Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core
By David Berry
Course info
Description
When we think of attacks on websites and applications, we often think about things like SQL injection, cross-site request forgery, or attacks on our authentication layer. However, there are other avenues of attack into our applications, and these can occur any time our application has to read in XML, JSON, or binary data and deserialize that data. This course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core, talks about three such attacks: the XML External Entities (XXE) attack, the XML bomb or billion laughs attack, and the insecure deserialization family of attacks. Two of these attacks, XML External Entities and insecure deserialization, are important enough that they were each placed on the OWASP Top 10 list for 2017. When you are finished with this course, you will know what each of these attacks seeks to do, how they work, and, most importantly, how to defend your .NET applications against them.
Section Introduction Transcripts
Course Overview
Hello everyone. My name is David Berry, and welcome to my course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core Applications. You wouldn't think that XML or JSON data could be used to attack your applications, but it is possible. In this course, I'll show you three different attacks, the XML External Entities attack, the XML Bomb attack, and the Insecure Deserialization attack, that all use some form of XML, JSON or binary serialized data to attack an application. I'll show you how each attack works and what you need to do to defend your applications against them. Before starting this course, you should be comfortable with the fundamentals of a .NET language like C#. You should also have some basic knowledge of how XML and JSON work. By the end of this course, you'll know everything you need to secure your applications against each of these attacks. I hope you'll join me on this journey to learn how to protect your applications against XML External Entity and Deserialization attacks with this course, on Pluralsight.