Course Overview

This 3-day course teaches students the fundamentals of web application security by allowing them to play the role of a malicious user and perform a variety of tasks involving application profiling and penetration testing. After that, students learn about the countermeasures and best practices necessary for building a secure ASP.NET web application.

Key Learning Areas

  • Gain a familiarity with the tools and techniques used to exploit web application vulnerabilities
  • Perform profiling tasks and penetration testing against a sample web application
  • Learn about various forms of input injection and their associated countermeasures
  • Acquire hands-on experience with configuring IIS to host secure ASP.NET web applications
  • Use the cryptography classes in the .NET Framework to explore various forms of encryption and signing
  • Learn about several different forms of authentication and study their advantages and drawbacks

Course Outline

  • Introduction
  • Review of HTTP
  • OWASP Top Ten
  • Profiling
  • Cryptography
  • Injection
  • Authentication Fundamentals
  • Authentication Protocols
  • OAuth 2.0
  • ASP.NET Identity
  • Authorization
  • Application Vulnerabilities
  • IIS Hardening
  • Conclusion

Who Benefits

This course aims to arm students with the knowledge and tools necessary to secure all aspects of an ASP.NET-based web application. After a brief introduction to the current state of web application security, students gain a deeper understanding of HTTP and the most common exploits. With a clearer picture of what is possible, students learn about the actual steps involved in carrying out a modern cyberattack.

Switching from the role of attacker to defender, students start to assemble their toolbox by learning about the wide variety of cryptographic mechanisms available and how to properly employ them. Moving up the application stack, students learn to analyze application security requirements and develop an implementation strategy for higher-level concerns such as authentication and authorization.
Prior ASP.NET development experience is assumed. Experience with ASP.NET MVC and Web API is helpful but not absolutely required.