Book description
Programmers: protect and defend your Web apps against attack!
You may know ASP.NET, but if you don't understand how to secure your applications, you need this book. This vital guide explores the often-overlooked topic of teaching programmers how to design ASP.NET Web applications so as to prevent online thefts and security breaches.
You'll start with a thorough look at ASP.NET 3.5 basics and see what happens when you don't implement security, including some amazing examples. The book then delves into the development of a Web application, walking you through the vulnerable points at every phase. Learn to factor security in from the ground up, discover a wealth of tips and industry best practices, and explore code libraries and more resources provided by Microsoft and others.
Shows you step by step how to implement the very latest security techniques
Reveals the secrets of secret-keeping—encryption, hashing, and not leaking information to begin with
Delves into authentication, authorizing, and securing sessions
Explains how to secure Web servers and Web services, including WCF and ASMX
Walks you through threat modeling, so you can anticipate problems
Offers best practices, techniques, and industry trends you can put to use right away
Defend and secure your ASP.NET 3.5 framework Web sites with this must-have guide.
Table of contents
- Copyright
- ABOUT THE AUTHOR
- ACKNOWLEDGMENTS
- CREDITS
- INTRODUCTION
- 1. Why Web Security Matters
- I. The ASP.NET Security Basics
  - 2. How the Web Works
  - 3. Safely Accepting User Input
  - 4. Using Query Strings, Form Fields, Events, and Browser Information
  - 5. Controlling Information
    - 5.1. CONTROLLING VIEWSTATE
    - 5.2. ERROR HANDLING AND LOGGING
    - 5.3. LIMITING SEARCH ENGINES
    - 5.4. PROTECTING PASSWORDS IN CONFIG FILES
    - 5.5. A CHECKLIST FOR QUERY STRINGS, FORMS, EVENTS, AND BROWSER INFORMATION
  - 6. Keeping Secrets Secret — Hashing and Encryption
    - 6.1. PROTECTING INTEGRITY WITH HASHING
    - 6.2. ENCRYPTING DATA
      - 6.2.1. Understanding Symmetric Encryption
      - 6.2.2. Sharing Secrets with Asymmetric Encryption
        - 6.2.2.1. Using Asymmetric Encryption without Certificates
        - 6.2.2.2. Using Certificates for Asymmetric Encryption
        - 6.2.2.3. Getting a Certificate
        - 6.2.2.4. Encrypting Your Data
        - 6.2.2.5. Decrypting Your Data
        - 6.2.2.6. Ensuring That Data Does Not Change
        - 6.2.2.7. Allowing Access to a Certificate's Private Key
        - 6.2.2.8. Creating Test Certificates with MAKECERT
        - 6.2.2.9. Putting It All Together
      - 6.2.3. Using the Windows DPAPI
    - 6.3. A CHECKLIST FOR ENCRYPTION
- II. Securing Common ASP.NET Tasks
  - 7. Adding Usernames and Passwords
    - 7.1. AUTHENTICATION AND AUTHORIZATION
    - 7.2. DISCOVERING YOUR OWN IDENTITY
    - 7.3. ADDING AUTHENTICATION IN ASP.NET
    - 7.4. AUTHORIZATION IN ASP.NET
    - 7.5. A CHECKLIST FOR AUTHENTICATION AND AUTHORIZATION
  - 8. Securely Accessing Databases
    - 8.1. WRITING BAD CODE: DEMONSTRATING SQL INJECTION
    - 8.2. FIXING THE VULNERABILITY
    - 8.3. MORE SECURITY FOR SQL SERVER
    - 8.4. A CHECKLIST FOR SECURELY ACCESSING DATABASES
  - 9. Using the File System
  - 10. Securing XML
- III. Advanced ASP.NET Scenarios
  - 11. Sharing Data with Windows Communication Foundation
    - 11.1. CREATING AND CONSUMING WCF SERVICES
    - 11.2. SECURITY AND PRIVACY WITH WCF
    - 11.3. ADDING SECURITY TO AN INTERNET SERVICE
    - 11.4. SIGNING MESSAGES WITH WCF
    - 11.5. LOGGING AND AUDITING IN WCF
    - 11.6. VALIDATING PARAMETERS USING INSPECTORS
    - 11.7. USING MESSAGE INSPECTORS
    - 11.8. THROWING ERRORS IN WCF
    - 11.9. A CHECKLIST FOR SECURING WCF
  - 12. Securing Rich Internet Applications
    - 12.1. RIA ARCHITECTURE
    - 12.2. SECURITY IN AJAX APPLICATIONS
    - 12.3. SECURITY IN SILVERLIGHT APPLICATIONS
    - 12.4. USING ASP.NET AUTHENTICATION AND AUTHORIZATION IN AJAX AND SILVERLIGHT
    - 12.5. A CHECKLIST FOR SECURING AJAX AND SILVERLIGHT
  - 13. Understanding Code Access Security
  - 14. Securing Internet Information Server (IIS)
    - 14.1. INSTALLING AND CONFIGURING IIS7
    - 14.2. FILTERING REQUESTS
      - 14.2.1. Filtering Double-Encoded Requests
      - 14.2.2. Filtering Requests with Non-ASCII Characters
      - 14.2.3. Filtering Requests Based on File Extension
      - 14.2.4. Filtering Requests Based on Request Size
      - 14.2.5. Filtering Requests Based on HTTP Verbs
      - 14.2.6. Filtering Requests Based on URL Sequences
      - 14.2.7. Filtering Requests Based on Request Segments
      - 14.2.8. Filtering Requests Based on a Request Header
      - 14.2.9. Status Codes Returned to Denied Requests
    - 14.3. USING LOG PARSER TO MINE IIS LOG FILES
    - 14.4. USING CERTIFICATES
    - 14.5. A CHECKLIST FOR SECURING INTERNET INFORMATION SERVER (IIS)
  - 15. Third-Party Authentication
    - 15.1. A BRIEF HISTORY OF FEDERATED IDENTITY
    - 15.2. USING THE WINDOWS IDENTITY FOUNDATION TO ACCEPT SAML AND INFORMATION CARDS
    - 15.3. USING OPENID WITH YOUR WEB SITE
    - 15.4. USING WINDOWS LIVE ID WITH YOUR WEB SITE
    - 15.5. A STRATEGY FOR INTEGRATING THIRD-PARTY AUTHENTICATION WITH FORMS AUTHENTICATION
    - 15.6. SUMMARY
  - 16. Secure Development with the ASP.NET MVC Framework
Product information
- Title: Beginning ASP.NET Security
- Author(s):
- Release date: April 2010
- Publisher(s): Wrox
- ISBN: 9780470743652