Application security interview questions
We will discuss around Application security interview questions/Penetration testing interview questions which consists of a list of Most Frequently Asked questions about security and also covered Security Engineer Interview Questions and cyber security interview questions:
Base Level -1 || Critical || Application security interview questions
How would an HTTP program handle state?
The data might be stored in cookies or in the web server’s session.
What do you understand by Cross Site Scripting or XSS?
Cross-site Scripting abbreviated as XSS is a client-side code injection issue where the un-authorised user aims to execute malicious scripts in user’s web browser by incorporating malicious code in a web application and hence once the user visits that web application then the malicious code gets executed resulting in the cookies, session tokens along with other sensitive information to be compromised.
What are the types of XSS?
There are majorly three different categories of XSS:
Reflected XSS: In this approach, the malicious script is not stored in the database in case of this vulnerability; instead, it comes from the current HTTP request.
Stored XSS: The suspicious scripts got stored in the Database of the web application and can get initiated from there by impacted person’s action by several ways such as comment field or discussion forums, etc.
DOM XSS: In DOM (Document Object Model)XSS, the potential issues exists within the client-side code instead of the server-side code. Here in this type, the malicious script flows in the browser and acts as a source script in DOM.
This potential impact arises when a client-side code reads data from the DOM and processes this data without filtering the input.
What are the owasp top 10 of 2021 ?
Mention the owasp risk rating methodology ?
The Owasp risk rating methodologies are segregated in the different layers , such as :
Explain how does the tracert or tracerout operates ?
Tracerout or tracert as the name suggests basically monitors and analyze the route between host machine to remote machine. it performs the below activities :
What is ICMP?
ICMP stands for Internet Control Message Protocol, located at the Network layer of the OSI model, and is an integral part of the TCP/IP.
Which port is for ICMP or pinging?
Ping doesn’t require any port and uses ICMP. It is used to identify whether the remote host is in an active status or not, and also it identifies the packet loss and round-trip delay while within the communication.
Mention the list of challenges for the successful deployment and monitoring the web intrusion detection?
Mention the risk that involves from unsecure HTTP cookies with tokens ?
Access Control Violation impact gets triggered when not flagging HTTP cookies along with secure tokens.
Mention the basic design of OWASP ESAPI?
The major OWASP ESAPI design are:
What is port scanning?
Scanning of the ports to discover that there can be some weak points in the system to which un-authorised user can target and pull some critical and sensitive data information.
Mention the different types of port scans ?
What is a honeypot?
The honeypot is a computer system that mimics likely targets of cyber issues. Honeypot basically used for detection and deflection vulnerability from a legitimate target.
Among Windows and Linux which one provides security ?
Both of the OS have their pros and cons. Still, as per the security is concerned, most of the community prefer to use Linux as it provides more flexibility & security compared to Windows, considering that many security researchers have contributed to securing Linux.
Which is mostly implemented protocol on a login page?
The TLS/SSL protocol is implemented in most of the scenarios while data is in transmission layers.This is to be done to achieve the confidentiality and integrity of user’s critical and sensitive data by using encryption in the transmission layer.
What is public-key cryptography?
Public Key Cryptography (PKC), also known as asymmetric cryptography, is a cryptography protocol which requires two separate sets of keys, ie one private and another one is public for data encryption & decryption.
State the difference between private and public-key cryptography while performing the encryption and signing content?
In the case of digital signing, the sender uses the private key to sign the data and on the other hand receiver verifies and validates the data with the public key of the sender itself.
While in encryption, the sender encrypts the data with the public key of the receiver and receiver decrypt and validates it using his/her private key.
Mention the major application of the public-key cryptography?
The major use cases of public-key cryptography are :
Discuss about the Phishing issues?
In Phishing, the fake web page is being introduced to trick the user and manipulate him to submit critical and sensitive information.
What approach you can take to defend the phishing attempts?
XSS vulnerabilities verification and validation and HTTP referer header are some mitigation approaches against the phishing.
How to defend against multiple login attempts?
There are different approaches to defend against several login attempts, such as :
What is Security Testing?
Security testing is one of the major important areas of testing to identify the possible vulnerabilities in any software (any system or web or networking or Mobile or any other devices ) based application and protect their confidential and sesitive data sets from potential risk and intruders.
What is “Vulnerability”?
Answer: Vulnerability is considered as the weakness/bug/flaw in any system through which an un-authorised user can target the system or the user who is using the application.
What is Intrusion Detection?
Answer: IDS or intrusion detection system is software or hardware application that monitors a network for unapproved activity or policy violations. Under this situations it is typically reported and resolved using security information and respective event management system.
Few Intrusion Detection systems are capable enough to respond to the detected intrusion upon discovery, known as intrusion prevention systems (IPS).
Base Level -2 || Major || Application security interview questions
What are Intrusion Detection System, type :
The IDS Detection majorly of the below types :
Along with these, there is a subset of IDS types , out of which the major variants are based on anomaly detection and signature detection
What do you know about OWASP?
OWASP is known as Open Web Application Security Project is an organisation which supports secure software development.
What potential issues arises if the session tokens has insufficient randomness across range values?
Session tampering arises from the issue with session tokens having insufficient randomness within a values of range .
What is “SQL Injection”?
Answer: SQL injection is one of the most common techniques in which a code is injected in the SQL statements via a web page input that might destroy your database and potentially expose all the data from your DB.
What do you understand by SSL session and also the SSL connections ?
Answer: SSL is known as Secured Socket Layer connection establishes the communication with peer-to-peer link having both the connection maintains SSL Session.
An SSL session represents the security contract, which in terms consists of key and algorithm agreement information that takes place over a connection between an SSL client connected to an SSL server using SSL.
An SSL session is governed by security protocols that control the SSL sessions parameter negotiations between an SSL client and SSL server.
Name the two standard approaches which are used to provide protection to a password file?
Answer: Two majorly applied approaches for password file protection are
What is IPSEC?
The IPSEC also known as IP security is an Internet Engineering Task Force (IETF) standard protocols suite among the two various communication layers across the IP network. It ensures dataset integrity, authentication and also the confidentiality. It generates the authenticated data packets with encryption, decryption.
What is the OSI model :
The OSI model also known as Open Systems Interconnection ,is a model that enables communication using standard protocols with the help of diverse communication systems. The International Organization for Standardization is creating it.
What is ISDN?
ISDN stands for Integrated Services Digital Network, a circuit-switched telephone network system. It provides packet switched networks access which allows the digital transmission of voice along with data. Over this network, the quality of data and voice is much better than an analog device/phone.
What is CHAP?
CHAP, also referred as Challenge Handshake Authentication Protocol (CHAP) which is basically a P-2-P protocol (PPP) authentication protocol where the initial startup of the link is used. Also, it performs a periodic health check of the router communicates with the host.CHAP is developed by IETF (Internet Engineering Task Force).
What is USM, and what does it perform?
USM stands for the User-based Security Model, is utilised by System Management Agent for decryption , encryption, decryption, and authentication as well for SNMPv3 packets.
Mention some factors that can cause vulnerabilities?
Answer: The majority of areas that might cause the potential vulnerabilities are :
Mention the parameters list to define SSL session connection?
Answer: The attributes which all define an SSL session connection are:
What is file enumeration?
Answer: Its a type of issues where the forceful browsing takes place by manipulating the URL where the un-authorised user exploit the URL parameters and get sensitive data.
What are the advantages of intrusion detection system?
Answer: The Intrusion detection system has the below advantages:
Base Level -3 || Basic|| Application security interview questions
What is Host Intrusion Detection System?
The (HIDSs)Host-based intrusion detection systems (HIDSs) are applications that operate on information collected from individual computer systems and serves on the existing system and compare with the previous mirror/snapshot of the system and validates for whether any data modification or manipulation has been done and generates an alert based on the output.
It can also figure out which processes and users are involved in malicious activities.
What is NNIDS?
NNIDS stands for Network Node Intrusion Detection System (NNIDS), which is like a NIDS, but it’s only applicable to one host at a single point of time, not an entire subnet.
Mention three intruders classes?
There are various intruder types, such as :
Mention the components which are used in SSL?
SSL establishes the secure connections among the clients and servers.
Disclaimer: This Application security interview questions tutorial post is for educational purpose only. We don’t promote/support any activity related to security issues/conduct. Individual is solely responsible for any illegal act if any.