Application Security | All About Testing (https://allabouttesting.org), Software Testing & Ethical Hacking Fundamentals

Top 10 Interview Questions | OWASP TOP 10
https://allabouttesting.org/top-10-interview-questions-owasp-top-10-application-security/
Tue, 07 Nov 2017 15:17:07 +0000
The OWASP Top 10 is a list of the top 10 web application vulnerabilities released by OWASP. OWASP is a non-profit organization that works to spread awareness of practices for building secure web applications. Below is a list of interview questions and answers on the OWASP Top 10 that are frequently asked in interviews.

Q1. What is OWASP? Also mention the OWASP Top 10 for 2021.

Ans: OWASP is a non-profit organization that releases the top 10 web vulnerabilities. It works as a community of cybersecurity professionals who constantly work to build an ecosystem of awareness about secure web applications. OWASP recently released the new Top 10 vulnerabilities for 2021:

  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable and Outdated Components
  • A07 Identification and Authentication Failures
  • A08 Software and Data Integrity Failures
  • A09 Security Logging and Monitoring Failures
  • A10 Server Side Request Forgery (SSRF)

Q2. What flaw arises from session tokens having poor randomness across a range of values?

Ans: Session hijacking, which is the issue related to A2:2017 – Broken Authentication. It is also called cookie hijacking. In this type of attack, an attacker can exploit a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a system. This flaw arises when there is poor randomness in the session key.

Q3. How to mitigate SQL Injection risks?

Ans: Mitigations for SQL injection:

  • Prepared statements with parameterized queries: always ensure that your SQL interpreter can differentiate between code and data. Never use dynamic queries, which cannot tell the difference between code and data. Instead, use a static SQL query and pass the external input to it as a parameter. Prepared statements (with parameterized queries) force the developer to define all the SQL code first and then pass each parameter to the query later.
  • Use of stored procedures: a stored procedure is like a function in C, which the database administrator calls whenever needed. It does not completely mitigate SQL injection, but it definitely helps in reducing the risk by avoiding dynamic SQL generation inside the procedure.
  • Whitelist input validation: always use whitelist input validation and allow only input pre-approved by the developer. Never use a blacklist approach, as it is less secure than a whitelist approach.
  • Escaping all user-supplied input
  • Enforcing least privilege

Q4. How to mitigate the risk of Weak authentication and session management?

Ans: Weak authentication and session management can be mitigated by strong authentication and session management controls. Such controls are as follows:

  • Comply with all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
  • Always provide a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
  • Use standard practices to protect the session ID from cross-site scripting attacks.

Q5. How to mitigate the risk of Sensitive Data Exposure?

Ans: Following are the mitigation techniques employed to secure applications from sensitive data exposure:

  • Prepare a threat model to secure data both in transit and at rest from both types of attacker (e.g., insider attack, external user).
  • Encrypt data to protect it from any cyber attack.
  • Never store sensitive data unnecessarily. Discard it as soon as possible. Data you don't have can't be stolen.
  • Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
  • Always ensure that strong standard algorithms and strong keys are used, and that proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
  • Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
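As an added example (not code from the original post), here are the two controls from Q2 and Q5 in Python's standard library: session identifiers drawn from the operating system's CSPRNG, and passwords stored as salted PBKDF2 hashes rather than in a reversible form. The iteration count and the stored-string layout are my own choices.

```python
import base64
import hashlib
import hmac
import os
import secrets

# 32 bytes (256 bits) of OS-provided randomness per session identifier; a
# token built from the time, a counter or random.random() is guessable (Q2).
SESSION_ID_BYTES = 32

# Constructed value: tune it on the server so one hash costs roughly 100 ms.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def new_session_id():
    """Unpredictable session identifier from the CSPRNG (secrets module)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 (Q5: bcrypt, PBKDF2 or scrypt, never a plain
    or reversible form). Returns a self-describing string that records the
    algorithm, iteration count and salt, so the cost can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never a crash
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, minimum_iterations=PBKDF2_ITERATIONS):
    """True if a stored hash was made with fewer iterations than the current
    policy; rehash it on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < minimum_iterations
```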

Q6. What is a bug bounty?

Ans: A bug bounty is a program run by many big organizations that rewards individuals who report security vulnerabilities to them. These organizations generally publish those vulnerabilities on their websites after fixing the issues.

Q7. What Is Failure to Restrict URL Access?

Ans: This vulnerability has been removed from the OWASP Top 10 2013. Actually, this issue is related to forced browsing, where a user forcibly accesses URLs that the user is not supposed to access. Through this vulnerability, the attacker may guess links and use brute-force techniques to find unprotected pages.

Q8. How to Prevent Breaches Due to Failure to Restrict URL Access?

Ans: This can be mitigated by using secure techniques for proper authentication and proper authorization on each page of the web application. Some mitigation techniques are described below:

  • Implement authentication and authorization policies based on roles instead of individual users.
  • Make policies highly configurable, in line with standard practices.
  • Deny all access by default, and allow only those controls that the user needs.
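As an added example (not code from the original post), here is a deny-by-default, role-based authorization check for request paths, the control that Q7 and Q8 describe against forced browsing. The policy table, roles and paths are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed policy: each protected path prefix maps to the roles allowed
# under it. A path with no matching rule is denied, whatever the role.
POLICY = {
    "/admin": {"admin"},
    "/reports": {"admin", "auditor"},
    "/account": {"admin", "auditor", "user"},
}

# Pages reachable without logging in.
PUBLIC_PATHS = {"/", "/login", "/logout"}


@dataclass
class Principal:
    """The authenticated user. Roles come from the server-side session,
    never from a client-supplied parameter."""
    username: str
    roles: frozenset = field(default_factory=frozenset)


def normalize(path):
    """Collapse '.' and '..' segments and repeated slashes, so that a request
    for '/admin/../reports/x' is judged as '/reports/x' and a prefix rule
    cannot be sidestepped by path tricks."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_authorized(principal, path):
    """Return True only when an explicit rule grants the path to one of the
    principal's roles. Unknown paths and anonymous users are denied."""
    path = normalize(path)
    if path in PUBLIC_PATHS:
        return True
    if principal is None:
        return False  # unauthenticated: nothing beyond the public pages
    for prefix, allowed_roles in POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return bool(principal.roles & allowed_roles)
    return False  # no rule matched: deny by default, never fall through to allow


def denied_requests(principal, paths):
    """Evaluate a batch of requested paths and return the denied ones; a burst
    of denials for one user is what a forced-browsing monitoring rule alerts on."""
    return [p for p in paths if not is_authorized(principal, p)]
```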

Q9. How can we Protect Web Applications From Forced Browsing?

Ans: To protect web applications from forced browsing, strictly monitor access-control settings so that they are accurate and up to date on every page and application on the site.

Q10. Describe the basic design of OWASP ESAPI.

Ans: OWASP ESAPI is short for OWASP Enterprise Security API. It is developed voluntarily by the OWASP community to provide a free, open-source web application security control library that helps web developers build less vulnerable web applications.

The basic design of OWASP ESAPI is a set of security control interfaces. For each security control there is a reference implementation, which can be adapted to the requirements of the organization.

Top 10 Interview Questions: Cross-Site Scripting | OWASP | Application Security
https://allabouttesting.org/top-10-interview-questions-cross-site-scripting-owasp-application-security/
Tue, 07 Nov 2017 15:11:19 +0000
Cross-Site Scripting (XSS) is the most frequently found vulnerability in web applications, and mitigating it is also very tricky. This article covers the top 10 interview questions on XSS.

Q1. What is Cross-Site Scripting (XSS)?

Ans: In a Cross-Site Scripting (XSS) attack, users unintentionally execute malicious scripts (also called payloads) by clicking on untrusted links; these scripts then pass cookie information to attackers.

Q2. What information can an attacker steal using XSS?

Ans: Using XSS, an attacker can steal the session ID of a genuine user. The browser uses the session ID to identify your credentials in an application and keeps you logged in until you sign off from the application. An attacker can write code to extract information from cookies that contain the session ID and other data. Later, the attacker can use the same session ID to browse the application on behalf of the user without actually logging in.

Q3. Apart from mailing links of error pages, are there other methods of exploiting XSS?

Ans: Other places where attackers store malicious scripts (also called payloads) are discussion forums, the comment sections of websites, and other similar platforms. Whenever a user navigates to those pages, the payloads get executed and the user's cookie information is automatically sent to the attacker.

Q4. What are the types of XSS?

Ans: Cross-site Scripting can be divided into three types:

  • Stored XSS
  • Reflected XSS
  • DOM-based XSS

Q5. What is Stored XSS?

Ans: In stored XSS, the attacker plants a malicious script (also called a payload) on a web page. Comment pages, forums, and other similar platforms can be used to store payloads. When a user browses these pages, the payloads are executed and send cookie information to the attacker.

Q6. What is Reflected XSS?

Ans: Reflected XSS is one of the most widespread attack techniques used by attackers. In this type of attack, the user sends a malicious request to a web server by clicking on a malicious link (containing an XSS payload), for example a link shared on social networking sites and other platforms. As a result, the web server replies to the user with an HTTP response containing the payload, which is executed in the browser and steals the user's cookies.

Q7. What is DOM-based XSS?

Ans: DOM-based XSS is a type of cross-site scripting where the vulnerability appears in the DOM (Document Object Model) rather than in the HTML.

Q8. How can I prevent XSS?

Ans: XSS can be prevented by sanitizing user input to the application. Always allow as input only those elements that are absolutely essential for that field.

Q9. Can XSS be prevented without modifying the source code?

Ans: The HttpOnly cookie attribute can also be used to prevent XSS.

Q10. What is Cross-Site Tracing (XST)? How can it be prevented?

Ans: Using the XST technique, attackers are able to steal cookies by bypassing the HttpOnly attribute.

XST can be prevented by disabling the TRACE method on the web server.

Miscellaneous Questions

Q. List out key HTML entities used in XSS.

Ans:

  • > (greater than)
  • ' (apostrophe or single quote)
  • " (double quote)
  • < (less than)
  • & (ampersand)
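As an added example (not code from the original post), here is a Python output encoder for exactly the five entities listed above, used to render a stored comment so that a planted payload is displayed rather than executed (Q8), together with the Set-Cookie header that carries the HttpOnly attribute from Q9. The comment template and the cookie name are constructed.

```python
from http.cookies import SimpleCookie

# The five characters from the list above, mapped to their HTML entities.
# Encoding them at output time keeps attacker-supplied text as text, so the
# browser never interprets it as markup or script.
HTML_ENTITIES = {
    "&": "&amp;",   # every other entity starts with '&', so it must be encoded too
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",  # &apos; is not defined in HTML 4, so use the numeric form
}


def encode_for_html(text):
    """Entity-encode untrusted text for an HTML element body or quoted attribute."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in str(text))


def render_comment(author, body):
    """Constructed template for a stored comment: every untrusted value passes
    through the encoder, both inside an attribute and in element content."""
    safe_author = encode_for_html(author)
    return '<li class="comment"><b title="%s">%s</b>: %s</li>' % (
        safe_author, safe_author, encode_for_html(body))


def session_cookie_header(session_id):
    """Set-Cookie header for the session ID with HttpOnly (script cannot read
    it from document.cookie), Secure (sent over HTTPS only) and SameSite=Strict."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Strict"
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()
```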

Q. Which tools are helpful in identifying XSS vulnerabilities?

Ans: XSS is the most common vulnerability type found in web applications. Many tools are available to identify XSS. Some of them are listed below:

  • OWASP ZAP – basically a web scanner, but it can also be used to identify XSS vulnerabilities.
  • Burp Suite – the most popular tool among security researchers.
  • ratproxy – an automated web application security scanning tool.
  • XSS-Proxy – an advanced tool to identify XSS vulnerabilities.

Top 10 Interview Questions: SQL Injection | OWASP | Application Security
https://allabouttesting.org/top-10-interview-questions-sql-injection-owasp-application-security/
Tue, 07 Nov 2017 15:08:27 +0000
SQL injection is one of the most frequently identified vulnerabilities in web applications. This blog covers the top 10 interview questions and answers related to SQL injection. A1 – Injection is the topmost vulnerability listed in the OWASP Top 10.

Q1. What is SQL Injection?

Ans: SQL injection is a vulnerability by which an attacker executes malicious SQL queries on the backend database by manipulating the input to the application.

Q2. Is it just ASP and SQL Server that are vulnerable platforms?

Ans: SQL injection is the most widespread vulnerability among all platforms. Improper input validation and the use of dynamic SQL queries are the main causes of SQL injection.

Q3. Apart from username and password which variables are candidates for SQL Injection?

Ans: Any input field, such as a credit card number or account number, whose value is used to extract data from the database in a WHERE clause is a candidate for SQL injection. In addition to form fields, an attacker can use hidden fields and query strings for successful exploitation.

Q4. What’s the worst an attacker can do with SQL?

Ans: SQL is a language used to create and manage databases stored in an RDBMS. If a SQL injection vulnerability is present in the application, the following are the possibilities:

  1. Authentication bypass may be possible.
  2. Confidentiality of data may be lost, as an attacker may be able to see data by exploiting the SQL injection vulnerability.
  3. An attacker can delete entries in the database.
  4. An attacker can alter data in the database.

Q5. What is Blind SQL Injection?

Ans: Blind SQL injection is a type of SQL injection where an attacker asks the database true-or-false questions. Based on the error messages, the attacker crafts more specific questions to the database to extract more information. This is a little more difficult to exploit, but not impossible.

Q6. How do we prevent SQL Injection in our applications?

Ans: Here are some options to prevent SQL injection:

  1. Use prepared statements to write database queries.
  2. Sometimes the use of stored procedures also helps in mitigating SQL injection.
  3. Use whitelist input validation.
  4. Give the database account the least privilege it needs. Don't grant create and delete rights to application accounts. Avoid running the DBMS as root or system.
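As an added example (not code from the original post), here are options 1 and 3 above, and the prepared-statement point from Q3 of the OWASP Top 10 questions, side by side in Python with an in-memory SQLite table: a dynamic query that cannot separate code from data, next to a parameterized query with whitelist validation. The table, rows and lookup functions are constructed for illustration.

```python
import re
import sqlite3

# Constructed table for illustration.
SEED_ROWS = [("1001", "alice", 500), ("1002", "bob", 25), ("1003", "carol", 9000)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, account_no):
    """Dynamic SQL: the input is pasted into the statement, so the interpreter
    cannot tell where the data ends and the code begins. Kept only to show
    the behaviour that the fix below removes."""
    sql = "SELECT owner, balance FROM accounts WHERE account_no = '%s'" % account_no
    return conn.execute(sql).fetchall()


# Option 3, whitelist validation: this field is always exactly four digits.
ACCOUNT_NO = re.compile(r"[0-9]{4}")


def lookup_safe(conn, account_no):
    """Validate against the whitelist, then bind the value as a parameter
    (option 1): the SQL text is fixed before any input is seen."""
    if not ACCOUNT_NO.fullmatch(account_no):
        raise ValueError("account number must be exactly four digits")
    sql = "SELECT owner, balance FROM accounts WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


def search_owner_safe(conn, name_fragment):
    """Free text cannot be tightly whitelisted, so the parameter does the
    work: whatever the string contains, it is compared as a value, never
    executed as SQL. The LIKE wildcards are escaped so they match literally."""
    escaped = (name_fragment.replace("\\", "\\\\")
               .replace("%", "\\%").replace("_", "\\_"))
    sql = "SELECT owner FROM accounts WHERE owner LIKE ? ESCAPE '\\' ORDER BY owner"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]
```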

Q7. I’m using stored procedures for authentication, am I vulnerable?

Ans: The use of stored procedures is one way to secure web applications from SQL injection attacks. With a stored procedure, the user input is no longer used to build the query dynamically. However, one avenue for SQL injection remains: if the stored procedure takes the input and uses it to build a query without validating it. This is difficult in a practical scenario, but not impossible.

Q8. I’m using client-side JavaScript code for checking user input. Isn’t that enough?

Ans: If only client-side JavaScript code is checking user input, it is not enough to mitigate SQL injection. An attacker can intercept requests in a proxy tool such as OWASP ZAP, Burp Suite, etc., and change the input in the request field.

Q9. Are Java servlets vulnerable to SQL injection?

Ans: Yes, Java servlets are also vulnerable to SQL injection if input validation is not enforced and SQL queries are built dynamically. Java servlets also have mechanisms to mitigate SQL injection, such as CallableStatement and PreparedStatement.

Q10. Can an automated scanner discover SQL Injection?

Ans: Although security researchers work very hard to develop automated scanners that discover all issues, sometimes a scanner misses some of them. So it is good practice to also check for SQL injection manually while doing security testing.

Miscellaneous Interview Questions

Q. List out some methods to detect SQL Injection Vulnerabilities.

Ans: Methods to identify SQL Injection vulnerability in a web application:

  • The most obvious method is to enter a single quote ' in fields and check for errors.
  • Enter Boolean conditions like "OR 1=1", "OR 4=9", etc., and identify anomalies in the responses.
  • Fuzz with SQL payloads and watch for errors.
  • Fuzz with different time-based payloads and check for delays in responses.

Q. Is it possible to identify SQL injection vulnerability by code review?

Ans: Yes, code review is the best way to identify this type of vulnerability.

Q. Can we examine databases by using SQL injection?

Ans: Yes. It is the most important step in finding out which database the application uses. This can be done by using different queries to identify the type and version of the database software. You can use the queries below to examine the database:

  Sr. No. | Type of Database       | Query
  1       | PostgreSQL             | SELECT version()
  2       | Oracle                 | SELECT * FROM v$version
  3       | Microsoft (SQL Server) | SELECT @@version
  4       | MySQL                  | SELECT @@version

Q. Mention specific tools to identify SQL injection vulnerabilities.

Ans: sqlmap is an open-source tool that may be used to identify security vulnerabilities in web applications related to SQL injection. You can also use different Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools to identify vulnerabilities related to SQL Injection.

Q. Mention some payloads related to SQL injection vulnerability.

Ans: Below is a list of some payloads that may be used to identify a SQL injection vulnerability:

  • ` (backtick)
  • / (forward slash)
  • \ (backslash)
  • ; (semicolon)
  • ' or " (single or double quote)

Q. How to test for SQL Injection vulnerabilities?

Ans: SQL injection may be tested by using the following techniques:

  • Just submit a single quote character ' in the text fields or in any other input parameter. If a SQL-specific error appears, it confirms the SQL injection vulnerability.
  • Try different SQL payloads (including boolean 1=1, 1=2, etc.) and analyze the application's response.
  • Try a time-delay function (e.g. sleep) and analyze the application's response.
  • Use automated tools such as Burp Suite, sqlmap, etc. to identify vulnerabilities related to SQL injection.

Interview Questions & Answers: Web Application Security Testing
https://allabouttesting.org/top-10-interview-questions-web-application-security-testing/
Tue, 07 Nov 2017 15:05:53 +0000
Web application security testing is defined as testing the security mechanisms employed in web applications to protect them from cyber-attacks. Below are interview questions asked in job interviews on application security.

Q1. What port is for ICMP or pinging?

Ans: Ping doesn't use any port. It is used to identify whether the remote host at the other end is active or not. It also helps in determining packet loss and round-trip delay during communication.

Just remember, ping basically uses the ICMP protocol.

Q2. Do you prefer Windows or Linux?

Ans: Both operating systems have their own pros and cons. Be ready with a justification for why you use a particular OS. But as a security analyst, prefer Linux, as it gives more flexibility and more security in comparison to Windows. Many security researchers have also contributed to enhancing Linux's features and security.

Q3. What security mechanism should be implemented on a login page?

Ans: There are many mechanisms available to secure the login page. First and foremost, implement the TLS protocol, which helps achieve confidentiality and integrity of customers' sensitive data by encrypting it in transit. If TLS is not used, an attacker can see sensitive information such as the username, password, session ID, etc.

Implement two-factor authentication for accessing user accounts. On the server side, never store passwords in the database in cleartext format. Always store passwords in an encrypted format. The algorithm used for encryption must be tested and certified by an auditing agency.

Q4. How would an HTTP program handle the state?

Ans: HTTP is a stateless protocol; cookies are used to handle the state of the web application. Basically, there are two ways in which a web application can maintain state: on the client side and on the server side. The developer may store data in cookies or in the web server session. In this way, the application maintains the session for a particular period and the user is not logged out in between.

Q5. What is Cross Site Scripting or XSS?

Ans: Cross-site scripting is one of the common vulnerabilities found in web applications. Here, an attacker sends malicious scripts to the victim and tricks the victim into executing them. On execution, cookies, session tokens, or other sensitive information are compromised by the attacker.

Q6. What are the types of XSS?

Ans: Cross-site scripting (XSS) is broadly divided into three categories:

Reflected XSS: In this vulnerability, the attacker executes the malicious script and gets instant output in the form of an error message, cookie information, or other sensitive information. The malicious script is not stored in the database in this case.

Stored XSS: Here, malicious scripts get stored in the database, for example through comment fields, discussion forums, etc. Whenever the victim visits those pages, the script gets executed.

DOM XSS: DOM stands for Document Object Model. It defines how documents are accessed and manipulated. In DOM XSS, the malicious script flows within the browser, with the DOM acting as both source and sink for the script. This vulnerability arises when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data without sanitizing the input.

Q7. What is the business application of public key cryptography?

Ans: The main business applications of public key cryptography are digital signing and encryption.

In digital signing, the sender signs the document with their private key and the receiver checks the integrity of that document with the sender's public key.

In encryption, the sender encrypts the document with the public key of the receiver and the receiver decrypts it using his/her private key.

Q8. Explain Phishing attacks & How can you defend against phishing attempts?

Ans: In a phishing attack, the attacker tricks the victim into accessing a fake web page and submitting sensitive information.

Checking for XSS vulnerabilities and checking the HTTP Referer header are some mitigation techniques against phishing attacks.

Q9. What is the difference between public key cryptography and a private key for encrypting and signing content?

Ans: In digital signing, the sender signs the document with the private key and the receiver checks the integrity of that document with the sender’s public key.

In encryption, the sender encrypts the document with the public key of the receiver and the receiver decrypts it using his/her private key.

Q10. What can you use to defend against multiple login attempts?

Ans: There are many techniques to defend against multiple login attempts. You can create an account lockout policy based on the number of attempts. Another method is to implement a CAPTCHA on the login page to determine whether the user is a machine or a human.
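As an added example (not code from the original post), here is the account lockout policy from this answer as a small Python class, with an injectable clock so the behaviour can be checked without waiting out a real lockout window. The thresholds and the credential check are constructed.

```python
import time
from collections import defaultdict


class ManualClock:
    """Constructed clock for deterministic tests; production passes time.monotonic."""
    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class LoginThrottle:
    """Account lockout: after max_attempts failures within `lockout` seconds
    the account is locked for `lockout` seconds, even for the right password."""

    def __init__(self, max_attempts=5, lockout=15 * 60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # username -> recent failure times
        self._locked_until = {}

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:  # lockout expired: start the count afresh
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        now = self.clock()
        recent = [t for t in self._failures[username] if now - t < self.lockout]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[username] = now + self.lockout

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Returns 'ok', 'denied' or 'locked'. The lock is checked before the
    password, so a locked account gives the same answer to every guess.
    A per-account lock lets anyone lock a victim out, so in practice pair
    it with the CAPTCHA option above or a per-source-address limit."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "locked" if throttle.is_locked(username) else "denied"
```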
