Application Security Flashcards

1
Q

Describe the last program or script that you wrote.

What problem did it solve?

A

All we want to see here is if the color drains from the person’s face. If they panic then we not only know they’re not a programmer (not necessarily bad), but that they’re afraid of programming (bad). I know it’s controversial, but I think that any high-level security person needs at least some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

2
Q

How would you implement a secure login field on a high traffic website where performance is a consideration?

A

The answer you’re looking for here is that TLS is a must for the entire site at this point, and that there are very few situations where you shouldn’t insist on encryption.

Other good responses include those around using solid, dependable frameworks, and not building your own.

3
Q

What are the various ways to handle account brute forcing?

A

Look for discussion of account lockouts, IP restrictions, fail2ban, commercial versions thereof, etc.

4
Q

What is Cross-Site Request Forgery?

A

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

5
Q

How does one defend against CSRF?

A

Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here—not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

6
Q

If you were a site administrator looking for incoming CSRF attacks, what would you look for?

A

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic.

7
Q

What’s the difference between HTTP and HTML?

A

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for them not to panic. The object here should be identifying absolute beginners and/or having fun with people who know how silly the question is.

8
Q

How does HTTP handle state?

A

It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.

9
Q

What exactly is Cross Site Scripting, and how would you explain it to a 10-year-old?

A

You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser.

10
Q

What’s the difference between stored and reflected XSS?

A

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

11
Q

What are the common defenses against XSS?

A

Input Validation and Output Sanitization, with focus on the latter.
