Hack-proofing Your ASP.NET Web Applications
This course provides the developer with techniques for hack-proofing their applications by understanding the attacks that are used, and how to defend against them.
Authored by: Adam Tuliper
Duration: 5h 0m
Level: Intermediate
Released: 2/3/2012
| Module | Clip | Duration |
|---|---|---|
| SQL Injection | | 00:45:08 |
| | Introduction | 00:09 |
| | What is SQL Injection? | 04:14 |
| | Demo - Form based SQL Injection 1 | 11:28 |
| | Demo - Form based SQL Injection 2 | 02:22 |
| | How do you prevent SQL Injection? | 02:23 |
| | Demo - SQL Permissions Auditor Tool | 02:28 |
| | Additional Protections | 03:40 |
| | Problematic Fixes - Blacklisting Routines | 04:13 |
| | Problematic Fixes - SQL Routines and SQL Truncation | 04:32 |
| | Basic Dynamic Query Ideas | 05:49 |
| | Using an ORM | 03:24 |
| | Additional Information / References | 00:26 |
| Information Leakage | | 00:15:36 |
| | Introduction | 00:10 |
| | What is information leakage? | 01:06 |
| | How is information gathered? | 01:58 |
| | Demo - Web App Basic Information Leakage | 00:50 |
| | Demo - Information Leakage from error page | 00:37 |
| | Demo - Information Leakage by Ajax | 01:47 |
| | How do you prevent Information Leakage? | 08:40 |
| | Additional Reading | 00:28 |
| Cross-Site Scripting (XSS) | | 01:11:00 |
| | Introduction | 00:09 |
| | What is XSS? | 03:40 |
| | How is XSS exploited? | 00:47 |
| | Demo - Reflected XSS Attack | 02:08 |
| | Demo - Persistent XSS Attack | 03:47 |
| | Demo - Older Style IE6 Content Type Sniffing Attack | 01:38 |
| | Demo - DOM Based XSS | 07:02 |
| | Demo - Data URI - Link Hijack | 03:37 |
| | Demo - Dangling Markup/Scriptless Attacks | 05:59 |
| | How do you prevent XSS? | 02:54 |
| | How do you prevent XSS (page 2) | 01:14 |
| | Demo (Prevention) - AntiXss GetSafeHtmlFragment() | 01:52 |
| | Demo (Prevention) - Specifying UTF-8 Encoding | 01:11 |
| | Demo (Prevention) - Content Security Policy | 05:37 |
| | Problems with blacklists / character filtering | 03:14 |
| | How do you prevent XSS (last but not least) | 03:46 |
| | Don't turn off Request Validation | 05:07 |
| | Know your encoding options | 04:42 |
| | Demo (Fix) - Fixing Web Forms Repeater | 02:16 |
| | Demo (Fix) - Fixing Scriptless / Dangling HTML | 00:59 |
| | Demo (Fix) - Fixing DOM based attacks | 04:22 |
| | Tools | 02:27 |
| | Summary | 02:10 |
| | Additional Information / References | 00:22 |
| Parameter Tampering | | 00:29:03 |
| | Introduction | 00:08 |
| | What is parameter tampering? | 00:37 |
| | How is it exploited? | 01:22 |
| | MVC Parameter Tampering | 05:21 |
| | Web Forms Parameter Tampering | 04:50 |
| | EventValidation issues with client side script | 01:24 |
| | Preventing tampering in MVC | 02:45 |
| | Preventions - Regular Expressions | 01:13 |
| | Preventions - Data Annotations | 01:20 |
| | Validate your data! | 03:20 |
| | A few minor words of caution | 03:23 |
| | Summary | 02:30 |
| | Additional Information / References | 00:50 |
| Encryption and Hashing | | 00:45:34 |
| | Introduction | 00:10 |
| | Why should I encrypt? | 05:11 |
| | How to encrypt - database side | 01:07 |
| | SQL - Encrypt by passphrase | 02:50 |
| | SQL - Encrypt by certificate | 01:51 |
| | How to encrypt - application code | 03:51 |
| | How to encrypt - configuration settings | 02:44 |
| | Forcing SSL - MVC | 02:36 |
| | Forcing SSL - Web Forms | 00:59 |
| | Forcing SSL - Additional Information | 01:45 |
| | Installing SSL on your development box | 03:58 |
| | About Hashing | 01:25 |
| | How are hashes attacked? | 02:36 |
| | What's a salt? | 01:22 |
| | Demo - Basic hash with salt | 01:17 |
| | Demo - Hash brute force attack (even with a salt!) | 03:03 |
| | Tool Demo - Hashcat | 01:16 |
| | Choosing the right approaches | 04:25 |
| | Membership provider support | 01:38 |
| | But I need my lost password functionality! | 00:59 |
| | Additional Information | 00:31 |
| Cross-Site Request Forgery (CSRF) | | 00:38:36 |
| | Introduction | 00:09 |
| | What is CSRF? | 01:02 |
| | How is CSRF exploited? | 02:41 |
| | Demo - Exploit using email image src | 04:59 |
| | Demo - Repeatability is the key | 01:16 |
| | Demo - CSRF from XSS | 01:27 |
| | POSTs protect me, don't they? | 04:38 |
| | Demo - Web Forms One Click Attack - Forge user interaction | 07:32 |
| | How do you prevent CSRF? | 02:27 |
| | Web Forms CSRF Prevention | 05:28 |
| | MVC CSRF Prevention | 04:53 |
| | Summary | 02:04 |
| Denial of Service | | 00:17:49 |
| | Introduction | 00:07 |
| | How is DoS exploited? | 05:05 |
| | Demo - Affecting the victim's browser | 02:25 |
| | Demo - Browser based distributed denial of service | 03:35 |
| | Demo - Slow page = easy target | 03:55 |
| | Preventing DoS | 02:07 |
| | Additional Information / References | 00:35 |
| Session Management and Hijacking | | 00:37:24 |
| | Introduction | 00:10 |
| | ASP.NET Session Id Management Background | 04:40 |
| | Session Management Demo | 05:04 |
| | How can sessions be attacked? | 01:06 |
| | Demo - stealing a session | 06:04 |
| | Preventing Session Attacks | 01:05 |
| | Syncing Forms authentication timeouts and session timeouts | 04:56 |
| | Preventing - Removing the session cookie on login/logout | 02:43 |
| | Preventing - Avoid cookieless sessions | 00:59 |
| | Custom session id managers | 09:23 |
| | Additional Information | 01:14 |