Developers are notoriously lax in security. Part of the problem is not understanding how our applications are attacked. To protect your applications you need to BE a hacker. You need to understand how your applications are hacked, and therefore, how to protect them. This course goes over the most common hacking techniques using an array of current attacks to show how a web application is exploited.This course covers exploits and protections for both Web Forms and MVC. Covered are such topics as sql injection, parameter tampering, information leakage, cross-site scripting (xss), cross-site request forgery, encryption, hashing, and denial of service all with applicable demos.

Developers are notoriously lax in security. Part of the problem is not understanding how our applications are attacked. To protect your applications you need to BE a hacker. You need to understand how your applications are hacked, and therefore, how to protect them. This course goes over the most common hacking techniques using an array of current attacks to show how a web application is exploited.This course covers exploits and protections for both Web Forms and MVC. Covered are such topics as sql injection, parameter tampering, information leakage, cross-site scripting (xss), cross-site request forgery, encryption, hashing, and denial of service all with applicable demos.

Content
SQL Injection 00:44:59
Introduction 00:08
What is SQL Injection? Four thirteen
Demo - Form based SQL Injection 1 11:27
Demo - Form based SQL Injection 2 two twenty-two
How do you Prevent SQL Injection? 2:23
Demo - SQL Tool Auditor Permissions two twenty-seven
Additional Protections three thirty-nine
Problematic Fixes - blacklisting Routines four twelve
Problematic Fixes - SQL Routines and SQL truncation 4:31
Basic Dynamic Query 5:48 Ideas
Using an ORM 3:23
Additional Information / References 00:26 Information Leakage 00:15:30 Introduction 00:10 What is information Leakage? One five How is IT information gathered? 1:57 Demo - Web App Basic Information Leakage 00:50 Demo - Information Leakage from error 00:36 Page Demo - Information Leakage by Ajax one forty-six How do you Prevent Information Leakage? 8:39 00:27 Additional Reading Cross-Site Scripting (XSS) 1:10:47 00:08 Introduction What is XSS? Three forty How is exploited XSS? 00:46 Demo - Reflected XSS Attack two eight Demo - Persistent XSS Attack 3:47 Demo - Older Style IE6 Content Type Sniffing Attack one thirty-eight Demo - DOM Based XSS 7:02 Demo - Data URI - Link Hijack three thirty-seven Demo - Dangling Markup / Scriptless Attacks five fifty-eight How do you Prevent XSS? Two fifty-three How do you Prevent XSS (Page 2) 1:13 Demo (Prevention) - AntiXss GetSafeHtmlFragment () 1:51 Demo (Prevention) - Specifying UTF-8 Encoding one eleven Demo (Prevention) - Content Security Policy 05: 37 Problems with blacklists / character filtering three thirteen How do you Prevent XSS (last BUT not Least) three forty-five Do not Turn off Request Validation five seven Know your options Encoding 4:41 Demo (Fix) - Fixing Web Forms Repeater two sixteen Demo (Fix) - Fixing Scriptless / HTML Dangling 00:58 Demo (Fix) - Fixing DOM based Attacks 4:22 Tools two twenty-six two nine Summary Additional Information / References 00:21 Parameter Tampering 00:29:00 introduction 00:08 What is parameter tampering? 00:36 How IT is exploited? One twenty-two Parameter Tampering 5:21 MVC Web Forms Parameter Tampering 4:50 EventValidation issues with client script Side one twenty-four Preventing tampering in two forty-four MVC Preventions - Regular Expressions one thirteen Preventions - Data Annotations one twenty Validate your data! 3:19 A few minor Words of caution three twenty-three two thirty Summary Additional Information / References 00:50 Encryption and Hashing 00:45:20 Introduction 00:10 Why Should I encrypt? Five ten How to encrypt - Database Side one six SQL - Encrypt by 2:49 passphrase SQL - Encrypt certificate by 1:50 How to encrypt - Application code 3:51 How to encrypt - configuration Settings two forty-four Forcing SSL - MVC 2:35 Forcing SSL - Web Forms 00:59 Forcing SSL - Additional Information one forty-four Installing SSL on your three fifty-seven Development Box About Hashing one twenty-five How are hashes attacked? 2:35 What's a Salt? 1:21 Demo - Basic hash with one sixteen Salt Demo - Brute force Attack Hash (even with a Salt!) three two Tool Demo - quarter past one Hashcat Choosing the right Approaches four twenty-five Membership provider Support 1:37 BUT I need my lost password functionality! 00:59 Additional Information 00:30 Cross-Site Request forgery (CSRF) 00:38:28 Introduction 00:09 What is CSRF? One one CSRF How is exploited? Two forty Demo - Email Exploit using Image src four fifty-eight Demo - Repeatability is the Key 1:15 Demo - CSRF from XSS one twenty-six POSTS protect Me, do not They? Four thirty-seven Demo - One Click Web Forms Attack - Forge user Interaction 7:31 How do you Prevent CSRF? Two twenty-six Web Forms CSRF Prevention 5:28 MVC CSRF Prevention 4:53 2:04 Summary Denial of Service 00:17:47 Introduction 00:07 How is exploited DoS? Five five Demo - Affecting the Victim's browser two twenty-four Demo - Browser based distributed denial of three thirty-five Service Demo - Slow Page = Easy target 3:55 Preventing DoS 2:07 Additional Information / References 00:34 Session Hijacking and Management 00 : 37:19 Introduction 00:09 ASP.NET Session Id Management Background four thirty-nine Session Management Demo five four Sessions How CAN be attacked? 1:06 Demo - stealing a session 6:03 Preventing Attacks Session one four Syncing Forms authentication and session timeouts timeouts four fifty-six Preventing - Removing the session cookie on login / Logout 2:43 Preventing - Avoid cookieless Sessions 00:59 Custom session ID managers 9:23 1:13 Additional Information