book

ASP.NET Core Security

by Christian Wenz

July 2022

Beginner to intermediate

368 pages

9h 48m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: a roadmapAbout the codeliveBook discussion forumabout the authorabout the cover illustration
1.1 ASP.NET Core: History and options1.1.1 ASP.NET Core version history1.1.2 MVC1.1.3 Razor Pages1.1.4 Web API1.1.5 Blazor1.2 Identifying and mitigating threats1.2.1 Web application components1.2.2 Defense in depth1.3 Security-related APIs1.4 Security is importantSummary
2.1 Anatomy of a cross-site scripting attack2.2 Preventing cross-site scripting2.2.1 Understanding the same-origin policy2.2.2 Escaping HTML2.2.3 Escaping in a different context2.3 Content Security Policy2.3.1 Sample application2.3.2 How Content Security Policy works2.3.3 Refactoring applications for Content Security Policy2.3.4 Content Security Policy best practices2.3.5 Content Security Policy Level 3 features2.4 More browser safeguardsSummary
3.1 Anatomy of a session management attack3.1.1 Stealing session cookies3.1.2 Cookies and session management3.2 ASP.NET Core cookie and session settings3.3 Enforcing HTTPS3.4 Detecting session hijackingSummary

4.1 Anatomy of a cross-site request forgery attack4.2 Cross-site request forgery countermeasures4.2.1 Making the HTTP request unpredictable4.2.2 Securing the session cookie4.3 Clickjacking4.4 Cross-origin resource sharingSummary
5.1 Looking at HTTP5.2 ASP.NET Core validation5.3 Mass assignment5.4 Secure deserializationSummary
6.1 Anatomy of an SQL injection attack6.2 Prepared statements6.3 Entity Framework Core6.4 XML external entities6.5 Other injectionsSummary
7.1 On encryption7.2 Secret Manager7.3 The appsettings.json file7.4 Storing secrets in the cloud7.4.1 Storing secrets in Azure7.4.2 Storing secrets in AWS7.4.3 Storing secrets in Google Cloud7.5 Using the data protection API7.6 Storing secrets locally with BlazorSummary
8.1 From data leak to password theft8.2 Implementing password hashing8.2.1 MD5 (and why not to use it)8.2.2 PBKDF28.2.3 Argon28.2.4 scrypt8.2.5 bcrypt8.3 Analyzing ASP.NET Core templatesSummary
9.1 Hiding server information9.2 Browser security headers9.2.1 Referrer Policy9.2.2 Feature and permissions policy9.2.3 Preventing content sniffing9.2.4 Cross-origin policies9.2.5 Further headersSummary
10.1 Error pages for web applications10.1.1 Custom error pages10.1.2 Status code error pages10.2 Handling errors in APIsSummary
11.1 Health checks11.1.1 Health check setup11.1.2 Advanced heath checks11.1.3 Formatting the output11.1.4 Health checks UI11.2 Logging11.2.1 Creating log entries11.2.2 Log levels11.2.3 Log scopesSummary
12.1 ASP.NET Core Identity setup12.2 ASP.NET Core Identity fundamentals12.3 Advanced ASP.NET Core Identity features12.3.1 Password options12.3.2 Cookie options12.3.3 Locking out users12.3.4 Working with claims12.3.5 Two-factor authentication12.3.6 Authenticating with external providersSummary
13.1 Securing APIs with tokens13.2 OAuth and OpenID Connect13.2.1 OAuth vs. OpenID Connect13.2.2 OAuth flows13.3 Securing applications13.3.1 Third-party tools13.3.2 Client credentials13.3.3 Authorization code + PKCE13.3.4 SPAs and BFFSummary
14.1 Using npm audit14.2 Keeping NuGet dependencies up-to-dateSummary
15.1 Finding vulnerabilities15.2 OWASP ZAP15.3 Security Code Scan15.4 GitHub Advanced SecuritySummary
16.1 OWASP Top 1016.1.1 Top 10 creation process16.1.2 #1: Broken access control16.1.3 #2: Cryptographic failures16.1.4 #3: Injection16.1.5 #4: Insecure design16.1.6 #5: Security misconfiguration16.1.7 #6: Vulnerable and outdated components16.1.8 #7: Identification and authentication failures16.1.9 #8: Software and data integrity failures16.1.10 #9: Security logging and monitoring failures16.1.11 #10: Server-side request forgery16.2 OWASP API Top 1016.3 Other listsSummary

Content preview from ASP.NET Core Security

15 Audit tools

This chapter covers

Finding security vulnerabilities in a web application
Using OWASP ZAP to automatically scan for vulnerabilities
Using Security Code Scan and other static code analyzers
Learning how GitHub Advanced Security helps find security issues

In September 2019, GitHub acquired Semmle, a company providing a code analysis platform for securing software. About a year later, they had integrated and improved the code analysis service and published the results of a 5-month beta phase: 12,000 repositories were scanned, and over 20,000 security issues were identified (see http://mng.bz/woA2).

Not all security issues are visible when just looking at the code, especially for websites. As we have discussed previously in this ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Pro ASP.NET Core Identity: Under the Hood with Authentication and Authorization in ASP.NET Core 5 and 6 Applications

Adam Freeman

ASP.NET Core 5 Secure Coding Cookbook

Roman Canlas

Advanced ASP.NET Core 3 Security: Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website

Scott Norberg

Hands-On RESTful Web Services with ASP.NET Core 3

Samuele Resca

Publisher Resources

ISBN: 9781633439986Publisher Support Other Publisher Website Supplemental Content Errata Page Purchase Link