ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas

ASP.NET Core 5 Secure Coding Cookbook

By: Roman Canlas

Overview of this book

ASP.NET Core developers are often presented with security test results showing the vulnerabilities found in their web apps. While the report may provide some high-level fix suggestions, it does not specify the exact steps that you need to take to resolve or fix weaknesses discovered by these tests. In ASP.NET Secure Coding Cookbook, you’ll start by learning the fundamental concepts of secure coding and then gradually progress to identifying common web app vulnerabilities in code. As you progress, you’ll cover recipes for fixing security misconfigurations in ASP.NET Core web apps. The book further demonstrates how you can resolve different types of Cross-Site Scripting. A dedicated section also takes you through fixing miscellaneous vulnerabilities that are no longer in the OWASP Top 10 list. This book features a recipe-style format, with each recipe containing sample unsecure code that presents the problem and corresponding solutions to eliminate the security bug. You’ll be able to follow along with each step of the exercise and use the accompanying sample ASP.NET Core solution to practice writing secure code. By the end of this book, you’ll be able to identify unsecure code causing different security flaws in ASP.NET Core web apps and you’ll have gained hands-on experience in removing vulnerabilities and security defects from your code.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Chapter 1: Secure Coding Fundamentals

Technical requirements

Input validation

Enabling whitelist validation using validation attributes

Whitelist validation using the FluentValidation library

Syntactic and semantic validation

Input sanitization

Input sanitization using the HTMLSanitizer library

Output encoding

Output encoding using HtmlEncoder

Output encoding using UrlEncoder

Output encoding using JavascriptEncoder

Protecting sensitive data using the Data Protection API

Free Chapter

Chapter 2: Injection Flaws

Technical requirements

What is SQL injection?

Fixing SQL injection with Entity Framework

Fixing SQL injection in ADO.NET

Fixing NoSQL injection

Fixing command injection

Fixing LDAP injection

Fixing XPath injection

Chapter 3: Broken Authentication

Technical requirements

Fixing the incorrect restrictions of excessive authentication attempts

Fixing insufficiently protected credentials

Fixing user enumeration

Fixing weak password requirements

Fixing insufficient session expiration

Chapter 4: Sensitive Data Exposure

Technical requirements

Fixing insufficient protection of data in transit

Fix missing HSTS headers

Fixing weak protocols

Fixing hardcoded cryptographic keys

Disabling caching for critical web pages

Chapter 5: XML External Entities

Technical requirements

Enabling XML validation

Fixing XXE injection with XmlDocument

Fixing XXE injection with XmlTextReader

Fixing XXE injection with LINQ to XML

Chapter 6: Broken Access Control

Technical requirements

Fixing IDOR

Fixing improper authorization

Fixing missing access control

Fixing open redirect vulnerabilities

Chapter 7: Security Misconfiguration

Technical requirements

Disabling debugging features in non-development environments

Fixing disabled security features

Disabling unnecessary features

Fixing information exposure through an error message

Fixing information exposure through insecure cookies

Chapter 8: Cross-Site Scripting

Technical requirements

Fixing reflected XSS

Fixing stored/persistent XSS

Fixing DOM XSS

Chapter 9: Insecure Deserialization

Technical requirements

Fixing unsafe deserialization

Fixing the use of insecure deserializers

Fixing untrusted data deserialization

Chapter 10: Using Components with Known Vulnerabilities

Technical requirements

Fixing the use of a vulnerable third-party JavaScript library

Fixing the use of a vulnerable NuGet package

Fixing the use of a library hosted from an untrusted source

Chapter 11: Insufficient Logging and Monitoring

Technical requirements

Fixing insufficient logging of exceptions

Fixing insufficient logging of DB transactions

Fixing excessive information logging

Fixing a lack of security monitoring

Chapter 12: Miscellaneous Vulnerabilities

Technical requirements

Fixing the disabled anti-Cross-Site Request Forgery protection

Preventing Server-Side Request Forgery

Preventing log injection

Preventing HTTP response splitting

Preventing clickjacking

Fixing insufficient randomness

Chapter 13: Best Practices

Technical requirements

Proper exception handling

Using security-related cookie attributes

Using a Content Security Policy

Fixing leftover debug code

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

4 star

3 star

2 star

1 star

What this book covers

Chapter 1, Securing Coding Fundamentals, is about basic secure coding patterns that every ASP.NET Core developer must know.

Chapter 2, Injection Flaws, explores recipes for various injection flaws, such as SQL injection, NoSQL injection, command injection, LDAP injection, and XPath injection.

Chapter 3, Broken Authentication, covers recipes for vulnerabilities that focus on insufficiently protected credentials, user enumeration, weak password requirements, and insufficient session expiration.

Chapter 4, Sensitive Data Exposure, shows how to implement HTTPS in our ASP.NET Core web applications, enable HSTS, ensure that the latest version of TLS is applied, and secure the cryptographic keys to prevent data leakage

Chapter 5, XML External Entities, covers recipes for remediating malicious XML External Entities. This chapter explains a sample insecure code snippet on XXE injection. An explanation of how to fix XXE injection will be discussed.

Chapter 6, Broken Access Control, explores recipes that use the built-in authorization mechanism in ASP.NET Core and the steps to implement role-based authorization to prevent unauthorized access to resources in your web application.

Chapter 7, Security Misconfiguration, discusses recipes to prevent security misconfiguration by turning debugging off in code, adding security features, and stopping unwanted information leaks to prying attackers with proper application settings.

Chapter 8, Cross-Site Scripting, covers recipes for remediating different types of XSS. This chapter explains insecure code for Reflected, Stored, and DOM XSS. This chapter also explains how to fix these cross-site scripting vulnerabilities in code.

Chapter 9, Insecure Deserialization, covers recipes on how to safely deserialize input using properly configured libraries, mitigate risks that an obsolete .NET class brings in your ASP.NET Core web application, and use a better deserializer alternative to securely deserialize data streams.

Chapter 10, Using Components with Known Vulnerabilities, discusses recipes for fixing ASP.NET Core web applications that use components with known vulnerabilities.

Chapter 11, Insufficient Logging and Monitoring, explores recipes for fixing insufficient logging and monitoring in ASP.NET Core web applications and explains how the lack of these features puts web applications at risk.

Chapter 12, Miscellaneous Vulnerabilities, discusses recipes for fixing vulnerabilities that are no longer in the OWASP Top 10 list and various ASP.NET Core web application vulnerabilities.

Chapter 13, Best Practices, covers best practice recipes with proven patterns that enable ASP.NET Core security features.

ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas

ASP.NET Core 5 Secure Coding Cookbook

By: Roman Canlas

Overview of this book

Related Content you might be interested in

Current Title:

ASP.NET Core 5 Secure Coding Cookbook

Customizing ASP.NET Core 5.0

Modern Web Development with ASP.NET Core 3

Customizing ASP.NET Core 6.0

What this book covers