Author: empty | Pages: 440 | Publisher: empty
For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com. The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. ... to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought. ISBN: 978-0-470-74365-2. A catalogue record for this book is available from the British Library. Set in 9.5/12 Sabon Roman at MacMillan Publishing Solutions. Printed in Great Britain by Bell and Bain, Glasgow.
To mum, who asked me more about the book's progress almost as often as the long-suffering Wrox staff did. And to Emily, who had to put up with my stress and frustration when the words didn't come.
ABOUT THE AUTHOR
BARRY DORRANS is a consultant based in the United Kingdom, a public speaker, and Microsoft MVP in the "Visual Tools—Security" category. His development experience started out with a Sinclair ZX Spectrum, graduating through IBM PCs, minicomputers, mainframes, C++, SQL, Visual Basic, and the .NET Framework. His approach to development and speaking blends humor with the paranoia suitable for considering security. In recent years, Barry has mentored developers through the full lifecycle of ASP.NET development, worked on the Subtext Open Source blogging platform, and started his own Open Source project for Information Card identity providers, SharpSTS. Born in Northern Ireland, he still misses the taste of real Guinness.
CREDITS
ACKNOWLEDGMENTS
CLICHÉD THOUGH IT IS, there are too many people to thank individually. I would like to specifically acknowledge the help and inspiration of two fellow Microsoft MVPs: Dominick Baier (who has been my main sounding board) and Alex Smolen (my Technical Editor, who has been there to catch my mistakes and point out what I missed). I'd also like to thank all those folks in various Microsoft teams who have put up with my questions, queries, and misunderstandings with good humor over the years, and during the writing process, especially the UK DPE team, without whose help I doubt I'd learn anywhere near as much. Part of the confidence to write this book has come from my involvement with the UK developer community, especially the Developer Developer Developer conferences. It would be impossible to thank everyone who has let me speak, or come along to listen, but I would like to give special thanks to community leaders and fellow authors Craig Murphy and Phil Winstanley for their unflinching support of both my speaking engagements and their advice, as well as to Trevor Dwyer, who bullied me into my very first conference presentation all those years ago.
CONTENTS
CHAPTER 1: WHY WEB SECURITY MATTERS
Anatomy of an Attack
Risks and Rewards
Building Security from the Ground Up
Defense in Depth
Never Trust Input
Fail Gracefully
Watch for Attacks
Use Least Privilege
Requesting a Resource
Responding to a Request
Echoing User Input Safely
Mitigating Against XSS
The Microsoft Anti-XSS Library
Validating View State
Encrypting View State
Firewalls and Cryptography Are Not a Panacea
Security Should Be Your Default State
Code Defensively
The OWASP Top Ten
Moving Forward
Checklists
PART I: THE ASP.NET SECURITY BASICS
CHAPTER 2: HOW THE WEB WORKS
Sniffing HTTP Requests and Responses
Understanding HTML Forms
Examining How ASP.NET Works
Understanding How ASP.NET Events Work
Examining the ASP.NET Pipeline
Writing HTTP Modules
Summary
CHAPTER 3: SAFELY ACCEPTING USER INPUT
Defining Input
Dealing with Input Safely
The Security Run-time Engine
Constraining Input
Protecting Cookies
Validating Form Input
Validation Controls
Standard ASP.NET Validation Controls
A Checklist for Handling Input
CHAPTER 4: USING QUERY STRINGS, FORM FIELDS, EVENTS, AND BROWSER INFORMATION
Using the Right Input Type
Query Strings
Form Fields
Request Forgery and How to Avoid It
Using the Required Field Validator
Using the Range Validator
Using the Regular Expression Validator
Using the Compare Validator
Using the Custom Validator
Validation Groups
Mitigating Against CSRF
Protecting ASP.NET Events
Avoiding Mistakes with Browser Information
A Checklist for Query Strings, Forms, Events, and Browser Information
CHAPTER 5: CONTROLLING INFORMATION
Controlling View State
Protecting Against View State One-Click Attacks
Removing View State from the Client Page
Disabling Browser Caching
Error Handling and Logging
Improving Your Error Handling
Watching for Special Exceptions
Choosing a Hashing Algorithm
Protecting Passwords with Hashing
Logging Errors and Monitoring Your Application
Using the Windows Event Log
Using Email to Log Events
Using ASP.NET Tracing
Using Performance Counters
Using WMI Events
Another Alternative:Logging Frameworks
Limiting Search Engines
Controlling Robots with a Metatag
Controlling Robots with robots.txt
Protecting Passwords in Config Files
A Checklist for Query Strings, Forms, Events, and Browser Information
CHAPTER 6: KEEPING SECRETS SECRET - HASHING AND ENCRYPTION
Protecting Integrity with Hashing
Encrypting Data
Salting Passwords
Generating Secure Random Numbers
Understanding Symmetric Encryption
Protecting Data with Symmetric Encryption
Sharing Secrets with Asymmetric Encryption
Using Asymmetric Encryption without Certificates
Using Certificates for Asymmetric Encryption
Getting a Certificate
Using the Windows DPAPI
A Checklist for Encryption
PART II: SECURING COMMON ASP.NET TASKS
CHAPTER 7: ADDING USERNAMES AND PASSWORDS
Authentication and Authorization
Discovering Your Own Identity
Adding Authentication in ASP.NET
Using Forms Authentication
Configuring Forms Authentication
Using SQL as a Membership Store
Creating Users
Examining How Users Are Stored
Configuring the Membership Settings
Creating Users Programmatically
Supporting Password Changes and Resets
Windows Authentication
Configuring IIS for Windows Authentication
Impersonation with Windows Authentication
Authorization in ASP.NET
Examining <allow> and <deny>
Role-Based Authorization
Connecting Without Passwords
SQL Permissions
Drawbacks of the VS Built-in Web Server
Configuring Roles with Forms-Based Authentication
Using the Configuration Tools to Manage Roles
Managing Roles Programmatically
Managing Role Members Programmatically
Roles with Windows Authentication
Limiting Access to Files and Folders
Checking Users and Roles Programmatically
Securing Object References
A Checklist for Authentication and Authorization
CHAPTER 8: SECURELY ACCESSING DATABASES
Writing Bad Code:Demonstrating SQL Injection
Fixing the Vulnerability
More Security for SQL Server
Adding a User to a Database
Managing SQL Permissions
Groups and Roles
Least Privilege Accounts
Using Views
SQL Express User Instances
Dynamic SQL Stored Procedures
Using SQL Encryption
Encrypting by Pass Phrase
SQL Symmetric Encryption
SQL Asymmetric Encryption
Examining the Update Panel
Examining the Script Manager
Demanding Minimum CAS Permissions
Asking and Checking for CAS Permissions
Testing Your Application Under a New Trust Level
Calculating Hashes and HMACs in SQL
Making Static Files Secure
Valid XML
Avoiding XPath Injection
Encrypting XML Documents
Using a Symmetric Encryption Key with XML
Transport Security
Message Security
Mixed Mode
Selecting the Security Mode
Choosing the Client Credentials
Adding Security to an Internet Service
Signing Messages with WCF
Logging and Auditing in WCF
Validating Parameters Using Inspectors
Using Message Inspectors
Throwing Errors in WCF
A Checklist for Securing WCF
RIA Architecture
Security in Ajax Applications
The XMLHttpRequest Object
The Ajax Same Origin Policy
The Microsoft ASP.NET Ajax Framework
Security in Silverlight Applications
Using ASP.NET Trust Levels
A Checklist for Securely Accessing Databases
CHAPTER 9: USING THE FILE SYSTEM
Accessing Existing Files Safely
Checking That Your Application Can Access Files
Making a File Downloadable and Setting Its Name
Adding Further Checks to File Access
Adding Role Checks
Anti-Leeching Checks
Accessing Files on a Remote System
Creating Files Safely
Handling User Uploads
Using the FileUpload Control
A Checklist for Securely Accessing Files
CHAPTER 10: SECURING XML
Validating XML
Well-Formed XML
XML Parsers
Querying XML
Securing XML Documents
Using an Asymmetric KeyPair to Encrypt and Decrypt XML
Using an X.509 Certificate to Encrypt and Decrypt XML
Signing XML Documents
A Checklist for XML
PART III: ADVANCED ASP.NET SCENARIOS
CHAPTER 11: SHARING DATA WITH WINDOWS COMMUNICATION FOUNDATION
Creating and Consuming WCF Services
Security and Privacy with WCF
CHAPTER 12: SECURING RICH INTERNET APPLICATIONS
Security Considerations with Update Panel and Script Manager
Understanding the Core