Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions with Answers: Part 1

 

Vulnerability Assessment and Penetration Testing (VAPT) is one of the most established domains of cyber security. As most business prefer having an online presence to cater to a greater audience, they ultimately rely on websites showcasing their brand image. However, they don’t pay attention to the potential damage of reputation in case their website gets hacked or defaced. In the worst case the business and their customers can even face financial losses due to compromise of stored credentials.

VAPT is one of the most in-demand jobs in the field of cyber security today.  Many tools and technologies have been developed to conduct VAPT.

A typical VAPT interviewer will not ask specific questions regarding the functioning of any tool, but would rather be more interested in understanding the general problem solving approach of the candidate.

Following is a list of questions usually asked for VAPT interviews:

1. Please explain cross site scripting.

In Cross-Site Scripting (XSS) attacks malicious scripts are injected into other web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to the end user. If successful, The attacker may gain access to users cookies, session IDs, passwords, private messages etc.

http://smartnsecure.blogspot.com/2018/04/Cyber-security-VAPT-Interview-Questions-2.html

2. What are the types of cross site scripting

There are three major types of XSS attacks:

Persistent / Stored XSS

The malicious user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. and is reflected every time the page is visited by any user.

Reflected XSS

The malicious user input originates from the victim’s request and is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data.
This input will not reflect in case the same web page is displayed by a different user.

DOM-based XSS:  

DOM actually allows client-side-scripts(Eg: Javascript) to dynamically access and modify the content, structure, and style of a webpage. DOM-based XSS relies on inappropriate handling, in the HTML page, of the data from its associated DOM. Among the objects in the DOM, there are several which the attacker can manipulate in order to generate the XSS condition, and the most popular, from this perspective, are the document.url, document.location and document.referrer objects.

3. Is cross site scripting attack browser based or server based?

Cross site scripting is a client side browser based attack as the script executes in the client browser.

4. What will you do as a developer to correct existing cross site scripting vulnerability in your code reported by the application security auditors

As a developer we should examine the code of the page where the vulnerability is residing and rectify the flaw by putting proper input validations in place to avoid any scripts from executing. In case it has been reported as a persistent XSS, we should also vet the database entries to look for any residing malicious script lying there.

5. Explain CSRF

Cross Site request forgery attacks takes advantage of the website trust in an authenticated user session. as an example, lets consider an application has a user that is logged on, an attacker tricks the user into submitting an HTTP request on the attacker’s behalf, which the application believes to be from the user. the success factor for CSRF relies in the fact that once authenticated,  websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user.

6. What is the prevention used for CSRF

Common techniques for preventing against CSRF attacks are:
1. Check CSRF Token
2. Verify the requests are coming from same origin

Tip: Go through OWASP Top Ten Vulnerabilities, their impact and countermeasures. Learn at least one practical example of each and you will get through with flying colors!!!

For more questions, click here.

Click to know which certification is best for your cyber security career??

 

Related posts

5 Thoughts to “Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions with Answers: Part 1”

  1. Nice post. I learn something new and challenging on sites I stumbleupon everyday. It’s always helpful to read through articles from other writers and practice a little something from their websites.

    Please Read More: Download Ebook: Ultimate Guide To Job Interview Questions Answers:

    Best rgs

  2. Hi Buddy,

    Great Post!!
    According to me, Penetration testers think outside of the box, and will try to get into your system by any means possible, like a real world attacker would. This could reveal lots of major vulnerabilities your security or development team never considered. The reports generated by penetration tests provide you with feedback on prioritizing any future security investment.

    Penetration Testing Services

  3. Hey,

    I really liked your blog 🙂

    Well, Software penetration testing is a process of appraising the security of computer system or network of computer systems by simulating the attack from wicked outsiders not having an authorized access as well as from malicious insiders having an authorized access to the computers or the network of the company.

    Regards
    Antoine Aarts

  4. Thanks for the motivation!!
    Feels great to write content being liked. Will continue the efforts.

  5. We offer the best Database Testing Interview Questions and Answers for Fresher, Experienced. These are useful questions for freshers and experienced candidates.

Leave a Comment