OWASP Top 10 Web Application Security Risks for ASP.NET

By Troy Hunt
This course introduces the OWASP Top 10 Most Critical Web Application Security Risks including how to demonstrate and mitigate them in ASP.NET.
Course info
Rating
(1067)
Level
Intermediate
Updated
Apr 30, 2013
Duration
8h 6m
Table of contents
Introduction
Introduction 1m Who's getting hacked? 2m Who's doing the hacking? 6m OWASP and the Top 10 5m Applying security in depth 3m
Injection
Introduction 1m OWASP overview and risk rating 2m Demo: Anatomy of an attack 8m Risk in practice: LulzSec and Sony 1m Understanding SQL injection 1m Defining untrusted data 3m Demo: The principle of least privilege 4m Demo: Inline SQL parameterisation 3m Demo: Stored procedure parameterisation 2m Demo: Whitelisting untrusted data 7m Demo: Entity Framework’s SQL parameterisation 3m Demo: Injection through stored procedures 6m Demo: Injection automation with Havij 4m Summary 2m
Cross Site Scripting (XSS)
Introduction 1m OWASP overview and risk rating 1m Demo: Anatomy of an attack 6m Risk in practice: My Space and Samy 2m Understanding XSS 2m Output encoding concepts 4m Demo: Implementing output encoding 6m Demo: Output encoding in web forms 4m Demo: Output encoding in MVC 3m Demo: Whitelisting allowable values 3m Demo: ASP.NET request validation 13m Demo: Reflective versus persistent XSS 5m Demo: Native browser defences 4m Demo: Payload obfuscation 3m Summary 3m
Broken Authentication and Session Management
Introduction 1m OWASP overview and risk rating 1m Demo: Anatomy of an attack 3m Risk in practice: Apple's session fixation 1m Persisting state in a stateless protocol 1m The risk of session persistence in the URL versus cookies 3m Demo: Securely configuring session persistence 4m Demo: Leveraging ASP.NET membership provider for authentication 4m Customising session and forms timeouts to minimise risk windows 3m Siding versus fixed forms timeout 3m Other broken authentication patterns 2m Summary 2m
Insecure Direct Object References
Introduction 1m OWASP overview and risk rating 1m Demo: Anatomy of an attack 5m Risk in practice: Citibank 2m Understanding direct object references 4m Demo: Implementing access controls 5m Understanding indirect reference maps 4m Demo: Building an indirect reference map 10m Obfuscation via random surrogate keys 2m Summary 2m
Cross Site Request Forgery (CSRF)
Introduction 1m OWASP overview and risk rating 2m Demo: Anatomy of an attack 6m Risk in practice: Compromised Brazilian modems 2m What makes a CSRF attack possible 9m Understanding anti-forgery tokens 3m Demo: Implementing an anti-forgery token in MVC 6m Demo: Web forms approach to anti-forgery tokens 4m CSRF fallacies and browser defences 4m Summary 2m
Security Misconfiguration
Introduction 1m OWASP overview and risk rating 2m Demo: Anatomy of an attack 6m Risk in practice: ELMAH 3m Demo: Correctly configuring custom errors 9m Demo: Securing web forms tracing 4m Demo: Keeping frameworks current with NuGet 5m Demo: Encrypting sensitive parts of the web.config 5m Demo: Using config transforms to apply secure configurations 6m Demo: Enabling retail mode on the server 3m Summary 3m
Insecure Cryptographic Storage
Introduction 1m OWASP overview and risk rating 2m Demo: Anatomy of an attack 10m Risk in practice: ABC passwords 2m Understanding password storage and hashing 9m Understanding salt and brute force attacks 9m Slowing down hashes with the new Membership Provider 5m Other stronger hashing implementations 4m Things to consider when choosing a hashing implementation 5m Understanding symmetric and asymmetric encryption 4m Demo: Symmetric encryption using DPAPI 6m What's not cryptographic 4m Summary 3m
Failure to Restrict URL Access
Introduction 1m OWASP overview and risk rating 2m Demo: Anatomy of an attack 3m Risk in practice: Apple AT&T leak 3m Demo: Access controls in ASP.NET part 1: web.config locations 7m Demo: Access controls in ASP.NET part 2: The authorize attribute 7m Demo: Role based authorisation with the ASP.NET Role Provider 8m Other access controls risk and misconceptions 7m Summary 4m
Insufficient Transport Layer Protection
Introduction 2m OWASP overview and risk rating 3m Demo: Anatomy of an attack 11m Risk in practice: Tunisian ISPs 3m Demo: Understanding secure cookies and forms authentication 9m Demo: Securing other cookies in ASP.NET 7m Demo: Forcing web forms to use HTTPS 7m Demo: Requiring HTTPS on MVC controllers 4m Demo: Mixed mode HTTPS 6m HTTP strict transport security 5m Other insufficient HTTPS patterns 5m Other HTTPS considerations 6m Summary 4m
Unvalidated Redirects and Forwards
Introduction 1m OWASP overview and risk rating 3m Demo: Anatomy of an attack 4m Risk in practice: US government websites 2m Understanding the value of unvalidated redirects to attackers 4m Demo: implementing a whitelist 5m Demo: implementing referrer checking 5m Other issues with the unvalidated redirect risk 3m Summary 2m
Description
Course info
Rating
(1067)
Level
Intermediate
Updated
Apr 30, 2013
Duration
8h 6m
Description

Web applications today are being hacked with alarming regularity by hacktivists, online criminals, and nation states.

Very frequently, it is the same prevalent security risks being exploited which is why the Open Web Application Security Project (OWASP) developed their list of Top 10 Most Critical Web Application Security Risks to help developers build more secure software.

This course helps developers apply the Top 10 in ASP.NET using both web forms and MVC by walking through an overview of the risk, demonstrating how it can be exploited in .NET and then delving into the various approaches available to mitigate it by applying security in depth.

Course FAQ
Course FAQ
Who is OWASP?

OWASP is the Open Web Application Security Project - a global nonprofit organization whose focus is on improving web security.

What is the OWASP Top 10?

OWASP publishes a Top Ten list of the current most vulnerable security risks posed to web applications.

Is my web app vulnerable?

Something to remember is that nobody is safe from determined attackers - but don't let yourself be a low-hanging fruit.

What will I learn in this course?

While the OWASP Top 10 is technology agnostic, in this guide, we will be looking specifically at ASP.NET security.

What prerequisites are needed?

You will need a working knowledge of the .NET platform as this course is designed to show you how to locate and how to implement security in ASP.NET web applications.

Who is this course for?

This course is aimed at developers who want to protect their web apps from common security exploits.

About the author
Troy Hunt
About the author

Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.

More from the author
Ethical Hacking: Denial of Service
Beginner
2h 49m
Sep 17, 2019
Ethical Hacking: SQL Injection
Beginner
5h 25m
Sep 16, 2019
Ethical Hacking: Session Hijacking
Beginner
3h 27m
Sep 16, 2019
More courses by Troy Hunt

You're the smartest person in the room

PROVE IT

Your team won't just close the skills gap

THEY'LL HURDLE IT