Most Asked API Security Interview Questions & Answers
In this blog, we list out the most asked API Security interview questions and answers.
Q1. List out Critical API Security Risks.
Ans: I am listing out the ten most critical security risks as given in the OWASP API Security Top 10 (2019):
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
Q2. What types of security issues come under the category of Injection?
Ans: All types of injection flaws, such as SQL, NoSQL, and command injection, come under the Injection category for APIs. As with web applications, an attacker tricks the interpreter into executing unintended commands or accessing data without proper authorization by sending untrusted data as part of an API request.
Q3. What are the methods available to prevent Injection flaws of API?
Ans: Below is the list of methods available to mitigate the risk of Injection flaws while implementing an API:
- Validate all user input and accept only the permissible types of input data
- Use a safe API (for example, parameterized queries instead of string-built commands)
- Implement brute-force mitigation techniques
- Limit the number of records returned when accessing data via the API
- Escape and sanitize user-provided special characters where they are not required
Q4. What types of security issues come under the category of Broken User Authentication?
Ans: Incorrectly or insecurely implemented authentication mechanisms come under the category of Broken User Authentication. Examples are allowing weak passwords, accepting unsigned or weakly signed JWT tokens, using weak encryption keys, having no technique in place to mitigate brute-force attacks, passing auth tokens and passwords in the URL, etc.
Q5. What is Mass Assignment security risk?
Ans: If an API binds client-supplied input directly to internal objects, this risk allows an attacker to edit details that the system would not allow in a normal scenario. For example, an e-commerce application allows a customer to change the delivery address. Mass assignment occurs if the attacker is able to change the wallet balance in the same request, which should be allowed only to an administrator.
Q6. List out mitigation techniques of Mass Assignment.
Ans: Mitigation techniques include correct implementation of least privilege, i.e. allowing the user to edit only those fields that the administrator has explicitly permitted (an allowlist), and using the framework's built-in features to blacklist properties that must never be set from client input, etc.
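To make the e-commerce scenario from Q5 and the allowlist mitigation from Q6 concrete, here is an added example (not code from the original post): a simulated profile-update handler, first with the mass-assignment bug and then with an allowlist of customer-editable fields. The profile record, field names and handler are constructed for this illustration.

```python
# Added example (not from the original post): a profile-update handler for the
# e-commerce scenario above, first with a mass-assignment bug, then allowlisted.
from typing import Any, Dict, Tuple

# Constructed sample record: a customer profile as stored server-side.
SAMPLE_PROFILE = {"id": 42, "delivery_address": "1 Old Street",
                  "wallet_balance": 10.00, "role": "customer"}

# Least privilege: the only fields a customer may change through this endpoint.
# wallet_balance and role are deliberately absent (admin-only workflows).
CUSTOMER_EDITABLE_FIELDS = frozenset({"delivery_address", "phone"})


def update_profile_vulnerable(profile: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Binds every key in the request body onto the stored record.
    This is the mass-assignment bug: any extra JSON key, e.g. wallet_balance, is accepted."""
    profile.update(payload)
    return profile


def update_profile_safe(profile, payload, editable=CUSTOMER_EDITABLE_FIELDS):
    """Copies only allowlisted keys; raises on anything else so the attempt can be logged."""
    disallowed = set(payload) - editable
    if disallowed:
        raise ValueError(f"fields not editable by this role: {sorted(disallowed)}")
    profile.update({k: payload[k] for k in payload})  # every key is now known-safe
    return profile


def handle_update_request(profile: Dict[str, Any], payload: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Simulated PATCH /profile handler returning (HTTP status, response body)."""
    try:
        updated = update_profile_safe(dict(profile), payload)
    except ValueError as err:
        # Reject the whole request rather than silently dropping fields: a client
        # sending admin-only fields is a signal worth logging (see Q10).
        return 400, {"error": str(err)}
    return 200, updated


if __name__ == "__main__":
    tampered = {"delivery_address": "2 New Street", "wallet_balance": 99999.00}
    print(update_profile_vulnerable(dict(SAMPLE_PROFILE), tampered))  # balance changed
    print(handle_update_request(SAMPLE_PROFILE, tampered))            # 400
    print(handle_update_request(SAMPLE_PROFILE, {"delivery_address": "2 New Street"}))  # 200
```

In a real framework the same idea is usually expressed through a request schema or a serializer with an explicit field list, rather than a hand-written allowlist.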
Q7. What type of security issues come under security misconfigurations?
Ans: This category is similar to security misconfiguration in web applications. I am listing out possible issues that come under the category of security misconfigurations:
- Transport Layer Security (TLS) not implemented
- Missing security headers
- Missing or overly permissive Cross-Origin Resource Sharing (CORS) policy
- Missing latest security patches
- Error messages that reveal excessive information (stack traces, internal paths, etc.)
- Lack of security hardening
Q8. List out security issues related to Insufficient Logging & Monitoring.
Ans:
- Log integrity is not guaranteed by the administrator
- Logs are not monitored periodically
- Logs are not available at all
- API-related infrastructure is not monitored
Q9. What is Improper Assets Management?
Ans: This category addresses issues related to the use of old or unpatched versions of an API.
Q10. How can we mitigate risks of Insufficient Logging & Monitoring?
Ans: I am listing out the logging and monitoring controls that must be in place:
- Log all failed authentication attempts.
- Logs should use a well-defined, consistent format and record the details of the input that triggered the event.
- A central log server should be available.
- Periodic backup of logs is mandatory.
- Check how logs are handled and ensure their integrity.
- Check that a mechanism exists for monitoring the infrastructure, network, and API functioning.
Q11. What tools are required to test the security of web API?
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.