ASP.Net Security interview questions and answers

      
Authentication and Authorization
-------------------------------------------------
 1) What is web security?
 
   -- Protecting web pages and other web resources from unauthorized users is called web security.
   -- In ASP.NET, web security is implemented with the predefined security modules that are part of the ASP.NET runtime (FormsAuthenticationModule, WindowsAuthenticationModule, UrlAuthorizationModule and so on).
   -- The classes related to security are defined in the "System.Web.Security" namespace.

 2) What are the concepts in security issues?

   -- While dealing with security we need to deal with the following 3 concepts
                a) Impersonation:  the process by which ASP.NET executes a request under the security context of the requesting user (or of a configured account) instead of the worker process identity, so that Windows access checks apply to that user.
                b) Authentication:  the process of establishing who the user is by verifying the credentials the user presents.
                c) Authorization:  the process of verifying whether the authenticated (or anonymous) user is allowed to access the requested resource or not.

 3) What are the authentication modes available in ASP.NET?

    --         ASP.NET supports three authentication modes (plus None, which switches ASP.NET authentication off, for example when a custom scheme is used)
                A) Windows authentication
                B) Passport authentication (obsolete; see question 5)
                C) Forms authentication

 4) What is the Windows Authentication?
               
   *Windows authentication authenticates users based on their Windows accounts.
   *It uses Windows network security: IIS performs the actual authentication (Basic, Digest, NTLM or Kerberos) and passes the resulting Windows identity to ASP.NET.
   *It uses the account information in the Active Directory of a Windows Server domain (or the local account database of the web server) to perform authentication.

 5) What is the Passport authentication?
               
   *Passport authentication uses Microsoft's Passport service (a centralized single sign-on service, later known as Windows Live ID) to authenticate users.
   *A new user is directed to the Microsoft site where he can register his identity.
   *This lets a user access multiple sites using a single user name and password.
   *You need to install the Passport SDK to enable Passport authentication. The Passport service has since been discontinued and the ASP.NET Passport classes are marked obsolete, so it is not an option for new applications.

 6) What is the Form authentication?

   *Forms authentication collects the user's credentials on a page of the application and lets the application use its own logic to authenticate users.
   *The collected credentials are validated against the user list maintained by the application.
   *The application maintains its own user list either in the <credentials> element of the web.config file (suitable only for a handful of accounts; with passwordFormat="Clear" the passwords sit in plain text in the config file) or in a database, usually through the Membership API.
   *The advantage of using forms authentication is that users need not be members of a Windows domain to have access to the application.

 7) What is the advantage of using Forms authentication?

   *The advantage of using Forms authentication is that users do not have to be members of a domain-based network to have access to your application.
   *It is useful for Internet-based applications.
   *The programmer has full flexibility to design the login page according to requirements.

 8) Explain how Forms authentication works?
  
   *When a request for a protected page arrives without a valid authentication cookie, ASP.NET (the FormsAuthenticationModule) redirects the browser to the login page named by loginUrl, appending the requested page as the ReturnUrl query string parameter.
   *The login page collects the user's credentials (over HTTPS, otherwise they cross the network in clear text).
   *Once the application validates the credentials, ASP.NET creates an authentication ticket, encrypts and signs it with the machineKey, and stores it in the forms authentication cookie.
   *On every later request the cookie is decrypted and validated, the identity in the ticket becomes the request's principal, and the authorization rules (the <authorization> element, checked by UrlAuthorizationModule) are verified against it.
   *If the user is authenticated and authorized, the request is processed and the rendered page is sent back to the user.
   *The authentication cookie travels with that response and with every subsequent request until it expires or is removed.
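The flow above in code, as an added example that is not part of the original post: a login page code-behind that validates the credentials with the Membership API, issues a ticket carrying the user's roles in its UserData, and only follows a ReturnUrl that is local to the site; and the Global.asax handler that turns the ticket back into a principal with roles on every request. UserName, Password and Message are assumed to be controls on Login.aspx, and a Membership and Roles provider is assumed to be configured in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Login.aspx.cs: validate credentials and issue the authentication ticket
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();   // UserName, Password, Message: assumed page controls
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // Same message for unknown user and wrong password, so accounts cannot be enumerated
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Roles go into UserData so no database lookup is needed on later requests
        string roles = string.Join(",", Roles.GetRolesForUser(user));
        var ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, roles);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="..."/>
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Follow ReturnUrl only when it is a site-relative path. "//evil.example" and
    // "/\evil.example" are protocol-relative in browsers, so they are rejected too;
    // otherwise a crafted login link bounces the user to a phishing site after login.
    public static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl.Length < 2 ||
            returnUrl[0] != '/' || returnUrl[1] == '/' || returnUrl[1] == '\\')
        {
            return FormsAuthentication.DefaultUrl;
        }
        return returnUrl;
    }
}

// Global.asax.cs: rebuild the principal (with roles) from the ticket on each request.
// FormsAuthenticationModule has already run for this event and set a role-less principal.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;   // anonymous; UrlAuthorizationModule enforces <authorization>

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }  // tampered, or issued under another machineKey: treat as anonymous

        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

With this in place, User.IsInRole("admin") in a page and <allow roles="admin"/> in web.config both work from the ticket alone; the trade-off is that a role change only takes effect when the user's ticket is reissued.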

 9) How do you set authentication mode in the ASP.NET application?
  
   You can set the authentication mode using the <authentication> element in the web.config file (under <system.web>).
                <authentication mode="Windows"/>
                <authentication mode="Passport"/>
                <authentication mode="Forms"/>

 10) What are disadvantages of windows Authentication?

   * It is suitable mainly for intranet websites, where every user already has a Windows account that the web server can reach.
   * The developer cannot customize the login dialog box: the browser shows its own credential prompt (or silently sends the logged-on user's credentials).

 11) List out the difference between windows authentication and form authentication.

 *The difference between Windows authentication and Forms authentication is that in Forms authentication your application performs the authentication itself.
 You must create a web form and write code to collect user names and passwords and to check them against a list of authorized users (or use the Login controls and the Membership API, which do this for you).
 *Whereas in Windows authentication most of the process is automated: IIS and the browser negotiate the credentials and ASP.NET receives a ready-made Windows identity.
 In both cases authorization (<authorization> rules, role checks) is performed by ASP.NET against the resulting identity.

 12) What is the difference between login controls and Forms authentication?

   *Forms authentication can be implemented with the Login controls (Login, LoginStatus, CreateUserWizard and so on) without writing any code.
   *The Login control performs functions like prompting for user credentials, validating them and issuing the authentication cookie, just as code written against the FormsAuthentication class would.
   *Behind the scenes the FormsAuthentication class is still used for the authentication ticket, and the ASP.NET Membership API is used to validate the user credentials.

 13) How do you impersonate the authenticated user in ASP.NET? 

   *Impersonation means executing a request under the identity of another account (the caller's, by default) instead of the worker process identity. By default ASP.NET does not impersonate: every request runs as the process account (ASPNET on IIS 5, NETWORK SERVICE on IIS 6, the application pool identity on IIS 7 and later). You enable impersonation with the <identity> element of web.config; it takes effect only for an identity that IIS has established (Windows authentication, or the anonymous account), not for a Forms authentication identity. The element also accepts userName and password attributes to impersonate a fixed account; if you use them, encrypt the section with protected configuration rather than leaving the password in clear text.
   * E.g. <identity impersonate="true"/>

 14) What is impersonation in ASP.NET?

 *Impersonation is the mechanism by which the ASP.NET worker thread takes on the security context of the requesting user (or of a configured account), so that Windows access checks on files, registry keys and other resources are made against that user rather than against the process identity.
 *For anonymous access the "user" is one of the accounts that IIS sets up automatically: IUSR_machinename (the anonymous web user) and IWAM_machinename (the account for out-of-process applications on IIS 5; IIS 7 and later use the built-in IUSR account instead). When IIS receives a request for a web page or other resource that allows anonymous access, it uses the anonymous account as the user's account to access the resource, which obviates the need
  to authenticate the user; in ASP.NET with impersonation enabled, such requests run as that anonymous account.
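An added example, not code from the original post, that makes the difference impersonation makes visible: the identity the worker thread runs under versus the authenticated user, and a scoped impersonation of the caller for a single file read. It assumes Windows authentication is enabled so that User.Identity is a WindowsIdentity; the file path is whatever the caller passes in.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class ImpersonationDemo
{
    // Without <identity impersonate="true"/> the thread identity is the application pool
    // account even for an authenticated request; with it, both names are the same.
    public static string Describe(HttpContext ctx)
    {
        string thread = WindowsIdentity.GetCurrent().Name;
        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : "(anonymous)";
        return "thread runs as: " + thread + "; authenticated user: " + user;
    }

    // Programmatic impersonation limited to one operation: the file's ACL is checked
    // against the caller, and the original identity is restored when the using block
    // ends, even if the read throws. This needs no <identity> element in web.config.
    public static string ReadAsCaller(HttpContext ctx, string physicalPath)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required");

        using (WindowsImpersonationContext scope = caller.Impersonate())
        {
            return File.ReadAllText(physicalPath);
        }
    }
}
```

Two caveats a practitioner runs into: an NTLM-authenticated token can only be impersonated for resources on the web server itself (a UNC share or SQL Server on another machine needs Kerberos with delegation), and scoped impersonation is preferable to a site-wide <identity impersonate="true"/> because code outside the using block keeps the least-privileged process identity.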

 15) How do you provide secured communication in ASP.NET? 

   *ASP.NET relies on IIS for secured communication using SSL/TLS (in practice TLS; the SSL protocol versions are deprecated).
To use it, the site needs a server certificate with its private key configured on an HTTPS binding in IIS. When a browser requests a secured page, the TLS handshake takes place: the server presents its certificate, the client verifies it against its trusted roots and the requested host name, and both sides derive a session key through the key exchange; the session key itself is never transmitted over the network.
Application data in both directions is then encrypted with that session key.
In the application, mark the forms authentication cookie with requireSSL="true" (and set <httpCookies requireSSL="true"/>) so the ticket is never sent over plain HTTP, and redirect HTTP requests to HTTPS.

 16) What is the use of mode attribute in authentication element in a web.config file?

   *To specify the type of authentication.

 17) What is the use of name attribute and loginUrl attribute of a forms element in a web.config file?
   
   *The name attribute of the forms element sets the name of the cookie in which the authentication ticket (not the user's credentials) is stored.
    The default is .ASPXAUTH. If more than one application on the same host uses Forms authentication, specify a unique cookie name for each application; otherwise they overwrite each other's cookie and, if they share a machineKey, would accept each other's tickets.
   *The loginUrl attribute of the forms element sets the page to redirect to if the user has not already been authenticated. If omitted, the default is login.aspx.

 18)What is protection attribute in a forms element used for in web.config file?
  
   *The protection attribute of the forms element sets how ASP.NET protects the authentication ticket stored in the cookie on the user's machine. The default is All, which performs both encryption and data validation (a MAC that detects tampering).
    Other possible settings are Encryption (encrypted but not validated, so a modified ticket is not detected), Validation (signed but readable, so the user name and expiry are exposed to the client) and None (plain text, never appropriate for a production site). The keys used come from the machineKey element.

 19)What is timeout attribute in a forms element used for in web.config file?

   *The timeout attribute sets the number of minutes after issue for which the authentication ticket is valid. (For a non-persistent cookie the browser discards the cookie when it closes, but the ticket's own expiry is what ASP.NET checks.)
   *The default is 30, indicating 30 minutes.
   *With slidingExpiration="true" (the default) ASP.NET reissues the cookie automatically if it receives a request from the user and more than half of the allotted time has expired, so an active user is not logged out; set slidingExpiration="false" where an absolute session limit is required.
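A web.config fragment, added here as an example rather than taken from the original post, that sets the attributes from questions 9 and 17 to 19 together with the related hardening a practitioner would add. The cookie name, URLs and timeout are illustrative; the machineKey values are placeholders to be replaced with freshly generated keys.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MYAPPAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- deny anonymous users everywhere; the login page is exempted by ASP.NET itself -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly and Secure on every cookie the application sets, not just the ticket -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Explicit keys are required on a web farm; every node must share them or tickets
         issued by one node fail validation on the others. Placeholders: generate real values. -->
    <machineKey validationKey="REPLACE-WITH-GENERATED-128-HEX-CHARS"
                decryptionKey="REPLACE-WITH-GENERATED-64-HEX-CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

The choices that matter for security: protection="All" and an explicit machineKey make the ticket unforgeable; requireSSL="true" stops the ticket from leaking over HTTP; cookieless="UseCookies" prevents the ticket from being placed in the URL (where it ends up in logs and Referer headers); enableCrossAppRedirects="false" stops a ticket from being passed between applications in a query string; and a short timeout limits the window in which a captured ticket remains usable.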

 20)In which namespace the Forms Authentication class is present?
 
   *System.Web.Security namespace

 21)Which method checks the user name and password against the user list found in the credentials element of Web.config?
  
   *The FormsAuthentication class's Authenticate(userName, password) method checks the user name and password against the user list found in the
    <credentials> element of Web.config. If the user is valid it returns true. It is marked obsolete from .NET Framework 2.0 onwards; Membership.ValidateUser() against a membership provider is the recommended replacement.

 22)Which method can be used to remove forms authentication cookie?
  
   *Use the SignOut() method of the FormsAuthentication class to sign out when the user has finished with the application or when you want to remove the authentication cookie from his or her machine.
    Ex: FormsAuthentication.SignOut();
    SignOut() only instructs the browser to drop the cookie; a copy of the ticket captured earlier still decrypts and is accepted until its timeout expires, so keep timeouts short and clear any session state as well.
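An added example, not code from the original post: a logout page that calls SignOut() and also abandons the session and expires the session cookie, plus a helper that demonstrates the caveat above, that a ticket value saved before sign-out still decrypts afterwards. The page and cookie names are the ASP.NET defaults.

```csharp
using System;
using System.Web;
using System.Web.Security;

public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // tells the browser to expire the forms cookie
        Session.Abandon();               // drop server-side session state

        // Session.Abandon does not remove the session id cookie; expire it explicitly so
        // the next login gets a fresh session id (session fixation).
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        Response.Redirect(FormsAuthentication.LoginUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Given the cookie value a client sent before logging out, reports whether the
    // server would still accept it. After SignOut() this stays true until the ticket's
    // own expiry: SignOut revokes nothing on the server side.
    public static bool TicketStillAccepted(string cookieValue)
    {
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookieValue);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false;   // malformed, tampered or issued under a different machineKey
        }
    }
}
```

To confirm the caveat, copy the .ASPXAUTH value from a logged-in browser, log out, and pass the saved value to TicketStillAccepted: it returns true until the timeout elapses. Applications that need immediate revocation keep a server-side record (for example the user's last logout time compared with the ticket's IssueDate in Application_AuthenticateRequest).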

 23)What is the advantage of Authenticating Users with a Database?
  
   *You can authenticate users based on the list in Web.config; the FormsAuthentication class's Authenticate method reads it automatically. That is fine if user names and passwords are created and maintained by a system administrator, but if you allow users to create their own user names or change their passwords, you'll need to store that information outside the Web.config file.
This is because changing Web.config at run time causes the Web application to restart, which resets any Application state and Session state variables used by the application. A database also lets you store salted password hashes, whereas the <credentials> element only supports clear text or unsalted MD5/SHA1 passwords.

 24)What are the advantages of storing user names and passwords in a database rather than a file?
  
   *You can store user names and passwords in any type of file; however, using a database has the following significant advantages

25)What is HTTP Handlers vs HTTP Modules ?

HttpHandlers:

When a client requests a resource, the request is dispatched to an HTTP handler chosen by the request's verb and path (normally the file extension); ASP.NET ships a handler per extension (.aspx, .asmx, .ashx and so on), and you can write a custom handler by implementing IHttpHandler and registering it in web.config. In classic mode the extension must also be mapped to ASP.NET in IIS, otherwise IIS serves the file as static content (and, for a file that holds code or data, discloses it).

using System;
using System.Web;

public class TestHandler : IHttpHandler
{
    // false: ASP.NET creates a new instance for every request (required if the handler keeps per-request state)
    public bool IsReusable
    {
        get { return false; }
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.Write("HttpHandler Test Dated on - " + DateTime.Now.ToString());
    }
}
in web.config (the type attribute must match the class name and namespace; the class above is in no namespace)
<httpHandlers>
        <add verb="*" path="*.crack" type="TestHandler"/>
</httpHandlers>
For the IIS 7+ integrated pipeline the same entry goes under <system.webServer><handlers>, with an additional name attribute.
When a user requests a file with the extension .crack, the handler above writes the message.
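An added example, not code from the original post, of a handler a practitioner would actually ship: it serves downloads from App_Data and makes the two checks a custom handler must make for itself, that the caller is authenticated and that the requested name cannot escape the download folder. The folder name, the query parameter and the registration path are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Serves GET /download.ashx?name=report.pdf from ~/App_Data/downloads.
// Registration (classic):     <httpHandlers><add verb="GET" path="download.ashx" type="DownloadHandler"/></httpHandlers>
// Registration (integrated):  <system.webServer><handlers><add name="Download" verb="GET" path="download.ashx" type="DownloadHandler"/></handlers></system.webServer>
public class DownloadHandler : IHttpHandler
{
    // No per-request state is kept in fields, so one instance can safely serve many requests
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // A handler gets the request directly; enforce authentication here rather than
        // relying only on <authorization> rules being configured correctly.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string baseDir = Path.GetFullPath(context.Server.MapPath("~/App_Data/downloads"))
                         + Path.DirectorySeparatorChar;
        string name = context.Request.QueryString["name"] ?? string.Empty;

        // Resolve the path fully, then require it to stay under baseDir. This rejects
        // "..\..\web.config", absolute paths (Path.Combine returns a rooted second argument
        // unchanged) and anything else that leaves the download folder.
        string full = Path.GetFullPath(Path.Combine(baseDir, name));
        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;   // same answer for "outside" and "missing"
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(full);
    }
}
```

App_Data is the right home for the files because ASP.NET refuses to serve anything under it directly, so the only route to the files is through this handler and its checks.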

HttpModules:

An HttpModule implements IHttpModule and plugs into the request pipeline by subscribing to HttpApplication events (BeginRequest, AuthenticateRequest, AuthorizeRequest, EndRequest and so on). It runs for every request, whichever handler ends up serving it, which is why authentication, authorization and logging are implemented as modules. You can write your own and register it in web.config, like a handler.

using System;
using System.IO;
using System.Web;

public class CustomHttpModule : IHttpModule
{
    public void Init(HttpApplication context) // here you register the events you want to handle
    {
        context.EndRequest += new EventHandler(this.context_EndRequest);
    }

    public void context_EndRequest(object sender, EventArgs e)
    {
        // 'using' closes the file even if WriteLine throws; the worker process identity needs write access to this path
        using (StreamWriter sw = new StreamWriter(@"C:\requestLog.txt", true))
        {
            sw.WriteLine("End Request ended at " + DateTime.Now.ToString());
        }
    }

    public void Dispose() // useful for clean up before garbage collection
    {
    }
}

in web.config
<httpModules>
      <add name="programmingCracker" type="CustomHttpModule"/>
</httpModules>
(under <system.webServer><modules> for the IIS 7+ integrated pipeline)
If you run the program, every request appends a line to C:\requestLog.txt. Prefer a path under App_Data, which ASP.NET never serves to clients, over the root of the system drive.
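Added example, not the post's code: a module that uses the same event mechanism to enforce HTTPS and add response security headers, the kind of cross-cutting behaviour modules exist for. It assumes the IIS 7+ integrated pipeline, where Response.Headers can be modified, and .NET Framework 4 or later for RedirectPermanent.

```csharp
using System;
using System.Web;

// Registration: <system.webServer><modules><add name="SecurityHeaders" type="SecurityHeadersModule"/></modules></system.webServer>
public class SecurityHeadersModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;                  // earliest point: reject plain HTTP before any handler runs
        app.PreSendRequestHeaders += OnPreSendRequestHeaders; // last point at which headers can still be changed
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;

        // Force HTTPS so the forms ticket and session cookie never travel in clear text.
        // Local requests are exempted to keep the development server usable.
        if (!req.IsSecureConnection && !req.IsLocal)
        {
            UriBuilder secure = new UriBuilder(req.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            app.Context.Response.RedirectPermanent(secure.Uri.AbsoluteUri, true);
        }
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        var headers = app.Context.Response.Headers;

        headers.Remove("Server");                 // do not advertise server and framework versions
        headers.Remove("X-AspNet-Version");
        headers["X-Content-Type-Options"] = "nosniff";   // stop MIME sniffing of downloads into HTML
        headers["X-Frame-Options"] = "DENY";             // no framing, so no clickjacking
        if (app.Context.Request.IsSecureConnection)
        {
            // Only meaningful over HTTPS: browsers ignore HSTS sent over HTTP
            headers["Strict-Transport-Security"] = "max-age=31536000";
        }
    }

    public void Dispose() { }
}
```

Because a module sees every request, the HTTPS redirect covers static files and custom handlers as well as pages, which a check placed in a page base class would miss.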


Thanks for visiting this blog. How is the content? Your comment is a great gift to my work. Cheers.

5 comments:

  1. It was really a nice post and Thanks for the info
    Dot Net Online Training

  2. Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular Training will lay the foundation you need to specialise in Single Page Application developer. Angular Training

  3. It was nicely explained. Really good. Can update the UI for better readability.

  4. Thanks for your suggestion

  5. This is very good information. Thank you for sharing this information.
    Dot Net Online Training
    Visit us: Dot Net Online Training
