OWASP Top 10 Web Application Security Risks for ASP.NET
This course introduces the OWASP Top 10 Most Critical Web Application Security Risks including how to demonstrate and mitigate them in ASP.NET.
What you'll learn
Web applications today are being hacked with alarming regularity by hacktivists, online criminals, and nation states.
Very frequently, it is the same prevalent security risks being exploited, which is why the Open Web Application Security Project (OWASP) developed its list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software.
This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.
Table of contents
- Introduction 1m
- OWASP overview and risk rating 2m
- Demo: Anatomy of an attack 8m
- Risk in practice: LulzSec and Sony 1m
- Understanding SQL injection 1m
- Defining untrusted data 3m
- Demo: The principle of least privilege 4m
- Demo: Inline SQL parameterisation 3m
- Demo: Stored procedure parameterisation 2m
- Demo: Whitelisting untrusted data 7m
- Demo: Entity Framework's SQL parameterisation 3m
- Demo: Injection through stored procedures 6m
- Demo: Injection automation with Havij 4m
- Summary 2m

- Introduction 1m
- OWASP overview and risk rating 1m
- Demo: Anatomy of an attack 6m
- Risk in practice: MySpace and Samy 2m
- Understanding XSS 2m
- Output encoding concepts 4m
- Demo: Implementing output encoding 6m
- Demo: Output encoding in web forms 4m
- Demo: Output encoding in MVC 3m
- Demo: Whitelisting allowable values 3m
- Demo: ASP.NET request validation 13m
- Demo: Reflective versus persistent XSS 5m
- Demo: Native browser defences 4m
- Demo: Payload obfuscation 3m
- Summary 3m

- Introduction 1m
- OWASP overview and risk rating 1m
- Demo: Anatomy of an attack 3m
- Risk in practice: Apple's session fixation 1m
- Persisting state in a stateless protocol 1m
- The risk of session persistence in the URL versus cookies 3m
- Demo: Securely configuring session persistence 4m
- Demo: Leveraging ASP.NET membership provider for authentication 4m
- Customising session and forms timeouts to minimise risk windows 3m
- Sliding versus fixed forms timeout 3m
- Other broken authentication patterns 2m
- Summary 2m

- Introduction 1m
- OWASP overview and risk rating 1m
- Demo: Anatomy of an attack 5m
- Risk in practice: Citibank 2m
- Understanding direct object references 4m
- Demo: Implementing access controls 5m
- Understanding indirect reference maps 4m
- Demo: Building an indirect reference map 10m
- Obfuscation via random surrogate keys 2m
- Summary 2m

- Introduction 1m
- OWASP overview and risk rating 2m
- Demo: Anatomy of an attack 6m
- Risk in practice: Compromised Brazilian modems 2m
- What makes a CSRF attack possible 9m
- Understanding anti-forgery tokens 3m
- Demo: Implementing an anti-forgery token in MVC 6m
- Demo: Web forms approach to anti-forgery tokens 4m
- CSRF fallacies and browser defences 4m
- Summary 2m

- Introduction 1m
- OWASP overview and risk rating 2m
- Demo: Anatomy of an attack 6m
- Risk in practice: ELMAH 3m
- Demo: Correctly configuring custom errors 9m
- Demo: Securing web forms tracing 4m
- Demo: Keeping frameworks current with NuGet 5m
- Demo: Encrypting sensitive parts of the web.config 5m
- Demo: Using config transforms to apply secure configurations 6m
- Demo: Enabling retail mode on the server 3m
- Summary 3m

- Introduction 1m
- OWASP overview and risk rating 2m
- Demo: Anatomy of an attack 10m
- Risk in practice: ABC passwords 2m
- Understanding password storage and hashing 9m
- Understanding salt and brute force attacks 9m
- Slowing down hashes with the new Membership Provider 5m
- Other stronger hashing implementations 4m
- Things to consider when choosing a hashing implementation 5m
- Understanding symmetric and asymmetric encryption 4m
- Demo: Symmetric encryption using DPAPI 6m
- What's not cryptographic 4m
- Summary 3m

- Introduction 1m
- OWASP overview and risk rating 2m
- Demo: Anatomy of an attack 3m
- Risk in practice: Apple AT&T leak 3m
- Demo: Access controls in ASP.NET part 1: web.config locations 7m
- Demo: Access controls in ASP.NET part 2: The authorize attribute 7m
- Demo: Role based authorisation with the ASP.NET Role Provider 8m
- Other access controls risks and misconceptions 7m
- Summary 4m

- Introduction 2m
- OWASP overview and risk rating 3m
- Demo: Anatomy of an attack 11m
- Risk in practice: Tunisian ISPs 3m
- Demo: Understanding secure cookies and forms authentication 9m
- Demo: Securing other cookies in ASP.NET 7m
- Demo: Forcing web forms to use HTTPS 7m
- Demo: Requiring HTTPS on MVC controllers 4m
- Demo: Mixed mode HTTPS 6m
- HTTP strict transport security 5m
- Other insufficient HTTPS patterns 5m
- Other HTTPS considerations 6m
- Summary 4m

- Introduction 1m
- OWASP overview and risk rating 3m
- Demo: Anatomy of an attack 4m
- Risk in practice: US government websites 2m
- Understanding the value of unvalidated redirects to attackers 4m
- Demo: Implementing a whitelist 5m
- Demo: Implementing referrer checking 5m
- Other issues with the unvalidated redirect risk 3m
- Summary 2m
Course FAQ
OWASP is the Open Web Application Security Project, a global nonprofit organization whose focus is on improving web security.
OWASP publishes a Top Ten list of the most critical current security risks to web applications.
Something to remember is that nobody is safe from determined attackers - but don't let yourself be a low-hanging fruit.
While the OWASP Top 10 is technology agnostic, in this guide, we will be looking specifically at ASP.NET security.
You will need a working knowledge of the .NET platform, as this course is designed to show you how to locate security weaknesses and how to implement security controls in ASP.NET web applications.
This course is aimed at developers who want to protect their web apps from common security exploits.