Explore essential concepts in API security testing through practical CAT interview scenarios. This quiz challenges your understanding of vulnerability detection, authentication issues, security misconfigurations, and best practices in secure API design.
During an interview scenario, you are given an API endpoint that uses a basic authentication header. Which security risk is most likely if credentials are transmitted without encryption over HTTP?
Explanation: HTTP Basic authentication only base64-encodes the username and password; it does not encrypt them. Sent over plain HTTP, the header is readable by anyone who can observe the traffic (network sniffing, a rogue proxy, any on-path attacker), and the credentials can be decoded instantly and reused. The fix is to require TLS (HTTPS) for the endpoint and to refuse Basic credentials on any cleartext listener. Slow requests (option B) can have many causes and are not a consequence of Basic authentication over HTTP. Improper data parsing (option C) is unlikely if the request is well formed. Token expiration (option D) does not apply: Basic authentication carries a static credential, not a token.
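An added example (not part of the original quiz) showing what an on-path observer does with such a request, plus the check a tester would record. The captured request, host name and credentials are constructed for this example and are not real traffic.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: one plaintext HTTP request as an on-path attacker would see it.
# The host name and the credentials are made up for this example.
CAPTURED_REQUEST = (
    "GET /api/v1/orders HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Authorization: Basic YWxpY2U6UEBzc3cwcmQh\r\n"
    "User-Agent: curl/8.0\r\n"
    "\r\n"
)

AUTH_RE = re.compile(r"^Authorization:\s*(\S+)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def recover_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic Authorization header, or None.

    Basic auth is base64 *encoding*, not encryption: whoever can read the bytes
    on the wire (plain HTTP, a rogue proxy, a mirrored switch port) reverses it
    in a single call.
    """
    m = AUTH_RE.search(raw_request)
    if not m or m.group(1).lower() != "basic":
        return None
    decoded = base64.b64decode(m.group(2)).decode("utf-8")
    # RFC 7617: user-id ":" password. The user-id may not contain a colon,
    # but the password may, so split on the first colon only.
    user, _, password = decoded.partition(":")
    return user, password


def audit_transport(scheme: str, raw_request: str) -> List[str]:
    """Findings a tester would raise for this request on the given URL scheme."""
    findings = []
    creds = recover_basic_credentials(raw_request)
    if creds and scheme.lower() != "https":
        findings.append(
            "Basic credentials sent over cleartext %s; user %r recoverable by sniffing"
            % (scheme.lower(), creds[0])
        )
    elif creds:
        # Informational: even over TLS, Basic resends the password on every call.
        findings.append(
            "Basic auth resends the password on every request; prefer short-lived tokens"
        )
    return findings
```

The regex and the audit logic are this example's own; the recovery step is exactly what a packet capture of a cleartext request yields.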
In a security testing case, a candidate submits ' OR 1=1 -- as an input to an API parameter. What type of vulnerability is primarily being tested for?
Explanation: ' OR 1=1 -- is the classic SQL injection probe. The leading quote closes the string literal the application wrapped around the input, OR 1=1 makes the WHERE clause true for every row, and -- comments out whatever the original query had after the injection point. The tester confirms the finding by comparing the response with that of a harmless value: more rows, a database error, or a timing change means the input reached the query as code. Cross-Origin Resource Sharing (option B) governs which origins may call the API from a browser and has nothing to do with injection. Broken Access Control (option C) concerns who may reach which resource, not manipulation of the input. Option D is labelled XXS, apparently a typo for XSS (cross-site scripting); XSS is tested with script or HTML payloads, not SQL syntax.
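An added example (not from the original quiz) that runs the probe against a constructed in-memory SQLite table, first through a string-built query and then through a parameterised one, and includes the comparison a tester uses to decide whether the parameter is injectable. The table, user names and helper names are assumptions of this example.

```python
import sqlite3
from typing import Callable, List

# The probe from the question.
PAYLOAD = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two made-up users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """String-builds the query, so the input becomes part of the SQL grammar."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    # With PAYLOAD the statement becomes:
    #   SELECT username FROM users WHERE username = '' OR 1=1 --'
    # The '--' comments out the dangling quote and OR 1=1 matches every row.
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterised query: the input is bound as data and cannot alter the grammar."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def looks_injectable(lookup: Callable[[sqlite3.Connection, str], List[str]],
                     conn: sqlite3.Connection) -> bool:
    """How a tester reads the result: compare the payload against a benign value
    that should match nothing. More rows (or a SQL error) on the payload means
    the input reached the query as code."""
    baseline = lookup(conn, "no-such-user")
    try:
        probed = lookup(conn, PAYLOAD)
    except sqlite3.Error:
        return True  # a syntax error is also evidence the quote was interpreted
    return len(probed) > len(baseline)
```

Against the vulnerable lookup the payload returns every user; against the parameterised one it returns nothing, because the whole string is compared as a username.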
Given an API endpoint that does not limit the number of requests per user per minute, which attack is the API most vulnerable to?
Explanation: Without a per-user (or per-client) request limit, an attacker can flood the API with requests and exhaust CPU, memory, database connections or third-party quotas, which is Denial-of-Service. The same gap also lets an attacker brute-force logins and one-time codes or enumerate identifiers at full speed, so a missing rate limit is worth reporting even when a DoS is not practical. Clickjacking (option B) tricks users through a manipulated UI and does not involve API request volume. Man-in-the-middle (option C) exploits insecure transport, which is unrelated to request limits. Replay attacks (option D) resend a captured valid request and are countered with nonces or timestamps, whereas overwhelming the server is specifically DoS.
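An added example (this editor's code, not part of the quiz) of a per-user sliding-window limiter with an injected clock, so a burst can be replayed deterministically. The limit, window and user names are assumptions chosen for the example.

```python
from collections import deque
from typing import Deque, Dict, List


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    Key on the authenticated principal (user or API key) so one client cannot
    spend another's budget; fall back to client IP only for unauthenticated
    endpoints. The clock is passed in by the caller so behaviour is testable.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller should answer 429 with a Retry-After header
        q.append(now)
        return True

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the oldest in-window request expires (0 if not limited)."""
        q = self._hits.get(key)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (now - q[0]))


def simulate(limiter: SlidingWindowLimiter, key: str, timestamps: List[float]) -> List[bool]:
    """Replay a burst of request times for one key and record each verdict."""
    return [limiter.allow(key, t) for t in timestamps]
```

A burst of seven requests in seven seconds against a limit of five per minute is cut off at the sixth; the budget reopens one slot at a time as the oldest request leaves the window, and a second user is unaffected.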
During a mock interview test, you discover that the API sends detailed stack traces and server file paths in error messages. What type of API security issue does this represent?
Explanation: Returning stack traces, file paths, framework versions or internal hostnames in error responses is a security misconfiguration (debug or verbose error handling left enabled in production; the OWASP API Security Top 10 (2023) lists it as API8, Security Misconfiguration). The details tell an attacker which framework, library versions and directory layout are in use and make the next attack easier. The fix is to return a generic message with an opaque incident identifier and write the full trace to server-side logs keyed on that identifier. Broken object level authorization (option B) is about one user reaching another user's objects. Unvalidated redirects (option C) are about where the API sends the client next. Insecure deserialization (option D) concerns tampering with serialized objects, not the content of error messages.
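An added example (not from the quiz) contrasting a debug-style error response with a hardened one, plus the response check a tester can run to flag leaked internals. The failing endpoint, the patterns list and the logger name are constructed for this example.

```python
import logging
import re
import traceback
import uuid
from typing import Any, Callable, Dict, Tuple

LOG = logging.getLogger("api")

# Markers a tester can grep for in API responses; any hit means implementation
# details are leaving the server. The list is illustrative, not exhaustive.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),          # Python frames
    re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)"),        # Java/.NET-style frames
    re.compile(r"(?:/[\w.-]+){2,}\.\w+"),             # absolute Unix paths
    re.compile(r"[A-Za-z]:\\(?:[\w.-]+\\)+"),         # Windows paths
]


def leaks_internals(body: Dict[str, Any]) -> bool:
    """True if any value in the response body matches a leak marker."""
    text = " ".join(str(v) for v in body.values())
    return any(p.search(text) for p in LEAK_PATTERNS)


def process_request(handler: Callable[[], Dict[str, Any]],
                    *, debug_errors: bool) -> Tuple[int, Dict[str, Any]]:
    """Run an endpoint handler and turn any exception into an HTTP-style reply."""
    try:
        return 200, handler()
    except Exception as exc:
        if debug_errors:
            # Misconfiguration: debug-style error detail sent to the client.
            return 500, {"error": repr(exc), "trace": traceback.format_exc()}
        # Hardened: full detail to server logs, opaque reference to the client.
        incident_id = uuid.uuid4().hex
        LOG.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "internal error", "incident_id": incident_id}


def broken_handler() -> Dict[str, Any]:
    """Constructed failing endpoint: reads a config key that does not exist."""
    config = {"db_host": "db.internal.example.test"}
    return {"host": config["db_hots"]}  # deliberate typo -> KeyError
```

With debug errors on, the client receives the traceback (and with it the server's file paths); with them off, the client gets only an incident identifier that support staff can match to the logged trace.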
During an interview, a candidate proposes giving API service accounts only the permissions they need as part of security hardening. Which best practice are they following?
Explanation: Granting each account only the permissions its job requires is the Principle of Least Privilege; it limits what a compromised credential or a vulnerable service can do. In practice this means one identity per workload, rights to the specific resources and operations it uses, no shared administrative keys, and a review whenever the service changes. Single Sign-On (option B) concerns how users authenticate, not what accounts are allowed to do. Audit logging (option C) records actions but does not restrict them. Data masking (option D) hides sensitive values in output and does not manage account privileges.