OWASP Top 10, C# Secure Coding Fundamentals Eğitimi

• Understand basic concepts of security, IT security and secure coding
• Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
• Learn about XML security
• Learn client-side vulnerabilities and secure coding practices
• Learn about typical coding mistakes and how to avoid them
• Get sources and further readings on secure coding practices

• IT security and secure coding
• Web application security
• Common coding errors and vulnerabilities
• Principles of security and secure coding
• Knowledge sources

Day 1

IT security and secure coding

• Nature of security
• What is risk?
• IT security vs. secure coding
• From vulnerabilities to botnets and cybercrime
  • Nature of security flaws
  • From an infected computer to targeted attacks
  • The Seven Pernicious Kingdoms
  • OWASP Top Ten 2017

Web application security

• Injection
  • Injection principles
  • SQL injection
    • Exercise – SQL injection
    • Typical SQL Injection attack methods
    • Blind and time-based SQL injection
    • SQL injection protection methods
    • Effect of data storage frameworks on SQL injection
  • Other injection flaws
    • Command injection
    • Command injection exercise – starting Netcat
  • HTTP parameter pollution
    • Cookie injection / HTTP parameter pollution
    • Exercise – Value shadowing
• Broken authentication
  • Session handling threats
  • Session fixation
  • Exercise – Session fixation
  • Session handling best practices
  • Setting cookie attributes – best practices
  • Cross site request forgery (CSRF)
    • CSRF prevention
• XML external entity (XXE)
  • XML Entity introduction
  • XML external entity attack (XXE) – resource inclusion
  • XML external entity attack – URL invocation
  • XML external entity attack – parameter entities
  • Exercise – XXE attack
  • Preventing entity-related attacks
  • Case study – XXE in Google Toolbar
• Broken access control
  • Typical access control weaknesses
  • Insecure direct object reference (IDOR)
  • Exercise – Insecure direct object reference
  • Protection against IDOR
  • Case study – Facebook Notes
• Cross-Site Scripting (XSS)
  • Persistent XSS
  • Reflected XSS
  • DOM-based XSS
  • Exercise – Cross Site Scripting
  • XSS prevention
  • Output encoding API in C#
  • XSS protection in ASP.NET – validateRequest
• HTML5 security
  • New XSS possibilities in HTML5
  • HTML5 clickjacking attack – text field injection
  • HTML5 clickjacking – content extraction
  • Form tampering
  • Exercise – Form tampering
  • Cross-origin requests
  • HTML proxy with cross-origin request
  • Exercise – Client side include
• Insecure deserialization
  • Serialization and deserialization basics
  • Security challenges of deserialization
  • Deserialization in .NET
  • From deserialization to code execution
  • POP payload targeting MulticastDelegate (C#)
  • Real-world .NET deserialization vulnerabilities
  • Issues with deserialization – JSON
  • Best practices against deserialization vulnerabilities
  • Case study – Windows PowerShell RCE
    • CVE-2017-8565 – Windows PowerShell RCE
    • Example XML triggering the RCE
• Using components with known vulnerabilities
  • Vulnerability attributes
  • Common Vulnerability Scoring System – CVSS
• Insufficient logging and monitoring
  • Detection and response
  • Logging and log analysis
  • Intrusion detection systems and Web application firewalls

Day 2

Common coding errors and vulnerabilities

• Input validation
  • Input validation concepts
  • Integer problems
    • Representation of negative integers
    • Integer overflow
    • Exercise IntOverflow
    • What is the value of Math.Abs(int.MinValue)?
    • Integer problem – best practices
  • Path traversal vulnerability
    • Path traversal – weak protections
    • Path traversal – best practices
  • Unvalidated redirects and forwards
  • Log forging
    • Some other typical problems with log files
• Improper use of security features
  • Typical problems related to the use of security features
  • Password management
    • Exercise – Weakness of hashed passwords
    • Password management and storage
    • Special purpose hash algorithms for password storage
    • Argon2 and PBKDF2 implementations in .NET
    • bcrypt and scrypt implementations in .NET
    • Case study – the Ashley Madison data breach
    • Typical mistakes in password management
    • Exercise – Hard coded passwords
  • Accessibility modifiers
    • Accessing private fields with reflection in .NET
    • Exercise Reflection – Accessing private fields with reflection
• Improper error and exception handling
  • Typical problems with error and exception handling
  • Empty catch block
  • Overly broad catch
  • Using multi-catch
  • Catching NullReferenceException
  • Exception handling – spot the bug!
  • Exercise – Error handling
• Time and state problems
  • Concurrency and threading
  • Concurrency in .NET
  • Omitted synchronization – spot the bug!
  • Exercise – Omitted synchronization
  • Incorrect granularity – spot the bug!
  • Exercise – Incorrect granularity
  • Deadlocks
  • Avoiding deadlocks
  • Exercise – Avoiding deadlocks
  • Lock statement
• Code quality problems
  • Dangers arising from poor code quality
  • Poor code quality – spot the bug!
  • Unreleased resources
  • Serialization – spot the bug!
  • Exercise – Serializable sensitive
  • Private arrays – spot the bug!
  • Private arrays – typed field returned from a public method
  • Class not sealed – object hijacking
  • Exercise – Object hijacking
  • Immutable string – spot the bug!
  • Exercise – Immutable strings
  • Using SecureString

Principles of security and secure coding

• Matt Bishop’s principles of robust programming
• The security principles of Saltzer and Schroeder

Knowledge sources

• Secure coding sources – a starter kit
• Vulnerability databases
• .NET secure coding guidelines at MSDN
• .NET secure coding cheat sheets
• Recommended books – .NET and ASP.NET