.net webapps written in asp.net behave similar to PHP in that any file with a .aspx extension that is within the web root will execute by default. This means that asp (and php) webservers are particularly vulnerable to RCE attacks because the default configuration of the server turns an "arbitrary file upload" into a remote code execution instead.
Where an asp.net server would handle front-end and api and they would be tightly coupled, we've moved on to where the most common configuration is a separate API and frontend. I believe you lose a lot of the benefit of using asp.net to try and decouple them.
On a totally personal note, as a penetration tester I've proxied requests from a LOT of different APIs on a lot of different technologies and asp.net is hands down one of the worst to test, the way it handles requests under the hood is unruly and ugly. Some might say that's a positive in terms of security, but IMO it makes it harder to identify vulnerabilities in your system.
.net webapps written in asp.net behave similar to PHP in that any file with a .aspx extension that is within the web root will execute by default. This means that asp (and php) webservers are particularly vulnerable to RCE attacks because the default configuration of the server turns an "arbitrary file upload" into a remote code execution instead.
Where an asp.net server would handle front-end and api and they would be tightly coupled, we've moved on to where the most common configuration is a separate API and frontend. I believe you lose a lot of the benefit of using asp.net to try and decouple them.
On a totally personal note, as a penetration tester I've proxied requests from a LOT of different APIs on a lot of different technologies and asp.net is hands down one of the worst to test, the way it handles requests under the hood is unruly and ugly. Some might say that's a positive in terms of security, but IMO it makes it harder to identify vulnerabilities in your system.