وبلاگ بلیان

ADVANCED ASP.NET CORE 3.0 SECURITY : understanding hacks, attacks, and vulnerabilities to secure... your website

جلد کتاب ADVANCED ASP.NET CORE 3.0 SECURITY : understanding hacks, attacks, and vulnerabilities to secure... your website

معرفی کتاب «ADVANCED ASP.NET CORE 3.0 SECURITY : understanding hacks, attacks, and vulnerabilities to secure... your website» نوشتهٔ Scott Norberg، منتشرشده توسط نشر Apress : Imprint: Apress در سال 2020. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

Table of Contents About the Author About the Technical Reviewer Acknowledgments Introduction Chapter 1: Introducing ASP.NET Core Understanding Services How Services Are Created How Services Are Used Kestrel and IIS MVC vs. Razor Pages MVC Razor Pages Creating APIs Core vs. Framework vs. Standard Summary Chapter 2: General Security Concepts What Is Security? (CIA Triad) Confidentiality Integrity Availability Definition of “Hacker” The Anatomy of an Attack Reconnaissance Penetrate Expand Hide Evidence Catching Attackers in the Act Detecting Possible Criminal Activity Detection and Privacy Issues Honeypots Enticement vs. Entrapment When Are You Secure Enough? Finding Sensitive Information User Experience and Security Third-Party Components Zero-Day Attacks Threat Modeling Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Defining Security Terms Brute Force Attacks Attack Surface Security by Obscurity Man-in-the-Middle (MITM) Attacks Replay Attacks Fail Open vs. Fail Closed Separation of Duties Fuzzing Phishing and Spear Phishing Summary Chapter 3: Cryptography Symmetric Encryption Symmetric Encryption Types Symmetric Encryption Algorithms DES and Triple DES AES and Rijndael Problems with Block Encryption Symmetric Encryption in .NET Creating an Encryption Service Symmetric Encryption Using Bouncy Castle Hashing Uses for Hashing Hash Salts Hash Algorithms MD5 SHA (or SHA-1) SHA-2 SHA-3 PBKDF2, bcrypt, and scrypt Hashing and Searches Hashing in .NET SHA-3 Hashing with Bouncy Castle PBKDF2 Hashing in .NET Creating a Hashing .NET Service Asymmetric Encryption Digital Signatures Asymmetric Encryption in .NET Key Storage Don’t Create Your Own Algorithms Common Mistakes with Encryption Summary Chapter 4: Web Security Concepts Making a Connection HTTPS, SSL, and TLS Connection Process Anatomy of a Request Anatomy of a Response Response Codes 1XX – Informational 100 Continue 101 Switching Protocols 2XX – Success 200 OK 3XX – Redirection 301 Moved Permanently 302 Found 303 See Other 307 Temporary Redirect 4XX – Client Errors 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 5XX – Server Errors 500 Internal Server Error 502 Bad Gateway 503 Service Unavailable Headers Default ASP.NET Headers Cache-Control, Pragma, and Expires Server Set-Cookie X-Powered-By X-SourceFiles Security Headers Easily Configured in ASP.NET Strict-Transport-Security Cache-Control Security Headers Not in ASP.NET by Default X-Content-Type-Options X-Frame-Options X-XSS-Protection Content-Security-Policy Cross-Request Data Storage Cookies Cookie Scoping path samesite httponly Session Storage Hidden Fields HTML 5 Storage Cross-Request Data Storage Summary Insecure Direct Object References Burp Suite OWASP Top Ten A1: 2017 – Injection A2: 2017 – Broken Authentication A3: 2017 – Sensitive Data Exposure A4: 2017 – XML External Entities (XXE) A5: 2017 – Broken Access Control A6: 2017 – Security Misconfiguration A7: 2017 – Cross-Site Scripting (XSS) A8: 2017 – Insecure Deserialization A9: 2017 – Using Components with Known Vulnerabilities A10: 2017 – Insufficient Logging and Monitoring Summary Chapter 5: Understanding Common Attacks SQL Injection Union Based Error Based Boolean-Based Blind Time-Based Blind Second Order SQL Injection Summary Cross-Site Scripting (XSS) XSS and Value Shadowing Bypassing XSS Defenses Bypassing Script Tag Filtering Img Tags, Iframes, and Other Elements Attribute-Based Attacks Hijacking DOM Manipulation JavaScript Framework Injection Third-Party Libraries Consequences of XSS Cross-Site Request Forgery (CSRF) Bypassing Anti-CSRF Defenses Operating System Issues Directory Traversal Remote and Local File Inclusion OS Command Injection File Uploads and File Management Other Injection Types Clickjacking Unvalidated Redirects Session Hijacking Security Issues Mostly Fixed in ASP.NET Verb Tampering Response Splitting Parameter Pollution Business Logic Abuse Summary Chapter 6: Processing User Input Validation Attributes Validating File Uploads User Input and Retrieving Files CSRF Protection Extending Anti-CSRF Checks with IAntiforgeryAdditionalDataProvider CSRF and AJAX When CSRF Tokens Aren’t Enough Preventing Spam Mass Assignment Mass Assignment and Scaffolded Code Preventing XSS XSS Encoding XSS and JavaScript Frameworks CSP Headers and Avoiding Inline Code Ads, Trackers, and XSS Detecting Data Tampering Summary Chapter 7: Authentication and Authorization Problems with Passwords Too Many Passwords Are Easy to Guess Username/Password Forms Are Easy to Bypass Credential Reuse Stepping Back – How to Authenticate Stopping Credential Stuffing Default Authentication in ASP.NET Default Authentication Provider Claim-Based Security in ASP.NET How Session Tokens in ASP.NET Are Broken More Problems with the Default Authentication Provider Setting Up Something More Secure Fixing Password Hashes Protecting Usernames Preventing Information Leakage Making Usernames Case Sensitive Protecting Against Credential Stuffing Password History and Expiration Fixing Session Token Expiration Implementing Multifactor Authentication Using External Providers Enforcing Authentication for Access Using Session for Authentication Stepping Back – Authorizing Users Types of Access Control Role-Based Authorization in ASP.NET Using Claims-Based Authorization Implementing Other Types of Authorization Summary Chapter 8: Data Access and Storage Before Entity Framework ADO.NET Stored Procedures and SQL Injection Third-Party ORMs Digging into the Entity Framework Running Ad Hoc Queries Principle of Least Privilege and Deploying Changes Simplifying Filtering Filtering Using Hard-Coded Subqueries Filtering Using Expressions Easy Data Conversion with the ValueConverter Other Relational Databases Secure Database Design Use Multiple Connections Use Schemas Don’t Store Secrets with Data Avoid Using Built-In Database Encryption Test Database Backups Non-SQL Data Sources Summary Chapter 9: Logging and Error Handling New Logging in ASP.NET Core Where ASP.NET Core Logging Falls Short Logging and Compliance Building a Better System Why Are We Logging Potential Security Events? Better Logging in Action Security Logging for Framework Events PII and Logging Using Logging in Your Active Defenses Blocking Credential Stuffing with Logging Honeypots Proper Error Handling Catching Errors Summary Chapter 10: Setup and Configuration Setting Up Your Environment Web Server Security Keep Servers Separated Server Separation and Microservices A Note About Separation of Duties Storing Secrets SSL/TLS Allow Only TLS 1.2 and TLS 1.3 Setting Up HSTS Setting Up Headers Setting Up Page-Specific Headers Third-Party Components Monitoring Vulnerabilities Integrity Hashes Secure Your Test Environment Web Application Firewalls Summary Chapter 11: Secure Application Life Cycle Management Testing Tools DAST Tools DAST Scanner Strengths DAST Scanner Weaknesses Differences Between DAST Scanners SAST Tools Using Visual Studio Scanners as a SAST Scanner Final Notes About Free SAST Scanners Commercial SAST Scanner Quality SCA Tools IAST Tools Kali Linux Integrating Tools into Your CI/CD Process CI/CD with DAST Scanners CI/CD with SAST Scanners CI/CD with IAST Scanners Catching Problems Manually Code Reviews and Refactoring Hiring a Penetration Tester Reconnaissance Scanning and Enumeration Gaining Access Maintaining Access Covering Tracks When to Fix Problems Learning More Summary Index Incorporate security best practices into ASP.NET Core. This book covers security-related features available within the framework, explains where these feature may fall short, and delves into security topics rarely covered elsewhere. Get ready to dive deep into ASP.NET Core 3.1 source code, clarifying how particular features work and addressing how to fix problems. For straightforward use cases, the ASP.NET Core framework does a good job in preventing certain types of attacks from happening. But for some types of attacks, or situations that are not straightforward, there is very little guidance available on how to safely implement solutions. And worse, there is a lot of bad advice online on how to implement functionality, be it encrypting unsafely hard-coded parameters that need to be generated at runtime, or articles which advocate for certain solutions that are vulnerable to obvious injection attacks. Even more concerning is the functions in ASP.NET Core that are not as secure as they should be by default. Advanced ASP.NET Core 3 Security is designed to train developers to avoid these problems. Unlike the vast majority of security books that are targeted to network administrators, system administrators, or managers, this book is targeted specifically to ASP.NET developers. Author Scott Norberg begins by teaching developers how ASP.NET Core works behind the scenes by going directly into the framework's source code. Then he talks about how various attacks are performed using the very tools that penetration testers would use to hack into an application. He shows developers how to prevent these attacks. Finally, he covers the concepts developers need to know to do some testing on their own, without the help of a security professional. What You Will Learn Discern which attacks are easy to prevent, and which are more challenging, in the framework Dig into ASP.NET Core 3.1 source code to understand how the security services work Establish a baseline for understanding how to design more secure software Properly apply cryptography in software development Take a deep dive into web security concepts Validate input in a way that allows legitimate traffic but blocks malicious traffic Understand parameterized queries and why they are so important to ASP.NET Core Fix issues in a well-implemented solution Know how the new logging system in ASP.NET Core falls short of security needs Incorporate security into your software development process This book is for software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers and security professionals who work with a development team that uses ASP.NET Core. A basic understanding of web technologies such as HTML, JavaScript, and CSS is assumed, as is knowledge of how to create a website, and how to read and write C#. You do not need knowledge of security concepts, even those that are often covered in ASP.NET Core documentation. Scott Norberg is a web security specialist currently based in the Seattle, Washington area. He has almost 15 years of experience successfully delivering software products in a wide range of roles. As a security consultant, he has experience with many testing tools and techniques, including Dynamic (DAST) and Static (SAST) testing, as well as manual testing and reviewing source code. Along with the many websites he has designed and built with various versions of ASP.NET, he has performed security assessments for many more. While his language of choice is C#, he has also built websites, components, and other tools in F♯, VB.NET, Python, R, Java, and Pascal. He holds several certifications, including Microsoft Certified Technology Specialist (MCTS), certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) certification. He also has an MBA from Indiana University Incorporate security best practices into ASP.NET Core. This book covers security-related features available within the framework, explains where these feature may fall short, and delves into security topics rarely covered elsewhere. Get ready to dive deep into ASP.NET Core 3.1 source code, clarifying how particular features work and addressing how to fix problems. For straightforward use cases, the ASP.NET Core framework does a good job in preventing certain types of attacks from happening. But for some types of attacks, or situations that are not straightforward, there is very little guidance available on how to safely implement solutions. And worse, there is a lot of bad advice online on how to implement functionality, be it encrypting unsafely hard-coded parameters that need to be generated at runtime, or articles which advocate for certain solutions that are vulnerable to obvious injection attacks. Even more concerning is the functions in ASP.NET Core that are not as secure as they should be by default. Advanced ASP.NET Core 3 Security is designed to train developers to avoid these problems. Unlike the vast majority of security books that are targeted to network administrators, system administrators, or managers, this book is targeted specifically to ASP.NET developers. Author Scott Norberg begins by teaching developers how ASP.NET Core works behind the scenes by going directly into the framework's source code. Then he talks about how various attacks are performed using the very tools that penetration testers would use to hack into an application. He shows developers how to prevent these attacks. Finally, he covers the concepts developers need to know to do some testing on their own, without the help of a security professional. What You Will Learn Discern which attacks are easy to prevent, and which are more challenging, in the framework Dig into ASP.NET Core 3.1 source code to understand how the security services work Establish a baseline for understanding how to design more secure software Properly apply cryptography in software development Take a deep dive into web security concepts Validate input in a way that allows legitimate traffic but blocks malicious traffic Understand parameterized queries and why they are so important to ASP.NET Core Fix issues in a well-implemented solution Know how the new logging system in ASP.NET Core falls short of security needs Incorporate security into your software development process Who This Book Is For Software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers and security professionals who work with a development team that uses ASP.NET Core. A basic understanding of web technologies such as HTML, JavaScript, and CSS is assumed, as is knowledge of how to create a website, and how to read and write C#. You do not need knowledge of security concepts, even those that are often covered in ASP.NET Core documentation. Incorporate best practices with ASP.NET Core security. This book includes security-related features available in the framework, and security topics rarely covered elsewhere. It digs deep into the ASP.NET Core 3.1 source code, explaining how something works (or how to fix a problem). The ASP.NET Core framework does a good job in preventing certain types of attacks from happening, but there are many more non-trivial projects that invariably require developers to think outside the box. For that, there is very little guidance on how to safely venture beyond the simple use cases. And worse, there is a lot of bad advice online on how to implement functionality, be it encrypting unsafely hard-code parameters that need to be generated at runtime, to articles that advocate for certain solutions that are vulnerable to obvious injection attacks. This book aims to train developers to avoid these problems. Unlike the vast majority of security books that are targeted to network administrators, system administrators, or managers, this book is targeted specifically to ASP.NET developers. The book begins by teaching developers how ASP.NET Core works behind the scenes, then talks about how various attacks are performed and how to prevent them. Finally, it dives into the concepts a developer needs to know to do some testing on their own without the help of a security professional. What You Will Learn Discern which attacks are easy to prevent in the framework and which are challenging Dig into ASP.NET Core 3.1 source code to understand how the security services work Establish a baseline for understanding how to design more secure software Properly apply cryptography in software development Take a deep dive into web security concepts Validate input in a way that allows legitimate traffic but blocks malicious traffic Understand parameterized queries and why they are so important to ASP.NET Core Fix issues in a well-implemented solution Know how logging works and its weaknesses in ASP.NET Core Incorporate security in every phase of the software development process Who This Book Is For Software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers and security professionals who work with a development team that uses ASP.NET Core. A basic understanding of web technologies such as HTML, JavaScript, and CSS is assumed, as is knowledge of how to create a website, and how to read and write C#. You do not need knowledge of security concepts, even those that are often covered in ASP.NET Core documentation.
دانلود کتاب ADVANCED ASP.NET CORE 3.0 SECURITY : understanding hacks, attacks, and vulnerabilities to secure... your website