Edition: 1
Authors: Scott Norberg
Series:
ISBN: 1484260139, 9781484260135
Publisher: Apress
Year of publication: 2020
Number of pages: 416
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 5 MB
If you need the book Advanced ASP.NET Core 3 Security: Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website converted to PDF, EPUB, AZW3, MOBI or DJVU, notify support and they will convert the file for you.
Note that Advanced ASP.NET Core 3 Security: Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website is the original English-language edition and not a Persian translation. The International Library website offers original-language books only and does not offer any books translated into or written in Persian.
Incorporate best practices with ASP.NET Core security. This book covers the security-related features available in the framework, as well as security topics rarely covered elsewhere. It digs deep into the ASP.NET Core 3.1 source code, explaining how each feature works (or how to fix a problem when it does not work as expected).
What You Will Learn
Who This Book Is For
Software developers who have experience creating websites in ASP.NET and want to know how to make their websites secure from hackers, and security professionals who work with a development team that uses ASP.NET Core. A basic understanding of web technologies such as HTML, JavaScript, and CSS is assumed, as is knowledge of how to create a website and how to read and write C#. You do not need prior knowledge of security concepts, even those that are often covered in the ASP.NET Core documentation.
Table of Contents

About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Chapter 1: Introducing ASP.NET Core
  Understanding Services: How Services Are Created; How Services Are Used
  Kestrel and IIS
  MVC vs. Razor Pages: MVC; Razor Pages
  Creating APIs
  Core vs. Framework vs. Standard
  Summary

Chapter 2: General Security Concepts
  What Is Security? (CIA Triad): Confidentiality; Integrity; Availability
  Definition of "Hacker"
  The Anatomy of an Attack: Reconnaissance; Penetrate; Expand; Hide Evidence
  Catching Attackers in the Act: Detecting Possible Criminal Activity; Detection and Privacy Issues; Honeypots; Enticement vs. Entrapment
  When Are You Secure Enough?
  Finding Sensitive Information
  User Experience and Security
  Third-Party Components
  Zero-Day Attacks
  Threat Modeling: Spoofing; Tampering; Repudiation; Information Disclosure; Denial of Service; Elevation of Privilege
  Defining Security Terms: Brute Force Attacks; Attack Surface; Security by Obscurity; Man-in-the-Middle (MITM) Attacks; Replay Attacks; Fail Open vs. Fail Closed; Separation of Duties; Fuzzing; Phishing and Spear Phishing
  Summary

Chapter 3: Cryptography
  Symmetric Encryption: Symmetric Encryption Types; Symmetric Encryption Algorithms (DES and Triple DES; AES and Rijndael); Problems with Block Encryption; Symmetric Encryption in .NET (Creating an Encryption Service; Symmetric Encryption Using Bouncy Castle)
  Hashing: Uses for Hashing; Hash Salts; Hash Algorithms (MD5; SHA (or SHA-1); SHA-2; SHA-3; PBKDF2, bcrypt, and scrypt); Hashing and Searches; Hashing in .NET (SHA-3 Hashing with Bouncy Castle; PBKDF2 Hashing in .NET; Creating a Hashing .NET Service)
  Asymmetric Encryption: Digital Signatures; Asymmetric Encryption in .NET
  Key Storage
  Don't Create Your Own Algorithms
  Common Mistakes with Encryption
  Summary

Chapter 4: Web Security Concepts
  Making a Connection: HTTPS, SSL, and TLS; Connection Process
  Anatomy of a Request
  Anatomy of a Response
    Response Codes: 1XX – Informational (100 Continue; 101 Switching Protocols); 2XX – Success (200 OK); 3XX – Redirection (301 Moved Permanently; 302 Found; 303 See Other; 307 Temporary Redirect); 4XX – Client Errors (400 Bad Request; 401 Unauthorized; 403 Forbidden; 404 Not Found); 5XX – Server Errors (500 Internal Server Error; 502 Bad Gateway; 503 Service Unavailable)
    Headers: Default ASP.NET Headers (Cache-Control, Pragma, and Expires; Server; Set-Cookie; X-Powered-By; X-SourceFiles); Security Headers Easily Configured in ASP.NET (Strict-Transport-Security; Cache-Control); Security Headers Not in ASP.NET by Default (X-Content-Type-Options; X-Frame-Options; X-XSS-Protection; Content-Security-Policy)
  Cross-Request Data Storage: Cookies (Cookie Scoping: path, samesite, httponly); Session Storage; Hidden Fields; HTML 5 Storage; Cross-Request Data Storage Summary
  Insecure Direct Object References
  Burp Suite
  OWASP Top Ten: A1:2017 – Injection; A2:2017 – Broken Authentication; A3:2017 – Sensitive Data Exposure; A4:2017 – XML External Entities (XXE); A5:2017 – Broken Access Control; A6:2017 – Security Misconfiguration; A7:2017 – Cross-Site Scripting (XSS); A8:2017 – Insecure Deserialization; A9:2017 – Using Components with Known Vulnerabilities; A10:2017 – Insufficient Logging and Monitoring
  Summary

Chapter 5: Understanding Common Attacks
  SQL Injection: Union Based; Error Based; Boolean-Based Blind; Time-Based Blind; Second Order; SQL Injection Summary
  Cross-Site Scripting (XSS): XSS and Value Shadowing; Bypassing XSS Defenses (Bypassing Script Tag Filtering; Img Tags, Iframes, and Other Elements; Attribute-Based Attacks; Hijacking DOM Manipulation; JavaScript Framework Injection; Third-Party Libraries); Consequences of XSS
  Cross-Site Request Forgery (CSRF): Bypassing Anti-CSRF Defenses
  Operating System Issues: Directory Traversal; Remote and Local File Inclusion; OS Command Injection; File Uploads and File Management
  Other Injection Types
  Clickjacking
  Unvalidated Redirects
  Session Hijacking
  Security Issues Mostly Fixed in ASP.NET: Verb Tampering; Response Splitting; Parameter Pollution
  Business Logic Abuse
  Summary

Chapter 6: Processing User Input
  Validation Attributes
  Validating File Uploads
  User Input and Retrieving Files
  CSRF Protection: Extending Anti-CSRF Checks with IAntiforgeryAdditionalDataProvider; CSRF and AJAX; When CSRF Tokens Aren't Enough
  Preventing Spam
  Mass Assignment: Mass Assignment and Scaffolded Code
  Preventing XSS: XSS Encoding; XSS and JavaScript Frameworks; CSP Headers and Avoiding Inline Code; Ads, Trackers, and XSS
  Detecting Data Tampering
  Summary

Chapter 7: Authentication and Authorization
  Problems with Passwords: Too Many Passwords Are Easy to Guess; Username/Password Forms Are Easy to Bypass; Credential Reuse
  Stepping Back – How to Authenticate
  Stopping Credential Stuffing
  Default Authentication in ASP.NET: Default Authentication Provider; Claim-Based Security in ASP.NET; How Session Tokens in ASP.NET Are Broken; More Problems with the Default Authentication Provider
  Setting Up Something More Secure: Fixing Password Hashes; Protecting Usernames (Preventing Information Leakage; Making Usernames Case Sensitive); Protecting Against Credential Stuffing; Password History and Expiration; Fixing Session Token Expiration; Implementing Multifactor Authentication; Using External Providers
  Enforcing Authentication for Access
  Using Session for Authentication
  Stepping Back – Authorizing Users: Types of Access Control; Role-Based Authorization in ASP.NET; Using Claims-Based Authorization; Implementing Other Types of Authorization
  Summary

Chapter 8: Data Access and Storage
  Before Entity Framework: ADO.NET; Stored Procedures and SQL Injection; Third-Party ORMs
  Digging into the Entity Framework: Running Ad Hoc Queries; Principle of Least Privilege and Deploying Changes; Simplifying Filtering (Filtering Using Hard-Coded Subqueries; Filtering Using Expressions); Easy Data Conversion with the ValueConverter
  Other Relational Databases
  Secure Database Design: Use Multiple Connections; Use Schemas; Don't Store Secrets with Data; Avoid Using Built-In Database Encryption; Test Database Backups
  Non-SQL Data Sources
  Summary

Chapter 9: Logging and Error Handling
  New Logging in ASP.NET Core
  Where ASP.NET Core Logging Falls Short: Logging and Compliance
  Building a Better System: Why Are We Logging Potential Security Events?; Better Logging in Action; Security Logging for Framework Events; PII and Logging
  Using Logging in Your Active Defenses: Blocking Credential Stuffing with Logging; Honeypots
  Proper Error Handling: Catching Errors
  Summary

Chapter 10: Setup and Configuration
  Setting Up Your Environment: Web Server Security; Keep Servers Separated (Server Separation and Microservices; A Note About Separation of Duties); Storing Secrets
  SSL/TLS: Allow Only TLS 1.2 and TLS 1.3; Setting Up HSTS
  Setting Up Headers: Setting Up Page-Specific Headers
  Third-Party Components: Monitoring Vulnerabilities; Integrity Hashes
  Secure Your Test Environment
  Web Application Firewalls
  Summary

Chapter 11: Secure Application Life Cycle Management
  Testing Tools: DAST Tools (DAST Scanner Strengths; DAST Scanner Weaknesses; Differences Between DAST Scanners); SAST Tools (Using Visual Studio Scanners as a SAST Scanner; Final Notes About Free SAST Scanners; Commercial SAST Scanner Quality); SCA Tools; IAST Tools; Kali Linux
  Integrating Tools into Your CI/CD Process: CI/CD with DAST Scanners; CI/CD with SAST Scanners; CI/CD with IAST Scanners
  Catching Problems Manually: Code Reviews and Refactoring; Hiring a Penetration Tester (Reconnaissance; Scanning and Enumeration; Gaining Access; Maintaining Access; Covering Tracks)
  When to Fix Problems
  Learning More
  Summary

Index