Web Application Security with ASP.NET at DevConnections, Oct 31-Nov 3 in Las ...

Once again I'll be speaking at DevConnections this fall. One of my talks will tackle one of my main topics: web application security. I'll cover common (and some uncommon) attacks against web sites, discuss countermeasures and have a close look which safeguards ASP.NET offers, and where developers need to add some security code on their own.

As usual I plan to show a number of code demos, so I thought it would be a nice addition to present a list of important resources for topics I am covering in this session. The list tries to focus only on major sources for each topic, but feel free to use the comments to suggest additional websites.

See you in Las Vegas!

• General
  
  
  • The Open Web Application Security Project
  
  


• Cross-Site Scripting (XSS)
  
  
  • Controlling Internet Explorer's XSS filter
  
  
  • XSS Cheat Sheet (unfortunately a bit outdated)
  
  
  • The Microsoft Web Protection Library (includes AntiXSS)
  
  
  • Content Security Policy
  
  


• SQL Injection
  
  
  • Microsoft Source Code Analyzer for SQL Injection (for Classic ASP sites)
  
  
  • How to protect from SQL Injection attacks with ASP.NET
  
  


• Cross-Site Request Forgery (CSRF)
  
  
  • How to protect from CSRF attacks with ASP.NET
  
  
  • AntiCSRF for ASP.NET
  
  
  • .NET CSRF Guard
  
  
  • The X-FRAME-OPTIONS HTTP header
  
  


• CAPTCHAs
  
  
  • The official CAPTCHA site
  
  
  • reCAPTCHA
  
  


• Clickjacking
  
  
  • Clickjacking