Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core

By David Berry
We think of XML, JSON and binary serialized data as a way to exchange data between applications, but these data formats can also be used by hackers to attack your applications. This course will teach you how you can prevent them.
Play course overview
Course info
Rating
(17)
Level
Intermediate
Updated
Apr 7, 2020
Duration
28m
Table of contents
Course Overview
Course Overview 1m
XML and Deserialization Based Attacks
Introduction 4m XML External Entity (XXE) Attacks 6m XML Bomb Attacks 7m Insecure Deserialization Attacks 7m Protecting Your Applications 4m
Description
Course info
Rating
(17)
Level
Intermediate
Updated
Apr 7, 2020
Duration
28m
Description

When we think of attacks on websites and applications, we often think about things like SQL Injection, Cross site request forgery, or attacks on our authentication layer. However, there are other avenues of attack into our applications and these can occur any time our application has to read in XML or JSON or binary data and deserialize that data. This course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core, talks about three such attacks: the XML External Entities (XXE) attack, the XML bomb or Billion laughs attack and the Insecure deserialization family of attacks. Two of these attacks, the XML External Entities and Insecure deserialization attack are important enough that they were each placed on the OWASP top 10 list for 2017. When you are finished with this course, you will learn what each of these attacks seeks to do, how they work and most importantly, how to defend your .NET applications against them.

About the author
David Berry
About the author

David Berry is a software engineer with over 15 years of experience developing applications in languages such as Java and C#. Throughout his career, he has worked extensively with enterprise database systems including Oracle and SQL Server.

More from the author
C# Design Patterns: Decorator
Beginner
32m
Jan 2, 2020
Oracle Autonomous Transaction Processing for Developers
Beginner
1h 18m
Apr 29, 2019
More courses by David Berry
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hello everyone. My name is David Berry, and welcome to my course, Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core Applications. You wouldn't think that XML or JSON data could be used to attack your applications, but it is possible. In this course, I'll show you three different attacks, XML External Entities attack, the XML Bomb attack, and the Insecure Deserialization attack, that all use some form of XML, JSON or binary serialized data to attack an application. I'll show you how each attack works and what you need to do to defend your applications against them. Before starting this course, you should be comfortable with the fundamentals of a .NET language like C#. You should also have some basic knowledge of how XML and JSON work. By the end of this course, you'll know everything you need to secure your applications against each of these attacks. I hope you'll join me on this journey to learn how to protect your applications against XML External Entity and Deserialization attacks with this course, on Pluralsight.

You're the smartest person in the room

PROVE IT

Your team won't just close the skills gap

THEY'LL HURDLE IT