OWASP Top 10 Web Application Security Risks for ASP.NET

This course introduces the OWASP Top 10 Most Critical Web Application Security Risks including how to demonstrate and mitigate them in ASP.NET.
Course info
Rating: (1042)
Level: Intermediate
Updated: Apr 30, 2013
Duration: 8h 6m
Table of contents
Introduction
Injection
Cross Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
Description

Web applications today are being hacked with alarming regularity by hacktivists, online criminals and nation states. Very frequently, it is the same prevalent security risks being exploited which is why the Open Web Application Security Project (OWASP) developed their list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software. This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.

About the author

Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.

Section Introduction Transcripts

Introduction
Hi, this is Troy Hunt and welcome to the OWASP Top 10 Web Application Security Risks for ASP.NET. I'd like to start with a brief introduction of what we're going to cover in this course and the first thing I want to talk about is who is getting hacked and I normally like to start here just to give a sense of the breadth of websites which are coming under attack from online hackers. I'd also like to talk about who is doing the hacking and those attackers frequently break down into the same three groups that we'll take a look at. We'll then move on to having a look at what OWASP is and where this Top 10 has come from and how it's going to apply to this course. And finally, before we start getting into those Top 10 risks, I want to talk briefly about applying security in depth because that's a very important theme that's going to keep recurring throughout this course.

Injection
Hi, this is Troy Hunt and welcome to the first module of the OWASP Top 10 on Injection. In this module, we're going to start out by having a look at how OWASP views the injection risk. We'll then move on and perform an attack against a vulnerable application so you will actually see multiple ways of exploiting SQL injection in an application. We'll then take a closer look at SQL injection and understand the relationship with untrusted data. From there, we'll drill down into the database and look at how we can implement the principle of least privilege in order to restrict the access rights that the web application has to the database. We'll also take a look at parameterization in inline SQL, as well as how we can use stored procedures to reduce injection risk and we'll also have a look at how stored procedures can actually still be vulnerable to injection as well. We'll then move on to take a look at whitelisting and how we can validate our untrusted data against a whitelist using one of several different mechanisms. We'll also take a look at Object Relational Mappers and how tools such as Entity Framework can protect against SQL injection through their use of parameterization. And finally, we'll have a look at some remaining risks, as well as how an attack can be really easily automated using freely available tools.
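The parameterization and whitelisting approaches this module names, shown side by side in an added example written for this page (it is not the course's own demo code). It assumes a Widgets table with Id, Name and Category columns and a connection string supplied by the caller; the concatenated query is kept only to show the shape of the defect.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example for this page, not code from the course. Assumes a Widgets table
// with columns Id, Name and Category; the connection string is supplied by the caller.
public static class WidgetRepository
{
    // Vulnerable form: the untrusted value becomes part of the SQL text, so a quote
    // character inside it terminates the literal and the remainder is parsed as SQL.
    public static string BuildUnsafeQuery(string category)
    {
        return "SELECT Id, Name FROM Widgets WHERE Category = '" + category + "'";
    }

    // Mitigated form: the value travels as a typed parameter and is never parsed as SQL.
    // A column name cannot be a parameter, so the sort column is checked against a whitelist.
    public static DataTable GetWidgets(string connectionString, string category, string sortColumn)
    {
        var allowedSortColumns = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Id", "Name" };
        if (!allowedSortColumns.Contains(sortColumn))
        {
            throw new ArgumentException("Sort column is not in the whitelist.", "sortColumn");
        }

        // Only the whitelisted identifier is concatenated; the data value is a parameter.
        var sql = "SELECT Id, Name FROM Widgets WHERE Category = @Category ORDER BY " + sortColumn;
        var results = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Typed, length-limited parameter: the provider enforces type and size.
            command.Parameters.Add("@Category", SqlDbType.NVarChar, 50).Value = category;
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                results.Load(reader);
            }
        }
        return results;
    }
}
```

The same defence in depth the module describes applies around this code: the login named in the connection string should hold only the SELECT permission this query needs, and a stored procedure gives no protection if it rebuilds dynamic SQL from its arguments and runs it with EXEC, which is the case the module flags as still injectable.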

Cross Site Scripting (XSS)
This is Troy Hunt and welcome to Part 2 of the OWASP Top 10 on Cross Site Scripting or as we kindly refer to it, XSS. In this module, we're going to start out by having a look at how OWASP views the risk and then we'll move on to actually performing an attack and exploiting an application at risk of XSS. We'll then delve a little bit further into XSS and understand how the risk manifests itself in a web application. We'll move on to an overview and an implementation of output encoding in both HTML and JavaScript. Then we'll also take a look at the native output encoding defenses in both Web Forms and MVC. Once again, we'll look at whitelisting as a means of keeping untrusted data sanitized in the system and we'll also talk about using the native request validation in ASP.NET as a defense against malicious input. We'll take a look at reflective versus persistent XSS and how they differ in execution and we'll take a look at the native defenses offered by the browsers because they do differ quite a bit. And finally, we'll talk about some of the approaches an attacker uses to get XSS through to a victim, including payload obfuscation.

Broken Authentication and Session Management
This is Troy Hunt and welcome to Part 3 of the OWASP Top 10 on Broken Authentication and Session Management. In this module, we're going to start out by taking a look at how OWASP actually views the risk and we're then going to move on and actually perform an attack on a vulnerable application. We are going to exploit the risk and we are going to do some session hijacking. I'd then like to talk a little bit more about what it means to persist sessions across HTTP and we'll have a look at some of the secure configuration that we can do within ASP.NET. We'll also take a look at using the native authentication and membership features that are available in ASP.NET and that addresses that membership component of this risk. We're then going to move on and have a look at timeouts as well. There are a couple of different ways that we can configure timeouts to be more secure within ASP.NET.

Insecure Direct Object References
Hi, this is Troy Hunt and welcome to Part 4 of the OWASP Top 10 on Insecure Direct Object References. In this module we'll start out by taking a look at how OWASP views the risk and then we'll move on to actually performing an attack against an application at risk of insecure direct object references. In order to understand the risk a little bit better, we'll then take a look at what a direct object reference is before we move on to implementing access controls to begin mitigating the risk. We'll also build an indirect reference map in order to provide some abstraction between the references that we expose externally and the references that we store internally. And finally, we'll look at a means of object reference obfuscation by using surrogate keys.
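An added example of the indirect reference map this module describes, written for this page rather than taken from the course: internal integer keys are mapped to per-session opaque tokens, so the URL never carries a guessable identifier and a token that was never issued to this user cannot be resolved. The Accounts controller and the IAccountRepository it calls are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Added example for this page, not the course's code. The map lives in the user's
// session, so tokens are meaningless to any other session.
[Serializable]
public class IndirectReferenceMap
{
    private const string SessionKey = "IndirectReferenceMap";
    private readonly Dictionary<string, int> _externalToInternal = new Dictionary<string, int>();
    private readonly Dictionary<int, string> _internalToExternal = new Dictionary<int, string>();

    public static IndirectReferenceMap ForSession(HttpSessionStateBase session)
    {
        var map = session[SessionKey] as IndirectReferenceMap;
        if (map == null)
        {
            map = new IndirectReferenceMap();
            session[SessionKey] = map;
        }
        return map;
    }

    // Called while rendering: returns the opaque token to place in links for this user.
    public string GetExternalReference(int internalId)
    {
        string external;
        if (!_internalToExternal.TryGetValue(internalId, out external))
        {
            external = Guid.NewGuid().ToString("N");
            _internalToExternal[internalId] = external;
            _externalToInternal[external] = internalId;
        }
        return external;
    }

    // Called while handling a request: only tokens issued to this session resolve.
    public bool TryGetInternalReference(string externalReference, out int internalId)
    {
        return _externalToInternal.TryGetValue(externalReference ?? string.Empty, out internalId);
    }
}

// Assumed data access contract; the real lookup must still check ownership.
public interface IAccountRepository
{
    object FindForOwner(int accountId, string ownerName);
}

public class AccountsController : Controller
{
    private readonly IAccountRepository _accounts;

    public AccountsController(IAccountRepository accounts)
    {
        _accounts = accounts;
    }

    // The route carries the opaque token, never the internal account id.
    public ActionResult Details(string id)
    {
        var map = IndirectReferenceMap.ForSession(Session);
        int accountId;
        if (!map.TryGetInternalReference(id, out accountId))
        {
            return HttpNotFound();
        }

        // The map is an abstraction, not an authorization check: the repository still
        // filters by the authenticated owner, which is the access control the module adds first.
        var account = _accounts.FindForOwner(accountId, User.Identity.Name);
        if (account == null)
        {
            return HttpNotFound();
        }
        return View(account);
    }
}
```

Tokens are created only through GetExternalReference, so the set of resolvable references is exactly the set this user has been shown; a surrogate key stored alongside the row (the module's final option) gives the same opacity without the session state.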

Cross Site Request Forgery (CSRF)
Hi, this is Troy Hunt and welcome to Part 5 of the OWASP Top 10 Cross Site Request Forgery. You'll often also see this referred to as CSRF or sometimes XSRF. So you may see the terms used a little bit interchangeably. In this module, we'll start out by taking a look at how OWASP views the risk and how they categorize it. We'll then move on to performing an attack against an application at risk of CSRF. After that, we'll dig a little bit deeper into the risk and try and understand how CSRF manifests itself and how it can be mitigated with anti-forgery tokens. We'll then go and implement that in a vulnerable ASP.NET MVC application and we'll also take a look at how web forms approaches CSRF mitigation because it's quite different to MVC. And finally, we'll take a look at some CSRF fallacies. There are some views on it out there which don't always hold true, plus we'll take a look at some of the native browser defenses, which can help mitigate the risk on top of anything that we implement at the server level.

Security Misconfiguration
Hi, this is Troy Hunt and welcome to Part 6 of the OWASP Top 10 on Security Misconfiguration. In this module, we're going to start out by taking a look at how OWASP views the risk of security misconfiguration. We will then move on to performing an attack on a vulnerable application that has a couple of problems with it. After that, we'll look at correctly configuring custom errors and tracing in the application. We'll also take a look at how we can keep packages current with NuGet and keeping packages current is an important aspect of security misconfiguration. We'll then take a look at what's involved in encrypting sensitive parts of the web.config so that they can't be read outside the server environment, which they deploy to. And we'll take a look at using config transforms to try and avoid the risk of a security misconfiguration flaw slipping through into a deployment. And finally, we'll also check out what it means to enable retail mode on the server. So all of these are what OWASP would refer to as various aspects of security misconfiguration.

Insecure Cryptographic Storage
Hi, this is Troy Hunt and welcome to Part 7 of the OWASP Top 10 on Insecure Cryptographic Storage. In this module, we're going to start out by taking a look at how OWASP views the risk. We're then going to move on to performing an attack against weak password storage, so we're actually going to crack some passwords here. Now once we've done that, we'll work on better understanding password storage and what it means to hash a password. We'll also take a look at how salt can be used to help protect passwords and we'll have a look at where salt can still be vulnerable. Certainly just salting hashes is not enough to properly protect passwords. So after that, we will take a look at how we can create stronger hashes. Now beyond just password storage, we'll also take a look at asymmetric encryption, symmetric encryption, and we'll also take a look at the data protection API or DPAPI as it's commonly known. And finally, we'll also take a look at a few myths and misconceptions about cryptographic storage. Certainly there's a few ideas out there about how data can be secured, which really isn't very secure at all.

Failure to Restrict URL Access
Hi, this is Troy Hunt and welcome to Part 8 of the OWASP Top 10 on Failure to Restrict URL Access. In this module, we'll start out as usual by taking a look at how OWASP views this particular risk and then also as usual we will move on to performing an attack against a vulnerable application, which fails to protect URL access. We'll then move on to understanding some of the access controls we have built into ASP.NET, because there are a few different ways we can apply authorization rules. We'll then move on to talking about why role-based authorization is important and we'll take a good look at the role provider within ASP.NET. And finally, we'll take a look at some other access control risks and misconceptions because there are a few strange ideas out there about what constitutes an access control. So let's move on and take a look at the risk.

Insufficient Transport Layer Protection
Hi, this is Troy Hunt and welcome to Part 9 of the OWASP Top 10 on Insufficient Transport Layer Protection. Throughout this module, you might also see it referred to as TLS, SSL or HTTPS, and whilst there are subtle differences between all of those, the terms do tend to get used a little bit interchangeably. In this module, as with all modules, we'll start out by taking a look at how OWASP views the risk and then we will move on to performing an attack against yet another vulnerable application and this time, we're actually going to be sniffing insecure traffic sent across a hijacked wireless connection. We'll then move on to taking a look at the concept of secure cookies, what the risk is when they're not secure, and how we can properly secure them within ASP.NET. We'll then take a look at how we can force both web forms and ASP.NET MVC to always use a secure connection for certain resources, simply because there are some resources which we never want to load insecurely. We'll take a look at the risk of mixed mode content when nonsecure resources are loaded into a secure page and then we will move on to looking at HTTP Strict Transport Security or HSTS so that we can force requests to be secure for a particular site. And finally, we will take a look at some HTTPS anti-patterns and have a look at some of the other considerations you need to keep in mind when planning HTTPS for your web application.
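The three server-side controls this module lists (secure cookies, forcing HTTPS, and HSTS), brought together in an added example written for this page rather than taken from the course. It is the shape of a Global.asax.cs in an ASP.NET application; the one-year HSTS max-age and the cookie names are assumptions.

```csharp
using System;
using System.Web;

// Added example for this page, not the course's code. Intended as the Global.asax.cs
// of an ASP.NET application; the max-age value is an assumption.
public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Force HTTPS: a request arriving over plain HTTP is sent to its HTTPS equivalent
        // before any handler runs, so no application content is ever served insecurely.
        if (!Request.IsSecureConnection)
        {
            var secureUrl = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            Response.RedirectPermanent(secureUrl.Uri.AbsoluteUri);
        }
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // HSTS: browsers only honour the header on an HTTPS response, so it is added only there.
        // After the first secure visit the browser upgrades later requests itself, which
        // closes the window the redirect above leaves open on the very first request.
        if (Request.IsSecureConnection)
        {
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
        }
    }

    // Secure cookie: Secure keeps it off plain HTTP requests (so it cannot be sniffed on the
    // hijacked wireless link the module demonstrates) and HttpOnly keeps it away from script.
    public static HttpCookie CreateSecureCookie(string name, string value)
    {
        return new HttpCookie(name, value)
        {
            Secure = true,
            HttpOnly = true
        };
    }
}
```

One caveat worth checking before relying on this: Request.IsSecureConnection reports what the web server itself terminated, so behind a load balancer that terminates TLS it reads false for every request and the redirect loops; in that deployment the scheme has to be taken from whatever header the balancer forwards instead. The same Secure and HttpOnly outcome for the forms authentication and session cookies can also be set declaratively with requireSSL and httpOnlyCookies in web.config.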

Unvalidated Redirects and Forwards
Hi, this is Troy Hunt and welcome to the 10th and final part of the OWASP Top 10 on Unvalidated Redirects and Forwards, which we also often refer to as Open Redirects. In this module, we'll start out as usual by taking a look at how OWASP views the risk of unvalidated redirects and then we will move on to performing an attack against an application, which allows this risk through. We'll then talk about what value unvalidated redirects actually pose to an attacker because it's not really a risk on the site itself, but it does pose other problems. We'll have a look at using whitelists and referrer checking to thwart malicious use of an open redirect and then we'll finish up by having a look at some other general issues with the risk, particularly around the way different organizations view the severity of it. So let's move on to taking a look at that OWASP overview and risk rating.