Web Security Interview Questions & Answers - Learning Mode


Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to Internet and web systems. Web server security is the protection of information assets that can be accessed from a web server. It matters for any organization that has a physical or virtual web server connected to the Internet. Your web security posture is relatively weaker if your company holds financial assets such as credit card or identity information, if your web site content is controversial, or if your servers, applications and site code are complex or old and are maintained by an underfunded or outsourced IT department.

Question: What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

Answer: Request: - - [09/Oct/2004:19:40:46 --0400] "POST /index.php
HTTP/1.1" 403 743
Handler: cgi-script
POST /index.php HTTP/1.1
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
mod_security-message: Access denied with c
Question: You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this:

Answer: "GET /cgi-bin/logon_validate?login=test&password=test"

The source code is shown below:

    void show_error(void) {
        // AUTHENTICATION ERROR
        exit(-1);
    }

    int main(int argc, char **argv) {
        char error_on_auth='1';
        char user[128];
        char pass[128];
        char *ch_ptr_begin;
        char *ch_ptr_end;

        /**********************************/
        /* Get Username from Query String */
        /**********************************/
        ch_ptr_begin=(char *)strstr(****QUERY_STRING****,"login=");
        if (ch_ptr_begin==NULL)
            show_error(
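The listing above declares 128-byte user and pass buffers and locates login= with an unbounded strstr() lookup, which is the point of the review question. The defensive form of that step, added here as an example and not part of the original listing, is a bounded parser that rejects any value that would not fit instead of copying it; the names get_query_param and parse_logon are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Bounded replacement for the strstr() lookup in the logon_validate
 * listing. Copies the value of `key` from `query` into `out` (capacity
 * `outsz`), stopping at '&' or end of string. Returns false if the key is
 * absent or the value plus its NUL does not fit, so a value longer than
 * the listing's 128-byte buffers is rejected rather than copied. Keys
 * match only at the start of a name=value pair, so "xlogin=" is not "login". */
bool get_query_param(const char *query, const char *key,
                     char *out, size_t outsz)
{
    if (!query || !key || !out || outsz == 0)
        return false;
    size_t klen = strlen(key);
    for (const char *p = query; *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz)
                return false;           /* reject, never truncate silently */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return true;
        }
        const char *next = strchr(p, '&');   /* skip to the next pair */
        if (!next)
            break;
        p = next + 1;
    }
    return false;
}

/* Same 128-byte user/pass buffers as the listing: returns 0 on success,
 * -1 if either parameter is missing or oversized, so the caller can
 * refuse the logon instead of continuing with corrupted stack data. */
int parse_logon(const char *query, char *user, size_t usz,
                char *pass, size_t psz)
{
    return (get_query_param(query, "login", user, usz) &&
            get_query_param(query, "password", pass, psz)) ? 0 : -1;
}
```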
Question: What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Answer: Goal of question: We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

* Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
* Proper logging: increasing the verbosity of logging (Mod_Security audit_log)
* Remote Centralized Logging
* Alerting Mechanisms
* Updating Signatures/Policies
Question: What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?

Answer: Goal of question: Determine if the applicant uses computer security resources such as CERT, the SANS Internet Storm Center or ICAT. Email lists such as SecurityFocus, Bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web-based worms (PHP Santy Worm) or widely used applications (awstats scripts) are acceptable.
Question: If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

Answer: You could use either Microsoft's Internet Security and Acceleration (ISA) Server as a front-end proxy, or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive, which will block directory traversal attempts.
Question: What are some examples of how you would attempt to gain access?

Answer: Goal of question: Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or SQL injection queries that produce an SQL true statement (such as OR 1=1#). If they provide SQL examples, then offer them the following error document information and ask them what it indicates.

ODBC Error Code = 37000 (Syntax error or access violation)

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect
Question: Why do we use a firewall for security when we have facilities like access lists on routers?

Answer: No answer available currently.
Question: What are the most important steps you would recommend for securing a new web server? Web application?

Answer: Goal of question: Once again, there is no right or wrong answer; however, we are interested in what the applicant views as important.

Web Server Security:
* Update/Patch the web server software
* Minimize server functionality: disable extra modules
* Delete default data/scripts
* Increase logging verbosity
* Update Permissions/Ownership of files

Web Application Security:
* Make sure input validation is enforced within the code
Question: What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?

Answer: Goal of question: This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technical topics to a wide audience. The second question will help verify that the applicant fully understands how XSS attacks work and the impact on client information. WASC has a web security glossary of terms that may be of help:

Cross-Site Scripting: (Acronym XSS) An att
Question: What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?

Answer: Goal of question: Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT method) and the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL request line. To identify this data, a network sniffing application would need to be used. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule:

alert tcp $EXT
Question: One of your web servers is logging multiple requests similar to the following:

Answer: - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
Question: What do you see as the most critical and current threats affecting Internet-accessible websites?

Answer: Goal of question: To gauge the applicant's knowledge of current web-related threats. Topics such as denial of service, brute force, buffer overflows, and input validation are all relevant. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).