Introduction
17m 15s
Introduction
0m 55s
Who's getting hacked?
1m 55s
Who's doing the hacking?
5m 58s
OWASP and the Top 10
5m 29s
Applying security in depth
2m 58s
Injection
49m 29s
Introduction
1m 20s
OWASP overview and risk rating
2m 23s
Demo: Anatomy of an attack
7m 43s
Risk in practice: LulzSec and Sony
0m 59s
Understanding SQL injection
1m 18s
Defining untrusted data
3m 7s
Demo: The principle of least privilege
4m 28s
Demo: Inline SQL parameterisation
3m 4s
Demo: Stored procedure parameterisation
2m 3s
Demo: Whitelisting untrusted data
7m 17s
Demo: Entity Framework’s SQL parameterisation
3m 28s
Demo: Injection through stored procedures
5m 57s
Demo: Injection automation with Havij
4m 5s
Summary
2m 17s
Cross Site Scripting (XSS)
59m 20s
Introduction
1m 18s
OWASP overview and risk rating
1m 21s
Demo: Anatomy of an attack
6m 3s
Risk in practice: My Space and Samy
1m 43s
Understanding XSS
1m 45s
Output encoding concepts
4m 4s
Demo: Implementing output encoding
5m 52s
Demo: Output encoding in web forms
3m 35s
Demo: Output encoding in MVC
3m 3s
Demo: Whitelisting allowable values
3m 10s
Demo: ASP.NET request validation
12m 32s
Demo: Reflective versus persistent XSS
4m 57s
Demo: Native browser defences
4m 26s
Demo: Payload obfuscation
2m 36s
Summary
2m 55s
Introduction
0m 53s
OWASP overview and risk rating
1m 13s
Demo: Anatomy of an attack
2m 34s
Risk in practice: Apple's session fixation
1m 6s
Persisting state in a stateless protocol
0m 58s
The risk of session persistence in the URL versus cookies
3m 0s
Demo: Securely configuring session persistence
3m 36s
Demo: Leveraging ASP.NET membership provider for authentication
4m 12s
Customising session and forms timeouts to minimise risk windows
3m 5s
Siding versus fixed forms timeout
3m 17s
Other broken authentication patterns
2m 27s
Summary
1m 49s
Introduction
0m 45s
OWASP overview and risk rating
1m 12s
Demo: Anatomy of an attack
5m 0s
Risk in practice: Citibank
1m 38s
Understanding direct object references
4m 24s
Demo: Implementing access controls
5m 25s
Understanding indirect reference maps
3m 58s
Demo: Building an indirect reference map
9m 59s
Obfuscation via random surrogate keys
1m 38s
Summary
1m 45s
Introduction
1m 7s
OWASP overview and risk rating
2m 15s
Demo: Anatomy of an attack
5m 37s
Risk in practice: Compromised Brazilian modems
2m 17s
What makes a CSRF attack possible
8m 43s
Understanding anti-forgery tokens
2m 55s
Demo: Implementing an anti-forgery token in MVC
5m 44s
Demo: Web forms approach to anti-forgery tokens
3m 43s
CSRF fallacies and browser defences
3m 32s
Summary
2m 26s
Security Misconfiguration
47m 48s
Introduction
1m 7s
OWASP overview and risk rating
2m 6s
Demo: Anatomy of an attack
6m 3s
Risk in practice: ELMAH
3m 11s
Demo: Correctly configuring custom errors
9m 23s
Demo: Securing web forms tracing
4m 25s
Demo: Keeping frameworks current with NuGet
4m 31s
Demo: Encrypting sensitive parts of the web.config
4m 45s
Demo: Using config transforms to apply secure configurations
5m 38s
Demo: Enabling retail mode on the server
3m 17s
Summary
3m 22s
Introduction
1m 9s
OWASP overview and risk rating
2m 12s
Demo: Anatomy of an attack
9m 35s
Risk in practice: ABC passwords
2m 25s
Understanding password storage and hashing
8m 47s
Understanding salt and brute force attacks
9m 27s
Slowing down hashes with the new Membership Provider
4m 51s
Other stronger hashing implementations
3m 36s
Things to consider when choosing a hashing implementation
5m 18s
Understanding symmetric and asymmetric encryption
3m 35s
Demo: Symmetric encryption using DPAPI
6m 27s
What's not cryptographic
4m 20s
Summary
3m 18s
Introduction
0m 56s
OWASP overview and risk rating
2m 10s
Demo: Anatomy of an attack
2m 45s
Risk in practice: Apple AT&T leak
3m 25s
Demo: Access controls in ASP.NET part 1: web.config locations
6m 37s
Demo: Access controls in ASP.NET part 2: The authorize attribute
7m 15s
Demo: Role based authorisation with the ASP.NET Role Provider
7m 43s
Other access controls risk and misconceptions
7m 18s
Summary
3m 51s
Introduction
1m 40s
OWASP overview and risk rating
3m 13s
Demo: Anatomy of an attack
11m 29s
Risk in practice: Tunisian ISPs
3m 29s
Demo: Understanding secure cookies and forms authentication
8m 54s
Demo: Securing other cookies in ASP.NET
6m 37s
Demo: Forcing web forms to use HTTPS
6m 50s
Demo: Requiring HTTPS on MVC controllers
3m 55s
Demo: Mixed mode HTTPS
6m 17s
HTTP strict transport security
5m 16s
Other insufficient HTTPS patterns
4m 56s
Other HTTPS considerations
5m 38s
Summary
4m 12s
Introduction
0m 59s
OWASP overview and risk rating
3m 13s
Demo: Anatomy of an attack
4m 23s
Risk in practice: US government websites
1m 59s
Understanding the value of unvalidated redirects to attackers
4m 27s
Demo: implementing a whitelist
5m 17s
Demo: implementing referrer checking
5m 15s
Other issues with the unvalidated redirect risk
3m 7s
Summary
2m 9s
Web applications today are being hacked with alarming regularity by hacktivists, online criminals and nation states. Very frequently, it is the same prevalent security risks being exploited which is why the Open Web Application Security Project (OWASP) developed their list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software. This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.
Table of Contents
Introduction
17m 15s
Introduction
0m 55s
Who's getting hacked?
1m 55s
Who's doing the hacking?
5m 58s
OWASP and the Top 10
5m 29s
Applying security in depth
2m 58s
Injection
49m 29s
Introduction
1m 20s
OWASP overview and risk rating
2m 23s
Demo: Anatomy of an attack
7m 43s
Risk in practice: LulzSec and Sony
0m 59s
Understanding SQL injection
1m 18s
Defining untrusted data
3m 7s
Demo: The principle of least privilege
4m 28s
Demo: Inline SQL parameterisation
3m 4s
Demo: Stored procedure parameterisation
2m 3s
Demo: Whitelisting untrusted data
7m 17s
Demo: Entity Framework’s SQL parameterisation
3m 28s
Demo: Injection through stored procedures
5m 57s
Demo: Injection automation with Havij
4m 5s
Summary
2m 17s
Cross Site Scripting (XSS)
59m 20s
Introduction
1m 18s
OWASP overview and risk rating
1m 21s
Demo: Anatomy of an attack
6m 3s
Risk in practice: My Space and Samy
1m 43s
Understanding XSS
1m 45s
Output encoding concepts
4m 4s
Demo: Implementing output encoding
5m 52s
Demo: Output encoding in web forms
3m 35s
Demo: Output encoding in MVC
3m 3s
Demo: Whitelisting allowable values
3m 10s
Demo: ASP.NET request validation
12m 32s
Demo: Reflective versus persistent XSS
4m 57s
Demo: Native browser defences
4m 26s
Demo: Payload obfuscation
2m 36s
Summary
2m 55s
Introduction
0m 53s
OWASP overview and risk rating
1m 13s
Demo: Anatomy of an attack
2m 34s
Risk in practice: Apple's session fixation
1m 6s
Persisting state in a stateless protocol
0m 58s
The risk of session persistence in the URL versus cookies
3m 0s
Demo: Securely configuring session persistence
3m 36s
Demo: Leveraging ASP.NET membership provider for authentication
4m 12s
Customising session and forms timeouts to minimise risk windows
3m 5s
Siding versus fixed forms timeout
3m 17s
Other broken authentication patterns
2m 27s
Summary
1m 49s
Introduction
0m 45s
OWASP overview and risk rating
1m 12s
Demo: Anatomy of an attack
5m 0s
Risk in practice: Citibank
1m 38s
Understanding direct object references
4m 24s
Demo: Implementing access controls
5m 25s
Understanding indirect reference maps
3m 58s
Demo: Building an indirect reference map
9m 59s
Obfuscation via random surrogate keys
1m 38s
Summary
1m 45s
Introduction
1m 7s
OWASP overview and risk rating
2m 15s
Demo: Anatomy of an attack
5m 37s
Risk in practice: Compromised Brazilian modems
2m 17s
What makes a CSRF attack possible
8m 43s
Understanding anti-forgery tokens
2m 55s
Demo: Implementing an anti-forgery token in MVC
5m 44s
Demo: Web forms approach to anti-forgery tokens
3m 43s
CSRF fallacies and browser defences
3m 32s
Summary
2m 26s
Security Misconfiguration
47m 48s
Introduction
1m 7s
OWASP overview and risk rating
2m 6s
Demo: Anatomy of an attack
6m 3s
Risk in practice: ELMAH
3m 11s
Demo: Correctly configuring custom errors
9m 23s
Demo: Securing web forms tracing
4m 25s
Demo: Keeping frameworks current with NuGet
4m 31s
Demo: Encrypting sensitive parts of the web.config
4m 45s
Demo: Using config transforms to apply secure configurations
5m 38s
Demo: Enabling retail mode on the server
3m 17s
Summary
3m 22s
Introduction
1m 9s
OWASP overview and risk rating
2m 12s
Demo: Anatomy of an attack
9m 35s
Risk in practice: ABC passwords
2m 25s
Understanding password storage and hashing
8m 47s
Understanding salt and brute force attacks
9m 27s
Slowing down hashes with the new Membership Provider
4m 51s
Other stronger hashing implementations
3m 36s
Things to consider when choosing a hashing implementation
5m 18s
Understanding symmetric and asymmetric encryption
3m 35s
Demo: Symmetric encryption using DPAPI
6m 27s
What's not cryptographic
4m 20s
Summary
3m 18s
Introduction
0m 56s
OWASP overview and risk rating
2m 10s
Demo: Anatomy of an attack
2m 45s
Risk in practice: Apple AT&T leak
3m 25s
Demo: Access controls in ASP.NET part 1: web.config locations
6m 37s
Demo: Access controls in ASP.NET part 2: The authorize attribute
7m 15s
Demo: Role based authorisation with the ASP.NET Role Provider
7m 43s
Other access controls risk and misconceptions
7m 18s
Summary
3m 51s
Introduction
1m 40s
OWASP overview and risk rating
3m 13s
Demo: Anatomy of an attack
11m 29s
Risk in practice: Tunisian ISPs
3m 29s
Demo: Understanding secure cookies and forms authentication
8m 54s
Demo: Securing other cookies in ASP.NET
6m 37s
Demo: Forcing web forms to use HTTPS
6m 50s
Demo: Requiring HTTPS on MVC controllers
3m 55s
Demo: Mixed mode HTTPS
6m 17s
HTTP strict transport security
5m 16s
Other insufficient HTTPS patterns
4m 56s
Other HTTPS considerations
5m 38s
Summary
4m 12s
Introduction
0m 59s
OWASP overview and risk rating
3m 13s
Demo: Anatomy of an attack
4m 23s
Risk in practice: US government websites
1m 59s
Understanding the value of unvalidated redirects to attackers
4m 27s
Demo: implementing a whitelist
5m 17s
Demo: implementing referrer checking
5m 15s
Other issues with the unvalidated redirect risk
3m 7s
Summary
2m 9s
Description
Web applications today are being hacked with alarming regularity by hacktivists, online criminals and nation states. Very frequently, it is the same prevalent security risks being exploited which is why the Open Web Application Security Project (OWASP) developed their list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software. This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.
Course authors
