Interview Questions - TairinySimeonato/WebAuditing GitHub Wiki

  1. Explain the difference between DOM-based and reflected XSS.

  • DOM-based: the payload is handled client side by the page's own script and does not appear in the server response.
  • Reflected: the payload is embedded in the server response, i.e. handled server side.

  2. How to defend against CSRF?

  • CSRF token
  • Login CSRF: create a pre-session token and include it in the login form
  • Validate the Referer header
  • Double-submit cookie

  3. Scenario: Facebook wants to use some Google script. Is it possible? Could it have security implications? It is possible, but not best practice: any vulnerability in the Google script would also be present in Facebook. Facebook should never use 3rd-party code.

  4. Explain XSS

  5. Explain CSRF

  6. Explain SQL injection

  7. Difference between encoding, hashing and encrypting.

  • Encoding ensures message integrity. It is easily reversible. Example: base64.
  • Encryption guarantees message confidentiality. It is reversible only with the appropriate decryption keys. Example: AES-256.
  • Hashing is a one-way function and cannot be reversed. The output is fixed length and usually smaller than the input.
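Side by side, as an added example that is not part of this wiki: base64 encoding is reversible with no key at all, while SHA-256 hashing gives a fixed-length digest with no inverse. Encryption is left out of the code because Python's standard library has no AES; `looks_like_base64_secret` is an assumed helper for spotting "protected" values that were merely encoded.

```python
import base64
import hashlib


def encode_b64(data: bytes) -> str:
    """Encoding: a keyless, reversible transformation. Anyone can undo it,
    so it gives no confidentiality whatsoever."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    return base64.b64decode(text)


def sha256_hex(data: bytes) -> str:
    """Hashing: one-way. SHA-256 always yields 32 bytes (64 hex chars),
    however large the input, and there is no inverse function."""
    return hashlib.sha256(data).hexdigest()


def looks_like_base64_secret(value: str) -> bool:
    """Review check (assumed helper): a stored 'secret' that decodes cleanly to
    printable text was only encoded, not encrypted or hashed."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    return len(decoded) > 0 and all(32 <= b < 127 for b in decoded)


def demo():
    secret = b"hunter2"                       # constructed sample input
    encoded = encode_b64(secret)
    assert decode_b64(encoded) == secret      # reversible without any key
    short_digest = sha256_hex(secret)
    long_digest = sha256_hex(b"A" * 10_000)
    assert len(short_digest) == len(long_digest) == 64   # fixed length
    assert sha256_hex(b"hunter3") != short_digest        # tiny change, new digest
    return encoded, short_digest
```

The practical takeaway for a reviewer: a value that `looks_like_base64_secret` flags is readable by anyone who finds it, and a hash in a database cannot be "decrypted" back to the password, only brute-forced.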

  1. How would you test a website for security flaws?

  2. In your opinion, what has been the biggest advancement in technology this past year?

  3. Looking at our products and services, what do you think we do better at NCC Group plc. than any of our competitors?

  4. How do you keep up-to-date on new technologies and trends in this industry?

  5. What is CSRF and how is it different from XSS?

  6. You are performing an application penetration test and you come across a Java applet, describe what you might do with it.

  7. An HTML page of a victim to get their Windows computer to send you their password hashes?

  8. What tests you would perform in the following scenarios: suppose you are assessing an application, the “forgot password” process consists of 3 steps:

  • Enter your username
  • Answer 3 security questions
  • Set a new password

  1. You have found Local File Inclusion in a .php file on a webserver; you want to read the file contents of the local file config.php file on the webserver but the code is being interpreted. How do you gain access to the file contents of config.php?

  2. How would you turn a Local File Inclusion against a Linux host into Command Execution?

  3. Describe how and where in an application you might test for username enumeration.

  4. Are there any security concerns with scoping an authorization cookie to the parent domain?

  5. On a Linux host running MySQL, how would you go about gaining command execution leveraging SQL Injection?

  6. Describe what SQL Injection is and how you would test for it? @jstnkndy

  7. What about Blind SQL Injection and how is it different from other kinds? @jstnkndy

  8. How can SQL Injection lead to remote code execution? @morgoroth

  9. How can you execute OS commands with MSSQL injection? @enddo

  10. Describe a webshell and how you would upload/use one. @enddo

  11. How would you bypass uploader protections? @enddo

  12. Describe Remote Command Execution (RCE). @enddo

  13. How would you prevent it in PHP? @enddo

  14. How would you prevent CSRF?

  15. Describe the different types of Cross Site Scripting. @jstnkndy

  16. How would you exploit XSS?

  17. What is the purpose of the same origin policy with relation to the document object model? @jstnkndy

  18. Describe the basics of input and output of a block cipher. @jstnkndy

  19. How does the Heartbleed vulnerability work? @webbreacher

  20. How do you exploit the Shellshock vulnerability and what can an attacker do with it? @webbreacher

  21. What could attackers do with HTTP Header Injection vulnerability?

Carriage returns and line feeds (%0D and %0A) are the means that let an attacker control HTTP headers:

  • Inject XSS via the Referer header
  • Set a cookie to a value known by the attacker (session fixation)
  • Redirect to a malicious server
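An added example (not from the original wiki) of the defensive side of this answer: a response-header gate that refuses any value containing CR, LF or NUL rather than trying to clean it, plus an allowlist for redirect hosts so the Location header can neither inject headers nor send the user off-site. `allowed_hosts` and the hostname `app.example.com` are assumptions.

```python
import re
from urllib.parse import urlsplit

# CR, LF and NUL are the characters that let a value spill into a new header line
_CTL = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Reject a header value containing CR/LF/NUL instead of trying to clean it."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def safe_redirect_target(target: str, allowed_hosts) -> str:
    """A Location value that cannot inject headers and cannot redirect off-site.
    allowed_hosts is a set of hostnames (assumed configuration)."""
    target = safe_header_value(target)
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative URL: host must be on the allowlist
        if parts.scheme not in ("http", "https") or parts.netloc not in allowed_hosts:
            raise ValueError("redirect target not on the allowlist")
    elif not target.startswith("/") or target.startswith("//"):
        raise ValueError("relative target must be a single-slash path")
    return target


def redirect_headers(target, allowed_hosts, session_cookie_value):
    """Headers for a 302 response: both values pass through the same gate."""
    return [
        ("Location", safe_redirect_target(target, allowed_hosts)),
        ("Set-Cookie", "session=" + safe_header_value(session_cookie_value) + "; HttpOnly; Secure"),
    ]


def is_safe_redirect(target, allowed_hosts) -> bool:
    try:
        safe_redirect_target(target, allowed_hosts)
    except ValueError:
        return False
    return True


def demo():
    hosts = {"app.example.com"}              # assumed allowlist
    # constructed input: a ?next= parameter after URL-decoding %0D%0A, carrying an injected header line
    injected = "/home\r\nSet-Cookie: session=known-to-attacker"
    return is_safe_redirect("/home", hosts), is_safe_redirect(injected, hosts)
```

Modern web frameworks already refuse CR/LF in header values; the gate above matters when headers are written by hand or by older libraries, and the host allowlist addresses the open-redirect case separately because stripping CRLF alone does not stop "redirect to a malicious server".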

  1. How would you implement a secure login field on a high traffic website where performance is a consideration?
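An added example (not the wiki's own) of two of the controls named in the answer that follows: computing a Subresource Integrity value for a pinned third-party script and building a strict Content-Security-Policy header for the login page. The CDN name `https://cdn.example.com` and the script bytes are placeholders.

```python
import base64
import hashlib
import hmac


def sri_integrity(resource: bytes, algo: str = "sha384") -> str:
    """Build the value for <script integrity="...">: '<algo>-<base64 digest>'.
    sha384 is the common choice; sha256 and sha512 are also allowed by the spec."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, resource).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(resource: bytes, expected: str) -> bool:
    """What the browser does: recompute and compare before executing the file."""
    algo = expected.split("-", 1)[0]
    try:
        actual = sri_integrity(resource, algo)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def login_page_csp(pinned_cdn: str) -> str:
    """A strict CSP for a login page: no inline script, scripts only from the
    site itself and one pinned CDN, no plugins, no framing, forms only to self."""
    directives = [
        ("default-src", "'self'"),
        ("script-src", f"'self' {pinned_cdn}"),
        ("style-src", "'self'"),
        ("object-src", "'none'"),
        ("base-uri", "'self'"),
        ("form-action", "'self'"),
        ("frame-ancestors", "'none'"),
    ]
    return "; ".join(f"{name} {value}" for name, value in directives)


def script_tag(src: str, resource: bytes) -> str:
    """Tag that pins the exact bytes served from the CDN (placeholder src)."""
    return (f'<script src="{src}" integrity="{sri_integrity(resource)}" '
            'crossorigin="anonymous"></script>')
```

Neither control costs request-time CPU on the server: the SRI hash is computed once at build time and the CSP is a static header, which is why they fit a high-traffic login page. `form-action 'self'` is the directive that stops a tampered page from posting the credentials elsewhere.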

  • TLS (regardless of performance) is a must.
  • Reducing 3rd-party library dependencies could improve performance and reduce security risks (https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5)
  • Content Security Policy (CSP) to enforce stricter execution rules around JS and CSS (https://en.wikipedia.org/wiki/Content_Security_Policy)
  • Subresource Integrity (SRI) to ensure only known, trusted resource files are loaded from 3rd-party servers/CDNs (https://en.wikipedia.org/wiki/Subresource_Integrity)

  1. What are the various ways to handle brute forcing?
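Two of the controls in the list below, account lockout and per-IP rate limiting, as an added example that is not part of the wiki. The thresholds are assumed defaults, and `clock` is injectable so the behaviour can be exercised without waiting for real time to pass.

```python
import time
from collections import defaultdict, deque


class BruteForceGuard:
    """Per-account lockout after repeated failures plus a per-IP sliding-window
    rate limit, applied before the password is ever checked."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, ip_window=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.clock = clock                        # injectable for tests
        self._failures = defaultdict(int)         # account -> consecutive failures
        self._locked_until = {}                   # account -> monotonic unlock time
        self._ip_attempts = defaultdict(deque)    # ip -> attempt timestamps in window

    def allow(self, account: str, ip: str) -> bool:
        """Call before verifying the password. False means: answer with a
        generic error (no hint whether the account exists) and skip verification."""
        now = self.clock()
        window = self._ip_attempts[ip]
        while window and now - window[0] > self.ip_window:
            window.popleft()                      # drop attempts outside the window
        if len(window) >= self.ip_limit:
            return False
        window.append(now)

        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[account]       # lockout has expired
            self._failures[account] = 0
        return True

    def record(self, account: str, success: bool) -> None:
        """Call after the password check with its outcome."""
        if success:
            self._failures[account] = 0
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until
```

The per-IP limit catches credential stuffing across many accounts, the lockout catches a focused attack on one account; a lockout also gives an attacker a way to deny service to a user, which is why the lockout is temporary rather than permanent and why a second factor is the stronger long-term control.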

  • Account lockouts/timeouts
  • API rate limiting
  • IP restrictions
  • Fail2ban
  • etc.

  1. What is Cross-Site Request Forgery? And how to defend against it?
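An added example (not from the wiki) of the defenses this question asks about, covering the earlier answer on CSRF tokens, pre-session tokens and double-submit cookies as well: a session-bound token, a double-submit-cookie comparison and an Origin/Referer check, combined into one gate for state-changing requests. `SITE_ORIGIN` and the `request_allowed` signature are assumptions; the wiki's own answer follows.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example.com"   # assumed origin of the protected application


def new_csrf_token(session_id: str, server_key: bytes) -> str:
    """Token bound to a session id. For the login form, bind it to a pre-session
    id issued before authentication so login CSRF is covered as well."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(token, session_id: str, server_key: bytes) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def double_submit_ok(cookie_token, form_token) -> bool:
    """Double-submit cookie: the form must echo a CSRF cookie value that a
    cross-site page cannot read."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def origin_ok(headers) -> bool:
    """Prefer the Origin header; fall back to Referer; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def request_allowed(method, headers, form, session_id, server_key) -> bool:
    """Gate for state-changing requests. GET is waved through here because GET
    handlers must never change state; an <img> pointing at /logout works only
    when that rule is broken."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    return origin_ok(headers) and csrf_token_valid(form.get("csrf_token"), session_id, server_key)
```

The token check and the origin check are independent layers: the origin check needs no server-side state and catches most cross-site POSTs on its own, while the token survives browsers or privacy settings that strip Referer.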

When an attacker gets a victim's browser to make requests with the victim's credentials. Example: an image tag (<img>) that points to a URL with an associated action, e.g. https://foo.com/logout. Defenses include but are not limited to:

  • Check the Origin header and the Referer header
  • Check CSRF tokens or nonces

  1. What is Cross-Site Scripting? What are the different types of XSS? How to defend against XSS?

XSS is when attackers get victims' browsers to execute some code (usually JavaScript).

  • Traditionally, types have been categorized into Stored and Reflected XSS attacks.
  • Stored XSS is code that an attacker was able to persist in a database and that gets retrieved and presented to victims (e.g. a forum).
  • Reflected XSS is usually in the form of a maliciously crafted URL which includes the malicious code. When the user clicks on the link, the code runs in their browser.
  • Recently there have been discussions around DOM-based XSS, which occurs when attackers can control DOM elements and thus achieve XSS without sending any requests to the server.
  • XSS categories tend to overlap, so it is better to describe XSS in terms like Server Stored XSS, Server Reflected XSS, Client Stored XSS (e.g. stored DOM-based XSS), or Client Reflected XSS (e.g. reflected DOM-based XSS).

Defense includes:

  • Output encoding (more important)
  • Input validation (less important)
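Output encoding per context, as an added example that is not part of the wiki: the same reflected value rendered raw (a constructed vulnerable "before"), HTML-encoded for the page body, and encoded as a JavaScript string literal inside a script block. The `render_*` names are assumed.

```python
import html
import json


def enc_html(text: str) -> str:
    """For HTML body and quoted attribute contexts: & < > " ' become entities."""
    return html.escape(text, quote=True)


def enc_js_string(text: str) -> str:
    """For a value placed inside a <script> block: emit a JS string literal and
    also neutralise '</' so the data cannot close the script element, plus the
    two line terminators that json.dumps leaves alone in non-ASCII mode."""
    literal = json.dumps(text)
    return (literal.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_greeting_vulnerable(name: str) -> str:
    """Constructed 'before': the reflected parameter is concatenated raw, so any
    markup in it is parsed by the browser."""
    return f"<p>Hello {name}</p>"


def render_greeting(name: str) -> str:
    """'After': output encoding for the HTML context."""
    return f"<p>Hello {enc_html(name)}</p>"


def render_profile_script(display_name: str) -> str:
    """The same data in a script context needs a different encoder; HTML
    entities would be wrong here because the browser does not decode them
    inside <script>."""
    return f"<script>var displayName = {enc_js_string(display_name)};</script>"


def demo():
    probe = "<script>x()</script>"           # constructed reflected input
    return (render_greeting_vulnerable(probe),
            render_greeting(probe),
            render_profile_script(probe))
```

This is why the answer ranks output encoding above input validation: the encoder is chosen by where the data lands, not by where it came from. Server-side encoding does nothing for DOM-based XSS, where the fix is in the client script (writing to `textContent` instead of `innerHTML`, for instance).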

  1. How does HTTP handle state?

HTTP is stateless. State is stored in cookies.

  1. Explain risk, vulnerability and threat? TIP: A good way to start this answer is by explaining vulnerability, and threat and then risk. Back this up with an easy to understand example.

A vulnerability (weakness) is a gap in the protection efforts of a system; a threat is an attacker who exploits that weakness. Risk is the measure of potential loss when the vulnerability is exploited by the threat, e.g. a default username and password for a server: an attacker can easily crack into this server and compromise it.

  1. What is the difference between Asymmetric and Symmetric encryption and which one is better? TIP: Keep the answer simple as this is a vast topic.

Symmetric encryption uses the same key for both encryption and decryption, while Asymmetric encryption uses different keys for encryption and decryption.

Symmetric is usually much faster but the key needs to be transferred over an unencrypted channel.

Asymmetric, on the other hand, is more secure but slow. Hence, a hybrid approach should be preferred: set up a channel using asymmetric encryption, then send the data using the symmetric process.

  1. What is XSS, how will you mitigate it?

Cross site scripting is a JavaScript vulnerability in web applications. The easiest way to explain it is the case where a user enters a script in a client-side input field and that input gets processed without being validated. This leads to untrusted data getting saved and executed on the client side.

Countermeasures for XSS include input validation, implementing a CSP (Content Security Policy), etc.

TIP: Know the different types of XSS and how the countermeasures work.

  1. What is CSRF?

Cross Site Request Forgery is a web application vulnerability in which the server does not check whether the request came from a trusted client or not; the request is just processed directly. The answer can be followed up with ways to detect it, examples and countermeasures.

  1. What is a Security Misconfiguration?

Security misconfiguration is a vulnerability when a device/application/network is configured in a way which can be exploited by an attacker to take advantage of it. This can be as simple as leaving the default username/password unchanged or too simple for device accounts etc.

  1. What is a Black hat, white hat and Grey hat hacker? TIP: Keep the answer simple.

Black hat hackers are those who hack without authority. White hat hackers are authorised to perform a hacking attempt under a signed NDA. Grey hat hackers are white hat hackers who sometimes perform unauthorised activities.

  1. What is a firewall? TIP: Be simple with the answer, as this can get complex and lead to looped questions.

A firewall is a device that allows/blocks traffic as per a defined set of rules. Firewalls are placed on the boundary between trusted and untrusted networks.

  1. Various response codes from a web application?

  • 1xx - Informational responses
  • 2xx - Success
  • 3xx - Redirection
  • 4xx - Client-side error
  • 5xx - Server-side error

  1. DDoS and its mitigation?

DDoS stands for distributed denial of service: a network/server/application is flooded with a larger number of requests than it is designed to handle, making the server unavailable to legitimate requests. The requests come from different, unrelated sources, hence it is a distributed denial of service attack. It can be mitigated by analysing and filtering the traffic in scrubbing centres. Scrubbing centres are centralized data-cleansing stations wherein the traffic to a website is analysed and the malicious traffic is removed.

  1. What is a WAF and what are its types? TIP: This topic is usually not asked in detail.

WAF stands for web application firewall. It protects the application by filtering malicious traffic out of legitimate traffic. A WAF can be either a box type (appliance) or cloud based.

  1. Explain the objects of Basic web architecture? TIP: Different organisations follow different models and networks. BE GENERIC.

A basic web architecture should contain a front-end server, a web application server and a database server.

5- How would traceroute help you find out where a breakdown in communication is? Tracert or traceroute, depending on the operating system, allows you to see exactly what routers you touch as you move along the chain of connections to your final destination. If you end up with a problem where you can't connect or can't ping your final destination, a tracert can help in that regard, as you can tell exactly where the chain of connections stops. With this information, you can contact the correct people – whether it be your own firewall, your ISP, your destination's ISP or somewhere in the middle.

8- What is SSL and why is it not enough when it comes to encryption? SSL is identity verification, not hard data encryption. It is designed to be able to prove that the person you are talking to on the other end is who they say they are. SSL and its big brother TLS are both used by almost everyone online, but because of this it is a huge target and is mainly attacked via its implementation (the Heartbleed bug, for example) and its known methodology. As a result, SSL can be stripped in certain circumstances, so additional protections for data-in-transit and data-at-rest are very good ideas.

9- How would you find out what a POST code means? POST is one of the best tools available when a system will not boot. Normally through the use of either display LEDs in more modern systems, or traditionally through audio tones, these specific codes can tell you what the system doesn’t like about its current setup. Because of how rare these events can be, unless you are on a tech bench day in and day out, reference materials such as the Motherboard manual and your search engine of choice can be tremendous assets. Just remember to make sure that everything is seated correctly, you have at least the minimum required components to boot, and most importantly that you have all of your connections on the correct pins.

10- What is the difference between a Black Hat and a White Hat? This particular question can lead into a major philosophical debate about freedom of information, and if something is implemented in a deliberately broken way it isn't actually breaking into it, etc. The one I've heard the most is the classic Jedi example – same tools, different ideologies. Personally, with the people I know that have worked on both sides of the line it comes down to this – the difference between a Black Hat and a White Hat is who is signing the check.

14- What are salted hashes? Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a hashed value for that password, create a new random salt value, and then store that combined value in its database. This helps defend against dictionary attacks and known hash attacks. For example, if a user uses the same password on two different systems, if they used the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems uses salt with its hashes, the values will be different.
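The salt example from the answer above in code (added here, not from the original page): an unsalted SHA-256 digest of the same password is identical on every system, whereas a PBKDF2 record with a fresh random salt differs on every system even for the same password. The iteration count is an assumed work factor; the record layout is a constructed one.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000     # assumed work factor; tune to your servers


def unsalted_hash(password: str) -> str:
    """What the answer warns about: the same password always yields the same
    digest, on every system using this algorithm, so one leaked table helps
    crack the next."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Stored record: algorithm, iterations, random salt and derived key, so the
    verifier can recompute it. A fresh salt is drawn for every new password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_systems(password: str, iterations: int = ITERATIONS):
    """(unsalted digests equal, salted records equal) for one password stored
    independently by two systems: expected (True, False)."""
    return (unsalted_hash(password) == unsalted_hash(password),
            hash_password(password, iterations=iterations) == hash_password(password, iterations=iterations))
```

The salt is stored in the clear next to the hash; it is not a secret, its job is only to make every stored value unique so precomputed tables and cross-system hash matching stop working. The iteration count is what makes each guess expensive.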

16- What are the three ways to authenticate a person? Something they know (password), something they have (token), and something they are (biometrics). Two-factor authentication often uses a password and token setup, although in some cases this can be a PIN and thumbprint.

  1. What is the Three-way handshake? How can it be used to create a DOS attack? The three-way handshake is a cornerstone of the TCP suite: SYN, SYN/ACK, ACK. SYN is the outgoing connection request from client to server. ACK is the acknowledgement of the server back to the client, saying that yes I hear you, let's open a connection. SYN/ACK is the final connection, and allows the two to speak. The problem is that this can be used as a very basic type of Denial of Service Attack. The client opens up the SYN connection, the server responds with the SYN/ACK, but then the client sends another SYN. The server treats this as a new connection request and keeps the previous connection open. As this is repeated over and over many times very quickly, the server quickly becomes saturated with a huge number of connection requests, eventually overloading its ability to connect to legitimate users.

  2. What is the difference between UDP and TCP? Both are protocols for sending packets of information over the internet and are built on top of the internet protocol. TCP stands for transmission control protocol and is more commonly used. It numbers the packets it sends to guarantee that the recipient receives them. UDP stands for user datagram protocol. While it operates similarly to TCP, it does not use TCP's error-checking abilities, which speeds up the process but makes it less reliable.

  3. What is a traceroute? A traceroute, or tracert, can help you see where a breakdown of communications occurred. It shows what routers you touch as you move along to your final destination. If there is somewhere you cannot connect, you can see where it happened.
