Scribd
Upload
2 views3 pages

Q & A PART !

The document outlines various web application security concepts, including session hijacking, SQL injection mitigation, and cross-site scripting (XSS). It also discusses the importance of SSL certificates, input validation, and the OWASP Top Ten security risks. Additionally, it provides strategies for protecting sensitive data, ensuring secure communication, and managing third-party libraries with vulnerabilities.

Uploaded by

salmanabdikadir01
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
2 views3 pages

Q & A PART !

The document outlines various web application security concepts, including session hijacking, SQL injection mitigation, and cross-site scripting (XSS). It also discusses the importance of SSL certificates, input validation, and the OWASP Top Ten security risks. Additionally, it provides strategies for protecting sensitive data, ensuring secure communication, and managing third-party libraries with vulnerabilities.

Uploaded by

salmanabdikadir01
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

1. What is Session Hijacking?

Session Hijacking is when an attacker takes over a user’s session — typically by stealing the
session ID (stored in cookies) — allowing them to impersonate the user without needing to log
in.
2. How to mitigate the SQL Injection risks?
 Use prepared statements (with bound parameters).
 Validate and sanitize user inputs.
 Use ORM frameworks.
 Limit database privileges.
 Apply Web Application Firewalls (WAFs).
 Keep your database and platform up to date.
3. How can we protect web applications from Forced Browsing?
 Implement authorization checks on the server side.
 Do not rely on hiding URLs.
 Use access control lists (ACLs).
 Configure file permissions correctly.
 Remove or protect sensitive directories (e.g., with .htaccess).
4. What is Cross-Site Scripting (XSS)?
XSS is a vulnerability that allows attackers to inject malicious JavaScript into a trusted website,
which then executes in another user's browser, leading to session theft, phishing, or defacement.
5. What is an SSL Certificate?
An SSL certificate encrypts data between a user's browser and a web server using HTTPS. It
ensures confidentiality, integrity, and authentication of the website.
6. What is the OWASP Top Ten?
The OWASP Top 10 is a list of the 10 most critical web application security risks, published by
the Open Worldwide Application Security Project. It includes issues like:
 Injection
 Broken Authentication
 XSS
 Insecure Design
 Security Misconfiguration, etc.
7. What is Input Validation?
Input validation is the process of ensuring that user input is correct, safe, and expected. It's used
to prevent vulnerabilities like XSS, SQL injection, and command injection.
8. What is Server-Side Request Forgery (SSRF)?
SSRF is an attack where the server is tricked into making a request to an internal or external
resource, often leading to unauthorized access to internal services.
9. What is a common vulnerability?
A common vulnerability is a well-known security flaw that attackers often exploit — such as
XSS, SQL Injection, or using outdated software with known issues.
10. What is Command Injection Vulnerability?
Command Injection allows an attacker to execute arbitrary OS commands on the server by
injecting them into input fields that are passed to system-level functions (like exec()).
11. How do you prioritize vulnerabilities in a penetration testing report?
Vulnerabilities are prioritized based on:
 CVSS severity scores (technical impact)
 Impact vs. likelihood of exploitation
 Asset value (importance of the affected system)
 Business context (how it affects operations)
 Known public exploits (exploitability)
 Regulatory compliance risks (e.g., GDPR, PCI)
12. How do you stay current with web application security threats and trends?
 Follow OWASP, CVE databases, and security blogs.
 Attend conferences (e.g., Black Hat, DEFCON).
 Join online communities like Reddit, Stack Overflow, and Twitter.
 Use threat intelligence platforms.
 Subscribe to security newsletters.
13. How do you protect sensitive data, such as credit card numbers and passwords?
 Use TLS/SSL for data in transit.
 Hash passwords using strong algorithms (bcrypt, Argon2).
 Encrypt sensitive data at rest.
 Use tokenization or vaults for payment data.
 Limit access using RBAC (Role-Based Access Control).
14. How do you ensure secure communication between users and the server?
 Enforce HTTPS (SSL/TLS).
 Use HSTS (HTTP Strict Transport Security).
 Avoid mixed content (e.g., HTTP assets on HTTPS pages).
 Use secure cookies (Secure, HttpOnly, SameSite).
 Validate server certificates.
15. How do you handle a web application that uses a third-party library with known
vulnerabilities?
 Check for patches or updates to the library.
 Use tools like Dependabot, Snyk, or npm audit to detect issues.
 If no fix exists, replace or isolate the library.
 Apply virtual patches or WAF rules.
 Document and assess the risk based on usage.

You might also like