Application Security (AppSec) Interview Questions Notes
These are my notes that I took during my interview preparation over the years. These are not the questions asked by interviewers ;)
Basic Questions
XSS
- What is XSS and what are the different types of XSS?
- How do you explain XSS to a developer and explain/convince them of the impact?
- How do you prevent XSS?
- What is DOM-based XSS and how does it differ?
- What is CSP (Content Security Policy)?
SQL Injection
- What is SQL Injection?
- How do you prevent it?
- How do you explain SQL Injection to a developer?
- Why do prepared statements prevent SQLi?
- Blind SQLi: how do you evaluate, confirm and extract the data?
CSRF
- What is CSRF?
- How do you prevent it?
- If CSRF token usage is not possible per session, what is the solution?
- Login CSRF
- SOP vs CSRF
Cryptography
- Symmetric and asymmetric
- In HTTPS, which one is used?
- What is PKI?
- What are certificates?
- How does SSH work? Explain in detail, from A to B.
- How does HTTPS work? link
- Encryption, authentication, authorization
- Encryption, hashing, encoding
Password Storage
- How do you store passwords securely?
- What are rainbow tables?
- What is the use of salting?
- Will salting help?
- Is there any impact on performance with different algorithms?
Generic Questions
- What happens when you type google.com in a browser?
- How does DNS work?
System Design
- Design a password manager
- Design file uploading to a server
- Website with DB console access: how do you protect it?
- How do you design login functionality?
Coding
- ROTN function, similar to ROT13.
- Base64-encoded string that decodes to JSON-like output. Extract the different values.
- Parsing web server logs. Return 200 or 404 status codes. Downloading files.