InterviewStack.io LogoInterviewStack.io

OWASP Top Ten and CWE Top Twenty Five Questions

Comprehensive knowledge of the Open Web Application Security Project Top Ten categories and the Common Weakness Enumeration Top Twenty Five weaknesses, focused on identification, exploitation mechanisms, root causes, business impact, and prevention. Candidates should understand each vulnerability class in depth, including injection, broken authentication and authorization, cross site scripting, cross site request forgery, security misconfiguration, insecure design, vulnerable and outdated components, cryptographic and data integrity failures, logging and monitoring gaps, server side request forgery, and related common weakness patterns. Assessment covers how to find these issues in source code and running applications, how attacks are constructed, secure coding fixes and remediation, threat modeling and secure design choices to prevent them, use of static and dynamic analysis and dependency scanning tools, vulnerability prioritization and patching strategies, and runtime detection and monitoring practices. Candidates should be able to explain concrete code examples, demonstrate fixes, and map specific code patterns to CWE entries when relevant.

EasyTechnical
42 practiced
Explain the OWASP Top Ten (2021) web application risk categories and how they relate to the CWE Top 25. For three OWASP categories of your choice (for example: Injection, Broken Access Control, Cryptographic Failures) do the following:- Briefly describe the OWASP category in one sentence- Map it to 2-3 relevant CWE identifiers (include CWE number and short name)- Give a concrete code pattern or application misconfiguration that commonly leads to those CWEsEmphasize root cause, attacker capability, business impact, and high-level mitigations.
MediumTechnical
36 practiced
A web page echoes a query parameter without encoding:
<!-- vulnerable.php -->
<html>
  <body>
    Search results: <?php echo $_GET['q']; ?>
  </body>
</html>
Demonstrate a reflected XSS payload an attacker could use to exfiltrate cookies. Then provide a secure coding fix (server-side) and a recommended CSP header. Explain why both are useful.
HardSystem Design
36 practiced
Design a runtime detection system to identify SSRF exploitation attempts in your fleet. Include application-level telemetry, host/network signals, egress filtering, DNS and TLS telemetry, eBPF-based tracing options, heuristics to flag suspicious outbound requests (e.g., internal IP ranges, metadata endpoints), alerting thresholds, and mitigation automation.
EasyTechnical
36 practiced
You find code that uses MD5 for password hashing and a hardcoded symmetric key for data encryption. Explain why these are risky. Provide specific recommendations (algorithms, libraries, configuration) to fix both password storage and data encryption at rest and in transit, including key management and rotation details. Map these mistakes to CWE entries and describe business impact.
HardTechnical
38 practiced
Case study: For an internet-facing e-commerce application (catalog, cart, payments, admin portal), perform a STRIDE-based threat model focusing on OWASP Top Ten risks. Identify the highest-impact threats, map them to OWASP categories and relevant CWEs, propose mitigations (design and operational), and prioritize remediation by business impact and cost.

Unlock Full Question Bank

Get access to hundreds of OWASP Top Ten and CWE Top Twenty Five interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.