OWASP Top 10 Web Application Security Risks for ASP.NET
By Troy Hunt
This course introduces the OWASP Top 10 Most Critical Web Application Security Risks including how to demonstrate and mitigate them in ASP.NET.
Course info
Rating
Level
Intermediate
Updated
Apr 30, 2013
Duration
8h 6m
Table of contents
Introduction
Introduction
1m
Who's getting hacked?
2m
Who's doing the hacking?
6m
OWASP and the Top 10
5m
Applying security in depth
3m
Injection
Introduction
1m
OWASP overview and risk rating
2m
Demo: Anatomy of an attack
8m
Risk in practice: LulzSec and Sony
1m
Understanding SQL injection
1m
Defining untrusted data
3m
Demo: The principle of least privilege
4m
Demo: Inline SQL parameterisation
3m
Demo: Stored procedure parameterisation
2m
Demo: Whitelisting untrusted data
7m
Demo: Entity Framework’s SQL parameterisation
3m
Demo: Injection through stored procedures
6m
Demo: Injection automation with Havij
4m
Summary
2m
Cross Site Scripting (XSS)
Introduction
1m
OWASP overview and risk rating
1m
Demo: Anatomy of an attack
6m
Risk in practice: My Space and Samy
2m
Understanding XSS
2m
Output encoding concepts
4m
Demo: Implementing output encoding
6m
Demo: Output encoding in web forms
4m
Demo: Output encoding in MVC
3m
Demo: Whitelisting allowable values
3m
Demo: ASP.NET request validation
13m
Demo: Reflective versus persistent XSS
5m
Demo: Native browser defences
4m
Demo: Payload obfuscation
3m
Summary
3m
Broken Authentication and Session Management
Introduction
1m
OWASP overview and risk rating
1m
Demo: Anatomy of an attack
3m
Risk in practice: Apple's session fixation
1m
Persisting state in a stateless protocol
1m
The risk of session persistence in the URL versus cookies
3m
Demo: Securely configuring session persistence
4m
Demo: Leveraging ASP.NET membership provider for authentication
4m
Customising session and forms timeouts to minimise risk windows
3m
Siding versus fixed forms timeout
3m
Other broken authentication patterns
2m
Summary
2m
Insecure Direct Object References
Introduction
1m
OWASP overview and risk rating
1m
Demo: Anatomy of an attack
5m
Risk in practice: Citibank
2m
Understanding direct object references
4m
Demo: Implementing access controls
5m
Understanding indirect reference maps
4m
Demo: Building an indirect reference map
10m
Obfuscation via random surrogate keys
2m
Summary
2m
Cross Site Request Forgery (CSRF)
Introduction
1m
OWASP overview and risk rating
2m
Demo: Anatomy of an attack
6m
Risk in practice: Compromised Brazilian modems
2m
What makes a CSRF attack possible
9m
Understanding anti-forgery tokens
3m
Demo: Implementing an anti-forgery token in MVC
6m
Demo: Web forms approach to anti-forgery tokens
4m
CSRF fallacies and browser defences
4m
Summary
2m
Security Misconfiguration
Introduction
1m
OWASP overview and risk rating
2m
Demo: Anatomy of an attack
6m
Risk in practice: ELMAH
3m
Demo: Correctly configuring custom errors
9m
Demo: Securing web forms tracing
4m
Demo: Keeping frameworks current with NuGet
5m
Demo: Encrypting sensitive parts of the web.config
5m
Demo: Using config transforms to apply secure configurations
6m
Demo: Enabling retail mode on the server
3m
Summary
3m
Insecure Cryptographic Storage
Introduction
1m
OWASP overview and risk rating
2m
Demo: Anatomy of an attack
10m
Risk in practice: ABC passwords
2m
Understanding password storage and hashing
9m
Understanding salt and brute force attacks
9m
Slowing down hashes with the new Membership Provider
5m
Other stronger hashing implementations
4m
Things to consider when choosing a hashing implementation
5m
Understanding symmetric and asymmetric encryption
4m
Demo: Symmetric encryption using DPAPI
6m
What's not cryptographic
4m
Summary
3m
Failure to Restrict URL Access
Introduction
1m
OWASP overview and risk rating
2m
Demo: Anatomy of an attack
3m
Risk in practice: Apple AT&T leak
3m
Demo: Access controls in ASP.NET part 1: web.config locations
7m
Demo: Access controls in ASP.NET part 2: The authorize attribute
7m
Demo: Role based authorisation with the ASP.NET Role Provider
8m
Other access controls risk and misconceptions
7m
Summary
4m
Insufficient Transport Layer Protection
Introduction
2m
OWASP overview and risk rating
3m
Demo: Anatomy of an attack
11m
Risk in practice: Tunisian ISPs
3m
Demo: Understanding secure cookies and forms authentication
9m
Demo: Securing other cookies in ASP.NET
7m
Demo: Forcing web forms to use HTTPS
7m
Demo: Requiring HTTPS on MVC controllers
4m
Demo: Mixed mode HTTPS
6m
HTTP strict transport security
5m
Other insufficient HTTPS patterns
5m
Other HTTPS considerations
6m
Summary
4m
Unvalidated Redirects and Forwards
Introduction
1m
OWASP overview and risk rating
3m
Demo: Anatomy of an attack
4m
Risk in practice: US government websites
2m
Understanding the value of unvalidated redirects to attackers
4m
Demo: implementing a whitelist
5m
Demo: implementing referrer checking
5m
Other issues with the unvalidated redirect risk
3m
Summary
2m
Description
Course info
Rating
Level
Intermediate
Updated
Apr 30, 2013
Duration
8h 6m
Description
Web applications today are being hacked with alarming regularity by hacktivists, online criminals and nation states. Very frequently, it is the same prevalent security risks being exploited which is why the Open Web Application Security Project (OWASP) developed their list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software. This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.
About the author
About the author
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
More from the author
More courses by Troy Hunt