OWASP Top 10 in ASP.NET Core

<h2 class="wp-block-heading">Introduction</h2> The OWASP Top 10 ASP.NET Core is the most important baseline for modern web application security. It represents real-world vulnerabilities observed in enterprise systems, SaaS platforms, APIs, and microservices. For developers working with ASP.NET Core, these risks are not theoretical — they exist in everyday code: controllers, LINQ queries, JWT authentication, configuration, error handling, and external integrations. A typical application may look clean: <ul class="wp-block-list"> <li>Dependency Injection ✔</li> <li>Entity Framework ✔</li> <li>JWT ✔</li> <li>Docker ✔</li> </ul> But still be vulnerable. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">🔴 Image — Request Security Flow</h2> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/3SkRQQtZPdr6aIY40v2wcPiEhm_teEna0KBmujGOP6ZKA_t7fsj5cBp44D2JVxDiHmv2dTDdCFFZ0dYqvQzWi0tUNh8uJ0PyZZr9GNRNlNybDjk_J9FyTWkQNud6E4ve3gWxsUd-wtS73ZDEiqTQ2_RuOtUE9h_HBCSggqNTk2o?purpose=inline" alt="OWASP Top 10 ASP.NET Core"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/VIzHO7KQhJ3sTN4fa9By9KyUDFV1nTpSoIxHVz0BMyKtMbhauvx5dmUhq2Aa_UNbvNbkkAeuEmd5uGfqZZojBNvLmRkb_GYaenELo1DeoAnyJ20Dwy8Hn-pT5oKJgRZuNjYN2jfnVOXPHO8TSMjxulnguAvRwkdOMnUUffjXc1A?purpose=inline" alt="OWASP Top 10 ASP.NET Core"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/u-ZTGWDwhn8ArcHVJVDYCGs2Ma15xsgRE94Uy7LWs02nXsTm2zsKBjn2g9Zx7A32ArNwyLOJqsHJdx5s6q8uPfdJu5-fy6308rCJLoH7Ef3ANKeHNVGOsPX0AXgsJm-vgCLjzjc7tLI3_NJeJer5EBCz6WtXoTv3dBJnRPBl1C0?purpose=inline" alt="OWASP Top 10 ASP.NET Core"/></figure> 6 <pre class="wp-block-code"><code>User → Validation → Authentication → Authorization → Business Logic → Database</code></pre> <h3 class="wp-block-heading">In OWASP Top 10 ASP.NET Core most vulnerabilities happen when one of these steps is skipped.</h3> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">1. Broken Access Control</h2> <h2 class="wp-block-heading">❌ Example 1 — Missing Ownership Check</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>[HttpGet("{id}")] public async Task<IActionResult> GetOrder(int id) { var order = await db.Orders.FindAsync(id); return Ok(order); }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>[HttpGet("{id}")] public async Task<IActionResult> GetOrder(int id) { var order = await db.Orders.FindAsync(id); return Ok(order); }</code></pre></div> <h3 class="wp-block-heading">Attack</h3> <pre class="wp-block-preformatted">GET /orders/1 GET /orders/2 GET /orders/3</pre> User reads data. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — Admin Endpoint Without Role Check</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>[HttpDelete("{id}")] public async Task<IActionResult> DeleteUser(int id) { var user = await db.Users.FindAsync(id); db.Users.Remove(user); await db.SaveChangesAsync(); return Ok(); }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>[HttpDelete("{id}")] public async Task<IActionResult> DeleteUser(int id) { var user = await db.Users.FindAsync(id); db.Users.Remove(user); await db.SaveChangesAsync(); return Ok(); }</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>[Authorize(Roles = "Admin")] [HttpDelete("{id}")] public async Task<IActionResult> DeleteUser(int id) { ... }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>[Authorize(Roles = "Admin")] [HttpDelete("{id}")] public async Task<IActionResult> DeleteUser(int id) { ... }</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Secure Ownership Check</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var userId = User.FindFirst("sub")?.Value; var order = await db.Orders .Where(o => o.Id == id && o.UserId == userId) .FirstOrDefaultAsync();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var userId = User.FindFirst("sub")?.Value; var order = await db.Orders .Where(o => o.Id == id && o.UserId == userId) .FirstOrDefaultAsync();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">2. Injection</h2> <h2 class="wp-block-heading">🔴 Image — SQL Injection</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — Raw SQL</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var sql = "SELECT * FROM Users WHERE Email = '" + email + "'"; var users = db.Users.FromSqlRaw(sql).ToList();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var sql = "SELECT * FROM Users WHERE Email = '" + email + "'"; var users = db.Users.FromSqlRaw(sql).ToList();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — Command Injection</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>Process.Start("cmd.exe", "/c ping " + host);</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>Process.Start("cmd.exe", "/c ping " + host);</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 1 — LINQ</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var user = await db.Users .FirstOrDefaultAsync(x => x.Email == email);</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var user = await db.Users .FirstOrDefaultAsync(x => x.Email == email);</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 2 — Sanitization + Whitelist</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>if (!Regex.IsMatch(host, @"^[a-zA-Z0-9.-]+$")) return BadRequest();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>if (!Regex.IsMatch(host, @"^[a-zA-Z0-9.-]+$")) return BadRequest();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">3. Cryptographic Failures</h2> <h2 class="wp-block-heading">🔴 Image — Password Security</h2> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/RjkSdvuoELX5tXbV_6leYNcTfqjMVmWyASMIdQq-o5j4RhtNiaw_N2wnCr4rfv88drtvNGA0_nnvaiq5TmZnuAUHBxaRSWJ5u21poIaBxrtNzDPZhSANjK-pES8WD4YqJiikVr0zTaMn5cyfhiGrELNyCUX1yvqx4wmOoTSUhQY?purpose=inline" alt="https://images.openai.com/static-rsc-4/XvO1TEjml7t3F9OJbCASAZgTqV8IMj4kkay1IVIGJJsz4XXt-t_CZ_wjWS1sEItn5eJzVSTxlxrmG_nqoeBlkAvC0b2zo09CZmA8IthY0EiQ7zsjs4oPJccm94XODcWfGYNgM-o4R5ZilJcAHLcws4fhsrJfzl6f0Wvc8460acUuBuvFUT19JS3mzwNFXgCg?purpose=fullsize"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/9OLCUNQWjMYMTk7fxsiWH7RsXKnZYd7shyAMfur7rV13yii4sLwL_S606xGIrmA4-DmhtEIBE1tmrgVYlgxlRn05T1qWGWR7EZbzuz7fAy0HutoshWgQQyqhtIKTd_ivPH_k4yY-QgYUWGFfOXHgMLLakPa-wUP-U_CNrm5nQRc?purpose=inline" alt="https://images.openai.com/static-rsc-4/7KkhkLQxCv1XOrYv6ihDch2UnyVtBKfkiaYjtVwrQdBHWUJVJRGYLFy7j42anoUdyepMSGsDeVfUhOCQvzgMoaEYWaWHKENh0_P6rQuKNhFOvrgR8bYqamI-N9Ag9cO7jg6I9U_0Nfqivzr_sYOKn_xnbIzePWwxJ2-KzcYvMePQjwySIH0gbIxVX0-gdgE8?purpose=fullsize"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/mLaSiHn0ri9_NuxqcySARxRh9rVEY_qV5nGKGNLLiXHPgvHergFX9pNsb9Pcf-c6-9Ve4MsVzmazLNUDai0q6RVKMdvV0lDW9IF_zxtX-xdQv5gPPJdNcLGntf-y3bEIvdW3WCbqTO2AfJwll8gEDuHqyJXqq8bsHf1GWt5nOvs?purpose=inline" alt="https://images.openai.com/static-rsc-4/-EQ9uQLS354iV_b8XsYMUjZ2woMsE38fYDSSggDycYXUhbEUMWln25LlLeTYCp94tqSQowqE2rT8K-Di1tHZjH44Z2dft7Mx-ogM-n6mcFrV-g-yVFnL16M8F2-rXXk12eCZxtGI-x--pK-CFYPHNo1FR3-kAoB3Y4mWwbfqm_hozKS285KH1kfeCsH0J0O4?purpose=fullsize"/></figure> 6 <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — Plain Password</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>user.Password = password;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>user.Password = password;</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — Weak Hash</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>user.Password = SHA1(password);</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>user.Password = SHA1(password);</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 1 — ASP.NET Identity</h2> <pre class="wp-block-code"><code>await userManager.CreateAsync(user, password);</code></pre> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 2 — Data Protection API</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var protector = dataProtectionProvider.CreateProtector("tokens"); var encrypted = protector.Protect("sensitive-data");</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var protector = dataProtectionProvider.CreateProtector("tokens"); var encrypted = protector.Protect("sensitive-data");</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">4. Insecure Design</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — No Rate Limit</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>[HttpPost("login")] public IActionResult Login(LoginDto dto) { return Ok(authService.Login(dto)); }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>[HttpPost("login")] public IActionResult Login(LoginDto dto) { return Ok(authService.Login(dto)); }</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — No Business Rules</h2> User can order negative quantity: <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>order.Quantity = -100;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>order.Quantity = -100;</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 1 — Rate Limiting</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>builder.Services.AddRateLimiter(options => { options.AddFixedWindowLimiter("login", opt => { opt.PermitLimit = 5; opt.Window = TimeSpan.FromMinutes(1); }); });</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>builder.Services.AddRateLimiter(options => { options.AddFixedWindowLimiter("login", opt => { opt.PermitLimit = 5; opt.Window = TimeSpan.FromMinutes(1); }); });</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix 2 — Domain Validation</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>if (quantity <= 0) throw new ArgumentException("Invalid quantity");</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>if (quantity <= 0) throw new ArgumentException("Invalid quantity");</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">5. Security Misconfiguration</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — Swagger Public</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app.UseSwagger();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>app.UseSwagger();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — Detailed Errors</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app.UseDeveloperExceptionPage();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>app.UseDeveloperExceptionPage();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>if (app.Environment.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseSwagger(); }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>if (app.Environment.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseSwagger(); }</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Security Headers</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app.Use(async (ctx, next) => { ctx.Response.Headers.Add("X-Content-Type-Options", "nosniff"); ctx.Response.Headers.Add("X-Frame-Options", "DENY"); await next(); });</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>app.Use(async (ctx, next) => { ctx.Response.Headers.Add("X-Content-Type-Options", "nosniff"); ctx.Response.Headers.Add("X-Frame-Options", "DENY"); await next(); });</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">6. Vulnerable Components</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — Old NuGet</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">BAT (Batchfile)<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>dotnet add package Newtonsoft.Json --version 9.0.1</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>dotnet add package Newtonsoft.Json --version 9.0.1</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — No Dependency Scan</h2> CI without security check. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">BAT (Batchfile)<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>dotnet list package --vulnerable</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>dotnet list package --vulnerable</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ CI Check</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">YAML<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>- name: Check vulnerabilities run: dotnet list package --vulnerable</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>- name: Check vulnerabilities run: dotnet list package --vulnerable</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">7. Authentication Failures</h2> <h2 class="wp-block-heading">🔴 Image — JWT Flow</h2> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/K1GIY02igSo1NusY3gEfO35WM4u1GEQpwRBTAEtBzeL7FZG7yx_m_pa8BuS1I-SmdN4iiSqwdD1rwndTA1H4T07KntMrf6pW6SHQxNBW7h46XYzQ6wwZPnMgVLLghKdQttv1iqi4qPuJLxQkv3sYIOk68EdzxbOsnXogANIJMaE?purpose=inline" alt="https://images.openai.com/static-rsc-4/2-JawdroBGoyycaRZZ14_I6Xrqnw0cNRovHyqWZX7yok5t1IQC7cSAHcACHjd-0QD71jwp30X7D2cqx31zyjXHg3OrG7JV0omp4YAW7drfnvMYO9Ue04JSe8aun9OFkiN2ycB1QtAsAjLJBKJU-D7YeobzhJgT-5j9pcAFlze-Xavs30Zh1bkBex89NAewkG?purpose=fullsize"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/Yh0gyLTN6XzfUNvheP5PR5ZC2yq2IK4x3YgZZo8qCeCIaY4XfDRXivOLMo2iQ2rlxBP5Kqtc_qhDGD4Ao0yy5NvJqmDO5r9UKiA5pLMKugI87BuPmugs7lf251UBquzCgpmGl0uEYbO4KUvNTQHYBX57flthcbGg2ndd9mYrGp0?purpose=inline" alt="https://images.openai.com/static-rsc-4/4u7ET65cYNOLxkaj8fWtk-_H4JaEluFOR3DaRqGp5A2oZBANcv8pEVeGi_vpia7gWNb03WcxU_aq9PzF0jxo0cgUIGWfgAkGJdrGtCkadLizy-mFcSLAe4BOKgeTaFtl_6a-vCgkA18-bsP8sLS0z3b3ioc7Iv_ZwWJBoV8h4Sh5NGdTx_I9tPwvR1lMicRL?purpose=fullsize"/></figure> <figure class="wp-block-image"><img src="https://images.openai.com/static-rsc-4/7NABCUKjFNeejhrrI79ZGgvCTXY4mNwTc4lzrtBIdh37EXVeCnly1iKIoyHqVAc886oxmifMPIG27BsO4edFpjwb199sbyl5wCxIEXSCxSSIXrUf1iAsmqdC64mzIuiy83pfacJeMTNkn2BwDRYGc1Hl5nw0aF2LzUL3U16E2fc?purpose=inline" alt="https://images.openai.com/static-rsc-4/scEnuI7p1QqY7Tpxt82Uq3XhZEj9xKCcqdp95WuEMPwWz5OyUdW4eeVWAAazkCS_uw_keug7F0fyCL6yD2P7M5iUbzHrzjFOKDm0wmNPh7u7wq0G75Ok_3Q7Zm6FkffK4cYDkkoUjxiGcpZWjX72LyUq6DJeGHVvo_fiPRgLVC76y-DzS8iIzVaZMJA6uKMV?purpose=fullsize"/></figure> 6 <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — No Validation</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">YAML<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>ValidateIssuer = false;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>ValidateIssuer = false;</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — No Expiration</h2> Token never expires. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">YAML<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>ValidateLifetime = true; ClockSkew = TimeSpan.Zero;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>ValidateLifetime = true; ClockSkew = TimeSpan.Zero;</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Secure Cookie</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>options.Cookie.HttpOnly = true; options.Cookie.SecurePolicy = CookieSecurePolicy.Always;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>options.Cookie.HttpOnly = true; options.Cookie.SecurePolicy = CookieSecurePolicy.Always;</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">8. Software/Data Integrity Failures</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1 — Auto Deploy</h2> OWASP Top 10 ASP.NET Core CI deploys on push without review. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2 — Untrusted Packages</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">BAT (Batchfile)<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>dotnet add package random-lib</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>dotnet add package random-lib</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <pre class="wp-block-preformatted">✔ Code review required ✔ Signed packages ✔ Private NuGet feed</pre> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">9. Logging & Monitoring Failures</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>catch { }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>catch { }</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2</h2> No logs for login attempts. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>logger.LogWarning("Failed login for {Email}", email);</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>logger.LogWarning("Failed login for {Email}", email);</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Central Logging</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>builder.Host.UseSerilog();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>builder.Host.UseSerilog();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">10. SSRF (Server-Side Request Forgery)</h2> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 1</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>return await httpClient.GetStringAsync(url);</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>return await httpClient.GetStringAsync(url);</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">❌ Example 2</h2> Calling internal services via user input. <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix — Whitelist</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var allowed = new[] { "api.partner.com" };</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var allowed = new[] { "api.partner.com" };</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">✅ Fix — DNS/IP Check</h2> <div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)">C#<pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>var ip = Dns.GetHostAddresses(uri.Host); if (ip.Any(i => IPAddress.IsLoopback(i))) return BadRequest();</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg><pre class="shiki nord" style="background-color: #2e3440ff" tabindex="0"><code>var ip = Dns.GetHostAddresses(uri.Host); if (ip.Any(i => IPAddress.IsLoopback(i))) return BadRequest();</code></pre></div> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">🔥 Enterprise Security Checklist</h2> <pre class="wp-block-preformatted">✔ Per-user data filtering ✔ Strong JWT validation ✔ Rate limiting ✔ Secure headers ✔ Dependency scanning ✔ Logging & alerting ✔ No raw SQL ✔ Input validation ✔ External call whitelist ✔ CI/CD security gates</pre> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 class="wp-block-heading">Final Thoughts</h2> OWASP Top 10 ASP.NET Core Security is not a feature — it is a continuous process. Most real vulnerabilities are not complex: <ul class="wp-block-list"> <li>missing WHERE clause</li> <li>missing validation</li> <li>wrong config</li> </ul> The OWASP Top 10 helps you avoid exactly those mistakes. <h2 class="wp-block-heading">Source</h2> <a href="https://github.com/rafalkukuczka/OwaspTop10AspNetCoreDemo">https://github.com/rafalkukuczka/OwaspTop10AspNetCoreDemo</a> <h2 class="wp-block-heading">References</h2> <a href="https://owasp.org/www-project-top-ten">https://owasp.org/www-project-top-ten</a> <h2 class="wp-block-heading">More Info</h2> We implement this in real production systems. If you need help → contact us <a href="https://pkey.info/contact/" type="page" id="74">Contact</a>

Introduction

The OWASP Top 10 ASP.NET Core is the most important baseline for modern web application security. It represents real-world vulnerabilities observed in enterprise systems, SaaS platforms, APIs, and microservices.

For developers working with ASP.NET Core, these risks are not theoretical — they exist in everyday code: controllers, LINQ queries, JWT authentication, configuration, error handling, and external integrations.

A typical application may look clean:

Dependency Injection ✔
Entity Framework ✔
JWT ✔
Docker ✔

But still be vulnerable.

🔴 Image — Request Security Flow

User → Validation → Authentication → Authorization → Business Logic → Database

In OWASP Top 10 ASP.NET Core most vulnerabilities happen when one of these steps is skipped.

1. Broken Access Control

❌ Example 1 — Missing Ownership Check

[HttpGet("{id}")]
public async Task<IActionResult> GetOrder(int id)
{
    var order = await db.Orders.FindAsync(id);
    return Ok(order);
}

[HttpGet("{id}")]
public async Task<IActionResult> GetOrder(int id)
{
    var order = await db.Orders.FindAsync(id);
    return Ok(order);
}

Attack

GET /orders/1
GET /orders/2
GET /orders/3

User reads data.

❌ Example 2 — Admin Endpoint Without Role Check

[HttpDelete("{id}")]
public async Task<IActionResult> DeleteUser(int id)
{
    var user = await db.Users.FindAsync(id);
    db.Users.Remove(user);
    await db.SaveChangesAsync();
    return Ok();
}

[HttpDelete("{id}")]
public async Task<IActionResult> DeleteUser(int id)
{
    var user = await db.Users.FindAsync(id);
    db.Users.Remove(user);
    await db.SaveChangesAsync();
    return Ok();
}

✅ Fix

[Authorize(Roles = "Admin")]
[HttpDelete("{id}")]
public async Task<IActionResult> DeleteUser(int id)
{
    ...
}

[Authorize(Roles = "Admin")]
[HttpDelete("{id}")]
public async Task<IActionResult> DeleteUser(int id)
{
    ...
}

✅ Secure Ownership Check

var userId = User.FindFirst("sub")?.Value;

var order = await db.Orders
    .Where(o => o.Id == id && o.UserId == userId)
    .FirstOrDefaultAsync();

var userId = User.FindFirst("sub")?.Value;

var order = await db.Orders
    .Where(o => o.Id == id && o.UserId == userId)
    .FirstOrDefaultAsync();

2. Injection

🔴 Image — SQL Injection

❌ Example 1 — Raw SQL

var sql = "SELECT * FROM Users WHERE Email = '" + email + "'";
var users = db.Users.FromSqlRaw(sql).ToList();

var sql = "SELECT * FROM Users WHERE Email = '" + email + "'";
var users = db.Users.FromSqlRaw(sql).ToList();

❌ Example 2 — Command Injection

Process.Start("cmd.exe", "/c ping " + host);

Process.Start("cmd.exe", "/c ping " + host);

✅ Fix 1 — LINQ

var user = await db.Users
    .FirstOrDefaultAsync(x => x.Email == email);

var user = await db.Users
    .FirstOrDefaultAsync(x => x.Email == email);

✅ Fix 2 — Sanitization + Whitelist

if (!Regex.IsMatch(host, @"^[a-zA-Z0-9.-]+$"))
    return BadRequest();

if (!Regex.IsMatch(host, @"^[a-zA-Z0-9.-]+$"))
    return BadRequest();

3. Cryptographic Failures

🔴 Image — Password Security

https://images.openai.com/static-rsc-4/XvO1TEjml7t3F9OJbCASAZgTqV8IMj4kkay1IVIGJJsz4XXt-t_CZ_wjWS1sEItn5eJzVSTxlxrmG_nqoeBlkAvC0b2zo09CZmA8IthY0EiQ7zsjs4oPJccm94XODcWfGYNgM-o4R5ZilJcAHLcws4fhsrJfzl6f0Wvc8460acUuBuvFUT19JS3mzwNFXgCg?purpose=fullsize

https://images.openai.com/static-rsc-4/7KkhkLQxCv1XOrYv6ihDch2UnyVtBKfkiaYjtVwrQdBHWUJVJRGYLFy7j42anoUdyepMSGsDeVfUhOCQvzgMoaEYWaWHKENh0_P6rQuKNhFOvrgR8bYqamI-N9Ag9cO7jg6I9U_0Nfqivzr_sYOKn_xnbIzePWwxJ2-KzcYvMePQjwySIH0gbIxVX0-gdgE8?purpose=fullsize

https://images.openai.com/static-rsc-4/-EQ9uQLS354iV_b8XsYMUjZ2woMsE38fYDSSggDycYXUhbEUMWln25LlLeTYCp94tqSQowqE2rT8K-Di1tHZjH44Z2dft7Mx-ogM-n6mcFrV-g-yVFnL16M8F2-rXXk12eCZxtGI-x--pK-CFYPHNo1FR3-kAoB3Y4mWwbfqm_hozKS285KH1kfeCsH0J0O4?purpose=fullsize

❌ Example 1 — Plain Password

user.Password = password;

user.Password = password;

❌ Example 2 — Weak Hash

user.Password = SHA1(password);

user.Password = SHA1(password);

✅ Fix 1 — ASP.NET Identity

await userManager.CreateAsync(user, password);

✅ Fix 2 — Data Protection API

var protector = dataProtectionProvider.CreateProtector("tokens");
var encrypted = protector.Protect("sensitive-data");

var protector = dataProtectionProvider.CreateProtector("tokens");
var encrypted = protector.Protect("sensitive-data");

4. Insecure Design

❌ Example 1 — No Rate Limit

[HttpPost("login")]
public IActionResult Login(LoginDto dto)
{
    return Ok(authService.Login(dto));
}

[HttpPost("login")]
public IActionResult Login(LoginDto dto)
{
    return Ok(authService.Login(dto));
}

❌ Example 2 — No Business Rules

User can order negative quantity:

order.Quantity = -100;

order.Quantity = -100;

✅ Fix 1 — Rate Limiting

builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("login", opt =>
    {
        opt.PermitLimit = 5;
        opt.Window = TimeSpan.FromMinutes(1);
    });
});

builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("login", opt =>
    {
        opt.PermitLimit = 5;
        opt.Window = TimeSpan.FromMinutes(1);
    });
});

✅ Fix 2 — Domain Validation

if (quantity <= 0)
    throw new ArgumentException("Invalid quantity");

if (quantity <= 0)
    throw new ArgumentException("Invalid quantity");

5. Security Misconfiguration

❌ Example 1 — Swagger Public

app.UseSwagger();

app.UseSwagger();

❌ Example 2 — Detailed Errors

app.UseDeveloperExceptionPage();

app.UseDeveloperExceptionPage();

✅ Fix

if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
}

if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
}

✅ Security Headers

app.Use(async (ctx, next) =>
{
    ctx.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    ctx.Response.Headers.Add("X-Frame-Options", "DENY");
    await next();
});

app.Use(async (ctx, next) =>
{
    ctx.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    ctx.Response.Headers.Add("X-Frame-Options", "DENY");
    await next();
});

6. Vulnerable Components

❌ Example 1 — Old NuGet

BAT (Batchfile)

dotnet add package Newtonsoft.Json --version 9.0.1

dotnet add package Newtonsoft.Json --version 9.0.1

❌ Example 2 — No Dependency Scan

CI without security check.

✅ Fix

BAT (Batchfile)

dotnet list package --vulnerable

dotnet list package --vulnerable

✅ CI Check

YAML

- name: Check vulnerabilities
run: dotnet list package --vulnerable

- name: Check vulnerabilities
run: dotnet list package --vulnerable

7. Authentication Failures

🔴 Image — JWT Flow

https://images.openai.com/static-rsc-4/2-JawdroBGoyycaRZZ14_I6Xrqnw0cNRovHyqWZX7yok5t1IQC7cSAHcACHjd-0QD71jwp30X7D2cqx31zyjXHg3OrG7JV0omp4YAW7drfnvMYO9Ue04JSe8aun9OFkiN2ycB1QtAsAjLJBKJU-D7YeobzhJgT-5j9pcAFlze-Xavs30Zh1bkBex89NAewkG?purpose=fullsize

https://images.openai.com/static-rsc-4/4u7ET65cYNOLxkaj8fWtk-_H4JaEluFOR3DaRqGp5A2oZBANcv8pEVeGi_vpia7gWNb03WcxU_aq9PzF0jxo0cgUIGWfgAkGJdrGtCkadLizy-mFcSLAe4BOKgeTaFtl_6a-vCgkA18-bsP8sLS0z3b3ioc7Iv_ZwWJBoV8h4Sh5NGdTx_I9tPwvR1lMicRL?purpose=fullsize

https://images.openai.com/static-rsc-4/scEnuI7p1QqY7Tpxt82Uq3XhZEj9xKCcqdp95WuEMPwWz5OyUdW4eeVWAAazkCS_uw_keug7F0fyCL6yD2P7M5iUbzHrzjFOKDm0wmNPh7u7wq0G75Ok_3Q7Zm6FkffK4cYDkkoUjxiGcpZWjX72LyUq6DJeGHVvo_fiPRgLVC76y-DzS8iIzVaZMJA6uKMV?purpose=fullsize

❌ Example 1 — No Validation

YAML

ValidateIssuer = false;

ValidateIssuer = false;

❌ Example 2 — No Expiration

Token never expires.

✅ Fix

YAML

ValidateLifetime = true;
ClockSkew = TimeSpan.Zero;

ValidateLifetime = true;
ClockSkew = TimeSpan.Zero;

✅ Secure Cookie

options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

options.Cookie.HttpOnly = true;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

8. Software/Data Integrity Failures

❌ Example 1 — Auto Deploy

OWASP Top 10 ASP.NET Core CI deploys on push without review.

❌ Example 2 — Untrusted Packages

BAT (Batchfile)

dotnet add package random-lib

dotnet add package random-lib

✅ Fix

✔ Code review required
✔ Signed packages
✔ Private NuGet feed

9. Logging & Monitoring Failures

❌ Example 1

catch { }

catch { }

❌ Example 2

No logs for login attempts.

✅ Fix

logger.LogWarning("Failed login for {Email}", email);

logger.LogWarning("Failed login for {Email}", email);

✅ Central Logging

builder.Host.UseSerilog();

builder.Host.UseSerilog();

10. SSRF (Server-Side Request Forgery)

❌ Example 1

return await httpClient.GetStringAsync(url);

return await httpClient.GetStringAsync(url);

❌ Example 2

Calling internal services via user input.

✅ Fix — Whitelist

var allowed = new[] { "api.partner.com" };

var allowed = new[] { "api.partner.com" };

✅ Fix — DNS/IP Check

var ip = Dns.GetHostAddresses(uri.Host);

if (ip.Any(i => IPAddress.IsLoopback(i)))
    return BadRequest();

var ip = Dns.GetHostAddresses(uri.Host);

if (ip.Any(i => IPAddress.IsLoopback(i)))
    return BadRequest();

🔥 Enterprise Security Checklist

✔ Per-user data filtering
✔ Strong JWT validation
✔ Rate limiting
✔ Secure headers
✔ Dependency scanning
✔ Logging & alerting
✔ No raw SQL
✔ Input validation
✔ External call whitelist
✔ CI/CD security gates

Final Thoughts

OWASP Top 10 ASP.NET Core Security is not a feature — it is a continuous process.

Most real vulnerabilities are not complex:

missing WHERE clause
missing validation
wrong config

The OWASP Top 10 helps you avoid exactly those mistakes.

Source

https://github.com/rafalkukuczka/OwaspTop10AspNetCoreDemo

References

https://owasp.org/www-project-top-ten

More Info

We implement this in real production systems.
If you need help → contact us

Contact