Simple play icon Course

Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core

by David Berry

We think of XML, JSON and binary serialized data as a way to exchange data between applications, but these data formats can also be used by hackers to attack your applications. This course will teach you how you can prevent them.

What you'll learn

When we think of attacks on websites and applications, we often think about things like SQL Injection, Cross site request forgery, or attacks on our authentication layer. However, there are other avenues of attack into our applications and these can occur any time our application has to read in XML or JSON or binary data and deserialize that data. This course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core, talks about three such attacks: the XML External Entities (XXE) attack, the XML bomb or Billion laughs attack and the Insecure deserialization family of attacks. Two of these attacks, the XML External Entities and Insecure deserialization attack are important enough that they were each placed on the OWASP top 10 list for 2017. When you are finished with this course, you will learn what each of these attacks seeks to do, how they work and most importantly, how to defend your .NET applications against them.

About the author

David Berry is a software engineer with over 15 years of application development experience. He started developing software in Java 1.0 using an Oracle 7 backend. Making the switch to Microsoft .NET when it was released, he has worked with every version of .NET since. He has also worked with every version of Oracle since Oracle 7 and ever version of SQL Server since SQL Server 7. His experience spans a broad range of industries including semiconductors, financial services, insurance an gove... more

Ready to upskill? Get started