Application Security Interview Questions Github


Q18: How to mitigate the SQL Injection risks? ⭐⭐

Answer:

To mitigate SQL injection:

  • Prepared Statements with Parameterized Queries: Always ensure that the SQL interpreter is able to differentiate between code and data. Never build dynamic queries, which blur the difference between code and data. Instead, use a static SQL query and pass the external input to it as a parameter. Prepared statements (with parameterized queries) force the developer to define all the SQL code first and then pass each parameter to the query later.
  • Use of Stored Procedures: A stored procedure is like a function in C that the database administrator calls whenever needed. It does not completely mitigate SQL injection, but it definitely helps reduce the risk by avoiding dynamic SQL generation.
  • White List Input Validation: Always use white list input validation and allow only input pre-approved by the developer. Never use a blacklist approach, as it is less secure than a whitelist approach.
  • Escaping All User Supplied Input
  • Enforcing Least Privilege
Q41: Apart from mailing links of error pages, are there other methods of exploiting XSS? ⭐⭐⭐

Q22: How can I prevent XSS? ⭐⭐

Answer:

XSS can be prevented by sanitizing user input to the application. Allow as input only the elements that are absolutely essential for that field.

Q39: What Is Failure to Restrict URL Access? ⭐⭐⭐

Q43: What is PKI? ⭐⭐⭐

Q46: How come that hash values are not reversible? ⭐⭐⭐⭐

Q27: What is Cross-Site Request Forgery? ⭐⭐⭐

Q54: What is Cross Site Tracing (XST)? How can it be prevented? ⭐⭐⭐⭐

Q35: Mention what threat can be avoided by having unique usernames produced with a high degree of entropy? ⭐⭐⭐

The purpose of this document is to help security folks prepare for common security interview questions and answers. A lot of materials only include questions and don't include answers, hence I compiled the resources together. The code review section is especially useful for folks doing code review, not just those preparing for interviews.

Q1: What is the difference between Authentication vs Authorization? ⭐

Answer:

  • Authentication is the process of ascertaining that somebody really is who he claims to be.
  • Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorized to read.

Or in short:

  • Authentication = login + password (who you are)
  • Authorization = permissions (what you are allowed to do)

Also:

  • Authentication = Verification
  • Authorization = Permissions

Q44: Name the elements of PKI ⭐⭐⭐

Q2: What is SQL injection? ⭐

Answer:

Injection attacks stem from a lack of strict separation between program instructions (i.e., code) and user-provided (or external) input. This allows an attacker to inject malicious code into a data snippet.

SQL injection is one of the most common types of injection attack. To carry it out, an attacker provides malicious SQL statements through the application.

How to prevent:

  • Prepared statements with parameterized queries
  • Stored procedures
  • Input validation – whitelist validation is preferred over blacklist validation
  • Principle of least privilege – Application accounts shouldn't be given DBA or admin type access to the database server. This ensures that if an application is compromised, an attacker won't gain those rights to the database through the compromised application.
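The mitigations listed under Q2 and Q18 (parameterized queries and whitelist input validation), as an added example that is not part of the original document. It uses Python's standard sqlite3 module with a constructed in-memory users table; the function names and the username pattern are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration, not from the document.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "reader"), ("carol", "reader")])
    return conn

def find_user_dynamic(conn, username):
    # Dynamic query: the input is concatenated into the SQL text, so the
    # interpreter cannot tell where data ends and code begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, username):
    # Static SQL text with a bound parameter: the input is only ever
    # treated as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Whitelist (assumed pattern): lowercase letters, digits and underscore, 1-32 chars.
USERNAME_ALLOWED = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(username):
    return USERNAME_ALLOWED.fullmatch(username) is not None

def find_user_validated(conn, username):
    # Whitelist validation in front of the parameterized query: anything that
    # is not a plausible username is rejected before it reaches the database.
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist validation")
    return find_user_parameterized(conn, username)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # classic tautology input used only to show the difference
    print("dynamic:      ", find_user_dynamic(db, probe))        # every user leaks
    print("parameterized:", find_user_parameterized(db, probe))  # [] (no such user)
    print("validated:    ", is_valid_username(probe))            # False
```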