Last updated on 12/20/19
Protect Against Common Security Threats With .NET Core
Which of the following best describes the results of a cross-site scripting (XSS) attack? Careful, there are several correct answers.
Theft of personal data via fake forms inserted on a page.
Theft of personal data and even money by taking advantage of a user’s previously authenticated session on a site.
Theft of usernames, passwords, and credit card information via embedded event listeners.
Theft of usernames and passwords by tampering with the return URL in a query string to take the user to a fake site for login before returning to the correct one.
Theft of cookies containing sensitive information from the user’s hard drive.
Which of the following are appropriate methods for preventing cross-site scripting attacks? Careful, there are several correct answers.
Accept untrusted data (such as data with special characters) via user input only from properly authenticated and authorized users.
Ensure all untrusted data is HTML encoded before placing it inside an HTML element or attribute.
Ensure any untrusted data is URL encoded before placing it in a URL query string.
Strip all untrusted data from user input prior to submission by using only HTML elements constructed with Razor.
Which of the following statements are true about accepting untrusted data through user input? Careful, there are several correct answers.
Using the @ directive to access data automatically encodes the data with HTML attribute encoding.
The HtmlString class is the most secure method of encoding user input prior to display.
The C# language in ASP.NET Core MVC has a URL encoder that can be injected into a class to encode dynamically constructed query strings.
Never pass untrusted data as a query string value; always pass it as part of the URL path.