book

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

July 2021

Intermediate to advanced

324 pages

5h 35m

English

Packt Publishing

Read now

Unlock full access

ForewordContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedSectionsGetting readyHow to do it…How it works…There's more…See alsoGet in touchShare Your Thoughts
Technical requirementsInput validationEnabling whitelist validation using validation attributesGetting readyHow to do it…How it works…Whitelist validation using the FluentValidation libraryGetting readyHow to do it…How it works…There's more…See also…Syntactic and semantic validationCreating a custom validation attribute to implement semantic validationGetting readyHow to do it…How it works…Input sanitizationGetting readyHow to do it…How it works…Input sanitization using the HTMLSanitizer libraryGetting readyHow to do it…How it works…Output encodingOutput encoding using HtmlEncoderGetting readyHow to do it…How it works…Output encoding using UrlEncoderGetting readyHow to do it…How it works…Output encoding using JavascriptEncoderGetting readyHow to do it…How it works…Protecting sensitive data using the Data Protection APIGetting readyHow to do it…How it works…See also
Technical requirementsWhat is SQL injection?Fixing SQL injection with Entity FrameworkGetting readyHow to do it…How it works…There's more…Fixing SQL injection in ADO.NETGetting readyHow to do it…How it works…There's more…Fixing NoSQL injectionGetting readyHow to do it…How it works…There's more…Fixing command injectionGetting readyHow to do it…How it works…There's more…Fixing LDAP injectionGetting readyHow to do it…How it works…Fixing XPath injectionGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing the incorrect restrictions of excessive authentication attemptsGetting readyHow to do it…How it works…There's more…Fixing insufficiently protected credentialsGetting readyHow to do it…How it works…Fixing user enumerationGetting readyHow to do it…How it works…Fixing weak password requirementsGetting readyHow to do it…How it works…Fixing insufficient session expirationGetting readyHow to do it…How it works…
Technical requirementsFixing insufficient protection of data in transitGetting readyHow to do it…How it works…Fix missing HSTS headersGetting readyHow to do it…How it works…There's more…Fixing weak protocolsGetting readyHow to do it…How it works…Fixing hardcoded cryptographic keysGetting readyHow to do it…How it works…There's more…Disabling caching for critical web pagesGetting readyHow to do it…How it works…
Technical requirementsEnabling XML validationGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlDocumentGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlTextReaderGetting readyHow to do it…How it works…Fixing XXE injection with LINQ to XMLGetting readyHow to do it…How it works…
Technical requirementsFixing IDORGetting readyHow to do it…How it works…Fixing improper authorizationTesting improper authorizationGetting readyHow to do it…How it works…Fixing missing access controlGetting readyHow to do it…How it works…Fixing open redirect vulnerabilitiesGetting readyHow to do it…How it works…
Technical requirementsDisabling debugging features in non-development environmentsGetting readyHow to do it…How it works…Fixing disabled security featuresGetting readyHow to do it…How it works…Disabling unnecessary featuresGetting readyHow to do it…How it works…Fixing information exposure through an error messageGetting readyHow to do it…How it worksFixing information exposure through insecure cookiesGetting readyHow to do it…How it works
Technical requirementsFixing reflected XSSGetting readyHow to do it…How it works…Fixing stored/persistent XSSGetting readyHow it works…There's more…Fixing DOM XSSGetting readyHow to do it…How it works…

Technical requirementsFixing unsafe deserialization Getting readyTesting unsafe deserializationHow to do it…How it works…There's more…Fixing the use of insecure deserializersGetting readyHow to do it…How it works…There's more…Fixing untrusted data deserializationTesting untrusted data deserializationGetting readyHow to do it…How it works…
Technical requirementsFixing the use of a vulnerable third-party JavaScript libraryGetting readyTesting outdated and vulnerable third-party librariesHow to do it…How it works…There's more…See alsoFixing the use of a vulnerable NuGet packageGetting readyTesting vulnerable NuGet packagesHow to do it…How it works…Fixing the use of a library hosted from an untrusted sourceGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing insufficient logging of exceptionsGetting readyHow to do it…How it works…Fixing insufficient logging of DB transactionsHow to do it…How it works…Fixing excessive information loggingHow to do it…How it works…Fixing a lack of security monitoringHow to do it…How it works…There's more…
Technical requirementsFixing the disabled anti-Cross-Site Request Forgery protectionGetting readyHow to do it…How it works…There's more…Preventing Server-Side Request ForgeryGetting readyHow to do it…How it works…There's more…Preventing log injectionGetting readyHow to do it…How it works…There's more…Preventing HTTP response splittingGetting readyHow to do it…How it works…There's more…Preventing clickjackingGetting readyClickjacking proof of concept (PoC)How to do it…How it works…Fixing insufficient randomnessGetting readyHow to do it…How it works…
Technical requirementsGetting readyProper exception handlingGetting readyHow to do it…How it works…There's more…Using security-related cookie attributesGetting readyHow to do it…How it works…Using a Content Security PolicyGetting readyHow to do it…How it works…There's more…Fixing leftover debug codeGetting readyHow to do it…How it works…There's more…
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from ASP.NET Core 5 Secure Coding Cookbook

Chapter 2: Injection Flaws

Injection flaws in code can have the most devastating effects on ASP.NET Core web applications. The lack of validation and sanitization of untrusted input allows this vulnerability to be exploited, leading to the execution of arbitrary OS commands, authentication bypass, unexpected data manipulation, and content. At worse, it can disclose sensitive information and lead to an eventual data breach.

This chapter introduces you to various injection flaws and explains how you can remediate this security defect in code.

In this chapter, we're going to cover the following recipes:

Fixing SQL injection with Entity Framework
Fixing SQL injection in ADO.NET
Fixing NoSQL injection
Fixing command injection
Fixing LDAP injection ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Hands-On RESTful Web Services with ASP.NET Core 3

Publisher Resources

ISBN: 9781801071567Supplemental Content

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

Chapter 2: Injection Flaws

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Hands-On RESTful Web Services with ASP.NET Core 3

ASP.NET Core and Vue.js

ASP.NET Core Security

Customizing ASP.NET Core 5.0

Publisher Resources

Chapter 2: Injection Flaws

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Hands-On RESTful Web Services with ASP.NET Core 3

ASP.NET Core and Vue.js

ASP.NET Core Security

Customizing ASP.NET Core 5.0

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.