Applications security specialist interview questions shared by candidates
I was asked to explain the difference between Insufficient Authentication and Insufficient Authorization. In the process, I managed to confuse the person asking the question by giving obscure examples.
Insufficient Authentication: being able to perform a function or view information that should not be available to an unauthenticated user.

Insufficient Authorization: being able to perform a function or view information that should not be available to a user of your privilege level (e.g. being able to perform administrator functionality as a regular user) or to any user other than you (e.g. being able to view another user's account information).
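The two definitions above map onto two distinct checks in code. The following is an added example (not from the original page or any candidate) of a small account-lookup function written once with neither check, then with both, so the difference is visible as the exception each check raises. The `User` class, the `ACCOUNTS` table and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int
    role: str  # "user" or "admin" (constructed roles)


# Constructed sample data: account id -> owner and balance.
ACCOUNTS = {
    1: {"owner": 1, "balance": 100},
    2: {"owner": 2, "balance": 250},
}


class Unauthenticated(Exception):
    """Caller has not proven who they are (no session)."""


class Forbidden(Exception):
    """Caller is known, but not allowed to do this."""


def view_account_insecure(account_id: int, current_user: Optional[User]) -> dict:
    # Both weaknesses at once: an anonymous caller (insufficient authentication)
    # or any logged-in user (insufficient authorization) can read any account.
    return ACCOUNTS[account_id]


def view_account(account_id: int, current_user: Optional[User]) -> dict:
    # Authentication check: reject callers with no established identity.
    if current_user is None:
        raise Unauthenticated("login required")
    acct = ACCOUNTS[account_id]
    # Authorization check: only the owner or an admin may read this account.
    if acct["owner"] != current_user.id and current_user.role != "admin":
        raise Forbidden("not your account")
    return acct


def delete_account(account_id: int, current_user: Optional[User]) -> bool:
    # Admin-only function: a regular user reaching it would be the
    # "administrator functionality as a regular user" case.
    if current_user is None:
        raise Unauthenticated("login required")
    if current_user.role != "admin":
        raise Forbidden("admin only")
    ACCOUNTS.pop(account_id, None)
    return True
```

When reviewing an endpoint, ask the two questions separately: does it establish who the caller is, and does it then compare that identity (and role) against the resource being touched? A missing answer to the first is insufficient authentication; a missing answer to the second is insufficient authorization.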
They give you different variations on using cross-site scripting. None of them were too difficult and they gave me some hints. If you have a lot of experience in this it should be fairly easy.
Given this snippet of code, and assuming that the input you injected on the URL lands inside an HTML attribute, explain how you would obfuscate past their filter and successfully demonstrate that the page is vulnerable to Cross-Site Scripting.
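The defensive counterpart to that question is why a keyword filter on the input is the wrong control for an attribute landing space: the fix is contextual output encoding at the point where the value is written into the page. The following is an added example (not from the page or any candidate) that encodes a user-supplied value for a double-quoted attribute and checks that the attribute boundary survives whatever the value contains. The `render_search_box` and `attribute_value_is_intact` names and the sample input are constructed.

```python
import html


def render_search_box(user_value: str) -> str:
    # Contextual output encoding for a quoted attribute: html.escape with
    # quote=True turns & < > " and ' into entities, so the value can never
    # close the attribute or start a new one regardless of its content.
    safe = html.escape(user_value, quote=True)
    return f'<input type="text" name="q" value="{safe}">'


def attribute_value_is_intact(rendered: str) -> bool:
    # Check that the value attribute is the last thing in the tag: the first
    # raw double quote after value=" must be the one that closes it, and it
    # must be immediately followed by the closing '>'.
    start = rendered.index('value="') + len('value="')
    end = rendered.index('"', start)
    return rendered[end:] == '">'


# Constructed sample: a value containing quotes, angle brackets and an ampersand.
SAMPLE = 'Tom\'s "quoted" <search> & more'
```

Run `render_search_box(SAMPLE)` and the quotes, brackets and ampersand come out as `&#x27;`, `&quot;`, `&lt;`, `&gt;` and `&amp;`, so the browser shows the literal text in the box while the tag structure stays exactly as the template wrote it. The same input written into a JavaScript string, a URL or a CSS value needs a different encoder; the point of the interview question is that the filter has to match the context, and an input-side blacklist does not.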