300+ [LATEST] Application Security Interview Questions and Answers

Application Security Interview Questions

1. What Are The Common Defenses Against Xss?

Input Validation/Output Sanitization, with focus on the latter.

2. How Does One Defend Against Csrf?

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

3. What Is Cross-site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired wer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action

Ex: https://www.engineeringinterviewquestions.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

4. Describe The Last Program Or Script That You Wrote. What Problem Did It Solve?

All we want to see here is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

5. How Does Http Handle State?

It does not, of course. Not natively. Good wers are things like “cookies”, but the best wer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.

6. What Are The Various Ways To Handle Account Brute Forcing?

Look for discussion of account lockouts, IP restrictions, fail2ban, etc.

7. If You Were A Site Administrator Looking For Incoming Csrf Attacks, What Would You Look For?

This is a fun one, as it requires them to set some ground rules. Desired wers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired wers are things like checking referrer headers, or wild panic.

8. How Would You Implement A Secure Login Field On A High Traffic Website Where Performance Is A Consideration?

We’re looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPs, and how they’d recommend doing that. A key piece of the wer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they’ve never seen or heard of this problem, which me they’re not likely to be anything near pro level.

9. What Exactly Is Cross Site Scripting?

You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.