Book Image

ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas
Book Image

ASP.NET Core 5 Secure Coding Cookbook

By: Roman Canlas

Overview of this book

ASP.NET Core developers are often presented with security test results showing the vulnerabilities found in their web apps. While the report may provide some high-level fix suggestions, it does not specify the exact steps that you need to take to resolve or fix weaknesses discovered by these tests. In ASP.NET Secure Coding Cookbook, you’ll start by learning the fundamental concepts of secure coding and then gradually progress to identifying common web app vulnerabilities in code. As you progress, you’ll cover recipes for fixing security misconfigurations in ASP.NET Core web apps. The book further demonstrates how you can resolve different types of Cross-Site Scripting. A dedicated section also takes you through fixing miscellaneous vulnerabilities that are no longer in the OWASP Top 10 list. This book features a recipe-style format, with each recipe containing sample unsecure code that presents the problem and corresponding solutions to eliminate the security bug. You’ll be able to follow along with each step of the exercise and use the accompanying sample ASP.NET Core solution to practice writing secure code. By the end of this book, you’ll be able to identify unsecure code causing different security flaws in ASP.NET Core web apps and you’ll have gained hands-on experience in removing vulnerabilities and security defects from your code.

Related Content you might be interested in

Current Title:

Small book image
ASP.NET Core 5 Secure Coding Cookbook
Roman Canlas
Jul, 2021 | 324 pages
Small book image
Customizing ASP.NET Core 5.0
Jrgen Gutsch
Jan, 2021 | 160 pages
Small book image
Modern Web Development with ASP.NET Core 3
Ricardo Peres
Jun, 2020 | 802 pages
Small book image
Customizing ASP.NET Core 6.0
Jrgen Gutsch
Dec, 2021 | 204 pages
Table of Contents (15 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Get in touch
Share Your Thoughts
1
Chapter 1: Secure Coding Fundamentals
Chapter 1: Secure Coding Fundamentals
Technical requirements
Input validation
Enabling whitelist validation using validation attributes
Whitelist validation using the FluentValidation library
Syntactic and semantic validation
Input sanitization
Input sanitization using the HTMLSanitizer library
Output encoding
Output encoding using HtmlEncoder
Output encoding using UrlEncoder
Output encoding using JavascriptEncoder
Protecting sensitive data using the Data Protection API
Free Chapter
2
Chapter 2: Injection Flaws
Chapter 2: Injection Flaws
Technical requirements
What is SQL injection?
Fixing SQL injection with Entity Framework
Fixing SQL injection in ADO.NET
Fixing NoSQL injection
Fixing command injection
Fixing LDAP injection
Fixing XPath injection
3
Chapter 3: Broken Authentication
Chapter 3: Broken Authentication
Technical requirements
Fixing the incorrect restrictions of excessive authentication attempts
Fixing insufficiently protected credentials
Fixing user enumeration
Fixing weak password requirements
Fixing insufficient session expiration
4
Chapter 4: Sensitive Data Exposure
Chapter 4: Sensitive Data Exposure
Technical requirements
Fixing insufficient protection of data in transit
Fix missing HSTS headers
Fixing weak protocols
Fixing hardcoded cryptographic keys
Disabling caching for critical web pages
5
Chapter 5: XML External Entities
Chapter 5: XML External Entities
Technical requirements
Enabling XML validation
Fixing XXE injection with XmlDocument
Fixing XXE injection with XmlTextReader
Fixing XXE injection with LINQ to XML
6
Chapter 6: Broken Access Control
Chapter 6: Broken Access Control
Technical requirements
Fixing IDOR
Fixing improper authorization
Fixing missing access control
Fixing open redirect vulnerabilities
7
Chapter 7: Security Misconfiguration
Chapter 7: Security Misconfiguration
Technical requirements
Disabling debugging features in non-development environments
Fixing disabled security features
Disabling unnecessary features
Fixing information exposure through an error message
Fixing information exposure through insecure cookies
8
Chapter 8: Cross-Site Scripting
Chapter 8: Cross-Site Scripting
Technical requirements
Fixing reflected XSS
Fixing stored/persistent XSS
Fixing DOM XSS
9
Chapter 9: Insecure Deserialization
Chapter 9: Insecure Deserialization
Technical requirements
Fixing unsafe deserialization
Fixing the use of insecure deserializers
Fixing untrusted data deserialization
10
Chapter 10: Using Components with Known Vulnerabilities
Chapter 10: Using Components with Known Vulnerabilities
Technical requirements
Fixing the use of a vulnerable third-party JavaScript library
Fixing the use of a vulnerable NuGet package
Fixing the use of a library hosted from an untrusted source
11
Chapter 11: Insufficient Logging and Monitoring
Chapter 11: Insufficient Logging and Monitoring
Technical requirements
Fixing insufficient logging of exceptions
Fixing insufficient logging of DB transactions
Fixing excessive information logging
Fixing a lack of security monitoring
12
Chapter 12: Miscellaneous Vulnerabilities
Chapter 12: Miscellaneous Vulnerabilities
Technical requirements
Fixing the disabled anti-Cross-Site Request Forgery protection
Preventing Server-Side Request Forgery
Preventing log injection
Preventing HTTP response splitting
Preventing clickjacking
Fixing insufficient randomness
13
Chapter 13: Best Practices
Chapter 13: Best Practices
Technical requirements
Proper exception handling
Using security-related cookie attributes
Using a Content Security Policy
Fixing leftover debug code
Why subscribe?
14
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Preface

ASP.NET Core is fast becoming the web application framework of choice for developers and is now in the top ranks of platform popularity. ASP.NET Core web applications are also no exception when it comes to being targets for malicious attacks. As more and more web developers write code to create these ASP.NET Core web applications, the need to educate developers on writing secure code also increases.

An ASP.NET Core application developed with secure code can withstand attacks and help reduce its risk of exploitation. With proper guidance on fixing security flaws in code, ASP.NET Core web applications can prevent or stop security problems.

This book covers code examples written in C# with steps on remediating various ASP.NET Core web application vulnerabilities discovered by a secure code review or security test. You'll find practical examples and different ways to solve the security bugs introduced by insecure code in a recipe-style format.

This book begins with a chapter on the fundamentals of secure coding, but the succeeding content is patterned using the OWASP Top 10 (2017 version). The OWASP Top 10 is the de facto standard documentation for the most common risks to web applications.

Each chapter in this book (starting with Chapter 2, Injection Flaws) represents problem-solution content for each type of risk. Chapter 12, Miscellaneous Vulnerabilities focuses on various other vulnerabilities that were previously in the OWASP Top 10 for additional coverage. The last chapter discusses secure coding best practices.

By the end of this book, you will be able to identify the different types of vulnerabilities in ASP.NET Core web applications and will have the know-how to remediate them in code.

Previous Section
Next Section