Beginning ASP.NET Security
Format: Paperback / softback, 436 pages
Published in: United Kingdom, 22 January 2010
This is a practical guide to securing ASP.NET sites. "Beginning ASP.NET Security" is for novice to intermediate ASP.NET programmers and provides a step-by-step solution to securing each area of ASP.NET development. Rather than approaching security from a theoretical direction, MVP Barry Dorrans shows you examples of how everyday code can be attacked, and describes the steps necessary for defense. Inside, you'll learn how you can defend your ASP.NET applications using the .NET framework, industry patterns and best practices, code libraries and resources provided by Microsoft and others.

"Beginning ASP.NET Security" explores issues with user input, including validation, cross-site scripting (XSS) and cross-site request forgery (CSRF). It teaches how to securely access your database and defend against SQL injection attacks. It shares techniques for keeping secrets, including encryption, hashing and preventing information leaks. It examines methods for authenticating and authorizing users, including ASP.NET membership providers and preventing cookie theft. It shares tips for securing your web server, including how ASP.NET uses trust levels and locking down IIS. It unveils ways to securely use WCF web services. It presents security with the Microsoft ASP.NET Ajax framework and Silverlight. It includes an overview of security with the Microsoft MVC framework.

Wrox Beginning guides are crafted to make learning programming languages and technologies easier than you think, providing a structured, tutorial format that will guide you through all the techniques involved.

wrox.com Programmer Forums: join our Programmer to Programmer forums to ask and answer programming questions about this book, join discussions on the hottest topics in the industry, and connect with fellow programmers from around the world.
Code Downloads: take advantage of free code samples from this book, as well as code samples from hundreds of other books, all ready to use.
Read More: find articles, ebooks, sample chapters and tables of contents for hundreds of books, and more reference resources on programming topics that matter to you.
About the Author
Barry Dorrans is a consultant, speaker and Microsoft MVP in the "Visual Tools - Security" category. His approach to development and writing blends humor with the paranoia suitable for considering security.
Table of Contents
Acknowledgments
Introduction
Chapter 1 Why Web Security Matters
  Anatomy of an Attack
  Risks and Rewards
  Building Security from the Ground Up
  Defense in Depth
  Never Trust Input
  Fail Gracefully
  Watch for Attacks
  Use Least Privilege
  Firewalls and Cryptography Are Not a Panacea
  Security Should Be Your Default State
  Code Defensively
  The OWASP Top Ten
  Moving Forward
  Checklists
PART I: THE ASP.NET SECURITY BASICS
Chapter 2 How the Web Works
  Examining the HTTP
  Requesting a Resource
  Responding to a Request
  Sniffing HTTP Requests and Responses
  Understanding HTML Forms
  Examining How ASP.NET Works
  Understanding How ASP.NET Events Work
  Examining the ASP.NET Pipeline
  Writing HTTP Modules
  Summary
Chapter 3 Safely Accepting User Input
  Defining Input
  Dealing with Input Safely
  Echoing User Input Safely
  Mitigating Against XSS
  The Microsoft Anti-XSS Library
  The Security Run-Time Engine
  Constraining Input
  Protecting Cookies
  Validating Form Input
  Validation Controls
  Standard ASP.NET Validation Controls
  Using the RequiredFieldValidator
  Using the RangeValidator
  Using the RegularExpressionValidator
  Using the CompareValidator
  Using the CustomValidator
  Validation Groups
  A Checklist for Handling Input
Chapter 4 Using Query Strings, Form Fields, Events, and Browser Information
  Using the Right Input Type
  Query Strings
  Form Fields
  Request Forgery and How to Avoid It
  Mitigating Against CSRF
  Protecting ASP.NET Events
  Avoiding Mistakes with Browser Information
  A Checklist for Query Strings, Forms, Events, and Browser Information
Chapter 5 Controlling Information
  Controlling ViewState
  Validating ViewState
  Encrypting ViewState
  Protecting Against ViewState One-Click Attacks
  Removing ViewState from the Client Page
  Disabling Browser Caching
  Error Handling and Logging
  Improving Your Error Handling
  Watching for Special Exceptions
  Logging Errors and Monitoring Your Application
  Using the Windows Event Log
  Using Email to Log Events
  Using ASP.NET Tracing
  Using Performance Counters
  Using WMI Events
  Another Alternative: Logging Frameworks
  Limiting Search Engines
  Controlling Robots with a Metatag
  Controlling Robots with robots.txt
  Protecting Passwords in Config Files
  A Checklist for Query Strings, Forms, Events and Browser Information
Chapter 6 Keeping Secrets Secret: Hashing and Encryption
  Protecting Integrity with Hashing
  Choosing a Hashing Algorithm
  Protecting Passwords with Hashing
  Salting Passwords
  Generating Secure Random Numbers
  Encrypting Data
  Understanding Symmetric Encryption
  Protecting Data with Symmetric Encryption
  Sharing Secrets with Asymmetric Encryption
  Using Asymmetric Encryption without Certificates
  Using Certificates for Asymmetric Encryption
  Getting a Certificate
  Using the Windows DPAPI
  A Checklist for Encryption
PART II: SECURING COMMON ASP.NET TASKS
Chapter 7 Adding Usernames and Passwords
  Authentication and Authorization
  Discovering Your Own Identity
  Adding Authentication in ASP.NET
  Using Forms Authentication
  Windows Authentication
  Authorization in ASP.NET
  Examining and .
  Role-Based Authorization
  Limiting Access to Files and Folders
  Checking Users and Roles Programmatically
  A Checklist for Authentication and Authorization
Chapter 8 Securely Accessing Databases
  Writing Bad Code: Demonstrating SQL Injection
  Fixing the Vulnerability
  More Security for SQL Server
  Connecting Without Passwords
  SQL Permissions
  Using Views
  SQL Express User Instances
  Drawbacks for the VS Built-in Web Server
  Dynamic SQL Stored Procedures
  Using SQL Encryption
  A Checklist for Securely Accessing Databases
Chapter 9 Using the File System
  Accessing Existing Files Safely
  Making Static Files Secure
  Making a File Downloadable and Setting Its Name
  Adding Further Checks to File Access
  Accessing Files on a Remote System
  Creating Files Safely
  Handling User Uploads
  Using the File Upload Control
  A Checklist for Securely Accessing Files
Chapter 10 Securing XML
  Validating XML
  Well-Formed XML
  Valid XML
  XML Parsers
  Querying XML
  Avoiding XPath Injection
  Securing XML Documents
  Encrypting XML Documents
  Signing XML Documents
  A Checklist for XML
PART III: ADVANCED ASP.NET SCENARIOS
Chapter 11 Sharing Data with Windows Communication Foundation
  Creating and Consuming WCF Services
  Security and Privacy with WCF
  Adding Security to an Internet Service
  Signing Messages with WCF
  Logging and Auditing in WCF
  Validating Parameters Using Inspectors
  Using Message Inspectors
  Throwing Errors in WCF
  A Checklist for Securing WCF
Chapter 12 Securing Rich Internet Applications
  RIA Architecture
  Security in Ajax Applications
  The XMLHttpRequest Object
  The Ajax Same Origin Policy
  The Microsoft ASP.NET Ajax Framework
  Security in Silverlight Applications
  Understanding the CoreCLR Security Model
  Using the HTML Bridge
  Accessing the Local File System
  Using Cryptography in Silverlight
  Accessing the Web and Web Services with Silverlight
  Using ASP.NET Authentication and Authorization in Ajax and Silverlight
  A Checklist for Securing Ajax and Silverlight
Chapter 13 Understanding Code Access Security
  Understanding Code Access Security
  Using ASP.NET Trust Levels
  Demanding Minimum CAS Permissions
  Asking and Checking for CAS Permissions
  Testing Your Application Under a New Trust Level
  Using the Global Assembly Cache to Run Code Under Full Trust
  .NET 4 Changes for Trust and ASP.NET
  A Checklist for Code not Under Full Trust
Chapter 14 Securing Internet Information Server (IIS)
  Installing and Configuring IIS7
  IIS Role Services
  Removing Global Features for an Individual Web Site
  Creating and Configuring Application Pools
  Configuring Trust Levels in IIS
  Locking Trust Levels
  Creating Custom Trust Levels
  Filtering Requests
  Using Log Parser to Mine IIS Log Files
  Using Certificates
  Requesting an SSL Certificate
  Configuring a Site to Use HTTPS
  Setting up a Test Certification Authority
  A Checklist for Securing Internet Information Server (IIS)
Chapter 15 Third-Party Authentication
  A Brief History of Federated Identity
  Using the Windows Identity Foundation to Accept SAML and Information Cards
  Creating a "Claims-Aware" Web Site
  Accepting Information Cards
  Working with a Claims Identity
  Using OpenID with Your Web Site
  Using Windows Live ID with Your Web Site
  A Strategy for Integrating Third-Party Authentication with Forms Authentication
  Summary
Chapter 16 Secure Development with the ASP.NET MVC Framework
  MVC Input and Output
  Protecting Yourself Against XSS
  Protecting an MVC Application Against CSRF
  Securing Model Binding
  Providing Validation for and Error Messages from Your Model
  Authentication and Authorization with ASP.NET MVC
  Authorizing Actions and Controllers
  Protecting Public Controller Methods
  Discovering the Current User
  Customizing Authorization with an Authorization Filter
  Error Handling with ASP.NET MVC
  A Checklist for Secure Development with the ASP.NET MVC Framework
Index
Publisher: John Wiley & Sons Ltd
Dimensions: 23.52 x 18.95 x 2.46 centimeters (0.79 kg)