OWASP & Web Security Interview Prep

Top 35 OWASP & Web Security Interview Questions 2025

Q: What is OWASP Top 10 and its current categories?

2021 Top 10: (1) Broken Access Control, (2) Cryptographic Failures, (3) Injection, (4) Insecure Design, (5) Security Misconfiguration, (6) Vulnerable Components, (7) Auth Failures, (8) Software/Data Integrity Failures, (9) Logging/Monitoring Failures, (10) SSRF. Focus shifted to root causes (insecure design) not just symptoms. Use as baseline, not comprehensive list.

Q: How do you prevent SQL injection?

Primary defense: parameterized queries/prepared statements (never concatenate user input). Additional: input validation (whitelist), escape special characters (last resort), least privilege database accounts, WAF rules. ORM frameworks help but aren't foolproof. Test with SQLMap. Injection affects any interpreter (LDAP, OS commands, XPath).

Q: Explain XSS types and prevention.

Types: Stored (persisted in database), Reflected (in URL/request), DOM-based (client-side). Prevention: output encoding (HTML, JS, URL, CSS contexts), Content Security Policy (CSP), input validation, HttpOnly cookies, sanitize HTML (DOMPurify). Modern frameworks auto-escape but watch dangerouslySetInnerHTML, v-html, etc.

Q: What is CSRF and how do you prevent it?

CSRF: attacker tricks user into performing unwanted action on authenticated site. Prevention: (1) CSRF tokens (synchronizer token pattern), (2) SameSite cookie attribute, (3) Verify Origin/Referer headers, (4) Custom request headers (APIs). Token per-session or per-request. Modern frameworks provide built-in CSRF protection. Double-submit cookie pattern for stateless.

Q: How do you implement security headers?

Essential headers: Content-Security-Policy (XSS mitigation), Strict-Transport-Security (HTTPS only), X-Content-Type-Options: nosniff, X-Frame-Options/CSP frame-ancestors (clickjacking), Referrer-Policy. Use helmet.js (Node) or similar. Test with securityheaders.com. Balance security with functionality; CSP can break features if too strict.

Prepare for security interviews with 35+ questions on OWASP Top 10, vulnerabilities, and secure coding.

5 Questions

~30 min read

OWASP

beginner

What is OWASP Top 10 and its current categories?

Injection

intermediate

How do you prevent SQL injection?

XSS

intermediate

Explain XSS types and prevention.

CSRF

intermediate

What is CSRF and how do you prevent it?

Headers

intermediate

How do you implement security headers?

Ready to Test Your OWASP & Web Security Skills?

Practice with real interview questions and get instant feedback.

Top 35 OWASP & Web Security Interview Questions 2025

OWASP

Injection

XSS

CSRF

Headers

Related Interview Questions

Ready to Test Your OWASP & Web Security Skills?