Topics
Day 1
Introduction to Application Security
Why do web application risks occur?
How is application security different from network security?
Web application exploits & vulnerabilities
OWASP Top 10
Live hacking examples
.NET Authentication
Authentication scenarios
Weak passwords
Implementing forms authentication
Mitigating brute force attacks
The CAPTCHA mechanism
Implementing Windows authentication
Relationship between IIS and ASP.NET
External authentication scenarios
Katana (OWIN)
ASP.NET Identity
ASP.NET MVC 5 Authentication
Impersonation
Delegation
.NET Authorization
Authorization models
URL authorization
File authorization
Role Based Access Control (RBAC)
Using least privileged DB user accounts
Working with identities
Claim based authorization
Role manager
MVC 5 new protection approach
ASP.NET Identity
ASP.NET MVC 5 Authentication
MVC 5 authorization filters
Day 2
Performing Input Validation
Injection flaws
OS command injection
Preventing SQL injection
Preventing SQL injection with nHibernate and EntityFramework
Using parameterized queries to prevent SQL injection
Stored procedures
Preventing XPATH injection
Mitigating LDAP injection
Using strong typing
Blacklist VS. Whitelist validation
Regular expressions (Regex)
Model validation for web API services
MVC 5 mass assignment vulnerability
Output Encoding
Preventing HTML injection
Understanding Cross Site Scripting (XSS) attacks
MVC 5 HTML encoding
ASP.NET MVC 5 Request Validator
Browser Manipulation
Cross Site Request Forgery (CSRF)
Anti CSRF token
Preventing CSRF attack for MVC/Web API controllers
CSRF Protection for XHR
The dangers of open redirect mechanisms
Index based redirection
Day 3
File Handling
Path traversal attacks
Canonicalization
Virtual path mapping using MapPath
Sanitizing file names using GetFullPath
Uploaded files backdoors
File extension handling
Directory listing
Cryptography – Data Confidentiality & Integrity
Introduction to cryptography
Avoiding weak “encryption”
Implementing encryption using the System.Security.Cryptography namespace
Symmetric encryption
Asymmetric encryption
Hashing
Digital signatures
Certificates
The certificate store
Transport level encryption
Storage level encryption
DB encryption
Protecting sensitive strings with SecureString
Key derivation
Password vault
Using DPAPI (Data Protection API)
Application Denial of Service Vulnerabilities
Application / OS crash
CPU starvation
Memory starvation
File system starvation
Resource starvation
Triggering high network bandwidth
User level DoS
Exploiting a specific vulnerability to cause DoS
Day 4
Secure Session & Cookie Management
Session management techniques
Session state options in .NET
Avoiding session hijacking
Cookie based session management
Cookie information leakage
Secure cookie attributes – Expire, Secure, HttpOnly, Domain, Path
Attack Scenarios on session management
Referrer based decisions
Mitigating CSRF (Cross Site Request forgery)
ViewState integrity validation
Preventing ViewState replay attacks
ViewState changes in ASP.NET 4.5
Session management common vulnerabilities
Session management for MVC/Web API controllers
Cryptography changes in session management in MVC 5
.NET Secure Error Handling
Why exposing detailed error messages is bad
Structured exception handling – Try, Catch, Finally
The Fail-Open VS. Fail-Close approach
Configuring ASP.NET error handling in web.config
MVC filters and attributes
Creating custom error pages
HTTP error codes
Handling errors using HttpModule
Page level VS. application level handling
Handling runtime security errors
Error handling strategies
.NET Auditing & Logging
Importance of logging
What should we audit?
Event message structure
Logging best practices
Built-in logging technologies in .NET MVC
ASP.NET trace and System.Diagnostics.Trace
Windows event log
Performance monitor
Windows Management Instrumentation (WMI)
The log4net framework
.NET Configuration Management
Secure connection to remote services
Protecting connection strings
Disable debugging
Disable tracing