Web AppSec Interview Questions

The following web application security questions and answers (mostly focused on web app hacking) are part of a series from my social media. Most are supposed to be difficult, so don’t worry if you have trouble answering them! The answers are hidden by default so you can practice answering them yourself in preparation for an interview. Note that the answers aren’t necessarily complete; they are just how I would answer the question.

1. What is the difference between Web Cache Deception and Web Cache Poisoning?

2. What two criteria must be met to exploit Session Fixation?

3. What are the differences between Base64 and Base64URL encoding?

4. Name 5 (or more) types of Cross-Site Scripting.

5. How does Boolean *Error* Inferential (Blind) SQL Injection work?

6. What is the Same-Origin Policy (SOP) and how does it work?

7. How does the TE.TE variant of HTTP Request Smuggling work?

8. What is DOM Clobbering and how can it be used to bypass (some) HTML sanitizers, resulting in XSS?

9. Describe how HTTP Parameter Pollution could be used to bypass a Web Application Firewall.

10. Describe IDOR and explain how mitigating it is different from other access control vulnerabilities.

11. What are JWKs and JKUs and how does their usage differ in JWTs?

12. In the context of web apps, what is Business Logic, and how does testing for Business Logic vulnerabilities differ from testing for (for example) XSS, SQLi, etc.?

13. Describe 3 payloads you could use to identify a server-side template engine by causing an error message.

14. What is the purpose of the Sec-WebSocket-Key header?

15. What does the “unsafe-inline” value allow for if used in a script-src directive of a CSP?

16. Give an example of stateless authentication, and describe an inherent weakness of this authentication mechanism.

17. Describe 3 ways to mitigate Cross-Site Request Forgery.

18. What are XML parameter entities and what limitations do they have in XXE Injection?

19. What recommendations would you give a customer for fixing DOM based XSS?

20. What conditions must be met to *prevent* a browser from sending a CORS Preflight request?

21. Describe 3 ways an Insecure Deserialization vulnerability could be exploited.

22. List the checks an application might perform to ensure files cannot contain malicious content, and can only be uploaded to specific directories.

23. How does Mass Assignment work and what are some potential outcomes of exploiting such a vulnerability?

24. What is GraphQL batching and how can it be used to bypass rate limiting?

25. What is type juggling, and why does the JSON format help exploit these vulnerabilities?

26. Describe 3 techniques you might use to find sensitive data being exposed by an application.

27. Describe the attributes of a request which make it effectively immune to CSRF (i.e. CSRF mitigation is not required).

28. What are 3 negative outcomes (i.e. bad for the tester) that could arise if “OR <true>” (or similar) is relied on for SQL injection testing? 👀

29. Name 5 vulnerabilities which could potentially lead to OS command execution on a web app.

30. What is prototype pollution, and what exploits could it lead to with both client / server-side variants?

31. Describe how you would test for Vertical Access Control vulnerabilities on an application with 20 roles and 300+ different “functional” requests.

32. Under what circumstances is a tab’s Session Storage instance preserved?

33. Other than uploading XML via a form, how else might one find and exploit XXE?

34. Name some common password reset flow vulnerabilities.

35. What is the difference between encoding, encryption, and hashing?

36. Name some ways an attacker might exploit an HTTP Request Smuggling vulnerability.

37. What is Server-Side Request Forgery and how can it be detected & exploited?

38. Name some ways TLS / SSL can be misconfigured.

39. Give some reasons why sending sensitive data in a URL query parameter is insecure.

40. In what ways could an open redirect be exploited?

41. Describe two output encoding techniques and the context in which they should be used to mitigate Cross-site Scripting.

42. Describe three “403 Forbidden” bypass techniques.

43. Describe some potential CAPTCHA weaknesses.

44. You find XSS in an application, however the customer informs you that users should be able to submit HTML code. What advice would you give them to remain secure?

45. What are some questions you would ask a customer during a web app pentest scoping call?

46. How would you recommend a customer fix an Insecure Deserialization vulnerability?

47. Name some user account enumeration techniques.

48. Name some techniques to detect blind/inferential command injection vulnerabilities.

49. What are some types of race condition vulnerabilities in web applications?

50. How does NoSQL Injection differ from SQL Injection?

51. Describe the syntax of an HTTP request.

52. Name some potential attacks against JWTs.

53. Describe the process of finding and exploiting a web cache poisoning issue.

54. Describe the process of finding and exploiting a Server-Side Template Injection.

55. What is formula injection and how might it be exploited?

56. What are some common OAuth 2.0 flaws & misconfigurations?

57. Describe the CL.0 variant of HTTP Request Smuggling and how it differs from standard variants (e.g. CL.TE).

58. Name some potential ways to exploit HTML Injection.

59. Describe some methods for bypassing SSRF detection filters.

60. Describe different ways a PHP include() could be exploited to gain code execution.

61. Explain how CRLF Injection works and describe possible ways it could be exploited.