This is part 2 of the cyber security interview questions series. If you haven’t read the first part, go here: https://shifacyclewala.medium.com/cyber-security-interview-questions-part-1-ae00b96c5610
1. Explain your methodology to test any web application?
It depends on the type of application and the scope, so I have divided my methodology into 3 scopes: small scope, medium scope and large scope.
Small Scope for example.com
1. First, I start with web fuzzing using ffuf (Fuzz Faster U Fool) or dirb (directory buster). Why? Because we may get directory listings with sensitive data or source code files, and we may get access to internal portals like phpMyAdmin, which manages the database.
2. Next, I will run a port scan to identify apps on other ports, which may be running on a default config (nmap -sV -Pn -A -p- -T5 example.com -v), where -sV = service version detection, -Pn = no ping probe (treat the host as up), -A = aggressive scan (runs the nmap default scripts), -p- = scan all 65535 ports, -v = verbose, to show detailed output on screen, -T5 = timing template 5, the fastest scan.
3. Next, I will crawl the application, collect all URLs and endpoints, and test the parameters for multiple vulns like XSS, SQL injection etc.
4. Next, I will take url=, redir=, to= and similar types of parameters from the URLs and test for Open Redirect and SSRF.
5. Coming to the main web application, I will check for Auth Bypass and Login Bypass using SQL injection, and for Code Injection in the username and password fields by passing the id or whoami command.
6. Registering with an XSS payload and checking if the XSS fires, or with a `{{7*7}}` Server Side Template Injection (SSTI) payload; also registering with organisational emails to see if we get more access than when registering with a normal gmail.com address.
7. Then I will try Authentication Bypass for email, or if a phone number is asked for, try OTP bypass by response manipulation (0 to 1, false to true) or OTP brute force using Burp Intruder.
8. After successfully logging in to the web app, I will check the functionality and how data is stored. Then I will try HTML Injection and Stored XSS.
9. Finally, I will check all inputs and try all OWASP Top 10 vulns.
10. Lastly, I will check for access control issues (privilege escalation) and business logic issues (e.g. coupon code reuse, or any functionality which may cause business loss), and I believe I will improve my methodology based on the applications in your organization.
Medium Scope for example.com
If the target is *.example.com then I will do subdomain enumeration. All other steps remain the same as above. Tools used: subfinder & findomain.
Large Scope for example.com
If the target is *.example.com then I do subdomain enumeration from the ASN range and other sources (Crunchbase, crt.sh etc.) to increase the surface mapping. All other steps remain the same as above.
2. Difference between CSRF and SSRF?
i.) CSRF is a client-side attack whereas SSRF is a server-side attack.
ii.) We need user interaction to perform CSRF, but we don’t need user interaction in SSRF.
iii.) CSRF is not possible unless the user is actually logged in to the application, but in SSRF we don’t need to be logged in.
3. Explain your insights on a CSRF attack?
Two conditions for CSRF:
i.) The user should be logged in.
ii.) The user should click on our PoC.
How to test for CSRF:
i.) Make a CSRF PoC using the Burp CSRF PoC generator from the Burp Engagement Tools menu.
ii.) Send the HTML PoC to the user.
iii.) The user will click and the CSRF will be done (if the two conditions are satisfied).
How to fix/mitigate CSRF:
Use rolling CSRF tokens instead of static tokens. This way the server will not accept any request carrying a wrong token from the attacker, and the CSRF attack will not work.
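To show why the rolling-token mitigation works, here is an added example (not code from the article) of a minimal server-side check: the session cookie rides along with any cross-site request, so the endpoint additionally demands a per-session token that only the server’s own form knows, and rotates it after every accepted request. The in-memory session store and the `handle_transfer` endpoint are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory "server" state: session id -> current CSRF token
_SESSIONS = {}


def login():
    """Create a session and issue its first CSRF token (server side)."""
    sid = secrets.token_urlsafe(16)
    _SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_form(sid):
    """The token the server embeds as a hidden field in its own HTML form."""
    return _SESSIONS[sid]


def handle_transfer(request):
    """State-changing endpoint. The browser attaches the session cookie to a
    cross-site request too, so the cookie alone proves nothing: the request
    must also carry the token that only our rendered page could contain."""
    sid = request.get("cookie")
    if sid not in _SESSIONS:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(submitted, _SESSIONS[sid]):
        return 403, "bad or missing CSRF token"
    # rolling token: rotate after every accepted request, so a token that
    # leaked once cannot be replayed the way a static token could
    _SESSIONS[sid] = secrets.token_urlsafe(32)
    return 200, "transfer done"


def demo():
    """Legitimate submit, forged cross-site submit, and replay of a used token."""
    sid = login()
    token = render_form(sid)
    legit = handle_transfer({"cookie": sid, "form": {"to": "bob", "csrf_token": token}})
    # auto-submitting PoC page: cookie is sent by the browser, token is unknown
    forged = handle_transfer({"cookie": sid, "form": {"to": "mallory"}})
    # the legitimate form's token was consumed above, so replaying it fails
    replay = handle_transfer({"cookie": sid, "form": {"to": "mallory", "csrf_token": token}})
    return {"legit": legit[0], "forged": forged[0], "replay": replay[0]}
```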
4. What is the CIA Triad?
The CIA triad stands for Confidentiality, Integrity and Availability. Together, these three principles keep a company’s security intact and unbreakable.
Confidentiality ensures that only those who are authorized (or will be authorized) have access to specific data, and that those who are unauthorized are prevented from obtaining access to that data.
Integrity ensures that data has not been tampered with and can be trusted: it is correct, authentic and reliable.
Availability ensures that authorized users have timely, reliable access to resources when they are needed.
Video: https://www.youtube.com/watch?v=7Ubgog1uNvc
5. What are cookie attributes?
A cookie is basically a chunk of data stored in the browser which contains login or session information.
Secure attribute — The ‘Secure’ attribute makes sure that the cookie will only be sent with requests made over an encrypted connection, so an attacker won’t be able to steal cookies by sniffing/MITM.
HttpOnly attribute — Cross Site Scripting attacks can be used to steal cookies with the help of client-side scripts; HttpOnly stops scripts from reading the cookie, though it doesn’t 100% eliminate client-side attacks like XSS.
Domain attribute — The ‘Domain’ attribute signifies the domain for which the cookie is valid; the cookie is submitted with every request to this domain or its subdomains.
Path attribute — signifies the URL path for which the cookie is valid. The default path attribute is ‘/’.
Expires attribute — This attribute is used to set persistent cookies. It signifies how long the browser should keep the persistent cookie and when the cookie should be deleted.
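As an added example (not from the article), the small audit below parses a Set-Cookie header and reports the weaknesses the attributes above are meant to prevent: a missing Secure or HttpOnly flag, a Domain that widens the cookie to all subdomains, and an Expires/Max-Age that turns a session cookie into a persistent one. The two headers and the list of session cookie names are constructed for illustration.

```python
# Constructed sample headers: the first is the weak configuration, the second the fixed one
WEAK_HEADER = "PHPSESSID=a1b2c3; Path=/; Domain=example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED_HEADER = "PHPSESSID=a1b2c3; Path=/; Secure; HttpOnly"

# Common session cookie names (constructed list) for the persistence check
SESSION_NAMES = {"sid", "session", "sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie also travels over plain HTTP (sniffing/MITM)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by client-side script (XSS theft)")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        # an explicit Domain makes the cookie valid for every subdomain as well
        findings.append(f"Domain={domain}: shared with all subdomains of {domain.lstrip('.')}")
    persistent = "expires" in attrs or "max-age" in attrs
    if persistent and name.lower() in SESSION_NAMES:
        findings.append("Expires/Max-Age on a session cookie: it persists on disk after the browser closes")
    return findings


if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        print(hdr)
        for f in audit_set_cookie(hdr) or ["no findings"]:
            print("  -", f)
```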
6. What are the most common business logic issues?
The most common business logic issues are:
i.) Coupon code reuse.
ii.) Being able to use demo accounts/services multiple times for financial benefit.
iii.) Abusing applications using @organisation emails to get premium services.
iv.) Adding products to the cart, e.g. on Amazon: an attacker can add all units of a product to the cart, so on the sale day the app thinks the inventory is empty, doesn’t allow users to purchase and says the product is out of stock.
7. What are your favourite open source tools?
FFUF — It’s a very fast web fuzzer.
Nuclei is my favourite open source tool because it has a huge set of templates and gets regular updates. In a very short time we get a lot of potential issues.
Dirb (directory buster) — It’s a very fast directory fuzzer.
subfinder — my favourite open source tool because it gives very fast and accurate subdomains of a target, which is very useful in asset discovery for target domains.
8. Any paid tools you wish to use and recommend to us in the organisation?
Burp Suite. (They will say “we already have this”. You can say that most of the work can be done from it, and there are plenty of open source alternatives that can be used for the other work.)
9. What is a thick and a thin client, and any tools?
Thin client — basically an application which requires the server for communication and is limited in what it can do on its own as a standalone.
Thick client — basically an application which can also work partially on its own when installed on the system, without a server.
Thick Client App: Application → App Server → Database
Tools to test thick/thin clients:
DLL Hijacker and Echo Mirage for DLL hijacking
Burp Suite to check inputs for SSRF, XSS etc.
ProcMon (Process Monitor) and Process Explorer (Sysinternals tools) for process analysis
WinHex for memory analysis
Wireshark for traffic analysis
10. Questions on Burp Suite and its tabs?
Burp Suite is a proxy tool which sits between the client and the server.
There are many tabs in Burp Suite; the major ones are the Proxy, Repeater, Decoder and Intruder tabs.
Proxy tab — This is used to configure the proxy between Burp and the browser. There are also rules for the interception of requests and responses.
Invisible Proxy — In some cases a thick client application will respect the proxy settings of the system you are using to run Burp Suite. However, it is often the case that these clients don’t support HTTP proxies. Burp’s invisible proxying allows non-proxy-aware clients to connect directly to a Proxy listener. This option is useful when we are testing a desktop application.
Upstream Proxy — Upstream proxy settings allow you to use a proxy acting in between Burp Suite and your connection to the internet. (https://portswigger.net/support/burp-suite-upstream-proxy-servers)
Repeater — This tab is used to repeat (resend and modify) requests in Burp Suite.
Decoder — This tab is used for decoding any encoded strings like base64 or URL encoding.
Intruder — This tab is used for fuzzing and testing for various attacks.
There are 4 attack types in Intruder: Sniper, Battering Ram, Pitchfork and Cluster Bomb.
Sniper — The sniper attack uses only one payload set, and it replaces only one position at a time. It loops through the payload set, first replacing only the first marked position with the payload and leaving all other positions at their original value.
Battering Ram — The battering ram attack type places the same payload value in all positions. It uses only one payload set. It loops through the payload set and replaces all positions with the payload value.
Pitchfork — The pitchfork attack type uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on.
Cluster Bomb — The cluster bomb attack tries all different combinations of payloads. It still puts the first payload in the first position, and the second payload in the second position, but when it loops through the payload sets it tries all combinations.
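The four attack types differ only in how the payload sets are mapped onto the marked positions, and the request counts they produce (and hence the traffic volume a WAF or rate limiter will see) follow directly from that mapping. The added example below (my own illustration, not Burp’s code) models the four enumeration orders over a request template with §-marked positions; the template and the two payload sets are constructed sample values.

```python
from itertools import product

# Constructed sample: two marked positions, §...§ delimits each one
TEMPLATE = "GET /search?q=§term§&page=§1§"
PAYLOAD_SETS = [["alpha", "beta", "gamma"], ["10", "20"]]


def _split_positions(template):
    """Split on § so that odd-indexed pieces are the original position values."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers in template")
    return parts


def _fill(parts, values):
    """Substitute one value per marked position and rebuild the request."""
    out = list(parts)
    for i, value in enumerate(values):
        out[2 * i + 1] = value
    return "".join(out)


def intruder_requests(template, payload_sets, attack):
    """Yield the requests each Intruder attack type would produce, in order."""
    parts = _split_positions(template)
    originals = parts[1::2]
    n = len(originals)
    if attack == "sniper":
        # one set; one position at a time, the others keep their original value
        for pos in range(n):
            for payload in payload_sets[0]:
                values = list(originals)
                values[pos] = payload
                yield _fill(parts, values)
    elif attack == "battering ram":
        # one set; the same payload goes into every position at once
        for payload in payload_sets[0]:
            yield _fill(parts, [payload] * n)
    elif attack == "pitchfork":
        # one set per position, walked in parallel; stops at the shortest set
        for combo in zip(*payload_sets[:n]):
            yield _fill(parts, list(combo))
    elif attack == "cluster bomb":
        # one set per position; every combination (Cartesian product)
        for combo in product(*payload_sets[:n]):
            yield _fill(parts, list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack}")


def request_count(template, payload_sets, attack):
    """How many requests the attack sends for this template and these sets."""
    return sum(1 for _ in intruder_requests(template, payload_sets, attack))
```

With 3 and 2 payloads over two positions, Sniper sends 3+3, Battering Ram 3, Pitchfork 2 and Cluster Bomb 3×2 requests.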
Note: This is the second part of the article and there will be more upcoming parts with more questions.