Complex NET Core interview questions (Code Security, Authorization/Authentication, and code architecture)
____________________________________________________________________________
- Design and architecture using .net core
The software needs the architectural design to represent the design of the software.
Architectural styles. Each style will describe a system category that consists of :- A set of components(eg: a database, computational modules) that will perform a function required by the system.
- The connectors will help coordinate, communicate, and cooperate between the components.
- Conditions that how components can be integrated to form the system.
- Semantic models help the designer understand the system's overall properties.
Data flow architectures:
Call and Return architectures
Layered architecture - Microservices and communication patterns
RESTful APIs
gRPC
Message Queues (e.g., RabbitMQ)
Apache Kafka
GraphQL
- Web API authentication, authorization concepts
- Broken access control
Broken Access Control is a type of application security vulnerability that enables users to access data and functionalities that they should not have access to. In most cases of Broken Access Control attacks, a malicious user takes advantage of weak or non-implementation of access control in the target application - Insecure hash
A common application of SHA is to encrypt passwords, as the server side only needs to keep track of a specific user's hash value, rather than the actual password. - Cross-site scripting (XSS)
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. - Code injection
Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. Code injection attacks typically exploit an application vulnerability that allows the processing of invalid data. - Cross-site request forgery (CSRF)
What is CSRF. Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user. - NoSQL injection attack
Cyber-attacks where malicious payload is injected into non-SQL databases, such as MongoDB, are called NoSQL - SQL injection (SQLi)
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details. - XML external entity injection (XXE)
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. - Logging vulnerabilities
- Publicly exposed log files.
- Logging of sensitive information.
- Insufficient logging.
- Ability to poison log entries.
- Blocking (or overloading) logging systems
- Server-side request forgery (SSRF)
Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure.
