Without any further ado, let’s proceed to the core challenge.
Now is the time to ask some OWASP Top 10 questions to test your candidate’s knowledge of common web-based attacks. Attacks include SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), directory traversal, LDAP/XML/command injection, clickjacking, remote file inclusion, remote code execution, buffer/integer/heap overflows, and so on. You could formulate hundreds of specific web AppSec questions. But since you have limited time to assess the candidate, consider questions that show you their thought process:
Question: Which approach is better: a manual security test or an automated security test? Short answer: It depends. Long answer: We don’t have a clear winner, so the candidate should compare the pros and cons of both and describe a balanced approach.
Question: What is the difference between white box and black box testing? Which is better? Trick question, especially the “which is better” part. The answer depends on a host of factors such as cost, time, the team’s requirements, code availability, stage of the SDLC, and so on.
Question: How would you perform a security/penetration test on a web application covering the following scenarios?
- Unauthenticated tests on log-in page. Test for brute forcing, password cracking, rainbow table attacks, account lockouts, clickjacking, session fixation, and so on.
- Authenticated tests with one user account. Test for the usual suspects from the OWASP Top 10.
- Authenticated tests with multiple user accounts. Test for horizontal privilege escalation, vertical privilege escalation, and forceful browsing.
Question: Explain a DOM-based cross-site scripting attack.
Question: Is input validation sufficient to prevent cross-site scripting?
Question: Explain a blind SQL injection attack.
Question: How does a web application firewall (WAF) detect and prevent attacks?
Question: What is the difference between authentication and authorization?
Question: What is same origin policy? What is CORS (cross-origin resource sharing)?
Tip: Ask questions that cover all three aspects of a web application vulnerability: root cause, actual attack, and defense mechanisms.
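To illustrate the expected answer to the "Is input validation sufficient to prevent cross-site scripting?" question, here is an added example (not from the original article): a display-name validator that correctly admits a legitimate name containing an apostrophe, and two renderers showing that only the one with contextual output encoding keeps the HTML attribute boundary intact. The function names and the sample name are assumptions constructed for this example.

```javascript
// Added example: why input validation alone does not stop XSS, and why
// output encoding at the point of rendering is still required.

// A realistic "input validation" rule for a display name: letters, digits,
// spaces, apostrophes and hyphens, 1 to 40 characters. Apostrophes are
// legitimate (O'Brien), so the validator cannot simply reject them.
const NAME_RE = /^[A-Za-z0-9 '\-]{1,40}$/;

function validateDisplayName(name) {
  return NAME_RE.test(name);
}

// Output encoding for the HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: validates, then interpolates the raw value into a
// single-quoted attribute and into element text.
function renderGreetingUnsafe(name) {
  if (!validateDisplayName(name)) throw new Error("invalid name");
  return `<span title='${name}'>Hello, ${name}</span>`;
}

// Hardened pattern: the same validation, plus encoding on output.
function renderGreetingSafe(name) {
  if (!validateDisplayName(name)) throw new Error("invalid name");
  const enc = escapeHtml(name);
  return `<span title='${enc}'>Hello, ${enc}</span>`;
}

// Counts the single quotes in the produced markup. Exactly two means the
// attribute delimiters are the only ones present, i.e. the boundary held.
function attributeQuoteCount(html) {
  return (html.match(/'/g) || []).length;
}

// Constructed sample input: a perfectly valid name that still carries an
// attribute delimiter. Validation passes; only encoding neutralizes it.
const SAMPLE_NAME = "Alice O'Brien";
```

The unsafe renderer yields four single quotes for the sample name (the apostrophe closes the title attribute early), while the safe renderer yields two because the apostrophe is emitted as `&#39;`.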