Tech Point Fundamentals

Sunday, January 15, 2023

.Net Core Interview Questions and Answers - Part 20

ASP.Net Core Interview Questions and Answers - Part 20


Are you preparing for the .Net Core Interview? If yes, then you are at the right place. This is the ASP.Net Core Interview Questions and Answers article series. Here we will see the Top 150+ .Net Core Interview Questions with Answers. 

Please visit our YouTube Channel for Interviews and other videos by below link:

Please read the complete Design Pattern, C#, MVC, WebAPI, and .Net Framework Interview Questions and Answers article series here.


This is the 20th part of the .Net Core Interview Questions and Answers article series. Each part contains ten .Net Core Interview Questions. Please read all the .Net Interview Questions list here.

I will highly recommend to please read the previous parts over here before continuing the current part:

ASP.Net Core Interview Questions and Answers - Part 20

Q194. What is XSRF and CSRF attack? 

Cross-Site Request Forgery is also known as XSRF or CSRF attack. This is an attack against web-hosted apps whereby a malicious web app can influence the interaction between a client browser and a web app that trusts that browser. 

CSRF is a type of attack where the attacker forces the user to execute unwanted actions in an application that the user is logged in. These attacks are possible because web browsers send some types of authentication tokens automatically with every request to a website. 

This form of exploit is also known as a one-click attack or session riding because the attack takes advantage of the user's previously authenticated session. 

Now suppose an attacker sends you links in an email that appears to have come from your bank. If you click the links while you’re logged into your bank, the attacker’s malicious website could send POST requests back to the banking website. The malicious website might even attempt to insert or delete data in your bank since you’re already authenticated.

Cross-site request forgery is a kind of attack in which an attacker sends a malicious message to a web app that exploits the authentication cookies of the victim. CSRF attacks are possible in web apps that use cookies to authenticate because:

  1. Cookies are stored in web browsers.
  2. Stored cookies comprise session cookies for all users who have been authenticated.
  3. No matter how the request was generated, web browsers transmit all cookies associated with a domain to the web app.

However, CSRF attacks aren't limited to exploiting cookies.  Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an HTTPS  request just as easily as it can send an insecure request.

In CSRF, the attacker acts as a trusted source that sends some data to a website and performs some action. The attacker is considered a trusted source because it uses the authenticated cookie information stored in the browser.

Q195. What is an Antiforgery Token? How does ASP.Net Core prevent XSRF/CSRF attacks?

Cross-Site Scripting (XSS) is a security vulnerability that enables an attacker to place client-side scripts (usually JavaScript) into web pages. At a basic level XSS works by tricking your application into inserting a <script> tag into your rendered page, or by inserting an On*event into an element.

You can protect users of your ASP.NET Core applications from CSRF attacks by using anti-forgery tokens. When you include anti-forgery tokens in your application, two different values are sent to the server with each POST. One of the values is sent as a browser cookie, and one is submitted as form data.

Unless the server receives both values, it will refuse to allow the request to proceed. Thus the server ensures that all legitimate requests must come directly from the client, not from an external source. 

ASP.NET Core Razor Pages apps provide an anti-forgery token by default for the page forms. However, if you’re using an ASP.NET Core application (not MVC) from scratch, you’ll have to add Microsoft.AspNetCore.Antiforgery package to your project manually and register the services.

ASP.NET Core implements anti-forgery using ASP.NET Core Data Protection. The data protection stack must be configured to work on a server farm.  Antiforgery middleware is added to the Dependency injection container when one of the following APIs is called in Program.cs:

  1. AddMvc()
  2. MapRazorPages()
  3. MapControllerRoute()
  4. MapBlazorHub()

ASP.NET Razor Pages provide support for anti-forgery tokens by default. At runtime, the form tag helper will automatically render a hidden field that contains an anti-forgery token.

<form method="post">

At run time, this tag helper will generate the following HTML:

<form method="post">     
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8MZ1yRS5ySZJqjGnctAjlJcuQEPXqJHkCYWpvhGPis3j1s7cUUZByFfabzIP0xlz2kWwbaXZQ86hzrHmeU5DlD-u8DHmg_a5PhLwDcpJSdpnO4bHtE_X2OksjQW2uRp7ZWdnf1d0hcJZ1eAWtUNabHw" />

In ASP.NET Core 2.0 or later FormTaghelper automatically injects the anti-forgery tokens into the HTML form element. The following markup in a Razor file automatically generates anti-forgery tokens:

<form method="post">   

Similarly, IHtmlHelper.BeginForm generates anti-forgery tokens by default if the form's method is not GET. 

The automatic generation of anti-forgery tokens for HTML form elements happens when the <form> tag contains the method="post" attribute and either of the following are true:

  1. The action attribute is empty (action="").
  2. The action attribute isn't supplied (<form method="post">).

You can programmatically validate CSRF tokens in ASP.NET Core. 

if (! await IsAntiForgeryTokenValid())
  return BadRequest();

Automatic generation of antiforgery tokens for HTML form elements can be disabled:

<form method="post" asp-antiforgery="false">  

Q196. What is Tag Helpers (TagHelpers) in ASP.Net Core? 

Microsoft introduced a new feature in the MVC Razor engine with the release of ASP.NET Core which is known as Tag Helpers. With the help of Tag Helpers, developers can design their presentation layer using HTML tags while they still can write business logic in the C# the code at the server-side which will run on the web server.

This is a completely new concept used in the Razor view engine.  Tag Helpers helps server-side code to create and render HTML tags in the Razor View Engine. It does the same thing as HTML Helpers does in previous versions of MVC but with a variety of changes. It enables IntelliSense, which allows building HTML markup in an easy way.

Asp.Net core provides an in-build tag helper, Tag helper enables the server-side code that creates and renders the HTML elements in the Razor page. There are many built-in Tag Helpers for common tasks, such as creating forms, links, loading assets, etc. 

Using TagHelpers enables to render server-side code in HTML elements in Razor files. Different kinds of TagHelpers are available for different purposes. Tag Helpers reduce the explicit transitions between HTML and C# in Razor views.

In order to use Tag Helpers, we need to install a NuGet library and also add an addTagHelper directive to the view or views that use these tag helpers. 

@addTagHelper*, Microsoft.AspNetCore.Mvc.TagHelpers
<label asp-for="College.DeptName"></label>
<input asp-for="Email" class="form-control" />

The @addTagHelper makes the built-in tag helpers to available in the application which are defined in an assembly called Microsoft.AspNetCore.Mvc.TagHelpers. Here the wildcard “*” specifies that all the Tag Helpers are made available.

Q197. What is FormTagHelper in ASP.NET Core? 

In order to create a Form in ASP.NET Core Application, we need to use the following common Tag Helpers: Form Tag Helper, Input Tag Helper, Label Tag Helper, Select Tag Helper, etc.

In order to create a Form in ASP.NET Core MVC View, we need to use the <form> tag helper. The syntax to use the Form Tag Helper is shown below.

<form asp-controller="Home" asp-action="Create" method="post" class="mt-3">

If you didn’t specify the controller and action name using the asp-controller and asp-action tag helpers, then by default, when the form is submitted, it will be invoked the same action method of the controller which rendered the form.

FormTagHelper is used to generate action attributes depends given data. By default predominately generating hidden fields for preventing CSRF attacks.

Q198. What are self-closing tag helpers in ASP.Net Core?

Some Tag Helpers are designed to be self-closing tags. Using a Tag Helper that was not designed to be self-closing suppresses the rendered output. Self-closing a Tag Helper results in a self-closing tag in the rendered output.

If you were to write the email tag self-closing (<email mail-to="Rick" />), the final output would also be self-closing. To enable the ability to write the tag with only a start tag (<email mail-to="Rick">) you must mark the class with the following:

[HtmlTargetElement("email", TagStructure = TagStructure.WithoutEndTag)] 
public class EmailVoidTagHelper : TagHelper

With a self-closing email tag helper, the output would be <a href="" />. Self-closing anchor tags are not valid HTML, so you wouldn't want to create one, but you might want to create a tag helper that's self-closing.

Q199. What is API Documentation in ASP.Net Core? What are the different ways to generate API Documentation?

API documentation is used to help the client or non-technical users to understand the .Net Core endpoints. Before selecting or attempting any integration with an API, most developers check out its API documentation. Keeping the API documentation up to date to reflect the software changes is challenging and requires time and effort. 

A Web API documentation provides the necessary information (e.g., endpoints, data contracts, etc.) to describe our Web API to our consumers. This can be done by OpenAPI or Swagger in the ASP.Net Core.

API Documentation generation tools like Swagger UI and Redoc are used to render our OpenAPI definition as a web page. While Code generation tools like NSwag, Swagger Codegen are used to automatically generate the consumer’s source code in various programming languages.

The two main OpenAPI implementations for .NET are Swashbuckle and NSwag.

Q200. What is Swagger? How can you integrate it into ASP.Net Core?

Swagger is an open-source technology used for API documentation. Swagger (OpenAPI) is a language-agnostic specification for describing REST APIs. It allows both computers and humans to understand the capabilities of a REST API without direct access to the source code.

Since the ASP.NET Core 5.0, the Web API templates enable the OpenAPI support by default. The template contains a NuGet dependency on Swashbuckle, registers services, and adds the necessary middlewares to generate a basic OpenAPI definition file and serve it in a Web UI (via the Swagger UI tool). 

Swagger UI offers a web-based UI that provides information about the service, using the generated OpenAPI specification. Both Swashbuckle and NSwag include an embedded version of Swagger UI so that it can be hosted in your ASP.NET Core app using a middleware registration call. 


To provide OpenAPI Documentation, we would start by installing the Swashbuckle.AspNetCore NuGet package. To support API documentation for multiple versions, we need to install the Microsoft.AspNetCore.Mvc.Versioning.ApiExplorer NuGet package.

Q201. What is OpenAPI Specification?

The OpenAPI Specification is a document that describes the capabilities of your API. The document is based on the XML and attributes annotations within the controllers and models. 
It's the core part of the OpenAPI flow and is used to drive tooling such as SwaggerUI. By default, it's named openapi.json


Q202. What is the difference between OpenAPI and Swagger?

The Swagger project was donated to the OpenAPI Initiative in 2015 and has since been referred to as OpenAPI. Both names are now used interchangeably. 

However, "OpenAPI" refers to the specification. "Swagger" refers to the family of open-source and commercial products from SmartBear that work with the OpenAPI Specification. 

OpenAPI is a specification while Swagger is tooling that uses the OpenAPI specification. For example, OpenAPIGenerator and SwaggerUI. Subsequent open-source products, such as OpenAPIGenerator, also fall under the Swagger family name, despite not being released by SmartBear.

Q203. What is the @page directive?

The @page directive has different effects depending on the type of file where it appears. In the .cshtml file indicates that the file is a Razor Page. It specifies that a Razor component should handle requests directly.

@using RazorPagesIntro.Pages
@model Index2Model

<h2>Separate page model</h2>

The @page must be the first Razor directive on a page. @page affects the behavior of other Razor constructs. Razor Pages file names have a .cshtml suffix.

To Be Continued Part-21...

Recommended Articles

Thanks for visiting this page. Please follow and join us on LinkedInFacebookTelegramQuoraYouTubeTwitterPinterestTumbler, and VK for regular updates.


No comments:

Post a Comment

Please do not enter any HTML. JavaScript or spam link in the comment box.