The OWASP Top 10 is a list of the ten most critical web application security risks, published by OWASP, a non-profit organization that works to spread awareness of practices for building secure web applications. Here is a list of OWASP Top 10 interview questions and answers that are frequently asked in interviews.
Q1. What is OWASP? Also Mention OWASP TOP 10 2017?
Ans: OWASP (the Open Web Application Security Project) is a non-profit organization that publishes the Top 10 list of web application security risks. It works as a community of cybersecurity professionals who build an ecosystem for awareness about secure web applications. The 2017 edition of the Top 10 is:
A1:2017 – Injection
A2:2017 – Broken Authentication
A3:2017 – Sensitive Data Exposure
A4:2017 – XML External Entities (XXE)
A5:2017 – Broken Access Control
A6:2017 – Security Misconfiguration
A7:2017 – Cross-Site Scripting (XSS)
A8:2017 – Insecure Deserialization
A9:2017 – Using Components with Known Vulnerabilities
A10:2017 – Insufficient Logging & Monitoring
Q2. Mention what flaw arises from session tokens having poor randomness across a range of values?
Ans: Session prediction leading to session hijacking (also called cookie hijacking), which falls under A2:2017 – Broken Authentication. In this attack, the attacker obtains or guesses a valid session identifier (the session token, sometimes called the session key) and uses it to gain unauthorized access to information or services in the system. The flaw arises when session identifiers are generated with poor randomness: if tokens are predictable or drawn from a small range of values, an attacker can guess a valid one instead of having to steal it.
Q3. How to mitigate SQL Injection risks?
Ans: Mitigation of SQL injection:
- Prepared Statements with Parameterized Queries: Ensure that the SQL interpreter can always distinguish code from data. Never build dynamic queries by concatenating user input into the SQL string, because the interpreter then cannot tell the two apart. Instead, write a static SQL statement and pass the external input to it as a bound parameter. Prepared statements force the developer to define all the SQL code first and then pass each parameter to the query later.
- Use of Stored Procedures: A stored procedure is like a function in C: it is defined once in the database and called whenever it is needed. Stored procedures do not completely mitigate SQL injection (a procedure that builds dynamic SQL internally is just as exploitable), but they help reduce the risk when they avoid dynamic SQL generation and are called with parameters.
- White List Input Validation: Use whitelist input validation and allow only input that matches a format pre-approved by the developer. Avoid a blacklist approach, since enumerating bad input is less secure than defining what good input looks like.
- Escaping All User Supplied Input: Escape input with the database-specific escaping routine only as a last resort where parameterization is not possible; escaping is error-prone and differs between database engines.
- Enforcing the Least Privilege: Connect to the database with an account that has only the rights the application needs, so that a successful injection cannot read or modify tables outside the application's scope.
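The first and third points side by side, as an added example that is not part of the original article: a dynamic query and a parameterized query receive the same tautology payload against a constructed in-memory SQLite table (the sample users and the username format are assumptions made for the demonstration). The whitelist check sits in front of the database as defence in depth rather than as a replacement for binding.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample database (not data from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Dynamic query: the input is spliced into the SQL text, so the
    interpreter cannot distinguish the developer's code from user data."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the SQL is fixed before any input is seen and the
    value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Whitelist (assumed policy): only the characters a username may contain.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username):
    """Reject anything outside the pre-approved format before it reaches
    the database; this is defence in depth, not a substitute for binding."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed format")
    return username


def compare(payload):
    """Run the same input through both query styles; return the row counts."""
    conn = make_db()
    vulnerable_rows = find_user_vulnerable(conn, payload)
    safe_rows = find_user_safe(conn, payload)
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    # Tautology payload: the WHERE clause becomes ... = 'x' OR '1'='1'
    print(compare("x' OR '1'='1"))  # (2, 0): dynamic SQL returns every user, the bound query none
```

The bound query returns nothing because SQLite looks for a user literally named `x' OR '1'='1`; the quotes are data, not syntax. The whitelist would have rejected the payload earlier, but a username format that legitimately allows apostrophes (O'Brien) would not, which is why binding is the primary control.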
Q4. How to mitigate the risk of Weak authentication and session management?
Ans: Weak authentication and session management can be mitigated by strong authentication and session management controls, such as the following:
- Comply with all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS), areas V2 (Authentication) and V3 (Session Management).
- Give developers a single, simple interface for authentication rather than letting each application roll its own. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
- Use standard practices to protect the session ID from cross-site scripting attacks: mark the session cookie HttpOnly and Secure, generate IDs from a cryptographically secure random source, issue a new ID after login, and expire idle sessions.
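The following added example (written for this article, not taken from OWASP ESAPI or any framework) ties Q2 and Q4 together: a deliberately weak token generator seeded from a timestamp, which anyone who knows the seed can reproduce, next to a small server-side session store that uses the OS CSPRNG, stores only a hash of each token, expires idle sessions, rotates the ID after login, and emits the cookie flags listed above. The idle timeout and cookie name are assumed policy values.

```python
import hashlib
import random
import secrets
import time

TOKEN_BYTES = 32        # 256 bits from the OS CSPRNG; infeasible to guess
SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed policy value)


def weak_token(seed):
    """How NOT to do it: a PRNG seeded from a low-entropy value such as the
    login timestamp. Anyone who knows or brute-forces the seed gets the same
    token back, which is the 'poor randomness' flaw from Q2."""
    rng = random.Random(seed)
    return "%016x" % rng.getrandbits(64)


def strong_token():
    """Session ID from a cryptographically secure random source."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def _fingerprint(token):
    # Store only a hash of the token so a leaked session table cannot be
    # replayed directly as live sessions.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Minimal server-side session table: issue, look up, rotate, expire."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": str, "expires": float}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = strong_token()
        self._sessions[_fingerprint(token)] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the user bound to a token, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = _fingerprint(token)
        data = self._sessions.get(key)
        if data is None:
            return None
        if data["expires"] < now:
            del self._sessions[key]   # expired sessions are purged, never revived
            return None
        return data["user"]

    def rotate(self, token, now=None):
        """Issue a fresh ID after a privilege change (login, role change) so a
        fixated or previously observed ID cannot be reused."""
        user = self.lookup(token, now)
        if user is None:
            return None
        self.invalidate(token)
        return self.create(user, now)

    def invalidate(self, token):
        self._sessions.pop(_fingerprint(token), None)


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps the ID away from script (XSS), Secure
    keeps it off plaintext HTTP, SameSite limits cross-site request reuse."""
    return "session=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % token
```

`weak_token(int(time.time()))` looks random to a casual observer, yet an attacker who can narrow the login time to a window of a few thousand seconds can regenerate every candidate offline; `secrets.token_urlsafe` has no such seed to recover. The `now` parameter exists only so the expiry logic can be exercised deterministically.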
Q5. How to mitigate the risk of Sensitive Data Exposure?
Ans: The following mitigation techniques protect applications from sensitive data exposure:
- Prepare a threat model to secure data both in transit and at rest from both types of attacker (e.g. an insider and an external user).
- Encrypt sensitive data at rest and in transit (TLS for every connection that carries it), so that a stolen copy is useless without the key.
- Never store sensitive data unnecessarily. Discard it as soon as possible. Data you don't have can't be stolen.
- Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
- Always implement strong standard algorithms and strong keys, and ensure proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
- Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt, with a per-user salt and a work factor high enough to make offline cracking slow.
Q6. What is a bug bounty?
Ans: A bug bounty is a program run by many large organizations that rewards individuals who report security vulnerabilities to them. These organizations generally publish the reported vulnerabilities after fixing them.
Q7. What Is Failure to Restrict URL Access?
Ans: "Failure to Restrict URL Access" was A8 in OWASP Top 10 2010; the 2013 list dropped that name and replaced it with A7 Missing Function Level Access Control, and in 2017 it is covered by A5 Broken Access Control. The issue is forced browsing: a user accesses URLs (administrative pages, for example) that the application exposes but does not protect with a server-side authorization check. An attacker may guess links or use brute-force techniques to find such unprotected pages.
Q8. How to Prevent Breaches Due to Failure to Restrict URL Access
Ans: This can be mitigated by proper authentication and proper authorization checks on every page (and every function) of the web application, enforced on the server side. Some mitigation techniques are described below:
- Implement authentication and authorization policies based on roles rather than on individual users, to minimize the effort required to maintain them.
- Make the policies highly configurable, so that hard-coded access decisions are kept to a minimum.
- Deny all access by default, and explicitly grant only the functions each role needs.
Q9. How can we Protect Web Applications From Forced Browsing?
Ans: To protect web applications from forced browsing, verify that access-control settings are accurate and up to date on every page and application on the site, and enforce them on every request; hiding a link from the user interface is not a control, because the attacker simply types the URL.
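The controls from Q8 and Q9 in one place, as an added example that is not part of the original article: a role-based, deny-by-default URL policy checked on every request, with the path canonicalized first so traversal tricks and query strings cannot route a request past the rule that should govern it. The site layout, role names and policy table are constructed for the demonstration.

```python
import fnmatch
import posixpath

# Constructed policy (hypothetical site layout): URL pattern -> roles allowed.
# A request that matches no entry is denied, whatever the role.
ACCESS_POLICY = [
    ("/public/*",  {"anonymous", "user", "admin"}),
    ("/account/*", {"user", "admin"}),
    ("/admin/*",   {"admin"}),
]


def normalize(path):
    """Canonicalize before matching: strip the query string and collapse
    '..' so '/public/../admin/users' is judged as '/admin/users'."""
    path = path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def allowed_roles(path):
    for pattern, roles in ACCESS_POLICY:
        if fnmatch.fnmatchcase(path, pattern):
            return roles
    return set()   # deny by default: unlisted pages are reachable by nobody


def is_authorized(role, path):
    return role in allowed_roles(normalize(path))


def handle_request(role, path):
    """Server-side check on every request. Returns the HTTP status the
    application would send: 401 for an unauthenticated caller, 403 for an
    authenticated one that lacks the role, 200 otherwise."""
    if is_authorized(role, path):
        return 200
    return 401 if role == "anonymous" else 403
```

Note what the default-deny rule does to `/reports/export`: even the admin role is refused until someone adds the page to the policy, which is the behaviour you want when a developer ships a new function and forgets the access rule. Real applications would also check object-level ownership (which user may see which record) once the role check passes.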
Q10. Mention what is the basic design of OWASP ESAPI?
Ans: OWASP ESAPI is short for OWASP Enterprise Security API, a free, open-source web application security control library developed voluntarily by the OWASP community to help web developers build less vulnerable web applications.
The basic design of OWASP ESAPI is a set of security control interfaces and, for each security control, a reference implementation that an organization can use as-is or replace with its own implementation according to its requirements.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.