Summary of the most comprehensive network security interview questions in history

Recently, many readers have asked:

  • How should I prepare for a technical interview if I want to find a job in cybersecurity?
  • I have worked for less than 2 years and want to change jobs to see opportunities. Are there any relevant interview questions?

In order to better help you get a high-paying job, today I will share with you a set of interview questions for network security engineers. I hope they can help you avoid detours and get offers faster in the interview!

How can a PHP application's absolute path be disclosed?

Single quotation marks cause database error messages
Access with wrong parameters or a wrong path
Probe files such as phpinfo
Scan for test files left undeleted during development
Google hacking
phpMyAdmin path disclosure: /phpmyadmin/libraries/lect_lang.lib.php
Use vulnerabilities to read configuration files and find paths
Abuse website functions, e.g. a local image-reading function asked for a non-existent image, or an upload point given a file that cannot be processed normally

What are your commonly used penetration tools, and which one is the most commonly used?

Burp, nmap, sqlmap, AWVS, AntSword, Behinder (ice scorpion), dirsearch, Yujian (imperial sword), etc.

Using blind XSS against an intranet server

Phish the administrator
Information collection

Spear phishing attacks and watering hole attacks?

Spear phishing: a Trojan program is sent as an email attachment to the target, inducing the victim to open the attachment and infect the machine
Watering hole attack: analyse the target's online activity, find weaknesses in the websites the target visits frequently, compromise such a website and implant malicious code, then wait for the target to visit

What is a virtual machine escape?

Exploit vulnerabilities in the virtual machine software, or in software running inside the virtual machine, to attack or take control of the host operating system

Man-in-the-middle attack?

principle:

Within the same local area network, intercept normal network communication and tamper with or sniff the data

defense:

Bind the MAC and IP address of the gateway on the host to be static
Bind the MAC and IP address of the host on the gateway
Use an ARP firewall

TCP three-way handshake process?

First handshake: to establish a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SEND state, waiting for the server to confirm.
Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ack=j+1) while sending its own SYN packet (syn=k), i.e. a SYN+ACK packet; the server now enters the SYN_RECV state.
Third handshake: the client receives the server's SYN+ACK packet and sends an ACK packet to the server (ack=k+1). Once this packet is sent, client and server enter the ESTABLISHED state and the three-way handshake is complete.

OSI seven-layer model?

Application layer, presentation layer, session layer, transport layer, network layer, data link layer, physical layer

Understanding of cloud security

It integrates emerging technologies and concepts such as parallel processing, grid computing and behaviour-based judgement of unknown viruses: a large mesh of clients monitors abnormal software behaviour in the network, obtains the latest information on Trojans and malicious programs on the Internet and sends it to the server for automatic analysis and processing; the resulting virus and Trojan solutions are then distributed to every client.

Know about websockets?

WebSocket is a protocol for full-duplex communication on a single TCP connection. The biggest feature is that the server can actively push information to the client, and the client can also actively send information to the server. It is a true two-way equal dialogue.

What is DDOS? What is a CC attack? What is the difference?

DDOS:

Distributed denial of service: floods the service with seemingly legitimate requests so that too many service resources are occupied and legitimate users cannot get a response
Main methods:
SYN Flood
UDP Flood
ICMP Flood
Connection Flood
HTTP Get
UDP DNS Query Flood

CC attack:

Simulates many normal users continuously visiting pages that require heavy data operations (e.g. forums), wasting server resources, keeping the CPU at 100% for a long time and congesting the network

The difference between the two:

CC attacks the web page, DDOS attacks the server, it is more difficult to defend against
the CC threshold is low, DDOS requires a large number of servers
CC lasts for a long time, and the impact of DDOS is great

What is a LAND attack?

A LAN denial-of-service attack, a type of DDOS attack, that sends carefully constructed spoofed packets whose source and destination addresses are the same, causing a target device lacking the corresponding protection mechanism to crash

How will you conduct information gathering?

Server information: IP, middleware, operating system
Domain name: whois, IP whois, network segment attribution, subdomain detection
Website directory scanning, interface information scanning
Port scanning
Relevant information from the major search engines

What is a CRLF injection attack?

Injects into HTTP streams via carriage return and line feed characters, leading to website tampering, cross-site scripting, hijacking, etc.
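The header-injection failure mode described above, as an added example that is not part of the original post: a redirect builder that copies a user-controlled value into a header line beside a hardened one that rejects CR/LF and percent-encodes the rest, with a small parser showing how many headers the client would actually see. All function names and the sample input are constructed for this illustration.

```python
import re
from urllib.parse import quote

# Any CR or LF inside a header value starts a new header line or ends the header block.
CRLF = re.compile(r"[\r\n]")


def build_redirect_unsafe(location):
    """Vulnerable builder: copies a user-controlled value straight into a header line."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode()


def header_value_is_safe(value):
    """Reject-on-input check: a header value must not contain CR or LF."""
    return CRLF.search(value) is None


def build_redirect_safe(location):
    """Hardened builder: refuse CR/LF outright, then percent-encode anything else
    that does not belong in a URL so the value cannot leave its header line."""
    if not header_value_is_safe(location):
        raise ValueError("CR/LF not allowed in header value")
    encoded = quote(location, safe="/:?=&%#@")
    return ("HTTP/1.1 302 Found\r\nLocation: " + encoded + "\r\n\r\n").encode()


def header_names(raw):
    """Parse the header block of a raw response and list the header names it
    contains; used to show which headers a client would actually receive."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode() for line in lines if b":" in line]


# Constructed input: a redirect target carrying an injected header line.
INJECTED = "/home\r\nSet-Cookie: injected=1"
```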

To prevent XSS, two angles at the front end and back end?

Front end:

Filter special characters in user input and escape them to HTML entities
Encode user output

Back end:

Entity encoding
Function filtering
Limit character length

How to protect the security of a port?

Use WAF, IDS, IPS and other devices
Forbid external access to dangerous service ports, or restrict access by IP
Regularly update service versions

Webshell detection idea?

Static detection: match feature codes, feature values, and dangerous functions
Dynamic detection: WAF, IDS and other devices
Log detection: filter by IP access rules and page access rules
File integrity monitoring
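The static detection idea above (matching dangerous functions and feature values) carried through in working code, as an added example that is not part of the original post. The rule names, scoring and the three PHP samples are constructed for this illustration; the third sample hides the function name in a string so that the plain dangerous-call rule misses it and a second heuristic is needed.

```python
import re

# Signature patterns a static webshell scanner matches (constructed here, not exhaustive).
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# A variable holding a function name, called directly on request data: $f($_POST[...])
VARIABLE_CALL = re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)


def scan_php(source):
    """Return (findings, verdict) for one PHP file; findings are (line, rule) pairs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        danger = DANGEROUS_CALL.search(line) is not None
        if danger:
            findings.append((lineno, "dangerous-call"))
        if danger and USER_INPUT.search(line):
            findings.append((lineno, "input-to-exec"))
        if DECODER.search(line):
            findings.append((lineno, "decoder"))
        if VARIABLE_CALL.search(line):
            findings.append((lineno, "variable-call-on-input"))
    rules = {rule for _, rule in findings}
    if "input-to-exec" in rules or "variable-call-on-input" in rules:
        verdict = "webshell"          # request data flows straight into execution
    elif "dangerous-call" in rules and "decoder" in rules:
        verdict = "suspicious"        # obfuscated payload next to an exec sink
    else:
        verdict = "clean"
    return findings, verdict


# Constructed samples: a harmless page, a one-line shell, and a shell that hides
# the function name in a string so the plain dangerous-call rule misses it.
BENIGN = "<?php\n$name = $_GET['name'];\necho htmlspecialchars($name);\n"
ONE_LINER = "<?php\n@eval($_POST['cmd']);\n"
DISGUISED = "<?php\n$f = 'sys' . 'tem';\n$f($_GET['c']);\n"
```

Static rules like these are cheap to run over a whole web root but are easily evaded by obfuscation, which is why the post pairs them with dynamic, log-based and file-integrity detection.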


What is GPC? How to bypass it when it is enabled?

GPC:

magic_quotes_gpc in the php.ini configuration file adds a backslash before single quotes, double quotes, backslashes and NULL characters passed in via GET, POST and cookies

Bypass:

PHP5's GPC ignores $_SERVER, so injection is possible through HTTP request headers
Secondary injection
Wide byte injection

What are the commonly used encryption algorithms for the web?

One-way hashes: MD5, SHA, MAC
Symmetric encryption: AES, DES
Asymmetric encryption: RSA, RSA2

What else can XSS do besides get cookies?

Get administrator ip
xss worm
Phishing attack
Front-end JS mining
Keylogging
Screen capture

Carrier (or other) network hijacking

Carrier hijacking: injected advertising
DNS hijacking: tampering with DNS to hijack network traffic by various means

What is DNS spoofing

Deception in which an attacker impersonates a DNS server

Buffer Overflow Principles and Defenses

principle:

When more data is written into a buffer than its maximum capacity, a buffer overflow occurs; attackers use the overflowed data to turn it into a remote code execution vulnerability.

defense:

OS-based defense
Buffer bounds checking
Secure programming

Emergency response to network security incidents

Network disconnection: when conditions permit, disconnect the network first to prevent the hacker from continuing operations or deleting traces
Forensics: find the hacker's IP by analysing login logs, website logs and service logs, and check what operations the hacker performed
Backup: back up server files and compare the files before and after the intrusion
Leak detection: find business weaknesses through the above steps and fix the vulnerabilities
Antivirus: remove backdoors, webshells and management accounts left by the hacker
Source tracing: through the hacker's IP addresses, intrusion methods, etc.
Records: archive the incident and take preventive measures

Internal Security

Real-name networking
Isolate important network segments
Prohibit access to any USB devices
Disable WiFi networks
IP and MAC address binding
Deploy network monitoring, IDS and IPS equipment
Regular training to improve employee security awareness

Before the business goes online, how to test and from which angles to test

Security testing: looking for product vulnerabilities, page vulnerabilities, service vulnerabilities, sensitive information leakage, logic vulnerabilities, weak passwords
Performance testing: stress testing
Functional integrity testing

The application has a vulnerability, but it cannot be patched or taken offline; what should you do?

Restrict IP whitelist access
Use WAF, IDS, firewall devices

How to protect against CSRF?

Verify HTTP Referer field
Add Token field and verify
Add custom field and verify
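The token and Referer checks listed above, carried through as an added example that is not part of the original post: a per-session CSRF token (timestamp plus HMAC over the session id), a constant-time verifier with expiry, and an Origin/Referer host check that must both pass before a state-changing request is processed. The secret, host name and function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Token = timestamp + HMAC over (session id, timestamp): bound to one session."""
    ts = int(time.time()) if now is None else now
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(session_id, token, now=None):
    """Recompute the MAC for this session and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:           # malformed token
        return False
    if ts > now or now - ts > TOKEN_TTL:
        return False
    return hmac.compare_digest(_mac(session_id, ts), sig)


def origin_allowed(headers, own_host):
    """Prefer Origin, fall back to Referer; reject when both are absent."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlparse(src).netloc == own_host


def accept_state_change(headers, form, session_id, own_host, now=None):
    """Both checks must pass before a state-changing request is processed."""
    return origin_allowed(headers, own_host) and verify_csrf_token(
        session_id, form.get("csrf_token", ""), now)
```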

File upload bypass method?

WAF bypass:

Modify upload form fields
Form field case replacement
Add or reduce form fields
Form field string splicing
Construct double file upload form, upload double files at the same time
Encoding bypass
Junk data filling bypass
File name case bypass

Server detection bypass:

MIME type bypass
Front-end JS detection: capture the request and modify it to bypass
Blacklist bypass: php3, asa, ashx, Windows features (test.asp_, stream features), Apache parsing vulnerabilities
Image content detection: bypass with a webshell embedded in an image; .htaccess bypass

Whitelist detection bypass:

Truncation bypass
IIS 6/7/7.5 parsing vulnerabilities, low-version nginx parsing vulnerability
File inclusion bypass

Exploitation points related to verification codes (captchas)

Verification code reuse
Verification code identifiable
Verification code invalid
Verification code DDOS

What do you test in cookies?

SQL injection
xss
permission bypass
sensitive information disclosure

Name a few types of business logic vulnerabilities?

Any user password reset
SMS bombing
Order amount modification
Forgot password bypass
Malicious ticket swiping
Verification code reuse

Describe the file inclusion vulnerability

It occurs when a file-including function such as include() or require() is called without strictly restricting the file name and path

What are some examples of business logic vulnerabilities such as arbitrary user password reset, and what causes them?

An ordinary user can reset the administrator's password

During a penetration test, I found a function that only allows zip uploads. What are the possible ideas?

Compress the shell and upload it; the program self-extracts it (getshell)
Try parsing vulnerabilities to getshell
Look for a file inclusion vulnerability
Trojan phishing of the administrator

Why does an ASPX Trojan have greater privileges than an ASP one?

ASPX uses .NET technology, which IIS does not support by default; ASPX relies on the .NET Framework, while ASP is only a scripting language. During an intrusion, an ASP Trojan generally has guest privileges, whereas an ASPX Trojan generally has user privileges.

What are some ideas for having only one login page?

SQL injection, universal password
Brute-force cracking
Permission bypass
Directory scanning
Sensitive information leakage

Which of the request headers are harmful?

COOKIE injection
user-agent injection
X-Forwarded-For injection
Referer injection

Talk about the difference between horizontal and vertical unauthorized access?

Horizontal unauthorized access: an ordinary user accesses another ordinary user's data without authorization
Vertical unauthorized access: an ordinary user accesses administrative users' functions without authorization

What is XSS? The hazards and principle of stored XSS

Types: stored, reflected, DOM-based
Stored XSS means the application obtains untrusted data through a web request and stores it in the database without checking whether it contains XSS code

Stored XSS hazards:

Stealing User Cookies
XSS Phishing Attacks
XSS Worm Attacks
Keylogging
Obtaining User Information
Obtaining Screenshots

The host is suspected of being compromised, where to check the logs

System login log
Service access log
Website log
Database log

Python commonly used standard library

Regular expressions: re
Time: time
Random numbers: random
Operating system interface: os
Scientific computing: math
Network requests: urllib
HTTP library: requests
Crawler library: Scrapy
Multithreading: threading

The difference between reverse_tcp and bind_tcp?

reverse_tcp: the attack machine sets an IP and port, and the payload executing on the test machine connects to that port on the attack machine's IP; if the attack machine is listening on this port, it sees the test machine connect in.
bind_tcp: a port (LPORT) is set, and the payload executing on the test machine opens that port so the attack machine can connect to it. In plain terms: when we actively connect to the controlled machine, that is bind_tcp; reverse_tcp, where the controlled machine connects back to us, is safer and generally not blocked by the firewall.

What can go wrong in the OAuth authentication process, and what kinds of vulnerabilities result?

CSRF
Lax redirect_uri verification
Wrong parameter passing

How to obtain the real IP of a website behind a CDN

Global ping
Query historical DNS resolution records
Probe files such as phpinfo
Use commands to make the site connect to our server or a DNSlog
Find the website configuration
Scan the entire network and match by title
Through second-level domain names

How to achieve cross-domain?

JSONP
CORS (cross-origin resource sharing)
Proxy cross-domain requests
HTML5 postMessage method
Modify document.domain for cross-subdomain access
HTML5 WebSocket protocol
http://document.xxx  + iframe

What is the difference between jsonp cross-domain and CORS cross-domain?

JSONP has good browser support, while CORS does not support IE9 and below
JSONP only supports GET, while CORS supports all types of HTTP requests
JSONP sends only one request, while for complex requests CORS sends two

Algorithms? Which sorting algorithms do you know?

Bubble sort
Selection sort
Insertion sort

SSRF exploitation?

Local file reading
Service detection, port scanning
Attack intranet redis, mysql, fastcgi and other services
Protocols used: http/s, file, gopher, tftp, dict, ssh, telnet

Common backdoor methods?

Windows:

Registry self-starting
shift backdoor
Remote control software
webshell
adding management users
Shadow users
Timed task
dll hijacking
Registry hijacking
MBR backdoor
WMI backdoor
Administrator password record

Linux:

SSH backdoor
SUID backdoor
Crontab scheduled task
PAM backdoor
Add administrator account
Rootkit

How to bypass open_basedir directory access restrictions?

Use a command execution function to bypass
Use the symlink() function to bypass
glob pseudo-protocol bypass

Problem-prone points in PHP code audit?

Any form of parameter concatenation may cause SQL injection (the classic case)
Global variable registration causes variable overwriting
Unfiltered fwrite parameters cause code execution
Back-end functions accessible because permission checks are missing
unserialize deserialization vulnerabilities
Arbitrary file upload on interfaces

In a red/blue confrontation, what scenarios and techniques does the blue team use against the red team?

Phishing, honeypots, AntSword RCE

Linux scheduled tasks: what would hackers do to hide their scheduled tasks?

Temporary tasks: the at and batch commands

What are the common getshell methods for unauthorized Redis access?

web absolute path write shell
write ssh public key to obtain server permissions
master-slave copy getshell

Attack methods against JWT? (header, payload, signature)

Signing algorithm set to none to bypass identity verification
Brute-forcing weak keys; kid parameter: arbitrary file read, SQL injection, command injection
Unverified signature: re-encode the content
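The "alg: none" bypass above, shown from the verifier's side as an added example that is not part of the original post: a weak verifier that lets the token's own header choose the algorithm beside a hardened one that pins the algorithm server-side and rejects an empty or mismatching signature. The key, claims and function names are constructed for this illustration; the HS256 signing helper is written with the standard library rather than a JWT package.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, key):
    """Issue a token the way a correct HS256 issuer does."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(payload):
    """Constructed test input: the header claims alg none and the signature part is empty."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def naive_verify(token, key):
    """Weak verifier: trusts the header's alg, so an unsigned token is accepted."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(_b64url_decode(p)) if hmac.compare_digest(expected, _b64url_decode(s)) else None


def strict_verify(token, key, expected_alg="HS256"):
    """Hardened verifier: the server fixes the algorithm; the header may not change it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, binascii.Error):
        return None
    if header.get("alg") != expected_alg or not sig:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p))


# Constructed key and claims for the demonstration.
KEY = b"constructed-demo-key"
CLAIMS = {"sub": "alice", "role": "user"}
```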

Vulnerabilities in JAVA middleware, give a few examples?

JBoss deserialization
WebLogic deserialization
Tomcat arbitrary file writing, weak password + background getshell

What vulnerabilities can DNS out-of-band (DNSlog) be used for?

SQL Blind Injection
Command execution without echo
Blind XXE
Blind SSRF

HttpOnly prevents JS from reading the cookie; how to bypass this to get the cookie?

Hijack the login page for phishing

Summary of middleware vulnerabilities?

Only commonly exploited vulnerabilities are written here

IIS:

IIS 6.0 PUT vulnerability
IIS 6.0 remote code execution vulnerability
IIS 6.0 parsing vulnerability
IIS .NET short file name vulnerability
IIS 7.0/7.5 parsing vulnerability

Apache:

Unknown extension parsing vulnerability
Parsing vulnerability and directory traversal caused by misconfiguration

Nginx:

Parsing vulnerabilities and directory traversal caused by configuration errors

Tomcat:

Arbitrary code execution and arbitrary file write vulnerabilities caused by misconfiguration
Weak password + management background WAR package deployment getshell (manager/html)
Management background weak password brute-forcing

JBoss:

5.x/6.x deserialization vulnerability (CVE-2017-12149)
JMXInvokerServlet deserialization
EJBInvokerServlet deserialization
JMX Console unauthorized access
Weak password + management background war package deployment getshell

WebLogic:

XMLDecoder deserialization vulnerability (CVE-2017-10271 & CVE-2017-3506)
wls9_async_response, wls-wsat deserialization remote code execution vulnerability (CVE-2019-2725)
WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)
Weak password + management background war package deployment getshell

Talk about the ideas for privilege escalation on Windows and Linux systems?

Windows:

Database privilege escalation: mysql, sqlserver
Third-party software privilege escalation: serv-u DLL hijacking
System kernel overflow vulnerability privilege escalation: cve series

Linux:

sudo privilege escalation
suid privilege escalation
redis kernel privilege escalation

Which Python frameworks do you know, and what vulnerabilities have appeared in them?

Django, Flask, Scrapy
Django arbitrary code execution
Flask template injection

Differences between mini program penetration and ordinary penetration

The penetration process is the same: capture packets and modify parameters. The difference is that a mini program's package is downloaded locally, so it can be decompiled with a reverse-engineering tool.

Vulnerability testing of an app's four major components

Activity components:

Activity bound to BROWSABLE and custom protocols
ActivityManager vulnerability

Service component:

Privilege Escalation, Denial of Service Attack

Broadcast Receiver component:

Improper rights management
BroadcastReceiver export vulnerability
Dynamic registration broadcast component exposure vulnerability

Content Provider component:

Read and write permission vulnerability
SQL injection vulnerability in Content Provider
Provider file directory traversal vulnerability

IDS/IPS protection principle and bypass ideas

Principle:

IDS works at the network layer and is deployed out of band (bypass mode); it detects attacks by capturing and analysing network traffic. IPS is generally deployed at the network layer and can be understood as an IDS with blocking capability, an upgraded IDS (there is also a device-linkage mode in which the IDS detects an attack and notifies a blocking device to execute the block); it can cover the network layer and the application layer.

Bypass:

TCP fragmentation: split the data across two TCP packets
IP fragmentation: same principle as TCP fragmentation, but with severe packet loss
Program bug/performance problem: Send a large number of invalid packets, consuming IPS performance
Fake TCP state: Bypass IPS based on state tracking
IPV6 bypass: use IPV6 address to bypass

Exploiting JSON CSRF

Construct a JSON request with XMLHttpRequest or fetch, and use Flash cross-domain requests and 307 redirects to bypass restrictions on custom HTTP headers

What vulnerabilities can be tested for in JSON-format packets

CSRF, JSON hijacking, XSS

This information is compiled from the Internet and shared freely for exchange only; infringing content will be deleted on request.


Origin blog.csdn.net/Forget_liu/article/details/131031463