book

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

July 2021

Intermediate to advanced

324 pages

5h 35m

English

Packt Publishing

Read now

Unlock full access

ForewordContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedSectionsGetting readyHow to do it…How it works…There's more…See alsoGet in touchShare Your Thoughts
Technical requirementsInput validationEnabling whitelist validation using validation attributesGetting readyHow to do it…How it works…Whitelist validation using the FluentValidation libraryGetting readyHow to do it…How it works…There's more…See also…Syntactic and semantic validationCreating a custom validation attribute to implement semantic validationGetting readyHow to do it…How it works…Input sanitizationGetting readyHow to do it…How it works…Input sanitization using the HTMLSanitizer libraryGetting readyHow to do it…How it works…Output encodingOutput encoding using HtmlEncoderGetting readyHow to do it…How it works…Output encoding using UrlEncoderGetting readyHow to do it…How it works…Output encoding using JavascriptEncoderGetting readyHow to do it…How it works…Protecting sensitive data using the Data Protection APIGetting readyHow to do it…How it works…See also
Technical requirementsWhat is SQL injection?Fixing SQL injection with Entity FrameworkGetting readyHow to do it…How it works…There's more…Fixing SQL injection in ADO.NETGetting readyHow to do it…How it works…There's more…Fixing NoSQL injectionGetting readyHow to do it…How it works…There's more…Fixing command injectionGetting readyHow to do it…How it works…There's more…Fixing LDAP injectionGetting readyHow to do it…How it works…Fixing XPath injectionGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing the incorrect restrictions of excessive authentication attemptsGetting readyHow to do it…How it works…There's more…Fixing insufficiently protected credentialsGetting readyHow to do it…How it works…Fixing user enumerationGetting readyHow to do it…How it works…Fixing weak password requirementsGetting readyHow to do it…How it works…Fixing insufficient session expirationGetting readyHow to do it…How it works…
Technical requirementsFixing insufficient protection of data in transitGetting readyHow to do it…How it works…Fix missing HSTS headersGetting readyHow to do it…How it works…There's more…Fixing weak protocolsGetting readyHow to do it…How it works…Fixing hardcoded cryptographic keysGetting readyHow to do it…How it works…There's more…Disabling caching for critical web pagesGetting readyHow to do it…How it works…
Technical requirementsEnabling XML validationGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlDocumentGetting readyHow to do it…How it works…There's more…Fixing XXE injection with XmlTextReaderGetting readyHow to do it…How it works…Fixing XXE injection with LINQ to XMLGetting readyHow to do it…How it works…
Technical requirementsFixing IDORGetting readyHow to do it…How it works…Fixing improper authorizationTesting improper authorizationGetting readyHow to do it…How it works…Fixing missing access controlGetting readyHow to do it…How it works…Fixing open redirect vulnerabilitiesGetting readyHow to do it…How it works…
Technical requirementsDisabling debugging features in non-development environmentsGetting readyHow to do it…How it works…Fixing disabled security featuresGetting readyHow to do it…How it works…Disabling unnecessary featuresGetting readyHow to do it…How it works…Fixing information exposure through an error messageGetting readyHow to do it…How it worksFixing information exposure through insecure cookiesGetting readyHow to do it…How it works
Technical requirementsFixing reflected XSSGetting readyHow to do it…How it works…Fixing stored/persistent XSSGetting readyHow it works…There's more…Fixing DOM XSSGetting readyHow to do it…How it works…

Technical requirementsFixing unsafe deserialization Getting readyTesting unsafe deserializationHow to do it…How it works…There's more…Fixing the use of insecure deserializersGetting readyHow to do it…How it works…There's more…Fixing untrusted data deserializationTesting untrusted data deserializationGetting readyHow to do it…How it works…
Technical requirementsFixing the use of a vulnerable third-party JavaScript libraryGetting readyTesting outdated and vulnerable third-party librariesHow to do it…How it works…There's more…See alsoFixing the use of a vulnerable NuGet packageGetting readyTesting vulnerable NuGet packagesHow to do it…How it works…Fixing the use of a library hosted from an untrusted sourceGetting readyHow to do it…How it works…There's more…
Technical requirementsFixing insufficient logging of exceptionsGetting readyHow to do it…How it works…Fixing insufficient logging of DB transactionsHow to do it…How it works…Fixing excessive information loggingHow to do it…How it works…Fixing a lack of security monitoringHow to do it…How it works…There's more…
Technical requirementsFixing the disabled anti-Cross-Site Request Forgery protectionGetting readyHow to do it…How it works…There's more…Preventing Server-Side Request ForgeryGetting readyHow to do it…How it works…There's more…Preventing log injectionGetting readyHow to do it…How it works…There's more…Preventing HTTP response splittingGetting readyHow to do it…How it works…There's more…Preventing clickjackingGetting readyClickjacking proof of concept (PoC)How to do it…How it works…Fixing insufficient randomnessGetting readyHow to do it…How it works…
Technical requirementsGetting readyProper exception handlingGetting readyHow to do it…How it works…There's more…Using security-related cookie attributesGetting readyHow to do it…How it works…Using a Content Security PolicyGetting readyHow to do it…How it works…There's more…Fixing leftover debug codeGetting readyHow to do it…How it works…There's more…
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from ASP.NET Core 5 Secure Coding Cookbook

Chapter 6: Broken Access Control

Authorization is just as significant and essential as authentication. It defines what an authenticated user can perform and execute, and resources and web pages need to have defined privileges to limit unauthorized access. Permission bypass and missing or improper access controls are some of the broken access control vulnerabilities discovered in an ASP.NET Core web application.

In this chapter, we're going to cover the following recipes:

Fixing insecure direct object references (IDOR)
Fixing improper authorization
Fixing missing access control
Fixing open redirect vulnerabilities

By the end of this chapter, you will have learned how to use the built-in authorization mechanism in ASP.NET Core. You will properly ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Hands-On RESTful Web Services with ASP.NET Core 3

Publisher Resources

ISBN: 9781801071567Supplemental Content

ASP.NET Core 5 Secure Coding Cookbook

by Roman Canlas

Chapter 6: Broken Access Control

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Hands-On RESTful Web Services with ASP.NET Core 3

ASP.NET Core and Vue.js

ASP.NET Core Security

Customizing ASP.NET Core 5.0

Publisher Resources

Chapter 6: Broken Access Control

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Hands-On RESTful Web Services with ASP.NET Core 3

ASP.NET Core and Vue.js

ASP.NET Core Security

Customizing ASP.NET Core 5.0

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.