CyberSecurityInterview Questions HackerBook

HackerBook

Technologies
8549995000

Contents
1. What is meant by SQL injection?
2. What are the Types of SQL Injections?
3. How do you prevent SQL Injection?
4. What is the tool that is used for SQL Injection?
5. Tell me some commands for sqlmap?
6. What is Cross Site Scripting (XSS)?
7. What are the Different Types of XSS?
8. Which is the most severe among all the XSS Vulnerabilities?
9. What is the difference between Stored XSS and DOM Based XSS?
10. What is the Impact of XSS?
11. What are the Prevention Techniques for XSS?
12. What is Content Security Policy (CSP)?
13. What is meant by CSRF and how do you test it?
14. What are the Mitigations of CSRF?
15. What are CSRF Tokens?
16. What is meant by SSRF and its Impact?
17. How to test SSRF and what is the Root cause of SSRF?
18. What are the Mitigations of SSRF?
19. What is the difference between CSRF and SSRF?
20. What is meant by CORS?
21. What is Same Origin Policy?
22. What are the prevention mechanisms for CORS?
23. What is XXE Attack?
24. What are the Different types of XXE attacks?
25. How to prevent XXE vulnerabilities?
26. What is meant by IDOR and how do you test IDOR?
27. How do you design an application to protect from IDOR?
28. Privilege escalation? Types?
29. How do you prevent Privilege Escalation?
30. What is meant by Clickjacking Vulnerability?
31. What is the mitigation for Clickjacking Vulnerability?
32. What do you understand by Insecure Deserialization?
33. What is the Impact of Insecure Deserialization?
34. What are the Prevention mechanisms for Insecure Deserialization?
35. What is Insecure Design?
36. What is LFI and how do you prevent it?
37. What is RFI and how do you prevent it?
38. How do you Configure Burp Suite?
38. What are the features of Burp Suite?
39. What is meant by JWT Token and where do we use it?
40. Tell me some Vulnerabilities related to JWT Token?
41. What are the components of JWT Token?
42. How do you test the login page when there is a Username, Password and SUBMIT Button, and list out all the possible scenarios?
43. If there is a file upload functionality, what are the scenarios that we are going to test?
44. What is the difference between Encryption, Hashing and Encoding?
45. What is the difference between Asymmetric and Symmetric Encryption?
46. What is the test methodology that you follow to do security testing?
47. What are the tools you have used for DAST?
48. What are the tools that you have used for SAST?
49. What are the tools that you have used for Network Security Assessment?
50. Provided the website, what is the methodology for doing the pen testing?
51. Provided one IP address, what is the methodology for doing the pen testing?
52. Tell me what is meant by Threat modelling and list some techniques of threat modelling?
53. Tell me SDLC and its phases and security testing activities in those phases?
54. Full form of SAST, DAST, SDLC, CVSS, GDPR, PCIDSS, VAPT?
55. Tell me some interesting Vulnerabilities that you have found so far?
56. What is meant by Zero day attack and list some Zero day attacks?
57. Tell me about GDPR?
58. Tell me about PCIDSS and some guideline principles of PCIDSS?
59. Tell me about the Log4j Vulnerability?
60. What is the full form of OWASP?
61. List all the OWASP Top 10 Vulnerabilities of 2021?
62. List all the OWASP API Top 10 Vulnerabilities?
63. What are the tools you have worked on for Mobile security?
64. How do you test APIs, and what are the tools you have used for API testing?
65. What is the latest TLS?
66. What is the purpose of NMAP?
67. What is the Difference between Authentication and Authorization?
68. What's the difference between HTTP and HTTPS?
69. What's the protocol responsible for secure communication?
70. What's the purpose of digital Certificates?
71. Can you name 2 or 3 Digital Certificate providers (CA)?
72. Assume a user is trying to launch a secure banking website and sending feedback. Will that be Symmetric or Asymmetric or both encryption mechanisms?
73. What is the SSL Handshake?
74. What are the 3 steps that are invoked in the 3 way TCP/IP handshake?
75. What is the default port for RDP?
76. What is the default port for SMTP?
77. What's the purpose of an SMTP server? For E-mail purposes?
78. What is the default port for DNS?
79. What's the purpose of a DNS server? --> resolving names to IP addresses; we call it reverse DNS.
80. What is the default port for a web proxy?
81. What is Threat Modelling? List 2 or 3 techniques for Threat Modelling?
82. What is the difference between STRIDE and DREAD?
83. What's the full form of STRIDE?
84. What's the full form of DREAD?
85. What's the purpose of CVSS?
86. What's the range of CVSS?
87. What is the severity of the vulnerability/defect for the CVSS score 9.5?
88. What is the severity of the vulnerability/defect for the CVSS score 2.0?
89. What are the severity ratings for the vulnerabilities under CVSS?
90. Give one example for critical severity?
91. Explain about Security Misconfiguration?
92. What's a DOS attack?
93. DDOS stands for?
94. What is the DDOS attack?
95. What are the steps involved in the 3 way TCP/IP handshake?
96. What's the difference between TCP connect scan (Full duplex) and Stealth scan (Half duplex)?
97. Is the identity of the attacker hidden during a Full duplex scan or a Half duplex scan?
98. What are the arguments to be used for Null scan and FIN scan in nmap?
99. What are the arguments to be used for Version scan in nmap?
100. Name all the TCP flags in a TCP packet?
100. What's the difference between RST and FIN?
101. What's the difference between PSH and URG?
102. What are the 3 principles of Information Security?
103. What is the Threat that gets triggered by Lack of availability?
104. What is the full form of DDOS and how do you test DDOS?
105. How do you design an application to protect from DOS or DDOS?
106. How do you test Session management?
107. How do you design an application to protect from Session Hijacking Attacks?
108. How do you test Brute Force Attack for a Login page?
109. How do you design an application to protect from Brute Force Attacks?
110. How do you implement the login feature of a website for better security?
111. What's the importance of HSTS?
112. Difference between Open, Closed and Filtered?
113. Test Strategy?
114. CVSS Scoring?
115. False Positive means?
116. Data vs Info?
117. Meanings of Vulnerability, Exploit, Payload, Threat?
118. How does TLS communication work?
119. Session Hijacking -- Types
120. How does the Firewall work?
121. How does the IDS work?
122. What's the difference between IDS and IPS?
123. Name 1 or 2 examples of Firewalls?
124. Name 1 or 2 examples of IPS/IDS?
125. Name 1 or 2 examples of AV or Anti Malware?
126. What's meant by Virus?
127. What's meant by Trojan?
128. What's meant by Rootkit?
129. How do you perform penetration testing in production without any tools?
130. What's the difference between Pre-Prod and Live?
131. What's the difference between Blue Team and Red Team?
132. What's the difference between Black box Testing and White box testing?
133. What's the difference between Black box Testing, White box testing and Grey box testing?
134. What's the difference between Black Hats, White Hats and Grey Hats?
135. What's the difference between SAST and DAST?

1. What is meant by SQL injection?


SQL stands for Structured Query Language. SQL injection is an attack in which the attacker injects
crafted malicious payloads into input fields or URL parameters in order to obtain sensitive
information or data that the application was not intended to display.

2. What are the Types of SQL Injections?


Error based, Blind SQL (Boolean based and Time based), Second order
Error based: The attacker supplies payloads in an input field to provoke a syntax error. If an error is
returned, the attacker builds on that payload to extract sensitive information from the database and can
finally take control over the database.
Payloads like ' " % & order by ...
Blind SQL: Time based and Boolean based
Time based: The attacker supplies payloads such as sleep(5) or sleep(10) and then observes a matching delay
in the response of 5 or 10 seconds. Typically a web application firewall identifies such a request and
blocks it.
Boolean based: Boolean conditions such as 1+2=4 are injected and the application responds differently for
the true and the false condition; that indicates a Boolean based SQL injection.
Second order SQL Injection: The attacker supplies a payload that is first stored by the application and
later executed in a malicious way.

3. How do you prevent SQL Injection?


Don't use dynamic SQL: don't construct queries from user input; use prepared statements (parameterized
queries) and stored procedures instead.
Input sanitization
Patch and update regularly
Consider a WAF (web application firewall)
Use appropriate privileges: do not use admin privileges all the time
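The first prevention point, shown as an added example (not code from the original booklet): the same lookup written as dynamic SQL and as a prepared statement, run against a constructed in-memory SQLite table. The tautology probe only changes the result of the dynamic version; with the placeholder the value is bound as data and never parsed as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: dynamic SQL built by string concatenation.
    The user-supplied value becomes part of the query text, so a quote
    character in it changes the structure of the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a prepared (parameterized) statement. The value is bound to
    the ? placeholder by the driver and is never interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both variants with a normal value and with a tautology probe."""
    conn = make_db()
    probe = "' OR '1'='1"  # turns the dynamic query into WHERE username = '' OR '1'='1'
    return {
        "dynamic_normal": find_user_dynamic(conn, "alice"),
        "dynamic_probe": find_user_dynamic(conn, probe),
        "prepared_normal": find_user_prepared(conn, "alice"),
        "prepared_probe": find_user_prepared(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The dynamic version returns every user for the probe; the prepared version returns nothing, because no user is literally named `' OR '1'='1`. The same placeholder discipline applies to any driver (`%s` for psycopg2, `?` for JDBC, and so on).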

4. What is the tool that is used for SQL Injection?


sqlmap

5. Tell me some commands for sqlmap?

sqlmap -u <url>

sqlmap -u <url> --dbs

sqlmap -u <url> --current-db

sqlmap -u <url> -D dvwa --tables

sqlmap -u <url> -D dvwa -T users --columns

sqlmap -u <url> -D dvwa -T users --columns --dump

6. What is Cross Site Scripting (XSS)?


XSS stands for Cross Site Scripting. It is a type of security vulnerability found in some web
applications, in which an attacker injects malicious JavaScript into the vulnerable page.
Script like <script>alert('xss')</script>

7. What are the Different Types of XSS?


There are 3 types of XSS: Reflected, Stored and DOM based.
Reflected: Execution happens only once, when the crafted request is made.
Stored: The payload is stored on the server and executes every time a victim loads the
vulnerable page.
DOM based: It makes use of DOM objects for executing the payload.
When does it occur? The most common source for DOM XSS is the URL, which is typically
accessed through the window.location object. An attacker can construct a link that sends a victim to a
vulnerable page with a payload in the query string or fragment portion of the URL.
Payloads use objects like document.cookie and document.location.

8. Which is the most severe among all the XSS Vulnerabilities?


Stored Cross Site Scripting is the most severe, as the payload is stored on the server and executes multiple times.

9. What is the difference between Stored XSS and DOM Based XSS?
In Stored XSS the payload is stored on the server and executes multiple times, whenever a victim loads the
vulnerable page.

DOM XSS is a client side attack. It makes use of DOM objects to execute the payload.

Payloads use objects like document.cookie and document.URL.

10. What is the Impact of XSS?


The impact is session stealing, session hijacking, and downloading malicious scripts in the victim's browser.

11. What are the Prevention Techniques for XSS?


Input filtering
Output encoding
Use appropriate response headers (use the Content-Type and X-Content-Type-Options headers)
Content Security Policy

12. What is Content Security Policy (CSP)?


It is used to reduce the severity of XSS vulnerabilities that still occur.
CSP is a browser security mechanism that aims to control or restrict the resources, such as images or
scripts, that a page can load. One example is the frame-ancestors directive, which restricts which pages
may embed the page in an iframe.

13. What is meant by CSRF and how do you test it?


CSRF stands for Cross Site Request Forgery.
CSRF is an attack that forces authenticated users to submit a request to a web application against
which they are currently authenticated.
It is a web security vulnerability that allows an attacker to induce users to perform actions that
they did not intend to perform.
Ex: Assume there is a user who logs in to a banking application and transfers funds. The attacker
performs the forgery while the user is transferring the funds. Assume that after logging in the user
receives a mail with some offer, and alongside the offer the attacker has placed a link that updates
the phone number, changes the password or changes the address. After clicking on the offer the
user opens a voucher page and collects some vouchers. The moment the user collects a voucher, the
user's phone number is automatically updated to the attacker's phone number, so the attacker can
then update details such as phone, password, profile, images and videos, or delete them.
Link: <img style="display: none"
src="http://192.168.183.128/dvwa/vulnerabilities/csrf/?password_new=welcome123&password_conf=welcome123&change=change" alt="">
How do you test CSRF?

First I log in to the application as a normal user (even though I am the attacker) and capture
a request. I then frame a request by modifying some of the details, such as the password, address,
phone number or zip code, and send this CSRF link to the victim through a social engineering attack.
If the victim is already logged in to the application and opens our link in parallel, the
password or the phone number gets updated.

14. What are the Mitigations of CSRF?


For mitigation there are some attributes under the response headers, such as SameSite, HttpOnly and deny;
those have to be set to avoid CSRF.
- There are request headers and response headers; the cookie arrives in the request headers
from the browser. Because the same browser is used, the attacker's forged request carries the cookie, e.g. PHPSESSID.
- Assume you send a unique attribute or unique value with the request which
cannot be guessed by the attacker; these are called "Tokens".
- Make sure that "CSRF Tokens" are present under the "request headers". If the tokens are in the
headers, a CSRF attack is not possible.

15. What are CSRF Tokens?


A CSRF Token is a unique, secret, unpredictable value that is generated by the server side
application and transmitted to the client in such a way that it is included in a subsequent HTTP
request. The server side application then validates that the request includes the expected token
and rejects the request if the token is missing or invalid.
CSRF Tokens prevent CSRF attacks by making it impossible for an attacker to construct a
fully valid HTTP request suitable for feeding to a victim user. Since the attacker can't determine or
predict the value of the user's CSRF Token, they can't construct a request with all the parameters that
are necessary for the application to honour the request.
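The token mechanism from questions 14 and 15, as an added example (not code from the original booklet): a per-session token is issued at login, embedded in the form, and checked with a constant-time comparison before the password change is honoured. The session store and the forged request are constructed; the forged request carries the victim's session (as the cookie would) but not the token.

```python
import hmac
import secrets

# In-memory session store, constructed for the demonstration.
SESSIONS: dict = {}


def login(username: str) -> str:
    """Create a session and issue a per-session CSRF token alongside it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username,
                            "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_change_password_form(session_id: str) -> str:
    """The server embeds the token in the form; it could equally be sent in
    a request header by the client-side code."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form method="post" action="/change-password">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="password_new"><input name="password_conf">'
            '</form>' % token)


def handle_change_password(session_id: str, form: dict) -> str:
    """Validate the token before acting. hmac.compare_digest compares in
    constant time so the check does not leak the token by timing."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    expected = session["csrf_token"]
    supplied = form.get("csrf_token", "")
    if not supplied or not hmac.compare_digest(expected, supplied):
        return "403 invalid CSRF token"
    if form.get("password_new") != form.get("password_conf"):
        return "400 passwords do not match"
    session["password"] = form["password_new"]
    return "200 password changed"


def demo() -> dict:
    """A forged cross-site request vs. the legitimate form submission."""
    sid = login("victim")
    # The forged request is what the hidden <img> in question 13 would send:
    # the browser attaches the session cookie, but the attacker cannot read
    # the token, so it is absent.
    forged = {"password_new": "welcome123", "password_conf": "welcome123"}
    legit = dict(forged, csrf_token=SESSIONS[sid]["csrf_token"])
    wrong = dict(forged, csrf_token="guessed-token")
    return {"forged": handle_change_password(sid, forged),
            "wrong": handle_change_password(sid, wrong),
            "legit": handle_change_password(sid, legit)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The token must be tied to the session (or signed with a server secret) and must never be placed in a cookie alone, since a cookie is exactly what the forged request already carries.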

16. What is meant by SSRF and its Impact?


- SSRF stands for Server Side Request Forgery.
- Basically the attacker makes use of the servers in the back end to perform some malicious activity. To
do that we need a listening tool such as Burp Collaborator client or Netcat to run a service, and once
the request is intercepted in the application we provide that service as the payload in the intercepted
request.
- Once that gets processed by the backend server we should be able to gain access to the remote
servers.
Impact:
- Gains access to sensitive data from backend services
- Performs unauthorized activity in the backend services or an external system
- Can even cause command injection in the backend system

17. How to test SSRF and What is the Root cause of SSRF?

We run Burp Collaborator client, which runs a service on a socket; we place that service's address in
any of the intercepted requests. If the attack succeeds we will be able to see the callbacks from the
backend servers in the Burp Collaborator client.
Root Cause:
The root cause of SSRF is that a web application needs to retrieve resources from another domain to
fulfil requests, but the input URL is not properly sanitized, which allows the attacker to manipulate the
destination.

18. What are the Mitigations of SSRF?


Limit user permissions to the backend
Whitelist the hostnames (DNS names)
IDS
Whitelist the IP addresses
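The hostname and IP whitelisting mitigations, as an added example (not code from the original booklet): a fetch URL is accepted only if its scheme is http(s), its hostname is on an exact allowlist, and every address it resolves to is public. The resolver is injected so the check runs offline here; the allowlist, the stub DNS table and all addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the application is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}


def is_public_address(ip_text: str) -> bool:
    """True only for a routable public address (blocks RFC 1918, loopback,
    link-local such as the cloud metadata range, multicast, reserved)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(url: str, resolver, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL if it is safe to fetch, else raise ValueError.
    resolver(hostname) -> list of IP strings is injected so the check is
    testable offline; in production it would wrap socket.getaddrinfo."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        # user@host tricks: 'https://images.example.com@evil.example/'
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError("host not in allowlist: %r" % host)
    # A permitted name must not resolve to an internal address either
    # (split-horizon DNS or a rebinding attempt would otherwise pass).
    for ip_text in resolver(host):
        if not is_public_address(ip_text):
            raise ValueError("host resolves to internal address %s" % ip_text)
    return url


# Constructed stub resolver standing in for DNS.
STUB_DNS = {
    "images.example.com": ["93.184.216.34"],
    "api.partner.example": ["104.16.1.1", "10.0.0.5"],  # one internal answer
}


def stub_resolver(host: str) -> list:
    return STUB_DNS.get(host, [])


def check(url: str) -> str:
    """Human-readable verdict for a candidate URL."""
    try:
        validate_fetch_url(url, stub_resolver)
        return "allowed"
    except ValueError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    for u in ["https://images.example.com/logo.png",
              "http://127.0.0.1:8080/admin",
              "http://169.254.169.254/latest/meta-data/",
              "https://api.partner.example/v1/status",
              "file:///etc/passwd"]:
        print(u, "->", check(u))
```

The resolved-address check matters because an allowlisted name is only as trustworthy as its DNS; the connection itself should also be made to the address that was validated, not re-resolved.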

19. What is the difference between CSRF and SSRF?


CSRF stands for Cross Site Request Forgery. CSRF tries to gain unauthorised access to a single user's account.

SSRF stands for Server Side Request Forgery. In SSRF the attacker tries to gain access to the back end
servers.

20. What is meant by CORS?


- CORS stands for Cross Origin Resource Sharing and is a browser mechanism. If the application refers
to any kind of external domain for its resources, then you need to configure CORS.
It makes use of headers such as Access-Control-Allow-Origin and Access-Control-Allow-Methods.
It extends and adds flexibility to the SOP (Same Origin Policy). However, it also provides potential for
cross domain based attacks if it is implemented badly.
- CORS is not a protection against cross origin attacks such as cross site request forgery (CSRF).

21. What is Same Origin Policy?


The same origin policy is a restrictive cross origin specification that limits the ability of a
website to interact with resources outside its source domain.
The same origin policy was defined many years ago in response to potentially malicious
cross domain interactions, such as one website stealing private data from another.
It generally allows a domain to issue requests to other domains but not to access the
responses.
Relaxation of the same origin policy:

- The same origin policy is very restrictive, and consequently various approaches have been devised to
circumvent its constraints.
- Many websites interact with sub domains or third party sites in a way that requires full cross origin
access.
- A controlled relaxation of the same origin policy is possible using cross origin resource sharing.
- The CORS protocol uses a suite of HTTP headers that define trusted web origins and associated properties,
such as whether authenticated access is permitted.
- These are combined in a header exchange between the browser and the server.

22. What are the prevention mechanisms for CORS?


Proper configuration of cross origin requests
Only allow trusted sites
Avoid whitelisting shell
Avoid wildcards in the internal network
CORS is not a substitute for server side security policies
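The "only allow trusted sites" point, as an added example (not code from the original booklet): the origin-reflecting configuration that allows any site to read authenticated responses, beside a version that echoes an origin only on an exact allowlist match. The trusted origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of exact origins (scheme + host, plus port if any).
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_misconfigured(origin: str) -> dict:
    """Weak: reflects whatever Origin the request carries and allows
    credentials, so any site can read responses sent with the user's
    cookies. Shown only as the anti-pattern to avoid."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin, trusted=TRUSTED_ORIGINS) -> dict:
    """Hardened: echo the origin only on an exact allowlist match.
    'null' is never trusted, substring matches such as
    app.example.com.evil.example fail the exact comparison, and Vary: Origin
    stops a cache serving one origin's header to another."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return {}
    normalized = "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())
    if normalized not in trusted:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "GET, POST",
            "Vary": "Origin"}


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.evil.example",
              "https://evil.example", "null", None]:
        print(o, "->", cors_headers(o))
```

A wildcard `Access-Control-Allow-Origin: *` is refused by browsers together with credentials, which is why misconfigured servers reflect the origin instead; that is the pattern the hardened function avoids.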

23. What is XXE Attack?


XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker
to interfere with an application's processing of XML data. It often allows an attacker to view files on the
application server filesystem, and to interact with any back-end or external systems that the application
itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other
back-end infrastructure, by leveraging the XXE vulnerability to perform SSRF attacks.

24. What are the Different types of XXE attacks?


There are various types of XXE attacks:

Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and
returned in the application's response.
Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end
system.
Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data is transmitted from the application
server to a system that the attacker controls.
Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error
message containing sensitive data.

25. How to prevent XXE vulnerabilities?


Virtually all XXE vulnerabilities arise because the application's XML parsing library supports potentially
dangerous XML features that the application does not need or intend to use. The easiest and most
effective way to prevent XXE attacks is to disable those features.

Generally, it is sufficient to disable resolution of external entities and disable support for XInclude.
This can usually be done via configuration options or by programmatically overriding default behavior.
Consult the documentation for your XML parsing library or API for details about how to disable
unnecessary capabilities.
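One way to apply the advice above with the Python standard library, as an added example that is not part of the original document: the wrapper below parses with expat and refuses any entity declaration or external entity reference as soon as the parser reports it, which is before any value could be substituted into the content. The sample documents and the function names are constructed for the demo.

```python
"""Added example: a parser wrapper that refuses the XML features XXE
depends on (DTD-declared entities and external entity references) before
they are expanded. Standard-library expat only; not code from the
original document."""

import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares features the application never needs."""


def parse_without_entities(xml_bytes):
    """Parse XML into a list of (tag, text) pairs, rejecting any entity
    declaration or external entity reference instead of resolving it.

    The handlers fire while expat reads the DTD, so the rejection happens
    before any entity value could be substituted into element content.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    stack = []  # [tag, text-chunks] for each open element

    def start(tag, attrs):
        stack.append([tag, []])

    def end(tag):
        tag_name, chunks = stack.pop()
        elements.append((tag_name, "".join(chunks).strip()))

    def chars(data):
        if stack:
            stack[-1][1].append(data)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Any <!ENTITY ...> in user-supplied XML is refused outright:
        # internal entities enable expansion DoS, external ones enable XXE.
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    def external_ref(context, base, system_id, public_id):
        # Belt and braces: never fetch a SYSTEM/PUBLIC resource.
        raise UnsafeXMLError(f"external entity reference to {system_id!r} refused")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_bytes, True)
    return elements


def is_safe_document(xml_bytes):
    """True if the document parses with every entity feature refused."""
    try:
        parse_without_entities(xml_bytes)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample documents for the demo.
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b"<order><item>&ext;</item></order>"
)
WITH_INTERNAL_ENTITY = b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'
```

Refusing the declaration itself (rather than only the external reference) also blocks the internal-entity expansion case, which is the second feature the answer says most applications never need.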

26. What is meant by IDOR and how do you test IDOR?


Insecure Direct Object Reference.

Try to access resources that you are not authorised for; the reference can be to an API, a library, a method, etc.
Ex: ABC BANK.com, a/c no: 2233, a/c no: 2333

27. How do you design application to protect from IDOR?


Proper access control: role-based permissions and proper authentication.

28. Privilege escalation? Types?


Privilege escalation is a type of network attack used to gain unauthorized access to systems
within a security perimeter. Attackers start by finding weak points in an organization's
defenses and gaining access to a system.
There are two types: 1. Horizontal 2. Vertical

29. How do you prevent Privilege Escalation?


Role-based access control (RBAC) and attribute-based access control (ABAC)
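The IDOR design answer (question 27) and the privilege-escalation answer above both come down to one authorization gate that is checked on every object reference. As an added example, not code from the original document, the following combines a role table (RBAC, which stops vertical escalation) with ownership and branch attributes (ABAC, which stops horizontal escalation such as reading account 2333 with account 2233's credentials). The User and Account models, roles and sample accounts are constructed for the demo.

```python
"""Added example: a single authorization gate combining role checks (RBAC)
with attribute checks (ABAC) such as ownership. Hypothetical data model,
not code from the original document."""

from dataclasses import dataclass

# Role-based permissions (RBAC): which actions a role may perform at all.
ROLE_PERMISSIONS = {
    "customer": {"account:read", "account:transfer"},
    "teller": {"account:read", "account:freeze"},
    "auditor": {"account:read"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    branch: str


@dataclass(frozen=True)
class Account:
    number: str       # the direct object reference exposed in URLs/APIs
    owner_id: str
    branch: str


def is_authorized(user, action, account):
    """True only if both the role and the object's attributes allow it.

    - Vertical escalation is stopped by the role table: a customer never
      gains 'account:freeze' by naming a different account.
    - Horizontal escalation (IDOR) is stopped by the attribute rules: a
      customer may only act on accounts they own; a teller only within
      their own branch; an auditor may read anywhere.
    """
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if user.role == "customer":
        return account.owner_id == user.user_id
    if user.role == "teller":
        return account.branch == user.branch
    if user.role == "auditor":
        return True
    return False


# Constructed accounts mirroring the "a/c no 2233 vs 2333" example.
ACCOUNTS = {
    "2233": Account("2233", owner_id="alice", branch="north"),
    "2333": Account("2333", owner_id="bob", branch="south"),
}


def fetch_account(user, action, account_number):
    """Look up an object by its reference and enforce the gate on every path.

    Unknown and forbidden references raise the same error so the response
    does not reveal which account numbers exist.
    """
    account = ACCOUNTS.get(account_number)
    if account is None or not is_authorized(user, action, account):
        raise PermissionError("not found or access denied")
    return account
```

The point of `fetch_account` is that the lookup and the check are one function: a code path that fetches by reference without calling it is exactly the IDOR bug the test in question 26 looks for.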

30. What is meant by Click jacking Vulnerability?


Clickjacking is a vulnerability through which an attacker tricks a user into clicking a webpage element
that is invisible or disguised as another element.

This can cause users to unwittingly download malware, visit malicious webpages, or provide credentials
or sensitive data/information.

31. What is the mitigation for Click jacking Vulnerability?


X-Frame-Options in response headers

Values: DENY, SAMEORIGIN, ALLOW-FROM url

32. What do you understand by Insecure Deserialization?


Serialization: is the process of converting complex data structures, such as objects and their fields, into
a flatter format that can be sent and received as a sequential stream of bytes.

Serializing data makes it much simpler to:

Write complex data to inter-process memory, a file, or a database.



Send complex data, for example, over a network between different components of an application or in an
API call.
Deserialization: is the process of restoring this byte stream to a fully functional replica of the original
object, in the exact state it was in when it was serialized.

The website's logic can then interact with this deserialized object, just like it would with any other
object.

Insecure Deserialization:

Insecure deserialization is when user-controllable data is deserialized by a website.

This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the
application code.

It is even possible to replace a serialized object with an object of an entirely different class.

Alarmingly, objects of any class that is available to the website will be deserialized and instantiated,
regardless of which class was expected.

For this reason, insecure deserialization is sometimes known as an object injection vulnerability.

An object of an unexpected class might cause an exception.

By this time, however, the damage may already be done.

Many deserialization-based attacks are completed before deserialization is finished.

This means that the deserialization itself can initiate an attack, even if the website's own functionality
does not directly interact with the malicious object.

For this reason, websites whose logic is based on strongly typed languages can also be vulnerable to these
techniques.

33. What is the Impact of Insecure Deserialization?


- The impact can be very severe because it provides an entry point to a massively increased attack
surface.

- It allows an attacker to reuse existing application code in harmful ways, resulting in numerous other
vulnerabilities, often remote code execution.

- Even in cases where remote code execution is not possible, insecure deserialization can lead to
privilege escalation, arbitrary file access and denial-of-service (DoS) attacks.

34. What are the Prevention mechanisms for Insecure Deserialization?


- Introduce digital signatures and other integrity checks to stop malicious object creation or other data
tampering.

- Run deserialization code in a low-privilege environment.

- Keep a log of deserialization exceptions and failures.



- Enforce strict constraints on the deserialization process before object creation.
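The first and last points above (an integrity check before deserialization, and a constraint on what may be instantiated) are shown together in the following added example, which is not code from the original document. It serializes to JSON with an HMAC-SHA256 tag, verifies the tag on the raw bytes before parsing anything, and then only constructs classes from an allowlist. The Order class, SIGNING_KEY and TamperedData error are constructed for the demo.

```python
"""Added example: the "digital signature / integrity check" mitigation,
applied to a serialized object before it is ever deserialized, plus a
deserializer that only instantiates allowlisted classes. Standard-library
JSON and HMAC; the Order class and key are hypothetical, not code from the
original document."""

import hashlib
import hmac
import json
from dataclasses import dataclass

# Server-side secret; in a real deployment it comes from a key store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class Order:
    order_id: int
    total: float


# Only these classes may ever be instantiated from untrusted input.
ALLOWED_CLASSES = {"Order": Order}


class TamperedData(ValueError):
    """Raised when the blob fails integrity or class-constraint checks."""


def serialize(obj):
    """Produce 'payload.signature' where signature = HMAC-SHA256(payload)."""
    payload = json.dumps(
        {"class": type(obj).__name__, "fields": obj.__dict__}, sort_keys=True
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def deserialize(blob):
    """Verify integrity first, then enforce the class allowlist.

    The check runs on the raw text before json.loads, so a modified blob
    never reaches the parser, let alone object construction. The hex tag
    contains no '.', so rpartition always splits at the right place.
    """
    payload_text, _, sig = blob.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise TamperedData("signature mismatch")
    data = json.loads(payload_text)
    cls = ALLOWED_CLASSES.get(data.get("class"))
    if cls is None:
        raise TamperedData(f"class {data.get('class')!r} is not permitted")
    return cls(**data["fields"])


def sign_raw(payload_text):
    """Sign an arbitrary payload (used to show the allowlist acting on its own)."""
    sig = hmac.new(SIGNING_KEY, payload_text.encode(), hashlib.sha256).hexdigest()
    return payload_text + "." + sig
```

A format like JSON that cannot express "instantiate class X" is itself a constraint; the allowlist matters for formats that can, and the signature is what keeps the "keep a log of failures" point useful, because every rejected blob is an event worth logging.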

35. What is Insecure Design?


Insecure design focuses on the risks associated with flaws in design and architecture.

It focuses on the need for threat modelling, secure design patterns and principles.

These insecure-design flaws are not something that can be rectified by the implementation alone.

36. What is LFI and how do you prevent?


LFI stands for Local File Inclusion.

Local File Inclusion attacks are used by attackers to trick a web application into running or exposing files
on the web server. If the attack is successful, it will expose sensitive information and, in severe cases, can
lead to XSS and remote code execution.

Ex: /etc/passwd, /etc/shadow, etc.

Mitigations:
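The mitigation the answer leaves unstated is a containment check on the resolved path. The following added example (not code from the original document) resolves a user-supplied page name against a fixed base directory with realpath, rejects anything that ends up outside it (including the ../ and absolute-path forms), and restricts the suffix. The directory layout, ALLOWED_SUFFIXES and the render function are constructed for the demo.

```python
"""Added example: resolving a user-supplied file name inside a fixed base
directory and refusing anything that escapes it, the check an
include/download handler needs against LFI. Hypothetical handler, not
code from the original document."""

import os
import tempfile

ALLOWED_SUFFIXES = (".html", ".txt")


def resolve_template(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or None.

    realpath() collapses '..' segments and follows symlinks, so the
    containment test is made on what the OS would actually open, not on
    the string the user sent. Absolute paths are rejected up front because
    os.path.join would otherwise discard base_dir entirely, and a NUL byte
    is rejected because C-level open() would truncate the name at it.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def render(base_dir, requested):
    """Read a page only after the containment check passes."""
    path = resolve_template(base_dir, requested)
    if path is None:
        return None  # the caller maps this to a 404, never to the raw OS error
    with open(path) as fh:
        return fh.read()


def build_demo_tree():
    """Create a throwaway directory with one legitimate page (constructed)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.html"), "w") as fh:
        fh.write("<h1>About</h1>")
    return pages
```

Comparing with `commonpath` rather than a string prefix matters: a prefix test would accept a sibling directory such as `pages-old` as being inside `pages`.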

37. What is RFI and how do you prevent?


RFI stands for Remote File Inclusion.

Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically
reference external scripts. The perpetrator's goal is to exploit the referencing function in an application
to upload malware (e.g., backdoor shells) from a remote URL located within a different domain.

Mitigations:

38. How do you Configure Burp Suite?


In Burp Suite's proxy settings, set the proxy listener to the loopback IP address 127.0.0.1 and proxy port
8080. Then set the same address and port in the browser's preferences (proxy settings) so that it matches
what was configured in Burp Suite.

38. What are the features of Burp Suite?


Proxy, Intruder, Repeater, Sequencer, Spider, Decoder, Extender, Scanner

39. What is meant by JWT Token and where do we use it?


JWT stands for JSON Web Token. It is used for authorization purposes and is constructed from a header, a
payload and a signature.

40. Tell me some Vulnerability related to JWT Token?

41. What are the components of JWT Token?


JWT is constructed from a header, a payload and a signature.
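The three components are base64url-encoded and joined with dots, and the signature covers the first two. As an added example that is not code from the original document, the following builds an HS256 token with the standard library and verifies one: it requires exactly three parts, accepts only the single algorithm the service issues (the header is untrusted input and must not choose the verification method), compares the signature in constant time, and checks expiry. The key, claims and function names are constructed for the demo.

```python
"""Added example: splitting a JWT into header, payload and signature, and
verifying an HS256 signature with the standard library. Key and claims are
constructed; not code from the original document."""

import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    # JWT strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, key):
    """Build header.payload.signature with HS256 (produces sample tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class InvalidToken(ValueError):
    pass


def verify_jwt(token, key, now=None):
    """Return the claims if the token is authentic and unexpired.

    Order of checks: three components present; header names the one
    algorithm this service issues; signature matches (constant-time
    compare); 'exp' not in the past. Decoding errors of any kind are
    reported as InvalidToken rather than leaking parser exceptions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated components")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise InvalidToken("expired")
    return claims
```

Note that the payload is only decoded after the signature check passes, so nothing in an unsigned payload is ever acted on.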

42. How do you test the login page when there is a Username, Password and SUBMIT
Button and list out all the possible scenarios?
Brute force attack
SQL injection bypass payload as 1’ or ‘1’=’1
Click jacking
User enumeration (to check whether the user is there or not)
2FA (By giving all*** in the place of OTP to bypass 2fa)
(We can change some parameters to disable OTP options)
Captcha (Default captchas or disabling the captcha)
Default usernames and passwords like admin and welcome

43. If there is a functionality of file upload what are the scenarios that we are going to test it?
File Extension (we can extend how much we want)

File Size (no limit)

File path (is visible)

Execution (if we upload files with .html, .php, scripts also accepting and getting executed)

Sensitive details (showing sensitive details like filepath…location)

File content ( by not even checking the file content of file it is accepting to upload)

Eicar (It is a latest version of virus file)

../../ (give like same in the browser and try to upload a file and file path is getting displayed)

Virus files

Change file name while storing in server (this will mitigate the exploitation of files)
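The server-side counterpart of the test list above, as an added example that is not code from the original document: an extension allowlist, a size limit, a content check against the declared type, the client name used for nothing but the extension (so `../../` and double extensions in it have no effect), and the last point, a random server-generated name for storage. The limits, magic-byte table and demo function are constructed.

```python
"""Added example: server-side validation of an upload plus the
"rename while storing" mitigation. Limits and sample files are
constructed; not code from the original document."""

import os
import secrets
import tempfile

ALLOWED = {
    # extension -> bytes the content must start with
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 2 * 1024 * 1024


class RejectedUpload(ValueError):
    pass


def validate_upload(client_name, content):
    """Return the allowed extension, or raise RejectedUpload with the reason.

    The client-supplied name is used for one thing only: choosing the
    expected extension. Directories, '..' and double extensions in it are
    irrelevant because the stored name is generated server-side.
    """
    if len(content) > MAX_BYTES:
        raise RejectedUpload("file too large")
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    if not content.startswith(ALLOWED[ext]):
        raise RejectedUpload("content does not match declared type")
    return ext


def stored_name(ext):
    """Random, non-guessable name: hides the original path and never
    collides with or overwrites another user's file."""
    return secrets.token_hex(16) + ext


def store_upload(client_name, content, upload_dir):
    """Validate, then write under a generated name inside upload_dir."""
    ext = validate_upload(client_name, content)
    name = stored_name(ext)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(content)
    return name


def demo():
    """Store one constructed PNG into a temporary directory and return
    (stored name, size on disk) so the rename step can be observed."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    target = tempfile.mkdtemp(prefix="upload-demo-")
    name = store_upload("../../evil/../avatar.PNG", png, target)
    return name, os.path.getsize(os.path.join(target, name))
```

Serving the stored files from a directory the web server never executes scripts from is the other half of the "execution" test case; the validation above cannot substitute for that.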

44. What is the difference between Encryption, Hashing and Encoding?


Encryption: It is used to protect confidentiality and it is a two-way function. The plain text is
converted into cipher text. Basically there are two types: 1. Asymmetric 2. Symmetric

Hashing: It is used to protect integrity. Whatever the size of the input we give, it will be converted into a
unique hash value, and it is irreversible.

Encoding: It has no keys. Data is converted to other forms. There are techniques like:

URL encoding, HTML encoding, Base64



45. What is the difference between Asymmetric and Symmetric Encryption?


Symmetric: In this process, for the encryption of data we use a secret key (i.e. +1), and for the decryption
of data, to get the original data back, we use another secret key (i.e. -1).
Algorithms: AES-256, DES

Asymmetric: It has two keys for the cryptography: a public key and a private key.

If we use the public key for encryption, then we use the private key for decryption, and vice versa.

Algorithms: RSA, Diffie-Hellman, DSA

46. What is the test methodology that you have follow to do security testing?
Basically the approach varies based on the client requirement: we get requirements to perform only
automated scanning, and we get requirements for both automated scanning and manual pen testing.
When we perform an automated scan, the approach is: we scan the application, providing the username and
password and recording the login sequence, and initiate the scan. Once the report is generated we do
manual verification of the reported vulnerabilities and prepare a consolidated report based on CVSS score.
We refer to OWASP for manual security test cases, and along with the automated scan results we attach
these manual security test results as well.

47. What are the tools you have used for DAST?
Burp Suite, AppScan, Veracode, ZAP, Nikto, Nmap, Nessus, Netsparker

48. What are the tools that you have used for SAST?
Checkmarx, SonarQube, AppScan, Veracode, Fortify, GitLab, Coverity

49. What are the tools that you have used for Network security Assessment?
I have used tools like Nmap, Nessus and Nexpose for network pen testing.

50. Provided the website, what is the methodology for doing the pen testing?
We follow a hybrid model: we scan the application, analyse the results, and then do manual pen
testing. As part of manual pen testing we don't run any automated scans; we check for the OWASP
vulnerabilities, common web vulnerabilities and business logic vulnerabilities, execute all those
scenarios, collect all the proofs of concept, and finally work on the reporting. This is how we
perform manual pen testing, and that is the methodology for a website.

51. Provided one IP address, what is the methodology for doing the pen testing?
For an IP address we do information gathering (reconnaissance), then scanning, then finding
vulnerabilities and exploitation. As part of reconnaissance we try to collect as many details as possible,
like IP addresses, name service, domain name service, subdomains, services that are running on that IP
address, open port numbers and known vulnerabilities; then we check for the vulnerabilities and
the exploitation. Depending upon the service that is running we try to do more enumeration.

52. Tell me what is meant by Threat modelling and list some techniques of threat modelling?
Basically threat modelling is done in the initial stage of the SDLC. We usually do security testing based on
the design documents, requirement documents & architecture. There are lots of techniques like STRIDE,
DREAD, CVSS and PASTA.

I have experience with the STRIDE mechanism: Spoofing, Tampering, Repudiation, Information Disclosure,
DoS and Elevation of privilege. We try to find all the critical assets, check their connections with
respect to the different users, and then draw the diagrams; based on that we try to identify threats.
This is a very important stage because all test strategy should be based on the threat modelling.

53. Tell me SDLC and its phases and security testing activities in those phases?
Requirement gathering & Analysis - Threat modelling
Design
Develop - Secure coding
Testing - Dynamic scan and manual PT
Deployment - Hardening

54. Full form of SAST, DAST, SDLC, CVSS, GDPR, PCIDSS, VAPT?
SAST: Static Application Security Testing

DAST: Dynamic Application Security Testing

SDLC: Software Development Life Cycle

CVSS: Common Vulnerability Scoring System

GDPR: General Data Protection Regulation

VAPT: Vulnerability assessment and Penetration Testing

PCIDSS: Payment Card Industry Data Security Standards

55. Tell me some interesting Vulnerabilities’ that you have found so far?
XSS Vulnerability

Time based SQL Injection Vulnerability

Vulnerability that is being blocked with WAF

CSRF Vulnerability

SSRF Vulnerability

56. What is meant by Zero day attack and list some Zero day attack?
A zero-day is a vulnerability that the developers do not yet know about, so there is no fix for it yet.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT)

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling
application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code
with the privileges of the calling application. The attacker can then install programs; view, change, or
delete data; or create new accounts in the context allowed by the user's rights.

57. Tell me about GDPR?


Stands for General Data Protection Regulation.

It has 7 principles, as follows:

Lawfulness, fairness and transparency

Purpose limitation

Accuracy

Storage limitation

Data minimisation

Integrity & confidentiality

Accountability

It is used to provide a set of standardised data protection laws across all the member countries.

58. Tell me about PCIDSS and some guideline principles of PCIDSS?


PCIDSS stands for Payment Card Industry Data Security Standard. It is a set of security standards
designed to ensure that all companies that accept, process, store or transmit credit card information
maintain a secure environment.

Guidelines or Requirements:

Build and maintain a secure network and system

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Maintain an information security policy



59. Tell me about Log4j Vulnerability?


Log4j is the logging library that many Java applications use to log their activities. The attacker was
trying to make use of a remote code execution that was enabled because of this Log4j vulnerability. It
affects applications built on Java frameworks and related services such as Active Directory.

60. What is the full form of OWASP?


Open Web Application Security Project

61. List all the OWASP Top 10 Vulnerabilities of 2021?


Broken access control

Cryptographic failures

Injection

Insecure design

Security misconfiguration

Vulnerable and outdated components

Identification and authentication failures

Software and data integrity failures

SSRF

62. List all the OWASP Top 10 Vulnerabilities API?


Broken Object Level Authorization

Broken User Authentication

Excessive Data Exposure

Lack of Resources & Rate Limiting

Broken Function Level Authorization

Mass Assignment

Security Misconfiguration

Injection

Improper Assets Management



Insufficient Logging & Monitoring

63. What are the tools you have worked on Mobile security?

64. How do you test API, what are the tools you have used for API?
For testing APIs, first we need to construct the request. To construct the request we need the request
details: the API request details, the endpoint URL and the request method type. If these are not available,
we can get either the entire JSON collection or the Swagger URL. Once the request details are framed we can
perform the pen testing: we configure the proxy in the API tool (like Postman), send the request through
Burp Suite, and then try all the scenarios with different payloads and positions.

65. What is the latest TLS?


1.3, but 1.2 is still widely used.

66. What is the purpose of NMAP?


It can be used for port scanning in the scanning phase of pen testing

67. What is the Difference between Authentication and Authorization?


Authentication is used for checking the user identity and credentials for the user to access the
application.

Authorization comes up after the authentication process and it is used for checking the access or the
permissions across different pages or resources.

68. What’s the difference between HTTP and HTTPS?

HTTP URL in your browser's address bar is http:// and the HTTPS URL is https://.

HTTP is unsecured while HTTPS is secured.

HTTP sends data over port 80 while HTTPS uses port 443.

HTTP operates at application layer, while HTTPS operates at transport layer.

No SSL certificates are required for HTTP, with HTTPS it is required that you have an SSL
certificate and it is signed by a CA.

HTTP doesn't require domain validation, where as HTTPS requires at least domain validation
and certain certificates even require legal document validation.

No encryption in HTTP, with HTTPS the data is encrypted before sending.



69. What’s the protocol responsible for secure communication?


HTTPS internally uses SSL/TLS for communication.
The Secure Sockets Layer (SSL) is a cryptographic protocol designed to secure
communications over TCP/IP networks. SSL was developed by Netscape during the early .

70. What’s the purpose of digital Certificates?


If we want to host an HTTPS website we need the digital certificate. Digital Certificate is used
to encrypt online data/information communications between an end-users browser and a website.
After verifying that a company owns a website, certificate authority will sign their certificate so
it is trusted by internet browsers.

71. Can you name 2 or 3 Digital Certificate providers (CA)?


Amazon, DigiCert, GoDaddy, Comodo, RapidSSLonline.

72. Assume a user is trying to launch a secure banking website and then sending feedback.
Will that be symmetric or asymmetric or both encryption mechanisms?

Both. The SSL handshake happens here, a 4-step process (asymmetric encryption).

Sending the feedback uses symmetric encryption.

73. What is the SSL Handshake?


An SSL/TLS handshake is a negotiation between two parties on a network – such as a browser
and web server – to establish the details of their connection.

Phase 1:

Client hello: the client sends its SSL details.

Server hello: the server sends its certificate and public key.

The client validates the certificate, installs it, and sends a "session key" (encrypted with the server's
public key).

The server decrypts the session key with its private key.

Phase 2:

Any further communication happens through the symmetric process.

Client hello: The client sends a client hello message with the protocol version, the client random, and a
list of cipher suites.

Server hello: The server replies with its SSL certificate, its selected cipher suite, and the server random.
In contrast to the RSA handshake described above, in this message the server also includes the following
(step 3):

Server's digital signature: The server uses its private key to encrypt the client random, the server
random, and its DH parameter*. This encrypted data functions as the server's digital signature,
establishing that the server has the private key that matches with the public key from the SSL certificate.

Digital signature confirmed: The client decrypts the server's digital signature with the public key,
verifying that the server controls the private key and is who it says it is.

Client DH parameter: The client sends its DH parameter to the server.

Client and server calculate the premaster secret: Instead of the client generating the premaster secret
and sending it to the server, as in an RSA handshake, the client and server use the DH parameters they
exchanged to calculate a matching premaster secret separately.

Session keys created: Now, the client and server calculate session keys from the premaster secret, client
random, and server random, just like in an RSA handshake.
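The DH exchange described above, carried through on both sides as an added example that is not code from the original document: each party sends its random and its DH public value, each computes the premaster secret independently from the other's public value and its own private exponent, and both derive session keys from premaster + client random + server random. The group (a 127-bit Mersenne prime, far too small for real use) and the HMAC-SHA256 key derivation are constructed for readability; the server's certificate signature over the parameters needs an asymmetric library and is omitted.

```python
"""Added example: the Diffie-Hellman half of the TLS handshake, run by both
parties so the premaster secret matches and session keys derive from
(premaster, client random, server random). Toy group; the certificate
signature step is omitted. Not code from the original document."""

import hashlib
import hmac
import secrets

# Toy DH group (assumption for the demo; real TLS uses 2048-bit+ MODP
# groups or elliptic curves).
P = 2**127 - 1
G = 5


class Party:
    """One side of the handshake; holds only what that side knows."""

    def __init__(self, name):
        self.name = name
        self.random = secrets.token_bytes(32)      # client/server random
        self._priv = secrets.randbelow(P - 2) + 1  # private DH exponent, never sent
        self.dh_public = pow(G, self._priv, P)     # the "DH parameter" sent on the wire
        self.keys = None

    def derive_keys(self, peer_public, client_random, server_random):
        """Compute the premaster secret and expand it into session keys."""
        # Premaster secret: computed independently on both sides from the
        # peer's public value and our own private exponent.
        premaster = pow(peer_public, self._priv, P).to_bytes(16, "big")
        # Master secret and key block: a PRF over premaster + both randoms
        # (HMAC-SHA256 stands in for the TLS PRF here).
        master = hmac.new(premaster, b"master secret" + client_random + server_random,
                          hashlib.sha256).digest()
        block = hmac.new(master, b"key expansion" + server_random + client_random,
                         hashlib.sha256).digest()
        self.keys = {"client_write": block[:16], "server_write": block[16:32]}
        return self.keys


def handshake():
    """Run the exchange and return (client_keys, server_keys).

    Messages, in order:
      ClientHello:       client.random                 -> server
      ServerHello:       server.random, server.dh_public -> client
      ClientKeyExchange: client.dh_public              -> server
    Nothing secret crosses the wire; only public values and randoms.
    """
    client, server = Party("client"), Party("server")
    client_keys = client.derive_keys(server.dh_public, client.random, server.random)
    server_keys = server.derive_keys(client.dh_public, client.random, server.random)
    return client_keys, server_keys
```

Because the randoms enter the derivation, two handshakes with the same private exponents would still produce different session keys, which is what gives each connection its own keys.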

74. What are the 3 steps that are invoked in 3 way tcp-ip handshake?

SYN, SYN+ACK, ACK

75. What is the default port for RDP?


3389

76. What is the default port for SMTP?


25

77. What's purpose of SMTP server? For E-mail purpose?


An SMTP (Simple Mail Transfer Protocol) server is an application whose primary purpose is to send,
receive, and/or relay outgoing mail between email senders and receivers.

78. What is the default port for DNS?


53

79. What's the purpose of a DNS server?

Resolving names to IP addresses; we call it reverse DNS.

The Domain Name System (DNS) is the phonebook of the Internet. Humans access information
online through domain names, like nytimes.com or espn.com. Web browsers interact through
Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can
load Internet resources.
Each device connected to the Internet has a unique IP address which other machines use to find
the device. DNS servers eliminate the need for humans to memorize IP addresses such as
192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as
2400:cb00:2048:1::c629:d7a2 (in IPv6).

80. What is the default port for web proxy?


8080
Under Proxy server, click to select the Use a proxy server for your LAN check box. In the
Address box, type the IP address of the proxy server. In the Port box, type the port number that is
used by the proxy server for client connections (by default, 8080).

81. What is Threat Modelling? List 2 or 3 techniques for Threat Modelling?


To identify all possible threats in an application by using some of the techniques.

STRIDE

DREAD

OCTAVE

P.A.S.T.A.

82. What is the difference between STRIDE and DREAD?

STRIDE is used to check for possible threats.

DREAD is used to give a severity rating to threats.

83. What's the full form of STRIDE?


Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege

84. What's the full form of DREAD?


Damage, Reproduce, Easy to exploit, Affected users, Discover

85. What’s the purpose of CVSS?


The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal
characteristics of vulnerability and produce a numerical score reflecting its severity.

86. What’s the range of CVSS?


0 TO 10

87. What is the severity of the vulnerability/defect for the CVSS score 9.5?
Critical

88. What is the severity of the vulnerability/defect for the CVSS score 2.0?
Low

89. What are the severity ratings for the vulnerabilities under CVSS?
0.0-3.9 is considered "Low"; 4.0-6.9 is "Medium"; 7.0-8.9 is "High"; 9.0-10.0 is
"Critical" severity.

90. Give one example for critical severity?


For Example, In the email service provider like Yahoo or Gmail, after typing the correct
username and the password, instead of logging in, the system crashes or throws the error
message, this defect is classified as critical as this defect makes the whole application unusable.

91. Explain about Security Misconfiguration?

We need to set some headers like:

X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
X-XSS-Protection

We need to set:
X-Frame-Options to DENY or SAMEORIGIN
Strict-Transport-Security to a max-age of 2 years
X-Content-Type-Options to nosniff
X-XSS-Protection to 1
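A check for the four headers above (and the X-Frame-Options mitigation from question 31), as an added example that is not code from the original document: `audit_headers` reports which of the required values a response is missing, and `harden` returns the header set with the values the answer calls for. The sample header maps and the two-year constant are constructed for the demo; header names are compared case-insensitively as HTTP requires.

```python
"""Added example: auditing a response's security headers against the
values the answer above calls for, and producing the hardened set.
Sample headers are constructed; not code from the original document."""

TWO_YEARS = 63072000  # seconds; the "max value of 2 years" for HSTS

HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": f"max-age={TWO_YEARS}; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def _hsts_max_age(value):
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def audit_headers(headers):
    """Return a list of findings (empty list = passes) for a header map."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    if _hsts_max_age(lower.get("strict-transport-security", "")) < TWO_YEARS:
        findings.append("Strict-Transport-Security missing or max-age below 2 years")

    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if not lower.get("x-xss-protection", "").strip().startswith("1"):
        findings.append("X-XSS-Protection is not set to 1")

    return findings


def harden(headers):
    """Return a copy of the headers with the hardened values applied,
    replacing any existing value of the four headers whatever its case."""
    managed = {h.lower() for h in HARDENED_HEADERS}
    fixed = {k: v for k, v in headers.items() if k.lower() not in managed}
    fixed.update(HARDENED_HEADERS)
    return fixed


# Constructed sample: a weak response as a scanner might see it.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
}
```

Running `audit_headers` against each response of a crawl is the mechanical part of the "security misconfiguration" check; the value thresholds are the ones stated in the answer.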

92. What's a DOS attack?


A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making
it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with
traffic, or sending it information that triggers a crash.

93. DDOS stands for?


Distributed Denial-of-Service (DDoS) attack

94. What is the DDOS attack?


A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic
of a targeted server, service or network by overwhelming the target or its surrounding
infrastructure with a flood of Internet traffic.
Once one system is compromised it acts as a bot; using this bot many more systems are compromised,
called zombies, and with these zombies a large amount of traffic is generated.

95. What are the steps involved in 3 way TCP-IP handshake?


SYN: The active open is performed by the client sending a SYN to the server.

SYN-ACK: In response, the server replies with a SYN-ACK.

ACK: Finally, the client sends an ACK back to the server.

96. What's the difference between TCP connect scan (Full duplex) and Stealth scan (Half
duplex)?
A TCP Connect scan establishes a full connection with the target, but a SYN scan completes only half
of the connection with the target.
For full duplex -> SYN, SYN+ACK, ACK
For half duplex -> SYN, SYN+ACK, RST

97. Identity of the attacker is hidden during Full duplex scan or Half duplex scan?
Half duplex scan

98. What’s are the arguments to be used for Null scan and Finish scan in nmap?
Null scan (-sN)

Does not set any bits (TCP flag header is 0)


FIN scan (-sF)

Sets just the TCP FIN bit.

99. What’s are the arguments to be used for Version scan in nmap?

-sV

100. Name all the TCP flags in a TCP packet?


1st flag - URG (Urgent Pointer)

2nd flag - ACK (Acknowledgement), used to acknowledge the successful receipt of packets

3rd flag - PSH (Push)

4th flag - RST (Reset)

5th flag - SYN (Synchronisation)

6th flag - FIN (Finish)
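The six flags, the three handshake steps (question 95), the full/half-open scan difference (question 96) and the NULL and FIN probes (question 98) can all be read from one byte of the TCP header. As an added example that is not code from the original document, the following builds 20-byte TCP headers with struct, decodes the flag byte back into names, and classifies the segment the way a scan or handshake monitor would. Port numbers and the classification labels are constructed for the demo.

```python
"""Added example: decoding the flag bits of a raw TCP header and naming
the segment they represent (handshake SYN, SYN-ACK, NULL probe, FIN probe).
Sample headers are constructed with struct; not code from the original
document."""

import struct

# Bit values in the 14th byte (index 13) of the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a 20-byte TCP header (no options) with the given flag names.

    Checksum and urgent pointer are left at zero: constructed sample only,
    never meant to be put on a wire.
    """
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length of 5 x 32-bit words in the high nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flag_byte, window, 0, 0)


def parse_tcp_flags(header):
    """Return the set of flag names set in a TCP header of at least 20 bytes."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = header[13]
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify(flags):
    """Name the segment the way a scan/handshake monitor would."""
    if not flags:
        return "NULL scan probe (no flags set)"
    if flags == {"FIN"}:
        return "FIN scan probe"
    if flags == {"SYN"}:
        return "handshake step 1: SYN"
    if flags == {"SYN", "ACK"}:
        return "handshake step 2: SYN-ACK"
    if flags in ({"RST"}, {"RST", "ACK"}):
        return "connection reset (half-open scan tear-down or refused port)"
    if "FIN" in flags:
        return "orderly close"
    return "data/ack segment"


def describe(header):
    """Convenience: flags and classification for one raw header."""
    flags = parse_tcp_flags(header)
    return sorted(flags), classify(flags)
```

The same decode applies to the ports and sequence numbers in the first twelve bytes; a NULL or FIN probe is notable precisely because a legitimate segment on an established connection always carries at least ACK.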

100. What’s the difference between RST and FIN?


FIN says no more data from the sender. An RST says reset the connection. It must be sent
whenever a segment arrives which apparently is not intended for the current connection.

101. What’s the difference between PSH and URG?


Ex: like a share auto, we use the PSH flag because otherwise we would have to wait till all the packets are
full; like a personal hire, there is no need to wait to fill all the packets, so we use the URG flag.
When the URG bit is set, the Urgent Pointer is also set (in the TCP header Options field: 16 bit).
The purpose of the PSH bit is to tell TCP not to wait for the buffer to become full and to
send the data immediately.

102. What are the 3 principles of Information Security?


The fundamental principles of information security are confidentiality, integrity, and availability.

103. What is the Threat that gets triggers by Lack of availability?


DoS (denial of service) & DDoS (distributed denial of service) attacks

104. What is full form of DDOS and how do you test DDOS?
A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted
system. It is tested by using the hping3 tool.

105. Do you design application to protect from DOS or DDOS?

Buy more bandwidth.

Build redundancy into your infrastructure.

Configure your network hardware against DDoS attacks.

Deploy anti-DDoS hardware and software modules.

Deploy a DDoS protection appliance.

Protect your DNS servers.

106. How do you test Session management?


Try to log in as different users in different browsers, like admin & non-admin; try to
capture the admin session id, paste it into the non-admin session, and we see the session as admin.

107. How do you design application to protect from Session Hijacking Attacks?
Session configuration: the session id should be long & unique.
Implement proper timeouts / expiration for cookies.
Set the Secure flag for the cookie, so it is sent only over HTTPS.
Set the HttpOnly flag for the cookie, so the cookie is accessible only over HTTP and not to client-side script.
Set the HSTS header, to avoid the application being forcibly launched over HTTP.
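The five points above in code, as an added example that is not part of the original document: a session id of 32 random bytes from the OS CSPRNG, a sliding inactivity timeout, and a Set-Cookie value carrying Max-Age, Secure, HttpOnly and SameSite, paired with the HSTS header value. The in-memory SessionStore, the 15-minute TTL and the cookie name are constructed stand-ins for a real session backend.

```python
"""Added example: issuing a session identifier that is long, unpredictable
and bound to an expiry, and sending it with the Secure, HttpOnly and
SameSite attributes. In-memory store as a stand-in; not code from the
original document."""

import secrets
import time

SESSION_TTL = 15 * 60  # seconds of inactivity before the session expires


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user_id, now=None):
        """256 bits of randomness from the OS CSPRNG; never derived from the user."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session, or None; expired ids are purged."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < now:
            del self._sessions[sid]
            return None
        entry["expires"] = now + SESSION_TTL  # sliding expiry on activity
        return entry["user"]

    def destroy(self, sid):
        """Logout: the id becomes unusable even if an attacker captured it."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie value with every hardening attribute from the answer above.

    Secure: only sent over HTTPS. HttpOnly: not readable by script.
    SameSite=Lax: not attached to cross-site POSTs. Max-Age: expires
    client-side in step with the server-side timeout.
    """
    return (
        f"session={sid}; Max-Age={SESSION_TTL}; Path=/; "
        "Secure; HttpOnly; SameSite=Lax"
    )


def hsts_header():
    """Strict-Transport-Security value to pair with the cookie so the browser
    never attempts the site over plain HTTP."""
    return "max-age=63072000; includeSubDomains"
```

The session-fixation case from question 119 is covered by the same store: a new id is issued by `create` at login, never accepted from the client.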

108. How do you test Brute Force Attack for a Login page?
By using the Burp Suite tool: for the login id use some kind of default passwords; for both user id and
password we use the cluster bomb method; if there is any deviation from the expected output we confirm it
by the response (parameter) length.

109. How do you design application to protect from Brute Force Attacks?
Use Strong Passwords
Restrict Access to Authentication URLs
Limit Login Attempts

Use CAPTCHAs

Use Two-Factor Authentication (2FA)

110. How do you implement login feature of a website for better security?
HTTPS should be used for the website
Input filtering for the username, like string@string
Username case sensitivity
Password strength should be a minimum of 8 chars & case sensitive
Multifactor authentication required, like OTP, 2-step verification, fingerprint, secret code, captcha, etc.
Don't display generic errors for login failure
Storage of passwords should be hashing + salt
Password history: minimum 3 months
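The "hashing + salt" storage point above and the "limit login attempts" point from question 109, as one added example that is not code from the original document: passwords are stored as a per-user random salt plus PBKDF2-HMAC-SHA256, compared in constant time, and each account is locked for a window after too many failures. The LoginService class, the iteration count, the attempt limit and the uniform failure message are constructed for the demo.

```python
"""Added example: salted PBKDF2 password storage together with per-account
attempt limiting, as a minimal login service. User store and limits are
constructed; not code from the original document."""

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # constructed demo value; tune upward for production
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
FAILURE_MESSAGE = "invalid username or password"  # one message for every failure path


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt per user means two users
    with the same password store different digests."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self):
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> (count, time of first failure)

    def register(self, username, password):
        if len(password) < 8:
            raise ValueError("password must be at least 8 characters")
        self._users[username] = hash_password(password)

    def _locked(self, username, now):
        count, since = self._failures.get(username, (0, now))
        if count >= MAX_ATTEMPTS and now - since < LOCKOUT_SECONDS:
            return True
        if now - since >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)  # window elapsed, start afresh
        return False

    def _record_failure(self, username, now):
        count, since = self._failures.get(username, (0, now))
        self._failures[username] = (count + 1, since)

    def login(self, username, password, now):
        """Return (ok, message). `now` is injected so lockouts are testable."""
        if self._locked(username, now):
            return False, FAILURE_MESSAGE
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a
            # wrong password (the user-enumeration case from question 42).
            hash_password(password, b"\x00" * 16)
            self._record_failure(username, now)
            return False, FAILURE_MESSAGE
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(actual, expected):
            self._record_failure(username, now)
            return False, FAILURE_MESSAGE
        self._failures.pop(username, None)
        return True, "ok"
```

Counting failures per account (rather than per source IP only) is what makes the Burp cluster-bomb run from question 108 stall after MAX_ATTEMPTS regardless of how many addresses it comes from.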

111. What’s the importance of HSTS?


HTTP Strict Transport Security (HSTS) is a method for web applications to ensure they only use TLS to
support secure transport. It protects users against passive eavesdropper and active man-in-the-middle
(MITM) attacks.

112. Difference between Open, Closed and Filtered?


Open: the port is open, services are accessible.
Closed: the port is open, services are not accessible.
Filtered: we don't know whether services exist behind the port or not, because we are unable to see whether
the port is open or not.

113. Test Strategy?


A test strategy is an outline that describes the testing approach of the software development
cycle. The purpose of a test strategy is to provide a rational deduction from organizational, high-
level objectives to actual test activities to meet those objectives from a quality assurance
perspective.

114. CVSS Scoring?


The Common Vulnerability Scoring System is a free and open industry standard for assessing the
severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to
vulnerabilities, allowing responders to prioritize responses and resources according to threat.

115. False Positive means?


A false positive is an error in binary classification in which a test result incorrectly indicates the
presence of a condition such as a disease when the disease is not present, while a false
negative is the opposite error where the test result incorrectly fails to indicate the presence of a
condition when it is .

116. Data vs Info?


Data is a collection of facts. Information is how you understand those facts in context. Data is
unorganized, while information is structured or organized.

117. Meanings of Vulnerability, exploit, Payload, Threat ?


Vulnerability: a weakness, loophole or gap in a security system (software program, device, or network)
that can be used by the hacker for malicious activities.
Exploit: the sequence of steps performed by the hacker to achieve the goal of hacking, like remote access or
making the server go down, etc.
Payload: some piece of malicious code.
Threat: anything that could cause potential damage to our assets, either intentionally or unintentionally.

118. TLS communication works?


TLS uses a combination of symmetric and asymmetric cryptography, as this provides a good
compromise between performance and security when transmitting data securely. The session
key is then used for encrypting the data transmitted by one party, and for decrypting the data
received at the other end.

119. Session Hijacking -- Types


There are two types of session hijacking, depending on how they are done. If the attacker directly
gets involved with the target, it is called active hijacking, and if an attacker just passively
monitors the traffic, it is passive hijacking.
Examples: MIMA (man-in-the-middle attack), MIBA (man-in-the-browser attack), session fixation.

120. How does the Firewall work?

Firewalls are software or hardware that work as a filtration system for the data attempting to
enter your computer or network. Firewalls scan packets for malicious code or attack vectors that
have already been identified as established threats.

121. How does an IDS work?

Intrusion detection systems are used to detect anomalies with the aim of catching hackers before
they do real damage to a network. They can be either network- or host-based. ... Intrusion
detection systems work by either looking for signatures of known attacks or deviations from
normal activity.

122. What’s the difference between IDS and IPS?

The primary difference between the two is that one monitors while the other
controls. IDS systems don't actually change the packets. They just scan the packets and check
them against a database of known threats. IPS systems, however, prevent the delivery of the
packet into the network.
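To make the two ideas in questions 121 and 122 concrete, here is an added Python example (not from the original material) that runs both detection styles an IDS uses, signatures of known attacks and deviations from normal activity, over a few constructed web-server log lines, and then shows the IDS/IPS difference: one function only reports, the other drops the matching lines before delivery.

```python
import re
from collections import Counter

# Constructed web-server log lines (source IP, method, path, status); not from any real system.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.9 GET /search?q=' OR 1=1-- 200",          # matches a known SQL injection signature
    "10.0.0.7 GET /files?name=../../etc/passwd 403",   # matches a path traversal signature
] + ["10.0.0.42 GET /login 401"] * 12                  # burst of failed logins from one source

# Signature detection: patterns for attacks that have already been identified.
SIGNATURES = {
    "sqli": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines):
    """Return (signature name, line) for every line matching a known pattern."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def anomaly_alerts(lines, baseline_per_source=5):
    """Anomaly detection: flag a source sending far more requests than the normal baseline."""
    counts = Counter(line.split()[0] for line in lines)
    return [("rate_anomaly", src) for src, n in counts.items() if n > baseline_per_source]

def ids(lines):
    """IDS mode: traffic is left untouched; the only output is a list of alerts."""
    return signature_alerts(lines) + anomaly_alerts(lines)

def ips(lines):
    """IPS mode: lines matching a signature are dropped, so they never reach the network."""
    return [line for line in lines
            if not any(pat.search(line) for pat in SIGNATURES.values())]

if __name__ == "__main__":
    for alert in ids(SAMPLE_LOG):
        print("ALERT", alert)
    print(len(SAMPLE_LOG) - len(ips(SAMPLE_LOG)), "lines blocked by IPS")
```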

123. Name 1 or 2 examples of Firewalls?


ZoneAlarm Free Firewall 2017
Tinywall
Anti NetCut3
Comodo Free Firewall
PeerBlock
Little Snitch [Mac]
Private Eye [Mac]

124. Name 1 or 2 examples of IPS /IDS?


SolarWinds Security Event Manager (FREE TRIAL)
SNORT
Security Onion
Bro Network Security Monitor
WinPatrol
Osquery

125. Name 1 or 2 examples of AV or Anti Malware?


Examples include Avast Free Anti-Malware, AVG Free Malware Removal Tools, and Avira
AntiVir Removal Tool.

126. What’s meant by Virus?

A computer virus is a type of computer program that, when executed, replicates itself by
modifying other computer programs and inserting its own code. When this replication succeeds,
the affected areas are then said to be "infected" with a computer virus.

127. What’s meant by Trojan?

A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can
take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general
inflict some other harmful action on your data or network. ... Once installed, a Trojan can
perform the action it was designed for.

128. What’s meant by Rootkit?

Rootkits are a type of malware that are designed so that they can remain hidden on your
computer. But while you might not notice them, they are active. Rootkits give cybercriminals
the ability to remotely control your computer.

129. How do you perform penetration testing in production without any tools?

Some checks, like social engineering, can only be done by humans. Manual checking includes design, business
logic as well as code verification.

It is done in two ways: black box testing and white box testing.

In black box testing we go through information gathering, scanning and gaining access to find
vulnerabilities.

In white box testing there are more chances of finding vulnerabilities.


Test users for the web application
Try to see all data flows, incoming and outgoing
Which 3rd party applications are consuming data
Risk analysis: for rating the threats
Remediation: problem-solving methods
Mitigation: trying to reduce the risk through some mechanisms.

130. What’s the difference between Pre-Prod and Live?

Staging is used to test out newer versions of software before they are moved live into
production. Staging is a pre-production environment for final testing immediately prior to
deploying to production.

131. What’s the difference between Blue Team and Red-Team?

Red teams are focused on penetration testing of different systems and their levels of security
programs. They are there to detect, prevent and eliminate vulnerabilities.

A blue team is similar to a red team in that it also assesses network security and identifies any
possible vulnerabilities.

132. What’s the difference between Black box Testing and White box testing?

Black Box Testing is a software testing method in which the internal structure/ design/
implementation of the item being tested is not known to the tester.

White Box Testing is a software testing method in which the internal structure/ design/
implementation of the item being tested is known to the tester.

133. What’s the difference between Black box Testing, White box testing and Grey box
testing?

Grey box testing is a combination of both white box testing and black box testing.

Black Box Testing is also known as functional testing, data-driven testing, and closed box
testing. White Box Testing is also known as structural testing, clear box testing, code-
based testing, and transparent testing. Grey Box Testing is also known as translucent testing, as
the tester has limited knowledge of the code.

134. What’s the difference between Black Hats, White Hats and Grey Hats?

Black hat hackers are criminals eager to hack into apps and steal information. White hat hackers are
researchers and security experts who use their security expertise to protect people and systems.
Gray hat hackers occupy a more complex middle ground.

135. What’s the difference between SAST and DAST?

Static application security testing (SAST) is a white box method of testing. ... Dynamic
application security testing (DAST) is a black box testing method that examines an application
as it's running to find vulnerabilities that an attacker could exploit.