Listed below are some of the latest ASP.NET security interview questions, with answers, for developers with 3 - 5 years of experience.
Here, I have come up with ASP.NET security related questions for experienced developers. This set contains 10 questions related to ASP.NET security.
So let's start...
ASP.NET Security Interview Questions Set-1
Q 1: What will you do to make your code more secure?
Answer: I will review my code from the beginning, understand which security issues are possible in that code, and then resolve them.
Q 2: How much time will you set for review, is there any time limit, if you do not get security issues?
Answer: I will set a reasonable time limit on my review and then optimize the review for that limit. If I find myself spending too much time in any one area (especially if it is not a high-priority area or objective), I will flag it for later review and move on.
Q 3: What will you do if you do not have much time for (ASP.NET project) security review?
Answer: I will limit my reviews to small, manageable pieces of code. This lets me finish quickly, stay focused, and find a larger number of security issues in the code that I am examining.
Q 4: What is the difference between Authentication and Authorization?
Answer: Authentication means validating users. In this step, we verify the user's credentials to check whether the person trying to log in is who they claim to be.
Authorization, on the other hand, is keeping track of what the current user is allowed to see and do, and what should be hidden from them.
Q 5: What do you understand by SQL Injection attack?
Answer: A SQL injection attack occurs when untrusted input can modify the logic of a SQL query in unexpected ways.
Q 6: What will you do to prevent SQL injection?
Answer: I will use parameterized queries and typed stored procedure parameters.
A typed SQL parameter checks the type and length of the input, and it ensures that the value supplied for a parameter such as @userName is treated as a literal value and not as executable code in the database.
Q 7: If you are not using a stored procedure but a plain SQL statement, what will you do to prevent SQL injection?
Answer: If the code does not use stored procedures, I will make sure that it uses parameters in the SQL statements it constructs, as shown in the following example:
Select status from Users where UserName=@userName
I will check that the code does not use the following approach, where the input is used directly to construct the executable SQL statement by using string concatenation.
string sql = "select status from Users where UserName='" + txtUserName.Text + "'";
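An added C# example (not code from the original page) showing the concatenated statement from Q7 beside its parameterized form, with the typed, length-limited SqlParameter described in Q6; the stored procedure name usp_GetUserStatus and the Users/status schema are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserStatusLookup
{
    // Vulnerable form from Q7: the input is concatenated into the statement,
    // so a quote character in the input ends the literal and the remainder
    // of the value is parsed as SQL.
    public static string BuildUnsafeSql(string userName)
    {
        return "select status from Users where UserName='" + userName + "'";
    }

    // Hardened form: the statement text is fixed and the value travels as a
    // typed, length-limited parameter, so it is always treated as a literal.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string userName)
    {
        // SqlClient truncates oversized input parameters to the declared Size
        // rather than rejecting them, so enforce the length explicitly.
        if (userName == null || userName.Length > 50)
            throw new ArgumentException("UserName must be 1-50 characters.", nameof(userName));

        var cmd = new SqlCommand(
            "SELECT status FROM Users WHERE UserName = @userName", connection);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Same idea through a stored procedure (Q6). Only the procedure name and the
    // parameter list are sent; the value is never parsed as part of a statement.
    // "usp_GetUserStatus" is an assumed name, not one from the original page.
    public static SqlCommand BuildStoredProcCommand(SqlConnection connection, string userName)
    {
        var cmd = new SqlCommand("usp_GetUserStatus", connection)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Executes the parameterized lookup; returns null when no row matches.
    public static string GetStatus(string connectionString, string userName)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var cmd = BuildSafeCommand(connection, userName))
        {
            connection.Open();
            var result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }
}
```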
Q 8: What do you understand by XSS?
Answer: Cross-site scripting (also known as XSS, and in older literature abbreviated CSS) is a web application vulnerability in which attacker-controlled input is reflected or stored in a page and then executed as script in other users' browsers; it is explained in more detail in the next question.
Q 9: What is Cross-site scripting (XSS)?
Answer: Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page that are executed on the client side (in the user's web browser) rather than on the server side.
For example, the HTML snippet:
<title>Example document: %(title)</title>
is intended to illustrate a template snippet that, if the variable title has the value Cross-Site Scripting, results in the following HTML being emitted to the browser:
<title>Example document: Cross-Site Scripting</title>
A site containing a search field does not have proper input sanitizing. By crafting a search query looking something like this:
Sitting on the other end, at the web server, you will be receiving hits where, after a double space, the user's cookie appears. You might strike lucky if an administrator clicks the link, allowing you to steal their session ID and hijack the session.
Q 10: What is the difference between Windows and Forms Authentication?
Answer: Windows Authentication is provided so that web pages can make use of the local Windows users and groups. With it, the user's actual Windows login name and password are used for authentication.
Under Forms Authentication, users are able to create their own login name and password. It is basically a cookie-based authentication system that stores the login name and password in a database file.