book

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

July 2021

Intermediate to advanced

324 pages

5h 35m

English

Packt Publishing

Read now

Unlock full access

ForewordContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedSectionsGetting readyHow to do it…How it works…There's more…See alsoGet in touchShare Your Thoughts
Technical requirementsInput validationEnabling whitelist validation using validation attributesGetting readyHow to do it…How it works…Whitelist validation using the FluentValidation libraryGetting readyHow to do it…How it works…There's more…See also…Syntactic and semantic validationCreating a custom validation attribute to implement semantic validationGetting readyHow to do it…How it works…Input sanitizationGetting readyHow to do it…How it works…Input sanitization using the HTMLSanitizer libraryGetting readyHow to do it…How it works…Output encodingOutput encoding using HtmlEncoderGetting readyHow to do it…How it works…Output encoding using UrlEncoderGetting readyHow to do it…How it works…Output encoding using JavascriptEncoderGetting readyHow to do it…How it works…Protecting sensitive data using the Data Protection APIGetting readyHow to do it…How it works…See also
Technical requirementsWhat is SQL injection?Fixing SQL injection with Entity FrameworkGetting readyHow to do it…How it works…There's more…Fixing SQL injection in ADO.NETGetting readyHow to do it…How it works…There's more…Fixing NoSQL injectionGetting readyHow to do it…How it works…There's more…Fixing command injectionGetting readyHow to do it…How it works…There's more…Fixing LDAP injectionGetting readyHow to do it…How it works…Fixing XPath injectionGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing the incorrect restrictions of excessive authentication attemptsGetting readyHow to do it…How it works…There's more…Fixing insufficiently protected credentialsGetting readyHow to do it…How it works…Fixing user enumerationGetting readyHow to do it…How it works…Fixing weak password requirementsGetting readyHow to do it…How it works…Fixing insufficient session expirationGetting readyHow to do it…How it works…
Technical requirementsFixing insufficient protection of data in transitGetting readyHow to do it…How it works…Fix missing HSTS headersGetting readyHow to do it…How it works…There's more…Fixing weak protocolsGetting readyHow to do it…How it works…Fixing hardcoded cryptographic keysGetting readyHow to do it…How it works…There's more…Disabling caching for critical web pagesGetting readyHow to do it…How it works…
Technical requirementsEnabling XML validationGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlDocumentGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlTextReaderGetting readyHow to do it…How it works…Fixing XXE injection with LINQ to XMLGetting readyHow to do it…How it works…
Technical requirementsFixing IDORGetting readyHow to do it…How it works…Fixing improper authorizationTesting improper authorizationGetting readyHow to do it…How it works…Fixing missing access controlGetting readyHow to do it…How it works…Fixing open redirect vulnerabilitiesGetting readyHow to do it…How it works…
Technical requirementsDisabling debugging features in non-development environmentsGetting readyHow to do it…How it works…Fixing disabled security featuresGetting readyHow to do it…How it works…Disabling unnecessary featuresGetting readyHow to do it…How it works…Fixing information exposure through an error messageGetting readyHow to do it…How it worksFixing information exposure through insecure cookiesGetting readyHow to do it…How it works
Technical requirementsFixing reflected XSSGetting readyHow to do it…How it works…Fixing stored/persistent XSSGetting readyHow it works…There's more…Fixing DOM XSSGetting readyHow to do it…How it works…

Technical requirementsFixing unsafe deserialization Getting readyTesting unsafe deserializationHow to do it…How it works…There's more…Fixing the use of insecure deserializersGetting readyHow to do it…How it works…There's more…Fixing untrusted data deserializationTesting untrusted data deserializationGetting readyHow to do it…How it works…
Technical requirementsFixing the use of a vulnerable third-party JavaScript libraryGetting readyTesting outdated and vulnerable third-party librariesHow to do it…How it works…There's more…See alsoFixing the use of a vulnerable NuGet packageGetting readyTesting vulnerable NuGet packagesHow to do it…How it works…Fixing the use of a library hosted from an untrusted sourceGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing insufficient logging of exceptionsGetting readyHow to do it…How it works…Fixing insufficient logging of DB transactionsHow to do it…How it works…Fixing excessive information loggingHow to do it…How it works…Fixing a lack of security monitoringHow to do it…How it works…There's more…
Technical requirementsFixing the disabled anti-Cross-Site Request Forgery protectionGetting readyHow to do it…How it works…There's more…Preventing Server-Side Request ForgeryGetting readyHow to do it…How it works…There's more…Preventing log injectionGetting readyHow to do it…How it works…There's more…Preventing HTTP response splittingGetting readyHow to do it…How it works…There's more…Preventing clickjackingGetting readyClickjacking proof of concept (PoC)How to do it…How it works…Fixing insufficient randomnessGetting readyHow to do it…How it works…
Technical requirementsGetting readyProper exception handlingGetting readyHow to do it…How it works…There's more…Using security-related cookie attributesGetting readyHow to do it…How it works…Using a Content Security PolicyGetting readyHow to do it…How it works…There's more…Fixing leftover debug codeGetting readyHow to do it…How it works…There's more…
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from ASP.NET Core 5 Secure Coding Cookbook

Chapter 5: XML External Entities

eXtensible Markup Language (XML) is a standard markup language that's used to define data. XML is also a format that an ASP.NET Core web application can use to parse information. To achieve this, a developer can use any number of .NET XML parsers readily available in the framework.

XML being a source of input is likely to be prone to malicious data injection. A feature called XML External Entity (XXE) allows XML to define a custom entity using a URL or file path. This ability to represent external entities in XML can be abused or exploited. Unrestricted external entity references can allow attackers to send sensitive information and files outside the applications' trusted domains and into the perpetrator-controlled ...