- ASP.NET: HttpContext vs HttpContextBase
- covariance and contravariance c#
- Different session state in Sitecore
- "Why can't I inherit static classes?
- Glass Mapper - recursive mapping
- glass mapper ieper
- what .net framework you have worked on
- Sitecore 9
- What's new in the .net world
- Web API routes registration via pipeline
- difference between IEnumerable and enum
- difference between async and await
- SOLID PRinciples
- OOPs Concepts
- Basic C# like structure
- classes
- interface
- method overload
- boxing/unboxing
- casting
- generics
- conversion
- Design Patterns: Helix,
- Design Patterns: Creational Patterns,
- Design Patterns: Dependency injection,
- delegates
- Design Patterns: providers patterns,
- Design Patterns: Test driven development practices
- In, ref, out parameter
- Pattern Matching
- Generics
- Anonymous Function
- Make a class immutable
- Dynamic keywords & New
- Var and dynamic
- Difference between convert.ToString() or .ToString()?
- Difference Between Class and struct?
- What is iterator?
- Difference b/w ref and out
- Difference between class and interface?
- Difference between Array and ArrayList?
- Difference between class and struct
- Difference between String and Sting builder
- Difference between Sitecore 8 and 9
- Difference between Is vs As operator keyword in C#
- Difference between == and Equals() ?
- Difference between server.transfer and response.redirect?
- What are the benifits of DI ?
Friday, May 31, 2019
Interview Questions Sitecore and C#
What are OWASP Top 10 Vulnerability?
Following are the top 10 Vulnerability reported in 2017.
- Injection
This kind of attack usually happens by sending the untrusted data via a form inputs or by summiting the data using other mediums (e.g Postman) to the server.
For example, an attacker can send a SQL query in the input text field, suppose to be used for the First name, if this input is not secured/validated it will result in executing the SQL query on the SQL server.
Injection attached can be prevented by validating/sanitizing the submitted data and by limiting the data can be exposed by a user.
- Broken Authentication and session management.
Overview
Often Application functionality related to the Authentication and session management not implemented correctly, which allows the attacker to compromise passwords, keys, session tokens, to fake the user identity,
RiskAn attacker can view unauthorized content, can perform the unauthorized function or even can take over the control of the website.
Protection
Use of SSL (secure socket layer) certification: this will avoid man in the middle attack by encrypting the data/information exchange between a web browser and web server
Use of VPN. Allows user to exchange the information over private networks.
Use of Strong password A strong passwords do not include complete words, but rather are a mix of random letters (both uppercase and lowercase), numbers, and symbols, so the password can’t be easily guessed.
Use of web application firewall (WAF) is designed to scan the incoming traffic and let in only good visitor and keep out the malicious ones out.
- Sensitive Data Exposure:
Overview
If the web application does not protect/secure the sensitive data ( financial information, Password),
Risk
The attacker can gain access to this sensitive data and use it to wrong purposes. one of the common method used to steal sensitive data by using man in the middle attack.
Protection
Sensitive data can be easily protected by encrypting sensitive data.
- Cross-site scripting (XSS)
Overview
XSS allows the attacker to inject the client-side scripts into the web pages viewed by other users
Risk
An attacker can send a fishy email to a victim that appears to be from a trusted bank, with the link to the bank's website. This link could have a malicious javascript code at the end of the URL. if the bank website doesn't protect against XSS, then malicious javascript code will run in the user browser when he clicks on the link.
ProtectionCross-site scripting can be prevented by denying the untrusted HTTP request as well as by validating/sanitizing the user-generated content.
- Insufficient logging and monitoring
OverviewIn most of the modern web application does not take steps to identify the data breach
Protection
Developer should implement logging and monitoring and incident reporting plan, so they are made aware of the data breach in time.
- Insecure Deserialisation
OverviewInsecure deserialization occurs if the data is deserialized from the untrusted source and can result in a problem like DDoS (Distributed Denial of Service) or remote code execution attack.
Prevention
The only way to prevent web application from Insecure Deserialisation attack is, not to deserialize the data from untrusted sources.
- XML external entity (XEE)
Overview
A web application can face this attack if it parses the XML inputs.
Risk
An XML parser in the web application can be duped to send sensitive information to an external entity, which can pass the sensitive data to the attacker.
- Broken Access Control
- Security Misconfiguration
- Using Components With Known Vulnerabilities
This kind of attack usually happens by sending the untrusted data via a form inputs or by summiting the data using other mediums (e.g Postman) to the server.
For example, an attacker can send a SQL query in the input text field, suppose to be used for the First name, if this input is not secured/validated it will result in executing the SQL query on the SQL server.
Injection attached can be prevented by validating/sanitizing the submitted data and by limiting the data can be exposed by a user.
Overview
Often Application functionality related to the Authentication and session management not implemented correctly, which allows the attacker to compromise passwords, keys, session tokens, to fake the user identity,
RiskAn attacker can view unauthorized content, can perform the unauthorized function or even can take over the control of the website.
Protection
Use of SSL (secure socket layer) certification: this will avoid man in the middle attack by encrypting the data/information exchange between a web browser and web server
Use of VPN. Allows user to exchange the information over private networks.
Use of Strong password A strong passwords do not include complete words, but rather are a mix of random letters (both uppercase and lowercase), numbers, and symbols, so the password can’t be easily guessed.
Use of web application firewall (WAF) is designed to scan the incoming traffic and let in only good visitor and keep out the malicious ones out.
Overview
If the web application does not protect/secure the sensitive data ( financial information, Password),
Risk
The attacker can gain access to this sensitive data and use it to wrong purposes. one of the common method used to steal sensitive data by using man in the middle attack.
Protection
Sensitive data can be easily protected by encrypting sensitive data.
Overview
XSS allows the attacker to inject the client-side scripts into the web pages viewed by other users
Risk
An attacker can send a fishy email to a victim that appears to be from a trusted bank, with the link to the bank's website. This link could have a malicious javascript code at the end of the URL. if the bank website doesn't protect against XSS, then malicious javascript code will run in the user browser when he clicks on the link.
ProtectionCross-site scripting can be prevented by denying the untrusted HTTP request as well as by validating/sanitizing the user-generated content.
OverviewIn most of the modern web application does not take steps to identify the data breach
Protection
Developer should implement logging and monitoring and incident reporting plan, so they are made aware of the data breach in time.
OverviewInsecure deserialization occurs if the data is deserialized from the untrusted source and can result in a problem like DDoS (Distributed Denial of Service) or remote code execution attack.
Prevention
The only way to prevent web application from Insecure Deserialisation attack is, not to deserialize the data from untrusted sources.
Overview
A web application can face this attack if it parses the XML inputs.
Risk
An XML parser in the web application can be duped to send sensitive information to an external entity, which can pass the sensitive data to the attacker.
Subscribe to:
Posts (Atom)