Below is a collection of questions about security (general or specific knowledge).
What is the difference between HTTP and HTTPS?
Explain the difference between encryption and hashing. What is base64 encoding, and when is it safe or unsafe to use?
Explain what TLS is. What is the difference between TLS and SSL?
If a web application uses React in the front end, can it still be vulnerable to XSS?
What are the common file upload vulnerabilities in web apps? What is the best way to handle file upload?
How do you configure a cookie securely? What is the purpose of each of these security flags: Secure, HttpOnly, SameSite?
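An added example (not part of the original question list) showing what "configure a cookie securely" means in practice: one function emits a Set-Cookie header carrying all three flags, and a second audits any Set-Cookie value and reports which protections are missing, including the Secure requirement for SameSite=None and the `__Host-` prefix rules. Cookie names and values are constructed.

```python
"""Added example, not part of the original question list: build a Set-Cookie
header with the three flags the question names, and audit any Set-Cookie
value for the ones that are missing. Cookie names and values are constructed."""

SAMESITE_VALUES = ("strict", "lax", "none")


def build_secure_cookie(name, value, max_age=3600, samesite="Lax"):
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite set."""
    if samesite.lower() not in SAMESITE_VALUES:
        raise ValueError(f"invalid SameSite value: {samesite!r}")
    attrs = [f"{name}={value}", "Path=/", f"Max-Age={max_age}",
             "Secure",                # only sent over HTTPS
             "HttpOnly",              # not exposed to document.cookie
             f"SameSite={samesite}"]  # not attached to most cross-site requests
    return "; ".join(attrs)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the flags are acceptable."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from script (XSS exposure)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: set it explicitly instead of relying on browser defaults")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")
    elif samesite not in SAMESITE_VALUES:
        findings.append(f"unknown SameSite value {samesite!r}")
    # The __Host- prefix is only honoured when Secure is set, Path is "/" and
    # no Domain attribute is present.
    if name.startswith("__Host-") and (
            "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return findings


if __name__ == "__main__":
    print(build_secure_cookie("sid", "abc123"))
    for finding in audit_set_cookie("sid=abc123; Path=/"):
        print("finding:", finding)
```

The audit function is the shape of check a practitioner runs over captured response headers: each missing flag maps to the concrete exposure it creates (plaintext transmission, script access, cross-site attachment), which is the answer the question is looking for.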
Does Java have buffer overflow issues?
This requires some knowledge of Java. You need to know that Java performs bounds checks: if code tries to access memory outside of what was allocated (outside the array size), an exception is thrown.
Rare situations where a buffer overflow can happen: (1) JNI is used to call native code. (2) The JVM itself has a vulnerability.
Explain some examples of Business Logic vulnerabilities.
- Suppose there is an e-commerce shop that allows you to pay for an item in monthly installments (12 months, 18 months, 24 months, etc.). Test whether you can change the number of months to 1000. If so, there is an abuse case here. To understand such abuse cases, you need common financial and payment knowledge.
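An added example (not from the original question list) of the installment abuse case and the server-side check that closes it: the vulnerable function trusts the client-supplied month count, while the hardened version accepts only a plan from a server-side allow-list and splits the price so the installments sum exactly to it. The plan list, prices and function names are constructed for illustration.

```python
"""Added example, not from the original question list: server-side validation
of an installment plan, the check that closes the "1000 months" abuse case.
Plan list, prices and function names are constructed for illustration."""
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")
ALLOWED_PLANS = (1, 12, 18, 24)   # months offered by the (constructed) shop


class InvalidPlan(ValueError):
    """Raised when the requested plan is not one the shop actually offers."""


def monthly_payment_vulnerable(price, months):
    """Vulnerable version: trusts whatever month count the client sends.
    months=1000 turns a 1000.00 item into 1.00 per month."""
    return price / months


def validate_plan(months):
    """Accept only an integer from the server-side allow-list.
    bool is a subclass of int, so True (== 1) is rejected explicitly;
    strings such as "12" are rejected rather than coerced."""
    if isinstance(months, bool) or not isinstance(months, int):
        raise InvalidPlan(f"plan must be an integer month count, got {months!r}")
    if months not in ALLOWED_PLANS:
        raise InvalidPlan(f"unsupported installment plan: {months} months")
    return months


def installment_schedule(price, months):
    """Hardened version: validate the plan, then split the price into
    `months` installments whose sum is exactly the price (the last
    installment absorbs the rounding remainder)."""
    months = validate_plan(months)
    price = Decimal(str(price))
    if price <= 0:
        raise ValueError("price must be positive")
    base = (price / months).quantize(CENT, rounding=ROUND_DOWN)
    schedule = [base] * (months - 1)
    schedule.append(price - base * (months - 1))
    return schedule


if __name__ == "__main__":
    print(monthly_payment_vulnerable(1000, 1000))   # 1.0: the abuse case
    print(installment_schedule("1000", 18))
    try:
        installment_schedule("1000", 1000)
    except InvalidPlan as e:
        print("rejected:", e)
```

The point of the hardened version is that the plan is an enumeration owned by the server, not a number the client is free to choose; type checks alone (rejecting "12" or 12.0) would not stop a client that sends a well-formed integer the shop never offered.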
What are the limitations of SAST, DAST, SCA, IAST?
You need to know more than the vendor marketing materials. The experience can come from hands-on usage of the tools, or from listening to podcasts, YouTube presentations, etc.