Foreword
Many readers are job-hopping or job hunting right now. This article summarizes common security job interview questions for your review. I wish you all success in your careers and wealth, and may you go further and further on the road of network security!
Note: all the materials have been compiled into a PDF, and the interview questions and answers will be updated continuously, because no single list can cover every interview question.
Main text
- Methods to expose a PHP site's absolute path?
A single quotation mark causes a database error
Accessing a wrong parameter or a wrong path
Probe files such as phpinfo
Scanning for undeleted development and test files
Google hacking
phpMyAdmin error path: /phpmyadmin/libraries/lect_lang.lib.php
Using vulnerabilities to read configuration files and find the path
Abusing website functions, such as a local image reading function given a non-existent image, or an upload point given a file that cannot be processed normally
- What are your commonly used penetration tools, and which one do you use most?
Burp Suite, nmap, sqlmap, AWVS, AntSword (蚁剑), Behinder (冰蝎), dirsearch, Yujian (御剑), etc.
- How can blind XSS be used against an intranet server?
Phishing the administrator
Information collection
- Spear phishing and watering hole attacks?
Spear phishing: a Trojan program is sent to the target computer as an email attachment, and the victim is induced to open the attachment and become infected
Watering hole attack: analyze the target's online activity, find weaknesses in the websites the target visits frequently, compromise such a website, implant a malicious program, and wait for the target to visit
- What is a virtual machine escape?
Exploiting vulnerabilities in the virtualization software, or in software running inside the virtual machine, in order to attack or take control of the host operating system
- Man-in-the-middle attack?
Principle:
On the same LAN, intercept normal network communication and tamper with or sniff the data
Defense:
Statically bind the gateway's MAC and IP addresses on the host
Bind the host's MAC and IP addresses on the gateway
Use an ARP firewall
- TCP three-way handshake process?
First handshake: when establishing the connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server to confirm
Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ack=j+1) while also sending its own SYN (syn=k), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state
Third handshake: the client receives the server's SYN+ACK and sends an ACK packet (ack=k+1) to the server; once it is sent, client and server enter the ESTABLISHED state and the three-way handshake is complete
- Seven-layer model?
Application layer, presentation layer, session layer, transport layer, network layer, data link layer, physical layer
- Understanding of cloud security
It integrates emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior: a large mesh of clients monitors abnormal software behavior in the network, obtains the latest information on Trojans and malicious programs on the Internet and sends it to the server for automatic analysis and processing, and the virus and Trojan solutions are then distributed to every client
- Know about WebSockets?
WebSocket is a protocol for full-duplex communication over a single TCP connection. Its biggest feature is that the server can actively push information to the client, and the client can also actively send information to the server; it is a true two-way dialogue between equals.
- What is DDoS? What is a CC attack? What is the difference?
DDoS:
Distributed denial of service attack: seemingly reasonable service requests are used to occupy too many service resources, so that legitimate users cannot get a response
Main methods:
SYN Flood
UDP Flood
ICMP Flood
Connection Flood
HTTP GET
UDP DNS Query Flood
CC attack:
Simulates many normal users continuously visiting pages that require heavy data processing, such as forums, wasting server resources: CPU at 100% for a long time and network congestion
The difference between the two:
CC attacks web pages, DDoS attacks servers and is harder to defend against
CC has a lower threshold, DDoS requires a large number of servers
CC lasts a long time, DDoS has a greater impact
- What is a LAND attack?
A LAN denial-of-service attack, a type of DDoS attack: carefully constructed spoofed packets with the same source and destination address are sent, paralyzing a target device that lacks the corresponding protection mechanism
- How will you conduct information gathering?
Server information: IP, middleware, operating system, domain name whois, IP whois, network segment ownership, subdomain detection, website directory scanning, interface information scanning, port scanning, and relevant information from the major search engines
- What is a CRLF injection attack?
Injecting "carriage return" and "line feed" characters into the HTTP stream to achieve website defacement, cross-site scripting, hijacking, etc.
- How to prevent XSS, from the front-end and back-end angles?
Front-end:
Filter special characters in user input and escape them to HTML entities
Encode user output
Back-end:
Entity encoding
Function-based filtering
Limit character length
- How to protect the security of a port?
Use WAF, IDS, IPS and other equipment
Forbid external access to dangerous service ports, or restrict access by IP
Regularly update the versions of running services
- Webshell detection ideas?
Static detection: match signatures, feature values and dangerous functions
Dynamic detection: WAF, IDS and other devices
Log detection: filter by IP access patterns and page access patterns
File integrity monitoring
- I found an IIS website; how do I test it for vulnerabilities? (depends on the version)
https://mp.weixin.qq.com/s/5XV984kErF2Zhh-P5aoUwQ
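As an added example of the static-detection approach from the webshell question above (this code is not from the original article): a small Python scanner that matches dangerous PHP functions, decoding helpers and attacker-controlled input sources, and scores each file. The indicator lists and the constructed PHP samples are assumptions.

```python
import re
from pathlib import Path

# Dangerous PHP functions and markers commonly matched by static webshell
# scanners (illustrative list, not exhaustive).
DANGEROUS_FUNCS = ("eval", "assert", "system", "exec", "shell_exec",
                   "passthru", "popen", "proc_open")
OBFUSCATION = ("base64_decode", "gzinflate", "str_rot13", "gzuncompress")
# Superglobals that carry attacker-controlled input.
INPUT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

FUNC_RE = re.compile(r"\b(%s)\s*\(" % "|".join(DANGEROUS_FUNCS), re.IGNORECASE)
OBF_RE = re.compile(r"\b(%s)\s*\(" % "|".join(OBFUSCATION), re.IGNORECASE)
# Variable function calls such as $f($cmd) or $_GET['a']($_GET['b']).
VARFUNC_RE = re.compile(r"\$\w+(\[[^\]]*\])?\s*\(")


def scan_php_source(src: str) -> dict:
    """Return the matched indicators and a simple risk score for one PHP source."""
    hits = {
        "dangerous_funcs": sorted({m.group(1).lower() for m in FUNC_RE.finditer(src)}),
        "obfuscation": sorted({m.group(1).lower() for m in OBF_RE.finditer(src)}),
        "input_sources": sorted(s for s in INPUT_SOURCES if s in src),
        "variable_function_call": bool(VARFUNC_RE.search(src)),
    }
    score = len(hits["dangerous_funcs"]) * 2 + len(hits["obfuscation"]) * 2
    # Attacker input next to a dangerous or variable call is the classic one-liner pattern.
    if hits["input_sources"] and (hits["dangerous_funcs"] or hits["variable_function_call"]):
        score += 5
    hits["score"] = score
    hits["suspicious"] = score >= 5
    return hits


def scan_directory(root: str):
    """Scan every .php file under root; yields (path, result) for suspicious files."""
    for path in Path(root).rglob("*.php"):
        result = scan_php_source(path.read_text(errors="ignore"))
        if result["suspicious"]:
            yield str(path), result


# Constructed samples: a minimal one-line webshell, an obfuscated variant and a benign script.
ONE_LINER = "<?php @eval($_POST['pass']); ?>"
OBFUSCATED = "<?php $f = base64_decode('c3lzdGVt'); $f($_GET['c']); ?>"
BENIGN = "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>"

if __name__ == "__main__":
    for name, src in (("one-liner", ONE_LINER), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, scan_php_source(src))
```

Signature matching alone is easy to evade, which is why the answer above pairs it with dynamic detection, log analysis and file integrity monitoring.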
- What is GPC? How to bypass it when it is on?
GPC:
The magic_quotes_gpc setting in the php.ini configuration file adds a backslash \ before single quotes, double quotes, backslashes and NULL characters passed in via GET, POST and cookies
Bypass:
PHP5's GPC ignores $_SERVER, so injection is possible in HTTP request headers
Second-order injection
Wide-byte injection
- What are the commonly used encryption algorithms on the web?
One-way hashes: MD5, SHA, MAC
Symmetric encryption: AES, DES
Asymmetric encryption: RSA, RSA2
- What else can XSS do besides stealing cookies?
Get the administrator's IP
XSS worm
Phishing attack
Front-end JS mining
Keylogging
Screen capture
- Carrier (or other) network hijacking
Carrier hijacking: advertisement injection
DNS hijacking: tampering with DNS and hijacking the network by various means
- What is DNS spoofing?
A deceptive behavior in which an attacker pretends to be a domain name server
- Buffer overflow principle and defenses
Principle:
When more data is written into a buffer than its maximum capacity, a buffer overflow occurs; the overflowed data can be exploited by hackers, forming a remote code execution vulnerability.
Defenses:
OS-based defenses
Buffer bounds checking
Secure programming
- Emergency response to network security incidents
Network disconnection: when conditions permit, disconnect the network first to prevent the hacker from taking further actions or deleting traces
Forensics: find the hacker's IP by analyzing login logs, website logs and service logs, and check what operations the hacker performed
Backup: back up the server files and compare the documents before and after the intrusion for changes
Vulnerability detection: find the business weaknesses through the steps above and repair the vulnerabilities
Antivirus: clear the backdoors, webshells and management accounts left by the hacker
Source tracing: through the hacker's IP addresses, intrusion methods, etc.
Records: archiving and prevention
- Internal security
Real-name network access; important network segments isolated; access to any USB device prohibited
WiFi disabled; IP and MAC address binding
Deploy network monitoring, IDS and IPS equipment
Regular training to improve employees' security awareness
- Before a business goes online, how do you test it, and from which angles?
Security testing: looking for product vulnerabilities, page vulnerabilities, service vulnerabilities, sensitive information leakage, logic vulnerabilities, weak passwords
Performance testing: stress testing
Functional integrity testing
- The application has a vulnerability, but it cannot be repaired or disabled; what should you do?
Restrict access with an IP whitelist
Use WAF, IDS and firewall devices
- How to protect against CSRF?
Verify the HTTP Referer field
Add a token field and verify it
Add a custom field and verify it
- File upload bypass methods?
WAF bypass:
Modify the upload form fields
Change the case of form fields
Add or remove spaces in form fields
Splice strings into form fields
Construct a double-file upload form and upload two files at once
Encoding bypass
Junk data padding bypass
File name case bypass
Server-side detection bypass:
MIME type bypass
Front-end JS detection: capture the packet and modify it
Blacklist bypass: php3, asa, ashx, Windows features (test.asp_, stream features), Apache parsing vulnerability
Image content detection: bypass with an image Trojan; .htaccess bypass
Whitelist detection bypass:
Truncation upload bypass
IIS 6/7/7.5 parsing vulnerabilities, old nginx version parsing vulnerability
File inclusion bypass
- Verification code related exploitation points
Verification code reuse
Verification code recognizable
Verification code invalid
Verification code DDoS
- What do you test in cookies?
SQL injection
XSS
Permission bypass
Sensitive information disclosure
- Name a few types of business logic vulnerabilities?
Arbitrary user password reset
SMS bombing
Order amount modification
Forgot-password bypass
Malicious ticket grabbing
Verification code reuse
- Describe the file inclusion vulnerability
When file inclusion functions such as include() and require() are called, the file name and path are not strictly restricted
- Give examples of business logic vulnerabilities and arbitrary user password resets; what factors cause them?
An ordinary user resets the administrative user's password
- During a penetration test, I found a function that only accepts zip file uploads. What are the possible ideas?
Compress a shell and upload it; the program self-extracts it to get a shell
Try a parsing vulnerability to get a shell
Look for a file inclusion vulnerability
Trojan phishing against the administrator
- Why do aspx Trojans have greater privileges than asp?
aspx uses .NET technology, which IIS does not support by default; ASPX relies on the .NET Framework, while ASP is just a scripting language.
During an intrusion, an asp Trojan generally has guest privileges, while an aspx Trojan generally has user privileges.
- What are some ideas when there is only one login page?
SQL injection, universal password, brute-force cracking
Permission bypass
Directory scanning
Sensitive information leakage
- Which request headers can be harmful?
Cookie injection
User-Agent injection
X-Forwarded-For injection
Referer injection
- Talk about the difference between horizontal and vertical unauthorized access?
Horizontal privilege escalation: an ordinary user accesses another ordinary user's resources without authorization
Vertical privilege escalation: an ordinary user accesses administrative users' functions without authorization
- What is XSS? The hazards and principle of stored XSS
Stored, reflected and DOM-based
Stored XSS means the application receives untrusted data through a web request and stores it in the database without checking whether the data contains XSS code.
Hazards of stored XSS:
Stealing user cookies
XSS phishing attack
XSS worm attack
Keylogging
Obtaining user information
Taking screenshots
- The host is suspected of being compromised; where do you check the logs?
System login log
Service access log
Website log
Database log
- Commonly used Python standard libraries
Regular expressions: re
Time: time
Random numbers: random
Operating system interface: os
Scientific computing: math
Network requests: urllib
HTTP library: requests
Crawler library: Scrapy
Multithreading: threading
- The difference between reverse_tcp and bind_tcp?
reverse_tcp: the attacking machine sets a port and IP, and the payload executed on the test machine connects to that port on the attacking machine's IP; if the attacking machine is listening on that port, it will find that the test machine has already connected. In plain terms, the controlled machine actively connects to us.
bind_tcp: a port (LPORT) is set, and the payload opens that port on the test machine so that the attacking machine can connect to it. In plain terms, we actively connect to the controlled machine. reverse_tcp is the one normally used; it is safer and generally will not be discovered by the firewall.
- What might go wrong during the OAuth authentication process, leading to what kind of vulnerabilities?
CSRF
redirect_uri verification is not strict
Wrong parameter passing
- How to obtain the real IP of a website behind a CDN?
Global ping
Query historical resolution records
Probe files such as phpinfo, etc.
Use a command to connect back to our server, or use DNSLog
Look for the website configuration
Scan the entire network, matching the page title
Through second-level domain names
- How to achieve cross-domain access?
JSONP
CORS (cross-origin resource sharing)
Proxying the cross-domain request
HTML5 postMessage method
Modifying document.domain for cross-subdomain access
HTML5 WebSocket protocol
document.xxx + iframe
- What is the difference between JSONP cross-domain and CORS cross-domain?
JSONP has better browser support; CORS does not support IE9 and below. JSONP only supports GET; CORS supports all types of HTTP requests. JSONP sends only one request; for complex requests CORS sends two.
- Algorithms? What sorts do you know?
Bubble sort
Selection sort
Insertion sort
- SSRF exploitation?
Local file reading
Service detection, port scanning
Attacking intranet Redis, MySQL, FastCGI and other services
Protocols used: http/s, file, gopher, tftp, dict, ssh, telnet
- Common backdoor methods?
Windows:
Registry autorun
Shift backdoor
Remote control software
Webshell
Adding an administrative user; shadow user
Scheduled task
DLL hijacking
Registry hijacking
MBR backdoor
WMI backdoor
Administrator password recording
Linux:
SSH backdoor
SUID backdoor
Crontab scheduled task
PAM backdoor
Adding an administrator account
Rootkit
- How to bypass open_basedir directory access restrictions?
Use a command execution function to bypass it
Use the symlink() function to bypass it
glob pseudo-protocol bypass
- Problem-prone points in PHP code audit?
Any form of parameter concatenation may cause SQL injection (a cliché)
Global variable registration causes variable overwriting
Unfiltered fwrite parameters cause code execution
Background functions accessible because permission verification was omitted
unserialize deserialization vulnerability
Arbitrary file upload on an interface
- In red vs blue confrontations, in what scenarios and ways does the blue team counter the red team?
Phishing, honeypots, AntSword RCE
- Linux scheduled tasks: what would hackers do to hide their scheduled tasks?
Temporary tasks: the at and batch commands
- What are the common getshell methods for unauthorized Redis access?
Writing a shell into the web absolute path
Writing an SSH public key to obtain server access
Master-slave replication getshell
- Attack methods against JWT? (header, payload, signature)
Setting the signing algorithm to none to bypass identity verification
Brute-forcing weak keys; the kid parameter: arbitrary file reading, SQL injection, command injection
Unverified signature: re-encode the content
- Vulnerabilities in Java middleware, give a few examples?
JBoss deserialization
WebLogic deserialization
Tomcat arbitrary file writing; weak password + backend getshell
- What vulnerabilities can DNS out-of-band exfiltration (DNSLog) be used for?
Blind SQL injection
Command execution without echo
Blind XXE
Blind SSRF
- HttpOnly prohibits JS from reading cookie information; how do you bypass this to get the cookie?
Hijack the login page and phish for it
- Summary of middleware vulnerabilities?
Only commonly used vulnerabilities are listed here
IIS:
IIS 6.0 PUT vulnerability
IIS 6.0 remote code execution vulnerability
IIS 6.0 parsing vulnerability
IIS .NET short file name vulnerability
IIS 7.0/7.5 parsing vulnerability
Apache:
Unknown extension parsing vulnerability
Parsing vulnerabilities and directory traversal caused by configuration errors
Nginx:
Parsing vulnerabilities and directory traversal caused by configuration errors
Tomcat:
Arbitrary code execution and arbitrary file writing vulnerabilities caused by configuration errors
Weak password + war package deployment via the management backend (manager/html) to getshell
Brute-forcing weak passwords on the management backend
JBoss:
5.x/6.x deserialization vulnerability (CVE-2017-12149)
JMXInvokerServlet deserialization
EJBInvokerServlet deserialization
JMX Console unauthorized access
Weak password + war package deployment via the management backend to getshell
WebLogic:
XMLDecoder deserialization vulnerability (CVE-2017-10271 & CVE-2017-3506)
wls9_async_response, wls-wsat deserialization remote code execution vulnerability (CVE-2019-2725)
WLS core components deserialization command execution vulnerability (CVE-2018-2628)
Weak password + war package deployment via the management backend to getshell
- Talk about ideas for privilege escalation on Windows and Linux systems?
Windows:
Database privilege escalation: MySQL, SQL Server
Third-party software privilege escalation: Serv-U, DLL hijacking
System kernel overflow privilege escalation: the CVE series
Linux:
sudo privilege escalation
SUID privilege escalation
Redis privilege escalation, kernel privilege escalation
- What frameworks does Python have, and what vulnerabilities have appeared in them?
Django, Flask, Scrapy; Django arbitrary code execution
Flask template injection
- The difference between mini-program penetration and ordinary penetration
The penetration process is the same: it still captures packets and modifies parameters. The difference is that the mini-program package is downloaded locally, so you can decompile it with a reverse-engineering restoration tool.
- The four major components in vulnerability testing of the app itself
Activity component:
Activity bound to browsable and custom URL schemes
ActivityManager vulnerabilities
Service component:
Privilege escalation, denial of service attack
Broadcast Receiver component:
Improper permission management
BroadcastReceiver export vulnerability
Dynamically registered broadcast component exposure vulnerability
Content Provider component:
Read and write permission vulnerability
SQL injection in a Content Provider
Provider file directory traversal vulnerability
- IDS/IPS protection principle and bypass ideas
Principle:
An IDS works at the network layer and is deployed in bypass (out-of-band) mode; it finds attacks by capturing and analyzing network traffic. An IPS is generally also deployed in bypass mode at the network layer. It can be understood as an IDS with blocking capability, an upgraded IDS (an IDS that detects an attack can also notify a blocking device to perform the blocking action, the device-linkage mode), and it can cover both the network layer and the application layer
Bypass:
TCP fragmentation: split into two TCP packets
IP fragmentation: same principle as TCP fragmentation, but packet loss is serious
Program bugs/performance issues: sending a large number of invalid packets to exhaust the IPS's capacity
Forging TCP state: bypassing IPSes that rely on state tracking
IPv6 bypass: using IPv6 addresses to bypass
- Exploiting JSON CSRF
Use XMLHttpRequest or fetch to construct a JSON request, and use Flash's cross-domain behavior and 307 redirects to bypass restrictions on custom HTTP headers
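An added example (not from the original article) of the CSRF defenses listed earlier, Referer/Origin verification and a session-bound token, applied to the JSON endpoint case above: since custom-header restrictions can be bypassed as described, the token check is the part that still holds. The site origin, header names and sample requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed per-process key; a real deployment keeps a persistent server secret.
SECRET_KEY = secrets.token_bytes(32)
# Hypothetical origin of the site whose state-changing endpoints we protect.
TRUSTED_ORIGINS = {"https://app.example.com"}

def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(session_id:nonce): only valid for the session it was issued to."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def source_allowed(headers: dict) -> bool:
    """Referer/Origin check: a missing or foreign source is rejected for state-changing requests."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS

def accept_state_change(request: dict, session_id: str) -> bool:
    """Gate for a JSON endpoint: method, media type, source and token must all pass."""
    headers = request["headers"]
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False
    # A plain cross-site HTML form cannot send application/json, which stops the simple case;
    # because header restrictions can be bypassed, the token below is the check that still holds.
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return False
    if not source_allowed(headers):
        return False
    return verify_csrf_token(session_id, headers.get("X-CSRF-Token", ""))

# Constructed requests, not captured traffic.
VICTIM_SESSION = "sess-victim"

def legitimate_request() -> dict:
    return {"method": "POST", "headers": {
        "Origin": "https://app.example.com", "Content-Type": "application/json",
        "X-CSRF-Token": issue_csrf_token(VICTIM_SESSION)}}

def forged_form_request() -> dict:
    # Cross-site HTML form: foreign origin, text/plain body, no token.
    return {"method": "POST", "headers": {"Origin": "https://evil.example", "Content-Type": "text/plain"}}

def forged_request_with_other_sessions_token() -> dict:
    # Every header looks right, but the token was issued to a different session.
    return {"method": "POST", "headers": {
        "Origin": "https://app.example.com", "Content-Type": "application/json",
        "X-CSRF-Token": issue_csrf_token("sess-attacker")}}
```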
- What vulnerabilities can be detected in JSON-format packets?
CSRF, JSON hijacking, XSS
- Briefly describe the principle and exploitation of XXE vulnerabilities
Principle:
XML external entity injection: when the application parses XML input and external entities are allowed to be referenced, malicious content can be constructed, producing the vulnerability
Exploitation:
DTD (Document Type Definition)
DTD internal declaration: <!DOCTYPE root-element [element declarations]>
DTD external reference: <!DOCTYPE root-element SYSTEM "URI of external DTD">
Public DTD reference: <!DOCTYPE root-element PUBLIC "DTD public identifier" "URI of public DTD">
ENTITY:
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY x "First Param!"> <!ENTITY y "Second Param!"> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <root><x>&x;</x><y>&y;</y><xxe>&xxe;</xxe></root>
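As an added example on the defender's side (not from the original article): parsing the payload above with Python's standard expat parser while refusing any DOCTYPE, so that neither the internal entity declarations nor the external file:///etc/passwd entity is ever processed. The flat document-to-dict output and the sample documents are assumptions.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document carries a DTD, the only place entities can be declared."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text}, refusing any DOCTYPE before it is processed."""
    parser = expat.ParserCreate()
    # Never read parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {}
    open_tags = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any <!ENTITY ...> inside it is seen.
        raise UnsafeXml(f"DOCTYPE for root <{name}> rejected")

    def external_entity(context, base, system_id, public_id):
        # Belt and braces: returning 0 makes expat treat the reference as failed,
        # so a SYSTEM entity such as file:///etc/passwd is never opened.
        return 0

    def start_element(name, attrs):
        open_tags.append(name)
        result.setdefault(name, "")

    def end_element(name):
        open_tags.pop()

    def char_data(text):
        if open_tags:
            result[open_tags[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return result


def rejects_dtd(data: bytes) -> bool:
    """True if the parser refused the document because of a DOCTYPE."""
    try:
        parse_without_dtd(data)
    except UnsafeXml:
        return True
    return False


# Constructed inputs: a harmless document and the payload quoted in the answer above.
BENIGN = b"<root><x>First Param!</x><y>Second Param!</y></root>"
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="utf-8"?>'
               b'<!DOCTYPE root [ <!ENTITY x "First Param!"> <!ENTITY y "Second Param!">'
               b' <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
               b'<root><x>&x;</x><y>&y;</y><xxe>&xxe;</xxe></root>')
```

Rejecting the DTD outright also removes the entity-expansion (billion laughs) variants, since those too need entity declarations.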
- Intranet server: how do you collect information?
Collect with scripts: port information, service information
Collect with system commands: a user in the domain can use domain commands to collect domain information, e.g. net group "domain users" /domain
Scan the whole segment with port scanning tools
Local machine information collection: management passwords, login logs to see the administrator's IP, service password collection, network segment information, history records
Intranet DNS zone transfer vulnerability
- If a machine at the boundary of the intranet is taken down, how do you detect the other machines on the intranet?
First, use a proxy (reg, EW, etc.) to get into the intranet.
Second, collect information on the local machine, including administrator IPs, port services, account passwords, routing information, network segment information, etc.
Third, expand penetration to the collected network segments using commonly used services: SMB, MySQL, SQL Server, FTP, Telnet, etc.
Scan with lightweight scripts or scanners, but generally do not do this: too much activity is easily noticed by administrators
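An added example (not part of the original article) of the administrator's side of the last point: a detector over constructed flow-log lines that flags one internal source reaching many hosts, or several of the services named above (SMB, MySQL, SQL Server, FTP, Telnet), within a short window. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines in a syslog-like form; not from any real device.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.5.23 dst=10.0.5.10 dport=445 action=allow
2024-01-01T10:00:01 src=10.0.5.23 dst=10.0.5.11 dport=445 action=deny
2024-01-01T10:00:02 src=10.0.5.23 dst=10.0.5.12 dport=445 action=deny
2024-01-01T10:00:02 src=10.0.5.23 dst=10.0.5.13 dport=445 action=deny
2024-01-01T10:00:03 src=10.0.5.23 dst=10.0.5.14 dport=445 action=deny
2024-01-01T10:00:03 src=10.0.5.23 dst=10.0.5.15 dport=445 action=allow
2024-01-01T10:00:05 src=10.0.5.23 dst=10.0.5.10 dport=3306 action=allow
2024-01-01T10:00:06 src=10.0.5.23 dst=10.0.5.10 dport=1433 action=deny
2024-01-01T10:00:10 src=10.0.5.40 dst=10.0.5.10 dport=445 action=allow
2024-01-01T10:05:00 src=10.0.5.40 dst=10.0.5.12 dport=3306 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")
# The services the answer above names as the usual lateral-movement targets.
LATERAL_PORTS = {445: "SMB", 3306: "MySQL", 1433: "SQL Server", 21: "FTP", 23: "Telnet"}


def parse_lines(text: str) -> list:
    """Turn log lines into events; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def detect_internal_scanners(events, window=timedelta(seconds=60), host_threshold=5, port_threshold=3):
    """Flag a source that reaches many distinct hosts, or several lateral-movement services, within one window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            # Every event from this source within `window` of the i-th one.
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["dst"] for e in in_window}
            services = {LATERAL_PORTS[e["dport"]] for e in in_window if e["dport"] in LATERAL_PORTS}
            if len(hosts) >= host_threshold or len(services) >= port_threshold:
                prev = alerts.get(src)
                if prev is None or len(hosts) > prev["hosts"]:
                    alerts[src] = {"hosts": len(hosts), "services": sorted(services),
                                   "first_seen": first["ts"].isoformat()}
    return alerts


if __name__ == "__main__":
    for src, info in detect_internal_scanners(parse_lines(SAMPLE_LOG)).items():
        print(f"possible internal scan from {src}: {info}")
```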
If you need the PDF interview document, leave a comment and I will send it to you one by one