Prepare for security interviews with 35+ questions on OWASP Top 10, vulnerabilities, and secure coding.
2021 Top 10: (1) Broken Access Control, (2) Cryptographic Failures, (3) Injection, (4) Insecure Design, (5) Security Misconfiguration, (6) Vulnerable Components, (7) Auth Failures, (8) Software/Data Integrity Failures, (9) Logging/Monitoring Failures, (10) SSRF. Focus shifted to root causes (insecure design) rather than just symptoms. Use as a baseline, not a comprehensive list.
Primary defense: parameterized queries/prepared statements (never concatenate user input). Additional: input validation (whitelist), escape special characters (last resort), least privilege database accounts, WAF rules. ORM frameworks help but aren't foolproof. Test with SQLMap. Injection affects any interpreter (LDAP, OS commands, XPath).
Types: Stored (persisted in database), Reflected (in URL/request), DOM-based (client-side). Prevention: output encoding (HTML, JS, URL, CSS contexts), Content Security Policy (CSP), input validation, HttpOnly cookies, sanitize HTML (DOMPurify). Modern frameworks auto-escape but watch dangerouslySetInnerHTML, v-html, etc.
CSRF: attacker tricks a user into performing an unwanted action on a site where they are authenticated. Prevention: (1) CSRF tokens (synchronizer token pattern), (2) SameSite cookie attribute, (3) Verify Origin/Referer headers, (4) Custom request headers (APIs). Token per-session or per-request. Modern frameworks provide built-in CSRF protection. Double-submit cookie pattern for stateless backends.
Essential headers: Content-Security-Policy (XSS mitigation), Strict-Transport-Security (HTTPS only), X-Content-Type-Options: nosniff, X-Frame-Options/CSP frame-ancestors (clickjacking), Referrer-Policy. Use helmet.js (Node) or similar. Test with securityheaders.com. Balance security with functionality; CSP can break features if too strict.