.NET, C# and ASP.NET security development

Basic.NET, C# and ASP.NET

A number of programming languages are available today to compile code to.NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding- level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation.

The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more.

Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using.NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general Web application security challenges, but also with special issues and attack methods like attacking the ViewState, or the string termination attacks.

Web vulnerabilities:

OWASP top 10 and beyond:

• SQL Injection and other injection flaws, Cross-Site Scripting: persistent and reflected XSS, session handling challenges, using cookies, remote code execution, Insecure Direct Object Reference, Cross-Site Request Forgery (CSRF), restricting URL access.

.NET and ASP.NET security technologies and services:

• Code Access Security, permissions, the stack walk, trust levels
• Role-based Security
• cryptography in.NET; ASP.NET authentication and authorization solutions, windows and form authentication, Live SDK, roles; session handling
• XSS protection, validation features, viewstate protection in ASP.NET

.NET specific vulnerabilities:

• input validation problems, using native code, integer overflows in.NET, using the checked keyword, log forging
• improper use of cryptographic features, insecure randomness in.NET, challenges of password management, cracking hashed passwords with search engines
• improper error and exception handling
• time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions
• general code quality issues, object hijacking, immutable objects, serialization of sensitive information
• Denial-of-Service (DoS) in.NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more...

Exercises:

• exploiting SQL injection step-by-step
• exploiting command injection
• crafting Cross-Site Scripting attacks through both reflective and persistent XSS
• HTML injection
• session fixation
• uploading and running executable code
• insecure direct object reference
• committing Cross-Site Request Forgery (CSRF)
• sandboxing.NET code, using roles, using cryptographic classes in.NET, implementing form authentication, input validation in ASP.NET
• crashing native code
• unsafe reflections
• hash cracking by googling
• using reflection to break accessibility modifiers
• information leakage through error reporting
• missing

Un certificat de formation est remis à chaque participant à la fin du cours.