book

ASP.NET Core Security

Name: ASP.NET Core Security
Author: Christian Wenz
ISBN: 9781633439986

by Christian Wenz

July 2022

Beginner to intermediate

368 pages

9h 48m

English

Manning Publications

Read now

Unlock full access

ASP.NET Core Security
Copyright
dedication
contents
front matter
prefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: a roadmapAbout the codeliveBook discussion forumabout the authorabout the cover illustration
Part 1 First steps
1 On web application security
1.1 ASP.NET Core: History and options1.1.1 ASP.NET Core version history1.1.2 MVC1.1.3 Razor Pages1.1.4 Web API1.1.5 Blazor1.2 Identifying and mitigating threats1.2.1 Web application components1.2.2 Defense in depth1.3 Security-related APIs1.4 Security is importantSummary
Part 2 Mitigating common attacks
2 Cross-site scripting (XSS)
2.1 Anatomy of a cross-site scripting attack2.2 Preventing cross-site scripting2.2.1 Understanding the same-origin policy2.2.2 Escaping HTML2.2.3 Escaping in a different context2.3 Content Security Policy2.3.1 Sample application2.3.2 How Content Security Policy works2.3.3 Refactoring applications for Content Security Policy2.3.4 Content Security Policy best practices2.3.5 Content Security Policy Level 3 features2.4 More browser safeguardsSummary
3 Attacking session management
3.1 Anatomy of a session management attack3.1.1 Stealing session cookies3.1.2 Cookies and session management3.2 ASP.NET Core cookie and session settings3.3 Enforcing HTTPS3.4 Detecting session hijackingSummary

4 Cross-site request forgery
4.1 Anatomy of a cross-site request forgery attack4.2 Cross-site request forgery countermeasures4.2.1 Making the HTTP request unpredictable4.2.2 Securing the session cookie4.3 Clickjacking4.4 Cross-origin resource sharingSummary
5 Unvalidated data
5.1 Looking at HTTP5.2 ASP.NET Core validation5.3 Mass assignment5.4 Secure deserializationSummary
6 SQL injection (and other injections)
6.1 Anatomy of an SQL injection attack6.2 Prepared statements6.3 Entity Framework Core6.4 XML external entities6.5 Other injectionsSummary
Part 3 Secure data storage
7 Storing secrets
7.1 On encryption7.2 Secret Manager7.3 The appsettings.json file7.4 Storing secrets in the cloud7.4.1 Storing secrets in Azure7.4.2 Storing secrets in AWS7.4.3 Storing secrets in Google Cloud7.5 Using the data protection API7.6 Storing secrets locally with BlazorSummary
8 Handling passwords
8.1 From data leak to password theft8.2 Implementing password hashing8.2.1 MD5 (and why not to use it)8.2.2 PBKDF28.2.3 Argon28.2.4 scrypt8.2.5 bcrypt8.3 Analyzing ASP.NET Core templatesSummary
Part 4 Configuration
9 HTTP headers
9.1 Hiding server information9.2 Browser security headers9.2.1 Referrer Policy9.2.2 Feature and permissions policy9.2.3 Preventing content sniffing9.2.4 Cross-origin policies9.2.5 Further headersSummary
10 Error handling
10.1 Error pages for web applications10.1.1 Custom error pages10.1.2 Status code error pages10.2 Handling errors in APIsSummary
11 Logging and health checks
11.1 Health checks11.1.1 Health check setup11.1.2 Advanced heath checks11.1.3 Formatting the output11.1.4 Health checks UI11.2 Logging11.2.1 Creating log entries11.2.2 Log levels11.2.3 Log scopesSummary
Part 5 Authentication and authorization
12 Securing web applications with ASP.NET Core Identity
12.1 ASP.NET Core Identity setup12.2 ASP.NET Core Identity fundamentals12.3 Advanced ASP.NET Core Identity features12.3.1 Password options12.3.2 Cookie options12.3.3 Locking out users12.3.4 Working with claims12.3.5 Two-factor authentication12.3.6 Authenticating with external providersSummary
13 Securing APIs and single page applications
13.1 Securing APIs with tokens13.2 OAuth and OpenID Connect13.2.1 OAuth vs. OpenID Connect13.2.2 OAuth flows13.3 Securing applications13.3.1 Third-party tools13.3.2 Client credentials13.3.3 Authorization code + PKCE13.3.4 SPAs and BFFSummary
Part 6 Security as a process
14 Secure dependencies
14.1 Using npm audit14.2 Keeping NuGet dependencies up-to-dateSummary
15 Audit tools
15.1 Finding vulnerabilities15.2 OWASP ZAP15.3 Security Code Scan15.4 GitHub Advanced SecuritySummary
16 OWASP Top 10
16.1 OWASP Top 1016.1.1 Top 10 creation process16.1.2 #1: Broken access control16.1.3 #2: Cryptographic failures16.1.4 #3: Injection16.1.5 #4: Insecure design16.1.6 #5: Security misconfiguration16.1.7 #6: Vulnerable and outdated components16.1.8 #7: Identification and authentication failures16.1.9 #8: Software and data integrity failures16.1.10 #9: Security logging and monitoring failures16.1.11 #10: Server-side request forgery16.2 OWASP API Top 1016.3 Other listsSummary
index
inside back cover

Overview

Secure your ASP.NET applications before you get hacked! This practical guide includes secure coding techniques with annotated examples and full coverage of built-in ASP.NET Core security tools.

In ASP.NET Core Security, you will learn how to:

Understand and recognize common web app attacks
Implement attack countermeasures
Use testing and scanning tools and libraries
Activate built-in browser security features from ASP.NET
Take advantage of .NET and ASP.NET Core security APIs
Manage passwords to minimize damage from a data leak
Securely store application secrets

ASP.NET Core Security teaches you the skills and countermeasures you need to keep your ASP.NET Core apps secure from the most common web application attacks. With this collection of practical techniques, you will be able to anticipate risks and introduce practices like testing as regular security checkups. You’ll be fascinated as the author explores real-world security breaches, including rogue Firefox extensions and Adobe password thefts. The examples present universal security best practices with a sharp focus on the unique needs of ASP.NET Core applications.

About the Technology
Your ASP.NET Core applications are under attack now. Are you ready? Th ere are specific countermeasures you can apply to keep your company out of the headlines. This book demonstrates exactly how to secure ASP.NET Core web applications, including safe browser interactions, recognizing common threats, and deploying the framework’s unique security APIs.

About the Book
ASP.NET Core Security is a realistic guide to securing your web applications. It starts on the dark side, exploring case studies of cross-site scripting, SQL injection, and other weapons used by hackers. As you go, you’ll learn how to implement countermeasures, activate browser security features, minimize attack damage, and securely store application secrets. Detailed ASP.NET Core code samples in C# show you how each technique looks in practice.

What's Inside

Understand and recognize common web app attacks
Testing tools, helper libraries, and scanning tools
Activate built-in browser security features
Take advantage of .NET and ASP.NET Core security APIs
Manage passwords to minimize damage from a data leak

About the Reader
For experienced ASP.NET Core web developers.

About the Author
Christian Wenz is a web pioneer, consultant, and entrepreneur.

Quotes
The best book I’ve found on ASP.NET security. Goes into details that I never even thought about, which is a little scary. Great job!
- Tom Gueth, Binary Star Technology

If you care about security, you need to read this book.
- Darren Gillis, Alibi Software

Even experienced security professionals will learn something new from this book.
- Dorogoy Dmitry Sergevich, One Inc

Clear and detailed. This book is a joy, and I highly recommend it for beginners and advanced developers alike.
- Nik Rimington, Spindogs

Write secure code by thinking how others will try to break it.
- Marcin Sęk, e-Xim IT

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Advanced ASP.NET Core 3 Security: Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website

Publisher Resources

ISBN: 9781633439986Publisher Support Publisher Website Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills