Web Security Interview Preparation Guide

Web security job interview preparation guide for freshers and experienced candidates, with a number of frequently asked Web Security questions (FAQs) from many Web security interviews.

19 Web Security Questions and Answers:

1 :: Can you explain the principles for providing security to computer programs?

- The principle of least privilege is used to provide more security to computer programs.

- The principle allows the program to be designed so that unauthorized access is not permitted and only the owner of the program is able to access it.

- A service should be able to access only those components that actually need that service.

- Web servers that respond to the queries of web users should provide access only to the HTML files that serve the purpose of the program.

- Computer programs should be built so that they provide a secure log-in with proper authentication.

2 :: Do you know why valet keys are used in a least-privilege design?

- Valet keys are used to provide more security by not letting processes use more resources than they are allowed.

- Valet keys allow the use of only those resources that are necessary for a process to finish its job.

- Valet keys also limit the accesses that a process makes on the system.

- Valet keys keep resources locked until a demand is made to provide them to a process.

- The valet key system itself cannot be accessed, since it also remains locked by the system and permission is given only to those who are its owners.

3 :: Tell me, what are the ways in which attackers can infiltrate a system?

- Web servers can be infiltrated by an attacker using a command shell to read the HTML files that are being transferred.

- If the set-uid scripts are improper or badly written, infiltration by an attacker can happen.

- Processes are not given proper permissions, so the password of the system can be changed by using the "passwd" command.

- This also authenticates the user for accessing the system and the files on it that contain the data.

- A program in the operating system that doesn't follow the principle of least privilege leads to security issues.

4 :: Explain the principle of least privilege.

- The least privilege principle ensures that a process gets only limited resources at the beginning.

- A process has only as many resources as will allow it to finish a task or job in a given time.

- The principle defines the use of valet keys, which ensure the security of the system by locking processes to a limited number of resources.

- The web server should be given access only to HTML files to remain more secure on the Internet, and everything should be secure.

- Users should be given permission only to do their job and should be provided with only that many resources.

5 :: Can you explain the function of SimpleWebServer and "elevated privileges"?

- SimpleWebServer provides the storage space for files, which are stored together with their permissions.

- A system administrator can run SimpleWebServer only by having elevated privileges.

- Elevated privileges allow users not to access the web server itself but only the system that is given to them and the processes that they have permission for.

- Using special privileges, users can't access any files on the system that they are not allowed to access.

- Sensitive documents can be controlled using the directory structure of the system tree.

6 :: Do you know what would have happened if the least privilege principle had been followed?

- The least privilege principle allowed commands to be used with more security and gave processes fewer of the resources that were not needed.

- The commands that used to be set-uid to root allowed the system to be accessed.

- The commands were not used in a better way to help people but were used improperly, by creating directories and running them on their own.

- The root account was made less accessible to any user, and no authorization is given on that front to run a file or process again until it is required.

- Many sub-processes are used to handle the commands so that they cannot interfere with other processes.

- This principle minimized the damage from viruses attacking the system and stealing information.

7 :: Explain what the following line of code shows:

GET ../../../../etc/shadow HTTP/1.0

- GET is the method used to access files from the server; it works in the same way as PUT.

- The GET method allows information to be taken from the web server and sent to the user's browser.

- The directory /etc/ contains a shadow file that has special privileges and is accessible only to those with the required permissions.

- /etc/shadow contains all the passwords and usernames that can be accessed and changed.

- The file requested in the HTTP/1.0 request line can be passed to the FileReader constructor, which attempts to open the file.
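The request line above is the classic path-traversal probe. As an added example (not code from the page or from SimpleWebServer), this Python check parses the request line and refuses any path that would resolve outside the document root; it also decodes percent-encoding, which goes beyond the single case in the question. DOC_ROOT and the sample request lines are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # constructed document root for this example


def parse_request_line(line):
    """Split an HTTP/1.0 request line into (method, path, version); None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return tuple(parts)


def resolve_under_root(doc_root, request_path):
    """Return the file path for request_path if it stays inside doc_root, else None.

    Percent-encoding is decoded first, then '..' and '.' segments are collapsed,
    so ../../../../etc/shadow (or its %2e%2e form) normalises to /etc/shadow and
    fails the prefix check. This is a pure string check: a real server should
    also resolve symlinks (os.path.realpath) before comparing."""
    rel = unquote(request_path).lstrip("/") or "index.html"
    joined = posixpath.normpath(posixpath.join(doc_root, rel))
    root = doc_root.rstrip("/")
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def check_request(line, doc_root=DOC_ROOT):
    """Classify a request line as ('ok', file_path) or ('reject', reason)."""
    req = parse_request_line(line)
    if req is None:
        return ("reject", "malformed request line")
    method, path, _ = req
    if method != "GET":
        return ("reject", "method not allowed: " + method)
    target = resolve_under_root(doc_root, path)
    if target is None:
        return ("reject", "path escapes document root: " + path)
    return ("ok", target)


# Constructed sample request lines; the first is the one quoted in the question.
SAMPLE_LINES = [
    "GET ../../../../etc/shadow HTTP/1.0",
    "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0",
    "GET /docs/../../etc/passwd HTTP/1.0",
    "GET /index.html HTTP/1.0",
]
```

Running `check_request` over SAMPLE_LINES rejects the first three and accepts only the last.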

8 :: How do you write a program that defines the use of the fail-safe approach?

- The fail-safe approach is designed to save the system from any failure that can come without any reason.

- This includes developing a client system that requires the password to be sent to an authentication server; if the server is down, then access is denied to all users by default.

- The program used in case of failure is as follows:

// osw is the socket's OutputStreamWriter, fr the FileReader for the
// requested file, sb a StringBuffer, and c the first character read from fr
osw.write("HTTP/1.0 200 OK\n\n");
while (c != -1) {
    sb.append((char) c);   // accumulate the file contents
    c = fr.read();
}
osw.write(sb.toString());

- This program defines the security of the requested file: if the file is opened and read successfully, it returns an OK response and sends the contents of the file.

9 :: Can you explain what needs to be done to have a fail-safe stance?

- Fail-safe stances are used to provide security in case any failure occurs in the system.

- Fail-safe stances work on the same principle as elevators, and there is always a backup planned in case of system failure.

- Security can be breached if the system's firewall fails, and so a failed firewall does not allow any traffic to come in.

- Security issues can arise for a user who is entitled to access the resources of the system, since by default access is denied.

- There is a level of security provided in case the system fails or one or more components in the system fail.
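The authentication-server case described in question 8 is the textbook fail-safe default. This added Python example (not code from the page) puts a fail-open login next to the fail-closed one, using a stand-in server that can be marked down; FakeAuthServer, FailSafeLogin and the sample account are constructed for the example.

```python
import collections

AuthDecision = collections.namedtuple("AuthDecision", "allowed reason")


class AuthServerDown(Exception):
    """Raised when the authentication server cannot be reached."""


class FakeAuthServer:
    """Stand-in for the network authentication server (constructed for this example)."""

    def __init__(self, users, up=True):
        self.users = users   # username -> password; sample data, not real credentials
        self.up = up

    def verify(self, user, password):
        if not self.up:
            raise AuthServerDown("connection refused")
        return self.users.get(user) == password


def login_fail_open(server, user, password):
    """Weak design: an unreachable server is treated as 'no objection' and the user is let in."""
    try:
        ok = server.verify(user, password)
    except AuthServerDown:
        return AuthDecision(True, "auth server down, allowed by default")
    return AuthDecision(ok, "verified" if ok else "bad credentials")


class FailSafeLogin:
    """Fail-safe default from the question: while the authentication server is down,
    every login is denied. Outage denials are counted separately so monitoring can
    tell an outage apart from a burst of bad passwords."""

    def __init__(self, server):
        self.server = server
        self.outage_denials = 0

    def login(self, user, password):
        try:
            ok = self.server.verify(user, password)
        except AuthServerDown as exc:
            self.outage_denials += 1
            return AuthDecision(False, "auth server down (%s), denied by default" % exc)
        return AuthDecision(ok, "verified" if ok else "bad credentials")


# Constructed sample account for the demonstration.
SAMPLE_USERS = {"alice": "correct horse battery staple"}
```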

10 :: Do you know what the fail-safe approach is?

- The fail-safe approach defines the level that divides security such that it is safe even in case the system fails.

- The fail-safe approach doesn't allow an attacker to take advantage by breaking into the system and crashing it.

- This approach allows the web server to perform its routines even if the system runs out of memory in case of an attack.

- The system under attack doesn't skip the access control check, nor does it skip serving any document requested.

- The fail-safe approach can force the web server to run out of memory and suffer a DoS attack.
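As an added example (not the page's code and not SimpleWebServer itself), this Python version of the file-serving step from question 8 applies the fail-safe stance to the out-of-memory case named in question 10: it settles the status before writing anything and caps how much of a file it will buffer, so an oversized request cannot push the server out of memory. The size cap, chunk size and sample files are constructed for the example, and the path is assumed to have already been confined to the document root.

```python
import os
import tempfile

MAX_FILE_BYTES = 1 << 20   # 1 MiB cap, chosen for this example
CHUNK = 4096


def serve_file(path, max_bytes=MAX_FILE_BYTES, chunk=CHUNK):
    """Return (status_line, body) for a GET of an already-validated path.

    Fail-safe ordering: every check that can fail runs before the 200 status is
    chosen, so a client never sees "200 OK" followed by an error. The file is
    read in fixed-size chunks and capped at max_bytes, so one huge request
    cannot exhaust the server's memory (the DoS case from the question)."""
    try:
        size = os.stat(path).st_size
    except OSError:
        return ("HTTP/1.0 404 Not Found", b"")
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        return ("HTTP/1.0 403 Forbidden", b"")
    if size > max_bytes:
        return ("HTTP/1.0 403 Forbidden", b"")   # refuse instead of buffering it all
    chunks, total = [], 0
    try:
        with open(path, "rb") as f:
            while True:
                data = f.read(chunk)
                if not data:
                    break
                total += len(data)
                if total > max_bytes:   # file grew after stat(): still enforce the cap
                    return ("HTTP/1.0 403 Forbidden", b"")
                chunks.append(data)
    except OSError:
        return ("HTTP/1.0 500 Internal Server Error", b"")
    return ("HTTP/1.0 200 OK", b"".join(chunks))


def make_sample_docroot():
    """Create a throwaway document root with a small page and a larger file
    (constructed sample data) and return their paths."""
    root = tempfile.mkdtemp(prefix="docroot-")
    small = os.path.join(root, "index.html")
    big = os.path.join(root, "big.bin")
    with open(small, "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(big, "wb") as f:
        f.write(b"A" * 1000)
    return root, small, big
```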