Friday, May 31, 2019

Interview Questions Sitecore and C#

  1. ASP.NET: HttpContext vs HttpContextBase
  2. covariance and contravariance c#
  3. Session state options in Sitecore
  4. Why can't I inherit static classes?
  5. Glass Mapper - recursive mapping
    1. glass mapper ieper
  6. what .net framework you have worked on
  7. Sitecore 9
  8. What's new in the .net world
  9. Web API routes registration via pipeline
  10. difference between IEnumerable and enum
  11. difference between async and await
  12. SOLID Principles
  13. OOP concepts
  14. Basic C# like structure
  15. classes
  16. interface
  17. method overload
  18. boxing/unboxing
  19. casting
  20. generics
  21. conversion
  22. Design Patterns: Helix
    1. Design Patterns: Creational Patterns
    2. Design Patterns: Dependency injection
    3. delegates
    4. Design Patterns: provider pattern
    5. Design Patterns: Test driven development practices
  23. In, ref, out parameter
  24. Pattern Matching
  25. Generics
  26. Anonymous Function
  27. Make a class immutable
  28. Dynamic keywords & New
  29. Var and dynamic
  30. Difference between Convert.ToString() and .ToString()?
  31. Difference Between Class and struct?
  32. What is iterator?
  33. Difference b/w ref and out
  34. Difference between class and interface?
  35. Difference between Array and ArrayList?
  36. Difference between class and struct
  37. Difference between String and StringBuilder
  38. Difference between Sitecore 8 and 9
  39. Difference between Is vs As operator keyword in C#
  40. Difference between == and Equals() ?
  41. Difference between Server.Transfer and Response.Redirect?
  42. What are the benefits of DI?

What are the OWASP Top 10 vulnerabilities?

The following are the ten categories of the OWASP Top 10, 2017 edition. The numbering below is this post's own; the official list orders them A1 to A10 differently.

  1. Injection

    Injection happens when untrusted data, submitted through a form field or sent directly to the server with a tool such as Postman, is passed to an interpreter (SQL, LDAP, an OS shell, XPath) as part of a command or query, so the interpreter treats the data as code.

    For example, if the value of a "First name" field is concatenated into a SQL statement, an attacker can type a fragment of SQL into that field and the SQL Server will execute the attacker's query instead of the one the developer wrote.

    Injection attacks are prevented by keeping data and code separate: use parameterized queries or an ORM instead of building SQL by string concatenation, validate input against an allow-list where the expected format is known, and run the database account with the least privilege it needs so that a successful injection exposes as little data as possible.
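Here is the "First name" lookup described above written both ways, as an added illustration that is not part of the original post. It assumes a SQL Server table dbo.Users with FirstName and Email columns and uses System.Data.SqlClient (built into .NET Framework, a NuGet package on .NET Core); the connection string is a placeholder and nothing is executed, so it runs without a database.

```csharp
// Added example (not from the original post): the same lookup written two ways.
// Assumes a SQL Server table dbo.Users(FirstName nvarchar(100), Email nvarchar(200));
// the table, the column sizes and the connection string are assumptions.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE: the input becomes part of the SQL text, so data is parsed as code.
    public static SqlCommand BuildVulnerableCommand(SqlConnection conn, string firstName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT Email FROM dbo.Users WHERE FirstName = '" + firstName + "'";
        return cmd;
    }

    // SAFE: the SQL text is fixed; the value travels separately as a typed parameter
    // and cannot change the structure of the statement.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string firstName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Email FROM dbo.Users WHERE FirstName = @firstName";
        cmd.Parameters.Add("@firstName", SqlDbType.NVarChar, 100).Value = firstName;
        return cmd;
    }

    // Executes either command against an open connection and collects the e-mails.
    public static List<string> Run(SqlCommand cmd)
    {
        var emails = new List<string>();
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read()) emails.Add(reader.GetString(0));
        }
        return emails;
    }

    public static void Main()
    {
        // Constructed attacker input typed into the "First name" box.
        string attackerInput = "x' OR '1'='1";

        // Show what each version would send, without opening a connection.
        using (var conn = new SqlConnection("Server=(local);Database=App;Integrated Security=true"))
        {
            // The quote in the input closes the string literal and the rest of the
            // input is appended as SQL: the WHERE clause no longer filters anything.
            Console.WriteLine(BuildVulnerableCommand(conn, attackerInput).CommandText);

            // The statement text is unchanged; the whole input, quotes included, is
            // carried in the parameter and matched literally against FirstName.
            var safe = BuildSafeCommand(conn, attackerInput);
            Console.WriteLine(safe.CommandText);
            Console.WriteLine(safe.Parameters["@firstName"].Value);
        }
    }
}
```

Run it and compare the two printed command texts: the concatenated version has the attacker's OR clause spliced into the WHERE condition, while the parameterized version's statement is unchanged and the input is only visible as the parameter's value. The same rule applies to Sitecore's own query APIs: build Sitecore fast queries and ContentSearch predicates from typed values, not from concatenated user input.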
  2. Broken Authentication and Session Management

    Overview
    Authentication and session-management functions (login, logout, password reset, "remember me", session tokens) are often implemented incorrectly. This lets an attacker compromise passwords, keys or session tokens, or reuse a valid token, and so act as another user.

    Risk
    An attacker can view unauthorized content, perform actions as another user, or, if an administrator's account is taken over, control the whole website.

    Protection
    Serve the entire site over HTTPS (TLS, the successor of SSL), not only the login page, so credentials and session cookies cannot be read or replaced by a man-in-the-middle between the browser and the web server. Mark session cookies HttpOnly and Secure.

    Issue a new session ID when the user logs in (to defeat session fixation), expire sessions after a period of inactivity, and invalidate them on logout.

    Store passwords only as salted hashes computed with a slow, purpose-built function (PBKDF2, bcrypt, scrypt or Argon2), never in plain text and never with a fast hash such as MD5 or SHA-1.

    Enforce a password policy that rejects short or commonly breached passwords rather than only demanding a mix of upper- and lower-case letters, digits and symbols; offer multi-factor authentication; and rate-limit or lock out after repeated failed logins.

    A VPN only helps for applications that are meant to be reachable from a private network; it is not a control for a public website. A web application firewall (WAF) inspects incoming traffic and can block known-bad request patterns, but it is a secondary layer, not a substitute for fixing the application.
  3. Sensitive Data Exposure

    Overview
    The application does not adequately protect sensitive data such as financial details, passwords, health records or personal data, either while it is transmitted or while it is stored.

    Risk
    An attacker who obtains this data can commit fraud or identity theft, or try recovered passwords against other sites. Common routes are a man-in-the-middle attack on unencrypted or weakly encrypted traffic, a database dump containing plain-text or weakly hashed secrets, and sensitive values left in logs, backups, URLs or browser caches.

    Protection
    Do not store sensitive data you do not need. Encrypt data in transit with TLS and at rest with a modern authenticated construction (for example AES-GCM, or AES-CBC combined with an HMAC), keep the keys outside the application and the database, and store passwords only as slow salted hashes. Disable caching of responses that contain sensitive data and keep it out of logs and URLs.
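Encryption at rest for a single field, as an added example that is not from the original post: AES-256-CBC with an HMAC-SHA256 over the IV and ciphertext, checked before anything is decrypted. The two keys are generated in Main only so the sample runs; in a real deployment they come from a key vault, DPAPI or another store outside the application and database. CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or .NET 5 and later; on .NET Framework replace it with a hand-written constant-time loop.

```csharp
// Added example (not from the original post): encrypt-then-MAC for a field at rest.
// Record layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
// Keys are generated in Main for demonstration only (an assumption, not a pattern to copy).
using System;
using System.Security.Cryptography;
using System.Text;

public static class FieldCrypto
{
    private const int IvLen = 16, TagLen = 32;

    public static byte[] Encrypt(byte[] encKey, byte[] macKey, string plaintext)
    {
        using (var aes = Aes.Create())          // AES-CBC with PKCS7 padding by default
        {
            aes.Key = encKey;                   // 32 bytes selects AES-256
            aes.GenerateIV();                   // fresh random IV for every record

            byte[] pt = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(pt, 0, pt.Length);

            // The tag covers the IV as well, so neither part can be swapped unnoticed.
            byte[] ivAndCipher = Concat(aes.IV, cipher);
            byte[] tag;
            using (var hmac = new HMACSHA256(macKey)) tag = hmac.ComputeHash(ivAndCipher);
            return Concat(ivAndCipher, tag);
        }
    }

    public static string Decrypt(byte[] encKey, byte[] macKey, byte[] record)
    {
        if (record.Length < IvLen + TagLen)
            throw new CryptographicException("record too short");

        byte[] ivAndCipher = new byte[record.Length - TagLen];
        byte[] tag = new byte[TagLen];
        Buffer.BlockCopy(record, 0, ivAndCipher, 0, ivAndCipher.Length);
        Buffer.BlockCopy(record, ivAndCipher.Length, tag, 0, TagLen);

        // Verify first; tampered or truncated data never reaches the cipher.
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(ivAndCipher);
        if (!CryptographicOperations.FixedTimeEquals(tag, expected))
            throw new CryptographicException("authentication failed");

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(ivAndCipher, IvLen, ivAndCipher.Length - IvLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        // Constructed sample value: a test card number, not real data.
        byte[] record = Encrypt(encKey, macKey, "4111 1111 1111 1111");
        Console.WriteLine(Decrypt(encKey, macKey, record));

        record[record.Length - TagLen - 1] ^= 0x01;   // flip one ciphertext bit
        try { Decrypt(encKey, macKey, record); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The second call in Main fails at the HMAC check rather than producing garbage or a padding error, which is the point of encrypt-then-MAC: an attacker cannot use the application's decryption behaviour as an oracle. Separate keys are used for encryption and authentication on purpose.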
  4. Cross-site Scripting (XSS)

    Overview
    XSS lets an attacker inject client-side script into pages viewed by other users, because the application places untrusted data into HTML without encoding it for the context it lands in. The injected script runs with the victim's session on the vulnerable site.

    Risk
    An attacker can send a phishing e-mail that appears to come from a trusted bank and contains a link to the bank's real website, with malicious JavaScript embedded in a query-string parameter of the URL. If the bank's site reflects that parameter into the page without encoding it, the script runs in the victim's browser when the link is clicked and can read the session cookie, submit forms as the victim or rewrite the page (this is reflected XSS; stored XSS plants the payload in data that other users view later).

    Protection
    Encode every piece of untrusted data at the point of output for the context it goes into (HTML body, attribute, JavaScript, URL); in ASP.NET MVC Razor the @ syntax encodes automatically and @Html.Raw is the exception to review. Validate input against an allow-list where the expected format is known, mark session cookies HttpOnly so a successful script cannot read them, and send a Content-Security-Policy header to limit which inline or external scripts may run. "Denying untrusted HTTP requests" is not a workable control, since every request from the Internet is untrusted.
  5. Insufficient Logging and Monitoring

    Overview
    Most breaches are detected long after they start, because the application does not log security-relevant events (failed logins, access-control failures, input-validation failures, high-value transactions) or because nobody watches the logs that exist.

    Protection
    Log these events with enough context to investigate (who, what, from where, when, outcome) but without secrets such as passwords or session tokens; send logs to a central store the attacker cannot edit; alert on suspicious patterns such as many failed logins from one source; and have an incident-response plan so that a breach is acted on promptly.
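As an added example that is not part of the original post, a small detector that could run over an application's authentication log: it alerts when one source address fails to log in five times within five minutes. The AuthEvent shape, the threshold, the window and the log entries in Main are all constructed for this example.

```csharp
// Added example (not from the original post): sliding-window brute-force detection
// over authentication events. Event shape, threshold, window and sample data are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class AuthEvent
{
    public DateTime Time;
    public string SourceIp;
    public string User;
    public bool Success;
}

public static class BruteForceDetector
{
    // Returns one alert line per source that reaches `threshold` failures inside `window`.
    public static List<string> Alerts(IEnumerable<AuthEvent> events, int threshold, TimeSpan window)
    {
        var alerts = new List<string>();
        var recentFailures = new Dictionary<string, Queue<DateTime>>();

        foreach (var e in events.OrderBy(x => x.Time))
        {
            if (e.Success) continue;                        // only failures count

            if (!recentFailures.TryGetValue(e.SourceIp, out var q))
                recentFailures[e.SourceIp] = q = new Queue<DateTime>();

            q.Enqueue(e.Time);
            while (q.Count > 0 && e.Time - q.Peek() > window) q.Dequeue();   // forget old failures

            if (q.Count == threshold)                       // fire once, when the line is crossed
                alerts.Add($"{e.Time:u} {e.SourceIp}: {threshold} failed logins within " +
                           $"{window.TotalMinutes} min (last user tried: '{e.User}')");
        }
        return alerts;
    }

    public static void Main()
    {
        // Constructed sample log, not real data: one source hammering "admin",
        // another user who mistypes once and then succeeds.
        var t0 = new DateTime(2019, 5, 31, 10, 0, 0, DateTimeKind.Utc);
        var sample = new List<AuthEvent>();
        for (int i = 0; i < 6; i++)
            sample.Add(new AuthEvent { Time = t0.AddSeconds(10 * i), SourceIp = "203.0.113.7", User = "admin", Success = false });
        sample.Add(new AuthEvent { Time = t0.AddSeconds(5), SourceIp = "198.51.100.2", User = "jane", Success = false });
        sample.Add(new AuthEvent { Time = t0.AddSeconds(30), SourceIp = "198.51.100.2", User = "jane", Success = true });

        foreach (var a in Alerts(sample, threshold: 5, window: TimeSpan.FromMinutes(5)))
            Console.WriteLine(a);
    }
}
```

With the sample data exactly one alert is produced, for 203.0.113.7 at its fifth failure; the sixth failure does not repeat it, and jane's single mistake never reaches the threshold. The events themselves would come from the login code writing a structured entry on every attempt, which is the part most applications skip.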
  6. Insecure Deserialization

    Overview
    Insecure deserialization happens when an application reconstructs objects from data received from an untrusted source. Because the payload can influence which types are instantiated and what their fields contain, it can trigger code paths the developer never intended, leading to denial of service or remote code execution.

    Prevention
    The safest approach is not to accept serialized objects from untrusted sources at all. Where that is impossible: verify a digital signature or HMAC over the payload before deserializing it; deserialize only into plain data types that the server chooses (in .NET, never use BinaryFormatter on untrusted input, and do not enable type-name handling in JSON serializers); restrict the allowed types with a SerializationBinder if a legacy formatter cannot be removed; and log deserialization failures so repeated attempts are visible.
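An added example, not from the original post, of the "if you must accept it" path: the payload's HMAC is checked before it is read, it is deserialized with System.Text.Json into a data-only Order type that the server picks, and the result is validated afterwards. System.Text.Json needs .NET Core 3.0 or .NET 5 and later (a NuGet package on .NET Framework); the Order shape, the key and the JSON messages are assumptions.

```csharp
// Added example (not from the original post): integrity check, then deserialization
// into a server-chosen DTO, then validation. Order, the key and the messages are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed class Order        // plain data; nothing here for a payload to trigger
{
    public int ProductId { get; set; }
    public int Quantity { get; set; }
}

public static class SafeDeserializer
{
    public static bool TryReadOrder(byte[] payload, byte[] receivedMac, byte[] macKey, out Order order)
    {
        order = null;

        // 1. Integrity: anything not produced by a holder of macKey is rejected unread.
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(payload);
        if (!CryptographicOperations.FixedTimeEquals(expected, receivedMac)) return false;

        // 2. Type safety: the target type is fixed here. There is no type name in the
        //    payload to honour, so a gadget-chain payload has nothing to instantiate.
        try
        {
            order = JsonSerializer.Deserialize<Order>(payload);
        }
        catch (JsonException)
        {
            return false;
        }

        // 3. Business rules still apply after parsing.
        if (order == null || order.ProductId <= 0 || order.Quantity <= 0 || order.Quantity > 1000)
        {
            order = null;
            return false;
        }
        return true;
    }

    public static void Main()
    {
        byte[] macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(macKey);

        // Constructed: a legitimate message, signed by the side that issued it.
        byte[] good = Encoding.UTF8.GetBytes("{\"ProductId\":42,\"Quantity\":3}");
        byte[] goodMac;
        using (var hmac = new HMACSHA256(macKey)) goodMac = hmac.ComputeHash(good);
        Console.WriteLine(TryReadOrder(good, goodMac, macKey, out var o) ? $"ok: {o.Quantity} x {o.ProductId}" : "rejected");

        // Constructed: the attacker edits the quantity but cannot recompute the MAC.
        byte[] tampered = Encoding.UTF8.GetBytes("{\"ProductId\":42,\"Quantity\":-3}");
        Console.WriteLine(TryReadOrder(tampered, goodMac, macKey, out _) ? "ok" : "rejected");
    }
}
```

The tampered message is rejected at step 1 without ever being parsed; had it carried a valid MAC, step 3 would still reject the negative quantity. The contrast is with formats that let the sender name the type to create, which is what makes BinaryFormatter and TypeNameHandling-style settings dangerous on untrusted input.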
  7. XML External Entity (XXE)

    Overview
    An application is exposed to this attack if it parses XML supplied by a user with a parser that processes DTDs and resolves external entities.

    Risk
    The attacker declares an entity whose value is a URI, such as a local file path or an internal HTTP address. When the parser expands that entity, the contents of the file or the response from the internal server end up in the parsed document, which the application then returns or stores somewhere the attacker can read it. The same mechanism can be used for denial of service (deeply nested entity expansion) or to make requests to internal systems on the attacker's behalf.

    Protection
    Disable DTD processing and external entity resolution in the XML parser. In .NET, create readers with XmlReaderSettings that set DtdProcessing to Prohibit and XmlResolver to null, and set XmlResolver to null on XmlDocument as well. Where possible, accept a simpler format such as JSON for untrusted input instead.
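The .NET side of that protection, as an added example that is not from the original post: an XmlReader configured to refuse DTDs, with the insecure configuration kept alongside for comparison but never called. The XML document and the file path in the payload are constructed for this example.

```csharp
// Added example (not from the original post): parsing caller-supplied XML with DTDs
// prohibited and no resolver. The document format and the payload are constructed.
using System;
using System.IO;
using System.Xml;

public static class UntrustedXml
{
    // SAFE: DtdProcessing.Prohibit makes the reader throw on any <!DOCTYPE>, and a
    // null resolver means nothing outside the document can be fetched even if DTD
    // processing were later switched back on.
    public static string ReadFirstName(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.SelectSingleNode("/user/firstName")?.InnerText;
        }
    }

    // VULNERABLE (kept for contrast, not called): DtdProcessing.Parse plus a
    // resolver lets &xxe; expand to the contents of whatever URI the attacker names.
    public static string ReadFirstNameLegacy(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc.SelectSingleNode("/user/firstName")?.InnerText;
        }
    }

    public static void Main()
    {
        // Constructed XXE payload: the entity points at a local file the server can read.
        string payload =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>" +
            "<user><firstName>&xxe;</firstName></user>";

        try
        {
            Console.WriteLine(ReadFirstName(payload));
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);   // the DOCTYPE itself is the error
        }

        // A normal document is unaffected by the stricter settings.
        Console.WriteLine(ReadFirstName("<user><firstName>Alice</firstName></user>"));
    }
}
```

The safe reader rejects the payload as soon as it meets the DOCTYPE, before any entity is declared, let alone resolved, and the plain document still parses. Apply the same settings to every place XML enters the application: XmlDocument, XmlTextReader, XPathDocument, XSLT inputs and SOAP or feed handlers.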
  8. Broken Access Control

    Overview
    Restrictions on what an authenticated user may do are not enforced on the server: for example, changing an ID in a URL to read another customer's record, or calling an administrative URL as an ordinary user.

    Protection
    Deny by default, check authorization on the server for every request and every record (not only by hiding links and buttons), and test those checks with a low-privilege account.
  9. Security Misconfiguration

    Overview
    The application, framework, web server or database runs with insecure defaults or incomplete configuration: default accounts, unnecessary features enabled, directory listing, or detailed error pages that reveal stack traces and internal paths.

    Protection
    Harden every environment the same way with a repeatable, automated configuration; remove defaults and unused features; and in production turn off debug output and detailed errors (for ASP.NET, customErrors and the debug attribute in web.config).
  10. Using Components With Known Vulnerabilities

    Overview
    Libraries, frameworks and other components (NuGet packages, JavaScript libraries, the CMS itself) run with the application's full privileges, so a published vulnerability in any of them is a vulnerability in the application.

    Protection
    Keep an inventory of components and their versions, watch for security advisories and patches for each, update promptly, and remove dependencies that are no longer needed.