Web App Pen Testing Interview Q&A

What is Web Application Penetration Testing?

Identifying and exploiting security vulnerabilities in web applications with proper authorization to improve security.

VAPT vs Web Penetration Testing?

• Vulnerability Assessment identifies weaknesses.
• Penetration Testing validates whether vulnerabilities can be exploited.

What is the OWASP Top 10?

A list of the most critical web application security risks including Broken Access Control, Injection, Security Misconfiguration, SSRF, and Cryptographic Failures.

What is SQL Injection?

Occurs when user input manipulates SQL queries to access or modify database information without authorization.

What is Cross-Site Scripting (XSS)?

Allows attackers to inject malicious JavaScript into web pages. Types: Stored XSS, Reflected XSS, DOM-based XSS.

What is CSRF?

Cross-Site Request Forgery tricks authenticated users into performing unintended actions.

Authentication vs Authorization?

• Authentication verifies identity.
• Authorization determines permissions.

What is Session Management?

Securely tracking authenticated users using session IDs or tokens.

What is HTTPS?

Encrypts communication between the browser and server using TLS.

What is Burp Suite?

A popular web application security testing tool used for intercepting, modifying, and analyzing HTTP traffic.

What is IDOR?

Insecure Direct Object Reference — allows attackers to access unauthorized resources by changing object identifiers.

What is SSRF?

Server-Side Request Forgery — forces the server to make unintended requests.

What is XXE?

XML External Entity — exploits insecure XML parsers to read files or access internal resources.

What is Command Injection?

Occurs when user input is executed as operating system commands.

What is Remote Code Execution (RCE)?

Enables attackers to execute arbitrary code on the target server.

Explain File Upload Vulnerabilities.

Improper validation of uploaded files can allow attackers to upload malicious scripts or executables.

What is Directory Traversal?

Enables attackers to access files outside the intended directory structure.

What is Clickjacking?

Tricks users into clicking hidden or disguised interface elements.

Explain CORS.

Cross-Origin Resource Sharing — controls how web resources can be requested from different domains.

What is Content Security Policy (CSP)?

HTTP security header that helps prevent XSS by restricting which resources can be loaded.

What is Burp Suite?

An integrated platform for web application security testing with proxy, scanner, and analysis tools.

Explain Burp Proxy.

Intercepts and modifies HTTP/HTTPS traffic between the browser and server.

What is Burp Repeater?

Allows manual modification and resending of requests for testing.

What is Burp Intruder?

Automated tool for fuzzing, brute-forcing, and parameter testing.

What is Burp Decoder?

Tool for decoding, encoding, and manipulating data.

Explain Burp Extensions.

Add-ons that extend Burp Suite functionality (e.g., BApp Store).

What is Session Fixation?

Attack where an attacker sets a known session ID before the user authenticates.

What is Session Hijacking?

Stealing a valid session token to gain unauthorized access.

What is Secure Flag?

Ensures cookies are only sent over HTTPS connections.

What is HttpOnly Flag?

Prevents client-side scripts from accessing cookies, reducing XSS impact.

What is JWT?

JSON Web Token — a compact token format for authentication and information exchange.

What is OAuth?

Open standard for delegated access, often used for third-party authentication.

What is REST API?

Representational State Transfer — an architectural style for API design using HTTP methods.

What is GraphQL?

A query language for APIs that allows clients to request specific data.

What is BOLA?

Broken Object Level Authorization — unauthorized access to API objects.

What is API Rate Limiting?

Restricts the number of API requests to prevent abuse and DoS attacks.

What is API Fuzzing?

Automated testing of API endpoints with unexpected or malformed input.

What is HTTP Request Smuggling?

Exploits inconsistencies between front-end and back-end server processing.

What is SSTI?

Server-Side Template Injection — allows attackers to execute code through template engines.

What is Deserialization?

Insecure deserialization can lead to RCE, data tampering, and privilege escalation.

What is Prototype Pollution?

JavaScript vulnerability that allows attackers to modify object prototypes and alter application behavior.

What is Cache Poisoning?

Injecting malicious content into a cache to serve it to users.

What is Input Validation?

Checking and sanitizing user input before processing to prevent injection attacks.

What is Output Encoding?

Escaping output to prevent XSS and injection attacks.

What are Parameterized Queries?

Preventing SQL Injection by separating SQL logic from user input.

What is Least Privilege?

Users should only have the minimum permissions necessary.

What is Password Hashing?

Storing passwords securely using hashing algorithms like bcrypt or Argon2.

How do you write a penetration testing report?

Include executive summary, methodology, findings, evidence, remediation, and conclusion.

What should executive summary include?

High-level overview, key risks, business impact, and recommendations.

What is CVSS?

Common Vulnerability Scoring System for rating vulnerability severity.

What is Proof of Concept (PoC)?

Evidence that demonstrates how a vulnerability can be exploited.

How to prioritize vulnerabilities?

Use CVSS scores, exploitability, and business impact.