IQSOFT - John Brice Oktatóközpont
IT Leadership Development Program - ITLDP

.NET, C# and ASP.NET security development

Tanfolyam célja

A number of programming languages are available today to compile code to .NET and ASP.NET frameworks. The environment provides powerful means for security development, but developers should know how to apply the architecture- and coding-level programming techniques in order to implement the desired security functionality and avoid vulnerabilities or limit their exploitation.

The aim of this course is to teach developers through numerous hands-on exercises how to prevent untrusted code from performing privileged actions, protect resources through strong authentication and authorization, provide remote procedure calls, handle sessions, introduce different implementations for certain functionality, and many more.

Introduction of different vulnerabilities starts with presenting some typical programming problems committed when using .NET, while the discussion of vulnerabilities of the ASP.NET also deals with various environment settings and their effects. Finally, the topic of ASP.NET-specific vulnerabilities not only deals with some general web application security challenges, but also with special issues and attack methods like attacking the ViewState, or the string termination attacks.

Tematika

Content:

Web vulnerabilities: OWASP top 10 and beyond: SQL Injection and other injection flaws, Cross-Site Scripting: persistent and reflected XSS, session handling challenges, using cookies, remote code execution, Insecure Direct Object Reference, Cross-Site Request Forgery (CSRF), restricting URL access.

.NET and ASP.NET security technologies and services: Code Access Security, permissions, the stack walk, trust levels; Role-based Security; cryptography in .NET; ASP.NET authentication and authorization solutions, windows and form authentication, Live SDK, roles; session handling; XSS protection, validation features, viewstate protection in ASP.NET.

.NET specific vulnerabilities: input validation problems, using native code, integer overflows in .NET, using the checked keyword, log forging; improper use of cryptographic features, insecure randomness in .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling; time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions; general code quality issues, object hijacking, immutable objects, serialization of sensitive information; Denial-of-Service (DoS) in.NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more...

Exercises: exploiting SQL injection step-by-step; exploiting command injection; crafting Cross-Site Scripting attacks through both reflective and persistent XSS; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); sandboxing .NET code, using roles, using cryptographic classes in .NET, implementing form authentication, input validation in ASP.NET; crashing native code; unsafe reflections; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlocks; overcoming file race conditions; object hijacking; immutable string; preventing serialization; using hidden and disable controls; value shadowing.

controls; value shadowing.
Participants attending this course will

    Understand basic concepts of security, IT security and secure coding
    Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
    Learn to use various security features of the .NET development environment
    Get practical knowledge in using security testing tools
    Learn about typical coding mistakes and how to avoid them
    Get information about some recent vulnerabilities in .NET and ASP.NET
    Get sources and further readings on secure coding practices

Outline

    IT security and secure coding
    Web application security
    .NET security architecture and services
    Using security testing tools
    Common coding errors and vulnerabilities
    Knowledge sources

1. Day

IT security and secure coding

    Nature of security
    IT security related terms
    Definition of risk
    Different aspects of IT security
    Requirements of different application areas
    IT security vs. secure coding
    From vulnerabilities to botnets and cybercrime
        Nature of security flaws
        Reasons of difficulty
        From an infected computer to targeted attacks
    Classification of security flaws
        Landwehr’s taxonomy
        The Fortify taxonomy
        The Seven Pernicious Kingdoms
        OWASP Top Ten 2013
        OWASP Top Ten comparison 2003 – 2013

Web application security

    Injection
        Typical SQL Injection attack methods
        Blind and time-based SQL injection
        SQL Injection protection methods
        Command injection
        Cookie injection / HTTP parameter pollution
        Exercise – Value shadowing
    Broken authentication and session management
        Insecure session cookie parameters
        Session fixation
    Cross-Site Scripting (XSS)
        Cross-Site Scripting (XSS)
        CSS injection
        Exploitation: injection through other HTML tags
        XSS prevention
        XSS protection in ASP.NET
        Validations and encoding done by validateRequest
        Web Protection Library (WPL)
    Insecure direct object reference
        Protection against insecure direct object reference
    Missing function level access control
        Filtering file uploads
    Cross Site Request Forgery (CSRF)
        Login CSRF
        CSRF prevention
    Unvalidated redirects and forwards

.NET security architecture and services

    .NET architecture
    Code Access Security
        Evidence classes
        Permissions
        Code access permission classes
        .NET runtime permission checking
        The Stack Walk
        Effects of Assert()
        Class and method-level declarative permission
        Imperative (programmatic) permission checking
        Security transparency model from .NET 4.0
        Using transparency attributes
        Exercise – sandboxing .NET code
    Role-based security
        Principal-based authorization
        Exercise – adding role-based authorization
    Cryptography in .NET
        .NET cryptographic architecture
        Hashing
        Using random numbers
        Encrypting and decrypting (symmetric)
        Asymmetric algorithms in .NET
        Exercise – using .NET cryptographic classes
        SSL/TLS in .NET
        Protecting .NET code
        Web vulnerability scanners
            Exercise – Using a vulnerability scanner
            SQL injection tools
            Exercise – Using SQL injection tools
            Exercise – Using SQL injection tools
        Static code analysis
            Static code analysis
            Static code analysis
            Exercise – Using static code analysis tools

2. day

Common coding errors and vulnerabilities
        Input validation
            Input validation concepts
            Integer problems
                Representation of negative integers
                Integer overflow
                What is the value of #abs#?
            Integer problem mitigation
                Integer problem mitigation
                Avoiding arithmetic overflow – addition
                Avoiding arithmetic overflow – multiplication
                Detecting arithmetic overflow with the checked keyword in C#
                Exercise – Using the checked keyword
                Exceptions triggered by overflows in C#
            Case study –Integer overflow in .NET
                A real-world integer overflow vulnerability
                Exploiting the integer overflow vulnerability
            Path traversal vulnerability
                Path traversal vulnerability
                Path traversal mitigation
            Unsafe native calls
                Unsafe native calls
            Unsafe reflection
                Implementation of a command dispatcher
                Unsafe reflection – spot the bug!
                Mitigation of unsafe reflection
            Log forging
                Some other typical problems with log files
        Improper use of security features
            Problems related to the use of security features
            Insecure randomness
                Weak PRNGs in .NET
            Password management
                Exercise – Google cracking
                Password management and storage
                Special purpose hash algorithms for password storage
                BDKDF2 and bcrypt implementations in .NET
                Case study – the Ashley Madison data breach
                Cracking bcrypted passwords
                Some other typical password management problems
                Exercise Hard coded passwords
                Exercise – Hard coded password
                Accessing private fields with reflection in .NET
                Exercise Reflection – Accessing private fields with reflection
        Improper error and exception handling
            Typical problems with error and exception handling
            Empty catch block
            Overly broad catch
            Catching NullReferenceException
            Exception handling – spot the bug!
            Exercise – Information leakage through error reporting
        Time and state problems
            Concurrency and threading
            Concurrency in .NET
            Omitted synchronization – spot the bug!
            Exercise – Omitted synchronization
            Incorrect granularity – spot the bug!
            Exercise – Incorrect granularity
            Deadlocks
            Avoiding deadlocks
            Exercise – Avoiding deadlocks
            Lock statement
            Race condition with files – spot the bug!
            Preventing file race condition
            Optimistic vs. pessimistic locking
            Optimistic locking
            Pessimistic locking
            Setting the isolation level
        Code quality problems
            Dangers arising from poor code quality
            Poor code quality – spot the bug!
            Unreleased resources
            Misspelled method – spot the bug!
            Exercise – Misspelled method
            Sensitive data – spot the bug!
            Exercise – Serializable sensitive
            Class not sealed – object hijacking
            Exercise – Object hijacking
            Immutable String – spot the bug!
            Exercise – Immutable strings
            Using SecureString
        Features and vulnerabilities
            Custom protected configuration providers
            Postback validation
            Viewstate protection
            Event validation
            Accessing disabled and hidden controls
            Control sequence attacks
            NULL byte termination vulnerability
            Case study – Forms Authentication Bypass
                The Forms Authentication Bypass vulnerability in the code
                Exploiting the Forms Authentication Bypass
    Knowledge sources
        Secure coding sources – a starter kit
        Vulnerability databases
        .NET secure coding guidelines at MSDN
        .NET secure coding cheat sheets
        Recommended books – .NET and ASP.NET

Kapcsolódó tanfolyamok