Most Asked API Security Interview Questions & Answers
In this blog, we list out the most asked API security interview questions and answers.
- Q1. List out Critical API Security Risks.
- Q2. What types of security issues come under the category of Injection?
- Q3. What are the methods available to prevent Injection flaws of API?
- Q4. What types of security issues come under the category of Broken User Authentication?
- Q5. What is Mass Assignment security risk?
- Q6. List out mitigation techniques of Mass Assignment.
- Q7. What type of security issues comes under security misconfigurations?
- Q8. List out security issues related to Insufficient Logging & Monitoring.
- Q9. What is Improper Assets Management?
- Q10. How can we mitigate the risks of Insufficient Logging & Monitoring?
- Q11. What tools are required to test the security of web API?
Q1. List out Critical API Security Risks.
Ans: I am listing out the ten most critical security risks as mentioned in OWASP API Security Top 10 2019:
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
Q2. What types of security issues come under the category of Injection?
Ans: All web injection flaws, such as SQL injection, NoSQL injection, command injection, etc., come under the Injection category for APIs. As with web applications, an attacker supplies untrusted input that the interpreter treats as part of a command or query, which lets the attacker execute commands or access unauthorized data.
Q3. What are the methods available to prevent Injection flaws of API?
Ans: Below is the list of methods available to mitigate the risk of Injection flaws while implementing an API:
- Validate all user input and accept only the permissible type of input.
- Use a safe API, i.e. one that provides a parameterized interface instead of building queries from strings.
- Implement brute force mitigation techniques.
- Limit the number of output entries (records) returned when accessing data via the API.
- Escape and sanitize special characters in user-provided data wherever they are not required.
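The following is an added example (not code from the original post) showing the first two mitigations above in a Python API handler: the same lookup built by string concatenation beside the parameterized form, plus an allow-list check for a sort column (which cannot be bound as a parameter) and a cap on the number of rows returned. The table, rows and function names are constructed for the example.

```python
"""Added example: SQL injection in an API lookup, vulnerable vs. hardened.
Uses an in-memory SQLite table with constructed sample rows."""
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated into the statement, so the database
    # engine cannot distinguish data from query syntax.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterized query ("safe API"): the driver binds the value, so it is
    # never parsed as SQL no matter which characters it contains.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (column names) cannot be bound as parameters; validate them
# against a fixed allow-list instead of escaping them.
ALLOWED_SORT_COLUMNS = {"id", "username", "email"}
MAX_ROWS = 100


def list_users(conn, sort_by="id", limit=50):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    # Cap the number of output entries regardless of what the client asks for.
    limit = max(1, min(int(limit), MAX_ROWS))
    return conn.execute(
        f"SELECT id, username FROM users ORDER BY {sort_by} LIMIT ?", (limit,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row leaks
    print("safe:      ", lookup_safe(db, probe))        # no such user
    print("listing:   ", list_users(db, "username", 1))
```

The vulnerable function returns every row for an input that is not a username at all, while the parameterized version returns nothing for the same input; the allow-list and row cap cover the cases parameter binding cannot.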
Q4. What types of security issues come under the category of Broken User Authentication?
Ans: Authentication mechanisms that are implemented incorrectly or insecurely come under the category of Broken User Authentication. Examples include allowing weak passwords, accepting unsigned or weakly signed JWT tokens, using weak encryption keys, having no technique in place to mitigate brute force attacks, and passing auth tokens or passwords in the URL.
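As an added example (not from the original post), here is a minimal HS256 JWT verifier written from the standard library that closes two of the gaps listed above: it pins the accepted algorithm on the server side so a token carrying "alg": "none" or an unexpected algorithm is rejected before any signature check, it compares signatures in constant time, it enforces a minimum key length, and it requires an unexpired `exp` claim. The `sign_hs256` helper exists only so the example is self-contained; the key and claims are constructed.

```python
"""Added example: verifying an HS256 JWT without trusting the token header."""
import base64
import hashlib
import hmac
import json
import time

# Algorithms the server accepts. Pinned here; the token's header never decides.
ALLOWED_ALGS = {"HS256"}
MIN_KEY_BYTES = 32  # 256-bit minimum for an HS256 key


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, key):
    """Issue a token (helper so the example runs stand-alone)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token, key, now=None):
    """Return the payload only if the token is HS256-signed with `key` and
    unexpired; raise ValueError for anything else."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HS256 key is too short")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed header")
    # Reject "none" and every algorithm the server did not choose, before
    # looking at the signature at all.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed signature")
    # Constant-time comparison: no timing side channel on the signature bytes.
    if not hmac.compare_digest(expected, provided):
        raise ValueError("signature mismatch")
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("malformed payload")
    now = time.time() if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return payload


def is_valid(token, key, now=None):
    """Boolean wrapper around verify_hs256 for callers that only need yes/no."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-of-32-bytes!"  # constructed; use random key material in practice
    token = sign_hs256({"sub": "alice", "exp": int(time.time()) + 300}, key)
    print("issued:", verify_hs256(token, key))
    unsigned = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + token.split(".")[1] + "."
    print("alg=none accepted?", is_valid(unsigned, key))
```

The important design choice is order: the algorithm allow-list and key-length check run before the signature is even decoded, so an attacker-controlled header can never downgrade the verification path.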
Q5. What is Mass Assignment security risk?
Ans: If object binding is implemented incorrectly, this risk allows an attacker to edit fields that the system does not allow in normal scenarios. For example, an e-commerce application allows a user to change the delivery address; with a mass assignment flaw, the attacker may also be able to change the wallet balance in the app, a field that only the administrator is allowed to edit.
Q6. List out mitigation techniques of Mass Assignment.
Ans: Mitigation techniques include the correct implementation of least privilege, i.e. allowing the user to edit only those fields that the administrator has permitted, and the use of the framework's built-in features to blacklist properties that must never be set from client input.
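The following added example (not from the original post) shows the wallet-balance scenario from Q5 in code: a handler that binds every key of the request body onto the stored record, next to a least-privilege version that keeps a per-field list of the roles allowed to set it, and the deny-list ("blacklist properties") variant the answer mentions. The record, field names and roles are constructed for the example.

```python
"""Added example: mass assignment, vulnerable vs. least-privilege field binding."""

# Which roles may set each profile field. A field that is not listed can
# never be set from a request body, whatever the client sends.
FIELD_PERMISSIONS = {
    "display_name": {"user", "admin"},
    "address": {"user", "admin"},
    "phone": {"user", "admin"},
    "wallet_balance": {"admin"},
}

# Constructed stored record for the example.
SAMPLE_USER = {
    "id": 42,
    "display_name": "Alice",
    "address": "1 Main St",
    "phone": "",
    "wallet_balance": 10.0,
    "is_admin": False,
}


def update_profile_vulnerable(record, body):
    """Mass assignment: every key in the request body lands on the record,
    including wallet_balance and is_admin."""
    updated = dict(record)
    updated.update(body)
    return updated


def is_update_permitted(body, role):
    """True only if every field in the body may be set by this role."""
    return all(role in FIELD_PERMISSIONS.get(field, set()) for field in body)


def update_profile_safe(record, body, role):
    """Least privilege: reject the whole request if any field is not
    permitted for the caller's role, rather than silently dropping it."""
    if not is_update_permitted(body, role):
        bad = sorted(f for f in body if role not in FIELD_PERMISSIONS.get(f, set()))
        raise PermissionError(f"fields not permitted for role '{role}': {bad}")
    updated = dict(record)
    updated.update(body)
    return updated


DENYLIST = frozenset({"id", "wallet_balance", "is_admin"})


def strip_denylisted(body, denylist=DENYLIST):
    """Deny-list variant (the post's "blacklist properties"). Weaker than the
    allow-list above because every new sensitive field must be remembered."""
    return {k: v for k, v in body.items() if k not in denylist}


if __name__ == "__main__":
    hostile = {"address": "2 Elm St", "wallet_balance": 999999, "is_admin": True}
    print("vulnerable:", update_profile_vulnerable(SAMPLE_USER, hostile))
    print("deny-list: ", strip_denylisted(hostile))
    print("permitted for user?", is_update_permitted(hostile, "user"))
    print("admin:     ", update_profile_safe(SAMPLE_USER, {"wallet_balance": 5.0}, "admin"))
```

Rejecting the whole request (instead of silently dropping the extra fields) also gives the logging layer a clear event to record, which ties in with Q10.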
Q7. What type of security issues comes under security misconfigurations?
Ans: These issues are the same as for web application security. I am listing out possible security issues that come under the category of security misconfigurations:
- Non-implementation of Transport Layer Security (TLS)
- Missing security headers
- Missing Cross-Origin Resource Sharing (CORS) policy
- Missing latest security patches
- Errors providing excessive information
- Lack of security hardening
Q8. List out security issues related to Insufficient Logging & Monitoring.
Ans:
- Log integrity is not guaranteed by the network administrator
- Logs are not monitored periodically
- Logs are not available
- API-related infrastructure not monitored
Q9. What is Improper Assets Management?
Ans: This category addresses issues related to the use of old or unpatched API versions.
Q10. How can we mitigate the risks of Insufficient Logging & Monitoring?
Ans: I am listing out the security events that must be logged and the checks that must be in place:
- Log all failed authentication attempts.
- Logs should use a well-defined format and record enough detail about the input to investigate the event.
- A central log server should be available.
- Periodic backup of logs is mandatory.
- Handle logs in a way that ensures their integrity.
- Check the mechanism for monitoring the infrastructure, network, and API functioning.
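To make the first two points and the monitoring point concrete, here is an added example (not from the original post) that emits one structured JSON line per failed authentication attempt and then runs a small detector over a constructed log: it flags any client address with five or more failures inside a sixty-second window and counts lines that no longer parse, which is a cheap integrity signal. Field names, addresses and thresholds are constructed for the example.

```python
"""Added example: structured auth-failure logging and a sliding-window
detector over those log lines."""
import json
from collections import defaultdict


def auth_failure_event(ts, client_ip, user, reason):
    """One JSON object per line with a fixed key set and an epoch-seconds
    timestamp. The submitted secret is deliberately never written."""
    return json.dumps(
        {"ts": ts, "event": "auth_failure", "client_ip": client_ip, "user": user, "reason": reason},
        sort_keys=True,
    )


# Constructed sample log: six failures from one client within 30 seconds,
# two widely spaced failures from another, one unrelated event, one corrupt line.
SAMPLE_LOG = [
    auth_failure_event(1700000000 + i * 5, "203.0.113.5", "alice", "bad_password") for i in range(6)
] + [
    auth_failure_event(1700000100, "198.51.100.7", "bob", "bad_password"),
    auth_failure_event(1700000400, "198.51.100.7", "bob", "bad_password"),
    json.dumps({"ts": 1700000050, "event": "auth_success", "client_ip": "203.0.113.5", "user": "alice"}),
    "this line is not JSON",
]


def parse_events(lines):
    """Yield parsed auth_failure events, skipping anything unparseable."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("event") == "auth_failure":
            yield event


def count_unparseable(lines):
    """Lines that fail to parse: a simple integrity signal worth alerting on."""
    bad = 0
    for line in lines:
        try:
            json.loads(line)
        except json.JSONDecodeError:
            bad += 1
    return bad


def flag_repeated_failures(lines, threshold=5, window_s=60):
    """Return client IPs with at least `threshold` failures inside any
    `window_s`-second span, using a two-pointer sliding window."""
    failures = defaultdict(list)
    for event in parse_events(lines):
        failures[event["client_ip"]].append(float(event["ts"]))
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("flagged clients:", flag_repeated_failures(SAMPLE_LOG))
    print("unparseable lines:", count_unparseable(SAMPLE_LOG))
```

The detector is intentionally independent of the emitter: shipping the JSON lines to the central log server (third point above) and running the window check there keeps the detection logic out of the API process, so a compromised API host cannot simply stop reporting.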
Q11. What tools are required to test the security of web API?
Ans: Postman and Fiddler are both used to check a web API for security vulnerabilities.
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.