web123456

Share experience in penetration test interview this summer


Interview position: penetration testing

Let me briefly describe this position. Penetration roles are now split quite finely. At a vendor like Shenxinfu (Sangfor) there is generally a regular penetration track, which does penetration work (of websites) in various provincial capital cities, and a separate track called the red team, which at Shenxinfu should sit in their Deep Blue Lab. The requirements for this kind of red team are comparatively high: they generally need to know initial access, code auditing, intranet penetration and so on. Penetration test positions for fresh graduates, however, are not that demanding; the questions are more about the principles of some vulnerabilities, the use of tools, and what cases or experiments you have done. So as long as your fundamentals (vulnerability principles and other basic knowledge) are solid and you have worked through some practice ranges, it is generally not a big problem.

Second-round technical questions

1. Question: Please introduce yourself.

Answer: I don't need to write anything about this; it's just the things you have done related to network security. I believe friends who like network security have more to say than they can finish. I talked for about 3 minutes; you can manage the time yourselves.

2. What is the principle of a deserialization vulnerability, and how is it exploited?

Answer: By coincidence I had just looked at deserialization the day before, and had also reviewed the pronunciation of serialize and unserialize. I explained the deserialization material taught in the course, from object serialization to deserialization of the string format, and then the practice range... Of course I called the practice range "a certain site". Then I said "unserialize" in English and the interviewer was a little stunned, but finally said he understood. He then asked whether I had researched WebLogic deserialization. I could only say not yet, but that it was scheduled: I would work on that part the following week. I did say that fixing WebLogic deserialization is quite something, since from an operations and maintenance perspective each version's deserialization has to be patched separately. The question didn't go deeper than that.

3. How do you view web front-end security? Briefly describe the risks of front-end security, with specific examples.

Answer: The web front end as I understand it means the client side, i.e. the browser side. Front-end security is a large branch covering cookie security, Flash security, DOM rendering (DOM-based XSS), character sets, cross-site issues (CSRF), phishing, trust and so on. For cookie security, if cookies are trusted too much and nothing else is checked, CSRF can result. Character sets can lead to wide-byte problems, for example when escaping special characters.

On trust: security offence and defence are fundamentally about trust. Take the same-origin policy; real-world exploitation includes: 1. Site A is well protected, but site B on the same server and file system is compromised because of its own security problems. If file permissions are not configured properly, site A gets taken down too, because A and B trust each other too much and are not isolated. 2. Site A references a JavaScript file from site B with a <script> tag, which in effect establishes a trust relationship; if that script is tampered with by an attacker, site A is endangered as well. I also think social engineering deserves a mention: through Google hacking, vertical search of SNS (Renren, Facebook, etc.) and all sorts of other information-gathering methods, offence and defence become a battle of wits, and in a successful intrusion social engineering may play a very important role.

In summary, it mainly comes down to three categories: XSS, CSRF and UI hijacking.

XSS: nowadays XSS is often regarded as a vulnerability that does little harm; most SRCs (security response centers) no longer accept reflected XSS (it is hard to exploit, and the Chrome browser will block it anyway). But when talking about front-end security, XSS is still a big issue. On a site that is not updated for half a year, the chance of stealing an administrator cookie is of course very low, so I singled out XSS because it has to be combined with the right scenario. When HTML and JS are used in a non-standard way (HTML is fault-tolerant: a forgotten tag or symbol still runs normally), or input is not filtered properly, XSS can result; for example a message-board page where submitted JS code is neither filtered nor escaped, so the submission succeeds and the payload is stored in the database.

CSRF: a cross-site request that is forged. User A is logged in to site A and at the same time visits malicious site B; site B contains code that sends a request to site A, so user A performs an operation on site A without knowing it. On the defensive side:

1. Verify the Referer. 2. Use a captcha. 3. Add a token. 4. Limit the session lifetime. The drawbacks are obvious too. Some requests carry no Referer, so there is nothing to verify. Captchas hurt the user experience. If the token is not random enough it can be guessed, or the token itself may leak in some way; in addition, a large service needs a dedicated server for token generation and verification, every form needs the field added, and the time and complexity involved are real issues. Limiting the session lifetime is only a mitigation and cannot really solve CSRF. Someone well known proposed another method whose principle is similar to a token: when a form is submitted, use JavaScript to add a temporary cookie for this domain, with an expiry one second in the future, before submitting. The server checks that this field is present and lets the request through; if it is absent, the request is treated as a CSRF attack.
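As an added example (not code from the original post), here is server-side validation that combines two of the defences listed above, Referer checking and a CSPRNG-generated token bound to a cookie, with the "no Referer" case handled by falling back on the token; the site origin and the cookie/form field names are assumptions.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for this example: the site's own origin and the cookie/form field names are made up.
SITE_ORIGIN = "https://a.example"
TOKEN_COOKIE = "csrf_token"
TOKEN_FIELD = "csrf_token"


def issue_token() -> str:
    """Mint a token from a CSPRNG so it cannot be guessed (the weak-randomness pitfall above)."""
    return secrets.token_urlsafe(32)


def referer_allowed(headers: dict) -> Optional[bool]:
    """True/False when Origin or Referer is present and does/doesn't match our origin;
    None when neither header was sent, the "no referer" case the text warns about."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return None
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def validate_csrf(headers: dict, form: dict) -> bool:
    """Accept a state-changing request only if:
    1. any Origin/Referer that is present points at our own site (a missing header is
       not rejected on its own, because some clients legitimately omit it), and
    2. the token in the form matches the token cookie bound to this browser, compared
       in constant time so the comparison itself leaks nothing."""
    if referer_allowed(headers) is False:
        return False
    cookie_token = parse_cookies(headers.get("Cookie", "")).get(TOKEN_COOKIE)
    form_token = form.get(TOKEN_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)
```

The token cookie must be set by the server on login (not readable by other origins), and a request from a foreign origin fails either the Referer check or the token match.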

UI hijacking: clickjacking, drag-and-drop hijacking and touch-screen hijacking. Clickjacking basically covers a visible, usable interface with an invisible layer: an iframe with opacity 0 is placed over some control. There are plenty of examples... on many unmentionable websites, clicking a button or option redirects you to another site... a very nasty trick. Touch-screen hijacking is just as bad: imagine a user wants to check how far a supermarket is from him, taps "search", and actually performs an online banking transaction... The general theory of web page design on mobile devices is similar to that on PC; he also talked about some unmentionable websites where, while browsing, the user doesn't reach the page he intended but gets a pop-up or is redirected straight to another site.

4. List some common penetration testing tools, and briefly describe their application scenarios and use cases.

Answer:

Burp Suite: captures and modifies packets at the request level; front-end parameters can then be tested further, e.g. for logic vulnerabilities, brute-forcing weak passwords, discovering page parameters and so on.

sqlmap: detects and exploits SQL injection against back-end relational databases and can also reach the file system. Use --file-read "" to read files from the target directory, --os-cmd to execute operating system commands, and --os-shell for an interactive OS shell, which is very powerful. Its rich set of tamper scripts also helps a lot with bypassing some WAFs, though in most cases you still have to work out the WAF rules by hand.

Yujian: an excellent target (directory) scanning tool. In one real engagement I obtained the target's database file through a Yujian scan and saw the database IP, port, account and password; after connecting directly to the database, everything I wanted was right there.

Mimikatz: dumps the plaintext passwords of all users on the current system; may be used during privilege escalation.

OWASP ZAP/AWVS: vulnerability scanners. Personally I don't like using vulnerability scanners. Running one directly without understanding the target's situation may get your IP banned. I have taken part in some crowdsourced testing projects where many white hats scanned the targets like crazy, disrupting the targets' normal access, and the organisers were somewhat disgusted by that. That said, a scanner does help you understand the target to some extent (paths, possible vulnerabilities, etc.) so that certain points are not missed.

Nmap/masscan: scanning of open services on the target, port scanning, operating system identification; part of information gathering. -p specifies ports, -sV identifies service versions, -O identifies the operating system, -sS is a SYN (stealth) scan that does not complete the three-way handshake, -sT is a full TCP connect scan (more accurate information), and for hosts that block ping you can use -Pn, and so on. Nmap's powerful scripts also offer various capabilities, such as the dos category (may cause denial of service) and exploit (probes security vulnerabilities). By comparison masscan is faster and (in my opinion) gives better results, so the two can be used together: masscan quickly finds open ports, and Nmap identifies the services on those ports.

5. How to get a shell via SQL injection?

Answer: for example MySQL's select into dumpfile, or SQL Server's xp_cmdshell, etc. The interviewer did not go deeper on this, but it is a direction I can look into after the interview.

Third round / HR round

The third round was relaxed: we talked about life, plans and so on...

Feelings of interview

Overall, most of the interviewers were technically strong and I learned a lot during the interviews. One interviewer really frustrated me, though: he couldn't understand what I said, and the questions he asked were baffling.

Suggestions for everyone

The main suggestions are as follows:

1. Don't panic and be confident. I put this first because it is the most important thing. The difference between my first interview and my last was enormous; the first time I was like a complete fool.

2. An interview is two-way: while the company is choosing you, you are also choosing the company. Fewer tricks, more sincerity.

3. You can put things you don't fully know on your resume, provided that before the interview you understand everything you wrote, or can at least talk about it.

4. Gather information on the company you are going to interview with: what they mainly do and what their security needs are; find out everything you can think of.

5. The course's practice ranges and lessons must be understood properly; don't cut corners.

6. When the interviewer asks "do you have any questions for me", don't try to be clever.
