Scribd
Upload
10 views5 pages

Essential API Security Interview Questions

The document outlines key API interview questions and best practices for API security, including the OWASP Top 10 vulnerabilities, differences between web applications and APIs, and various attack mitigations such as JWT and OAuth. It emphasizes the importance of using standard authentication methods, validating inputs, and implementing proper access controls to safeguard APIs. Additionally, it covers best practices for processing and outputting data securely, as well as continuous integration and deployment strategies for maintaining API security.

Uploaded by

5koos
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
10 views5 pages

Essential API Security Interview Questions

The document outlines key API interview questions and best practices for API security, including the OWASP Top 10 vulnerabilities, differences between web applications and APIs, and various attack mitigations such as JWT and OAuth. It emphasizes the importance of using standard authentication methods, validating inputs, and implementing proper access controls to safeguard APIs. Additionally, it covers best practices for processing and outputting data securely, as well as continuous integration and deployment strategies for maintaining API security.

Uploaded by

5koos
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

API Interview Questions

1. OWASP Top 10 of API


2. Difference between Web Application & API
3. Difference between Web Services & API
4. Out of Band XXE Injection
5. XXE Mitigation
6. XML RPC attack
7. JWT Bypass
8. Billion laugh Attack/ XML Bombing
9. Xpath injection
10. What test cases you will check in API?
11. Common vulnerabilities in web and API/Those which are in API but not in web and vice
versa.
12. Authentication mechanisms used in API
13. JWT attacks & mitigations
14. Oauth2 attack & mitigations
15. SOAP & REST difference

uthentication

 Don't use Basic Auth. Use standard authentication instead


(e.g. JWT, OAuth).

 Don't reinvent the wheel in Authentication, token


generation, password storage. Use the standards.

 Use Max Retry and jail features in Login.

 Use encryption on all sensitive data.

JWT (JSON Web Token)

 Use a random complicated key (JWT Secret) to make brute


forcing the token very hard.

 Don't extract the algorithm from the header. Force the


algorithm in the backend (HS256 or RS256).

 Make token expiration (TTL, RTTL) as short as possible.


 Don't store sensitive data in the JWT payload, it can be
decoded easily.

OAuth

 Always validate redirect_uri server-side to allow only whitelisted


URLs.

 Always try to exchange for code and not tokens (don't


allow response_type=token).

 Use state parameter with a random hash to prevent CSRF on the


OAuth authentication process.

 Define the default scope, and validate scope parameters for


each application.

Access

 Limit requests (Throttling) to avoid DDoS / brute-force attacks.

 Use HTTPS on server side to avoid MITM (Man in the Middle


Attack).

 Use HSTS header with SSL to avoid SSL Strip attack.

 For private APIs, only allow access from whitelisted IPs/hosts.

Input

 Use the proper HTTP method according to the operation: GET


(read), POST (create), PUT/PATCH (replace/update), and DELETE (to
delete a record), and respond with 405 Method Not Allowed if the
requested method isn't appropriate for the requested resource.

 Validate content-type on request Accept header (Content


Negotiation) to allow only your supported format
(e.g. application/xml, application/json, etc.) and respond with 406 Not
Acceptable response if not matched.

 Validate content-type of posted data as you accept


(e.g. application/x-www-form-urlencoded, multipart/form-data, applicati
on/json, etc.).

 Validate user input to avoid common vulnerabilities


(e.g. XSS, SQL-Injection, Remote Code Execution, etc.).

 Don't use any sensitive data (credentials, Passwords, security


tokens, or API keys) in the URL, but use standard Authorization
header.

 Use an API Gateway service to enable caching, Rate Limit


policies (e.g. Quota, Spike Arrest, or Concurrent Rate Limit) and
deploy APIs resources dynamically.

Processing

 Check if all the endpoints are protected behind authentication to


avoid broken authentication process.

 User own resource ID should be avoided. Use /me/orders instead


of /user/654321/orders.

 Don't auto-increment IDs. Use UUID instead.

 If you are parsing XML files, make sure entity parsing is not
enabled to avoid XXE (XML external entity attack).

 If you are parsing XML files, make sure entity expansion is not
enabled to avoid Billion Laughs/XML bomb via exponential entity
expansion attack.

 Use a CDN for file uploads.

 If you are dealing with huge amount of data, use Workers and
Queues to process as much as possible in background and return
response fast to avoid HTTP Blocking.
 Do not forget to turn the DEBUG mode OFF.

Output

 Send X-Content-Type-Options: nosniff header.

 Send X-Frame-Options: deny header.

 Send Content-Security-Policy: default-src 'none' header.

 Remove fingerprinting headers - X-Powered-By, Server, X-AspNet-


Version, etc.

 Force content-type for your response. If you


return application/json, then your content-type response
is application/json.

 Don't return sensitive data like credentials, Passwords, or security


tokens.

 Return the proper status code according to the operation


completed. (e.g. 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method
Not Allowed, etc.).

CI & CD

 Audit your design and implementation with unit/integration tests


coverage.

 Use a code review process and disregard self-approval.

 Ensure that all components of your services are statically


scanned by AV software before pushing to production, including
vendor libraries and other dependencies.

 Design a rollback solution for deployments.

You might also like