A detailed look at each security risk and how it might be exploited in a .NET web application.
OWASP has produced some excellent material over the years, not least of which is The Ten Most Critical Web Application Security Risks – or “Top 10” for short – whose users and adopters include a who’s who of big business.
The Top 10 is a fantastic resource for the purpose of identification and awareness of common security risks. However, it is abstracted slightly from the technology stack in that it doesn't contain a lot of detail about the execution and required countermeasures at an implementation level. Of course this approach is entirely necessary when you consider the extensive range of programming languages potentially covered by the Top 10.
When directing .NET developers to the Top 10, author Troy Hunt found some confusion about how to comply at the coalface of development, so he set out to approach the Top 10 from the angle these developers are coming from.
Hunt looks at each security risk in detail, demonstrates – where possible – how it might be exploited in a .NET web application, and then details the countermeasures at a code level.
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards