Security testing interview questions

// 24 QUESTIONS · UPDATED MAY 2026

Security testing interview questions scoped for QA engineers and SDETs: the OWASP Top 10 from a tester's perspective, SQL injection and XSS validation, authentication versus authorisation testing, broken access control and IDOR, session management, CSRF, security headers, sensitive data exposure, SAST and DAST in CI/CD, and how QA security testing complements the dedicated security team.


  1. What is the OWASP Top 10 and how should a QA engineer use it? (Junior)

    The OWASP Top 10 is a ranked list of the most critical web application security risks, updated every few years by a global community of s…

  2. What is the difference between authentication and authorisation, and how do you test each? (Junior)

    Authentication verifies identity ('who are you?') — tested with login flows, MFA, and session handling. Authorisation verifies permission…

  3. What is SQL injection and how does a QA tester verify that inputs are protected? (Junior)

    SQL injection occurs when user input is interpolated into a SQL query, allowing an attacker to alter the query's logic. A QA tester valid…

  4. What cookie security flags exist and how do you verify they are correctly set? (Junior)

    HttpOnly prevents JavaScript from reading the cookie (mitigates XSS-based session theft). Secure ensures the cookie is only sent over HTT…

  5. Which security response headers should be present and how do you check them in a test? (Junior)

    Key headers: Content-Security-Policy (restricts resource loading — mitigates XSS), Strict-Transport-Security (HSTS — enforces HTTPS), X-C…

  6. What is cross-site scripting (XSS) and how do you test that an application prevents it? (Mid)

    XSS occurs when user-supplied content is rendered in the browser without encoding, allowing injected JavaScript to execute in another use…

  7. How do you test for broken access control and IDOR vulnerabilities? (Mid)

    Insecure Direct Object References allow users to access resources by guessing or incrementing identifiers. Test by authenticating as User…

  8. What is CSRF and how do you verify that a protection mechanism is working? (Mid)

    Cross-site request forgery tricks an authenticated user's browser into sending a state-changing request to a target site without their kn…

  9. How do you test session management — what signals indicate a problem? (Mid)

    Verify sessions expire after inactivity and absolute timeout, that a new token is issued on login (preventing session fixation), that tok…

  10. How do you test for sensitive data exposure in API responses and application logs? (Mid)

    Intercept all API responses for endpoints handling PII, payment data, or credentials, and verify sensitive fields are absent, masked, or…

  11. What is the difference between SAST and DAST, and where does each fit in a QA workflow? (Mid)

    SAST (Static Application Security Testing) analyses source code without running it — fast, runs in the IDE or PR gate, but produces false…

  12. How do you test rate limiting and brute-force protection on an authentication endpoint? (Mid)

    Send a rapid sequence of login requests with invalid credentials and assert the application responds with 429 Too Many Requests, introduc…

  13. How does rigorous boundary and negative testing form a layer of security validation? (Mid)

    Injection and overflow vulnerabilities are triggered at the edges of expected input. A QA team that practises thorough boundary testing —…

  14. What is software composition analysis (SCA) and how does it fit into a QA team's workflow? (Mid)

    SCA scans your dependency tree for known vulnerabilities (CVEs) in third-party libraries. Tools include Snyk, Dependabot, and OWASP Depen…

  15. How do you test for security misconfiguration in a deployed web application? (Mid)

    Security misconfiguration covers missing headers, overly permissive CORS, unnecessary features enabled (directory listing, debug endpoint…

  16. How do you design an API security test suite that validates authorisation on every endpoint? (Senior)

    Build a matrix of all API endpoints × role types. For each cell, assert the expected HTTP status (200 for permitted, 403 for forbidden) a…

  17. How do you test OAuth 2.0 and JWT-based authentication flows for security weaknesses? (Senior)

    For OAuth: test that the state parameter is validated (CSRF on the auth flow), redirect URIs are checked against an allowlist, and author…

  18. How do you integrate DAST scanning into a CI/CD pipeline while keeping false positives manageable? (Senior)

    Run DAST in baseline (passive) mode against staging as a nightly step — not on every PR. Active scanning is too slow and noisy for PR gat…

  19. How do you test for business logic vulnerabilities that automated scanners cannot find? (Senior)

    Business logic vulnerabilities are specific to the application's domain — price manipulation, workflow step skipping, quantity exploits.…

  20. How do you test file upload functionality for security vulnerabilities? (Senior)

    Test: uploading a file with a mismatched extension and Content-Type, an executable disguised as an image, a filename containing path trav…

  21. How do you verify that secrets and credentials are never exposed in API responses, logs, or client-side code? (Senior)

    Test three surfaces: intercept all API responses and search for credential patterns in the body; access application logs in a test enviro…

  22. How do you test for injection vulnerabilities beyond SQL — including command, LDAP, and XML injection? (Senior)

    Each injection type exploits a different parsing context and requires different payloads. Command injection targets OS shell calls; LDAP…

  23. How do you write a negative security test plan for a feature that handles sensitive PII? (Senior)

    Map every point where PII enters, moves through, and exits the system. For each point, write negative cases: accessing another user's PII…

  24. How do you define a security testing strategy that integrates QA with the dedicated security team? (Lead)

    Define clear lanes: QA owns preventive security testing (OWASP Top 10 coverage, SAST/SCA in CI, functional security tests per feature). T…