Edition: 2
Authors: Scott Norberg
Series:
ISBN: 9798868804939, 9798868804946
Publisher:
Year of publication: 2024
Number of pages: 459
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 8 MB
If you need the file for the book "Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security" converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support and they will convert the file.
Note that the book "Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security" is the original-language (English) edition, not a Persian translation. The International Library website offers original-language books only and does not offer any books translated into or written in Persian.
Table of Contents

About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Chapter 1: Intro to Security
  What Is Security?
  The CIA Triad
  Confidentiality
  Integrity
  Nonrepudiation
  Availability
  Setting Priorities
  Term Definitions
  Vulnerability
  Threat
  Risk
  Exploit
  The Anatomy of an Attack
  Reconnaissance
  Penetrate
  Expand
  Hide Evidence
  Catching Attackers
  Detecting Possible Criminal Activity
  Detection and Privacy Issues
  Honeypots
  Enticement vs. Entrapment
  Types of Attacks
  Social Engineering Attacks
  Phishing and Spear-Phishing
  Pretexting
  Baiting
  Quid pro quo
  Reverse Social Engineering
  Brute Force Attacks
  Machine-in-the-Middle (MitM) Attacks
  Replay Attacks
  Attack Chaining
  Ransomware
  Primary vs. Compensating Controls
  Defense in Depth
  Zero Trust
  Organizations to Know
  International Organization for Standardization (ISO)
  National Institute of Standards and Technology (NIST)
  Standards and Regulations to Know
  PCI DSS (Payment Card Industry Data Security Standard)
  HIPAA (Health Insurance Portability and Accountability Act)
  GDPR (General Data Protection Regulation)
  Security vs. Compliance
  When Are You Secure Enough?
  Vulnerability Risk Scoring
  Common Vulnerability Scoring System (CVSS)
  Exploit Prediction Scoring System (EPSS)
  Summary

Chapter 2: Software Security Overview
  Code Sourcing
  Third-Party Components
  Software Bill of Materials (SBOM)
  Zero-Day Attacks
  Example Code Online
  Secrets and Source Control
  Threat Modeling
  Spoofing
  Tampering
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege
  Authentication and Passwords
  Username/Password Forms Can Be Easy to Bypass
  Too Many Passwords Are Easy to Guess
  Credential Stuffing Attacks
  Multi-Factor Authentication
  Authorization
  Types of Access Control
  When Are You Secure Enough?
  Finding Sensitive Information
  User Experience and Security
  Other Security Concepts
  Security by Obscurity
  Secure by Default
  Fail Open vs. Fail Closed
  Summary

Chapter 3: Web Security
  Making a Connection
  HTTPS, SSL, and TLS
  Connection Process
  Anatomy of a Request
  Anatomy of a Response
  Response Codes
  1XX – Informational
  100 Continue
  101 Switching Protocols
  2XX – Success
  200 OK
  3XX – Redirection
  301 Moved Permanently
  302 Found
  303 See Other
  307 Temporary Redirect
  4XX – Client Errors
  400 Bad Request
  401 Unauthorized
  403 Forbidden
  404 Not Found
  405 Method Not Allowed
  5XX – Server Errors
  500 Internal Server Error
  502 Bad Gateway
  503 Service Unavailable
  Headers
  Default ASP.NET Headers
  Cache-Control, Pragma, and Expires
  Server
  Set-Cookie
  Security Headers Easily Configured in ASP.NET
  Strict-Transport-Security
  Cache-Control
  Cross-Origin Resource Sharing (CORS)
  Security Headers Not in ASP.NET by Default
  X-Content-Type-Options
  X-Frame-Options
  X-XSS-Protection
  Content-Security-Policy
  Cross-Request Data Storage
  Cookies
  Cookie Scoping
  path
  samesite
  httponly
  Session Storage
  Hidden Fields
  HTML5 Storage
  Cross-Request Data Storage Summary
  Insecure Direct Object References
  Web Sockets
  WebAssembly (Wasm)
  Open Worldwide Application Security Project (OWASP)
  OWASP Top Ten Web Application Security Risks
  A01:2021-Broken Access Control
  A02:2021-Cryptographic Failures
  A03:2021-Injection
  A04:2021-Insecure Design
  A05:2021-Security Misconfiguration
  A06:2021-Vulnerable and Outdated Components
  A07:2021-Identification and Authentication Failures
  A08:2021-Software and Data Integrity Failures
  A09:2021-Security Logging and Monitoring Failures
  A10:2021-Server-Side Request Forgery
  How to Use the Top Ten
  Software Assurance Maturity Model (SAMM)
  Application Security Verification Standard (ASVS)
  OWASP Cheat Sheets
  Juice Shop
  Summary

Chapter 4: Thinking Like a Hacker
  Burp Suite
  SQL Injection
  Union-Based
  Error-Based
  Boolean-Based Blind
  Time-Based Blind
  Second-Order SQL Injection
  Summary
  Cross-Site Scripting (XSS)
  Bypassing XSS Defenses
  Bypassing Script Tag Filtering
  Img Tags, Iframes, and Other Elements
  Attribute-Based Attacks
  Hijacking DOM Manipulation
  JavaScript Framework Injection
  Third-Party Libraries
  Consequences of XSS
  Other Injection Types
  Cross-Site Request Forgery (CSRF)
  Bypassing Anti-CSRF Defenses
  Operating System Issues
  Directory Traversal
  Remote and Local File Inclusion
  OS Command Injection
  File Uploads and File Management
  Other Web Attacks
  Timing-Based Attacks
  Clickjacking
  Unvalidated Redirects
  Session Hijacking
  Mass Assignment/Overposting
  Value Shadowing
  XSS and Value Shadowing
  Server-Side Request Forgery (SSRF)
  Security Issues Mostly Fixed in ASP.NET
  Verb Tampering
  Response Splitting
  Parameter Pollution
  Business Logic Abuse
  Summary

Chapter 5: Introduction to ASP.NET Core Security
  Middleware and Services
  Deeper Dive into Services
  Accessing Services
  How ASP.NET Handles Dependencies
  Configuration
  Filters
  Model Binding
  Binding Sources
  MVC vs. Razor Pages
  ASP.NET and APIs
  Kestrel and IIS
  Summary

Chapter 6: Cryptography
  Symmetric Encryption
  Symmetric Encryption Types
  Symmetric Encryption Algorithms
  DES and Triple DES
  AES and Rijndael
  Problems with Block Encryption
  Symmetric Encryption in .NET
  Key Generation
  Creating an Encryption Service
  Symmetric Encryption Using Bouncy Castle
  Hashing
  Uses for Hashing
  Hash Salts
  Keyed Hashes (HMAC)
  Hash Algorithms
  MD5
  SHA (or SHA-1)
  SHA-2
  SHA-3
  PBKDF2, bcrypt, and scrypt
  Hashing and Searches
  Hashing in .NET
  SHA-3 Hashing with Bouncy Castle
  Creating a Hashing .NET Service
  Asymmetric Encryption
  Digital Signatures
  Asymmetric Encryption in .NET
  Key Storage
  Don't Create Your Own Algorithms
  Common Mistakes with Encryption
  Summary

Chapter 7: Processing User Input
  Preventing XSS
  Encoding
  Encoding and JavaScript Frameworks
  CSP Headers
  Ads, Trackers, and XSS
  Validation Attributes
  Validating Your Models
  Validating File Uploads
  User Input and Retrieving Files
  Allow Lists and Deny Lists
  CSRF Protection
  ASP.NET CSRF Protection Deeper Dive
  Extending Anti-CSRF Checks with IAntiforgeryAdditionalDataProvider
  CSRF and Unauthenticated Forms
  When CSRF Tokens Aren't Enough
  Mass Assignment
  Mass Assignment and Scaffolded Code
  Preventing Spam
  Preventing SSRF
  Business Logic Abuse
  Summary

Chapter 8: Data Access and Storage
  Before Entity Framework
  ADO.NET
  Stored Procedures and SQL Injection
  Third-Party ORMs
  Digging into the Entity Framework
  Running Ad Hoc Queries
  Principle of Least Privilege and Deploying Changes
  Simplifying Filtering
  Filtering Using Hard-Coded Subqueries
  Filtering Using Expressions
  Easy Data Conversion with the ValueConverter
  ValueConverters and Detecting Tampering
  Other Relational Databases
  Secure Database Design
  Use Multiple Connections
  Use Schemas
  Don't Store Secrets with Data
  Avoid Using Built-In Database Encryption
  Test Database Backups
  Non-SQL Data Sources
  Summary

Chapter 9: Authentication and Authorization
  Authentication Functionality
  Functionality Enabled Out of the Box
  Claim-Based Security
  Easy Authorization Checking
  Easy Multi-Factor Authentication
  Functionality Requiring Configuration
  Brute Force Password Attacks Protection
  Turning On User Lockouts
  Password Strength
  Password Hash Strength
  Authentication Token Expiration
  Missing Functionality
  Lack of Protection Against Username Leakage
  Stopping Credential Stuffing
  Protecting Login-Related PII
  Important Authentication Services
  SignInManager
  UserManager
  IUserStore
  IOptions
  Using External Providers
  Setting Up Something More Secure
  Upgrading the Hashing Algorithm
  Protecting Usernames
  Preventing Information Leakage
  Making Usernames Case Sensitive
  Protecting Against Credential Stuffing
  Fixing Authentication Token Expiration
  Changing the Default Login Page
  Modernizing Password Complexity Requirements
  Using Session for Authentication
  Authorization in ASP.NET
  Role-Based Authorization
  Using Policies
  RequireRole
  RequireClaim
  RequireAssertion
  RequireAuthenticatedUser
  RequireUserName
  Policies for MAC or DAC Access Controls
  Using IAuthorizationRequirement
  Using IActionFilter
  Summary

Chapter 10: Advanced Web Security
  APIs and Microservices
  Choosing an Architecture
  Maximizing Availability
  Authentication and Authorization
  JWTs
  JWTs in .NET
  Server-to-Server Authentication
  Basic Authentication
  Tokens
  OAuth 2.0
  Digital Signatures
  Input Validation
  Data Access
  Mass Assignment
  Information Leakage
  Swagger Files
  JavaScript
  Secrets and JavaScript
  JavaScript and XSS
  JavaScript and Input Validation
  Using JavaScript Frameworks
  CSRF
  New Technologies
  NoSQL Databases
  WebAssembly/Blazor
  Docker and Kubernetes
  Chatbots and AI
  Output Is Not Reliable
  Privacy Is Not Guaranteed
  Garbage In, Garbage Out
  Prompt Injection
  Summary

Chapter 11: Logging and Error Handling
  New Logging in ASP.NET Core
  Where ASP.NET Core Logging Falls Short
  Logging Request Information
  Logging and Compliance
  Building a Better System
  Why Are We Logging Potential Security Events?
  Better Logging in Action
  Security Logging for Framework Events
  PII and Logging
  When Not to Log for Security
  Using Logging in Your Active Defenses
  Blocking Credential Stuffing with Logging
  Honeypots
  Log Injections
  Proper Error Handling
  Exception Handling via Middleware
  Importance of Catching Errors
  Summary

Chapter 12: Setup and Configuration
  Setting Up Your Environment
  Web Server Security
  Keep Servers Separated
  Server Separation and Microservices
  A Note About Separation of Duties
  Storing Secrets
  Setting Up Headers
  HSTS
  Allow Only TLS 1.2 and TLS 1.3
  Setting Up HSTS
  CORS
  CSP
  Cookies
  Setting Up Page-Specific Headers
  Third-Party Components
  Monitoring Vulnerabilities
  Deploying Your Code
  Secure Your Test Environment
  Summary

Chapter 13: Secure Software Development Lifecycle (SSDLC)
  Traditional Security Tools
  Dynamic Application Security Testing (DAST)
  DAST Scanner Strengths
  DAST Scanner Weaknesses
  Differences Between DAST Scanners
  Static Application Security Testing (SAST)
  Final Notes About Free SAST Scanners
  Commercial SAST Scanners
  SAST Scanning and Roslyn
  Software Composition Analysis (SCA)
  Interactive Application Security Testing (IAST)
  Kali Linux
  Other Security Tools
  Application Security Posture Management (ASPM)
  Web Application Firewall (WAF)
  Runtime Application Self-Protection (RASP)
  Secret Scanning
  Integrating Tools into Your CI/CD Process
  CI/CD with DAST Scanners
  CI/CD with SAST Scanners
  CI/CD with IAST Scanners
  Catching Problems Manually
  Code Reviews and Refactoring
  Hiring a Penetration Tester
  Reconnaissance
  Scanning and Enumeration
  Gaining Access
  Maintaining Access
  Covering Tracks
  Inventory Management
  SBOM
  When to Fix Problems
  Getting Buy-In for Fixing Problems
  Learning More
  Summary