CL-NWA
New C# and web application security
Description
Nowadays, the .NET and ASP.NET environment is one of the most common platforms for program development, as many programming languages are available to develop for it. The development environment fully supports secure program development, but software designers and developers still need to be aware of certain architectural and coding-level issues to avoid potential vulnerabilities.
The training aims to show how to correctly configure and use the various .NET components to prevent any code from running in privileged mode, how to protect resources through proper authentication and authorization, how to implement secure remote procedure calls, session management, and so on.
We also cover various .NET-based vulnerabilities. In addition to general web application issues, the course covers .NET-specific input validation flaws, the proper use of security functions, error and exception handling, and timing and state management flaws.
The course is recommended for programmers, developers, software designers and security professionals who want to learn professional techniques for creating the most secure programs and applications in .NET/ASP.NET environments. The training is also available as a stand-alone course or in combination with other development environments and technologies.
Outline
- From IT security to secure programming: the nature of security, what is risk?, IT security vs. secure coding, from vulnerabilities to botnets and cybercrime, the nature of security flaws, from infected computers to targeted attacks.
- Common coding mistakes and vulnerabilities: input validation (concepts); integer problems: representing negative integers, integer overflow, IntOverflow exercise, what is the value of Math.Abs(int.MinValue), best practices; path traversal vulnerability: weak protection and best practices; unvalidated redirects and forwards; log forgery; improper use of security functions and typical problems; password management (password management and storage, special-purpose hash algorithms for storing passwords, Argon2 and PBKDF2 implementations in .NET, bcrypt and scrypt implementations in .NET, typical mistakes in password management).
- .NET security architecture and features: code access security: full and partial trust, evidence classes, permissions, code access permission classes, deriving permissions from evidence, defining custom permissions, .NET runtime permission checking, stack walk, effects of Assert(), class- and method-level declarative authorization, imperative (programmatic) permission checking.
- Practical cryptography: first rule of cryptography implementation; cryptosystems: elements of a cryptosystem, .NET cryptographic architecture. Symmetric key cryptography: ensuring confidentiality, symmetric encryption algorithms, modes of operation, encrypting and decrypting (symmetric). Other cryptographic algorithms: hash or message digest, hash algorithms, SHAttered, hashing, Message Authentication Code (MAC), ensuring integrity and authenticity with symmetric keys, random number generation. Asymmetric (public key) cryptography: ensuring confidentiality with public key cryptography, rule of thumb - private key ownership, the RSA algorithm: introduction, encryption with RSA, combining symmetric and asymmetric algorithms, digital signature with RSA, asymmetric algorithms in .NET, Sign exercise. Public Key Infrastructure (PKI): man-in-the-middle (MitM) attack, digital certificates against MitM attacks, certificate authorities in public key infrastructure, X.509 digital certificate. Accessibility modifiers: accessing private fields by reflection in .NET, Reflection exercise.
- Web application security: injection: basic principles, SQL injection (typical SQL injection attack methods, blind and time-based SQL injection, SQL injection protection methods, impact of data storage frameworks on SQL injection). Broken authentication: session management threats and session hijacking, session management best practices, cookie attribute configuration, Cross-Site Request Forgery - CSRF (CSRF prevention). XML External Entity (XXE): introduction to XML entities, XML External Entity attack (XXE) (resource inclusion, URL invocation, parameter entities, prevention). Broken access control: typical access control weaknesses, Insecure Direct Object Reference (IDOR), protection against IDOR. Cross-Site Scripting (XSS): persistent, reflected, DOM-based; XSS prevention, output encoding API in C#, XSS protection in ASP.NET - validateRequest. Insecure deserialization: basics of serialization and deserialization, security challenges, deserialization in .NET, from deserialization to code execution, POP payload targeting MulticastDelegate (C#), real .NET deserialization vulnerabilities, deserialization problems with JSON, best practices against deserialization vulnerabilities.
- Client-side security: JavaScript security, same-origin policy, simple requests, preflight requests, clickjacking (protection against clickjacking, anti-frame-busting - dismissing protection scripts, protection against busting frame-busting). AJAX security: XSS in AJAX, script injection attack in AJAX, XSS protection in AJAX, CSRF protection in AJAX - JavaScript hijacking. HTML5 security: new XSS possibilities in HTML5, HTML5 clickjacking attack - text field injection, HTML5 clickjacking - content extraction, form manipulation, cross-origin requests, HTML proxy with cross-origin requests.
- Incorrect error and exception handling.
- Timing and state management flaws: parallelism and threading, parallelism in .NET, deadlocks, how to avoid deadlocks, the lock statement.
- Code quality issues: dangers of poor code quality, unreleased resources, serialization, private arrays - typed field returned from a public method, class not sealed - object hijacking, immutable strings, using SecureString.
- Principles of security and secure coding: Matt Bishop's principles of robust programming, Saltzer and Schroeder's security principles.
Prerequisites
C# programming skills and at least two years of experience in .NET / ASP.NET programming. A working knowledge of basic cryptographic concepts and methods is recommended. As the course material is in English, basic English language skills at document-reading level are required. The lecture will be held in Hungarian.