• 6 hours
  • Medium

Free online content available in this course.



Got it!

Last updated on 12/20/19

Protect Against Common Security Threats With .NET Core

Log in or subscribe for free to enjoy all this course has to offer!

Evaluated skills

  • Protect against common security threats with .NET Core
  • Question 1

    Which of the following best describes the results of a cross-site scripting (XSS) attack?

    Careful, there are several correct answers.
    • Theft of personal data via fake forms inserted on a page.

    • Theft of personal data and even money by taking advantage of a user’s previously authenticated session on a site.

    • Theft of usernames, passwords, and credit card information via embedded event listeners.

    • Theft of usernames and passwords by tamping with the return URL in a query string to take the user to a fake site for login before returning to the correct one.

    • Theft of cookies containing sensitive information from the user’s hard drive.

  • Question 2

    Which of the following are appropriate methods for preventing cross-site scripting attacks?

    Careful, there are several correct answers.
    • Accept untrusted data (such as data with special characters) via user input only from properly authenticated and authorized users.


    • Make sure any untrusted data is JavaScript encoded before placing it into JavaScript via variables.


    • Ensure all untrusted data is HTML encoded before placing it inside an HTML element or attribute.

    • Ensure any untrusted data is URL encoded before placing it in a URL query string.

    • Strip all untrusted data from user input prior to submission by using only HTML elements constructed with Razor.

  • Question 3

    Which of the following statements are true about accepting untrusted data through user input?

    Careful, there are several correct answers.
    • Using the @ directive to access data automatically encodes the data with HTML attribute encoding.


    • The HtmlString class is the most secure method of encoding user input prior to display.


    • The JavaScript encoder can be injected via Razor into JavaScript code on a page.

    • The C# language in ASP.NET Core MVC has a URL encoder that can be injected into a class to encode dynamically constructed query strings.

    • Never pass untrusted data as a query string value; always pass it as part of the URL path.