Updated post at https://ishaqmohammed.me/posts/application-security-engineer-interview-questions/

Application Security Engineer Interview Questions

Some of the questions/topics which i was asked when i was giving interviews for Application/Product Security Engineering roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer. I tried to include the reference resource for some of the questions/topics, feel free to reach out to me on twitter for any feedback/suggestions/discussions.

Which architecture is more secure? 2 tier or 3 tier
Explain SSL Handshake
- https://www.youtube.com/watch?v=ubHZQrECeew
- https://www.cloudflare.com/learning/ssl/how-does-ssl-work/
- https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
Recommend XXE mitigation for application which requires external entities to be called because of business requirement
Explain CORS and SOP
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://portswigger.net/web-security/cors
- https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
- https://www.bedefended.com/papers/cors-security-guide
Does SOP mitigate CSRF attacks?
- https://security.stackexchange.com/questions/157061/how-does-csrf-correlate-with-same-origin-policy
Exploiting SSRF attacks
- https://portswigger.net/web-security/ssrf
- https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
- https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
What is web cache deception?
- https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
- http://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
- https://portswigger.net/research/practical-web-cache-poisoning
What is HTTP request smuggling?
- http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling
- https://portswigger.net/web-security/request-smuggling
Explain DOM XSS. Can DOM XSS be stored? Can CSP header mitigate dom based XSS
- https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
- https://html.spec.whatwg.org/multipage/parsing.html
- https://portswigger.net/web-security/cross-site-scripting/dom-based
- https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
- https://www.scip.ch/en/?labs.20171214
What will be your testcase for a file upload functionality?
- https://medium.com/@satboy.fb/art-of-unrestricted-file-upload-exploitation-92ed28796d0
- https://resources.infosecinstitute.com/file-upload-vulnerabilities/#gref
- https://pentestlab.blog/2012/11/19/abusing-file-upload/
- https://pentestlab.blog/2012/11/29/bypassing-file-upload-restrictions/
What is HSTS?
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Explain SSL Stripping
- https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/
If you have API calls which need to fetch credentials, what will be the secure way to store secrets and making them available for API calls?
- https://medium.com/hackernoon/where-do-you-keep-credentials-for-your-lambda-functions-cac746048480
How does file compression work?
Which method is secure? Compress First and then Encrypt the data or Encrypt First then Compress
You have found a vulnerability a product/infrastructure, how will you investigate if this was not exploited already by an attacker
What is SPF, DKIM and DMARC?
- https://www.smartertools.com/blog/2019/04/09-understanding-spf-dkim-dmarc
- https://www.endpoint.com/blog/2014/04/15/spf-dkim-and-dmarc-brief-explanation
- https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/
Explain DNS Exfiltration
Explain Log Poisoning using LFI/RFI
- https://www.hackingarticles.in/apache-log-poisoning-through-lfi/
- https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/
- https://highon.coffee/blog/lfi-cheat-sheet/
Do the HttpOnly cookie and X-XSS-Protection header mitigate cross-site scripting attacks?
How do you exploit XSS in a post request?
- https://portswigger.net/blog/exploiting-xss-in-post-requests
Difference: IDOR, Missing function level access control and privilege escalation
How does burp suite work with HTTPs requests?
- https://www.quora.com/How-is-it-possible-that-a-proxy-tool-like-Burp-Suite-is-able-to-decrypt-HTTPS-communication-like-plain-text-credentials
- https://portswigger.net/burp/documentation/desktop/tools/proxy/using
Is the DNS service's communication encrypted?
Security implications in DNS
DNS over HTTPs
- https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
- https://www.chromium.org/developers/dns-over-https
How does ssh authentication work?
- https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
- https://gravitational.com/blog/ssh-handshake-explained/
How to create and implement an SSL certificate?
How to verify if a database is encrypted?
If you want a script to use credentials from the system, where will you store the credentials?
Explain SDLC
In which phase of SDLC should security be integrated?
Explain encryption in Wifi network communication.
What are stateless and stateful requests?
- https://www.geeksforgeeks.org/difference-between-stateless-and-stateful-protocol/
How is the state of a request saved in HTTP?
What data does the shadow file contains?
- https://www.cyberciti.biz/faq/understanding-etcshadow-file/
What is salt in cryptography?
What is Double-Submit Cookie?
What is Preflight request?
- https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
What are Certificate Transparency Logs?
What is your favourite vulnerability and why?
Talk about any latest/interesting vulnerability or breach you learnt about.

Reviews

Repository Details

Application Security Engineer Interview Questions

Which architecture is more secure? 2 tier or 3 tier

Explain SSL Handshake

Recommend XXE mitigation for application which requires external entities to be called because of business requirement

Explain CORS and SOP

Does SOP mitigate CSRF attacks?

Exploiting SSRF attacks

What is web cache deception?

What is HTTP request smuggling?

Explain DOM XSS. Can DOM XSS be stored? Can CSP header mitigate dom based XSS

What will be your testcase for a file upload functionality?

What is HSTS?

Explain SSL Stripping

If you have API calls which need to fetch credentials, what will be the secure way to store secrets and making them available for API calls?

How does file compression work?

Which method is secure? Compress First and then Encrypt the data or Encrypt First then Compress

You have found a vulnerability a product/infrastructure, how will you investigate if this was not exploited already by an attacker

What is SPF, DKIM and DMARC?

Explain DNS Exfiltration

Explain Log Poisoning using LFI/RFI

Do the HttpOnly cookie and X-XSS-Protection header mitigate cross-site scripting attacks?

How do you exploit XSS in a post request?

Difference: IDOR, Missing function level access control and privilege escalation

How does burp suite work with HTTPs requests?

Is the DNS service's communication encrypted?

Security implications in DNS

DNS over HTTPs

How does ssh authentication work?

How to create and implement an SSL certificate?

How to verify if a database is encrypted?

If you want a script to use credentials from the system, where will you store the credentials?

Explain SDLC

In which phase of SDLC should security be integrated?

Explain encryption in Wifi network communication.

What are stateless and stateful requests?

How is the state of a request saved in HTTP?

What data does the shadow file contains?

What is salt in cryptography?

What is Double-Submit Cookie?

What is Preflight request?

What are Certificate Transparency Logs?

What is your favourite vulnerability and why?

Talk about any latest/interesting vulnerability or breach you learnt about.

Further readings and references:

How to prepare for a security engineer interview by Eray Mitrani

Security_Engineer_Interview_Questions by Tad Whitaker

Security Engineer - Interview Questions by Namish

60 Cybersecurity Interview Questions 2019 Update by Daniel Miessler

More Repositories