6 Web Security Interview Questions and Answers for FullStack Developers
Web sites are unfortunately prone to security risks. And so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk.
Q1: How to mitigate the SQL Injection risks?
Topic: Security
Difficulty: ⭐⭐
To mitigate SQL injection:
- Prepared Statements with Parameterized Queries: Always ensure that your SQL interpreter can differentiate between code and data. Never use dynamic queries that blur the difference between code and data. Instead, use a static SQL query and pass the external input to it as a parameter. Prepared Statements (with Parameterized Queries) force the developer to first define all the SQL code, and then pass in each parameter to the query later.
- Use of Stored Procedures: A stored procedure is like a function in C that the database administrator calls whenever it is needed. It does not completely mitigate SQL injection, but it definitely helps reduce the risk by avoiding dynamic SQL generation inside it.
- White List Input Validation: Always use white list input validation and allow only input preapproved by the developer. Never use a blacklist approach, as it is less secure than a whitelist approach.
- Escaping All User Supplied Input
- Enforcing Least Privilege
🔗 Source: career.guru99.com
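The first and third points above, as an added example that is not part of the original page: a dynamic query next to its parameterized form, plus an allow-list check for a value that must come from a fixed set. The in-memory SQLite table and the row data are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample table for the example (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_dynamic(conn, name):
    # VULNERABLE: SQL text and user data are concatenated, so the interpreter
    # cannot tell where the data ends and the code begins.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn, name):
    # SAFE: the SQL text is fixed up front; the value is bound as a parameter and
    # is only ever compared as a string, never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

ALLOWED_ROLES = {"admin", "user"}

def find_by_role(conn, role):
    # Allow-list validation for a value that must come from a fixed set: reject
    # anything else before it reaches the database, then still bind it as a parameter.
    if role not in ALLOWED_ROLES:
        raise ValueError("role not in allow list")
    return conn.execute("SELECT name FROM users WHERE role = ? ORDER BY name", (role,)).fetchall()
```

Running the same quote-containing input through both lookups shows the difference: the dynamic query's WHERE clause is rewritten by it, while the parameterized query simply finds no user with that literal name.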
Q2: What is Cross Site Scripting (XSS)?
Topic: Security
Difficulty: ⭐⭐
In a Cross Site Scripting (XSS) attack, users unintentionally execute malicious scripts (also called payloads), for example by clicking on untrusted links, and these scripts then pass cookie information to attackers.
🔗 Source: allabouttesting.org
Q3: What is ClickJacking?
Topic: Security
Difficulty: ⭐⭐⭐
ClickJacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another. The attack is possible thanks to HTML frames (iframes).
Its other name, user interface (UI) redressing, better describes what is going on. Users think they are using a web page’s normal UI, but in fact there is a hidden UI in control; in other words, the UI has been redressed. When users click something they think is safe, the hidden UI performs a different action.
🔗 Source: synopsys.com
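Because the attack depends on the target page being embeddable in a frame, the practical check is whether a response's headers permit that. The function below is an added example, not from the original page: it models how a browser combines the CSP frame-ancestors directive with X-Frame-Options, on a constructed header dict with lower-cased names; the origin strings are placeholders.

```python
def framing_allowed(headers, framing_origin, page_origin):
    # headers: response header names lower-cased -> values (constructed for the example).
    # Returns True when a browser honouring these headers would render the page inside a
    # frame served from framing_origin. Per the CSP spec, a frame-ancestors directive
    # takes precedence over X-Frame-Options when both are present.
    framing_origin = framing_origin.lower()
    page_origin = page_origin.lower()
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "*" in sources or ("self" in sources and framing_origin == page_origin):
                return True
            # Simplification: exact-origin match only; real source expressions also
            # allow scheme-only and wildcard-host forms.
            return framing_origin in sources
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin
    # Neither header present: any site can embed the page, the precondition for clickjacking.
    return True
```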
Q4: List the attributes of Security Testing
Topic: Security
Difficulty: ⭐⭐⭐
Security testing is carried out to make sure that the system prevents unauthorized users from accessing its resources and data. Security testing needs to cover the seven attributes of security testing:
- Authentication - Authentication is the process of identifying a person before they access the system. It allows the user to access the system's information only if the authentication check passes.
- Authorization - Once authentication has passed, authorization comes into the picture to limit the user to the permissions set for that user.
- Confidentiality - Confidentiality testing checks that unauthorized and less privileged users are not able to access the information, i.e. that information and resources are protected from everyone other than authorized and authenticated users.
- Availability - Availability testing checks that the system is available to authorized users whenever they want to use it, except during the maintenance window and upgrades for security patches.
- Integrity - Integrity is to make sure that the information received is not altered in transit, and to check that the information presented to a user is correct according to the user's groups, privileges and restrictions.
- Non-repudiation - Non-repudiation is the assurance that someone cannot deny something. For security testing it means tracking who is accessing the systems and which of the requests were denied, along with additional details like the timestamp and the IP address the requests came from.
- Resilience - Resilience testing checks that the system is able to withstand attacks; this can be implemented using encryption, OTP (One Time Password), two-layer authentication or RSA key tokens.
🔗 Source: softwaretestingclass.com
Q5: What are the types of XSS?
Topic: Security
Difficulty: ⭐⭐⭐⭐
Cross-site Scripting can be divided into three types:
- Stored XSS
- Reflected XSS
- DOM-based XSS
🔗 Source: allabouttesting.org
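For the stored and reflected types above (Q2 and Q5), the server-side defence is to encode untrusted values for the exact context they are inserted into. This is an added example, not code from the original page: three small render helpers for the HTML text, URL-in-attribute and JavaScript-string contexts, using only the Python standard library. DOM-based XSS is decided in the browser and is not covered here.

```python
import html
import json
from urllib.parse import quote

def render_comment(author, body):
    # HTML text context: escape at the point of insertion so that "<", ">", "&"
    # and quotes from the stored value become entities instead of markup.
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))

def render_search_link(term):
    # URL-in-attribute context (typical for reflected values): URL-encode the term
    # so it cannot break the query string, then HTML-escape the finished href and
    # the visible link text for the attribute and text contexts they land in.
    href = "/search?q=" + quote(term, safe="")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(term, quote=True))

def render_inline_config(value):
    # JavaScript-string context: json.dumps yields a valid JS literal but leaves "<"
    # alone, so a value containing "</script>" would terminate the script block.
    # Escaping "<" as \u003c keeps the literal valid and the block intact.
    literal = json.dumps(value).replace("<", "\\u003c")
    return "<script>var config = %s;</script>" % literal
```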
Q6: What is HSTS?
Topic: Security
Difficulty: ⭐⭐⭐⭐
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking.
The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named Strict-Transport-Security. Once a supported browser receives this header, it will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
🔗 Source: globalsign.com
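The header-to-behaviour path described above, as an added example that is not part of the original page: a parser for the Strict-Transport-Security value and a minimal model of the browser's known-HSTS-host list that decides when an http:// URL must be rewritten to https://. It assumes URLs without an explicit port and ignores the preload list; host names and header values in the test are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    # Parse a Strict-Transport-Security value; None if max-age is missing or malformed.
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

class HstsCache:
    # Minimal model of a browser's known-HSTS-host list (real agents also persist and preload it).
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def observe(self, host, header_value, now, over_tls):
        # Only honour the header when received over HTTPS; over plain HTTP it could be injected.
        policy = parse_hsts(header_value)
        if not over_tls or policy is None:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return
        self.hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        # Exact host matches always apply; a parent domain applies only with includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is not None and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url, now):
        # Rewrite http:// to https:// before the request leaves, as the browser does.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname or "", now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```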
Thanks 🙌 for reading and good luck on your interview!
Check more FullStack Interview Questions & Answers on 👉 www.fullstack.cafe