Course Outline - EC-Council

EC-Council Certified Secure Programmer Exam 312-93Course OutlineEC-Council Certified Secure Programmer-.NETCourse OutlineModule 01: Introduction to .NET Application Security• Microsoft .NET Application Securityo .NET Application Securityo Need for .NET Application Securityo .NET Application Attack Statisticso Understanding Application Securityo End-to-End Securityo What is Secure Coding?o Why are Security Mistakes Made?o Key Elements of .NET Framework Architecture Securityo .NET Security Featureso .NET Framework Security Namespaceso ASP.NET Security Architecture• Common Security Threats on .NETo Web Application Security Frameo Common Security Threats on .NETo OWASP Top 10 Attacks on .NET Security Misconfiguration Cross-Site Scripting (XSS) Attacks SQL Injection Attacks Cross-Site Request Forgery (CSRF) Attack Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards Insecure Direct Object References Broken Authentication and Session Management Insecure Cryptographic Storage• Secure Development Lifecycle (SDL)o Phases of SDLPage | 1EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo SDL Processo Integrating Security into the Development Lifecycleo Security in the Design Stage: Threat Modelingo Threat Modeling Process The STRIDE model The DREAD modelo Guidelines for Applying Security in Implementation Phase of SDLo Security Testing• Secure Coding Principles• Guidelines for Developing Secure CodesModule 02: .NET Framework Security• Introduction to .NET Frameworko .NET Framework Architectureo Basic Components of .NET Framework• .Net Runtime Securityo .NET Framework Runtime Security Modelo Role-Based Security Role-Based Security: Windows Principal Role-Based Security: Generic Principalo Code Access Security (CAS) Using Code Access Security in ASP.NET Evidence-Based Security Permissions Code Access Permissions Identity Permissions Role-Based Security Permissions Permissions Classes in .NET Type Safety SkipVerification Stack Walk Declarative and Imperative Security Syntaxo Isolated StoragePage | 2EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outline• .NET Security Toolso Code Access Security Policy Tool: Caspol.exe Caspol.exe Parameterso Software Publisher Certificate Test Tool: Cert2spc.exeo Certificate Manager Tool: Certmgr.exe Options in Certmgr.exeo Certificate Creation Tool: Makecert.exe Options in Makecert.exeo PEVerify Tool: Peverify.exe Options in Peverify.exeo .NET Security Annotator Tool: SecAnnotate.exeo Sign Tool: SignTool.exeo Strong Name Tool: Sn.exeo Isolated Storage Tool: Storeadm.exe• Best Practices for .NET Framework SecurityModule 03: Input Validation and Output Encoding• Input Validationo Why Input Validation?o Input Validationo Input Validation Specificationo Input Validation Approaches Client-side Input Validation Server-side Input Validation Client-Server Input Validation Reliabilityo Input Filtering Input Filtering Technique: Black Listing Input Filtering Technique: White Listingo Perform Input Validation and Filtering using a Regular Expressiono String Manipulation and Comparisono Data Type Conversiono ASP.NET Validation Controls Set of ASP.NET Validation ControlsPage | 4EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outline RequiredField Validation Control Range Validation Control Comparison Validation Control RegularExpression Validation Control Custom Validation Control Validation Summary Control• Input Validation Attackso Cross Site Scripting (XSS) Attacko SQL Injection Attackso HTML Tags Used in XSS Attack• Defensive Techniques against XSS Attackso XSS Attack Defensive Techniqueso Need for Securing Validation Controlso Securing RequiredField Validation Controlo Securing Range Validation Controlo Specifying the Correct Data Type in Range Validatoro Securing Comparison Validation Controlo Securing RegularExpression Validation Controlo Securing Custom Validation Controlo Integrating Security for Multiple Validation Controls• Defensive Techniques against SQL Injection Attackso SQL Injection Attack Defensive Techniqueso Using Parameterized Querieso Using Parameterized Stored Procedureso Using Escape Routines to Handle Special Input Characterso Database Specific Escaping: Oracle Escapingo Using a Least-Privileged Database Accounto Constraining Input• Output Encodingo ASP.NET Controls with Encoding Supporto Encoding Unsafe Output using HtmlEncodeo Encoding Unsafe Output using UrlEncodeo Anti-XSS LibraryPage | 5EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo Encoding Output using Anti-XSS Library• Sandboxingo Sandboxing Software: Sandboxieo Sandboxing Software: BufferZone Proo Sandboxing API in .NET Frameworko Creating Sandbox for Partial Trust Code• Best Practiceso Microsoft Code Analysis Tool .NET (CAT.NET)Module 04: .NET Authorization and Authentication• Introduction to Authentication and Authorizationo Common Threats with User Authentication and Authorizationo Authentication and Authorization in .NET Web Application Securityo Security Relationship between IIS and ASP.NET• Authenticationo ASP.NET Authenticationo ASP.NET Authentication Modeso Security Settings Matrix between IIS and ASP.NETo Forms Authenticationo Passport Authentication Implementing Passport Authenticationo Custom Authentication Implementing Custom Authentication Schemeo Windows Authenticationo Selecting an Appropriate Authentication Methodo Determining an Authentication Methodo Enterprise Services Authenticationo SQL Server Authentication• Authorizationo Identities, Principals, and Roleso ASP.NET Authorizationo URL Authorizationo File AuthorizationPage | 6EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course OutlineooooooWhat is Impersonation?Impersonation OptionsDelegationCode-based AuthorizationDeclarative AuthorizationImperative AuthorizationExplicit AuthorizationAuthorization using ASP.NET RolesEnterprise Services AuthorizationSQL Server Authorization• Authentication and Authorization VulnerabilitiesooooooooooooooooooooSecuring Forms Authentication TicketsSecuring Hash Generation using SHA1Securing Encryption using AESSecuring Forms Authentication Cookies using SSLSecuring Forms Authentication CredentialsPreventing Session Hijacking using Cookieless AuthenticationSecuring Authentication Token Using Sliding ExpirationAvoiding Forms Authentication Cookies from Persisting Using DisplayRememberMe PropertyAvoiding Forms Authentication Cookies from Persisting Using RedirectFromLoginPageMethodAvoiding Form Authentication Cookies from Persisting Using SetAuthCookie MethodAvoiding Form Authentication Cookies from Persisting Using GetRedirectUrl MethodAvoiding Form Authentication Cookies from Persisting Using FormsAuthenticationTicketConstructorSecuring Passwords with minRequiredPasswordLengthSecuring Passwords with minRequiredNonalphanumericCharactersSecuring Passwords with passwordStrengthRegularExpressionRestricting Number of Failed Logon AttemptsSecuring Application by Using Absolute URLs for NavigationSecuring Applications from Authorization Bypass AttacksCreating Separate Folder for Secure Pages in ApplicationValidating Passwords on CreateUserWizard Control using Regular Expressions• Authentication and Authorization Best PracticesPage | 7EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo Application Categories Considerations: Authentication-Formso Application Categories Considerations: Authorizationo Guidelines for Secure Authentication and Authorization Codingo Secure Development Checklists: Authenticationo Secure Development Checklists: Authorizationo Secure Development Checklists: User-Server Authentication• Secure Communicationo Storing Secretso Options for Storing Secrets in ASP.NETModule 05: Secure Session and State Management• Session Managemento Basic Security Principles for Session Management Tokenso Common Threats to Session Management• Session Management Techniques in ASP.NETo ASP.NET Session Management Techniqueso Client-Side State Management Client-Side State Management Using Cookies Client-Side State Management Using Hidden Fields Client-Side State Management Using View State Client-Side State Management Using Control State Client-Side State Management Using Query Stringso Server-Side State Management Server-Side State Management Using Application Object Server-Side State Management Using Session Object Server-Side State Management Using Profile Properties• Session Attacks and Its Defensive Techniqueso Session Hijacking Securing ASP.NET Application from Session Hijacking Implementing SSL to Encrypt Cookies Setting a Limited Time Period for Expiration Avoid using Cookieless Sessions Avoid using UseUri Cookieless SessionsPage | 8EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outline Avoid Specifying Cookie Modes to AutoDetect Avoid Specifying Cookie Modes to UseDeviceProfile Enabling regenerateExpiredSessionID for Cookieless Sessions Resetting the Session when User Logs Outo Token Prediction Attack Generating Lengthy Session Keys to Prevent Guessingo Session Replay Attack Defensive Techniques for Session Replay Attacko Session Fixationo Session Fixation Attack Securing ASP.NET Application from Session Fixation Attacko Cross-Site Script Attack Preventing Cross-Site Scripting Attack using URL Rewriting Preventing Session Cookies from Client-Side Scripts Attackso Cross-Site Request Forgery Attack Implementing the Session Token to Mitigate CSRF Attacks Defensive Techniques for Cross Site Request Forgery Attack• Securing Cookie Based Session Managemento Cookie-Based Session Managemento Persistent Cookies Information Leakageo Avoid Setting the Expire Attribute to Ensure Cookie Securityo Ensuring Cookie Security using the Secure Attributeo Ensuring Cookie Security using the HttpOnly Attributeo Ensuring Cookie Security using the Domain Attributeo Ensuring Cookie Security using Path Attribute• ViewState Securityo Common Threats on ViewState ViewState Data Tampering Attack ViewState oneClick Attackso Securing ViewState Securing ViewState with Hashing Securing ViewState with Encryption Securing ViewState by Assigning User-Specific KeyPage | 9EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outline• Guidelines for Secure Session ManagementModule 06: .NET Cryptography• Introduction to Cryptographyo Cryptographic Attackso What Should You Do to Keep the .NET Application Away from Cryptographic Attacks?o Cryptographyo Functions of Cryptographyo Common Threats on Functions of Cryptography and Their Mitigation Techniqueso Types of Cryptographic Attacks in .NETo .NET Cryptography Namespaceso .NET Cryptographic Class Hierarchy• Symmetric Encryptiono SymmetricAlgorithm Classo Members of the SymmetricAlgorithm Classo Programming Symmetric Data Encryption and Decryption in .NETo Securing Information with Strong Symmetric Encryption Algorithmo Cipher Function Cipher Modes Vulnerability in Using ECB Cipher Modeo Padding Problem with Zeros Paddingo Symmetric Encryption Keys Securing Symmetric Encryption Keys from Brute Force Attacks Resisting Cryptanalysis Attack Using Large Block Size Generating Non-Predictable Cryptographic Keys using RNGCryptoServiceProvidero Storing Secret Keys and Storing Options Protecting Secret Keys with Access Control Lists (ACLs) Protecting Secret Keys with DPAPIo Self Protection for Cryptographic Applicationo Encrypting Data in the Stream using CryptoStream Class• Asymmetric Encryptiono AsymmetricAlgorithm ClassPage | 10EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineooooooooo• HashingoooooooooMembers of the AsymmetricAlgorithm ClassProgramming Asymmetric Data Encryption and Decryption in .NETAsymmetric Encryption Algorithm Key SecuritySecuring Asymmetric Encryption using Large Key SizeStoring Private Keys SecurelyProblem with Exchanging Public KeysExchanging Public Keys SecurelyAsymmetric Data PaddingProtecting Communications with SSLHashing Algorithms Class Hierarchy in .NETHashing in .NETMembers of the HashAlgorithm ClassProgramming Hashing for Memory DataProgramming Hashing for Streamed DataImposing Limits on Message Size for Hash Code SecuritySetting Proper Hash Code Length for Hash Code SecurityMessage Sizes and Hash Code Lengths Supported by the .NET Framework HashingAlgorithmsSecuring Hashing Using Keyed Hashing Algorithms• Digital SignaturesoooAttacker's Target Area on Digital SignaturesSecurity Features of Digital Signatures.NET Framework Digital Signature Algorithms• Digital Certificatesoo.NET Support for Digital CertificatesProgramming Digital Signatures using Digital Certificates• XML SignaturesoooNeed for Securing XML FilesSecuring XML Files using Digital SignaturesProgramming a Digital Signature for a Sample XML FilePage | 11EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course OutlineModule 07: .NET Error Handling, Auditing, and Logging• Error Handlingo Parameters to be Considered while Designing Secure Error Messages!o What is an Error?o What are Exceptions/Runtime Errors?o Need of Error/Exception Handlingo Secure Exception Handling• Exception Handling in ASP.NETo Handling Exceptions in an Applicationo Class-Level Exception Handlingo Class-Level Exception Handling Vulnerabilities Generic Exception Throwing Vulnerability Generic Exception Catching Vulnerability Vulnerability in Printing StackTrace Vulnerability in Exception.ToString() Method Vulnerability in Swallowing Exceptions Cleanup Code Vulnerability Vulnerability in Re-Throwing Exception Rules of Thumb for Good Exception Managemento Page-Level Exception Handlingo Application-Level Exception Handling Handling Exception with Application_Error Event Handler Handling Exception with ASP.NET Error Page Redirection Mechanism Managing Unhandled Errors Exposing Detailed Error Messages Sensitive Information Leakage Vulnerability in Custom Error Message Unobserved Exception Vulnerability• Exception Handling Best Practiceso Best Practices for Coding Exceptions Safelyo Do’s and Don’ts in Exception Handlingo Guidelines for Proper Exception Handlingo Error Handling Security Checklists• Auditing and LoggingPage | 12EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo What is Logging and Auditing?o Need of Secure Logging and Auditingo Common Threats to Logging and Auditingo What Should be Logged?o What Should NOT be Logged?o Where to Perform Event Logging?o Performing Log Throttling in ASP.NET Health Monitoring Systemo Windows Event Log Preventing Windows Event Log from Denial of Service Attack Securing Windows Event log Preventing Rogue Administrators from Tampering with Windows Event Logso Centralizing Logging and Configuring its Securityo Tracing in .NET Writing Trace Output to Windows Event Log Using EventLogTraceListener• Auditing and Logging Best Practiceso Tracing Security Concerns and Recommendationso Secure Auditing and Logging Best Practices: Protecting Log Recordso Secure Auditing and Logging Best Practices: Fixing the Logso Auditing and Logging Security Checklists• .NET Logging Toolso Apache Foundation’s log4neto SmartInspecto NLogo Logview4neto .NET Logging ToolsModule 08: .NET Secure File Handling• File Handlingo System.IO Namespace Classes• Attacks on File and Its Defensive Techniqueso Path Traversal Attack Protecting Path Traversal Attack Possible Methods to Prevent Path TraversalPage | 13EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo Canonicalization Canonicalization Attack Protecting the Applications against Canonicalization Attacks• Securing Fileso Securing the Static Fileso Adding Role Checks to File Accesso Securing File I/O from Untrusted File Inputo Securing File I/O with Absolute Patho Constrain File I/O by Configuring Code Access Security Policyo Securing User-Specified Files with FileIOPermissiono Virtual Path Mapping Using MapPatho Preventing Cross-Application Mapping Using MapPatho Validating File Names using GetFullPatho Securing User Uploaded Files• File Extension Handlingo Active Server Pages (ASP) Directory Listingo Creating Directory Listing• Isolated Storageo Isolated Storage - Get Store/ Open Storeo Isolated Storage Root Location Storage Fileso Isolated Storage Example• File Access Control Lists (ACLs)o File ACLso Required .NET Access Control Lists (ACLs)• Checklist for Securely Accessing FilesModule 09: .NET Configuration Management and Secure Code Review• Configuration Managemento ASP.NET Configuration Fileso ASP.NET Configuration File Modelo ASP.NET Configuration File Locationso Configuration Management Threats• Machine Configuration FilePage | 14EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course OutlineooMachine Configuration File: Machine.configMachine.config Vulnerability• Application Configuration FilesooApplication Configuration File: Web.configWeb.config Vulnerabilities: Default Error MessageWeb.config Vulnerabilities: Leaving Tracing Enabled in Web-Based ApplicationsWeb.config Vulnerabilities: Leaving Debugging EnabledWeb.config Vulnerabilities: Cookies Accessible through Client-Side ScriptWeb.config Vulnerabilities: Enabled Cookieless Session StateWeb.config Vulnerabilities: Enabled Cookieless AuthenticationWeb.config Vulnerabilities: Failure to Require SSL for Authentication CookiesWeb.config Vulnerabilities: Using Sliding ExpirationWeb.config Vulnerabilities: Using Non-Unique Authentication CookieWeb.config Vulnerabilities: Using Hardcoded CredentialWeb.config Vulnerabilities: Securing List-based Controls using EnableEventValidationWeb.config Vulnerabilities: Securing Passwords using PasswordFormatWeb.config Vulnerabilities: Changing Default Values of Membership SettingsWeb.config Vulnerabilities: Securing Against XSS Attack VulnerabilitiesWeb.config Vulnerabilities: Securing Against DoS Attack VulnerabilitiesWeb.config Vulnerabilities: Preventing ViewState from TamperingWeb.config Vulnerabilities: Securing ViewState with SDL-approved CryptographicAlgorithmsWeb.config Vulnerabilities: Securing ViewState with Strong Validation KeyWeb.config Vulnerabilities: Securing ViewState using EncryptionWeb.config Vulnerabilities: Selecting Right Algorithm for ViewState EncryptionWeb.config Vulnerabilities: Deploying Application with Strong decryption KeyWeb.config Vulnerabilities: Ignoring Validation ErrorsApplication Configuration Files: App.exe.configApp.exe.config Vulnerabilities• Code Access Security Configuration FilesoooEnterprise Policy Configuration File: enterprisesec.configMachine and User Policy Configuration File: security.configASP. NET Policy Configuration FilesPage | 15EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.

EC-Council Certified Secure Programmer Exam 312-93Course Outlineo .NET Framework Configuration Tool: Mscorcfg.msc Mscorcfg.msc Featureso Code Access Security Policy Tool: Caspol.exe• Configuration Management Best Practices• Secure Code Reviewo Why Secure Code Review?o Security Code Review Approach Step 1: Identify Security Code Review Objectives Step 2: Perform Preliminary Scan Step 3: Review Code for Security Issues Step 4: Review for Security Issues Unique to the Architecture• Static Code Analysis Toolso Parasoft dotTESTo Microsoft FxCopo StyleCopo NDependo ReSharperPage | 16EC-Council Certified Secure Programmer Copyright © by EC-CouncilAll Rights Reserved. Reproduction Is Strictly Prohibited.