Advanced C# Programming

Training course

Understanding values and references

Implement Data Access

Microsoft Visual C# Step by Step, 9th Edition

Design and Implement an Azure Storage Strategy

Design data implementation

The Security Development Lifecycle

Advanced C#, ASP.NET and Web application security

Beyond a solid working knowledge of the security features of .NET and ASP.NET, even experienced programmers need a deep understanding of Web-related vulnerabilities on both the server and the client side, together with the consequences of the various risks.

In this course the general web-based vulnerabilities are demonstrated by presenting the relevant attacks, while the recommended coding techniques and mitigation methods are explained in the context of ASP.NET. Special focus is given to client-side security, tackling the security issues of JavaScript, Ajax and HTML5.


Web developers using ASP.NET

Prior knowledge

Preparedness: Advanced C# and ASP.NET and Web application


The course is taught in English (Contact us if you prefer Swedish).


Material in English

The course also deals with the security architecture and components of the .NET framework, including code- and role-based access control, permission declaration and checking mechanisms, and the transparency model. A brief introduction to the foundations of cryptography provides a common practical baseline for understanding the purpose and operation of the various algorithms, on which basis the course presents the cryptographic features available in .NET.

The introduction of the different security bugs follows well-established vulnerability categories: input validation, security features, error handling, time- and state-related problems, general code quality issues, and a special section on ASP.NET-specific vulnerabilities. These topics conclude with an overview of testing tools that can automatically reveal some of the bugs covered.

Topics are presented through practical exercises in which participants can try out for themselves the consequences of certain vulnerabilities, the mitigations, and the APIs and tools discussed.

Web vulnerabilities: OWASP Top 10 and beyond: SQL injection and other injection flaws; Cross-Site Scripting (persistent and reflected XSS); session handling challenges; using cookies; remote code execution; Insecure Direct Object Reference; Cross-Site Request Forgery (CSRF); restricting URL access.

Client-side security: JavaScript same origin policy, authentication and password management in JavaScript, obfuscating JavaScript code, ClickJacking; Ajax security, XSS and CSRF in Ajax; HTML5 ClickJacking, form tampering, cross-origin requests, client-side include.

.NET and ASP.NET security technologies and services: Code Access Security, permissions, the stack walk, trust levels; Role-based Security; cryptography basics, symmetric and asymmetric algorithms, hashing, public-key infrastructure (PKI), cryptography in .NET; ASP.NET authentication and authorization solutions, Windows and Forms authentication, Live SDK, roles; session handling; XSS protection, validation features, ViewState protection in ASP.NET.

.NET-specific vulnerabilities: input validation problems, using native code, integer overflows in .NET, using the checked keyword, log forging; improper use of cryptographic features, insecure randomness in .NET, challenges of password management, cracking hashed passwords with search engines; improper error and exception handling; time and state problems, race conditions, synchronization and mutual exclusion, deadlocks, file and database race conditions; general code quality issues, object hijacking, immutable objects, serialization of sensitive information; Denial-of-Service (DoS) in .NET, hashtable collision, attacks against ASP.NET, string termination inconsistency, and many more.

Exercises: exploiting SQL injection step by step; exploiting command injection; crafting Cross-Site Scripting attacks through both reflective and persistent XSS; HTML injection; session fixation; uploading and running executable code; insecure direct object reference; committing Cross-Site Request Forgery (CSRF); sandboxing .NET code; using roles; using cryptographic classes in .NET; implementing Forms authentication; input validation in ASP.NET; crashing native code; unsafe reflection; hash cracking by googling; using reflection to break accessibility modifiers; information leakage through error reporting; missing synchronization; wrong exclusion granularity; avoiding deadlocks; overcoming file race conditions; object hijacking; immutable strings; preventing serialization; using hidden and disabled controls; value shadowing.

Using security testing tools: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (SqlMap, SqlNinja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), sniffers (Tcpdump, Ngrep, Wireshark), proxy servers (Burp Suite, Paros proxy), static source code analyzers for .NET (FxCop).

Clean Architecture & Onion Architecture

The term "Clean Architecture" is simply the title of the article. The onion architecture is one specific application of the concepts explained in that article.