: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (SqlMap, SqlNinja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), sniffers (Tcpdump, Ngrep, Wireshark), proxy servers (BurpSuite, Paros proxy), static source code analyzers for .NET (FxCop).




Epost mottat


Du er nå meldt på nyhetsbrevlisten

Epost mottat


Du er nå meldt på nyhetsbrevlisten

Bestill kurset her

arrow

Velg kurssted

    arrow

    Velg dato

    kurs merket med * har startgaranti

    arrow

    Mailen er sendt:

    Ditt tips er registrert og sendt!
    Vi håper snarlig å se deg på kurs hos oss!

    Feilmelding:

    OBS! Vi har problemer med å sende ditt tips!

    Vi anbefaler deg å sjekke om du har skrevet inn en gyldig mailadresse.

    Tips sjefen

    Lyst til å delta på dette kurset, men må overbevise sjefen først?

    Glasspaper har laget en tips funksjon, som gjør det enklere for deg å overbevise din sjef om at dette kurset er perfekt for deg.
    Det eneste du trenger å gjøre er å fylle ut kontaktinformasjon, så sender vi relevant informasjon om kurset rett til dine utvalgte kontaktpersoner.
    Bruk gjerne funksjonen til å tipse venner og kollegaer om at dette er et nyttig kurs for dem





    Kontakt oss

    Kursansvarlig

    Henning Solberg

    93 09 01 29

    henning@glasspaper.no


    Glasspaper er kåret til Årets Microsoft Kurspartner 2017 - dette er åttende år på rad vi mottar denne hedersprisen