Topics you should know to get a Pentester’s job (Pentester)

Mihir Walia
SecOnset


Hey guys! This is an informative blog about topics you must know before your interview. If you learn anything new, please share it with your friends. This part focuses on pentesting-based questions.

Pentest based questions :-

SOP :-

Same Origin Policy is a web browser security mechanism that aims to prevent websites from attacking each other. SOP restricts scripts loaded from one origin from reading data that belongs to another origin. An origin is the combination of URI scheme, domain (host) and port number; the path is not part of it.

For Example —

http://website.com/example/example.html

This uses the scheme http, the domain website.com and the port number 80 (the default for http, so it is implicit in the URL). The following shows how the SOP is applied if content in the above URL tries to access other origins :-

http://website.com/example/

Yes. Same scheme, domain and port.

http://website.com/other/

Yes. Same scheme, domain and port; the path is not part of the origin.

https://website.com/example/

No. Different scheme and port (https defaults to 443).

http://en.website.com/example/

No. Different domain.

http://website.com:8080/example

No. Different port.

CORS :-

Cross Origin Resource Sharing is a browser mechanism which enables controlled access to resources located outside of a given origin. The server opts in with response headers (Access-Control-Allow-Origin and, when cookies or other credentials are involved, Access-Control-Allow-Credentials: true), and the browser decides from those headers whether the requesting script may read the response. It extends and adds flexibility to the SOP. However, it also creates potential for cross-domain attacks if a website's CORS policy is poorly configured and implemented; the classic mistake is to reflect whatever Origin header arrives back in Access-Control-Allow-Origin while also allowing credentials, which lets any site read the victim's authenticated responses. CORS is not a protection against cross-origin attacks such as cross site request forgery: the forged request is still sent and processed, CORS only governs whether its response can be read.
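The two mechanisms above, worked through in code. This is an added example and not code from the original post: it implements origin comparison with the default-port rule for the table above, then the browser's decision of whether a cross-origin script may read a response, and contrasts a constructed "reflect any Origin" backend with an allowlisting one. The hostnames, headers and the allowlist entry are assumptions for illustration.

```python
"""Origin comparison for the SOP table above, plus a CORS read-permission check.

Added example, not code from the original post. The URLs and response
headers are constructed for illustration; reflecting_server() models a
misconfigured backend, not any real site.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port), applying the scheme's default port.

    Path, query and fragment are ignored on purpose: they are not part of
    the origin, so /example/ and /other/ on one host share an origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no default port known for scheme {scheme!r}")
    return scheme, (parts.hostname or "").lower(), port


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def serialize_origin(url: str) -> str:
    """The form the browser puts in the Origin request header."""
    scheme, host, port = origin_of(url)
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_readable(request_origin: str, response_headers: dict[str, str],
                  credentials: bool = False) -> bool:
    """Can a script at request_origin read this cross-origin response?

    Mirrors the browser's rules: Access-Control-Allow-Origin must be '*' or
    exactly the requesting origin; if the request carried credentials
    (cookies), '*' is refused and Access-Control-Allow-Credentials must be
    'true'.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return False
    if acao == "*":
        return not credentials
    return acao == request_origin and (acac or not credentials)


def reflecting_server(origin_header: str) -> dict[str, str]:
    """The classic misconfiguration: echo whatever Origin arrives and allow
    credentials. Any site can now read the victim's authenticated responses."""
    return {
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisting_server(origin_header: str) -> dict[str, str]:
    """The fix: compare against an explicit allowlist (assumed entry below)
    and otherwise send no CORS headers at all, so plain SOP applies."""
    allowed = {"https://app.website.com"}
    if origin_header in allowed:
        return {"Access-Control-Allow-Origin": origin_header,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}
```

The Vary: Origin header in the allowlisting response matters in practice: without it a shared cache can serve one origin's Access-Control-Allow-Origin to another.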

CSP :-

Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP is delivered as the Content-Security-Policy response header (or a meta tag) and lists, per directive, the sources from which scripts, styles, frames and other resources may be loaded; a policy that allows 'unsafe-inline' or wildcard script sources gives little protection against XSS.
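A small policy checker for the weaknesses a pentester looks for in a CSP header. This is an added example, not code from the original post; the two policies are constructed, and the checks encode the browser rules that script-src falls back to default-src and that 'unsafe-inline' is ignored once a nonce or hash is present.

```python
"""Parse a Content-Security-Policy header and flag settings that leave XSS
exploitable. Added example, not code from the original post; both policies
at the bottom are constructed for illustration.
"""
from __future__ import annotations

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}.

    As in the browser, a repeated directive is ignored: the first one wins.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, *values = tokens
        policy.setdefault(name.lower(), values)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives fall back to default-src when they are not set."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def csp_findings(header: str) -> list[str]:
    policy = parse_csp(header)
    findings: list[str] = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        return ["no script-src or default-src: scripts load from anywhere, inline included"]
    lowered = [s.lower() for s in scripts]

    # 'unsafe-inline' only matters when no nonce or hash is present: a
    # CSP2+ browser ignores it once one of those appears in the same list.
    if "'unsafe-inline'" in lowered and not any(s.startswith(HASH_OR_NONCE) for s in lowered):
        findings.append("'unsafe-inline' in script-src: injected <script> blocks and handlers run")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' in script-src: eval()/new Function() on attacker strings")
    if "*" in lowered or "http:" in lowered or "https:" in lowered:
        findings.append("wildcard host or scheme in script-src: any remote script can be included")
    if "data:" in lowered:
        findings.append("data: in script-src: <script src=\"data:...\"> bypasses host allowlists")

    if effective_sources(policy, "object-src") is None:
        findings.append("no object-src (and no default-src): plugin content can be used to run script")
    return findings


# Constructed policies: a typical weak one and a nonce-based hardened one.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
            "object-src 'none'; base-uri 'self'")
```

Run csp_findings(WEAK) to see two findings (inline scripts and any https: host), and csp_findings(HARDENED) to see none; the nonce in the hardened policy must of course be fresh per response.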

Access Control | IDOR :-

Access control — (or authorization) is the application of constraints on who can perform the actions they attempt or access the resources they request. In the context of web apps, access control is dependent on authentication (who the user is) and session management (which requests belong to that user). Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access control is a complex and dynamic problem that applies business, organizational and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for error is high.

IDORs — Insecure Direct Object References are a type of access control vulnerability that arises when an application uses user-supplied input (an id in a URL or form parameter) to access objects directly, without checking that the current user is entitled to that object. The term IDOR was popularized by its appearance in the OWASP Top Ten 2007. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation (reading another user's records), but they can also arise in relation to vertical privilege escalation (reaching admin-only objects).
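The IDOR pattern as code, vulnerable lookup beside the fixed one. This is an added example and not from the original post; the SQLite table, user names and invoice ids are constructed. Note that the vulnerable query is parameterized: the bug is the missing ownership check, not injection, which is a distinction interviewers like to probe.

```python
"""An insecure direct object reference, vulnerable and fixed, over an
in-memory SQLite table. Added example, not code from the original post;
the table, users and invoice numbers are constructed for illustration.
"""
import sqlite3


class Forbidden(Exception):
    """Raised when the current user may not see the requested object."""


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1001, "alice", 120), (1002, "bob", 4500), (1003, "alice", 80)])
    return db


def get_invoice_vulnerable(db, current_user: str, invoice_id: int):
    """Looks the object up by the client-supplied id alone. The query is
    parameterized, so this is not SQL injection: the bug is the missing
    authorization check, and any logged-in user can read any invoice."""
    return db.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


def get_invoice_fixed(db, current_user: str, invoice_id: int):
    """Scope the lookup by the identity taken from the session, never from
    the request, and answer 'not found' and 'not yours' identically so the
    id space cannot be enumerated."""
    row = db.execute("SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
                     (invoice_id, current_user)).fetchone()
    if row is None:
        raise Forbidden(f"invoice {invoice_id} is not available to {current_user}")
    return row


def enumerate_invoices(db, current_user: str, fetch, candidate_ids) -> list:
    """What the attacker does: walk nearby ids and keep other users' rows."""
    leaked = []
    for invoice_id in candidate_ids:
        try:
            row = fetch(db, current_user, invoice_id)
        except Forbidden:
            continue
        if row is not None and row[1] != current_user:
            leaked.append(row)
    return leaked
```

With sequential ids, enumerate_invoices(db, "bob", get_invoice_vulnerable, range(1000, 1010)) returns both of alice's invoices; against get_invoice_fixed it returns nothing.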

Blind XSS :-

It is a flavor of XSS where the attacker "blindly" deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like a database or log file). Then, without knowing where the payloads have ended up or if (and when) they are going to be executed, the attacker waits for the payloads to be pulled out of storage and rendered on a web page loaded by another user, often an administrator viewing a support ticket, a log viewer or a contact-form inbox. Because the attacker never sees that page, the payload carries a callback to an attacker-controlled server so that execution is detected out of band.

DOM XSS :-

It stands for Document Object Model based cross site scripting. A DOM based XSS attack is possible if client-side JavaScript takes attacker-controllable data (a source such as location.hash or document.referrer) and writes it into the document through a dangerous sink such as innerHTML or eval without proper sanitization. The attacker manipulates that data to include XSS content on the web page, and the vulnerable code is entirely on the client side, so the payload may never reach the server and server-side filters never see it.

The DOM is a convention used to represent and work with objects in an HTML document (as well as in other document types). All HTML documents have an associated DOM that consists of objects representing document properties from the point of view of the browser. When a client-side script is executed, it can use the DOM of the HTML page. The script can access various properties of the page and change their values.

Template Injection :-

Server side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then evaluated server side. Unlike XSS, the payload runs inside the template engine on the server, so the impact is frequently remote code execution; a quick detection step is to submit an expression such as {{7*7}} in the engine's syntax and look for 49 in the response.

Cookies vs Session :-

Session — Session data lives on the server (PHP's default, for example, is a file in a temp directory) and holds the registered session variables and their values. The client only receives a session ID, usually in a cookie, which it presents on each request so the server can find the matching record. This data is available to all pages on the site during that visit. A session ends when the user logs out or closes the browser, or the server terminates it after a predetermined idle period, commonly 30 minutes.

Cookie — Cookies are small pieces of text stored on the client computer and are used for state and tracking purposes. A server script sends a set of cookies to the browser, for example name, id, etc. The browser stores this information on the local machine and, on every later request to that server within the cookie's Domain and Path scope, sends it back; the server uses it to recognize the user. Because the client holds and sends the cookie, anything in it can be read and altered by the user unless the server signs or encrypts it.

Cookies Security Attributes :-

Cookies are pieces of information stored on the client side and sent to the server with every matching request the client makes. Cookies are primarily used for authentication and maintaining sessions, so securing a cookie effectively means securing a user's identity. Cookies are secured by setting their attributes properly. These attributes are

  • Secure: only sent over HTTPS, never in clear text.
  • Domain: which hosts receive the cookie; setting it to a parent domain shares the cookie with every subdomain.
  • Path: the URL path prefix the cookie is sent for; a scoping convenience, not a security boundary.
  • HttpOnly: not readable from JavaScript (document.cookie), which blunts cookie theft via XSS.
  • Expires (or Max-Age): lifetime; a session cookie should have neither, so it dies with the browser.
  • SameSite (Lax or Strict): not attached to cross-site requests, which removes most CSRF surface.
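A Set-Cookie audit that checks the attributes listed above and the __Host- prefix rules. This is an added example, not code from the original post; the two header values are constructed, and the parser is deliberately hand-written so that the Expires date (which contains commas) is handled without relying on library quirks.

```python
"""Audit a Set-Cookie header for the attributes listed above (plus SameSite
and the __Host- prefix). Added example, not code from the original post;
the two header values at the bottom are constructed for illustration.
"""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map
    to None. Splitting on ';' is safe because the Expires date contains
    commas but never a semicolon.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: dict[str, str | None] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def cookie_findings(header: str, session_cookie: bool = True) -> list[str]:
    name, _, attrs = parse_set_cookie(header)
    findings: list[str] = []

    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, so it can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so XSS can steal it")

    samesite = (attrs.get("samesite") or "").lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: modern browsers drop the cookie")
    elif samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF surface)")

    if session_cookie and ("expires" in attrs or "max-age" in attrs):
        findings.append("Expires/Max-Age on a session cookie: persists across browser restarts")

    domain = attrs.get("domain")
    if domain:
        findings.append(f"Domain={domain}: shared with every subdomain of {domain.lstrip('.')}")
    # Path is scoping only, not a security boundary: a page on another path
    # of the same origin can still reach the cookie through an iframe, so no
    # finding is raised for it.

    if name.startswith("__Host-"):
        # Browsers only accept __Host- cookies that are Secure, carry no
        # Domain and have Path=/; anything else is a misconfiguration.
        if "secure" not in attrs or domain or attrs.get("path") != "/":
            findings.append("__Host- prefix rules violated (needs Secure, Path=/, no Domain)")
    return findings


# Constructed headers: a typical weak session cookie and a hardened one.
WEAK = "sessionid=7f3a9c; Path=/; Domain=website.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED = "__Host-sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"
```

cookie_findings(WEAK) reports five problems; cookie_findings(HARDENED) reports none.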

Second Order SQLi and Remediation :-

It arises when user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. To detect the vulnerability, it is normally necessary to submit suitable data in one location, and then use some other application function that processes the stored data in an unsafe way. Input validation at the point of entry often misses it, because the data looks harmless (and is handled safely) when it is first stored.

Remediation — The most effective way to prevent SQL injection is to use parameterized queries (prepared statements) for all database access, including queries that consume data already in the database. This method uses two steps to incorporate potentially tainted data into SQL queries. First, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Placeholders only work for values: table and column names, ORDER BY targets and similar identifiers cannot be parameterized and must be checked against an allowlist instead.
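The second-order case, end to end, with the parameterized remediation. This is an added example and not code from the original post; the users table, the admin account and the attacker's username are constructed. It shows the point made above: the registration step is written correctly, and the injection only fires when the stored value is trusted in a later query. The allowlist function at the end covers the identifier case that placeholders cannot handle.

```python
"""Second-order SQL injection against an in-memory SQLite database, then the
parameterized fix. Added example, not code from the original post; the
schema and accounts are constructed, and passwords are stored in plaintext
only to keep the demonstration short.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db


def register(db, username: str, password: str) -> None:
    """Registration is parameterized, so the quote and comment sequence in
    the attacker's username are stored verbatim and do nothing yet."""
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(db, username: str, new_password: str) -> str:
    """Later, the username read back from the session is treated as trusted
    and concatenated into SQL. Returns the query so it can be inspected."""
    sql = f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'"
    db.execute(sql)
    return sql


def change_password_fixed(db, username: str, new_password: str) -> None:
    """Same operation with placeholders: the stored quote stays data."""
    db.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))


def password_of(db, username: str) -> str:
    return db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def second_order_attack(change_password) -> str:
    """Register as admin'-- then change 'our own' password. With the
    vulnerable function the WHERE clause becomes username = 'admin'--'
    and the admin's password is overwritten. Returns admin's password."""
    db = make_db()
    payload = "admin'--"
    register(db, payload, "whatever")
    change_password(db, payload, "pwned")
    return password_of(db, "admin")


ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(db, column: str) -> list:
    """Placeholders cannot stand in for identifiers, so a sort column taken
    from the client is checked against an allowlist before being spliced in."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column {column!r}")
    return [row[0] for row in db.execute(f"SELECT username FROM users ORDER BY {column}")]
```

second_order_attack(change_password_vulnerable) returns "pwned"; with change_password_fixed it returns the original "S3cret!" and only the attacker's own row changes.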

CSRF :-

Cross Site Request Forgery is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other: the attacker's page cannot read the victim site's responses, but the browser still attaches the victim's cookies to the requests it sends there.

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.

Anti CSRF Token implementation in response body :-

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token, compares it with the one stored in the user's session, and rejects the request if the token is missing or invalid. CSRF tokens should be treated as secrets and handled in a secure manner throughout their lifecycle. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will be included as a request parameter when the form is submitted.

<input type="hidden" name="csrf-token" value="CTENI35Sf….FUXZ"/>
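The hidden-field (synchronizer token) pattern described above, implemented server-side. This is an added example and not code from the original post: the session store is an in-memory dictionary, the form handler is simulated rather than wired into a web framework, and the route name /change-email is an assumption. It shows what the checks must cover: a missing token, a token from a different session, and a tampered token are all rejected, and the comparison is constant-time.

```python
"""Synchronizer-token CSRF protection: a per-session secret placed in a
hidden form field and checked on every state-changing POST. Added example,
not code from the original post; the session store is an in-memory dict and
the request handling is simulated rather than wired to a web framework.
"""
from __future__ import annotations

import hmac
import html
import secrets

SESSIONS: dict[str, dict] = {}   # session id -> server-side session data


def new_session(user: str) -> str:
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """One unpredictable token per session, generated server-side and never
    derived from anything the attacker can observe."""
    session = SESSIONS[session_id]
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
    return session["csrf"]


def render_change_email_form(session_id: str) -> str:
    """The hidden field from the text, escaped like any other output."""
    token = csrf_token_for(session_id)
    return (
        '<form method="POST" action="/change-email">\n'
        f'  <input type="hidden" name="csrf-token" value="{html.escape(token)}"/>\n'
        '  <input type="email" name="email"/>\n'
        '</form>'
    )


def csrf_token_valid(session_id: str, submitted: str | None) -> bool:
    expected = SESSIONS.get(session_id, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    # constant-time comparison so timing does not leak the token byte by byte
    return hmac.compare_digest(expected, submitted)


def handle_change_email(session_id: str, form: dict[str, str]) -> bool:
    """Returns True when the change was applied, False when rejected."""
    if not csrf_token_valid(session_id, form.get("csrf-token")):
        return False
    SESSIONS[session_id]["email"] = form["email"]
    return True
```

Pair this with SameSite=Lax or Strict on the session cookie for defence in depth; the token remains necessary because SameSite does not cover every browser or every request type.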

SQL Testing on login pages :-

To check for potential SQL injection vulnerabilities, we enter a single quote into the "Name" field and submit the request using the "Login" button. The application responds with an SQL error message that includes the query used by the login function. We can use this information to construct an injection attack that bypasses authentication. The first account in a database is often an admin user, and we can exploit this behaviour to log in as the first user in the DB.

Enter syntax that modifies the SQL query into the "Name" input. In this example we used ' OR 1=1--. This causes the application to perform the query :-

SELECT * FROM users WHERE username = '' OR 1=1--' AND password = 'foo'

Because of the comment sequence (--), the remainder of the query is ignored, so it is equivalent to

SELECT * FROM users WHERE username = '' OR 1=1

which matches every row. In this example the SQL injection attack has resulted in a login bypass, because the application takes the first row returned. Note that on MySQL the -- comment needs a trailing space (or use # instead); on most other databases a bare -- works.
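The login bypass above run against a real query engine, beside the parameterized version it fails against. This is an added example and not code from the original post; the users table and the two accounts are constructed, passwords are plaintext purely to keep it short, and SQLite stands in for whatever database the target uses (its -- comment behaves like the one in the text).

```python
"""The login bypass above, run against an in-memory SQLite database, next to
the parameterized version that is immune to it. Added example, not code
from the original post; the table and accounts are constructed, and
passwords are stored in plaintext only to keep the demonstration short.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "S3cret!"), (2, "alice", "hunter2")])
    return db


def login_vulnerable(db, username: str, password: str):
    """String-built query: the input becomes part of the SQL grammar."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()       # first matching row, often the admin


def login_fixed(db, username: str, password: str):
    """Parameterized query: the structure is fixed first, the values bound
    after, so a quote in the input is only ever data."""
    return db.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def probe_single_quote(db, login) -> bool:
    """The detection step from the text: a lone quote breaks the query's
    syntax and the database complains. True means 'worth digging into'."""
    try:
        login(db, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False
```

login_vulnerable(db, "' OR 1=1--", "foo") returns the admin row, as does the more targeted admin'-- with an empty password; login_fixed returns None for both.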

Threat| Risk | Vulnerability :-

Threat — Anything that can exploit a vulnerability, intentionally or accidentally, and damage or destroy an asset.

Risk — The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability; commonly framed as likelihood multiplied by impact.

Vulnerability — A weakness or loophole in a security program (software, configuration or process) that a threat can exploit to gain unauthorized access to an asset.

VA | PT :-

VA — A vulnerability assessment is a rapid, largely automated review of network devices, servers and systems to identify known vulnerabilities and configuration issues that an attacker may be able to take advantage of. It is generally conducted within the network on internal devices and, due to its low footprint, can be carried out as often as every day. A VA answers the question "What are the issues on the network?" It does not exploit what it finds, so its output is a list of possible weaknesses that still has to be verified and prioritized.

PT — A penetration test is an in-depth, expert-driven activity focused on identifying the routes an attacker could actually use to break into the network. Beyond listing vulnerabilities, it exploits them to show the potential damage and the further internal compromise an attacker could carry out once past the perimeter. A pentest answers the question "What can a motivated attacker do?"

Block vs Stream ciphers :-

Block Cipher — The plaintext is divided into fixed-size blocks (64 bits for DES and 3DES, 128 bits for AES) and each block is transformed separately under the same key; the final block is padded up to full length. How the blocks relate to one another is decided by the mode of operation (ECB, CBC, CTR, GCM). The cipher itself is a keyed permutation designed to be infeasible to invert without the key, but the mode matters as much as the algorithm: ECB encrypts identical plaintext blocks to identical ciphertext blocks and so leaks patterns, and CBC without an integrity check is open to padding-oracle attacks. An authenticated mode such as GCM is the safe default.

Stream Cipher — The plaintext is encrypted one bit or byte at a time. A stream cipher uses a pseudorandom bit generator, seeded with the key and a nonce, to produce a random-looking stream of bits called the keystream. The cipher XORs each bit of the keystream with the corresponding bit of plaintext to produce the ciphertext; decryption is the same XOR with the same keystream. Two caveats follow directly from that: never reuse a key and nonce pair, because XORing two ciphertexts then cancels the keystream and reveals the XOR of the two plaintexts; and a stream cipher alone gives no integrity, since flipping a ciphertext bit flips the same plaintext bit, which is why modern designs pair it with a MAC (ChaCha20-Poly1305).
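The stream-cipher mechanics and both caveats, demonstrated. This is an added example, not code from the original post, and the keystream generator is a teaching device (SHA-256 over key, nonce and a counter), not a real cipher; the messages, key and nonce are constructed. It shows that decryption is the same XOR, that reusing the nonce lets an attacker cancel the key out of two ciphertexts, and that one ciphertext byte can be edited to change a plaintext byte without knowing the key.

```python
"""A toy stream cipher: a keystream XORed with the plaintext, showing that
encryption and decryption are the same operation and why a keystream must
never be reused. Added example, not code from the original post. The
hash-based keystream generator is a teaching device, not a real cipher;
use ChaCha20 or AES in CTR/GCM mode from a vetted library in practice.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-style pseudorandom keystream: block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """c = p XOR ks. No padding: ciphertext length equals plaintext length."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same call."""
    return encrypt(key, nonce, ciphertext)


def two_time_pad(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same key and nonce: c1 XOR c2 = p1 XOR p2.
    The key drops out entirely; no cryptanalysis of the cipher is needed."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If the attacker knows (or guesses) p1, the overlapping part of p2
    follows directly."""
    return xor_bytes(two_time_pad(c1, c2), known_p1)


def flip(ciphertext: bytes, index: int, old: int, new: int) -> bytes:
    """Malleability: without a MAC, XORing old^new into one ciphertext byte
    turns that plaintext byte from old into new after decryption."""
    out = bytearray(ciphertext)
    out[index] ^= old ^ new
    return bytes(out)
```

The flip() call in the test turns "transfer 100" into "transfer 900" by touching a single ciphertext byte, which is exactly what an authenticated mode exists to prevent.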

LFI vs RFI :-

LFI — Local file inclusion is similar to a remote file inclusion vulnerability except that, instead of including remote files, only local files, i.e. files already on the server, can be included. It is still commonly escalated to remote code execution by including a file that contains attacker-controlled data, such as the web server's access logs (after planting PHP code in a request's User-Agent header) or a file the attacker uploaded, and it also exposes sensitive files such as /etc/passwd or application configuration through path traversal (../../).

RFI — Remote file inclusion occurs when the web application downloads and executes a remote file. These remote files are usually obtained from an HTTP or FTP URL passed as a user-supplied parameter to the web application. In PHP it additionally requires allow_url_include to be enabled, which is off by default, so RFI is rarer than LFI on current deployments.
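A file-inclusion parameter handled three ways: the naive join that allows traversal, a resolve-then-check guard, and an allowlist. This is an added example and not code from the original post; the directory layout, file names and contents are constructed in a temporary folder so it runs anywhere. It also covers the absolute-path case (os.path.join throws the base away when the name starts with a slash), which simple "../" filtering misses.

```python
"""Path traversal guard for a file-inclusion parameter, vulnerable and fixed.
Added example, not code from the original post. The directory layout is
constructed in a temporary folder so it runs anywhere; the file names and
contents are invented.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def include_vulnerable(base: str, name: str) -> str:
    """Naive join: '../secret.txt' walks out of base, and an absolute name
    replaces base entirely (os.path.join discards it when name starts with '/')."""
    with open(os.path.join(base, name)) as fh:
        return fh.read()


def resolve_inside(base: str, name: str) -> Path:
    """Resolve symlinks and '..' first, then require the result to stay
    inside base. Checking the raw string for '..' is not enough: encoded
    or symlinked paths get past that."""
    base_dir = Path(base).resolve()
    target = (base_dir / name).resolve()
    if target != base_dir and base_dir not in target.parents:
        raise PermissionError(f"{name!r} resolves outside {base_dir}")
    return target


def include_fixed(base: str, name: str) -> str:
    return resolve_inside(base, name).read_text()


ALLOWED_PAGES = {"home.html", "about.html"}   # constructed allowlist


def include_allowlisted(base: str, name: str) -> str:
    """Stronger still: when the set of includable files is known, map the
    parameter onto an allowlist and never build a path from it at all."""
    if name not in ALLOWED_PAGES:
        raise PermissionError(f"{name!r} is not an includable page")
    return (Path(base) / name).read_text()


def demo() -> dict:
    """Build templates/home.html plus a secret one level up, then try each
    include function with a traversal payload. Returns what each one did."""
    root = Path(tempfile.mkdtemp())
    (root / "templates").mkdir()
    (root / "templates" / "home.html").write_text("<h1>home</h1>")
    (root / "secret.txt").write_text("db_password=hunter2")   # outside the include dir
    base = str(root / "templates")

    result = {"vulnerable_leaks": include_vulnerable(base, "../secret.txt")}
    for fetch in (include_fixed, include_allowlisted):
        try:
            fetch(base, "../secret.txt")
            result[fetch.__name__] = "LEAKED"
        except PermissionError:
            result[fetch.__name__] = "blocked"
    result["fixed_serves"] = include_fixed(base, "home.html")
    return result
```

demo() shows the naive version handing back the secret while both guards refuse it and still serve the legitimate page.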

XXE :-

XML External Entity is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server file system, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server side request forgery attacks. The fix is to configure the XML parser to disable DTD processing, or at least external entity resolution, rather than trying to filter the input.

SSRF & Blind SSRF :-

SSRF — Server Side Request Forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to a domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself (http://localhost/admin), to other web-based services within the organization's infrastructure (internal IP ranges, or cloud metadata endpoints such as 169.254.169.254), or to external third-party systems.

A successful SSRF attack often results in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. Sometimes the SSRF allows an attacker to perform arbitrary command execution.

Blind SSRF — Blind SSRF vulnerabilities arise when an application can be induced to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application's front-end response.

Blind SSRF is generally harder to exploit, and is usually detected out of band (a DNS or HTTP callback to an attacker-controlled host), but it can sometimes lead to full remote code execution on the server or other back-end components.
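The server-side check that closes off the targets listed above (loopback, private ranges, link-local metadata addresses, non-HTTP schemes, userinfo tricks). This is an added example and not code from the original post; it makes no network calls, so host names are resolved against a constructed table standing in for DNS, and the names and addresses in it are invented. The rebinding entry in that table is why the function returns the address it validated: the caller must connect to that pinned IP rather than resolve the name a second time.

```python
"""Validate a user-supplied URL before the server fetches it. Added example,
not code from the original post. No network call is made: host names are
resolved against a constructed table standing in for DNS.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS; the names and addresses are invented.
FAKE_DNS = {
    "api.partner.example": ["1.2.3.4"],
    "internal-wiki.corp.example": ["10.0.4.12"],
    "rebind.attacker.example": ["5.6.7.8", "127.0.0.1"],   # models DNS rebinding
    "localhost": ["127.0.0.1"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_public(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str, resolve=FAKE_DNS.get) -> tuple[str, str, str, int]:
    """Return (scheme, host, pinned_ip, port) or raise ValueError.

    The caller must connect to pinned_ip and send host in the Host header.
    Resolving again at connect time reopens the rebinding window that
    rebind.attacker.example models (first answer public, second loopback).
    Shorthand IP forms such as 127.1 or 0x7f000001 are rejected here because
    ipaddress refuses them; the HTTP client in use must refuse them too.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")   # file:, gopher:, dict: ...
    if parts.username or parts.password:
        raise ValueError("userinfo in URL")   # http://api.partner.example@10.0.4.12/
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, v4 or v6
    except ValueError:
        addresses = resolve(host) or []
    if not addresses:
        raise ValueError(f"{host!r} does not resolve")
    if not all(is_public(a) for a in addresses):
        raise ValueError(f"{host!r} resolves to a non-public address")
    return parts.scheme, host, addresses[0], parts.port or DEFAULT_PORTS[parts.scheme]


def is_fetch_allowed(url: str) -> bool:
    """Boolean wrapper for quick checks and for the tests below."""
    try:
        validate_fetch_url(url)
    except ValueError:
        return False
    return True
```

Also handle redirects: a validated public URL can 302 to http://169.254.169.254/, so the fetching client must either refuse to follow redirects or re-run this check on every hop.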

RCE :-

Remote Code Execution refers to an attacker's ability to run code of their choosing on a target system over the network, without authorization and regardless of where the machine is physically located. RCE lets an attacker take over a computer or server by running arbitrary malicious software on it, which is why RCE vulnerabilities are among the most severe: from there the attacker can read data, pivot to other systems and install persistence. Several of the bugs above (file inclusion, template injection, and some SSRF and XXE chains) end in RCE.

Broken Authentication :-

Broken authentication covers weaknesses in how a web application verifies who a user is and keeps track of that identity afterwards: login, registration, password reset and session handling. It is not one bug but a class: weak or default passwords, no rate limiting so that credential stuffing and brute force succeed, predictable session IDs, session IDs exposed in URLs, sessions that are not invalidated on logout or password change, and session fixation.

Whenever a user logs into an account, a session ID is created and is tied to that particular account only. If the web application handles authentication securely, that is well and good, but if it does not, an attacker may use the techniques above to obtain or forge a valid session ID and act as that user.
