API Security Tutorial
CHAPTER 20 Intermediate

API Security Interview Questions and Practice Challenges

Updated: May 13, 2026
20 min read

1. Introduction

You have completed the API Security Tutorial. You now have the knowledge to design, defend, and audit a modern REST API against the attack classes covered in the preceding chapters. Knowing how to write the code is only half the battle: to pass a technical interview for a Backend Developer, DevOps, or Cybersecurity role you must also be able to explain these concepts clearly, and to say why a control works rather than just that it exists. This final chapter collects a curated list of high-yield interview questions and practice challenges to consolidate what you have learned.

---

2. Core Concepts & Architecture Interview Questions

Q1. What is the "Zero Trust" principle in API architecture? *Answer:* The assumption that no request is trustworthy because of where it comes from. A call from an internal service, a VPN client, or your own mobile app gets no more trust than one from the open internet: the backend authenticates the caller, authorizes the specific action on the specific resource, and validates all input on every request, rather than relying on a network perimeter or on checks the client claims to have already performed.

Q2. Explain the difference between Authentication and Authorization. Give examples. *Answer:* Authentication verifies identity ("Who are you?" e.g., logging in with email/password to get a JWT). Authorization verifies permissions ("What are you allowed to do?" e.g., checking if the logged-in user has the 'admin' role required to access the /delete endpoint).

Q3. What is the Attack Surface of an API? *Answer:* The sum of all points at which an attacker can supply input to, or extract information from, the system. For an API that means every URL path (including undocumented and legacy versions), query parameters, HTTP headers and cookies, the request body (JSON fields, multipart file uploads), and the responses themselves, since verbose errors and over-fetched fields leak information. Reducing it means removing unused endpoints and fields and validating everything that remains.

Q4. Explain the difference between Rate Limiting and Throttling. *Answer:* Rate limiting is a hard cutoff: above the quota (say 100 requests per minute) the 101st request is rejected with 429 Too Many Requests. Throttling is a soft degradation: the 101st request is still processed but intentionally delayed (for example by 2 seconds) to reduce load. The two terms are used interchangeably in a lot of documentation, so in an interview state the definition you are using, and mention that login and password-reset endpoints need far tighter limits than ordinary reads.

---

3. Vulnerability & Attack Interview Questions

Q5. What is the #1 vulnerability on the OWASP API Top 10, and how do you mitigate it? *Answer:* Broken Object Level Authorization (BOLA, also called IDOR), listed as API1 in both the 2019 and 2023 editions. It occurs when an API takes a resource identifier from the URL or body and acts on it without verifying that the caller is allowed to access that particular object. Mitigation is backend logic that checks ownership or access rights on every object access, for example by scoping the query to the authenticated user (AND user_id = ?) or by routing all lookups through one central authorization function. Random, unguessable IDs (UUIDs) make enumeration harder but are not a substitute for the check. Write tests that attempt cross-user access for every endpoint that takes an ID.

Q6. Exactly how do Prepared Statements (Parameterized Queries) neutralize SQL Injection? *Answer:* The SQL text containing placeholders is parsed and compiled by the database before any user value is supplied. The values are then bound to the placeholders as data, so a string such as ' OR '1'='1 can never become part of the statement's grammar; it is simply the literal value the column is compared against. Two caveats are worth mentioning: placeholders can only carry values, not identifiers, so a user-chosen table, column, or ORDER BY direction must be validated against an allow-list; and in PHP, PDO's MySQL driver emulates prepares client-side by default, so set PDO::ATTR_EMULATE_PREPARES to false if you want genuine server-side prepared statements.
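
The same lookup written both ways, as an added example that is not code from the tutorial. It runs against an in-memory SQLite table seeded with constructed rows (the pdo_sqlite extension is assumed), and also shows the allow-list needed for the one thing a placeholder cannot bind, a sort column.

```php
<?php
// Added example, not from the tutorial: string concatenation versus a PDO
// prepared statement, plus an allow-listed ORDER BY column. Requires pdo_sqlite.
// For MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
    // Constructed rows.
    $db->exec("INSERT INTO users (email, role) VALUES
        ('alice@example.com', 'user'),
        ('bob@example.com', 'admin')");
    return $db;
}

// VULNERABLE: the input is spliced into the SQL text and becomes grammar.
function findUserVulnerable(PDO $db, string $email): array
{
    $sql = "SELECT id, email, role FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement is compiled first; the value is bound afterwards as data.
function findUserSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email, role FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cannot bind identifiers, so the sort column is mapped through
// an allow-list and anything else is refused outright.
function listUsersSorted(PDO $db, string $sortBy): array
{
    $allowed = ['id' => 'id', 'email' => 'email'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $db->query('SELECT id, email, role FROM users ORDER BY ' . $allowed[$sortBy]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "' OR '1'='1";   // classic tautology injection

printf("concatenated query: %d rows\n", count(findUserVulnerable($db, $payload)));
printf("prepared statement: %d rows\n", count(findUserSafe($db, $payload)));
print_r(listUsersSorted($db, 'email'));

try {
    listUsersSorted($db, 'id; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected sort column: {$e->getMessage()}\n";
}
```

With the tautology payload the concatenated query returns every row in the table, while the prepared statement returns none because no user has that literal string as an email. The sort-column function is the pattern to reach for whenever a user controls part of the statement structure rather than a value.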

Q7. Explain the "None" algorithm attack against JSON Web Tokens (JWT). *Answer:* The JWT header carries an alg field naming the signing algorithm. Libraries that trusted this field let an attacker change it to "alg": "none", strip the signature, edit the payload (for example the user id or role), and have the server accept the token because "none" means there is no signature to check. The fix is to never let the token choose how it is verified: the server decides the expected algorithm (e.g., HS256) and key from its own configuration, rejects any token whose header does not match, and uses a library API that takes an explicit algorithm allow-list. The same principle blocks the related key-confusion attack, where a token is switched from RS256 to HS256 so that the server's public key gets used as an HMAC secret.

Q8. How does an API facilitate Cross-Site Scripting (XSS), and how do you prevent it? *Answer:* The API is rarely where the script executes; it is where an attacker's payload is stored and later served to a frontend that renders it into HTML without escaping. The defence is split across the layers. The frontend must encode data for the context it renders into (HTML text, attribute, JavaScript, URL), which is what htmlspecialchars() in a PHP template or textContent in JavaScript does. The API's job is to emit well-formed JSON via json_encode(), send Content-Type: application/json and X-Content-Type-Options: nosniff so browsers never interpret the response as HTML, and avoid reflecting user input into HTML error pages. Do not HTML-escape data inside JSON: that corrupts it for non-HTML consumers and still leaves other rendering contexts unprotected.

Q9. What is Mass Assignment (Broken Object Property Level Authorization)? *Answer:* When an API binds the incoming JSON body straight onto a database row or ORM model, every column becomes writable. An attacker adds fields the UI never exposes ("is_admin": true, "balance": 9999, "owner_id": 1) and the framework writes them. Mitigation is a strict allow-list of writable properties per endpoint and role: copy only those keys out of the request, drop or log the rest, and never pass the raw body to a generic fill() or update() method. The 2023 OWASP API Top 10 groups this with excessive data exposure under API3, Broken Object Property Level Authorization.
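
An update handler that applies such an allow-list, as an added example (not the tutorial's code). The users table and the malicious request body are constructed inline; pdo_sqlite is assumed.

```php
<?php
// Added example, not from the tutorial: a profile update that binds only
// allow-listed fields from the JSON body. Table and payload are constructed.
declare(strict_types=1);

// Columns a user may change on their own profile. Anything else in the body
// (is_admin, role, id, ...) is dropped and reported, never written.
const UPDATABLE_FIELDS = ['display_name', 'bio'];

function updateProfile(PDO $db, int $userId, array $body): array
{
    $fields   = array_intersect_key($body, array_flip(UPDATABLE_FIELDS));
    $rejected = array_keys(array_diff_key($body, $fields));
    if ($fields === []) {
        return ['updated' => [], 'rejected' => $rejected];
    }
    // Column names come from the constant, so building the SET clause from
    // them is safe; the values are still bound as parameters.
    $set  = implode(', ', array_map(fn($col) => "$col = :$col", array_keys($fields)));
    $stmt = $db->prepare("UPDATE users SET $set WHERE id = :id");
    $stmt->execute($fields + ['id' => $userId]);
    return ['updated' => array_keys($fields), 'rejected' => $rejected];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, bio TEXT, is_admin INTEGER DEFAULT 0)');
$db->exec("INSERT INTO users (display_name, bio) VALUES ('alice', 'hi')");

// Constructed malicious body: one legitimate field plus a privilege escalation attempt.
$body = json_decode('{"display_name":"Alice","is_admin":true}', true);

print_r(updateProfile($db, 1, $body));
print_r($db->query('SELECT display_name, is_admin FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```

The display name changes and is_admin stays 0. Returning the rejected keys is a design choice: it makes the behaviour visible in logs and tests, whereas silently ignoring them hides probing attempts.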

---

4. Implementation & Security Engineering Questions

Q10. Why is the state parameter critical in the OAuth 2.0 flow? *Answer:* It binds the authorization response to the browser session that started the flow, which prevents login CSRF. The application generates an unguessable random state, stores it in the session, and includes it in the redirect to the authorization server (e.g., Google). When the user is redirected back, the app compares the returned state with the stored one using a constant-time comparison and then discards the stored value so it cannot be reused. Without this, an attacker could start a flow with their own account, capture the callback URL, and trick a victim into visiting it, logging the victim into the attacker's account or attaching the attacker's identity to the victim's session.
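
The two halves of that check in PHP, as an added example that is not from the tutorial. The session is passed in as an array so the code runs from the command line; in a real application it would be $_SESSION after session_start(). The authorization endpoint, client_id and redirect_uri are placeholders.

```php
<?php
// Added example, not from the tutorial: issuing and validating the OAuth 2.0
// state parameter. Session is an array stand-in; URLs and client id are placeholders.
declare(strict_types=1);

function beginAuthorization(array &$session): string
{
    $state = bin2hex(random_bytes(32));             // unguessable, one per flow
    $session['oauth_state']         = $state;
    $session['oauth_state_expires'] = time() + 600; // bound how long it stays valid
    $params = [
        'response_type' => 'code',
        'client_id'     => 'example-client-id',
        'redirect_uri'  => 'https://app.example/callback',
        'scope'         => 'openid email',
        'state'         => $state,
    ];
    return 'https://auth.example/authorize?' . http_build_query($params);
}

// Called on the redirect back. Returns the authorization code only when the
// state matches the one this session issued; the stored value is consumed
// either way so it cannot be replayed.
function handleCallback(array &$session, array $query): ?string
{
    $expected = $session['oauth_state'] ?? null;
    $expires  = $session['oauth_state_expires'] ?? 0;
    unset($session['oauth_state'], $session['oauth_state_expires']);

    $received = $query['state'] ?? null;
    if ($expected === null || time() > $expires
        || !is_string($received) || !hash_equals($expected, $received)) {
        return null;    // attacker-initiated or stale flow
    }
    return $query['code'] ?? null;
}

$session = [];
$url = beginAuthorization($session);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);

// Legitimate callback: carries the state this session generated.
var_dump(handleCallback($session, ['code' => 'AUTH_CODE', 'state' => $sent['state']]));

// Callback crafted by someone else: wrong state, so no code is returned.
beginAuthorization($session);
var_dump(handleCallback($session, ['code' => 'ATTACKER_CODE', 'state' => 'deadbeef']));
```

The first call returns the code, the second null. hash_equals() is used rather than === so the comparison does not leak timing information, and the stored state is removed before the comparison result is even known, which is what makes it single-use.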

Q11. Walk me through how you securely handle file uploads via an API. *Answer:*

  1. Enforce a maximum file size, in the web server and again in the application, before doing anything else.
  2. Determine the real type from the file's bytes (finfo in PHP) and compare it against a short allow-list of expected types; never trust the client's filename, extension, or Content-Type.
  3. Discard the original filename. Store the file under a random name (bin2hex(random_bytes(16))) with an extension you assign from the allow-list, so path traversal and double-extension tricks like hack.php.jpg are irrelevant.
  4. Store it outside the public web root or in object storage such as S3, and serve it back through a handler that sets a fixed Content-Type, a Content-Disposition header, and X-Content-Type-Options: nosniff.

Sniffing the type stops mislabelled files, not polyglots: a valid GIF can still carry PHP source in its comment block. The control that actually prevents remote code execution is that nothing in the upload location is ever executed or served as a script.

Q12. What is Information Leakage via Error Messages, and how is it prevented? *Answer:* Returning verbose technical errors (SQL errors, stack traces, file paths, framework versions) to the client, which hands an attacker a map of your stack and often confirms that an injection attempt reached the database. Prevention: turn off error display in production (display_errors = Off in php.ini), install a global exception handler that logs the full detail server-side, and return a generic JSON error with HTTP 500 and a correlation id the client can quote to support, never the exception message itself.

Q13. Why is it dangerous to use Access-Control-Allow-Origin: * in a CORS configuration? *Answer:* CORS controls whether a browser lets a page from another origin read the response to a cross-origin request. The wildcard tells the browser that every origin may read it, so any site can pull data out of the API. One nuance matters in interviews: browsers refuse to expose a credentialed response when the header is *, so the wildcard mostly exposes APIs that are "authenticated" by something the browser attaches anyway, such as an intranet address or an IP allow-list. The genuinely dangerous misconfiguration for cookie-based sessions is reflecting the request's Origin header back unvalidated together with Access-Control-Allow-Credentials: true, which does let a malicious site read the logged-in user's data. Also remember that CORS never stops the request from being sent, only the response from being read, so an API that uses cookies still needs CSRF protection (SameSite cookies, anti-CSRF tokens, or bearer tokens instead of cookies).
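
The alternative to the wildcard is an explicit origin allow-list. The handler below is an added example, not the tutorial's code; it returns the headers as an array so it can be run without a web server (a real handler would call header() for each and answer OPTIONS preflights with 204). The allowed origins are placeholders.

```php
<?php
// Added example, not from the tutorial: CORS headers from an origin allow-list.
// Origins are placeholders; the function returns headers instead of sending them.
declare(strict_types=1);

const ALLOWED_ORIGINS = [
    'https://app.example',
    'https://admin.example',
];

function corsHeaders(?string $origin, bool $withCredentials): array
{
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        // Unknown origin: emit no Allow-Origin at all, so the browser blocks the
        // read. The request still reaches the handler, so this is not CSRF defence.
        return ['Vary' => 'Origin'];
    }
    $headers = [
        // Echo the matched allow-list entry, never "*" and never the raw Origin header.
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Methods' => 'GET, POST, DELETE, OPTIONS',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
        'Access-Control-Max-Age'       => '600',
        // The response differs per origin, so caches must key on it.
        'Vary'                         => 'Origin',
    ];
    if ($withCredentials) {
        // Only valid alongside a specific origin; browsers reject it with "*".
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

print_r(corsHeaders('https://app.example', true));   // trusted frontend
print_r(corsHeaders('https://evil.example', true));  // anything else
print_r(corsHeaders(null, false));                   // same-origin or non-browser client
```

Matching with in_array(..., true) against full origins (scheme, host, port) is deliberate: prefix or regex matching on the hostname is how allow-lists get bypassed with domains like app.example.attacker.net.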

---

5. Hands-on Practice Challenges for Your Portfolio

To prove your skills to employers, build the following projects and host them on GitHub. Be sure to detail the security features in your README.md.

Challenge 1: The Secure Login API *Task:* Build a PHP API with /register and /login endpoints. *Security Requirements:*

  • Hash passwords with password_hash() and check them with password_verify(); never compare hashes yourself.
  • Implement a basic IP rate limit (e.g., max 5 login attempts per minute) using a database table.
  • Return generic error messages ("Invalid credentials").
  • Generate and return a secure JWT upon successful login.
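
One way to meet all four requirements, as an added example rather than the tutorial's reference solution. It also contains the verifier that Q7 describes: the algorithm is fixed by the server, so a forged "alg": "none" token is refused. pdo_sqlite is assumed; the secret, user row and IP addresses are constructed placeholders, and the JWT code is a minimal HS256 implementation rather than a library call.

```php
<?php
// Added example, not from the tutorial: Challenge 1 login handler (password_hash /
// password_verify, per-IP attempt limit in a table, one generic error) issuing an
// HS256 JWT, plus the Q7 verifier that pins the algorithm. Needs pdo_sqlite.
declare(strict_types=1);

const JWT_SECRET     = 'replace-with-32-random-bytes-from-a-secret-store';  // placeholder
const MAX_ATTEMPTS   = 5;   // attempts per IP ...
const WINDOW_SECONDS = 60;  // ... within this window

function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64urlDecode(string $s): string|false
{
    $s = strtr($s, '-_', '+/');
    return base64_decode(str_pad($s, (int) ceil(strlen($s) / 4) * 4, '='), true);
}

function issueJwt(array $claims): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Returns the claims, or null for anything that is not an HS256 token under our
// key. The algorithm is our decision; the header is only checked for agreement.
function verifyJwt(string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;   // "none", RS256, anything unexpected
    }
    $given = b64urlDecode($s);
    if ($given === false || !hash_equals(hash_hmac('sha256', "$h.$p", JWT_SECRET, true), $given)) {
        return null;
    }
    $claims = json_decode((string) b64urlDecode($p), true);
    return (is_array($claims) && ($claims['exp'] ?? 0) >= time()) ? $claims : null;
}

function tooManyAttempts(PDO $db, string $ip): bool
{
    $db->prepare('DELETE FROM login_attempts WHERE attempted_at < ?')->execute([time() - WINDOW_SECONDS]);
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = ?');
    $stmt->execute([$ip]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

function login(PDO $db, string $ip, string $email, string $password): array
{
    if (tooManyAttempts($db, $ip)) {
        return ['status' => 429, 'body' => ['error' => 'Too many attempts']];
    }
    $db->prepare('INSERT INTO login_attempts (ip, attempted_at) VALUES (?, ?)')->execute([$ip, time()]);
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // One message for "no such user" and "wrong password" alike.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return ['status' => 401, 'body' => ['error' => 'Invalid credentials']];
    }
    $now = time();
    return ['status' => 200, 'body' => ['token' => issueJwt(['sub' => (int) $user['id'], 'iat' => $now, 'exp' => $now + 900])]];
}

// Constructed database state.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE login_attempts (ip TEXT, attempted_at INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

$ok = login($db, '203.0.113.7', 'alice@example.com', 'correct horse battery staple');
print_r($ok);
print_r(verifyJwt($ok['body']['token']));

// Forge an unsigned token: same payload, header switched to "none", empty signature.
$payloadPart = explode('.', $ok['body']['token'])[1];
var_dump(verifyJwt(b64url(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . ".$payloadPart."));

// Exhaust the per-IP budget with wrong passwords, then try the right one.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    login($db, '198.51.100.9', 'alice@example.com', 'wrong');
}
print_r(login($db, '198.51.100.9', 'alice@example.com', 'correct horse battery staple'));
```

The genuine token verifies to its claims, the forged token yields null, and the sixth attempt from the second IP gets a 429 even with the correct password. An IP-keyed limit alone is coarse (many users share a NAT address), so production code usually limits per account as well and reads the client address from a trusted proxy header rather than the socket.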

Challenge 2: BOLA Defense Simulator *Task:* Build a /api/notes endpoint that supports GET, POST, and DELETE. *Security Requirements:*

  • Require JWT authentication for all routes.
  • The database table must have id, user_id, and content.
  • The DELETE /api/notes/{id} endpoint must successfully delete a note if the logged-in user owns it, but return a 403 Forbidden if they try to delete another user's note. Use PDO prepared statements.
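
The DELETE handler with the ownership check from Q5 pushed into the SQL itself, as an added example (not a reference solution from the tutorial). It assumes the caller has already validated the JWT and extracted $currentUserId; the notes table and rows are constructed, and pdo_sqlite is assumed.

```php
<?php
// Added example, not from the tutorial: Challenge 2's DELETE /api/notes/{id}
// with the BOLA check from Q5. Authentication is assumed to have happened
// upstream; the notes are constructed data. Needs pdo_sqlite.
declare(strict_types=1);

function deleteNote(PDO $db, int $currentUserId, int $noteId): array
{
    // Look the note up first so the response can distinguish "no such note"
    // from "not yours". Return 404 for both if confirming that another user's
    // note id exists is itself considered a leak.
    $stmt = $db->prepare('SELECT user_id FROM notes WHERE id = ?');
    $stmt->execute([$noteId]);
    $ownerId = $stmt->fetchColumn();
    if ($ownerId === false) {
        return ['status' => 404, 'body' => ['error' => 'Not found']];
    }
    if ((int) $ownerId !== $currentUserId) {
        return ['status' => 403, 'body' => ['error' => 'Forbidden']];
    }
    // The DELETE repeats the ownership condition so the authorization decision
    // never rests on the SELECT alone.
    $del = $db->prepare('DELETE FROM notes WHERE id = ? AND user_id = ?');
    $del->execute([$noteId, $currentUserId]);
    if ($del->rowCount() !== 1) {
        return ['status' => 404, 'body' => ['error' => 'Not found']];
    }
    return ['status' => 204, 'body' => null];
}

// Constructed data: note 1 belongs to user 1, note 2 to user 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, content TEXT)');
$db->exec("INSERT INTO notes (user_id, content) VALUES (1, 'mine'), (2, 'theirs')");

print_r(deleteNote($db, 1, 2));   // user 1 targets user 2's note
print_r(deleteNote($db, 1, 1));   // user 1 deletes their own note
print_r(deleteNote($db, 1, 1));   // the same note again
```

The three calls produce 403, 204 and 404 in that order. The test worth writing for the challenge is exactly the first call: authenticate as one user and attempt every ID-taking endpoint against another user's object.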

Challenge 3: The Safe Vault (File Upload) *Task:* Build a /api/upload endpoint intended for image uploads. *Security Requirements:*

  • Write PHP code that rejects a file named hack.php.jpg whose contents are PHP source, by inspecting the real MIME type with finfo rather than trusting the extension.
  • Rename the file using bin2hex(random_bytes(16)).
  • Save it to a directory outside the web root; if it must live under the web root, deny script execution there (for example with an .htaccess that switches the PHP handler off) and verify that the web server actually honours it.
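
The validation chain from Q11 applied to this challenge, as an added example that is not the tutorial's solution. Instead of reading $_FILES it takes a path and the client-supplied name so it can be exercised against files constructed in a temp directory; UPLOAD_DIR is a placeholder that must sit outside the document root.

```php
<?php
// Added example, not from the tutorial: Q11's upload checks for Challenge 3.
// Takes a path plus the client name instead of $_FILES so it runs offline.
// UPLOAD_DIR is a placeholder; the sample files are constructed below.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // not served by the web server
const MAX_BYTES  = 5 * 1024 * 1024;
// Sniffed type => extension we assign. The extension never comes from the client.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function storeImageUpload(string $tmpPath, string $clientName, string $uploadDir = UPLOAD_DIR): array
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'error' => 'bad size'];
    }
    // Sniff the real type from the bytes; "hack.php.jpg" containing PHP source
    // is reported as a text type, not as an image, whatever its name says.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'error' => 'unsupported type', 'detected' => $mime, 'client_name' => $clientName];
    }
    // A file that sniffs as an image must also decode as one.
    if (@getimagesize($tmpPath) === false) {
        return ['ok' => false, 'error' => 'not a decodable image'];
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // Use move_uploaded_file() for a real $_FILES entry; rename() here because
    // the samples are not HTTP uploads.
    if (!rename($tmpPath, $uploadDir . '/' . $name)) {
        return ['ok' => false, 'error' => 'could not store file'];
    }
    return ['ok' => true, 'stored_as' => $name, 'mime' => $mime];
}

// Constructed inputs, with a temp directory standing in for UPLOAD_DIR.
$dir = sys_get_temp_dir() . '/uploads-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

$evil = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($evil, "<?php system(\$_GET['cmd']); ?>");
print_r(storeImageUpload($evil, 'hack.php.jpg', $dir));

$good = tempnam(sys_get_temp_dir(), 'up');
// Smallest valid 1x1 GIF, embedded as a byte string.
file_put_contents($good, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
print_r(storeImageUpload($good, 'avatar.gif', $dir));
```

The first call is rejected on type, the second is stored under a random name ending in .gif. If the directory must live under the web root, an .htaccess containing php_flag engine off (mod_php only) is the usual defence in depth, but it is ignored unless AllowOverride permits it and does nothing for php-fpm setups where the handler is chosen in the virtual host, so test it by uploading a harmless .php file and requesting it.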

---

6. Conclusion

Security is not a destination; it is a continuous process. As backend technologies evolve, so do the tactics of attackers. By mastering the principles in this tutorial—Zero Trust, Defense in Depth, Cryptography, and Validation—you have built a mental framework that will serve you throughout your entire career. Stay curious, read the OWASP updates regularly, and always code defensively. Congratulations on completing the API Security Tutorial!
