Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • ASP.NET Core 5 Secure Coding Cookbook
  • Toc
  • feedback
ASP.NET Core 5 Secure Coding Cookbook

ASP.NET Core 5 Secure Coding Cookbook

By : Roman Canlas
5 (6)
close
ASP.NET Core 5 Secure Coding Cookbook

ASP.NET Core 5 Secure Coding Cookbook

5 (6)
By: Roman Canlas

Overview of this book

ASP.NET Core developers are often presented with security test results showing the vulnerabilities found in their web apps. While the report may provide some high-level fix suggestions, it does not specify the exact steps that you need to take to resolve or fix weaknesses discovered by these tests. In ASP.NET Secure Coding Cookbook, you’ll start by learning the fundamental concepts of secure coding and then gradually progress to identifying common web app vulnerabilities in code. As you progress, you’ll cover recipes for fixing security misconfigurations in ASP.NET Core web apps. The book further demonstrates how you can resolve different types of Cross-Site Scripting. A dedicated section also takes you through fixing miscellaneous vulnerabilities that are no longer in the OWASP Top 10 list. This book features a recipe-style format, with each recipe containing sample unsecure code that presents the problem and corresponding solutions to eliminate the security bug. You’ll be able to follow along with each step of the exercise and use the accompanying sample ASP.NET Core solution to practice writing secure code. By the end of this book, you’ll be able to identify unsecure code causing different security flaws in ASP.NET Core web apps and you’ll have gained hands-on experience in removing vulnerabilities and security defects from your code.
Table of Contents (15 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Get in touch
Share Your Thoughts
1
Chapter 1: Secure Coding Fundamentals
Chapter 1: Secure Coding Fundamentals
Technical requirements
Input validation
Enabling whitelist validation using validation attributes
Whitelist validation using the FluentValidation library
Syntactic and semantic validation
Input sanitization
Input sanitization using the HTMLSanitizer library
Output encoding
Output encoding using HtmlEncoder
Output encoding using UrlEncoder
Output encoding using JavascriptEncoder
Protecting sensitive data using the Data Protection API
Free Chapter
2
Chapter 2: Injection Flaws
chevron up
Chapter 2: Injection Flaws
Technical requirements
What is SQL injection?
Fixing SQL injection with Entity Framework
Fixing SQL injection in ADO.NET
Fixing NoSQL injection
Fixing command injection
Fixing LDAP injection
Fixing XPath injection
3
Chapter 3: Broken Authentication
Chapter 3: Broken Authentication
Technical requirements
Fixing the incorrect restrictions of excessive authentication attempts
Fixing insufficiently protected credentials
Fixing user enumeration
Fixing weak password requirements
Fixing insufficient session expiration
4
Chapter 4: Sensitive Data Exposure
Chapter 4: Sensitive Data Exposure
Technical requirements
Fixing insufficient protection of data in transit
Fix missing HSTS headers
Fixing weak protocols
Fixing hardcoded cryptographic keys
Disabling caching for critical web pages
5
Chapter 5: XML External Entities
Chapter 5: XML External Entities
Technical requirements
Enabling XML validation
Fixing XXE injection with XmlDocument
Fixing XXE injection with XmlTextReader
Fixing XXE injection with LINQ to XML
6
Chapter 6: Broken Access Control
Chapter 6: Broken Access Control
Technical requirements
Fixing IDOR
Fixing improper authorization
Fixing missing access control
Fixing open redirect vulnerabilities
7
Chapter 7: Security Misconfiguration
Chapter 7: Security Misconfiguration
Technical requirements
Disabling debugging features in non-development environments
Fixing disabled security features
Disabling unnecessary features
Fixing information exposure through an error message
Fixing information exposure through insecure cookies
8
Chapter 8: Cross-Site Scripting
Chapter 8: Cross-Site Scripting
Technical requirements
Fixing reflected XSS
Fixing stored/persistent XSS
Fixing DOM XSS
9
Chapter 9: Insecure Deserialization
Chapter 9: Insecure Deserialization
Technical requirements
Fixing unsafe deserialization
Fixing the use of insecure deserializers
Fixing untrusted data deserialization
10
Chapter 10: Using Components with Known Vulnerabilities
Chapter 10: Using Components with Known Vulnerabilities
Technical requirements
Fixing the use of a vulnerable third-party JavaScript library
Fixing the use of a vulnerable NuGet package
Fixing the use of a library hosted from an untrusted source
11
Chapter 11: Insufficient Logging and Monitoring
Chapter 11: Insufficient Logging and Monitoring
Technical requirements
Fixing insufficient logging of exceptions
Fixing insufficient logging of DB transactions
Fixing excessive information logging
Fixing a lack of security monitoring
12
Chapter 12: Miscellaneous Vulnerabilities
Chapter 12: Miscellaneous Vulnerabilities
Technical requirements
Fixing the disabled anti-Cross-Site Request Forgery protection
Preventing Server-Side Request Forgery
Preventing log injection
Preventing HTTP response splitting
Preventing clickjacking
Fixing insufficient randomness
13
Chapter 13: Best Practices
Chapter 13: Best Practices
Technical requirements
Proper exception handling
Using security-related cookie attributes
Using a Content Security Policy
Fixing leftover debug code
Why subscribe?
14
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Fixing NoSQL injection

NoSQL databases are a different type of database in which non-relational and semi-structured data is stored. There are many kinds of NoSQL databases to name, such as Cassandra, Redis, DynamoDB, and MongoDB, each with its own query language. Although distinct from one another, these queries are also prone to injection attacks.

In this recipe, we will identify the NoSQL injection vulnerability in code that is using MongoDB as the backend and fix the problem by applying several countermeasures.

Getting ready

Using Visual Studio Code, open the sample Online Banking app folder at Chapter02\nosql-injection\before\OnlineBankingApp.

How to do it…

Let's take a look at the steps for this recipe:

  1. Launch Visual Studio Code and open the starting exercise folder by typing the following command:
    code .
  2. Navigate to Terminal | New Terminal in the menu or simply press Ctrl + Shift + ' in Visual Studio Code.
  3. Type the following command in the terminal to build the sample app to confirm that there are no compilation errors:
    dotnet build
  4. Open the Services/PayeeService.cs file and locate the vulnerable part of the code in the Get(string name) method:
    public List<Payee> Get(string name) {
    var filter = "{$where: \"function()         {return this.Name == '" + name + "'}\"}";
    return payees.Find(filter).ToList();
}
  5. To remediate the NoSQL injection vulnerability, change the preceding highlighted code: 
    public List<Payee> Get(string name) {
    return payees.Find(payee => payee.Name ==         name).ToList();
}  

The filter passed into the Find method is now replaced with a Lambda expression, a much more secure way of searching for a payee by name.

How it works…

The Get method has a string parameter that can be supplied with a non-sanitized or validated value. This value can alter the MongoDB filter composed with it, making the NoSQL database perform an unintended behavior.

The name parameter can be appended with an expression that would evaluate the query into a logical result different from what the query was expected to perform. A JavaScript clause can also be inserted into a query that can terminate the statement and add a new block of arbitrary code.

By way of some general advice, avoid using the $where operator. Simply apply a C# Lambda expression as a filter to prevent any injectable JSON or JavaScript expression.

There's more…

Suppose the preceding options are not possible and it is necessary to use the $where clause, you must then JavaScript-encode the input. Use the JavaScriptEncoder class from the System.Text.Encodings.Web namespace to encode the value being passed into the parameter:

  1. First, modify the PayeeService.cs file to add a reference to the Encoder namespace:
    using System.Text.Encodings.Web;
  2. Next, define a property for JavaScriptEncoder:
    private readonly JavaScriptEncoder _jsEncoder;
  3. Change the PayeeService constructor and add a new parameter to inject JavaScriptEncoder:
    public PayeeService(IOnlineBankDatabaseSettings settings,JavaScriptEncoder jsEncoder)
  4. Lastly, encode the name parameter using the Encode function of JavaScriptEncoder:
    var filter = "{$where: \"function() {return this.Name == '" + _jsEncoder.Encode(name) + "'}\"}";

If a malicious input was passed into the name parameter and was escaped by the Encode method, the C# MongoDB driver will throw an exception if the escaped value could not be interpreted as a valid JavaScript expression.

To prevent NoSQL injections, developers must avoid building dynamic queries using string concatenation. NoSQL databases offer ways to query and process data, but you must be aware of potential security implications a feature might bring into the ASP.NET Core web application.

End of Section 6
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete