ASP.NET CORE EXAM
What are the Top 10 attacks?
A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Broken Access Control A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Insufficient Attack Protection A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Underprotected APIs
Code First Migrations Commands
Add-Migration will scaffold the next migration based on changes you have made to your model since the last migration was created Update-Database will apply any pending migrations to the database
To prevent SQL injections:
Apply security in depth "protect all layers". Using JavaScript in the client side is important but is not a complete defence, you must protect all layers. Parameterized input such as using safe stored procedures Use a tested ORM system for the back-end layer such as Entity Framework. But remember to protect all layers.
Authentication and Authorization
Authentication is the process of verifying who you are. Authorization refers to rules that determine who is allowed to do what.
What are the required skills to work as a Full Stack ASP.NET Core Developer?
Client-Side Programming: Web basics with HTML5, CSS3 and JavaScript, responsive Frond-Ends with Angular, design libraries such as Bootstrap, JQuery and Ajax. Server-Side Programming: build scalable, secure back-end services using C#, ASP.NET Core and ASP WebAPI Management: Agile project management principles Version Control: Git and GitHup
HTTP Get vs. HTTP Post
HTTP GET used to retrieve data from the server HTTP POST used to supply data from the client (browser) to the server in the message body.
Injections
Injection flows occur when an application sends untrusted data to an interpreter (such as SQL, NoSQL, and XML). The first top Web application attack at all time Injections attack the database server
ASP.NET Core Framework Benefits
Open-source and community-focused. Cross-platform: you can run it on Windows, Mac and Linux operating system Modular framework: create small, independent units of the system Easy to integrate with modern client-side frameworks such as Angular and JavaScript libraries Built-in dependency injection.
To prevent Broken Authentication and Session Management:
Passwords, session IDs, and other credentials are sent over encrypted connections such as the use of HTTPS and not HTTP Password has to be strong (difficult to guess). Such as a mixture of lower case, upper case, digits and not alphabetical letters, also 6+ long. Password must be changed in a regular bases Session time-out configured correctly (not too long) Multi-Factor Authentication (MFA) by asking the user several separate pieces of evidence to be authenticated such as a password, PIN, SMS code, secret question/answer
What is MVC pattern?
The Model-View-Controller (MVC) architectural pattern separates an application into three main groups of components: Models, Views, and Controllers. This pattern helps to achieve Separation of Concerns principle Model Responsibility: Represents the domain or entity classes. View Responsibility: Presenting content through the user interface. Controller Responsibility: the entry point to receive the request, handle user interaction, work with the models, services, view-models and ultimately select a view to render. View-Model Responsibility: Represents the data that need to be displayed in the view. Services Responsibility: business logic, back-end logic, mash-ups and call of external APIs.
To prevent Cross-Site Scripting (XSS)
Use encoding and validation ASP.NET Core has a built-in Anti XSS feature
Cross-Site Scripting (XSS)
XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. Attacker sends text-based attack scripts that exploit the interpreter in the browser. Attackers can execute scripts in a victim's browser using JavaScript XSS attack the users through browsers
Broken Authentication and Session Management
Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users
The Principle of Defense-In-Depth or Security-In-Depth
Defense-in-depth or security-in-depth is the use of multiple security controls (defence) to protect the information assets in an enterprise. Example Onion Layers of Security or The Onion Model.
What is Dependency injection (DI)?
Dependency injection (DI) is a technique for achieving loose coupling between objects and their dependencies. ASP.NET Core includes a simple built-in container that refers to the types of objects that need to be created when the service is injected into the controller constructor. We inject a service interface into the constructor of the controller and the container is responsible to create the required object. So the controller and the service are loosely coupled.
What is Entity Framework Core?
Entity Framework is an open-source ORM (Object-Relational-Mapping) software that enables developers to connect with different database providers such as MS SQL Server, Oracle and MySQL. If you are to build an application using an existing database, you can follow data-driven design approach and you can apply domain-driven design approach with code-first by reverse engineer the database.
Where do we configure the Pipeline?
In Configure method In the Startup file. The order of Middleware(s) is important since any middleware that has the response will send it back to the user. For example if we are using static files, session and MVC then the code should be in order as below: [StaticFiles -> Session -> MVC ] app.UseStaticFiles(); // Return static files and end pipeline. app.UseSession(); // Add session to the pipeline app.UseMvcWithDefaultRoute(); // Add MVC to the request pipeline.
Where do we configure the Dependency Injection container?
In ConfigureServices method In the Startup file.
What is middleware?
Middleware is software that is assembled into an application pipeline to handle HTTP requests and responses. The pipeline consists of a sequence of request delegates, called one after the other.
What is Session state?
Session state is a feature in ASP.NET Core that you can use to save and store user data in the server while the user browses your web app. ASP.NET Core maintains session state by giving the client a cookie that contains the session ID, which is sent to the server with each request. One session object will be created per client and the session ID will be sent to the server with each request
What is Social engineering?
Social engineering is the art of manipulating people so they give up confidential information.
What is TempData?
TempData is a collection used when you need to pass data from one controller to another controller. The session state has to be configured in order to use TempData.
What is the Routing format in ASP.NET Core?
The routing format is URL\Controller\Action. For example www.somesite.com\Product\Create is a routing URL that runs the action code (Create) in the controller class (Product). The default MVC route is Home/Index
What is the naming convention of the View page in ASP.NET core MVC?
The view page must be created in a folder that matches the controller name. The folder must be created as a subfolder of Views. The name of the view page must match the name of the action.
Define Web Application Security?
Web Application Security, is the practice of defending websites and online services through solutions that enable you to prevent breaches and downtime by securing your applications against web attacks.