1. What is the OWASP Top 10?

2. What are cross-site scripting (XSS) attacks?

3. How do you mitigate XSS attacks?
4. What is SQL injection?
5. How do you protect against SQL injection?
6. What are secure coding practices?
7. What is CSRF (Cross-Site Request Forgery)?
8. How does the Cross-Site Scripting (XSS) differ from Cross-Site Request Forgery
(CSRF)?
9. What is session hijacking?
10. What is a Web Application Firewall (WAF)?
11. What is input validation and why is it important?
12. What is directory traversal and how can you prevent it?
13. What is Security Misconfigurations and how to prevent or mitigate?
14. What is XML External Entities (XXE) and why did it change to Security Misconfigurations
in 2021 Owasp top 10.
15. What is Broken Access Control and how to prevent or mitigate?
16. What is Identification and Authentication Failures and how does it different from Broken
Access Controls?
17. What is Insecure Deserialization and how to prevent or mitigate?
18. What is rate limiting, and how does it protect web applications?
19. What is the cost of using Vulnerable and Outdated Components? Why do people still
prefer to do it so?
20. Which category do you think that 2024 Crowdstrike Update Failure is a part of?

1. What is the OWASP Top 10?

The OWASP Top 10 is a list of the most critical web application security risks, published by the
Open Web Application Security Project (OWASP). It serves as a guideline for developers and
organizations to improve their security posture.

● Broken Access Control

● Cryptographic Failures
● Injection
● Insecure Design
● Security Misconfiguration
● Vulnerable and Outdated Components
● Identification and Authentication Failures
● Software and Data Integrity Failures
● Security Logging and Monitoring Failures
 ● Server-Side Request Forgery (SSRF)

2. What are cross-site scripting (XSS) attacks?

XSS attacks occur when an attacker injects malicious scripts into content from otherwise trusted
websites. These scripts are executed in the user's browser, potentially stealing cookies,
sessions, or other sensitive information. A notable example is the MySpace Worm (2005),
where an XSS vulnerability allowed an attacker to propagate a worm through user profiles.

3. How do you mitigate XSS attacks?

To mitigate XSS attacks, developers can implement various measures such as:

○ Input Validation: Validate and sanitize user input to ensure that only expected
data types are processed.
○ Output Encoding: Use context-specific encoding (like HTML encoding) to
prevent scripts from executing in browsers.
○ Content Security Policy (CSP): Use CSP headers to restrict which scripts can
run on the site. For example, Google has implemented CSP on its services to
prevent XSS.

4. What is SQL injection?

SQL injection is an attack that allows an attacker to manipulate SQL queries by injecting
malicious code through user input fields. This can lead to unauthorized access to databases.

The Heartland Payment Systems breach in 2008 is a well-known example of an SQL

injection attack. In this incident, attackers exploited SQL injection vulnerabilities in the
company's payment processing system to gain access to its database. This allowed them to
steal millions of credit card numbers and associated information. The breach exposed around
130 million credit card records, making it one of the largest data breaches at the time.

This attack underscored the importance of secure coding practices, particularly the need to
properly sanitize and validate user inputs to prevent SQL injection attacks and protect sensitive
financial data.

5. How do you protect against SQL injection?

To protect against SQL injection:

○ Use Prepared Statements: Parameterized queries prevent SQL injection by

separating SQL code from data.
○ Input Validation: Validate and sanitize user inputs.
 ○ Web Application Firewalls (WAF): Implement a WAF to detect and block SQL
injection attempts. For example, many organizations use AWS WAF to protect
their applications.

6. What are secure coding practices?

Secure coding practices are guidelines and techniques that help developers write code that is
resistant to vulnerabilities. Key practices include:

○ Input Validation: Always validate user inputs.

○ Error Handling: Avoid exposing stack traces or sensitive data in error
messages.
○ Use of Libraries: Regularly update and use secure libraries. A well-known
example of secure coding practice is the Mozilla Secure Coding Guidelines.

7. What is CSRF (Cross-Site Request Forgery)?

CSRF is an attack that tricks a user into executing unwanted actions on a web application in
which they are authenticated. For instance, if a user is logged into their banking site and clicks
on a malicious link, it could initiate a transfer without their consent.

The famous CSRF (Cross-Site Request Forgery) example involving eBay occurred in 2010,
where attackers took advantage of the vulnerability to place unauthorized bids on auctions on
behalf of users without their consent. The exploit worked by tricking users into clicking on
malicious links or visiting compromised websites while logged into their eBay accounts.
Once triggered, the CSRF attack sent fraudulent requests to eBay, which appeared as if they
came from the legitimate user, resulting in unauthorized actions like placing bids.

This incident highlighted the dangers of CSRF attacks and the need for secure anti-CSRF
tokens and proper validation mechanisms to prevent such unauthorized actions.

8. How does Cross-Site Scripting (XSS) differ from Cross-Site Request

Forgery (CSRF)?

XSS targets users by injecting malicious scripts into webpages, allowing attackers to steal
information from users. In contrast, CSRF targets the web application itself by causing it to
execute unwanted actions on behalf of authenticated users. For example, XSS can be used to
steal session cookies, while CSRF can be used to perform actions like changing a user’s email
address.

9. What is session hijacking?

In computer science, session hijacking, sometimes also known as cookie hijacking, is the
exploitation of a valid computer session—sometimes also called a session key—to gain
unauthorized access to information or services in a computer system.
In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a
remote server. It has particular relevance to web developers, as the HTTP cookies used to
maintain a session on many websites can be easily stolen by an attacker using an intermediary
computer or with access to the saved cookies on the victim's computer (HTTP cookie theft).

After successfully stealing appropriate session cookies an adversary might use the Pass the
Cookie technique to perform session hijacking. Cookie hijacking is commonly used against
client authentication on the internet. Modern web browsers use cookie protection mechanisms
to protect the web from being attacked.

The notable incident involving Twitter in 2010 was a session hijacking attack, where attackers
exploited a vulnerability to gain access to high-profile accounts. This attack, often referred to as
"sidejacking," involved intercepting and stealing users' session cookies, which are used to
authenticate them after login. By hijacking these session tokens, attackers were able to
impersonate users and take control of their accounts without needing their login credentials.

The attack exposed the need for stronger protections like using HTTPS for secure
communication to prevent session tokens from being intercepted, which Twitter later
implemented across the platform.

10. What is a Web Application Firewall (WAF)?

A WAF is a security solution that monitors and filters HTTP, HTTPS traffic to and from a web
application. It protects against various attacks such as SQL injection and XSS.

For example, Cloudflare offers a WAF that helps secure websites by blocking malicious traffic.

11. What is input validation and why is it important?

Input validation is the process of verifying that user input is safe and meets the application’s
criteria before processing it. It is essential for preventing various attacks, such as SQL injection
and XSS. For example, the Toyota vehicle recall incident in 2010 was partially attributed to poor
input validation that allowed unauthorized access to vehicle systems.

12. What is directory traversal and how can you prevent it?

Directory traversal is an attack that allows attackers to access files and directories outside the
intended directory by manipulating file paths. To prevent this:

○ Validate User Input: Ensure that file paths do not include directory traversal
characters like ../.
○ Use Whitelisting: Only allow access to specific files or directories.
The Adobe ColdFusion vulnerability is a well-known example of a directory traversal attack.
In this case, attackers exploited a flaw in Adobe ColdFusion that allowed them to manipulate file
paths and gain unauthorized access to sensitive files stored on the server. By sending specially
crafted requests, attackers could traverse the directory structure outside of the intended web
directory, enabling them to view and potentially download critical files like password files,
configuration files, and other sensitive data.

This vulnerability demonstrated the risks of improper input validation and inadequate controls on
file access, which can lead to severe security breaches in web applications.

13. What is Security Misconfigurations and how to prevent or mitigate?

Security misconfigurations occur when security settings are incomplete or poorly configured,
leading to vulnerabilities. To prevent this:

○ Conduct Regular Audits: Regularly review security configurations.

○ Use Automation Tools: Employ tools to automate the configuration process and
check for compliance.

The Capital One breach in 2019 is a famous example of a security misconfiguration. In this
case, a misconfigured Web Application Firewall (WAF) allowed attackers to exploit a
vulnerability and access sensitive data stored in Amazon Web Services (AWS) S3 buckets. The
breach resulted in the exposure of personal information, including the Social Security numbers,
bank account details, and credit scores of over 100 million customers.

This incident highlighted the importance of properly configuring security tools like firewalls,
ensuring least-privilege access, and regularly auditing cloud security settings to prevent
unauthorized access to sensitive data.

14. What is XML External Entities (XXE) and why did it change to Security
Misconfigurations in the 2021 OWASP Top 10?

XXE is a vulnerability that allows an attacker to exploit poorly configured XML parsers to access
files or perform malicious actions on the server. In the 2021 OWASP Top 10, it was integrated
into the Security Misconfigurations category, as many XXE vulnerabilities stem from
misconfigured XML processors that allow external entities to be processed.

The 2017 Uber data breach is a well-known example of an XML External Entity (XXE)
exploitation. In this incident, attackers exploited an XXE vulnerability in Uber's system to gain
unauthorized access to sensitive data stored on their servers. XXE attacks occur when an
application processes XML input insecurely, allowing attackers to inject external entities into the
XML, which can lead to the exposure of confidential files, server-side request forgery (SSRF), or
denial of service.
This breach underscored the importance of securely configuring XML parsers to disable
external entity processing, preventing such attacks from exposing sensitive information.

15. What is Broken Access Control and how to prevent or mitigate?

Broken access control occurs when users can act outside their intended permissions, leading to
unauthorized access to resources. To prevent this:

○ Implement Role-Based Access Control (RBAC): Enforce user roles and

permissions strictly.
○ Regularly Review Access Controls: Audit permissions to ensure users have
only the access necessary.

The Facebook data leak in 2019 is a notable example of broken access control. In this case,
inadequate access controls allowed unauthorized third parties to access sensitive user data
stored on Facebook’s servers. Specifically, a large dataset of user information, including names,
phone numbers, and Facebook IDs, was publicly accessible without proper restrictions,
enabling attackers and unauthorized users to retrieve it.

This incident highlighted the critical need for implementing robust access controls, ensuring that
sensitive data is only accessible to authorized individuals and systems, and regularly auditing
permissions to prevent unauthorized access.

16. What is Identification and Authentication Failures and how does it differ
from Broken Access Controls?

Identification and authentication failures occur when an application fails to properly verify user
identities, leading to unauthorized access.

This differs from broken access control, which involves users gaining unauthorized access to
resources they shouldn’t access.

The Yahoo data breach in 2013 is a well-known example of identification and authentication
failures. In this breach, attackers exploited weak authentication mechanisms, including poorly
implemented password management and outdated encryption methods, to gain unauthorized
access to over 3 billion user accounts. The breach involved stolen user credentials, security
questions, and answers, exposing a vast amount of sensitive information.

This incident demonstrated the dangers of weak authentication systems and highlighted the
importance of using strong password policies, multi-factor authentication (MFA), and robust
encryption methods to protect user accounts from unauthorized access.
17. What is Insecure Deserialization (Software and Data Integrity Failures)
and how to prevent or mitigate?

● Answer: Insecure deserialization occurs when untrusted data is used to recreate

objects, potentially allowing attackers to manipulate application logic or execute code. To
prevent this:
○ Implement Integrity Checks: Ensure that serialized objects are verified before
processing.
○ Use Safe Serialization Formats: Avoid using formats that allow arbitrary code
execution.

The eBay vulnerability in 2014 is a well-known example of insecure deserialization. In this

case, attackers exploited deserialization flaws in eBay's system to execute arbitrary code on the
server. The vulnerability occurred because eBay improperly handled user-supplied serialized
objects, allowing attackers to craft malicious objects that, when deserialized, executed
unauthorized commands or actions on the server.

This incident highlighted the risks associated with insecure deserialization, demonstrating the
importance of validating and sanitizing serialized data and avoiding the deserialization of
untrusted input to prevent remote code execution attacks.

18. What is rate limiting, and how does it protect web applications?

Rate limiting is a technique used to control the number of requests a user can make to a web
application within a given timeframe. This helps prevent abuse, such as brute-force attacks or
denial-of-service (DoS) attacks. For example, Twitter uses rate limiting to restrict API requests,
ensuring fair usage and protecting against abuse.

19. Cost of Using Vulnerable and Outdated Components:

1. Security Risks:
Using outdated or vulnerable components (libraries, frameworks, software, etc.) exposes
the system to known vulnerabilities that attackers can easily exploit. This can lead to
data breaches, unauthorized access, and service disruptions, with significant financial,
reputational, and legal consequences.
2. Increased Maintenance Costs:
Outdated components may lack vendor support, requiring custom fixes and
workarounds, which increases maintenance efforts and costs over time.
3. Compliance Issues:
Many regulatory frameworks (e.g., GDPR, PCI-DSS) require up-to-date software and
security patches. Using vulnerable components can lead to non-compliance, resulting in
fines or penalties.
 4. Performance Degradation:
Older components may not be optimized for current technology stacks, leading to poor
performance or compatibility issues, which can slow down the application and reduce
user satisfaction.
5. Technical Debt:
Accumulating outdated components creates technical debt, where the time and
resources required to update or replace them later are much higher than addressing
them early on.

Why Do People Use Vulnerable and Outdated Components?

1. Legacy Systems:
Organizations often rely on legacy systems where upgrading components is complex
and expensive. In some cases, these systems are mission-critical, making downtime for
updates risky.
2. Cost and Time Constraints:
Updating components requires time, resources, and testing. Some organizations delay
updates due to budget limitations, staffing shortages, or prioritizing other business needs
over security.
3. Compatibility Issues:
Upgrading one component may break compatibility with others. To avoid the risk of
breaking existing functionality, developers sometimes stick with outdated versions that
"just work."
4. Lack of Awareness:
In some cases, developers or teams may not be aware of vulnerabilities in the
components they are using or may lack automated tools to identify and alert them to
outdated versions.
5. Perceived Low Risk:
Some organizations may underestimate the potential risk of using outdated components,
especially if they’ve experienced no incidents in the past. This false sense of security
can lead to postponing necessary updates.
6. Dependency Chains:
Complex applications often have many dependencies. An update to a key library might
introduce cascading effects across multiple components, making teams hesitant to
update and test each dependency.
20. Which category do you think that 2024 Crowdstrike Update Failure is
a part of?

Security Misconfiguration

The faulty configuration file responsible for screening named pipes directly caused system
instability, leading to crashes and reboot loops. This is a classic example of security
misconfiguration, where incorrect or unsafe settings led to a breakdown in the system. In this
case, the configuration update was not properly tested or validated, and the automatic
deployment of these content files further exacerbated the issue by not allowing users to delay or
validate the updates before deployment.

Software and Data Integrity Failures

The update led to data integrity failures, causing memory errors (out-of-bounds reads) and
resulting in system crashes. The integrity of the update process was compromised because it
didn’t allow a rollback or preventive mechanism, effectively damaging systems across Azure
and Google Compute Engine.