Ernst & Young Security Consultant Interview Questions, Process, and Tips

XSS is a type of web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

• XSS stands for Cross-Site Scripting.

• Attackers can exploit XSS vulnerabilities by injecting malicious scripts into web pages viewed by other users.

• These scripts can steal sensitive information, such as login credentials or personal data, from the victim's browser.

• XSS attacks can be prevented by prope...read more

CSRF is a type of attack where a malicious website tricks a user into performing an action on a different website.

• CSRF stands for Cross-Site Request Forgery

• It can be exploited by tricking a user into clicking a link or button on a malicious website that sends a request to a different website where the user is logged in

• The request can perform actions on behalf of the user without their knowledge or consent

• To prevent CSR...read more

SAST and DAST are security testing techniques used to identify vulnerabilities in software applications.

• SAST (Static Application Security Testing) is performed on the source code of an application to identify security vulnerabilities before the application is compiled and deployed.

• DAST (Dynamic Application Security Testing) is performed on a running application to identify vulnerabilities in real-time.

• SAST is useful fo...read more

httpsOnly and secure flag are used for securing web traffic and preventing attacks.

• httpsOnly ensures that all traffic to a website is encrypted and cannot be intercepted by attackers.

• Secure flag ensures that cookies are only sent over encrypted connections, preventing session hijacking attacks.

• Both are important security measures for protecting sensitive information and preventing attacks.

• Examples of websites that use ...read more

Security headers are used to enhance the security of web applications by providing additional protection against attacks.

• Common security headers include Content-Security-Policy (CSP), X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security (HSTS)

• CSP helps prevent cross-site scripting (XSS) attacks by specifying which sources of content are allowed to be loaded

• X-XSS-Protection helps prev...read more

Cache control is implemented through HTTP headers to specify how long a resource should be cached.

• Cache-Control header is used to specify caching directives

• Expires header is used to specify an expiration date for the resource

• Max-Age header is used to specify the maximum age of the resource in seconds

• Pragma header is used for backwards compatibility with HTTP/1.0

• Examples: Cache-Control: max-age=3600, Expires: Wed, 21 Oc