oaxino
Posted 24 May 2017

OWASP Top 10 Web Application Security Risks for ASP.NET
English | Size: 2.08 GB
Category: CBTs

Course contents:

Introduction
- Who's getting hacked?
- Who's doing the hacking?
- OWASP and the Top 10
- Applying security in depth

Injection
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: LulzSec and Sony
- Understanding SQL injection
- Defining untrusted data
- Demo: The principle of least privilege
- Demo: Inline SQL parameterisation
- Demo: Stored procedure parameterisation
- Demo: Whitelisting untrusted data
- Demo: Entity Framework's SQL parameterisation
- Demo: Injection through stored procedure
- Demo: Injection automation with Havij
- Summary

Cross Site Scripting (XSS)
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: MySpace and Samy
- Understanding XSS
- Output encoding concepts
- Demo: Implementing output encoding
- Demo: Output encoding in web forms
- Demo: Output encoding in MVC
- Demo: Whitelisting allowable values
- Demo: ASP.NET request validation
- Demo: Reflective versus persistent XSS
- Demo: Native browser defences
- Demo: Payload obfuscation
- Summary

Broken Authentication and Session Management
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: Apple's session fixation
- Persisting state in a stateless protocol
- The risk of session persistence in the URL versus cookies
- Demo: Securely configuring session persistence
- Demo: Leveraging the ASP.NET membership provider for authentication
- Customising session and forms timeouts to minimise risk windows
- Sliding versus fixed forms timeout
- Other broken authentication patterns
- Summary

Insecure Direct Object References
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: Citibank
- Understanding direct object references
- Demo: Implementing access controls
- Understanding indirect reference maps
- Demo: Building an indirect reference map
- Obfuscation via random surrogate keys
- Summary

Cross Site Request Forgery (CSRF)
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: Compromised Brazilian modems
- What makes a CSRF attack possible
- Understanding anti-forgery tokens
- Demo: Implementing an anti-forgery token in MVC
- Demo: Web forms approach to anti-forgery tokens
- CSRF fallacies and browser defences
- Summary

Security Misconfiguration
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: ELMAH
- Demo: Correctly configuring custom errors
- Demo: Securing web forms tracing
- Demo: Keeping frameworks current with NuGet
- Demo: Encrypting sensitive parts of the web.config
- Demo: Using config transforms to apply secure configurations
- Demo: Enabling retail mode on the server
- Summary

Insecure Cryptographic Storage
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: ABC passwords
- Understanding password storage and hashing
- Understanding salt and brute force attacks
- Slowing down hashes with the new Membership Provider
- Other stronger hashing implementations
- Things to consider when choosing a hashing implementation
- Understanding symmetric and asymmetric encryption
- Demo: Symmetric encryption using DPAPI
- What's not cryptographic
- Summary

Failure to Restrict URL Access
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: Apple AT&T leak
- Demo: Access controls in ASP.NET part 1: web.config locations
- Demo: Access controls in ASP.NET part 2: The authorize attribute
- Demo: Role based authorisation with the ASP.NET Role Provider
- Other access control risks and misconceptions
- Summary

Insufficient Transport Layer Protection
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: Tunisian ISPs
- Demo: Understanding secure cookies and forms authentication
- Demo: Securing other cookies in ASP.NET
- Demo: Forcing web forms to use HTTPS
- Demo: Requiring HTTPS on MVC controllers
- Demo: Mixed mode HTTPS
- HTTP strict transport security
- Other insufficient HTTPS patterns
- Other HTTPS considerations
- Summary

Unvalidated Redirects and Forwards
- Introduction
- OWASP overview and risk rating
- Demo: Anatomy of an attack
- Risk in practice: US government websites
- Understanding the value of unvalidated redirects to attackers
- Demo: Implementing a whitelist
- Demo: Implementing referrer checking
- Other issues with the unvalidated redirect risk
- Summary

Download link: (hidden content; log in or register to view)
Links are interchangeable - No password - Single extraction