.NET DECK Flashcards

Question

ASP .NET MVC "helpers"

Answer 1

when you you @.property style fields (such as @html.Displayfor) it automatically HTML encodes the field - most of the frameworks *try* to encode these fields

Answer 2

By calling Page.Validate (runs on client and server)

Answer 3

if the target value is an emoty string. Used in conjuction with RequiredFieldValidator to make sure the field exists and has the correct regular expression.

Answer 4

the Page.IsValid before handling any data.

Answer 5

both client and server

Answer 6

Added to .NET in version 4.5, deferred (or lazy) validation only runs on an item in the reuqest collection when the app code accesses it. For example, Requests.Form["Feedback"] or Model.Feedback would check to make sure that specific field is validated.

Answer 7

Ability to manipulate parameters in post data; headers, cookies, hidden fields. Can jack with session IDS.

Answer 8

1. keep service-side session state, storing in object on the server. 2. Encrypt request parameters with AES and MAC to protect anything you dont want the user to manipulate. (put in HMAC viewstate) 3. Perform server side auth checks.

Answer 9

When unvalidated data is used to redirect or forward a user to another site. Can lure victims to an evil forged version of a site. (that is vulnerable to other attacks)

Answer 10

Always have the input validated | Use whitelists for authorized redirect locations

Answer 11

use the TryCreate() method, to make sure the redirect is relative (in the same application/domain path)

Answer 12

when the 302 (redirect) code is provided via the server and not the browser. All the redirecting action is run on the back end, not visible to the user. If the user can control the URL involved in that back end transfer, its a problem.

Answer 13

its a problem with the server.Transfer method; not an MVC/.NET issue.

Answer 14

keep user-controllable data OUT of the server.Transfer. If you have to do it, make sure the user data is auth checked/validated.

Answer 15

is merged with the DOM and JS in the browser executes the XSS attack. (The JS in the page extracts the XSS attack and merges it into the DOM method)

Answer 16

HTML elements, attributes, and comments URLs JS VBS/CSS. Protections vary by conmtext.

Answer 17

You can bypass or disable request validation at the: 1. field (Unvalidated property on HttpRequest object, such as Request.Unvalidated.Form["Feedback"]) 2. page (setting ValidateRequestMode on any .Net Control to Disabled) 3. application (via validateRequest=False in web.config)

Answer 18

It bypasses authorization/authentication rules If you must do it, perform code based authorization before forwarding and on the landing page.

Answer 19

``` Malware JS based key-loggers CSRF attacks Phishing, spam, and ads cookie theft ```

Answer 20

Encoding (ensure server and application are using same consistent UTF style, etc) Canonicalization (different ways you can represent the same tag, in UTF Output encoding

Answer 21

Users can inject code that response and FORCE their own encoding, bypassing validation/encoding roles.

Answer 22

THe different ways to represent characters based on encoding types. How to represent in a dozen different ways. (UTF-7: +ADw-script+AD4-), %3C%73%, etc

Answer 23

AntiXSSEncoder MS Web protection library (WPL) HTTPUtility class

Answer 24

MS Web Protection Library (WPL)

Answer 25

Whitelist encoding methods an HTML sanization library Named entity support (auto encoding of HTML-specific special characters, like , and "

Answer 26

WPL Sanitizer class

Answer 27

HTML helper class Tags such as @Html.DisplayFor() method will encode content and prevent XSS attacks, as will @Html.ActionLink

Answer 28

JS, VBScript, URL, CSS, or attributes

Answer 29

HTML helper class, via the @ sign.

Answer 30

1. setting the HttpOnly flag (preventing access to cookies from client side scripts) 2. X-XSS protections (level 0, 1, and 1;mode=block) for variable levels of protection. 3. Content Security Policy (header used to set rigid, granular levels of controls for what sources content can come from, and how.

Answer 31

Code can not be placed in tags within the HTML page, or with inline event handlers (such as Can't have app code that calls to functions that allows JS to execute from strings. (Such as eval, setInterval, etc)

Answer 32

The way Content Security policy defines where content can be retrieved from. Items include script-src, object-src, media-src.

Answer 33

You have to disable the unsafe-inline and unsafe-eval directives, and explicitly allow them. Weakens the security provisions.

Answer 34

Escape command characters in SQL using: ADO .NET (Parameterization) LINQ to SQL (automatically parameterizes) Entity Framework Dynamic TSQL params

Answer 35

Parameterizing queries. Rather than directly inserting dynamically concatenated code, it uses parameters (such as username and password) which are properly encoded. (@username)

Answer 36

.......translate when applications speak to model objects, like SQL, and they translate the properties/queries so that you *don't have to understand the underlying DB store*. The queries are then written in C# versus SQL

Answer 37

Entity Framework. (EF) Uses a similar syntax (C# to SQL) as Linq, but has wider support.

Answer 38

DBContext. Contains ExecuteSqlCommand and SqlQuery methods, which runs direct commands at the DB.

Answer 39

the LDAP filters (such as & and |, which allow queries to look for specific items) and Distinguished names.

Answer 40

Encoding the content, with WPL LDAP encoding.

Answer 41

allows objects to be retrieved in a more object-oriented (vice RDBMS) Most common forms of data not stored as objects are RDBs and XML. LINQ and EF do this type of object to DB language conversion

Answer 42

Encoding, using the WPL Encoder.XmlEncode or XmlAttributeEncode() methods. Also, the System.Xml class built into .Net has some encoding.

Answer 43

Xpath Elements, Attributes, etc.

Answer 44

3rd party MvpXML project; parameterizes Xpath expressions Through parameterization, encoding occurs on elements

Answer 45

Weak passwords Authentication Improper Restriction of Authentication ATTEMPTS (vulnerable to brute forcing) Overly restrictive lockout mechanisms (DoS) Missing auth checks for critical functions

Answer 46

1. Changing what's assumed to be immutable data: environment variables, hidden form fields, cookies 2. Inject SQL/LDAP language into login fields 3. Adjust client side auth details, insert into AJAX

Answer 47

Cracking hashes that ARE NOT SALTED

Answer 48

Without restricting attacks, vulnerable to brute forcing user accounts

Answer 49

DoS 'ing someone's account

Answer 50

Missing auth for critical functions

Answer 51

Missing authorization

Answer 52

Be sent the request out of band, and have to provide their old password/have their auth token checked.

Answer 53

SMS out of band checks and one-time, time sensitive temporary passwords

Answer 54

1. Combined with out of band, rotatinmg 6 digit SMS code | 2. Made Safe to store/transit, stable information, memorable, and definitive.

Answer 55

The system generates a pseudo-random crypto number have it added to the hash. (Can be stored beside it; doesn't need secure storage) Make sure it's at least 128 bits.

Answer 56

system.cryptography.RNGCryptoServiceProvider

Answer 57

Don't do it, ever. Don't allow passwords to be recreated or dispensed; it's an easy way to steal account info. 1. Send a temp password that allows users to change it 2. Generate a temporary, non-discoverable password change link 3. email the users to alert for a change in status/activity

Answer 58

Easy to screw up. 1. Don't echo passwords to the user, especially via email or HTTP. (Which shows that the passwords are stored in the clear or using reversible encryption) 2. Make users verify the account, so that attackers can't just drop in 10k accounts with automation 3. Make sure account creation confirmation page is destroyed after the account is verified.

Answer 59

1. When created, send a confirmation email to user email. 2. User follows the link (over HTTPS) to activate the account and re-authenticate. (confirmation contains only text, no private details) 3. Set the confirmation opportunity to expire 4. Make sure sensitive parts of the app (anything where private information is displayed) is protected with TLS.

Answer 60

1. Auto-unlock accounts after a set time, to eliminate DoS/strain on help desk 2. Use a captcha to prevent automation of account cracking

Answer 61

In version 6, all ASP activities were received by ASP .NET, and then sent to IIS via Aspnet_isapi.dll and duplicated by an IIS process. (Gateway between the server and the app framework) clunk and cumbersome. IN version 7, IIS and .NET ASP are more tightly integrated and have a the features are combined for point Auth, Handlers, and HTTP responses, when set to "Integrated mode"

Answer 62

applicationhost.config and web.config, IIS 7.0 and later

Answer 63

Unmanaged code creates a lot of overhead, and forms authentication may not protect unmanaged resources like pics, PDFs, office docs, etc.

Answer 64

Unified functionality 1. Can add custom modules into pipeline. (perfect for security) 2. Can define config, tracing, logging, output, authorization, etc. 3. all inbound web goes through pipeline; this means you can "bolt on" functionality that isn't resident in apps to the framework/IIS.

Answer 65

Modules are libraries/classes that HTTP requests treaverse through and do something to the data within requests. (often security focused)

Answer 66

Handlers are what waits at the end of the request to do the dynamic processing: endpoint for the request.

Answer 67

``` Modules are: 1 module to many requests Handlers are: 1 handler for every 1 request. ```

Answer 68

Each module inspects the request, does a specific job (like setup a user session, perform authentication, or do an auth request) After modules handle flow, it's passed to the HTTP handler that does the GET/POST, along with the URI (.aspx, trace, asxd, etc)

Answer 69

``` Can do things like CSRF checks, User input checking/validating, customized auth (SSO, SAML, smart cards, etc) ```

Answer 70

Use the IHttpModuleInterface, and create a custom event. Use things like PostAuthenticateRequest and Endrequest, for example.

Answer 71

HTTP Handlers

Answer 72

Http Handlers

Answer 73

iHttpHandler Interface

Answer 74

applicationHost.config or the web.config. (Can have modules apply to specifc apps, or go site wide)

Answer 75

is the IIS 7.0 global control file for both IIS and .NET.

Answer 76

modules and handlers.

Answer 77

1. ASP .NET Identity 2. Forms auth 3. Membership Provider 4. Windows auth 5. Default 6. Anonymous

Answer 78

It's user/pwd based, and creds are past in the POST in the clear, so it requires TLS to encrypt

Answer 79

Open Web Interface for .NET (OWIN) provides a managed authentication/authroization foundation for .NET identity. What the identity services are built on.

Answer 80

.NET identity, via OWIN.

Answer 81

1. Individual users (cookie based, username/pwd, social auth) 2. Tied to AD/O365/SSO 3. Windows IIS auth. (Intranet)

Answer 82

Configuration of Cookie security options, such as CookieHttpOnly, CookieSecure, ExpireTimeSpan, etc

Answer 83

.NET Identity User Manager

Answer 84

.Net Identity User Manager manager config

Answer 85

The crypto hashing values used by User manager to hash passwords. (Work factor, characters, salt, etc)

Answer 86

AccountController.cs, where the Register action takes place and the relevant info (User account, email address, etc) is passed on to the DB, via UserManager.CreateAsync option.

Answer 87

ApplicationUser class. Lets you configure what properties are stored in the database, like AccessFailedCount, Email, EmailConfirmed, PasswordHash, PhoneNumber, etc.

Answer 88

add new data attributes for a user into the application, and automatically update the backend DB to make sure that the data is consistent and persistent. EX: if I add CustomerId, BirthDate to a user profile, the EF Code First migration will update the back end DB with those two fields. 1. Enable-Migrations 2. Add-Migration Init 3. Update-Database After completion , you'll see the DB schema will have new columns for these properties.

Answer 89

1. Doesn't enforce account lockout by default 2. Weak password length by default 3. Missing password expiration/password history (using old passwords is easy) features 4. OWIN Cookie Manager bug by default"

Answer 90

OWIN uses middleware cookie collection (Separate from application cookies) which are lost if Response.Cookies are modified. (First cookie added overwrites the OWIN cookie) Fixed via setting the CookieManager to SystemWebCookieManager, which will sync cookies between middleware/app up.

Answer 91

1. Is older, and only works with SQL/AD out of the box. (oracle and such needs a customer connector) 2. Stores in 3 formats: clear, MD5, and SHA1. (not great options) 3. Even if hashing the passwords in the web.config, they're still vulnerable to brute force style/rainbow table attacks.

Answer 92

Membership Provider. Provides a bolt-on solution for older .NET versions to hash passwords with SHA256, and store them in a backend DB for use. Blocks poor security features, such as non-complex passwords. Can customize the hashing/salting done by the membership provider forms auth feature. (for example, change it from SHA1 to PBKDFv2)

Answer 93

Integrated Windows authentication

Answer 94

Integrated Windows authentication

Answer 95

Default Auth. Gives everyone accessing the system a "GenericPrincipal" object with no user info.

Answer 96

.NET Managed Url Auth

Answer 97

a file or folder that you're applying authorization code to (such as /privateFiles), and then

Answer 98

Checks based on the and configuration. ``` Looks like: UrlAuthorizationModule.CheckUrlAccessForPrincipal( "/privateFiles" , User , Request.HttpMethod) ```

Answer 99

avoid caching protection is set to "all" requiring TLS, keeping timeouts low no persistence

Answer 100

Declarative (preferred: annotation in MVC) Explicit (secondary: boolean "has this role, y/n")

Answer 101

Can perform authorization checks. Holds general info about the user, like privileges and roles. Has a property named "Identity" that contains specific info about user.

Answer 102

Authenticated users user account User.Identity.IsAuthenticated User.Identity.Name

Answer 103

Through the current web page (System.Web.UI.Page.User) and HTTP context (HttpContext.Current.User)

Answer 104

the AuthorizeAttribute class, with [authorize] attributes. Kept in the controller. Can perform basic "is this account authenticated" checks and more advanced role based checks. (Is this user in the manager role?")

Answer 105

Querying the IPrincipal object, performing boolean checks on the response. (if (User.IsInRole("Admin") then do stuff, else log/exit.)

Answer 106

Using windows authentication. File authorization uses the Winodws ACL to limit access to the file system. Used mostly for internal network ops. "get the windows current user token, check it's ACL"

Answer 107

Session Cookie, Role Cookie, Forms Auth Ticket cookie, custom cookie, custom URL value, or auth headers

Answer 108

General Session tracking is a way of tracking users, irrespective of .NET session feature (that has its own architecture, use, API, etc)

Answer 109

global variable available on every web page in an app by every user.. the state is only stored in memory, and in a single process. Not replicated across application farms, other processes, or if app restarts. *Only good for use as an app dictionary.

Answer 110

Pros: 1. Can attach any type of user info to the profile object. (ex, Profile.Name, Profile.Age) How we used to track users. (via profile objects) 2. Works for anonymous/unauthenticated users. 3. Properties are defined for the Profile oject in the web.config 4. Works for Forms/Windows auth, too" Cons: 1. not good for security purposes. 2. The profile properties state is stored in a sql database in a single DB column, and all the objects are aggregated into a user ""blob"" which can then be read back to the object. (or anyone else with access to that blob can de-serialize it and see all the stuff) Not good for searching for specific properties, like an age.

Answer 111

he profile properties state is stored in a sql database in a single DB column, and all the objects are aggregated into a user ""blob"" which can then be read back to the object. (or anyone else with access to that blob can de-serialize it and see all the stuff) Not good for searching for specific properties, like an age.

Answer 112

Profile Properties, which are defined in the web.config

Answer 113

Session Object. Tracked via URL value w/Session ID or via cookie.

Answer 114

Uniquely identify browsers/client device requests, and map them to a session instance on the server Store session-specific data on the server for multiple browsers/client device requests within that session Raise appropriate session mgmt events.

Answer 115

``` In-Proc StateServer SqlServer Custom Off ```

Answer 116

Server side storage for state management. MOST secure fashion of storing user info server side. Assigned to one user, and tracked via cookie or URL value that has a session ID

Answer 117

Stores session data in memory w/the web app; very fast but memory intensive

Answer 118

Windows service to store session info in memory, OUTSIDE of the app pool process state.

Answer 119

MAX SCALABILITY. Stores the session state centrally in a sql server (or sql cluster)

Answer 120

Developers can create or use third-party session state storage libaries to extend or enhance capability

Answer 121

.NET "In Proc" state storage

Answer 122

It doesn't traverse servers, trust boundaries, and is lost in a reboot; memory intensive.

Answer 123

StateServer mode. Very memory intensive, but efficient. Can be used by multiple web servers.

Answer 124

Network traffic between worker process and state server (or sql server) is not encrypted. (Must use IPSec/TLS) Because the data crosses a process boundary, it must be serializable

Answer 125

creating the sql database for .NET to use to store state info

Answer 126

Which session state configuration mode is used is configured in web.config. Set as InProc, StateServer, SqlServer, Custom, or Off. Can be protected by encrypting the web.config, but unless its combined with "integrated auth" sql server state management won't work with an encrypted web.config section. (Will have to store the creds in the clear)

Answer 127

For sql server state management, just server/DB name required, no creds stored...use trusted_connection=true

Answer 128

Can use whatever back end you want to store session state info; MySQL, Oracle, Mongo, etc.

Answer 129

1. InProc mode: Session_OnEnd event, removes active session fm mem 2. Session.Clear() needs to be called before Session.Abandon() for log outs 3. in SQLMode, Session.Abandon() doesn't do anything, DB is cleared out periodically by SQL jobs "

Answer 130

aspnet_setreg.exe (DPAPI)

Answer 131

aspnet_regiis.exe (RSA or DPAPI)

Answer 132

InProc mode, and uses it to remove active session info from memory.

Answer 133

Periodic SQL tasks. Should still use Clear() and Abandon() to make sure it gets cleared out.

Answer 134

web forms; each viewState is tied to a specific Web Form.

Answer 135

a hidden field, and it holds data for a user's session.

Answer 136

Can be extracted and viewed, if not encrypted, and can be replayed from old requests. Not associated with a user or session by default. Can be used in CSRF attacks, or manipulated.

Answer 137

Use HMAC (message auth code) to prevent tampering of view state

Answer 138

you have sensitive data to protect. it slows down processing, and isn't always necessary for non-sensitive fields.

Answer 139

machineKey element web.config

Answer 140

by tying View State User Key to a specific user (using SessionID, for example) if someone tries to replay using CSRF, they'll have a different Session ID, because it will be an old value. (Different HMAC); That SessionID becomes a nonce.

Answer 141

Sensitive info; if you have to store sensitive info there, encrypt the cookies.

Answer 142

Turn cookies to secure = true and HttpOnly = true.

Answer 143

race conditions

Answer 144

AES, 3DES w/the machine key

Answer 145

HMAC via SHA1, MD5, 3DES, AES, etc. SHA1 preferres

Answer 146

1. Make sure all modifications to a data record happen in one transaction. 2. Use locks for a thread so that nothing can access those objects in different threads 3. Use .NET session module; its immune to race conditions

Answer 147

SessionID, which means that the server is performing a diff on requests to see if the POST came from a different user

Answer 148

A weak session ID. Shoot for 128 bit values, same as salts.

Answer 149

browsers. (It's not included in the RFC)

Answer 150

1. Use cryptography namespace (library) and RNGCryptoServiceProvider to generate strong, random numbers. 2. Use expiring session cookies over persistent cookies or long-lasting tokens. 3. Use .NET session features, which are strong.

Answer 151

1. Use encrypted (at all times) comms: VPN, TLS, HTTPS, IPSEC. 2. Don't use kerberos, if possible; vulnerable to pass the hash style attacks, vulns in NTLM. 3. set secure flag on ALL security-related cookies 4. Use .NET session cookies, Role provider cookies.

Answer 152

In response to the sslsniff/sslstrip vulnerabilities

Answer 153

When browser receives HSTS header, it forces all comms to always use HTTPS with valid certificates.

Answer 154

Session Hijacking

Answer 155

Session Fixation, or "borrowing"

Answer 156

1. Secure auth cookies 2. HttpOnly auth cookies 3. Strict Transport Security response header (HSTS)

Answer 157

1. always assign new session ID during authentication. Throw away old auth cookie. 2. no cookieless sessions. 3. Always use HTTPOnly

Answer 158

1. Anti-CSRF tokens, nonce, or form key that is tied to a session/auth. Even if the user knows everything else to execute a transaction, they wont have the user generated nonce 2. reduce session timeout values 3. Use session cookies vs. persistent cookies 4. Re-authenticate for critical operations 5. Use CAPTCHAs 6. Use POSTS to modify data, never GET

Answer 159

Validate Anti-Forgery token

Answer 160

built into MVC 1. NET uses a syncronizer token, which doesn't match the original cookie value 2. Double submit cookie pattern (The same CSRF token generated using pseudo-random number, and is embedded in a cookie AND hidden form field, and matched up on each request.

Answer 161

Defense to CSRF. Generates a challenge token, which is a random value associated with the current session/user. That token is submitted with every request. (Hidden field for POSTS or the URL for GETS) The server then checks to make sure that token is current for each session/user. Can do it per request or per session.

Answer 162

Defense to CSRF. Synchronizer pattern. CSRF token generated using pseudo-random-crypto generator, but is embedded in HTTP header in a cookie as well as a hidden form field. Attacker can't replicate what is in the victim's browser cookie store, and make it match the value on the form.

Answer 163

Web forms defense from CSRF. Unique key value for each ViewState that is user/session specific. Auto generated in VS 2012.

Answer 164

Happens when an attacker tricks a victim into clicking a hidden UI element, which redirects a user to another site. (Also called a UI Redress attack)

Answer 165

Set .NET ""X-Frame-Options header"" to ALL requests in the app using Application_BeginRequest event. Set header to ""deny"" 1. You can change to ""allow from"" the specified origin option, but better to replace with content security policy."

Answer 166

Can add an "anti-clickjacking" JS code that "breaks" frames and displays them.

Answer 167

DENY:: Prevents any site from framing the page SAMEORIGIN: Allows framing only from the same origin ALLOW-FROM: only from the specific source. Some browsers can't support

Answer 168

Add the X-Frame-Options header (ASP .Net Response.AddHeader method) set DENY, SAMEORIGIN, ALLOW-FROM options.

Answer 169

Proprietary, closed source algorithms. NTLM (Lanmanager) Closed does not equal good

Answer 170

One way, irreversible, keyed-hash. (Uses a secret key) provides authenticity)

Answer 171

the level of protection. More bits, larger keyspace = more protection.

Answer 172

The key. a

Answer 173

the key, not the algorithm. A 128 Bit RC4 algorithm (with 112 bits of key) is stronger than a 1024 bit RSA algorithm, with 80 bits of key.

Answer 174

Browser has public key, Server has private key; once decrypted, they switches over to symmetric key for the rest.

Answer 175

Initialization vector

Answer 176

Block ciphers use the results from the previous block as a nonce to encrypt the next block, so the IV is just the "randomness" needed for the first block

Answer 177

Keys are hard to securely store Keys have to be rotated Keys are hard to exchange securely (without intercept) Proper implementation

Answer 178

The way crypto is utilized. Stored in System.Security.Cryptography, see how the app is utilizing the various algorithms.

Answer 179

MSIL, Microsoft Intermediate Language

Answer 180

System.Security.Cryptography

Answer 181

Crypto Service Provider hashes are wrappers around the base system crypto libraries, and call down into the MS code. "Managed" algorithms are implemented entirely in MSIL (C#) and are written/executed entirely in and by .NET.

Answer 182

1. Converts the string to a series of bytes (ASCII) that the algorithm can work on (hashing algorithms can't directly work on a string) 2. Encode the string (UTF or ASCII) via the encoding class 3. Run the SHA1 (or whatever) hashing function on the encoded byte array. 4. Convert that hashed byte array into a hex string (using the BitConverter class) and return it to whatever called the hashing method.

Answer 183

Converting a hex string (hash) back into a byte array so that it can be converted back to a string.

Answer 184

the KeyedHashAlgorithm class utilizes a key property; this key value must be initialized (set to value) before calling the ComputeHash method.

Answer 185

CSP algorithms are wrappers that call into the Windows Crypto Library (underlying OS) vs Rijndael which is exclusively built in .NET/C#/MSIL.

Answer 186

Ensures the streams are closed, the crypto objects are cleared, and that they're marked for garbage collector pickup. Protects against inadvertent disclosure of info.

Answer 187

The Cryptography Next Generation Classes. Lets you store a key pair or a public key securely, refer to it using a simple string name.

Answer 188

Create strong crypto random numbers, using the RandomNumberGenerator method in the RNGCryptoServiceProvider class.

Answer 189

small amounts of data, or for the exchanging of symmetric keys (ssl)

Answer 190

1. Does the information NEED to be stored, for the app to function? (example: guy storing an unnecessary backup of credit card data at business to be able to re-authorize purchases. Nice functionality, but it's a headache, and should be deleted) 2. Does it actually protect our data? Some encryption (such as transparent encryption, SQL) only protects against stolen backups, doesn't protect against sql injection. 3. Where do we store it? (Key storage is hard; encrypting the keys compounds the problem, have to backup the keys to ensure recovery)

Answer 191

1. Use DPAPI to secure code, such as the web.config (IIS6+) Uses w3wp.exe to encrypt the file w/local machine code. This is the ".NET way" (stores in UserStore) Can also store in MachineStore or Registry. 2. In a web farm, store in the registry, and use the User-centric option for retrieval, that involves an additional secret to unprotect the data. 3. No good options for shared hosting environment.

Answer 192

User's logon creds. Uses an extra key (secret) to unprotect the data when used in multiple server setup.

Answer 193

For a trusted environment that is not accessible by external users. Protected data is made available to any process on that machine, and it uses the logon creds to determine access.

Answer 194

1. Use tokenization, if its necessary to store CC/sensitive info. 2. use Rijndael, SHA-1, or 3DES. Have to encrypt the Account Number, Cardholder Name, Service Code, Exp, token to encrypt with AES/Symmetric key. 3. Can't store CVV2 or PIN anywhere.

Answer 195

1. Always store passwords as a hash (PBKDF preferred, SHA-512 with custom work factor okay; can use bcrypt.net if you're not looking for FIPS compliance) 2. Always add a salt before hashing; salts should be per-user, not per database. Don't need to protect the salt 3. Make sure you have at least a 1/4 second work factor (adaptive hashing delay)

Answer 196

PBKDF and Bcrypt; use adaptive hashing w/work factor and salts.

Answer 197

RNGCryptoServiceProvider Dictionary/rainbow table attacks.

Answer 198

PBKDF has salt and work factor (iteration count) built in, you just pass it the counts. Easy to implement. 1. Feed it the password, salt, hash, and iterations. 2. You then tell it how many of those bytes to get back. (32-64) can then store it off. 3. Has a built in feature to GenerateSaltValue which you can throw into the hashing feature.

Answer 199

PBKDF; it's how Lastpass works. (use the Rfc2898DeriveBytes method to input cleartext, a salt, and some iterations and then turn the resulting bytes (32, 64) it into a strong AES key.

Answer 200

1. Helps make GUI more responsive. 2 Splits work across multiple cores 3. push long running tasks into a background 4. Improve performance

Answer 201

1. Harder to debug | 2. Threading creates availability concerns, especially when race conditions occur and lock up the system.

Answer 202

Timing issues. When code is performing multiple things at a time, timing issues occur. Sometimes a second thread can see data the first thread is working on, and it creates problems. Sometimes problems in code don't appear until code is executing on multiple threads.

Answer 203

When code is written to make sure there's no race condition/concurrency issues.

Answer 204

1. Have to design w/threading as objective. too hard to "bolt on" after 2. Use .NET modules designed to prevent concurrency issues 3. Perform extensive testing and analysis. Put the system under load.

Answer 205

State. If an object is being modified by one thread and and another thread inspects it at the same time, it's possible to have two threads with a different "state" of the application. Any class with stateful members has the potential to be in an inconsistent state when accessed concurrently.

Answer 206

Thread Synchronization; require all threads to wait until critical code finishes doing its work. Use the lock() and Monitor object to employ thread synchronization.

Answer 207

EventWaitHandle, Semaphore, Mutex)

Answer 208

Monitor.Enter() can act on any object, and until Monitor.Exit() is called, that object is blocked. (IE, will wait for the code to finish)

Answer 209

the lock() method

Answer 210

When one bit of code depends on the result of one of two threads finishing, and the results vary depending on which completes first. (Code will have different results depending on when it runs)

Answer 211

When two threads are waiting on the release of the same object.

Answer 212

1. Mutual exclusion: When one thread owns a resource/process, another can't take it. GUI's in Windows are owned by a single thread, and are responsible for processing everything. 2. Hold+Wait: When a thread is executing a critical section, it can reach out to another critical section, which can cause it to lock up if that section is held by another thread. 3. No preemption: No resource can be forcibly removed from a process holding it. 4. Circular wait: When a chain of two or more threads is waiting on a resource. Deadlocks are WAIT conditions. A thread is waiting on another one to finish, and the other thread can't/wont finish.

Answer 213

More efficient way to handle race conditions for counters than the Lock() method. Lets you increment variables as an "atomic" operation, meaning that it's handled as a single event.

Answer 214

Caused by unfair scheduling decisions and changing thread priorities.

Answer 215

The O/S has a scheduler to balance threads and prevent starvation. If you manually change the priorities, you can screw it up and create starvation. Threads have the ability to be set to below normal priority up to high.

Answer 216

ReadWriter locks. Class that lets a write activity jump in to execute really quickly. Used in situations where there's a lot of reads, and you need the ability for a write to jump in.

Answer 217

locking on "this" Locking on a type: for example, lock on "system.string"

Answer 218

as a countermeasure to deadlocks; you can set a timeout, in seconds, and have it continue to try to acquire a lock as part of a try/finally/else block. (Either it conducts the lock/runs the code, then exits normally, or exits and throws an error that it couldn't get the lock.

Answer 219

It uses an "impersonation token" for access. 1. This token doesnt propogate across threads, and this can introduce vulnerabilities in the code. 2. If an exception is thrown and code is exited when "impersonating" a different user, the impersonator could get stuck as that user. 3. Possible to lose the impersonation context when using components that don't use the same threading model.

Answer 220

a ReaderWriter lock, that favors writers.

Answer 221

In .NET 2.0, you can set to have the token flow across threads. "Specifies that the Windows identity always flows across asynchronous points, regardless of how impersonation was performed."

Answer 222

Yes, using the System.Threading.ExecutionContext.SupressFlow() method. (requires special permissions, in book)

Answer 223

static constructors

Answer 224

Not always. In situations where static members manipulate state, they need to be synchronized. Race conditions CAN and WILL occur in static methods and static constructors

Answer 225

its a .NET design pattern to provide global access to an object and verify there's ONLY ONE INSTANCE. 1. Can be used as a state object! 2. create a cleaner object structure than global variables

Answer 226

1. First, the person using the object runs a check to see if an instance exists. 2. Second, it locks the object (_lockobj) 3. Third, it checks to make sure an instance doesn't exist. (This verifies there wasn't another thread creating it! thread safe!) 4. It creates a new instance.

Answer 227

Seal the class, then create a read-only instance. This allows the field to be set at the class level or in a constructor, after which it cannot be changed.

Answer 228

If the hardware isn't robust enough, the binary representation of the number might not be assigned in a single atomic operation because it's too large.

Answer 229

they modify static state. Synchronize static constructors.

Answer 230

Can cause the thread to exit in an unpredictable way depending on platforms/third party code.

Answer 231

Lock within dispose to make sure they aren't called by multiple threads at once

Answer 232

When you persist the output of a security decision, multiple threads referencing it can create a race condition. Make sure to use those security states in a thread-safe fashion.

Answer 233

Used to compare if two strings match and for putting lists of strings into order. 1. Ordinal means a bit by bit/character-by character matching. 2. works by comparing the individual characters in the strings based on their numeric values. (e not the same as é, numerically)

Answer 234

Culture-sensitive comparisons work to treat some sequences as the same. (for example, Resume and resumé can be compared as the same) Use it to sort lists when strict matching isn't necessary!

Answer 235

Use String.Compare instead

Answer 236

StringComparison.xxIgnoreCase

Answer 237

Strings are immutable. Once they are stored in memory, they are there until the garbage collector removes it from memory. It's not possible to zero out/null out a string in memory or overwrite it. If you write to it again, it stores it with the variable name in a second instance. (there's two instances of "string s = blah/bill" in memory.

Answer 238

Use arrays or the SecureString object instead. Strings are immutable; it's a good idea to store passwords in another format other than strings, so it can be removed.

Answer 239

1. Stored on managed memory stack, not heap. 1. Creates smaller attack surface, less exposure 2. Use Array.Clear() on array types that store sensitive info. Can be wiped from memory, unlike strings.

Answer 240

Wiping out/clearing an array that has sensitive contents

Answer 241

SecureString

Answer 242

SecureString usually accepts input (say, from a text box) and stores it as a string, before storing it in a secure string. To store a string as a SecureString, store it in a char[] array first, so that it never makes it to memory and can be wiped.

Answer 243

Put data directly into the object Don't leave the SecureString object until it's ready for use Don't put it into a String object Use APIs that accept SecureString object

Answer 244

when the bounds of a specific numeric data type can be exceeded beyond its range. It's a Validation problem, When you don't plan for what #'s you'll see.

Answer 245

The bit that notates whether the value should be handled as a positive or negative number. It's the 16th bit.

Answer 246

-32k to 32k a ushort is 65k, but only positive numbers. (doesn't have a bit for +/-)

Answer 247

1. Exceed the boundary. (ex: 66,000 in a Ushort register) 2. "Signed" number in an unsigned register (negative number in an Ushort) 3. "Cast" from one numeric type to another 4. "Cast" from signed/unsigned types.

Answer 248

Math operations and downcasting/converting will cause this

Answer 249

1. DoS: Try to get the app to fail to correctly handle a numeric overflow gracefully and crash. ()Flip the sign of a numeric value, for example....or overload a register with a large number 2. Logic flaws: Exercise the application in a way it wasn't meant to be exercised; like controlling the sign of a numeric value from positive to negative and getting items for free.

Answer 250

Only in unmanaged.NET. Unsafe, Process invoking, and Com interop methods

Answer 251

Turn it on in the compiler, or by using the checked keyword for specific operations. (recommended that you turn it on and use "unchecked" only when necessary.

Answer 252

When working in a checked context, .NET will analyze a cast or numeric operation to determine whether a numeric overflow condition will occur, and if so, report an error

Answer 253

Static method that lets you safely multiply two unsigned integers together, which is stored in an unsigned long

Answer 254

No. Only unmanaged code can lead to a buffer overflow via numeric overflow

Answer 255

1. /optionstrict+ compiler option or | 2. /removeintchecks- compiler option

Answer 256

By implementing exception handling at the application layer all the way down to the method, via System.Exception.

Answer 257

The runtime will execute a stack walk to find where the exception occurred, which is computationally expensive. Checks the handler first, and then checks each method in the call in the stack.

Answer 258

System.Exception

Answer 259

user-defined exceptions specific to a given app.

Answer 260

a human-readablpe text that describes the error, via the exception.message property 2. The state of the call stack when it was thrown, via stack trace

Answer 261

System.IO.IOException

Answer 262

Stack Trace Property

Answer 263

Catch blocks start (from top to bottom ) with the most specific error, down to the most generic. When the code in a "try" block fails, the CLR will parse through the catches until it finds one that matches. If there's a "throw" command in that catch block, it's executed instead of the exception handlers default.

Answer 264

When the code in a try/catch block runs to the end, the "finally" block does the cleanup work (and runs regardless of which catch statement executes)

Answer 265

...pass an exception thrown back to the caller. (the method that invoked the code that threw the error)

Answer 266

Wrapping exceptions lets you wrap each less specific into a more general one in the method above it. Each new exception is thrown for each catch statement. Nice way to add information/nest information in a bigger error message.

Answer 267

"Can wrap every individual method in exception handling, but it makes the code base very dense and hard to read. Conversely, don't use coarse grain (too general) exception handling for important code that you need specific errors for. Find a blend of both.

Answer 268

the first place the framework looks for how to handle an exception for an action. looks for the same notation in the controller, if not found there.

Answer 269

/Views/Error or /Views/Shared/Error

Answer 270

Will propagate up the call stack through Application_Error method, and from there it will display based on what is in the in the web.config

Answer 271

Last resort for MVC unhandled errors.

Answer 272

for unandled exceptions at the method-level. Try/catch blocks are not necessary.,

Answer 273

the in the web.config 1. Off: full debug provided to the user 2. RemoteOnly: full debug only provided to localhost 3. On: no debug, only custom errors provided to everyone

Answer 274

1. Make sure you have a custom catch-all error defined in the of the web.config, with a defaultRedirect 2. Wrap ANY SQL(DB) access code in try/catch/finally blocks, logging sensitive info to an application log while only sending generic errors back to the user.

Answer 275

1. When accessing a DB, open the connection as late as possible 2. Use the connection for the shortest period of time possible 3. Close the connection as soon as possible.

Answer 276

1. microsoft event logs: not great because it's a lot of events (hard to aggregate w/o a SIEM) and it uses MS account details 2. Windows Management Events (WMI) - format that can be sent to any enterprise logging mechanism 3. Custom log (text file where specific events get written to) 4. Can be sent to the IIS log (which is already full of things like every post/get request) 5. SQL Database - can be written to a custom SQL DB 6. Email inbox - only good for critical events

Answer 277

Windows management event: format for raising events that can be captured by other enterprise logging mechanisms

Answer 278

1. Log aggregation is difficult, because centralized logging isn't available without 3rd party app or MS operations manager 2. Access to the event log is based on OS security accounts, not app accounts 3. Log size and overwrite decisions are controlled globally, can't be customized for an app.

Answer 279

1. Account related (creation, deletion, mod, enable/disable, logon) 2. Logging related (Event log enable/disable, event deleted/mod, entry insertion) 3. Role related (Use of priv, application start/stop/fail) 4. Transactions (success and failure) 5. Application event (start, stop, failure)

Answer 280

truncate it or obfuscate it somehow, first

Answer 281

Happy infrequently

Answer 282

Work process does not have sufficient privileges to create an event source, and the soruce must be created by an admin prior to the application start. Can only write to the application log.

Answer 283

the app log

Answer 284

critical (infrequent) application events. Never have the email contain sensitive info.

Answer 285

Make sure to sanitize/filter/validate log data before presenting it to a screen to avoid subjecting yourself to attacks

Answer 286

Microsoft Common Language runtime

Answer 287

the MS Common Language Runtime (CLR)

Answer 288

an application that understands when the CLR needs to be loaded. Each CLR needs to be loaded into a process. Examples include shell executables, IE, Custom hosts (managed services, written by developers) and ASP .NET

Answer 289

1. Load correct CLR 2. Load assemblies into CLR, check evidence. (Such as origin, dig sig, publisher) 3. Dynamically figure out state of evidence. 4. Unload CLR.

Answer 290

Shell Executables

Answer 291

ASP .NET runtime

Answer 292

Custom hosts. IE is an example of a runtime custom host, built by MS.

Answer 293

Two layers of defense; the .NET framework security layer, then the OS layer. 1. First, the application checks the user context and rights to the underlying protected resource. 2. After the app deems the user as having access to the resource, THE OS performs the same check. .NET can't override the underlying windows security. Screen reader support enabled. Two layers of defense; the .NET framework security layer, then the OS layer. 1. First, the application checks the user context and rights to the underlying protected resource. 2. After the app deems the user as having access to the resource, THE OS performs the same check. .NET can't override the underlying windows security.

Answer 294

Even if the operating system security permits access to a protected resource, the .NET framework also has to allow access.

Answer 295

Managed code assemblies

Answer 296

Managed code is capable of being managed, meaning it can be controlled in a meaningful way.

Answer 297

Also called MSIL (Microsoft Intermediate Language) 1. Platform agnostic. (x76, i386, etc. Doesn't matter) 2. Has built in memory management/buffer overflow prevention. 3. CLR can enforce access to protected resources. 4. Can be checked for inappropriate behavior before exeuction; can deny access before the assembly begins to execute.

Answer 298

Buffer overflows Lack of control of memory access Ensures applications don't monopolize system memory resources....protects against memory leaks.

Answer 299

Software developers write programs, which are compiled into Microsoft Intermediate Language. (MSIL) MSIL is sent to consumers, which, when executed, are checked for validity/errors, then re-compiled using Just-In-Time-Compilation into native code for the processor they're using. (X86, etc)

Answer 300

Manifest, Managed code, and metadata.

Answer 301

Permissions are granted to assemblies. Code access security checks an assemblies set of permissions to govern access to resources.

Answer 302

Weak named; private, relative names, stored locally Strong named: can be shared, have a cryptographically UNIQUE name, and can be stored in special system-defined directory.

Answer 303

Strong named assembles have 1. cryptographically unique names, are 2. stored in a system-defined directory 3. may be shared amongst applications. Are uniquely named and referenced.

Answer 304

weak named assemblies

Answer 305

Also called "Partially" named assemblies. 1. Are not visible or used by more than one application, 2. must be stored in the application root directory. 3. They do not use all four elements of the assembly name, thus, "weak/partial" named. Referenced only by it's "friendly" name. (relative name, only unique for the app)

Answer 306

their relative name, which is unique only for the app

Answer 307

The Global Assembly Cache. Only for strong named apps

Answer 308

To sign code (strong named) with a public key. (Creating an integrity check) 1. The public key is embedded in the assembly metadata. (manifest) 2. The whole assembly is hashed to create a "fingerprint" 3. The hash is encrypted with the vendor's private key, creating a digital signature. 4. The signature is embedded in the assembly. (DLL) 5. Assembly distributed to consumers.

Answer 309

public key

Answer 310

a hash of the of the assembly, signed by the vendor's private key, and then embedded in the assembly with the vendors PUBLIC key.

Answer 311

the vendors public key

Answer 312

1. Extract the public key from the manifest 2. Regenerates the hash of the assembly 3. Extract the digital signature, and uses the public key to decrypt it 4. Get original hash generated by the software dev (the software hash+public key) 5. Compare the runtime hash against the hash recovered from the digital signature. If they match, the integrity is established

Answer 313

Used by developers; public key token uses the last 64 bits of the SHA-1 hash of the public key, versus the full 1024 bit public key, for ease of use/admin overhead reduction

Answer 314

When multiple versions of the same assembly can exist on the same computer without disruption or confusion Possible because of strong named assemblies.

Answer 315

Any attacker can grab a strong-named assembly (as long as it's publicly accessible) and sign it with THEIR private key, then have the runtime's integrity check succeed. Only way to ensure protection is if the original developer transmitted their public key out of band.

Answer 316

sn.exe, provided with .NET Microsofot crypto API (CAPI)

Answer 317

the Assembly's source code (specifically, the AssemblyInfo file)

Answer 318

NuGet packages

Answer 319

1. No third party validation. 2. If the private key is compromised, you can't revoke the key. 3. Signed assemblies cant reference/invoke unsigned assemblies. 4. Can't strong name EXE's. If you do they wont be able to reference any weak-named DLL's that are deployed with the app.

Answer 320

Despite signing with a private key, it's still a self signing process. No third party verification. Hard to keep private key storage....private. Unlike with HTTPs (x.509v3, which binds a user's identity to a pub key) a third party doesn't verify that the private key belongs to the entitity for code signing.

Answer 321

authenticode

Answer 322

%systemroot%\assembly and requires admin access.

Answer 323

Good place to keep core libraries; things to that do validation, encoding, etc.

Answer 324

strict control of memory access; types cant reach into another type's memory space to muck around

Answer 325

type safety

Answer 326

Code Access security, which is ONLY POSSIBLE with MSIL verification.

Answer 327

1. Cornerstone of .NET security; checks code before executing to ensure that it is type safe and properly formatted. Will throw an exception if it's not. 2. Can skip this verification, which lets excepted (not type safe) code execute anyway. Dont do this.

Answer 328

Allows programs to access an assembly's internal information. (functions, fields, object metadata/properties) "find all the properties decorated with this attribute" utilities exist that can encrypt information in the ""get"" and ""set"" fields?" Basically, deconstruct compiled code and give source.

Answer 329

OWASP Top 10 (A9) - Using components with known vulnerabilities 70% of the source code powering an application we did not own, and we did not write. 70% in .NET coming from NuGet packages. Can't scan and change those components. Components, such as libraries/frameworks/modules/API, almost always run with full priveleges....Applications with known vulnerabilities may undermine app defenses and enable a wide rage of attacks and impacts

Answer 330

Put a process in place that catalogs all the 3rd party code, and automate the process of being alerted for vulnerabilities in that code.

Answer 331

Runtime Application Security Protection. RASP

Answer 332

SOAP typically uses XML messages to pass info back and forth. REST APIs typically communicate using JSON.

Answer 333

Usually, WSDL (Web Service Definition Language) files are deployed in production, which gives attackers a document describing the operations and message formats for web services. For JS, the swagger service provides similar interface details to a WSDL. 1. Shows all the methods and parameters for using those APIs. (guide to manipulating them)

Answer 334

Trivial to capture an AJAX call and reply/fuzz, and manipulate them. Zap, Burp, and SoapUI have built in support for scanning and fuzzing web services.

Answer 335

WCF is a framework for building service oriented applications. (API) It's a configuration for how consumers of data interact with your application. Builds small, simple apps that perform a purpose.

Answer 336

Data can be sent as async messages between endpoints. (API style) Secure, reliable, and scalable messaging.

Answer 337

The interface (IService) that defines what happens when the API is used. (List of the methods the interface will utilize)

Answer 338

1. webHttpBinding: For REST APIs. Client will access a URL which will give him an XML/JSON response. 2. basicHttpBinding: old SOAP 1.1 or .asmx binding: light weight, misses a lot of security options. 3. wsHttpBinding: advanced SOAP 1.2+ binding. Can only be consumed by .NET 3.5 or later. Has transport and message security options.

Answer 339

Most secure: wsHttpBinding, which is advanced and has transport/message security options. Least secure: BasicHttpBinding, which is an old Soap 1.1 or .asmx binding. lightweight, not secure.

Answer 340

For wsHttpBinding, you can set the security mode, transport client creds, and message client creds.

Answer 341

1. Basic 2. Certificate 3. Digest 4. NTLM 5. Windows (intranet)

Answer 342

Set in WCF Binding. Establishes what the client of the service (API) will use for a credential. 1. Certificate, 2. UserName 3. Windows Auth 4. Issued Token (SAML) for federated ID

Answer 343

WCF serviceMetada

Answer 344

WCF serviceDebug

Answer 345

WCF WCF SecurityAudit

Answer 346

By default, doesnt do: data validation, error handling, authentication/authorization, CSRF, Transport layer encryption.

Answer 347

Web API validation is not enabled by default, and it's vulnerable to validation attacks until it's enabled. Use model state to prevent validation problems. Standard data annotations, like MaxLength, Range, Phone, Email address, etc. will allow you to create a validation type for an input field, and if it fails that validation, it reports to the ModelState and ModelState is no longer valid.

Answer 348

Add appropriate standard data annotations, like MaxLength, Range, Phone, Email address, etc. This will allow you to create a validation type for an input field, and if it fails that validation, it reports to the ModelState and ModelState is no longer valid.

Answer 349

It's hard to remember to have model.state checked for every single Web API call, so it's easier to centralize the logic in the OnActionExecute() method, and then register the filter in the global config. (WebApiConfig)

Answer 350

It's not enabled by default; exceptions will be thrown directly to the JSON. Create conditions in methods that will present custom errors rather than letting the null stack trace bubble up to the user.

Answer 351

reate a custom global error, just like with SOAP, that logs every error to a specific location and instead presents a custom message. you inherit the ExceptionFilterAttribute and have it perform an action with the OnException event. (It logs to the log file and throws a "an exception has occured") error.

Answer 352

Not enabled by default. ``` Can set custom auth modes via: .NET Identity social logins (facebook), Forms Windows, HTTP basic auth. (Use HTTPS to encrypt the transport) Starts with the authentication it has from the application cookie. ```

Answer 353

Authorization is done by using the [Authorize] annotation, and decorating the entire feedback controller with it. Can use the "user" and "role" parameters to further restrict to specific users, or set specific methods to [AllowAnonymous] after using [Authorize] as a deny all.

Answer 354

In the WebApiConfig.cs, add a filter to deny all. Config.Filters.Add(new AuthorizeAttribute()); This denies all access, and lets you set granular control to users and roles.

Answer 355

1. Include AntiForgeryToken in the view, add the value to the DOM. 2. Ensure client side JS reads the token from the DOM, and adds it to the AJAX request header. 3. Service side API must validate the anti-foregery token value in header and cookie, make sure they match.

Answer 356

Quality gates/Bug Bars

Answer 357

Same as a ""bug Bar"" minimum level of acceptable security and privacy. Establishing risk tolerance. ""Everything above a low must be fixed"

Answer 358

Conducted during the requirements phase; analysis of the data in the system, and whether it's private or sensitive. (Credit card? PII? is it going to be encrypted, or should it be?) Requires an understanding of what privacy policies exist.

Answer 359

STRIDE is a way developers and QA folks can categorize bugs in code. It stands for: Spoofing, Tampering, Repudiation, Info Disclosure, DoS, and Elevation (of Privilege). (STRIDE) Critical, Important, Moderate, Low, or None.

Answer 360

A threat, with intent to harm, actually leveraging a vulnerability.

Answer 361

Dread is a ranking mechanism for threats. You give each subcategory a ranking (1-10) and then average them out. ``` Damage Potential Reproducability Expoitability Affected Users Discoverability ``` Older system, based on "gut feels" which is insufficent.

Answer 362

Risk = likelhihood * impact

Answer 363

manual code, keyword searches, and static analysis.

Answer 364

Manual Review: by developers, security team (bi-annual or so), or consulting firm. Time consuming, and requires a high level of expertise. Keep use of automated tools to high-end, critical stuff. Peer review: Only by developers. Only looking at the code changes and affected code; small scope, needs less time, but relies on security knowledge of reviewer. Security group review: only by security group, looks at the whole application. Lengthy, expensive, requires a high level of security knowledge, and takes time to understand whole app. Make sure findings go into backlog, not a pdf assessment.

Answer 365

Doesn't provide line numbers; is an issue or is not.

Answer 366

Annotations or regex

Answer 367

A cryptosystem

Answer 368

Create an HttpHandler class to determine the request for the photo download.

Answer 369

To catch and handle an exception generated by an executable code.

Answer 370

B. JavaScript Object Notation (JSON)

Answer 371

attributes, metadata

Answer 372

Code access security

Answer 373

A. RegularExpressionValidator

Answer 374

E. StackTrace

Answer 375

A. System.UInt16 | B. ushort

Answer 376

Lets application admins create a whitelist of trusted sources. (Images, frames, scripts, object sources; anything with src=)

Answer 377

Attackers Inject a null byte (%00) into an application that results in a string being terminated early. Can be used to bypass validation routines, or inject dangerous input.

Answer 378

multiple things need to be known or possessed. A smart card with a pin makes use of something you have and something you know.

Answer 379

C. Certificate-based authentication

Answer 380

Sealed, public static, readonly. ``` class MySingle { private MySingle() {} public static readonly MySingle Instance = new MySingle(); ```

Answer 381

encrypting the web.config in .NET 2.0+

Answer 382

encrypting the web config in versions 2.0 or earlier.

Answer 383

a copy of the key, so they can decrypt the pertinent sections of the web.config

Answer 384

The return URL must be validated to ensure it points at an expected URL

Answer 385

SOURCE PAGE, server side

Answer 386

are derived using the low-order 64 bits of the SHA1 hash of the public key.

Answer 387

the original exception would not make sense to the caller.

Answer 388

The includeSubDomains option will force all domains in the sans.org website to be accessed securely (using https://), which will block standard http access to http://public.sans.org. The Strict-Transport-Security (HSTS) header forces the browser to access the website using a secure transport (https).

Answer 389

Command injection

Answer 390

it does not require server interaction to execute. (skips the server to execute on the client)

Answer 391

An attack surface analysis

Answer 392

HTML encoding

Answer 393

threats AND missing or incomplete countermeasures Without a threat, the vulnerability has no actor to exploit it.

Answer 394

MVC, set during MVC Model Binding.

Answer 395

Uses attributes to place security information into the metadata of your code. This has to be done at complile time.

Answer 396

URL and verb

Answer 397

the first regular expression which removes everything except numeric data from prodID is correct.

Answer 398

by setting the response encoding, the browser is informed of the appropriate character set, limiting the ability of an attacker to leverage canonicalization and multi-byte character sequences to perform cross-site scripting attacks.

Answer 399

All. Even configuration file data should be validated/considered untrusted.

Answer 400

The Page.IsValid property. It can only be checked AFTER calling Page.Validate(). However, Page.Validate() is called automatically if the server control has CausesValidation set to true (which is the default value).

Answer 401

Reliable verification of user credentials

Answer 402

Application User

Answer 403

Not good. Considered a Weak Crypto Key vulnerability. These values do not use the full key space and should use a secure random number generator or PBKDF to generate the values.

Answer 404

Good, full 256 bit key

Answer 405

Whitelist Validation. Default encoding library uses a blacklist validation, while the other two libraries use whitelist validation

Answer 406

IIS can only log one string per event. It can NOT append multi-line log entries.

Answer 407

Assembly 1 must be in the GAC. An assembly located in the GAC is by definition shared and strong-named, whereas private assemblies-even if given a strong name-are stored in any location other than the GAC and are accessible by a single application only

Answer 408

from a SQLi attack

Answer 409

They'll get access. At run-time, ASP.NET iterates through the authorization elements until it finds a match. Any subsequent authorization elements are ignored.

Answer 410

Allows for open redirect attacks

Answer 411

HttpOnly cookies and forms authentication would prevent any client script from accessing the cookie thus helping in mitigating the risk of cookie replay attacks

Answer 412

State Server mode. (provides no auth between app and state server)

Answer 413

HtmlEncode the contents of a variable that is inline

Answer 414

You have to set the entire page to not validate. ValidateRequest=""False"" in a page directive. .net 2.0 - 3.5 applications do not allow field level exclusion from Request Validation, so the entire page must be removed from validation. Request.Unvalidated and Feedback.ValidateRequestMode are only available in .net 4.5

Answer 415

StringComparison.Ordinal

Answer 416

SHA 512 RIPEMD, MD5 and SHA-1 have all had proven weaknesses in the collision properties, and therefore should be considered insecure for most applications of hash functions.

Answer 417

A blacklist validation mechanism that ensures known bad character sequences are not present within request parameters.

Answer 418

Encrypt the cookie with the application's machine key.

Answer 419

The action is searched for [HandleError] annotation

Answer 420

D. Add an event handler for the Application.Error event to the Global.asax file of the application.

Answer 421

PrincipalPermission

Answer 422

Set the EnableSessionState attribute in the @ Page directive to false.

Answer 423

B. RequiredFieldValidator | D. RegularExpressionValidator

Answer 424

Forms auth