Collected network security interview questions - Party A (enterprise-side) category (with answer analysis)

The following is a summary of, and reflection on, some of the currently popular Party A (enterprise-side) interview and written-test questions (partly management and operations), in the hope of helping those of you preparing for a Party A interview;

May we overcome obstacles and enjoy every scenery along the way

1. Briefly describe the related vulnerabilities of current mainstream programming languages

Answer: The idea behind this question is to talk about the vulnerabilities of today's mainstream languages. You can approach it from two angles:

the well-known vulnerabilities of Java, Python and PHP (PHP has the most);
the frameworks you know, such as the Apache Foundation projects, phpMyAdmin, and the mainstream Python web stacks Jinja2 and Django;

Python vulnerabilities:

Injection: a new Django SQL injection in 2022. Even though Django uses parameterized queries and the ORM to prevent SQL injection, there is a path through dictionary injection: the 2022 CVE exploits the QuerySet.annotate(), aggregate() and extra() methods;
XML: parsing XML can lead to DoS attacks and XXE exploitation;
assert statement: do not use assert to keep users out of specific code paths. By default Python runs scripts with debug on, but in production it is common to run with optimizations (python -O), which skips assert statements entirely and falls straight through to the protected code, regardless of whether the user is_admin or not;
site-packages: forged copies of official libraries used for code injection and code forgery;
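The assert pitfall above is easy to see in working code. The following added example (not from the original post; the User class and the delete_account functions are hypothetical) compiles the same gate at optimization level 0 and at level 1, which is what `python -O` uses, and shows that the assert-based check vanishes while an explicit check survives:

```python
"""Added example: why an assert-based authorization check disappears under
python -O.  Not code from the original post; User and delete_account are
hypothetical names."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool = False


# The vulnerable pattern: the authorization gate is an assert statement.
VULNERABLE_SOURCE = '''
def delete_account(requester):
    assert requester.is_admin, "admins only"
    return "deleted"
'''

# The hardened pattern: an explicit check that is always executed.
HARDENED_SOURCE = '''
def delete_account(requester):
    if not requester.is_admin:
        raise PermissionError("admins only")
    return "deleted"
'''


def load(source: str, optimize: int):
    """Compile ``source`` at the given optimization level (optimize=0 keeps
    asserts; optimize=1 mirrors ``python -O`` and drops every assert) and
    return the resulting delete_account function."""
    namespace = {}
    exec(compile(source, "<gate>", "exec", optimize=optimize), namespace)
    return namespace["delete_account"]


def outcome(source: str, optimize: int, user: User) -> str:
    """Run the gate for ``user`` and report whether it allowed or refused."""
    try:
        return load(source, optimize)(user)
    except (AssertionError, PermissionError):
        return "refused"


if __name__ == "__main__":
    guest = User("guest")  # constructed non-admin user
    for label, src in (("assert gate", VULNERABLE_SOURCE), ("explicit check", HARDENED_SOURCE)):
        for opt in (0, 1):
            print(f"{label:14s} optimize={opt}: {outcome(src, opt, guest)}")
```

With optimization off both versions refuse the guest; with optimization on, only the explicit check still refuses, because the assert statement no longer exists in the compiled function.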

Java vulnerabilities:

Java is best known for deserialization vulnerabilities, which appear in common web containers such as WebLogic and JBoss;
Struts2 arbitrary code execution;
Log4j2 is also a very well-known vulnerability;
Shiro authentication bypass and remote code execution;

PHP vulnerabilities (there are plenty):

ThinkPHP remote code execution
PHP deserialization
ThinkPHP file inclusion
PHP unsafe functions: chroot, exec, one-line webshells, proc_open, etc.

2. How do you detect that a running system is under DDoS attack?

Answer: Background of the question:

First of all, most enterprises do not buy anti-DoS defense equipment, or only deploy simple DoS traffic defense devices, because once the enterprise actually suffers a DoS attack the anti-DDoS device at the Internet exit can no longer meet the demand: when traffic at the Internet edge peaks, the device simply hangs, its traffic is bypassed, and traffic scrubbing and DoS defense cannot be achieved;

There is no fully effective defense against this kind of attack. The best approach is to have traffic scrubbing and blackholing done at the carrier, which is far more effective; so the least troublesome and most effective way is to buy the carrier's traffic scrubbing service;

In fact a CDN is also a very effective way to absorb DoS attacks, and a low-cost one;

How to find out that the system is under attack?

First of all, a traffic monitoring or traffic auditing system can be deployed in the production network to monitor business traffic, track and observe normal business traffic and IP addresses, and build a baseline model of the business's own traffic. Set an upper limit on the traffic of intranet servers or each application system, with a corresponding warning threshold; if traffic exceeds it, consider whether a DoS attack is underway;

Using distributed multi-core hardware and deep packet inspection (DPI) to monitor and analyse network traffic, attack packets hidden in background traffic can be identified quickly, giving accurate traffic identification and scrubbing. Malicious traffic mainly means DoS/DDoS attack traffic: SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, HTTP GET Flood, CC attacks and other attack traffic.

Secondly, a Linux server keeps its own log records of CC and DoS attacks: dmesg and the messages log will contain Flood-related entries. These entries relate to the net.ipv4.tcp_max_syn_backlog parameter setting. Linux also has other parameters to defend against DoS attacks; the main idea is to control the number of connections:

net.ipv4.tcp_max_syn_backlog = 4096   # length of the SYN queue; a larger queue holds more half-open connections waiting to complete
net.ipv4.tcp_syncookies = 1           # enable SYN cookies: when the SYN queue overflows, cookies handle the backlog, which mitigates small SYN floods (0 = off, the default; 1 = on)
net.ipv4.tcp_synack_retries = 2       # these two lines set the number of SYN-ACK / SYN retries
net.ipv4.tcp_syn_retries = 2
# improve TCP connection capacity
net.ipv4.tcp_rmem = 32768             # receive buffer (note: this sysctl actually takes three values: min default max)
net.ipv4.tcp_wmem = 32768             # send buffer (likewise min default max)
net.ipv4.tcp_sack = 0                 # selective ACK: 0 disables it, 1 enables it

DDoS deflate is also an effective tool built on netstat and iptables. It uses netstat to monitor and track IP addresses that create a large number of connections; when it detects that a node exceeds the preset limit, the program blocks those IPs through APF or iptables;

Web servers such as Apache also keep records: the access log records every request;

In addition, check the resource usage of the relevant processes on the Linux server: use the top command to check the resource consumption of the monitored system processes and monitor overall system resource usage (this touches on host-monitoring techniques); or use netstat to check the current number of connections on the system:

netstat -npt | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It is also possible to capture network traffic directly for analysis; tcpdump and tshark can both capture traffic for this purpose;
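As an added example (not from the original post), the following Python script does the same per-remote-IP counting as the netstat/awk pipeline above, over constructed netstat output, and flags sources above a threshold; it goes slightly beyond the pipeline by splitting the port off from the right so IPv6 addresses are handled, and by optionally counting only connections in a given state (many SYN_RECV entries from one source is the SYN flood signature). The sample output and the threshold are constructed for illustration.

```python
"""Added example, not from the original post: per-remote-IP connection
counting over netstat -npt output, with a warning threshold."""
from collections import Counter

# Constructed sample in the format of ``netstat -npt`` (documentation
# address ranges only; no real hosts).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       SYN_RECV    -
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       SYN_RECV    -
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       SYN_RECV    -
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:6000      ESTABLISHED 1234/nginx
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:6001      SYN_RECV    -
"""


def remote_ip(foreign_address: str) -> str:
    """Strip the port from a 'host:port' column; rsplit keeps IPv6 intact
    (cut -d: -f1 in the shell pipeline would not)."""
    return foreign_address.rsplit(":", 1)[0]


def count_by_remote_ip(netstat_output: str, state: str = None) -> Counter:
    """Count connections per remote IP, like awk '{print $5}' | sort | uniq -c.
    If ``state`` is given (e.g. "SYN_RECV"), only rows in that state count."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the two header lines; data rows start with the protocol name.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if state is not None and fields[5] != state:
            continue
        counts[remote_ip(fields[4])] += 1
    return counts


def suspicious_sources(netstat_output: str, threshold: int, state: str = None) -> list:
    """Return (ip, count) pairs with more than ``threshold`` connections, busiest first."""
    counts = count_by_remote_ip(netstat_output, state)
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    # A real deployment would feed live output, e.g. subprocess.run(["netstat", "-npt"]).
    for ip, n in suspicious_sources(SAMPLE_NETSTAT, threshold=2, state="SYN_RECV"):
        print(f"WARNING: {n} half-open connections from {ip}")
```

The threshold belongs in the traffic baseline described above: pick it from the observed normal per-client connection count rather than a fixed number, and alert on exceedance rather than blocking automatically, since a NAT gateway can legitimately present many connections from one address.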

3. Briefly describe the encryption process of TLS (10 points)

Answer: First, be clear that TLS has gone from version 1.0 to 1.3, and the version in common use today is 1.2. In the OSI model TLS operates at the transport layer. SSL/TLS combines symmetric ciphers, message authentication codes, public-key cryptography, digital signatures, pseudo-random number generators and so on, and can be called a showcase of applied cryptography.

Handshake protocol:

The handshake protocol is responsible for negotiating the cryptographic algorithms and shared key between client and server, including certificate authentication; it is the most complex of the four protocols.

Change cipher spec protocol:

The change cipher spec protocol signals to the peer that the cipher method is about to change.

Alert protocol:

The alert protocol reports errors to the other party when they occur.

Application data protocol:

The application data protocol carries the application data over TLS to the peer.

TLS record protocol.

Principles of TLS encryption

  • TCP establishes a connection at both ends; on top of the TCP connection, TLS secures application-layer data through several additional handshake exchanges;
  • To keep data secure, messages must be encrypted at both ends so that a man-in-the-middle cannot read them.
  • TLS uses asymmetric encryption. The problem with this encryption method is that it is very time-consuming, and encrypting all transmitted data affects efficiency, which is critical;
  • The key exchange rules of TLS are:

The server generates an asymmetric key pair, keeps the private key and sends the public key to the client in plaintext; the client generates a symmetric key itself, encrypts it with the public key and sends the encrypted key to the server, which decrypts it with its own private key and so obtains the symmetric key chosen by the client. This key exchange still has a problem: the public key sent in plaintext may be tampered with, which is why digital certificates and CAs have to be introduced;

  • CA and digital certificates in TLS (be sure to cover this area in the answer):

A digital certificate is a file containing the name and public key of a service site; it is issued by a CA and proves the authenticity of the site.
The server applies to a CA for a digital certificate; but how does the CA itself earn trust? This is where root certificate authorities come in. There are only a few root CAs in the world, so a CA applies to a root CA. The whole CA trust chain is a step-by-step chain of certification, which is not described in detail here.

  • Cipher suites used by TLS (the same suite in its IANA and OpenSSL spellings):

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
DHE-DSS-AES256-SHA256
TLS_DHE_DSS_AES_256_CBC_SHA256

The detailed process is as follows:

  1. Step 1: the client generates random number 1 and sends it, together with the cryptographic algorithms it supports, in the TLS handshake for the server to choose from; the server stores random number 1 sent by the client;
  2. Step 2: the server settles the encryption algorithm with the client, generates random number 2 and sends it to the client in plaintext; the client saves random number 2;
  3. Step 3: the server sends its digital certificate (containing the public key, the signature and the server's subject information) to the client, and at the same time holds the private key matching that public key; after receiving it, the client verifies whether the certificate is valid and generates random number 3;
  4. Step 4: the client sends random number 3 encrypted with the public key; the server receives it and decrypts it with its stored private key;
  5. Step 5: now both server and client hold the three random numbers needed to generate the symmetric key (random numbers 1, 2 and 3); using the DH key generation algorithm (the ECDH variant is more popular now) they derive a symmetric key and use it to encrypt the data in transit.
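Step 5 is the part interviewers usually probe: how three random values become one shared key that never crosses the wire. The following is an added example, not from the original post, implementing the TLS 1.2 pseudo-random function (P_SHA256 from RFC 5246) and using it for the two derivations of step 5: the 48-byte master secret from the pre-master secret (random number 3) plus random numbers 1 and 2, and the key block for the record layer. The input values are constructed; in a real handshake random number 3 is the pre-master secret the client sent under the server's public key (or the DH/ECDH shared secret, which the text mentions as the alternative).

```python
"""Added example, not from the original post: TLS 1.2 PRF (RFC 5246) used to
derive the master secret and key block from the three handshake randoms."""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data-expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret from random 3 (pre-master) and randoms 1 and 2.
    Both peers compute this independently, so the key itself is never sent."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Expand the master secret into record-layer key material; note that the
    server random comes first in this seed, as the RFC specifies."""
    return prf(master, b"key expansion", server_random + client_random, length)


if __name__ == "__main__":
    r1, r2 = os.urandom(32), os.urandom(32)  # random 1 (client), random 2 (server)
    r3 = os.urandom(48)                       # random 3: pre-master secret
    ms = master_secret(r3, r1, r2)
    print("master secret:", ms.hex())
    # An AES-256-CBC-SHA256 suite like the one listed above needs
    # 2 MAC keys (32) + 2 cipher keys (32) + 2 IVs (16) = 160 bytes.
    print("key block:", key_block(ms, r1, r2, 160).hex()[:64], "...")
```

The security of the scheme rests on the pre-master secret (random number 3) staying confidential: randoms 1 and 2 travel in plaintext, so anyone who learns random number 3, for example by obtaining the server's private key, can re-run exactly this derivation. That is the weakness of RSA key transport that the DH/ECDH variant mentioned in step 5 removes, since the DH shared secret is never transmitted at all.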

4. How can the running efficiency of asymmetric encryption be improved? (10 points)

answer:

It can be done with a dedicated hardware encryption module. The algorithms used in asymmetric encryption involve big-number multiplication, factoring of large numbers and big-number modular arithmetic; in a computer addition and subtraction are cheap, while multiplication itself is expensive. Secondly, the algorithm needs space to store the keys and has its own algorithmic complexity, which also affects the running efficiency of asymmetric encryption;

Use quantum computing or elliptic-curve algorithms for encryption; elliptic-curve algorithms are built on geometry, so they are less costly than big-number multiplication, factoring and modular arithmetic;

5. Briefly describe what enterprise security operation is / how to build security operations within the enterprise (20 points + 20 points)

answer:

This question is really hard to nail: it requires strong systems knowledge and practical enterprise experience, and even some understanding of the enterprise's systems and organizational structure, so it is a big 20-point question; break the knowledge down;

What enterprise security operation is; the concept of security operation:

Security operation is defined as a centralized security management system that takes assets as the core and security event management as the key process, adopts the idea of dividing security domains, establishes a set of real-time asset risk models, and assists administrators with event analysis, risk analysis, early warning management and emergency response;

Security operation aims at the end-to-end security of the user's network and manages the whole operating process;

Security risk does not only refer to Internet technology and computer science; in security operation construction it covers the security of the enterprise's entire system, including compliance security (regulators, industry norms) and operational risk management (every risk in actual operation, e.g. the risk-control department in the financial industry, covering business, products and so on);

Security operation is essentially a complex systematic process combining technology, processes and people, including:

products, services, operation and maintenance, research and development, etc.; the data produced by existing security tools and security services is analysed effectively so that value is delivered continuously and security risks are resolved.

Its model: cooperate through a "service model", empower with "security capabilities", support decisions with "security data", deliver through "operational capabilities", and use the operating model to discover, verify, analyse and respond to problems, solve them and keep optimizing;

Problems in enterprise security operation:

The underlying security capabilities are immature, security goals are unclear, security operation tools depend on third-party vendors, no reasonable security system has taken shape, and security talent is not being selected;

The construction direction and general content of enterprise security operation:

Compliance construction and enterprise's own security system construction:

First of all, for any enterprise compliance and legality are the lifeline of survival, and this must be kept in mind. For the relevant security regulations, refer to the concepts and rules of GB/T or ISO standards, published e-government data and security standards, and guiding laws and regulations, which are all very valuable references for construction;

Carry out the graded protection (MLPS) and risk assessment process, compliance inspection and assessment guidance, and compliance rectification;

Clarify internal security management requirements, security technical standards and operating standards;

Enterprise organizational structure construction direction:

Clarify the current state and establish the organizational structure

The service system construction direction of security operation:

Carry out security baseline assessment and hardening:
network device security configuration baseline (ARP poisoning and other common attack methods)
security device security configuration baseline
operating system security configuration baseline
database and middleware security baseline
security configuration verification system and inspection script tools
operation and maintenance management and security audit

Security operation and maintenance management: control over identity, access and authority;

Roles and permissions RBAC model, etc.

Auditing and analysis of security audit logs: operation and maintenance produce network access logs, security O&M logs, operation logs, product operation logs and network traffic data; network attacks, or attacks not yet discovered, are hidden in these logs. Auditing and mining this information reveals the characteristic behaviour of the attacks;

Service Deliverables Audit

System online check

Security Incident Analysis

Offensive and defensive drills in key periods;

Security incident and situation monitoring, security incident emergency response
Expert emergency response, security incident detection, security incident suppression, security incident eradication, security incident recovery, security incident summary;

Internet Asset Discovery

Detection of compromised assets

Security Policy Optimization Service

Operation, security, operation and maintenance of security products

Real-time monitoring of external threats

Full Lifecycle Management of Vulnerabilities

Security checks during major periods

Notification of major security incidents

Security management service construction:

  • Management organization building:

In accordance with the Cybersecurity Law and other laws, regulations and security requirements, carry out the information security design of each business system and the construction of a security operation center; the construction of the organizational structure needs to pass review; clarify the security responsibility matrix;

  • Security system management:

Clarify the overall information security policy and security strategy, and explain the overall goals, scope, guidelines and principles of the organization's security work; improve the security management system; establish daily management and operating procedures and manuals; review the security system regularly; establish an information security leadership group and committee, with the information security team in charge, organizing the relevant personnel to draw up the information security management system;

  • Security Process Management:

Security incident handling process, security risk assessment process, security incident emergency response process, security incident tracing and evidence collection process, security equipment go-live process; change process; release process; personnel security management; security construction management: system grading, security plan design, security product procurement, in-house software development, outsourced software development, project implementation, test acceptance, system delivery, system filing, grade evaluation, security service provider selection;

  • Security Operation and Maintenance Management

Environment Management - Setting Management Area
Asset Management
Media Management
Device Management
Security Monitoring
System Security Management
Malicious Code Prevention
Supply Chain Security Management
Password Management
Change Management
Backup and Recovery Management
Security Incident Handling
Emergency Plan Management

  • Safety Training Management
  • Security Operations Management

Analyze the Cybersecurity Law and MLPS level 3, and gradually establish and improve the security management system, unifying the management of roles/permissions, the security system, risk, control execution, performance evaluation, threat evaluation, threat intelligence and work processes

  • Security Consulting Management

6. Briefly describe how to enhance enterprise data security (20 points)

(Due to space reasons, not fully displayed)

Note: the aim of this list is not to be exhaustive, since it cannot cover every interview question anyway; the hope is rather that you start from individual points, reach the broader picture, and find and fill the gaps.

TODO LIST

  • penetration testing
  • web security
  • PHP security
  • java security
  • Linux-related
  • Windows-related
  • Intranet penetration
  • Security R&D
  • Party A security operations

penetration testing

How to bypass a CDN to find the real IP? List five methods (★★★)

How to exploit Redis unauthorized access, and what are the prerequisites for exploiting it? (★★★)

What methods of MySQL privilege escalation are there? What are the conditions for each? (★)

Windows + MySQL with SQL injection, but the machine has no outbound network access: can it be exploited? (★)

What are the common methods of information gathering? Apart from common methods such as path scanning and sub-domain brute-forcing, are there any sneaky ways to collect enterprise information? (★★)

What is the difference between SRC bug hunting and penetration testing? Given these two different goals, how does the execution process differ? (★★)

How to exploit stored XSS in a pure intranet environment? (★★)

In MSSQL, assuming sa privileges, how to execute system commands without xp_cmdshell? (★★)

Assuming a website has a WAF, how to bypass it without considering a frontal bypass (discuss cloud WAF / physical WAF as appropriate)? (★)

PHP security

How to use the phar:// pseudo-protocol to trigger deserialization in PHP? What are the usage scenarios and prerequisites? (★★)

How to bypass the disable_functions restriction in php.ini? What methods are there, which has the highest success rate, and why? (★★★)

What is the principle of %00 truncation in file upload, and how did the PHP maintainers design the fix? (★★)

Implement a one-line webshell. What are the ways to bypass RASP, to bypass machine-learning detection, and to bypass AST-based detection? (★★)

What are the attack scenarios of PHP pseudo-protocols? (★★)

What are the attack surfaces of the mail function? (★)

How to construct a webshell without digits or letters? What is its principle, and what security problems do such features cause? (★)


Origin blog.csdn.net/yinjiyufei/article/details/130011190