Scott Norberg

Advanced ASP.NET Core 3 Security

Understanding Hacks, Attacks, and Vulnerabilities to Secure Your Website

1st ed.
Scott Norberg
Issaquah, WA, USA
ISBN 978-1-4842-6016-6
e-ISBN 978-1-4842-6014-2
© Scott Norberg 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
Introduction

A lot of resources exist if you want to learn how to use the security features built into ASP.NET Core. Features like checking for authorization, Cross-Site Request Forgery (CSRF) prevention, and Cross-Site Scripting (XSS) prevention are either well documented or hard to get wrong. But what if you need to secure your system beyond what comes with the default implementation? If you need to encrypt data, how do you choose an algorithm and store your keys? If you need to make changes to the default login functionality to add password history and IP address verification, how would you go about doing so? How would you implement PCI- or HIPAA-compliant logs?

Perhaps most importantly, what else do you need to know to be sure your website is secure?

This book will certainly cover the former concepts, i.e., it will cover best practices with ASP.NET Core security that you can find elsewhere. But the true value of this book is to provide you the information you won’t find in such sources. In addition to explaining security-related features available in the framework, it will cover security-related topics not covered often in development textbooks and training, sometimes digging deep into the ASP.NET Core source code explaining how something works (or how to fix a problem).

In short, this is meant to be a book about web security that just happens to use ASP.NET Core as its framework, not a book about ASP.NET Core that just happens to cover security.

Who Should Read This Book

If you’re a software developer who has some experience creating websites in some flavor of ASP.NET and you want to know more about making your website secure from hackers, you should find this book useful. You should already know the basics of web technologies like HTML, JavaScript, and CSS, how to create a website, and how to read and write C#. If you are brand new to web development, though, you may find that some of the concepts are too in depth for you, so you should consider reading some books on website development before tackling advanced security.

You do not need to have much previous knowledge of security concepts, even those that are often covered under other materials that attempt to teach you ASP.NET Core. In order to ensure everyone has a similar understanding of security, this book starts by going over general concepts from a security perspective, then going over web-related security concepts, and then finally applying those concepts directly to ASP.NET Core.

If your background is in security and you are working with a development team that uses ASP.NET Core at least part of the time, you may find it useful to read the book to understand what attacks are easy to prevent in the framework as it is intended to be used and which are hard.

An Overview of This Book

This book is intended to be read in order, and each chapter builds on the previous ones. It starts with general concepts, applies them to real-world problems, and then finishes by diving into web-specific security concepts that may be new material to you as a software developer.

Chapter 1 – Introducing ASP.NET Core

Chapters 1–5 cover topics that serve as a foundation for all subsequent chapters. Chapter 1 covers much of what makes each version of ASP.NET Core, Razor Pages and MVC, different from its predecessors, ASP.NET Web Forms and ASP.NET MVC. It focuses on areas that you will need to know about in creating a secure website, such as knowing how to set up services properly and how to replace them as needed.

Chapter 2 – General Security Concepts

This chapter covers concepts that full-time security professionals worry about that don’t get covered in most programming courses or textbooks but are important to know for excellent application development security. I will start by describing what security is (beyond just stopping hackers) so we have a baseline for discussions and move into concepts that will help you design more secure software.

Chapter 3 – Cryptography

Cryptography is an extremely important concept in building secure systems but is not covered in depth in most programming textbooks and courses. At least in my experience, that results in an uneven knowledge of how to properly apply cryptography in software. You will learn about the differences between symmetric and asymmetric cryptography, what hashing is and where it’s useful, and how to securely store the keys necessary to keep your data secure.

Chapter 4 – Web Security Concepts

After discussing security in general, it will be time to cover security-related topics specific to web. Most of the topics in this chapter should look familiar to you as a web developer, but the goal is to dive deeper into each topic than is needed to program most websites in order to better understand where your website might be vulnerable. This chapter also introduces Burp Suite, a popular software product used by penetration testers around the world, which you can use to perform basic penetration tests on your own.

Chapter 5 – Understanding Common Attacks

The idea behind this chapter is to show you most of the common types of attacks to which ASP.NET Core websites can be vulnerable. It will not only cover the most basic forms of each attack that occur in other textbooks but also show you more advanced versions that real hackers use to get around common defenses.

Chapter 6 – Processing User Input

Chapter 6 is the start of the chapters that dive more deeply into ASP.NET Core itself. Chapters 6–8 will cover implementing existing best practices, as well as extending the framework to meet advanced security needs.

Perhaps the biggest challenge to keeping websites secure is that the vast majority of websites must accept user input in some way. Validating that input in a way that allows all legitimate traffic but blocks malicious traffic is more difficult than it seems. Removing apostrophes can help stop many types of SQL injection attacks, but then adding the business name “Joe’s Deli” becomes impossible. Preventing XSS is much harder if you need to display HTML content that incorporates user input. This chapter will cover ways in which you can (more) safely accept and process user input in your ASP.NET Core website.

Chapter 7 – Authentication and Authorization

This is the aspect of security that seems to be the best documented in ASP.NET Core materials. This is for good reason – knowing who is accessing your site and keeping them from accessing the wrong places is vital to your security. However, I believe that the built-in username and password tracking in a default ASP.NET Core site is easily the most insecure part of the default site. Stealing user credentials on an ASP.NET Core website with a reasonable number of users is trivial. This chapter will cover the issues that exist even in a well-implemented solution and how to fix them.

Chapter 8 – Data Access and Storage

The solution to solving security issues around data access – using parameterized queries for every call to the database – has been well established for well over a decade now. Yet these issues still crop up in the wild, even in my experience evaluating ASP.NET Core–based sites. What parameterized queries are, why they’re so important, and how the ASP.NET Core framework uses them by default are covered in this chapter. I will also show you some techniques to create easily reusable ways to filter your Entity Framework (EF) query results to only items your users should see.
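The two summaries above (Chapter 6's "Joe's Deli" problem and Chapter 8's parameterized queries) describe the same trade-off from two sides. The following is an added example, not code from the book, that shows it concretely: inserting a business name containing an apostrophe with string concatenation fails, while the parameterized form stores it intact because the value travels separately from the SQL text. It assumes the Microsoft.Data.Sqlite package and an in-memory SQLite database; the Business table and the sample name are constructed for illustration.

```csharp
// Added example (not from the book). Assumes Microsoft.Data.Sqlite;
// the table and sample data below are constructed for illustration.
using System;
using Microsoft.Data.Sqlite;

class ParameterizedQueryDemo
{
    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        using (var create = conn.CreateCommand())
        {
            create.CommandText =
                "CREATE TABLE Business (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL)";
            create.ExecuteNonQuery();
        }

        // Legitimate input that happens to contain an apostrophe.
        string name = "Joe's Deli";

        // Naive approach: concatenating the input into the SQL text. The
        // apostrophe closes the string literal early, so the statement is
        // malformed and the database rejects it. Stripping apostrophes would
        // "fix" the error only by corrupting the customer's real data.
        try
        {
            using var bad = conn.CreateCommand();
            bad.CommandText = "INSERT INTO Business (Name) VALUES ('" + name + "')";
            bad.ExecuteNonQuery();
        }
        catch (SqliteException ex)
        {
            Console.WriteLine("Concatenated query failed: " + ex.Message);
        }

        // Parameterized approach: the driver sends the value separately from
        // the statement, so the apostrophe is just a character in the data
        // and can never change the structure of the query.
        using (var good = conn.CreateCommand())
        {
            good.CommandText = "INSERT INTO Business (Name) VALUES ($name)";
            good.Parameters.AddWithValue("$name", name);
            good.ExecuteNonQuery();
        }

        // Read the row back to confirm the name was stored unchanged.
        using (var read = conn.CreateCommand())
        {
            read.CommandText = "SELECT Name FROM Business";
            using var reader = read.ExecuteReader();
            while (reader.Read())
                Console.WriteLine("Stored: " + reader.GetString(0));
        }
    }
}
```

Entity Framework Core generates parameterized SQL for LINQ queries and for `FromSqlInterpolated`, which is why the chapter describes the framework as using parameters by default; the hand-written ADO.NET form above is the same mechanism made visible.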

Chapter 9 – Logging and Error Handling

Chapters 9–11 cover additional topics that, in my opinion, every developer needs to know about security in order to be considered knowledgeable about the topic.

Many readers will be tempted to skip Chapter 9 because logging is one of the least exciting topics here. It also may be one of the most important in detecting (and therefore stopping) potential criminals. Logging is much improved in ASP.NET Core over previous versions, but unfortunately that logging framework is built for finding programming problems, not finding potentially malicious activity. This chapter is about how logging works in ASP.NET Core, where its weaknesses are, and how to build something better.

Chapter 10 – Setup and Configuration

With the introduction of Kestrel, an intermediate layer in between the web server and the web framework, more of the responsibility for keeping the website secure on a server level falls into the developer’s sphere of responsibility. Even if you’re a developer in a larger shop with another team that is responsible for configuring web servers, you should be aware of most of the content in this chapter.

Chapter 11 – Secure Application Life Cycle Management

Building software and then trying to secure it afterward almost never works. Building secure software requires that you incorporate security into every phase of your process, from planning to development to testing to deployment to support. If you’re relatively new to mature security, though, starting such processes might be daunting. This chapter covers tools and concepts that help you verify that your website is reasonably secure and helps you keep it that way.

Contacting the Author

If you have any questions about any of this content, or if you want to inquire about hiring me for a project, please reach out to me at [email protected].

Acknowledgments

It would be impossible to truly acknowledge everyone who had a hand, directly or indirectly, in this book. I owe a lot to Pat Emmons and Mat Agee at Adage Technologies, who not only gave me my first programming job but also gave me the freedom to learn and grow to become the programmer I am today. Before that, I owe a lot to the professors and teachers who taught me how to write well, especially Karen Cherewatuk at St. Olaf College. I also learned quite a bit from my first career in band instrument repair, especially from my instructors, John Huth and Ken Cance, about the importance of always doing the right thing, but doing it in a way that is not too expensive for your customer. And of course, I also want to thank my editors at Apress, Laura Berendson, Jill Balzano, and especially Joan Murray, without whom this book wouldn’t be possible.

But most of all, I owe a lot to my wife, Kristin. She was my editor during my blogging days, and patiently waited while I chased one business idea after another, two of which became the backbone of this book. This book would not have been written without her support.

About the Author
Scott Norberg

is a web security specialist with almost 15 years of experience in various technology and programming roles, focusing on developing and securing websites built with ASP.NET. As a security consultant, he specializes in blue team (defensive) techniques such as Dynamic Application Security Testing (DAST), code reviews, and manual penetration testing. He also has an interest in building plug-and-play software libraries that developers can use to secure their sites with little to no extra effort. As a developer, Scott has primarily built websites with C# and various versions of ASP.NET, and he has also built several tools and components using F#, VB.NET, Python, R, Java, and Pascal.

He holds several certifications, including Microsoft Certified Technology Specialist (MCTS) certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) certification. He also has an MBA from Indiana University.

Scott is currently working as a contractor and consultant through his business, Norberg Consulting Group, LLC. You can see his latest ideas and projects at https://scottnorberg.com.

About the Technical Reviewer
Fabio Claudio Ferracchiati

is a senior consultant and a senior analyst/developer using Microsoft technologies. He works for NuovoIMAIE (www.nuovoimaie.it). He is a Microsoft Certified Solution Developer for .NET, a Microsoft Certified Application Developer for .NET, a Microsoft Certified Professional, and a prolific author and technical reviewer. Over the past 10 years, he’s written articles for Italian and international magazines and coauthored more than ten books on a variety of computer topics.
