Question 1

What is OWASP and what is its mission?

Accepted Answer

OWASP (Open Web Application Security Project) is a nonprofit foundation dedicated to improving software security through open-source projects, community collaboration, and educational resources. Its mission is to make software security visible so that individuals and organizations can make informed decisions about application security risks.

Question 2

What is the OWASP Top 10 and why is it important?

Accepted Answer

The OWASP Top 10 is a regularly updated list of the most critical security risks facing web applications, based on data from security experts worldwide. It serves as the de facto standard for web application security, helping developers and security teams prioritize their efforts on the most impactful vulnerabilities that are most likely to be exploited.

Question 3

What is Broken Access Control and why is it ranked #1 in OWASP Top 10 2021?

Accepted Answer

Broken Access Control occurs when users can access resources or perform actions beyond their intended permissions. It's ranked #1 because 94% of applications tested had some form of access control issue, affecting critical functions like data modification, deletion, and unauthorized access to sensitive information.

Question 4

What is SQL Injection and how do you prevent it?

Accepted Answer

SQL Injection is an attack where malicious SQL code is inserted into application queries, allowing attackers to view, modify, or delete database data. Prevention requires using parameterized queries (prepared statements), stored procedures with proper parameterization, input validation, and applying the principle of least privilege for database accounts.

Question 5

What is Cross-Site Scripting (XSS)?

Accepted Answer

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by other users. When victims load the compromised page, the malicious script executes in their browser with their session privileges, potentially stealing cookies, session tokens, or performing unauthorized actions on their behalf.

Question 6

What is Cross-Site Request Forgery (CSRF)?

Accepted Answer

CSRF is an attack where a malicious website tricks an authenticated user's browser into making unwanted requests to a trusted website where they're logged in. The attack exploits the browser's automatic inclusion of authentication cookies, allowing attackers to perform state-changing actions like fund transfers or password changes without the victim's knowledge.

Question 7

How do you securely store passwords?

Accepted Answer

Never store passwords in plaintext or using reversible encryption. Instead, use specialized password hashing algorithms like Argon2id, bcrypt, or scrypt with unique random salts for each password. These algorithms are intentionally slow and memory-hard to resist brute-force and rainbow table attacks.

Question 8

What is multi-factor authentication (MFA) and why is it important?

Accepted Answer

Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors (something they know, have, or are) to access a resource. It's critical because even if passwords are compromised, attackers still cannot access accounts without the additional factors, blocking 99.9% of automated attacks according to Microsoft.

Question 9

What is Server-Side Request Forgery (SSRF)?

Accepted Answer

Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can abuse server-side functionality to make HTTP requests to arbitrary destinations, including internal resources normally inaccessible from the internet. The attacker tricks the server into acting as a proxy, potentially accessing internal APIs, cloud metadata services, or private network resources.

Question 10

What is Security Misconfiguration?

Accepted Answer

Security Misconfiguration occurs when security settings are not defined, implemented, or maintained properly, including missing security patches, unnecessary features enabled, default accounts unchanged, or misconfigured HTTP headers. It's the most common vulnerability because it can happen at any level of the application stack from network to database.

Question 11

What is Content Security Policy (CSP) and how does it prevent XSS?

Accepted Answer

Content Security Policy (CSP) is an HTTP header that controls which resources (scripts, styles, images) can be loaded and executed on web pages. It prevents XSS attacks by whitelisting trusted sources and blocking inline scripts by default, acting as an additional layer of defense against code injection attacks.

Question 12

What is injection and what types of injection attacks exist?

Accepted Answer

Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query, tricking it into executing unintended commands or accessing unauthorized data. Common types include SQL injection, NoSQL injection, OS command injection, LDAP injection, XPath injection, and Server-Side Template Injection (SSTI).

Question 13

What is the OWASP Application Security Verification Standard (ASVS)?

Accepted Answer

The OWASP ASVS is a comprehensive framework that defines three levels of security requirements for web applications, providing specific, testable security controls that go far beyond the OWASP Top 10. It serves as a blueprint for developers to build secure applications and for security professionals to verify application security through testing and code review.

Question 14

What are Cryptographic Failures and how do you prevent them?

Accepted Answer

Cryptographic Failures (formerly Sensitive Data Exposure) occur when applications fail to properly protect sensitive data using encryption, both at rest and in transit. Prevention requires using strong encryption algorithms, proper key management, encrypting data in transit with TLS 1.2+, encrypting sensitive data at rest, and never storing sensitive data unnecessarily.

Question 15

What is the difference between authentication and authorization?

Accepted Answer

Authentication is the process of verifying who a user is (proving identity through credentials like passwords or tokens), while authorization determines what an authenticated user is allowed to do (access control and permissions). Both are essential security controls - authentication answers "who are you?" and authorization answers "what can you do?"

OWASP Fundamentals(4 questions)

What is OWASP and what is its mission?

What is the OWASP Top 10 and why is it important?

How often is the OWASP Top 10 updated and what changed in the 2021 version?

What is the OWASP Application Security Verification Standard (ASVS)?

A01:2021 - Broken Access Control(5 questions)

What is Broken Access Control and why is it ranked #1 in OWASP Top 10 2021?

What is Insecure Direct Object Reference (IDOR) and how do you prevent it?

What is horizontal vs vertical privilege escalation?

What is the principle of least privilege and how do you apply it?

What are Access Control Lists (ACLs) vs Role-Based Access Control (RBAC)?

A02:2021 - Cryptographic Failures(6 questions)

What are Cryptographic Failures (formerly Sensitive Data Exposure)?

What is the difference between encryption at rest and encryption in transit?

How do you securely store passwords?

What is password hashing and what algorithms are recommended (bcrypt, Argon2, scrypt)?

What is a salt and why is it important for password hashing?

What is the difference between hashing, encryption, and encoding?

A03:2021 - Injection(5 questions)

What is injection and what types of injection attacks exist?

What is SQL Injection and how do you prevent it?

How do parameterized queries prevent SQL injection?

What is Command Injection (OS Command Injection) and how do you prevent it?

What are the best practices for input validation to prevent injection?

A04:2021 - Insecure Design(4 questions)

What is Insecure Design and how does it differ from implementation vulnerabilities?

What is threat modeling and how do you perform it?

What is security by design and defense in depth?

How do you integrate security into the Software Development Lifecycle (SDLC)?

A05:2021 - Security Misconfiguration(5 questions)

What is Security Misconfiguration?

How do you secure HTTP headers (X-Content-Type-Options, X-Frame-Options, etc.)?

What is Content Security Policy (CSP) and how do you implement it?

What are default credentials and why are they dangerous?

How do you secure error handling and prevent information disclosure?

A06:2021 - Vulnerable and Outdated Components(4 questions)

How do you identify vulnerable dependencies in your application?

What is Software Composition Analysis (SCA)?

What tools are available for dependency scanning (OWASP Dependency-Check, Snyk, npm audit)?

What is the CVE (Common Vulnerabilities and Exposures) system?

A07:2021 - Identification and Authentication Failures(6 questions)

What are Identification and Authentication Failures?

What is multi-factor authentication (MFA) and why is it important?

How do you prevent brute force attacks?

What is credential stuffing and how do you prevent it?

How do you implement secure session management?

What is session fixation and how do you prevent it?

A08:2021 - Software and Data Integrity Failures(5 questions)

What are Software and Data Integrity Failures?

What is a supply chain attack and how do you prevent it?

What is Subresource Integrity (SRI) and how do you implement it?

How do you secure your CI/CD pipeline?

What are the risks of insecure deserialization?

A09:2021 - Security Logging and Monitoring Failures(4 questions)

What events should be logged for security purposes?

What is a Security Information and Event Management (SIEM) system?

How do you detect and respond to security incidents?

How do you protect sensitive data in logs?

A10:2021 - Server-Side Request Forgery (SSRF)(4 questions)

What is Server-Side Request Forgery (SSRF)?

How does SSRF differ from Cross-Site Request Forgery (CSRF)?

How do you prevent SSRF attacks?

What are the risks of SSRF in cloud environments (AWS, Azure, GCP)?

Cross-Site Scripting (XSS)(5 questions)

What is Cross-Site Scripting (XSS)?

What are the different types of XSS (Reflected, Stored, DOM-based)?

How do you prevent XSS attacks?

What is output encoding and how does it prevent XSS?

How does Content Security Policy (CSP) help prevent XSS?

Cross-Site Request Forgery (CSRF)(4 questions)

What is Cross-Site Request Forgery (CSRF)?

What is a CSRF token and how does it prevent attacks?

What is the SameSite cookie attribute and how does it help prevent CSRF?

What is the difference between SameSite=Strict, Lax, and None?

API Security(5 questions)

What is the OWASP API Security Top 10?

What is Broken Object Level Authorization (BOLA)?

How do you implement rate limiting for APIs?

How do you secure API keys and tokens?

What is the difference between API authentication methods (API keys, OAuth, JWT)?