Application Security Interview Questions Github

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Q18: How to mitigate the SQL Injection risks? ⭐⭐


To mitigate SQL injection:

  • Prepared Statements with Parameterized Queries: Always ensure that your SQL interpreter always able to differentiate between code and data. Never use dynamic queries which fail to find the difference between code and data. Instead, use static SQL query and then pass in the external input as a parameter to query. Use of Prepared Statements (with Parameterized Queries) force developer to first define all the SQL code, and then pass in each parameter to the query later.
  • Use of Stored Procedures: Stored Procedure is like a function in C where database administrator call it whenever he/she need it. It is not completely mitigated SQL injection but definitely helps in reducing risks of SQL injection by avoiding dynamic SQL generation inside.
  • White List Input Validation: Always use white list input validation and allow only preapproved input by the developer. Never use blacklist approach as it is less secure than whitelist approach.
  • Escaping All User Supplied Input
  • Enforcing Least Privilege
  • Q41: Apart from mailing links of error pages, are there other methods of exploiting XSS? ⭐⭐⭐

    See Answer

    Q22: How can I prevent XSS? ⭐⭐


    XSS can be prevented by sanitizing user input to the application. Always allowed those elements as input which is absolutely essential for that field.

    Q39: What Is Failure to Restrict URL Access? ⭐⭐⭐

    See Answer

    Q43: What is PKI? ⭐⭐⭐

    See Answer

    Users who have contributed to this file

  • Open with Desktop
  • View raw
  • Copy raw contents Copy raw contents Copy raw contents Copy raw contents
  • View blame
  • Q46: How come that hash values are not reversible? ⭐⭐⭐⭐

    See Answer

    Q27: What is Cross-Site Request Forgery? ⭐⭐⭐

    See Answer

    Q54: What is Cross Site Tracing (XST)? How can it be prevented? ⭐⭐⭐⭐

    See Answer

    Q35: Mention what threat can be avoided by having unique usernames produced with a high degree of entropy? ⭐⭐⭐

    See Answer

    The purpose of this document is to help security folks prepare for common security interview questions and answers. Lot of materials only include questions and doesnt include answers. Hence i compiled the resources together. The code review section is especially useful for folks doing code review not just preparing for interviews.

    Q1: What is the difference between Authentication vs Authorization? ⭐


  • Authentication is the process of ascertaining that somebody really is who he claims to be.
  • Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.
  • Or in short:

  • Authentication = login + password (who you are)
  • Authorization = permissions (what you are allowed to do)
  • Also:

  • Authentication = Verification
  • Authorization = Permissions
  • Q44: Name the elements of PKI ⭐⭐⭐

    See Answer

    Q2: What is SQL injection? ⭐


    Injection attacks stem from a lack of strict separation between program instructions (i.e., code) and user-provided (or external) input. This allows an attacker to inject malicious code into a data snippet.

    SQL injection is one of the most common types of injection attack. To carry it out, an attacker provides malicious SQL statements through the application.

    How to prevent:

  • Prepared statements with parameterized queries
  • Stored procedures
  • Input validation – blacklist validation and whitelist validation
  • Principle of least privilege – Application accounts shouldn’t assign DBA or admin type access onto the database server. This ensures that if an application is compromised, an attacker won’t have the rights to the database through the compromised application.
  • TOP 10 Application Security Interview Questions and Answers 2019 | Application Security

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *