T1516


Advanced C#, ASP.NET and Web application security

Beyond a solid command of the security features of .NET and ASP.NET, even experienced programmers need a deep understanding of web-related vulnerabilities on both the server and the client side, together with the consequences of the associated risks.

In this course the general web-based vulnerabilities are demonstrated by presenting the relevant attacks, while the recommended coding techniques and mitigations are explained in the context of ASP.NET. Special attention is given to client-side security, covering security issues in JavaScript, Ajax and HTML5.

Audience

Web developers using ASP.NET

Prior knowledge

Prerequisites: advanced knowledge of C#, ASP.NET and web application development

Language

The course is taught in English (Contact us if you prefer Swedish).

Courseware

Material in English

Informator Training Cloud

Our training portal supports your development throughout the training. The portal saves you time and is designed to give you a more effective learning experience, leading to better results and better retention of what you learned after the course.

The course also covers the security architecture and components of the .NET Framework, including code- and role-based access control, permission declaration and checking mechanisms, and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and operation of the various algorithms, on which basis the course presents the cryptographic features available in .NET.

Security bugs are introduced following well-established vulnerability categories: input validation, security features, error handling, time- and state-related problems, general code quality issues, and a special section on ASP.NET-specific vulnerabilities. These topics conclude with an overview of testing tools that can automatically reveal some of the bugs covered.

Topics are presented through practical exercises in which participants try out for themselves the consequences of the vulnerabilities, the mitigations, and the APIs and tools discussed.

Web vulnerabilities: OWASP Top 10 and beyond: SQL injection and other injection flaws; Cross-Site Scripting: persistent and reflected XSS; session handling challenges; using cookies; remote code execution; Insecure Direct Object Reference; Cross-Site Request Forgery (CSRF); restricting URL access.

Client-side security: JavaScript same-origin policy; authentication and password management in JavaScript; obfuscating JavaScript code; clickjacking; Ajax security, XSS and CSRF in Ajax; HTML5: clickjacking, form tampering, cross-origin requests, client-side include.

.NET and ASP.NET security technologies and services: Code Access Security, permissions, the stack walk, trust levels; role-based security; cryptography basics, symmetric and asymmetric algorithms, hashing, public-key infrastructure (PKI), cryptography in .NET; ASP.NET authentication and authorization solutions, Windows and Forms authentication, Live SDK, roles; session handling; XSS protection, validation features, ViewState protection in ASP.NET.

.NET-specific vulnerabilities: input validation problems, using native code, integer overflows in .NET, using the checked keyword, log forging; improper use of cryptographic features, insecure randomness in .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling; time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions; general code quality issues, object hijacking, immutable objects, serialization of sensitive information; Denial-of-Service (DoS) in .NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more...
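To make the integer overflow item above concrete, here is an added example (written for this page, not course material) of how C#'s default unchecked arithmetic lets a size calculation wrap around past a limit check, and how the `checked` keyword turns the same overflow into an OverflowException. The BytesNeeded* helpers, the MaxBytes limit and the attacker-chosen count are hypothetical.

```csharp
using System;

// Added example, not part of the course page. Demonstrates silent 32-bit
// wrap-around in unchecked arithmetic and the effect of the checked keyword.
class IntegerOverflowDemo
{
    // Hypothetical limit an application enforces on a buffer it is about to allocate.
    const int MaxBytes = 4096;

    // Bytes needed for `count` records of `recordSize` bytes each.
    // unchecked is the C# default for non-constant expressions; the product
    // silently wraps modulo 2^32 instead of failing.
    static int BytesNeededUnchecked(int count, int recordSize)
    {
        return unchecked(count * recordSize);
    }

    // Same computation inside a checked context: an overflow throws
    // OverflowException instead of producing a wrapped value.
    static int BytesNeededChecked(int count, int recordSize)
    {
        return checked(count * recordSize);
    }

    static void Main()
    {
        // Attacker-controlled count chosen so that count * 4 = 0x1_0000_0004,
        // which wraps to 4 in 32-bit arithmetic.
        int count = 0x40000001;
        int recordSize = 4;

        int wrapped = BytesNeededUnchecked(count, recordSize);
        Console.WriteLine($"unchecked: {count} * {recordSize} = {wrapped}");
        if (wrapped <= MaxBytes)
        {
            // The limit check passes on the wrapped value, so the caller would
            // allocate a tiny buffer for over a billion records.
            Console.WriteLine("limit check passed on the wrapped value: undersized buffer");
        }

        try
        {
            int total = BytesNeededChecked(count, recordSize);
            Console.WriteLine($"checked: {total}");
        }
        catch (OverflowException ex)
        {
            Console.WriteLine($"checked: request rejected ({ex.Message})");
        }
    }
}
```

Compile and run it as a console application (for example with `dotnet run`). Note that `checked` applies only to the expressions or block it encloses, not to methods called from inside it, so every arithmetic step on untrusted sizes needs its own context; to make the entire assembly check arithmetic, set `<CheckForOverflowUnderflow>true</CheckForOverflowUnderflow>` in the project file.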

Exercises: exploiting SQL injection step by step; exploiting command injection; crafting Cross-Site Scripting attacks through both reflected and persistent XSS; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); sandboxing .NET code; using roles; using cryptographic classes in .NET; implementing Forms authentication; input validation in ASP.NET; crashing native code; unsafe reflection; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlocks; overcoming file race conditions; object hijacking; immutable strings; preventing serialization; using hidden and disabled controls; value shadowing.
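The exercise items on using cryptographic classes in .NET and on hash cracking by googling are illustrated by the following added example (not code from the course): the unsalted SHA-1 digest, which is identical for every user with the same password and can therefore be looked up with a search engine, beside password storage with a per-user random salt, PBKDF2 and a constant-time comparison. It assumes .NET 6 or later for the static SHA1.HashData, RandomNumberGenerator.GetBytes and Rfc2898DeriveBytes.Pbkdf2 APIs; the record format and the PasswordStorageDemo names are made up for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the course page. Assumes .NET 6 or later.
static class PasswordStorageDemo
{
    // The weak scheme: a single unsalted SHA-1 pass over the password.
    // Every user and every site that stores "password" this way stores the
    // same hex digest, so a leaked digest of a common password can be found
    // by pasting it into a search engine.
    public static string WeakSha1Hex(string password)
    {
        byte[] digest = SHA1.HashData(Encoding.UTF8.GetBytes(password));
        return Convert.ToHexString(digest).ToLowerInvariant();
    }

    const int SaltBytes = 16;
    const int Iterations = 600_000;   // tune so one derivation takes ~100 ms on the target hardware
    const int KeyBytes = 32;

    // Stored record format (made up for this example):
    // "pbkdf2-sha256$<iterations>$<salt base64>$<key base64>"
    public static string HashPassword(string password)
    {
        // Salt from the CSPRNG, not from System.Random (which is predictable).
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256")
        {
            return false;
        }
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison so verification time does not depend on
        // how many leading bytes of the derived key matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Same digest both times: this is the value an attacker searches for.
        Console.WriteLine("SHA-1 of 'password' for user A: " + WeakSha1Hex("password"));
        Console.WriteLine("SHA-1 of 'password' for user B: " + WeakSha1Hex("password"));

        // Two records for the same password differ because the salt differs,
        // so a precomputed table or a web search matches neither.
        string recordA = HashPassword("password");
        string recordB = HashPassword("password");
        Console.WriteLine(recordA);
        Console.WriteLine(recordB);

        Console.WriteLine("verify correct password: " + VerifyPassword("password", recordA));
        Console.WriteLine("verify wrong password:   " + VerifyPassword("Password", recordA));
    }
}
```

The iteration count is stored with the record so it can be raised for new passwords without breaking verification of old ones, and the salt is a secret-free random value that only needs to be unique per record.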

Using security testing tools: security scanners (Nikto/Wikto, Nessus, Netsparker); SQL injection tools (sqlmap, SqlNinja, Safe3 SQL Injector); knowledge sources (CVE, NVD, BSI, SHIELDS); sniffers (tcpdump, ngrep, Wireshark); proxy servers (Burp Suite, Paros Proxy); static source code analyzers for .NET (FxCop).

The course is delivered in partnership with

Course ID: T1516
Length: 3 days
Price excl. VAT: 26 950 SEK

Questions about the course?

For questions about the course content, delivery dates/locations, or a company-tailored version, use the contact form.

Can be paid with:
TRAINING CARD

Location and dates

Stockholm: 13-15 Mar, 26-28 Jun
Göteborg: 13-15 Mar (R), 26-28 Jun (R)
Malmö: 13-15 Mar (R), 26-28 Jun (R)
Cloud Access (attend the course from home, work or any other location): 13-15 Mar, 26-28 Jun