—Introduction - 0m 55s
—Who's getting hacked? - 1m 55s
—Who's doing the hacking? - 5m 58s
—OWASP and the Top 10 - 5m 29s
—Applying security in depth - 2m 58s
—Introduction - 1m 20s
—OWASP overview and risk rating - 2m 23s
—Demo: Anatomy of an attack - 7m 43s
—Risk in practice: LulzSec and Sony - 0m 59s
—Understanding SQL injection - 1m 18s
—Defining untrusted data - 3m 7s
—Demo: The principle of least privilege - 4m 28s
—Demo: Inline SQL parameterisation - 3m 4s
—Demo: Stored procedure parameterisation - 2m 3s
—Demo: Whitelisting untrusted data - 7m 17s
—Demo: Entity Framework’s SQL parameterisation - 3m 28s
—Demo: Injection through stored procedures - 5m 57s
—Demo: Injection automation with Havij - 4m 5s
—Summary - 2m 17s
Cross Site Scripting (XSS) - 59m 20s
—Introduction - 1m 18s
—OWASP overview and risk rating - 1m 21s
—Demo: Anatomy of an attack - 6m 3s
—Risk in practice: MySpace and Samy - 1m 43s
—Understanding XSS - 1m 45s
—Output encoding concepts - 4m 4s
—Demo: Implementing output encoding - 5m 52s
—Demo: Output encoding in web forms - 3m 35s
—Demo: Output encoding in MVC - 3m 3s
—Demo: Whitelisting allowable values - 3m 10s
—Demo: ASP.NET request validation - 12m 32s
—Demo: Reflective versus persistent XSS - 4m 57s
—Demo: Native browser defences - 4m 26s
—Demo: Payload obfuscation - 2m 36s
—Summary - 2m 55s
Broken Authentication and Session Management - 28m 10s
—Introduction - 0m 53s
—OWASP overview and risk rating - 1m 13s
—Demo: Anatomy of an attack - 2m 34s
—Risk in practice: Apple's session fixation - 1m 6s
—Persisting state in a stateless protocol - 0m 58s
—The risk of session persistence in the URL versus cookies - 3m 0s
—Demo: Securely configuring session persistence - 3m 36s
—Demo: Leveraging ASP.NET membership provider for authentication - 4m 12s
—Customising session and forms timeouts to minimise risk windows - 3m 5s
—Sliding versus fixed forms timeout - 3m 17s
—Other broken authentication patterns - 2m 27s
—Summary - 1m 49s
Insecure Direct Object References - 35m 44s
—Introduction - 0m 45s
—OWASP overview and risk rating - 1m 12s
—Demo: Anatomy of an attack - 5m 0s
—Risk in practice: Citibank - 1m 38s
—Understanding direct object references - 4m 24s
—Demo: Implementing access controls - 5m 25s
—Understanding indirect reference maps - 3m 58s
—Demo: Building an indirect reference map - 9m 59s
—Obfuscation via random surrogate keys - 1m 38s
—Summary - 1m 45s
Cross Site Request Forgery (CSRF) - 38m 19s
—Introduction - 1m 7s
—OWASP overview and risk rating - 2m 15s
—Demo: Anatomy of an attack - 5m 37s
—Risk in practice: Compromised Brazilian modems - 2m 17s
—What makes a CSRF attack possible - 8m 43s
—Understanding anti-forgery tokens - 2m 55s
—Demo: Implementing an anti-forgery token in MVC - 5m 44s
—Demo: Web forms approach to anti-forgery tokens - 3m 43s
—CSRF fallacies and browser defences - 3m 32s
—Summary - 2m 26s
Security Misconfiguration - 47m 48s
—Introduction - 1m 7s
—OWASP overview and risk rating - 2m 6s
—Demo: Anatomy of an attack - 6m 3s
—Risk in practice: ELMAH - 3m 11s
—Demo: Correctly configuring custom errors - 9m 23s
—Demo: Securing web forms tracing - 4m 25s
—Demo: Keeping frameworks current with NuGet - 4m 31s
—Demo: Encrypting sensitive parts of the web.config - 4m 45s
—Demo: Using config transforms to apply secure configurations - 5m 38s
—Demo: Enabling retail mode on the server - 3m 17s
—Summary - 3m 22s
Insecure Cryptographic Storage - 1h 5m
—Introduction - 1m 9s
—OWASP overview and risk rating - 2m 12s
—Demo: Anatomy of an attack - 9m 35s
—Risk in practice: ABC passwords - 2m 25s
—Understanding password storage and hashing - 8m 47s
—Understanding salt and brute force attacks - 9m 27s
—Slowing down hashes with the new Membership Provider - 4m 51s
—Other stronger hashing implementations - 3m 36s
—Things to consider when choosing a hashing implementation - 5m 18s
—Understanding symmetric and asymmetric encryption - 3m 35s
—Demo: Symmetric encryption using DPAPI - 6m 27s
—What's not cryptographic - 4m 20s
—Summary - 3m 18s
Failure to Restrict URL Access - 42m 0s
—Introduction - 0m 56s
—OWASP overview and risk rating - 2m 10s
—Demo: Anatomy of an attack - 2m 45s
—Risk in practice: Apple AT&T leak - 3m 25s
—Demo: Access controls in ASP.NET part 1: web.config locations - 6m 37s
—Demo: Access controls in ASP.NET part 2: The authorize attribute - 7m 15s
—Demo: Role-based authorisation with the ASP.NET Role Provider - 7m 43s
—Other access control risks and misconceptions - 7m 18s
—Summary - 3m 51s
Insufficient Transport Layer Protection - 1h 12m
—Introduction - 1m 40s
—OWASP overview and risk rating - 3m 13s
—Demo: Anatomy of an attack - 11m 29s
—Risk in practice: Tunisian ISPs - 3m 29s
—Demo: Understanding secure cookies and forms authentication - 8m 54s
—Demo: Securing other cookies in ASP.NET - 6m 37s
—Demo: Forcing web forms to use HTTPS - 6m 50s
—Demo: Requiring HTTPS on MVC controllers - 3m 55s
—Demo: Mixed mode HTTPS - 6m 17s
—HTTP strict transport security - 5m 16s
—Other insufficient HTTPS patterns - 4m 56s
—Other HTTPS considerations - 5m 38s
—Summary - 4m 12s
Unvalidated Redirects and Forwards - 30m 49s
—Introduction - 0m 59s
—OWASP overview and risk rating - 3m 13s
—Demo: Anatomy of an attack - 4m 23s
—Risk in practice: US government websites - 1m 59s
—Understanding the value of unvalidated redirects to attackers - 4m 27s
—Demo: Implementing a whitelist - 5m 17s
—Demo: Implementing referrer checking - 5m 15s
—Other issues with the unvalidated redirect risk - 3m 7s
—Summary - 2m 9s