NET, C# and ASP.NET security development

A number of programming languages are available today to compile code to .NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation.

Audience:

NET, C# and ASP.NET security development 

Prerequisites:

Preparedness: Basic .NET, C# and ASP.NET 

Course outline:

The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more. Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using .NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general Web application security challenges, but also with special issues and attack methods like attacking the PostBack or the ViewState, or the string termination attacks.

  • Security technologies and services::
    Code Access Security, Role Access Security, Remoting Architecture; ASP.NET trust levels; form authentication; session handling; provider model; membership, role management and the Microsoft Passport Network.
  • Vulnerabilities, attacks and mitigations:: 
    :integer overflows in .NET; injection flaws in ASP.NET: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), log forging; unsafe native calls; Equals() and toString() problems; attacking PostBack and ViewState; string termination attacks; direct call to GC.Collect(); implementation of ICloneable; class comparison methods; using the [Serializable] attribute; unsafe reflection; attacking PostBack and ViewState; string termination attacks; and many more...

Other relevant courses