Web Application Security in C#WASEC-C#CYCydrillCY-WASEC-C#1.0<ul>
<li>Getting familiar with essential cyber security concepts</li><li>Understanding Web application security issues</li><li>Detailed analysis of the OWASP Top Ten elements</li><li>Putting Web application security in the context of C#</li><li>Going beyond the low hanging fruits</li><li>Managing vulnerabilities in third party components</li><li>Identify vulnerabilities and their consequences</li><li>Learn the security best practices in C#</li><li>Input validation approaches and principles</li></ul><p>General C# and Web development</p><p>C# developers working on Web applications</p><ul>
<li>Cyber security basics</li><li>The OWASP Top Ten</li><li>Common software security weaknesses</li><li>Wrap up</li></ul><p><strong>DAY 1 </strong></p>
<p><strong>Cyber security basics</strong>
</p>
<ul>
<li>What is security?</li><li>Threat and risk</li><li>Cyber security threat types</li><li>Consequences of insecure software</li></ul><p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>OWASP Top 10 – 2017</li><li>A1 – Injection
<ul>
<li>Injection principles</li><li>Injection attacks</li><li>SQL injection
<ul>
<li>SQL injection basics</li><li>Lab – SQL injection</li><li>Attack techniques</li><li>Content-based blind SQL injection</li><li>Time-based blind SQL injection</li></ul></li><li>SQL injection best practices
<ul>
<li>Input validation</li><li>Parameterized queries</li><li>Additional considerations</li><li>Lab – Using prepared statements</li><li>Case study – Hacking Fortnite accounts</li></ul></li><li>Code injection
<ul>
<li>OS command injection
<ul>
<li>Lab – Command injection</li><li>OS command injection best practices</li><li>Avoiding command injection with the right APIs</li><li>Lab – Command injection best practices</li><li>Case study – Command injection via ping</li></ul></li><li>Script injection</li></ul></li><li>General protection best practices</li></ul></li><li>A2 – Broken Authentication
<ul>
<li>Authentication basics</li><li>Multi-factor authentication</li><li>Authentication weaknesses – spoofing</li><li>Spoofing on the Web</li><li>Case study – PayPal 2FA bypass</li><li>Password management
<ul>
<li>Inbound password management
<ul>
<li>Storing account passwords</li><li>Password in transit</li><li>Lab – Is just hashing passwords enough?</li><li>Dictionary attacks and brute forcing</li><li>Salting</li><li>Adaptive hash functions for password storage</li><li>Password policy
<ul>
<li>NIST authenticator requirements for memorized secrets</li></ul></li><li>Case study – The Ashley Madison data breach
<ul>
<li>The dictionary attack</li><li>The ultimate crack</li><li>Exploitation and the lessons learned</li></ul></li><li>Password database migration
<ul>
<li>(Mis)handling null passwords</li></ul></li></ul></li></ul></li></ul></li></ul><p><strong>DAY 2</strong></p>
<p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>A2 – Broken Authentication
<ul>
<li>Session management
<ul>
<li>Session management essentials</li><li>Session ID best practices</li><li>Why do we protect session IDs – Session hijacking</li><li>Session fixation</li><li>Cross-site Request Forgery (CSRF)
<ul>
<li>Lab – Cross-site Request Forgery</li><li>CSRF best practices</li><li>CSRF defense in depth</li><li>Lab – CSRF protection with tokens</li></ul></li><li>Cookie security
<ul>
<li>Cookie security best practices</li><li>Cookie attributes</li></ul></li></ul></li></ul></li><li>A4 – XML External Entities (XXE)
<ul>
<li>DTD and the entities</li><li>Entity expansion</li><li>External Entity Attack (XXE)
<ul>
<li>File inclusion with external entities</li><li>Server-Side Request Forgery with external entities</li><li>Lab – External entity attack</li><li>Case study – XXE vulnerability in SAP Store</li><li>Preventing XXE</li><li>Lab – Prohibiting DTD</li></ul></li></ul></li><li>A5 – Broken Access Control
<ul>
<li>Access control basics</li><li>Failure to restrict URL access</li><li>Confused deputy
<ul>
<li>Insecure direct object reference (IDOR)</li><li>Lab – Insecure Direct Object Reference</li><li>Authorization bypass through user-controlled keys</li><li>Case study – Authorization bypass on Facebook</li><li>Lab – Horizontal authorization</li></ul></li><li>File upload
<ul>
<li>Unrestricted file upload</li><li>Good practices</li><li>Lab – Unrestricted file upload</li></ul></li></ul></li><li>A7 – Cross-site Scripting (XSS)
<ul>
<li>Cross-site scripting basics</li><li>Cross-site scripting types
<ul>
<li>Persistent cross-site scripting</li><li>Reflected cross-site scripting</li><li>Client-side (DOM-based) cross-site scripting</li><li>Lab – Stored XSS</li><li>Lab – Reflected XSS</li><li>Case study – XSS in Fortnite accounts</li></ul></li><li>XSS protection best practices
<ul>
<li>Protection principles – escaping</li><li>XSS protection APIs</li><li>Request validation in ASP.NET</li><li>Further XSS protection techniques</li><li>Lab – XSS fix / stored</li><li>Lab – XSS fix / reflected</li><li>Additional protection layers</li><li>Client-side protection principles</li></ul></li></ul></li><li>A8 – Insecure Deserialization
<ul>
<li>Serialization and deserialization challenges</li><li>Deserializing untrusted streams</li><li>Deserialization best practices</li><li>Property Oriented Programming (POP)
<ul>
<li>Creating payload</li><li>POP best practices</li><li>Lab – Creating a POP payload</li><li>Lab – Using the POP payload</li></ul></li></ul></li><li>A9 – Using Components with Known Vulnerabilities
<ul>
<li>Using vulnerable components</li><li>Assessing the environment</li><li>Hardening</li><li>Untrusted functionality import</li><li>Importing JavaScript</li><li>Lab – Importing JavaScript</li><li>Case study – The British Airways data breach</li><li>Vulnerability management
<ul>
<li>Patch management</li><li>Vulnerability databases</li><li>Lab – Finding vulnerabilities in third-party components</li></ul></li></ul></li></ul><p><strong>DAY 3</strong></p>
<p><strong>The OWASP Top Ten</strong>
</p>
<ul>
<li>Web application security beyond the Top Ten
<ul>
<li>Client-side security</li><li>Tabnabbing</li><li>Lab – Reverse tabnabbing</li><li>Frame sandboxing
<ul>
<li>Cross-Frame Scripting (XFS) attack</li><li>Lab – Clickjacking</li><li>Clickjacking beyond hijacking a click</li><li>Clickjacking protection best practices</li><li>Lab – Using CSP to prevent clickjacking</li></ul></li></ul></li></ul><p><strong>Common software security weaknesses</strong>
</p>
<ul>
<li>Input validation
<ul>
<li>Input validation principles
<ul>
<li>Blacklists and whitelists</li><li>Data validation techniques</li><li>Lab – Input validation</li><li>What to validate – the attack surface</li><li>Where to validate – defense in depth</li><li>How to validate – validation vs transformations</li><li>Output sanitization</li><li>Encoding challenges</li><li>Lab – Encoding challenges</li><li>Validation with regex</li><li>Regular expression denial of service (ReDoS)</li><li>Lab – Regular expression denial of service (ReDoS)</li><li>Dealing with ReDoS</li></ul></li><li>Integer handling problems
<ul>
<li>Representing signed numbers</li><li>Integer visualization</li><li>Integer overflow</li><li>Lab – Integer overflow</li><li>Signed / unsigned confusion</li><li>Case study – The Stockholm Stock Exchange</li><li>Lab – Signed / unsigned confusion</li><li>Integer truncation</li><li>Best practices
<ul>
<li>Upcasting</li><li>Precondition testing</li><li>Postcondition testing</li><li>Using big integer libraries</li><li>Integer handling in C#</li><li>Lab – Checked arithmetics</li></ul></li></ul></li><li>Unsafe reflection
<ul>
<li>Reflection without validation</li><li>Lab – Unsafe reflection</li></ul></li></ul></li><li>Code quality
<ul>
<li>Data handling
<ul>
<li>Initialization and cleanup
<ul>
<li>Class initialization cycles</li><li>Lab – Initialization cycles</li></ul></li></ul></li><li>Object oriented programming pitfalls
<ul>
<li>Inheritance and overriding</li><li>Mutability
<ul>
<li>Lab – Mutable object</li><li>Readonly collections</li></ul></li></ul></li></ul></li></ul><p><strong>Wrap up</strong>
</p>
<ul>
<li>Secure coding principles
<ul>
<li>Principles of robust programming by Matt Bishop</li><li>Secure design principles of Saltzer and Schröder</li></ul></li><li>And now what?
<ul>
<li>Software security sources and further reading</li><li>.NET and C# resources</li></ul></li></ul>- Getting familiar with essential cyber security concepts
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of C#
- Going beyond the low hanging fruits
- Managing vulnerabilities in third party components
- Identify vulnerabilities and their consequences
- Learn the security best practices in C#
- Input validation approaches and principlesGeneral C# and Web developmentC# developers working on Web applications- Cyber security basics
- The OWASP Top Ten
- Common software security weaknesses
- Wrap upDAY 1
Cyber security basics
- What is security?
- Threat and risk
- Cyber security threat types
- Consequences of insecure software
The OWASP Top Ten
- OWASP Top 10 – 2017
- A1 – Injection
- Injection principles
- Injection attacks
- SQL injection
- SQL injection basics
- Lab – SQL injection
- Attack techniques
- Content-based blind SQL injection
- Time-based blind SQL injection
- SQL injection best practices
- Input validation
- Parameterized queries
- Additional considerations
- Lab – Using prepared statements
- Case study – Hacking Fortnite accounts
- Code injection
- OS command injection
- Lab – Command injection
- OS command injection best practices
- Avoiding command injection with the right APIs
- Lab – Command injection best practices
- Case study – Command injection via ping
- Script injection
- General protection best practices
- A2 – Broken Authentication
- Authentication basics
- Multi-factor authentication
- Authentication weaknesses – spoofing
- Spoofing on the Web
- Case study – PayPal 2FA bypass
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Lab – Is just hashing passwords enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- Password policy
- NIST authenticator requirements for memorized secrets
- Case study – The Ashley Madison data breach
- The dictionary attack
- The ultimate crack
- Exploitation and the lessons learned
- Password database migration
- (Mis)handling null passwords
DAY 2
The OWASP Top Ten
- A2 – Broken Authentication
- Session management
- Session management essentials
- Session ID best practices
- Why do we protect session IDs – Session hijacking
- Session fixation
- Cross-site Request Forgery (CSRF)
- Lab – Cross-site Request Forgery
- CSRF best practices
- CSRF defense in depth
- Lab – CSRF protection with tokens
- Cookie security
- Cookie security best practices
- Cookie attributes
- A4 – XML External Entities (XXE)
- DTD and the entities
- Entity expansion
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-Side Request Forgery with external entities
- Lab – External entity attack
- Case study – XXE vulnerability in SAP Store
- Preventing XXE
- Lab – Prohibiting DTD
- A5 – Broken Access Control
- Access control basics
- Failure to restrict URL access
- Confused deputy
- Insecure direct object reference (IDOR)
- Lab – Insecure Direct Object Reference
- Authorization bypass through user-controlled keys
- Case study – Authorization bypass on Facebook
- Lab – Horizontal authorization
- File upload
- Unrestricted file upload
- Good practices
- Lab – Unrestricted file upload
- A7 – Cross-site Scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- Persistent cross-site scripting
- Reflected cross-site scripting
- Client-side (DOM-based) cross-site scripting
- Lab – Stored XSS
- Lab – Reflected XSS
- Case study – XSS in Fortnite accounts
- XSS protection best practices
- Protection principles – escaping
- XSS protection APIs
- Request validation in ASP.NET
- Further XSS protection techniques
- Lab – XSS fix / stored
- Lab – XSS fix / reflected
- Additional protection layers
- Client-side protection principles
- A8 – Insecure Deserialization
- Serialization and deserialization challenges
- Deserializing untrusted streams
- Deserialization best practices
- Property Oriented Programming (POP)
- Creating payload
- POP best practices
- Lab – Creating a POP payload
- Lab – Using the POP payload
- A9 – Using Components with Known Vulnerabilities
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Importing JavaScript
- Lab – Importing JavaScript
- Case study – The British Airways data breach
- Vulnerability management
- Patch management
- Vulnerability databases
- Lab – Finding vulnerabilities in third-party components
DAY 3
The OWASP Top Ten
- Web application security beyond the Top Ten
- Client-side security
- Tabnabbing
- Lab – Reverse tabnabbing
- Frame sandboxing
- Cross-Frame Scripting (XFS) attack
- Lab – Clickjacking
- Clickjacking beyond hijacking a click
- Clickjacking protection best practices
- Lab – Using CSP to prevent clickjacking
Common software security weaknesses
- Input validation
- Input validation principles
- Blacklists and whitelists
- Data validation techniques
- Lab – Input validation
- What to validate – the attack surface
- Where to validate – defense in depth
- How to validate – validation vs transformations
- Output sanitization
- Encoding challenges
- Lab – Encoding challenges
- Validation with regex
- Regular expression denial of service (ReDoS)
- Lab – Regular expression denial of service (ReDoS)
- Dealing with ReDoS
- Integer handling problems
- Representing signed numbers
- Integer visualization
- Integer overflow
- Lab – Integer overflow
- Signed / unsigned confusion
- Case study – The Stockholm Stock Exchange
- Lab – Signed / unsigned confusion
- Integer truncation
- Best practices
- Upcasting
- Precondition testing
- Postcondition testing
- Using big integer libraries
- Integer handling in C#
- Lab – Checked arithmetics
- Unsafe reflection
- Reflection without validation
- Lab – Unsafe reflection
- Code quality
- Data handling
- Initialization and cleanup
- Class initialization cycles
- Lab – Initialization cycles
- Object oriented programming pitfalls
- Inheritance and overriding
- Mutability
- Lab – Mutable object
- Readonly collections
Wrap up
- Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schröder
- And now what?
- Software security sources and further reading
- .NET and C# resources3 jours2250.002250.002250.002250.002250.002250.002250.002250.002250.002250.002250.00