.NET, C# and ASP.NET Security Development
-
COURSE DATES AND LOCATIONS
DATE
Duration
LOCATION
FEES
Book Now
-
INTRODUCTION
A number of programming languages are available today to compile code to.NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding- level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation.
The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more.
Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using.NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general Web application security challenges, but also with special issues and attack methods like attacking the ViewState, or the string termination attacks.
-
COURSE OBJECTIVES
By the end of the course, you‘ll be able to:
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn to use various security features of the .NET development environment
- Get practical knowledge in using security testing tools
- Learn about typical coding mistakes and how to avoid them
- Get information about some recent vulnerabilities in .NET and ASP.NET
- Get sources and further readings on secure coding practices
-
COURSE AUDIENCE
This course is made for :
- ASP Net Developers
- C# Developers
-
COURSE OUTLINE
Day One
OWASP top 10 and beyond:
- SQL Injection and other injection flaws, Cross-Site Scripting: persistent and reflected XSS, session handling challenges, using cookies, remote code execution, Insecure Direct Object Reference, Cross-Site Request Forgery (CSRF), restricting URL access.
Day Two
.NET and ASP.NET security technologies and services:
- Code Access Security, permissions, the stack walk, trust levels
- Role-based Security
- cryptography in.NET; ASP.NET authentication and authorization solutions, windows and form authentication, Live SDK, roles; session handling
- XSS protection, validation features, viewstate protection in ASP.NET
Day Three
.NET specific vulnerabilities:
- input validation problems, using native code, integer overflows in.NET, using the checked keyword, log forging
- improper use of cryptographic features, insecure randomness in.NET, challenges of password management, cracking hashed passwords with search engines
- improper error and exception handling
- time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions
- general code quality issues, object hijacking, immutable objects, serialization of sensitive information
- Denial-of-Service (DoS) in.NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more…
Day Four
Exercises:
- exploiting SQL injection step-by-step
- exploiting command injection
- crafting Cross-Site Scripting attacks through both reflective and persistent XSS
- HTML injection
- session fixation
- uploading and running executable code
- insecure direct object reference
- committing Cross-Site Request Forgery (CSRF)
Day Five
Exercises
- sandboxing.NET code, using roles, using cryptographic classes in.NET, implementing form authentication, input validation in ASP.NET
- crashing native code
- unsafe reflections
- hash cracking by googling
- using reflection to break accessibility modifiers
- information leakage through error reporting
- missing
