Call : (+91) 968636 4243
Mail : info@EncartaLabs.com

Web Application Security in C#

( Duration: 3 Days )

Your Web application written in C# works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -231? Because that’s what the bad guys will do – and the list is far from complete.

This Web Application Security in C# training course goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details. All this is put in the context of C#, and extended by core programming issues, discussing security pitfalls of the C# language and .NET framework.

By attending Web Application Security in C# workshop, delegates will learn:

Getting familiar with essential cyber security concepts
Understanding Web application security issues
Detailed analysis of the OWASP Top Ten elements
Putting Web application security in the context of C#
Going beyond the low hanging fruits
Managing vulnerabilities in third party components
Identify vulnerabilities and their consequences
Security best practices in C#
Input validation approaches and principles

General C# and Web development

The Web Application Security in C# class is ideal for:

C# developers working on Web applications

COURSE AGENDA

1

Cyber security basics

What is security?
Threat and risk
Cyber security threat types
Consequences of insecure software

2

The OWASP Top Ten - 1

OWASP Top 10 – 2017
A1 – Injection

Injection principles
Injection attacks
SQL injection

SQL injection basics
Attack techniques
Content-based blind SQL injection
Time-based blind SQL injection

Input validation
Parameterized queries
Additional considerations

Code injection

OS command injection
Avoiding command injection with the right APIs
Script injection

A2 – Broken Authentication

Authentication basics
Multi-factor authentication
Authentication weaknesses – spoofing
Spoofing on the Web
Password management

Inbound password management
Storing account passwords
Password in transit
Dictionary attacks and brute forcing
Salting
Adaptive hash functions for password storage
Password policy
NIST authenticator requirements for memorized secrets
The dictionary attack
The ultimate crack
Exploitation and the lessons learned
Password database migration
(Mis)handling null passwords

3

The OWASP Top Ten - 2

A2 – Broken Authentication

Session management

Session management essentials
Why do we protect session IDs – Session hijacking
Session fixation
Cross-site Request Forgery (CSRF)
CSRF defense in depth
Cookie security
Cookie attributes

A4 – XML External Entities (XXE)

DTD and the entities
Entity expansion
External Entity Attack (XXE)

File inclusion with external entities
Server-Side Request Forgery with external entities
Preventing XXE

A5 – Broken Access Control

Access control basics
Failure to restrict URL access
Confused deputy

Insecure direct object reference (IDOR)
Authorization bypass through user-controlled keys

File upload

Unrestricted file upload
Good practices

A7 – Cross-site Scripting (XSS)

Cross-site scripting basics
Cross-site scripting types

Persistent cross-site scripting
Reflected cross-site scripting
Client-side (DOM-based) cross-site scripting

Protection principles – escaping
XSS protection APIs
Request validation in ASP.NET
Further XSS protection techniques
Additional protection layers
Client-side protection principles

A8 – Insecure Deserialization

Serialization and deserialization challenges
Deserializing untrusted streams
Property Oriented Programming (POP)

Creating payload

A9 – Using Components with Known Vulnerabilities

Using vulnerable components
Assessing the environment
Hardening
Untrusted functionality import
Importing JavaScript
Vulnerability management

Patch management
Vulnerability databases

4

The OWASP Top Ten - 3

Web application security beyond the Top Ten

Client-side security
Tabnabbing
Frame sandboxing

Cross-Frame Scripting (XFS) attack
Clickjacking beyond hijacking a click

5

Common software security weaknesses

Input validation

Input validation principles

Blacklists and whitelists
Data validation techniques
What to validate – the attack surface
Where to validate – defense in depth
How to validate – validation vs transformations
Output sanitization
Encoding challenges
Validation with regex
Regular expression denial of service (ReDoS)
Dealing with ReDoS

Integer handling problems

Representing signed numbers
Integer visualization
Integer overflow
Signed / unsigned confusion
Integer truncation
Upcasting
Precondition testing
Postcondition testing
Using big integer libraries
Integer handling in C#

Unsafe reflection

Reflection without validation

Code quality

Data handling

Initialization and cleanup
Class initialization cycles

Object oriented programming pitfalls

Inheritance and overriding
Mutability
Readonly collections

Encarta Labs Advantage

One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
All courses are delivered by Industry Veterans
Get jumpstarted from newbie to production ready in a matter of few days

Trained more than 50,000 Corporate executives across the Globe
All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.

Top

Notice

X