Top 10 Interview Questions | OWASP TOP 10

OWASP Top 10 is a list of the TOP 10 vulnerabilities released by OWASP. OWASP is a non-profit organization that works to spread awareness about practices for a secure web application. Here is the list of interview questions and answers of OWASP Top 10, which are frequently asked in interviews.

OWASP TOP 10 Interview Questions and Answers

Q1. What is OWASP? Also, Mention OWASP TOP 10 2021.

Ans: OWASP is a non-profit organization that releases the top 10 web vulnerabilities. It works as a community of cybersecurity professionals, who constantly work to build an ecosystem for awareness about secure web applications. Recently, OWASP released new top 10 vulnerabilities for 2021:

• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)

Q2. Mention what flaw arises from session tokens having poor randomness across a range of values.

Ans:  Session hijacking, is the issue related to A2: 2017 - Broken Authentication. It is also called cookie hijacking. In this type of attack, there is the possibility of exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a system. This flaw comes when there is poor randomness in the session key.

Q3. How to mitigate SQL Injection risks?

Ans: Mitigations of SQL injection:

• Prepared Statements with Parameterized Queries: Always ensure that your SQL interpreter can always differentiate between code and data. Never use dynamic queries which fail to find the difference between code and data. Instead, use static SQL query and then pass in the external input as a parameter to query.  The use of Prepared Statements (with Parameterized Queries) forces the developer first to define all the SQL code and then pass each parameter to the query later.
• Use of Stored Procedures: Stored Procedure is like a function in C where the database administrator calls it whenever he/she needs it. It is not completely mitigated SQL injection but definitely helps in reducing risks of SQL injection by avoiding dynamic SQL generation inside.
• White List Input Validation: Always use white list input validation and allow only preapproved input by the developer. Never use a blacklist approach as it is less secure than a whitelist approach.
• Escaping all user-supplied input
• Enforcing the Least Privilege

Click Here for SQL Injection Interview Questions

Q4. How to mitigate the risk of Weak authentication and session management?

Ans: Weak Authentication and Session management can be mitigated by controls of strong authentication and session management. Such controls are as follows:

• Compliant with all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
• Always use a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
• Use standard practices to secure session ID by cross-site scripting attacks.

Q5. How to mitigate the risk of Sensitive Data Exposure?

Ans: The following are the mitigation techniques employed for secure applications from Sensitive data exposure:

• Prepare a threat model to secure data both in transit and at rest from both types of the attacker( e.g., insider attack, external user)
• Encrypt data to protect it from any cyber attack.
• Never store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
• Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
• Always implement and ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
• Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.

Q6. What is a bug bounty?

Ans: Bug bounty is a program run by many big organizations that rewards those individuals who report security vulnerabilities to them. These organizations generally publish those vulnerabilities on websites after fixing those issues.

Q7. What Is Failure to Restrict URL Access?

Ans: This vulnerability has been removed from OWASP Top 10 2013. Actually, this issue is related to forced browsing where a user forcibly accesses URLs which is not supposed to access by the user. The attacker may guess links and brute force techniques to find unprotected pages through this vulnerability.

Q8. How to Prevent Breaches Due to Failure to Restrict URL Access?

Ans: This can be mitigated by using secure techniques for proper authentication and proper authorization for each page of the web application. Some mitigation techniques are described below:

• Implement Authentication and authorization policies based on the role instead of based on the user.
• Policies are highly configurable in favor of standard practices.
• Deny all access by default, and allow only those controls that the user needs.

Q9. How can we Protect Web Applications From Forced Browsing?

Ans: To protect web applications from forced browsing, strictly monitor access-control settings to be accurate and up-to-date on every page and application on the site.

Q10. Mention what is the basic design of OWASP ESAPI.

Ans: OWASP ESAPI is short for OWASP Enterprise Security API which is voluntarily developed by the OWASP community to provide a free, open-source, web application security control library to web developers to help them to develop a less vulnerable web application.

The basic design of OWASP ESAPI includes a set of security control interfaces. For each security control, there is a reference implementation that can be implemented as the requirement of the organization.