## General
- What makes you fit for the job? (INTERN)
- What drives you in security (INTERN)
- What's your mandate for the internship (INTERN)
- Imagine yourself in 10 years' time (INTERN)
- What do you do in your spare time (INTERN)
- What kind of work appeals to you, for example writing tools, vulnerability discovery, security design?
- Any other skills you have not mentioned in the interview?
## HR
- Expected salary
- Start date
- Have you got other offers
- What's your impression of the team leader from the previous interview
- What's your greatest challenge
- A person who has influenced you
- What are the three considerations for your first job
- Your strengths and weaknesses
- How did you choose the company for your internship
- What is your view of security
- What do you think matters most in doing cybersecurity well
- What relevant experience do you have for this job
## Experience
- The most interesting thing you have come across in projects you have done (INTERN)
- What are some relevant modules you have taken (INTERN)
- Three things you have learned from your OSCP (INTERN)
- Any red-team experience?
- Any HTB or bug bounty experience?
- Any Incident response experience
- Any software development experience?
- What did you do in NUS Greyhats
- What bugs did you find in the pentest module
- What security modules and projects have you done in school
- Describe a challenge that shows your abilities: explain the background, the technical details and how you solved it
- In your internship, where did you do well and where did you fall short
- The biggest difficulty you met during the internship, and how you solved it
## Web
- Do you know about OWASP? (INTERN)
- The 2021 edition of the OWASP Top 10 is out; worth keeping up with
- Difference between session and cookie
- CSRF attacks & prevention
- How browser prevents CSRF
- XSS attacks & prevention
- Besides stealing cookies, what other harm can XSS do
- What is site-isolation
- What is XXE
- How to get RCE from XXE
- What is SSRF
- How to defend against SSRF
- How to get a shell from blind SSRF
- Characters commonly used in command injection
- What SQL injection can prepared statements not prevent
- Recommended reading:
- https://mp.weixin.qq.com/s?__biz=Mzg2NDU3Mzc5OA==&mid=2247485996&idx=1&sn=32413497b87b815b27e22af3db2fa70d&source=41#wechat_redirect
- https://blog.nowcoder.net/n/9d9987c816214f62b9266276da65e11f
- https://blog.nowcoder.net/n/be73b8f592504ae8b1d00368433061be
## Network
- Difference between TCP and UDP (INTERN)
- Difference between HTTP and HTTPS (INTERN)
- What cryptography does SSL use (INTERN)
- Common DoS attacks (INTERN)
- What is class A/B IP address (INTERN)
- The HTTPS key exchange process
- What are the network layers and the protection at different layers
- IPSec use case?
- What is the protection at application layer
- UDP-based protocols
- DNS-related vulnerabilities
- How to defend against DNS cache poisoning
- The TCP three-way handshake
## Crypto
- What are symmetric and asymmetric cryptography (INTERN)
- What asymmetric ciphers are there, and what mathematical problem is each based on
- Which AES mode would you use
- What weaknesses do ECB and CBC have, and how exactly are they attacked
- how do you
## Infrastructure security
- What is malware, what are common malware techniques, and how do you defend against them? (INTERN)
- What is APT (INTERN)
- How to harden a host (INTERN)
- Given full control of a web application and its server, how would you protect it
- What are the access control models
- Have you built a complex system before?
- Any experience with database management and tuning
- How to build a HIDS?
- What kind of logs should be collected at hosts
- How to ensure log-collection does not affect services
- What kind of detection have you applied?
- How to investigate a security incident
- Familiar with container technology?
- How do you achieve a Docker escape (container breakout)?
- How would you do vulnerability detection and defence
- What security issues does a cloud architecture have
- How to deploy a large-scale database
- What happens in Linux from power-on to the login screen
## Application Security
- What software development project you have done
- Familiar with the SDLC?
- Find bug in this code
```
e.exports = {
    sdk_host: "https://www.digits.com",
    [..]
    onReceiveMessage: function(t) {
        this.config && -1 !== this.config.get("sdk_host").search(t.origin) && this.resolve(t.data)
    },
```
- Find bug in this code
```
public ParcelFileDescriptor openFile(Uri uri, String mode) {
File file = new File(DIR, uri.getLastPathSegment());
return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
}
```
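The Java snippet above is a classic ContentProvider path traversal: `Uri.getLastPathSegment()` returns the last segment percent-decoded, so a caller can pass `..%2F..%2Fdatabases%2Fapp.db` and `new File(DIR, ...)` happily resolves outside `DIR`. The fix in Java is to canonicalize the path (`getCanonicalPath()`) and require it to start with the base directory. The Python below is an added example, not code from the page, that reproduces the decode-then-traverse mechanic and the containment check; `BASE_DIR` and the `content://` URIs are made up.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical provider directory standing in for DIR in the Java snippet.
BASE_DIR = "/data/data/com.example.app/files/shared"


def last_path_segment(uri: str) -> str:
    """Behaves like android.net.Uri.getLastPathSegment(): the final path segment,
    percent-DECODED. That decoding is what turns an innocent-looking
    '..%2F..%2Fdatabases%2Fapp.db' into '../../databases/app.db'."""
    path = uri.split("?", 1)[0].rstrip("/")
    return unquote(path.rsplit("/", 1)[-1])


def resolve_vulnerable(uri: str) -> str:
    """Mirror of the Java code: new File(DIR, segment) with no containment check."""
    return posixpath.normpath(posixpath.join(BASE_DIR, last_path_segment(uri)))


def resolve_hardened(uri: str) -> str:
    """Canonicalise, then require the result to stay strictly under BASE_DIR.
    Also reject any separator in the decoded segment: a file name must not contain one."""
    segment = last_path_segment(uri)
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, segment))
    escaped = posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR
    if not segment or "/" in segment or candidate == BASE_DIR or escaped:
        raise PermissionError(f"refusing to open {candidate!r}: outside {BASE_DIR}")
    return candidate


def is_allowed(uri: str) -> bool:
    """Boolean wrapper around resolve_hardened for callers that only need a verdict."""
    try:
        resolve_hardened(uri)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    evil = "content://com.example.app.provider/files/..%2F..%2Fdatabases%2Fapp.db"
    print("vulnerable resolves to:", resolve_vulnerable(evil))
    print("hardened allows it:", is_allowed(evil))
```

The containment check must run on the normalized path, not on the raw segment: checking for a literal `../` before decoding misses the encoded form, and checking it after decoding but before `normpath` misses variants such as `./../`.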
- Find exploit in this scenario
```
Let's say a webview is able to load local files. How do we steal the files and send them to our remote server?
Hint: file stream like file:///data/data/com.income.incomeapp/shared_prefs/prefs.xml
```
- When analysing an Android app, Burp intercepts the traffic but it turns out to be encrypted; how do you deal with it
- How to exploit Activity hijacking
- The four main Android components
- What business-logic vulnerabilities exist in the following three scenarios
```
1. A user registers with a phone number
2. A new user redeems a coupon
3. Checkout and payment when shopping
```
- What is the best practice of authentication
- How to defend against yesterday's vulnerability (Apache Log4j)
- The vulnerability in the code below (assume SecCheck cannot be bypassed)
```
func CheckPrefix(ctx *gin.Context) {
    prefix := path.Clean(ctx.Query("prefix"))
    if len(prefix) == 0 || !util.SecCheck(prefix) {
        ctx.JSON(200, gin.H{
            "code":   1501,
            "errMsg": "prefix error",
        })
    }
    sql := fmt.Sprintf(
        "select did, url from xxx where is_deleted=0 "+
            " and url like '%s%%'", prefix,
    )
    logs.Info(sql)
    // query data
    var data []PrefixData
    err := db.Query(sql, &data)
    if err != nil {
        ctx.JSON(200, gin.H{
            "code":   1502,
            "errMsg": "error: " + err.Error(),
        })
        return
    }
    // ...
}
```
- In the scenario above, the SQLi payload to extract database information
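The point of "assume SecCheck cannot be bypassed" is that the bug is not in the filter: the `if` branch writes the 1501 error body but never `return`s, so execution falls through and the rejected prefix is still formatted into the query with `fmt.Sprintf` (and logged). The following Python is an added example, not from the page or the project, that mirrors that control-flow bug against an in-memory SQLite table and shows the corrected handler. The table contents, the `sec_check` stand-in and the payload are constructed; on MySQL the equivalent payload would read `information_schema.tables` and end the statement with `#` instead of `--`.

```python
import sqlite3

# Constructed rows standing in for the page's "xxx" table (did, url, is_deleted).
ROWS = [
    (1, "https://a.example/docs", 0),
    (2, "https://a.example/admin", 0),
    (3, "https://b.example/old", 1),
]

# Schema-dumping payload for SQLite: closes the LIKE literal, UNIONs the schema table,
# and comments out the trailing %' that the template appends.
PAYLOAD = "' union select name, sql from sqlite_master --"


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table xxx (did integer, url text, is_deleted integer)")
    db.executemany("insert into xxx values (?, ?, ?)", ROWS)
    return db


def sec_check(prefix: str) -> bool:
    """Stand-in for util.SecCheck. The question says to assume it cannot be bypassed,
    so this one bluntly rejects quotes and comment markers."""
    return not any(tok in prefix for tok in ("'", '"', "--", "#", ";", "/*"))


def check_prefix_vulnerable(db: sqlite3.Connection, prefix: str):
    """Mirrors the Go handler. The check fires and an error body is queued, but there
    is no return, so the query is still built from the rejected prefix and executed."""
    errors = []
    if not prefix or not sec_check(prefix):
        errors.append({"code": 1501, "errMsg": "prefix error"})
        # BUG: missing return; the handler keeps going with the bad prefix
    sql = "select did, url from xxx where is_deleted=0 and url like '%s%%'" % prefix
    return errors, db.execute(sql).fetchall()


def escape_like(s: str) -> str:
    """Escape LIKE metacharacters so a prefix of '%' or '_' matches literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def check_prefix_fixed(db: sqlite3.Connection, prefix: str):
    """Return on the failed check, bind the prefix as a parameter, and neutralise
    LIKE wildcards so the caller cannot turn a prefix search into 'match everything'."""
    if not prefix or not sec_check(prefix):
        return [{"code": 1501, "errMsg": "prefix error"}], []
    sql = "select did, url from xxx where is_deleted=0 and url like ? escape '\\'"
    return [], db.execute(sql, (escape_like(prefix) + "%",)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", check_prefix_vulnerable(db, PAYLOAD))
    print("fixed:     ", check_prefix_fixed(db, PAYLOAD))
```

Parameter binding alone closes the injection; the `escape` clause is there because a prefix of `%` is a legitimate string as far as any quote-based filter is concerned, yet it would enumerate every row.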
- The vulnerability in the following scenario
```
Suppose an Android app exposes a JS bridge API js-bridge(url, path) that downloads a native file into the /app directory. What security problems does this create?
```
- How to defend against the above
- A regex to extract the IP and path from the following traffic
```
199.180.11.91 - - [06/Mar/2019:04:22:58 +0100] "GET /robots.txt HTTP/1.1" 404 1228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.180.11.91 - - [06/Mar/2019:04:22:58 +0100] "GET /api/v1/query?id=1 HTTP/1.1" 200 1228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
```
- How to detect crawlers in traffic like the above
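The two questions above (extract IP and path, then spot crawlers) are answered together by the following added example; it is not from the original page. It parses the combined-format lines with a named-group regex and then scores each client IP on crawler indicators that these two lines already exhibit: a `/robots.txt` probe, a user agent (IE 6 on Windows XP) that no browser was sending in 2019, two requests in the same second, and a high 4xx ratio. The path set and thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# The two log lines from the question, reproduced here as sample input.
SAMPLE_LOG = """\
199.180.11.91 - - [06/Mar/2019:04:22:58 +0100] "GET /robots.txt HTTP/1.1" 404 1228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
199.180.11.91 - - [06/Mar/2019:04:22:58 +0100] "GET /api/v1/query?id=1 HTTP/1.1" 200 1228 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"""

# Apache/nginx "combined" format. The path group stops at '?' so the query string lands in its own group.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s?"]+)(?:\?(?P<query>[^\s"]*))? (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Return the named groups as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r]


# Heuristics (assumed values): recon paths, a UA no 2019 browser sends, same-second bursts, 4xx ratio.
RECON_PATHS = {"/robots.txt", "/sitemap.xml", "/.env", "/.git/config", "/wp-login.php"}
STALE_UA_RE = re.compile(r"MSIE [1-6]\.|Windows NT 5\.1")


def detect_crawlers(records, burst_threshold: int = 2, error_ratio: float = 0.5):
    """Group requests by client IP; return {ip: [reasons]} for IPs with at least one indicator."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, reqs in by_ip.items():
        reasons = []
        if any(r["path"] in RECON_PATHS for r in reqs):
            reasons.append("recon path")
        if any(STALE_UA_RE.search(r["ua"]) for r in reqs):
            reasons.append("stale user-agent")
        per_second = defaultdict(int)
        for r in reqs:
            per_second[r["time"]] += 1  # timestamps have 1 s resolution
        peak = max(per_second.values())
        if peak >= burst_threshold:
            reasons.append("burst: %d req/s" % peak)
        client_errors = sum(r["status"].startswith("4") for r in reqs)
        if client_errors / len(reqs) >= error_ratio:
            reasons.append("high 4xx ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in detect_crawlers(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(why))
```

Note that the regex anchors on the structure of the line rather than on the first IPv4-looking token, so an IP in the query string or user agent cannot be mistaken for the client address; for a proxied setup the real client would instead come from the `X-Forwarded-For` field, which this format does not carry.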
- The vulnerability in the following scenario
```
Suppose you build your own HTTP server with a file download feature that uses an Accept-Range header as the size of the response body, for example
GET /sth.zip
Accept-Range: 1-1024
Suppose sth.zip is only 512 bytes, while the backend mallocs the size given in Accept-Range.
What problems does this cause, and how would you exploit this binary vulnerability?
```
## Programming language
- Compare any two languages you are familiar with (INTERN)
- What other tools you have developed?
## Penetration testing
- What are some common vulnerabilities in AD (INTERN)
- What is Psexec (INTERN)
- What is golden ticket (INTERN)
- What is Kerberoasting (INTERN)
- What is a webshell, how do you get a webshell (INTERN)
- How do you use nmap (INTERN)
- Have you built any tools or scripts for pentesting? (INTERN)
- With end-goal of dumping a database, how you conduct the pentest (INTERN)
- how do you enumerate subdomains, name a few tools
- how do you do lateral movement
- how do you do persistence on a Mac PC
- how do you evade the EDR
- What distinctive approaches do you have for reconnaissance
- What do you usually do once you are inside the internal network
- Port 6379 (Redis) is open; how would you attack it
- You have access to the admin backend; how do you get a webshell
## Binary (PWN/RE)
- How do you approach RE for an executable (INTERN)
- What are the challenges in solving RE (INTERN)
- What is the difference in solving PWN and RE (INTERN)
- Name some obfuscators in LLVM (INTERN)
- What experience do you have with binaries
- How does IAT hooking work
- What is ROP and what security mechanism does it bypass
- How does binary expertise help an in-house (first-party) security team
- What a stack cookie (canary) does, and how to bypass it
- The hardest PWN challenge you have solved
- Do you know virtualisation
- Have you done kernel PWN
- Do you understand OS internals
- Explain compiler principles
- Difference between the GOT and the PLT
- How to exploit a double free
- The strcmp side-channel (timing) vulnerability
- NX/DEP protection and how to bypass it
- Uses of dynamic instrumentation
- Difficulties of symbolic execution
- How taint analysis works
- How the AFL fuzzer works
- How solvers like Z3 work
- Describe a real vulnerability you have worked with
- What classic vulnerabilities have you analysed (e.g. Windows kernel), especially technically clever ones
## Malware
- A malicious program sends encrypted data; how do you analyse it
- If you break on the socket functions but see no encryption routine in the call chain, why might that be, and what do you do
- If you set a breakpoint and it never triggers, what are the possible reasons
- In static analysis, how do you quickly locate the encryption functions
- Anti-VM techniques
- Anti-debugger techniques
- Can virtualisation bypass these anti-debugging techniques?
- With tens of millions of samples, how do you analyse them in bulk
- How do you do binary similarity search
- How is a CFG generated
- How do you define a basic block in a CFG
- How do you decide whether a region of code is a function
- The order in which function arguments are passed (calling convention)
- Differences between long jumps, short jumps and indirect jumps
- How would you build a library of known benign functions
- How would you make a piece of software hard to analyse
- How do you detect cryptographic algorithms in a sample
- If you had to develop a sandbox, how would you do it
- What heavily anti-debugged software have you encountered
- How does a rootkit hide itself
- Do rootkits contain exploits