Advanced C#, ASP.NET and Web application security
Beyond solid knowledge of the security features of .NET and ASP.NET, even experienced programmers need a deep understanding of Web-related vulnerabilities on both the server and client side, along with the consequences of the various risks.
The course also covers the security architecture and components of the .NET framework, including code- and role-based access control, the permission declaration and checking mechanisms, and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and operation of the various algorithms; building on that baseline, the course presents the cryptographic features available in .NET.
The introduction of the different security bugs follows the well-established vulnerability categories: input validation, security features, error handling, time- and state-related problems, the group of general code quality issues, and a dedicated section on ASP.NET-specific vulnerabilities. These topics are concluded with an overview of testing tools that can automatically reveal some of the bugs covered.
Web developers using ASP.NET
Preparedness: Advanced C# and ASP.NET and Web application
Topics are presented through practical exercises where participants can try out the consequences of certain vulnerabilities, the mitigations, as well as the discussed APIs and tools for themselves.
- Web vulnerabilities: OWASP top 10 and beyond: SQL Injection and other injection flaws, Cross-Site Scripting: persistent and reflected XSS, session handling challenges, using cookies, remote code execution, Insecure Direct Object Reference, Cross-Site Request Forgery (CSRF), restricting URL access.
- .NET and ASP.NET security technologies and services: Code Access Security, permissions, the stack walk, trust levels; Role-based Security; cryptography basics, symmetric and asymmetric algorithms, hashing, public-key infrastructure (PKI), cryptography in .NET; ASP.NET authentication and authorization solutions, Windows and Forms authentication, Live SDK, roles; session handling; XSS protection, validation features, ViewState protection in ASP.NET.
- .NET-specific vulnerabilities: input validation problems, using native code, integer overflows in .NET, using the checked keyword, log forging; improper use of cryptographic features, insecure randomness in .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling; time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions; general code quality issues, object hijacking, immutable objects, serialization of sensitive information; Denial-of-Service (DoS) in .NET, hash table collisions, attacks against ASP.NET, string termination inconsistency, and many more...
- Exercises: exploiting SQL injection step by step; exploiting command injection; crafting Cross-Site Scripting attacks through both reflected and persistent XSS; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); sandboxing .NET code, using roles, using cryptographic classes in .NET, implementing Forms authentication, input validation in ASP.NET; crashing native code; unsafe reflection; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlocks; overcoming file race conditions; object hijacking; immutable strings; preventing serialization; using hidden and disabled controls; value shadowing.
- Using security testing tools: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (SqlMap, SqlNinja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), sniffers (Tcpdump, Ngrep, Wireshark), proxy servers (Burp Suite, Paros Proxy), static source code analyzers for .NET (FxCop).