Securing ASP.NET Applications - Vulnerabilities

In the last chapter, we dealt with security mainly from the authentication and authorization point of view. We saw how to make sure that we know who is accessing our application and exactly what they are allowed to do within the application.

Unfortunately, unauthenticated logins and unauthorized access are not the only things we need to guard against. As an application developer, you will work on applications of varying security importance. For applications that are valuable enough to motivate someone to actively look for ways to exploit them, you need to make sure you can fend off potential attackers.

This chapter prepares you to be aware of the most common ways in which your web applications built with ASP.NET Core 3 could potentially be attacked.

For every application that you build, it is recommended that you look at its security right from the beginning and not only think about it at deployment time.

For more serious applications, such as enterprise applications, it is not uncommon to hold a threat modeling session in which you enumerate the possible threats to the application you are about to build, and then keep those threats in mind throughout the development phase.

In this chapter, you will learn about the techniques attackers commonly use to exploit web applications and, beyond simply being aware of them, you will learn basic countermeasures that make your application resistant to would-be attackers.

The following topics will be covered in this chapter:

  • Cross-Site Scripting (XSS)
  • Cookie stealing
  • Eavesdropping, message tampering, and message replay
  • Open redirects/XSR
  • SQL injection
  • Cross-Site Request Forgery (XSRF/CSRF)
  • JS/JSON hijacking
  • Over-posting
  • Clickjacking
  • Proper error reporting and stack trace