Book Image

ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas
Book Image

ASP.NET Core 5 Secure Coding Cookbook

By: Roman Canlas

Overview of this book

ASP.NET Core developers are often presented with security test results showing the vulnerabilities found in their web apps. While the report may provide some high-level fix suggestions, it does not specify the exact steps that you need to take to resolve or fix weaknesses discovered by these tests. In ASP.NET Secure Coding Cookbook, you’ll start by learning the fundamental concepts of secure coding and then gradually progress to identifying common web app vulnerabilities in code. As you progress, you’ll cover recipes for fixing security misconfigurations in ASP.NET Core web apps. The book further demonstrates how you can resolve different types of Cross-Site Scripting. A dedicated section also takes you through fixing miscellaneous vulnerabilities that are no longer in the OWASP Top 10 list. This book features a recipe-style format, with each recipe containing sample unsecure code that presents the problem and corresponding solutions to eliminate the security bug. You’ll be able to follow along with each step of the exercise and use the accompanying sample ASP.NET Core solution to practice writing secure code. By the end of this book, you’ll be able to identify unsecure code causing different security flaws in ASP.NET Core web apps and you’ll have gained hands-on experience in removing vulnerabilities and security defects from your code.

Related Content you might be interested in

Current Title:

Small book image
ASP.NET Core 5 Secure Coding Cookbook
Roman Canlas
Jul, 2021 | 324 pages
Small book image
Customizing ASP.NET Core 5.0
Jrgen Gutsch
Jan, 2021 | 160 pages
Small book image
Modern Web Development with ASP.NET Core 3
Ricardo Peres
Jun, 2020 | 802 pages
Small book image
Customizing ASP.NET Core 6.0
Jrgen Gutsch
Dec, 2021 | 204 pages
Table of Contents (15 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Get in touch
Share Your Thoughts
1
Chapter 1: Secure Coding Fundamentals
Chapter 1: Secure Coding Fundamentals
Technical requirements
Input validation
Enabling whitelist validation using validation attributes
Whitelist validation using the FluentValidation library
Syntactic and semantic validation
Input sanitization
Input sanitization using the HTMLSanitizer library
Output encoding
Output encoding using HtmlEncoder
Output encoding using UrlEncoder
Output encoding using JavascriptEncoder
Protecting sensitive data using the Data Protection API
Free Chapter
2
Chapter 2: Injection Flaws
Chapter 2: Injection Flaws
Technical requirements
What is SQL injection?
Fixing SQL injection with Entity Framework
Fixing SQL injection in ADO.NET
Fixing NoSQL injection
Fixing command injection
Fixing LDAP injection
Fixing XPath injection
3
Chapter 3: Broken Authentication
Chapter 3: Broken Authentication
Technical requirements
Fixing the incorrect restrictions of excessive authentication attempts
Fixing insufficiently protected credentials
Fixing user enumeration
Fixing weak password requirements
Fixing insufficient session expiration
4
Chapter 4: Sensitive Data Exposure
Chapter 4: Sensitive Data Exposure
Technical requirements
Fixing insufficient protection of data in transit
Fix missing HSTS headers
Fixing weak protocols
Fixing hardcoded cryptographic keys
Disabling caching for critical web pages
5
Chapter 5: XML External Entities
Chapter 5: XML External Entities
Technical requirements
Enabling XML validation
Fixing XXE injection with XmlDocument
Fixing XXE injection with XmlTextReader
Fixing XXE injection with LINQ to XML
6
Chapter 6: Broken Access Control
Chapter 6: Broken Access Control
Technical requirements
Fixing IDOR
Fixing improper authorization
Fixing missing access control
Fixing open redirect vulnerabilities
7
Chapter 7: Security Misconfiguration
Chapter 7: Security Misconfiguration
Technical requirements
Disabling debugging features in non-development environments
Fixing disabled security features
Disabling unnecessary features
Fixing information exposure through an error message
Fixing information exposure through insecure cookies
8
Chapter 8: Cross-Site Scripting
Chapter 8: Cross-Site Scripting
Technical requirements
Fixing reflected XSS
Fixing stored/persistent XSS
Fixing DOM XSS
9
Chapter 9: Insecure Deserialization
Chapter 9: Insecure Deserialization
Technical requirements
Fixing unsafe deserialization
Fixing the use of insecure deserializers
Fixing untrusted data deserialization
10
Chapter 10: Using Components with Known Vulnerabilities
Chapter 10: Using Components with Known Vulnerabilities
Technical requirements
Fixing the use of a vulnerable third-party JavaScript library
Fixing the use of a vulnerable NuGet package
Fixing the use of a library hosted from an untrusted source
11
Chapter 11: Insufficient Logging and Monitoring
Chapter 11: Insufficient Logging and Monitoring
Technical requirements
Fixing insufficient logging of exceptions
Fixing insufficient logging of DB transactions
Fixing excessive information logging
Fixing a lack of security monitoring
12
Chapter 12: Miscellaneous Vulnerabilities
Chapter 12: Miscellaneous Vulnerabilities
Technical requirements
Fixing the disabled anti-Cross-Site Request Forgery protection
Preventing Server-Side Request Forgery
Preventing log injection
Preventing HTTP response splitting
Preventing clickjacking
Fixing insufficient randomness
13
Chapter 13: Best Practices
Chapter 13: Best Practices
Technical requirements
Proper exception handling
Using security-related cookie attributes
Using a Content Security Policy
Fixing leftover debug code
Why subscribe?
14
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The AddTransient method allows our custom validator CustomerValidator to be discoverable by ASP.NET Core."

A block of code is set as follows:

  if (result.Succeeded)
  {
    _logger.LogInformation("User logged in.");
    return LocalRedirect(returnUrl);
  }

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);

Any command-line input or output is written as follows:

git clone https://github.com/PacktPublishing/ASP.NET-Core-Secure-Coding-Cookbook.git
  1. Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select one record and click its Edit link."

    Tips or important notes

    Appear like this.

Previous Section
Next Section