Interview Questions | All About Testing
https://allabouttesting.org
Software Testing & Ethical Hacking Fundamentals
Feed last updated: Tue, 01 Aug 2023 15:28:07 +0000

CCNA Advanced Interview Questions
https://allabouttesting.org/ccna-advanced-interview-questions/
Tue, 07 Nov 2017 15:34:37 +0000
This is a questions-and-answers series of CCNA interview questions. For those who don't know, CCNA is a network certification, short for Cisco Certified Network Associate Routing & Switching. Passing this certification validates a candidate's ability to install, configure, operate, and troubleshoot medium-size routed and switched networks.

Q. Does a bridge divide a network into smaller segments?

Ans: A bridge is a simple network device that works at the data link layer. Basically, a bridge connects multiple LANs that use similar protocols to form a single LAN.

Q. Utilizing RIP, what is the limit when it comes to the number of hops?

Ans: RIP stands for Routing Information Protocol. RIP helps a router learn which other routers it can reach and also provides information about the distance to networks. The maximum number of hops allowed with RIP is 15. A hop count of 0 indicates a network directly connected to the router, while a hop count of 16 indicates that the destination is unreachable, since 15 is the limit.


Q. How do you configure a Cisco router to route IPX?

Ans: First you need to enable IPX routing. Once it is enabled, RIP and SAP are also enabled automatically.

#config t
(config)#ipx routing


Q. Why is UDP less favored when compared to TCP?

Ans: The main disadvantage of UDP compared to TCP is that UDP cannot be relied on for reliable delivery. When you use UDP for message transfer, there is no acknowledgment of the transferred message, while TCP assures that the message reaches the destination.


Q. What are some standards supported by the Presentation layer?

Ans: Some of the standards are listed below:

  • SSL
  • FTP
  • SSH
  • IMAP


Q. What does the show protocol display?

Ans: show protocols displays the list of configured protocols. This command shows the global and interface-specific status of any configured Layer 3 protocol.


Q. How do you go to privileged mode?

Ans: You can switch to privileged mode by using the enable command:

>enable

Q. What is Bandwidth?

Ans: Bandwidth simply describes how much information your network carries. Use of the bandwidth command restricts traffic based on the defined bandwidth (BW).

Q. What is the size of an IP address?

Ans: IP addresses are 32-bit numbers that contain two primary parts: the network prefix and the host number. IP addresses are further divided into three main classes: class A, class B, and class C.

00000000 xxxxxxxx xxxxxxxx xxxxxxxx (Class A)
00000000 00000000 xxxxxxxx xxxxxxxx (Class B)
00000000 00000000 00000000 xxxxxxxx (Class C)

Additional Questions

Q. What is BOOTP?

Q. What are the things that can be accessed in a Cisco router's identifying information?

Q. What causes a triggered update to reset the router hold-down timer?

Q. In configuring a router, what command must be used if you want to delete the configuration data that is stored in the NVRAM?

Q. What are the benefits of IPv6?

Q. What is the difference between a switch, a hub, and a router?

Q. What do data packets consist of?

Q. What is DHCP?

Q. What is the metric of the EIGRP protocol?

Q. What does the clock rate do?

Top 10 Interview Questions & Answers | TCP/UDP
https://allabouttesting.org/top-10-interview-questions-tcpudp/
Tue, 07 Nov 2017 15:29:41 +0000
Network traffic is mainly categorized into two types of packets: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Both protocols help establish the connection and transfer data between the two ends of a communication. Below are the TCP/UDP interview questions and answers generally asked in an interview.

Q1. Explain Transmission Control Protocol, TCP.

Ans:

  • TCP is a connection-oriented protocol. It simply means when data is transferred from source to destination, the protocol takes care of data integrity by sending the data packet again if it is lost during transmission.
  • TCP ensures reliability and an error-free data stream.
  • TCP packets contain fields such as Sequence Number, ACK Number, Data Offset, Reserved, Control Bits, Window, Urgent Pointer, Options, Padding, Checksum, Source Port, and Destination Port.

Q2. Explain User Datagram Protocol, UDP.

Ans: 

  • UDP is a connectionless protocol. In simple terms, if a data packet is lost during transmission, it is not sent again.
  • This protocol is suitable where minor data loss is not a major issue.

Q3. How does TCP work?

Ans: TCP uses a three-way handshake to establish a connection between client and server. It uses the single-bit SYN, ACK, and FIN flags for connecting two endpoints. After the connection is established, data is transferred sequentially, and if any packet is lost, it is retransmitted.

Q4. List out common TCP/IP protocols.

Ans:

  • HTTP – Used between a web client and a web server, for non-secure data transmissions.
  • HTTPS – Used between a web client and a web server, for secure data transmissions.
  • FTP – Used between two or more computers to transfer files.

Q5. Comparison between TCP/IP & OSI model.

Ans: TCP/IP is the alternate model that also explains the information flow in the network. It is a simpler representation in comparison to the OSI model but contains fewer details of protocols than the OSI model.

Q6. Is UDP better than TCP?

Ans: Both protocols are used for different purposes. If the user wants error-free, guaranteed delivery of data, TCP is the choice. If the user wants fast transmission and a little data loss is not a problem, UDP is the choice.

Q7. What is the port number of Telnet and DNS?

Ans: 

  • Telnet is a protocol used to access remote servers, but insecurely. Telnet uses port 23.
  • DNS is a protocol used to translate a domain name to an IP address. DNS uses port 53.

Q8. What is the UDP packet format?

Ans: The UDP packet format contains four fields:

  • Source Port and Destination Port fields (16 bits each): Endpoints of the connection.
  • Length field (16 bits): Length of the header and data.
  • Checksum field (16 bits): It allows packet integrity checking (optional).

Q9. What is the TCP packet format?

Ans: The TCP packet format consists of these fields:

  • Source Port and Destination Port fields (16 bits each)
  • Sequence Number field (32 bits)
  • Acknowledgement Number field (32 bits)
  • Data Offset (a.k.a. Header Length) field (variable length)
  • Reserved field (6 bits)
  • Flags field (6 bits), containing the flags URG, ACK, PSH, RST, SYN, FIN
  • Window field (16 bits)
  • Checksum field (16 bits)
  • Urgent Pointer field (16 bits)
  • Options field (variable length)
  • Data field (variable length)
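The three-way handshake from Q3 and the UDP and TCP header layouts from Q8 and Q9 are easiest to see in code. The following Python is an added example and not code from the original post: it packs and parses the fixed 20-byte TCP header and the 8-byte UDP header with the standard-library struct module, and walks the SYN, SYN-ACK, ACK exchange with both sides' segments. The port numbers and initial sequence numbers are constructed values, and the checksum is left at zero because computing it needs the IP pseudo-header, which this example does not model.

```python
import struct

# Bits of the 6-bit TCP Flags field, in the order Q9 lists them.
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCP_HEADER_LEN = 20   # fixed TCP header without options
UDP_HEADER_LEN = 8


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header (no options). Checksum is left as 0 because
    it also covers an IP pseudo-header that this example does not build."""
    data_offset = TCP_HEADER_LEN // 4              # header length in 32-bit words
    offset_reserved_flags = (data_offset << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_reserved_flags, window, 0, 0)


def parse_tcp_header(data):
    """Unpack the fixed TCP header fields from raw bytes."""
    if len(data) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, offset_reserved_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:TCP_HEADER_LEN])
    header_len = (offset_reserved_flags >> 12) * 4   # Data Offset: top 4 bits
    flag_bits = offset_reserved_flags & 0x3F         # Flags: low 6 bits
    if header_len < TCP_HEADER_LEN or header_len > len(data):
        raise ValueError("Data Offset inconsistent with segment size")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for name, bit in TCP_FLAGS if flag_bits & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": data[TCP_HEADER_LEN:header_len],
    }


def parse_udp_header(data):
    """Unpack the four UDP fields and sanity-check the Length field."""
    if len(data) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    src, dst, length, checksum = struct.unpack("!HHHH", data[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(data):
        raise ValueError("UDP Length field inconsistent with datagram size")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": data[UDP_HEADER_LEN:length]}


def three_way_handshake(client_isn=1000, server_isn=5000,
                        client_port=40000, server_port=80):
    """Simulate the SYN, SYN-ACK, ACK exchange. Each segment is packed by the
    sender and parsed by the receiver; returns (sender, flags, seq, ack)."""
    exchange = []

    def send(sender, segment):
        fields = parse_tcp_header(segment)
        exchange.append((sender, fields["flags"], fields["seq"], fields["ack"]))
        return fields

    # 1. Client proposes its initial sequence number (ISN).
    syn = send("client", build_tcp_header(client_port, server_port,
                                          client_isn, 0, FLAG_SYN))
    # 2. Server acknowledges ISN+1 and proposes its own ISN.
    syn_ack = send("server", build_tcp_header(server_port, client_port, server_isn,
                                              syn["seq"] + 1, FLAG_SYN | FLAG_ACK))
    # 3. Client acknowledges the server ISN+1; the connection is established.
    send("client", build_tcp_header(client_port, server_port,
                                    syn_ack["ack"], syn_ack["seq"] + 1, FLAG_ACK))
    return exchange


if __name__ == "__main__":
    for step in three_way_handshake():
        print(step)
```

The parsers reject a Data Offset or UDP Length that points past the end of the captured bytes; that is the bounds check a packet filter or IDS needs before it trusts the payload offsets it computes from the header.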

Q10. List out common TCP/IP ports and protocols.

Ans: Common TCP/IP ports and protocols:

Protocol                                     Port Number   RFC         TCP/UDP
File Transfer Protocol (FTP)                 20/21         959         TCP
Secure Shell (SSH)                           22            4250-4256   TCP
Telnet                                       23            854         TCP
Simple Mail Transfer Protocol (SMTP)         25            5321        TCP
Domain Name System (DNS)                     53            1034-1035   TCP/UDP
Dynamic Host Configuration Protocol (DHCP)   67/68         2131        UDP
Trivial File Transfer Protocol (TFTP)        69            1350        UDP

Top 10 Interview Questions & Answers | OSI Model
https://allabouttesting.org/top-10-interview-questions-osi-model/
Tue, 07 Nov 2017 15:27:33 +0000
The OSI model is an important concept if you want to understand networking. Remember, the OSI model is not a network architecture, as it does not specify the services and protocols at each layer. The OSI model is helpful for understanding the functionality of each layer and what flows into and out of the different layers. Today we will discuss the most asked interview questions on the OSI model.

Q1. Define OSI layers.

Ans: OSI stands for Open Systems Interconnection. There are 7 layers in the OSI model, and each layer has a different capability. The OSI model helps networking professionals understand information flow from a source to a destination, although the OSI model itself does not perform any function in the networking process.

Remember, all devices and software applications use the OSI model to explain data flow between source and destination.

[Figure: OSI Model Information Flow]


Q2. Are there any alternative models to the OSI model? If yes, define it.

Ans: TCP/IP is the alternate model that also explains the information flow in the network. It is a simpler representation compared to the OSI model but contains fewer details of protocols than the OSI model.

Q3. What is the difference between TCP and UDP?

Ans: TCP and UDP: Comparison between Two Transport Protocols

Acronym
  TCP: Transmission Control Protocol
  UDP: User Datagram Protocol

Connection
  TCP: Connection-oriented protocol
  UDP: Connectionless protocol

Function
  TCP: Message transfer from source to destination in an ordered and error-checked stream.
  UDP: Message transfer from one point to another without checking order or errors in the stream.

Usage
  TCP: High reliability, more transmission time
  UDP: Low reliability, less transmission time

Reliability
  TCP: Guarantees data transfer and that data arrives in the same order in which it was sent.
  UDP: No guarantee that the messages or all packets sent will reach the destination.

Other protocols
  TCP: HTTP, HTTPS, FTP, SMTP, Telnet
  UDP: DNS, DHCP, TFTP, SNMP, RIP, VoIP

Header size
  TCP: 20 bytes
  UDP: 8 bytes

Headers
  Fields in the TCP header: Sequence Number, ACK Number, Data Offset, Reserved, Control Bits, Window, Urgent Pointer, Options, Padding, Checksum, Source Port, Destination Port
  Fields in the UDP header: Length, Source Port, Destination Port, Checksum

Handshake
  TCP: Three-way handshake
  UDP: No handshake

Data flow control
  TCP: Controls the flow of data
  UDP: Does not have an option for flow control of data

Q4. What is the importance of the Physical Layer in the OSI model?

Ans: The Physical layer is the first layer. It connects systems physically and represents the actual transfer of information from source to destination as a bitstream – electrical impulses, light, or radio signals. In simple words, it accepts a frame from the data link layer and converts it into bits, and it accepts bits from the physical medium and converts them into a frame. It manages the Network Interface Card's (NIC) hardware interface, such as cabling, voltage levels, etc.
Standard protocols for this layer are EIA/TIA-232, EIA/TIA-449, X.21, HSSI, V.24, V.35, and SONET.

Q5. Which layers perform error detection and flow control?

Ans: Layer 2, the Data Link layer, encodes data into bits for transmission and decodes it on receipt. This layer is the firmware layer of the NIC. It converts datagrams into frames and adds start and stop flags to each frame.

The data link layer is further divided into two sublayers: The Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. This layer also performs error checking and flow control.

Q6. How does the network administrator detect the problem?

Ans: Network administrators may use the OSI model to understand the information flow and try to find problems by further understanding each layer’s protocols. Experience in networking reduces the time to find problems and resolve them. Network problems may be a loose physical connection, configuration issues, etc.


Q7. What is the difference between flow control and error control?

Ans: As the name suggests, flow control controls the rate at which information is transmitted to ensure efficient delivery of data to the receiver. Error control checks for and corrects errors in the data bits and packets.

Q8. What is Data encapsulation?

Ans: Data encapsulation is the process of adding extra information at each layer of the OSI model while information flows from one host to another. This information includes the source and destination address, protocol information, type of data, etc.

Q9. What are the differences between the MAC sublayer and LLC sublayer?

Ans: The MAC sublayer is the Media Access Control sublayer. MAC addresses work at Layer 2, the Data Link layer. This sublayer controls permission to transmit data.

LLC sublayer stands for Logical Link Control layer. This layer controls frame synchronization, flow control, and error checking.

Q10. What is the difference between half-duplex and full-duplex?

Ans: In a half-duplex, information can flow in both directions but not simultaneously. While in full-duplex, information can flow in both directions simultaneously.

Miscellaneous Questions

Q. Explain the role of the presentation layer.

Ans: The presentation layer is number 6 in the OSI model. On the sending system, it receives data from the application layer, transforms and encrypts it into a legible format, and passes it to the session layer. On the receiving system, it simply converts the incoming data from the session layer so that the data is readable at the application layer.

Q. Explain the role of the Transport layer.

Ans: The transport layer is number 4 in the OSI model. The different roles of the transport layer are listed below:

  1. to check the reliability of data
  2. flow control of data
  3. to check the order of data
  4. ensure the reliability of data
  5. to prevent congestion

Top 12 SSL/TLS Interview Questions | Network Security
https://allabouttesting.org/top-12-ssl-interview-questions-and-answers-network-security/
Tue, 07 Nov 2017 15:24:32 +0000
SSL, short for Secure Socket Layer, is solely responsible for protecting data during transfer from source to destination. Here is a list of SSL interview questions and answers generally asked in an interview.

Q1. What are SSL/TLS certificates?

Ans: SSL/TLS is a standard security protocol that ensures the confidentiality and integrity of data while in transit. It encrypts the data flow between the web browser and the web server, which ensures confidentiality. Also, the web server and the browser exchange keys to decrypt the data, which ensures the integrity of the data.

Q2. Explain how SSL/TLS works.

Ans: SSL/TLS layer provides confidentiality and integrity while data is transmitted from source to destination.

Steps involved:

  1. The user initiates the connection by typing the website address. The browser starts SSL/TLS communication by sending a message to the website's server.
  2. The website's server sends back its public key or certificate to the user's browser.
  3. The user's browser checks the public key or certificate. If it is OK, the browser creates a symmetric key and sends it back to the website's server; if the certificate is not OK, the communication fails.
  4. On receiving the symmetric key, the website's server uses it to encrypt the requested data.
  5. The user's browser decrypts the content using the symmetric key, which completes the SSL/TLS handshake. The connection is now established and the user can see the content.


Q3. What are asymmetric and symmetric encryption?

Ans: The major difference between symmetric and asymmetric cryptography is that symmetric cryptography uses a single key for both encryption and decryption, while asymmetric cryptography uses a public key and a private key for encryption and decryption.

Q4. How does SSL/TLS use both asymmetric and symmetric encryption?

Ans: SSL uses symmetric encryption to encrypt data between the browser and the web server. In contrast, asymmetric encryption is used to exchange the generated symmetric key, which also validates the identity of the client and server.

Q5. What is a Certificate Signing Request (CSR)?

Ans: A Certificate Signing Request, or CSR, is encoded information that contains the applicant's details such as the common name, the name of the organization, email address, city, state, and country. This encoded information is used by the Certifying Authority (CA) to issue an SSL certificate to the applicant.

Q6. What does a CSR look like?

Ans: A CSR is base64-encoded text that starts with a "-----BEGIN CERTIFICATE REQUEST-----" line and ends with an "-----END CERTIFICATE REQUEST-----" line.
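Because a CSR is just PEM armor around base64-encoded DER, the framing can be checked before the request is handed to a CA. The Python below is an added example, not code from the original post: it validates the BEGIN/END lines, decodes the body, and checks that the outer DER SEQUENCE length matches the decoded size, which is how truncated or hand-edited requests are caught early. The SAMPLE_PEM constant is a constructed placeholder whose DER payload is a minimal SEQUENCE containing one INTEGER, not a real certificate request.

```python
import base64
import re

BEGIN_LINE = "-----BEGIN CERTIFICATE REQUEST-----"
END_LINE = "-----END CERTIFICATE REQUEST-----"

# Constructed sample for demonstration only: the DER inside is
# SEQUENCE { INTEGER 5 } (bytes 30 03 02 01 05), not a real CSR.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def der_sequence_length(der):
    """Return (declared content length, header size) of the outer DER SEQUENCE.
    Handles the short form (one length byte < 0x80) and the long form
    (0x80 | N followed by N big-endian length bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    first = der[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length encoding")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def parse_pem_csr(text):
    """Validate the PEM armor of a CSR, base64-decode the body and check that
    the DER SEQUENCE length is consistent with the decoded size.
    Returns the DER bytes."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != BEGIN_LINE or lines[-1] != END_LINE:
        raise ValueError("missing or mismatched BEGIN/END CERTIFICATE REQUEST lines")
    body = "".join(lines[1:-1])           # PEM wraps the body at 64 characters
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("PEM body contains non-base64 characters")
    der = base64.b64decode(body, validate=True)
    length, header_size = der_sequence_length(der)
    if header_size + length != len(der):
        raise ValueError("DER SEQUENCE length does not match the decoded size")
    return der


def csr_summary(text):
    """Sizes a practitioner would log before forwarding the request to a CA."""
    der = parse_pem_csr(text)
    length, _header_size = der_sequence_length(der)
    return {"der_bytes": len(der), "sequence_body_bytes": length}


if __name__ == "__main__":
    print(csr_summary(SAMPLE_PEM))
```

Decoding the fields inside the SEQUENCE (subject name, public key, signature) needs a full ASN.1 parser; the framing check above is the part that can be done with the standard library alone.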

Q7. Discuss some public-key encryption algorithms used in SSL.

Ans: Public-key encryption is used to exchange the symmetric key between the browser and the web server. Some of the algorithms used are Elliptic Curve Cryptography (ECC), RSA, etc.

Q8. What are pre-shared key encryption algorithms?

Ans: Pre-shared key encryption algorithms refer to the symmetric-key algorithms used to encrypt data between the browser and the web server. The most commonly used pre-shared key encryption algorithms are Twofish, AES, and Blowfish.


Q9. What are the authentication levels of SSL/TLS certificates?

Ans: Authentication levels refer to the trustworthiness of a hosted URL. Certifying Authorities (CAs) issue certificates to an organization after validating its identity. Certificates are mainly categorized into Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV).

Q10. Explain Domain Validation (DV) authentication in SSL.

Ans: This is the lowest level of validation done by the Certifying Authority (CA) to issue a certificate to an organization. Here, CA only verifies whether an organization controls the domain or not. This process can be done via email.

Q11. Explain Organization Validation (OV) authentication in SSL.

Ans: This is the medium level of validation done by the Certifying Authority (CA) to issue a certificate to an organization. Here, CA validates the name, state, and country of an organization. This process can be done by physically verifying the organization’s location.

Q12. Explain Extended Validation (EV) authentication in SSL.

Ans: This is the highest level of validation done by the Certifying Authority (CA) to issue a certificate to an organization. Here, CA validates ownership, physical location, state, and country of organization. This process can be done by physically verifying the organization’s location and checking its legal existence.

Interview Questions & Answers | Information Security
https://allabouttesting.org/interview-questions-answers-information-security-analyst/
Tue, 07 Nov 2017 15:22:52 +0000
Information Security is one of the fastest-growing fields in the IT sector, and practitioners need to keep enhancing their skills. In this article, we have listed the interview questions and answers generally asked in Information Security.

Q1. Explain what is the role of an information security analyst.

Ans: As an information security analyst, you need to perform many tasks to secure an organization from cyber attacks. Some of them are:

  • Conduct regular Vulnerability Assessment (VA) / Penetration Testing (PT) of the IT infrastructure
  • Prepare the plan to secure the assets of the organization
  • Update deployed software regularly
  • Implement IDS/IPS in the network for monitoring traffic
  • Recommend purchases of security infrastructure such as firewalls, load balancers, antivirus, etc.
  • Analyze the root cause of any past security breach
  • Conduct sessions to train the employees of the organization
  • Suggest tools and techniques to enhance the security of the organization
  • Conduct security audits
  • Create security policies for the organization
  • Plan and implement recovery of organization data in case of a network disaster

Q2. Mention what is data leakage. What are the factors that can cause data leakage?

Ans: In simple terms, data leakage is defined as the availability of confidential data to unauthorized persons. There can be many reasons for data leakage, such as a security breach by a hacker, security misconfiguration of servers, backups stored in a less secure place, a logic flaw in a web application that results in a data leak, etc.

Q3. List out the steps to successful data loss prevention controls.

Ans: Some data loss prevention controls are listed below. The list is not exhaustive, but going through it gives a clear idea of the possible steps:

  • Create an information risk profile for all data stored in the data center
  • Create an impact severity and response chart that helps the organization categorize data
  • Based on severity, plan how to prioritize breach incidents
  • Assign and document the roles and responsibilities of the network administrator, incident analyst, auditor, and forensic investigator
  • Implement data loss prevention controls
  • Monitor and review the results of the deployed data loss prevention techniques weekly or monthly, based on criticality

Q4. Explain what is the 80/20 rule of networking.

Ans: 80/20 is a rule used for describing IP networks. According to this rule,  80% of network traffic should remain local while only 20% should be routed towards a remote network. This rule is more applicable to small-medium-sized network environments.

Q5. Mention what personal practices you should follow to protect data.

Ans: If you want to protect the data on your personal computer, some measures are:

  • Always use genuine software
  • Install antivirus/anti-spyware
  • Never share your password with anyone
  • If possible, always encrypt your personal data
  • Ensure the operating system is updated with security patches
  • plan to back up your data

Q6. What is WEP cracking? 

Ans: WEP stands for Wired Equivalent Privacy, a security algorithm for wireless networks. As the name suggests, WEP cracking means exploiting the vulnerabilities present in a WEP-protected wireless network to gain access to confidential information.

Q7. Explain what is phishing. How can it be prevented?

Ans: Phishing is a technique for fooling users into submitting confidential information, such as passwords and credit card numbers, on fake web pages.

Prevention:

  • If possible, only interact with secure websites
  • Never download an attachment from an unknown person
  • Never email your financial information

Q8. Mention what are web server vulnerabilities.

Ans: Some common web server vulnerabilities are:

  • Default settings
  • Default username and password
  • Security Patches not installed regularly
  • Misconfiguration
  • vulnerabilities in the operating system

Q9. List the techniques used to prevent web server attacks.

Ans: Some techniques used to prevent web server attacks are:

  • Secure installation and configuration of the OS
  • Safe installation and configuration of the webserver software
  • Scanning system vulnerability
  • Remote administration disabling
  • Removing unused and default account
  • Changing default ports and settings to customs port and settings
  • Anti-virus and firewalls

Q10. Which certifications are useful for security analysts?

Ans: 

Security Essentials (GSEC):  Good for systems security administration.

Certified Security Leadership: Enhancing knowledge of how to lead the security team.

CISSP: Good for mid-level management people in Information Security.

Certified Forensic Analyst:  It helps in enhancing knowledge to collect and analyze data from Windows and Linux computer systems.

Certified Firewall Analyst: It helps in enhancing knowledge in configuring routers, firewalls, and perimeter defense systems.

Offensive Security Certified Professional (OSCP): Concentrates on the deep technical knowledge required for penetration testing.

Q11. What is the goal of information security within an organization?

Ans: The goal of Information Security is to address the CIA triad. CIA stands for Confidentiality, Integrity, and Availability.
Confidentiality: It limits access to information. It is implemented by Encryption, Access control, and other security measures.
Integrity: It is the assurance that the information is not altered. It is implemented by using Hashing, Digital signatures, Certificates, and Non-repudiation.
Availability: It is a guarantee of reliable access to information by authorized people. It is implemented by creating redundancy (like a DR site) and fault tolerance.

Q12. How would you harden user authentication?

Ans: User authentication can be hardened by using two-factor authentication.
Two-factor authentication combines "what they have" AND "what they know".
"What they have" and "what they know" generally refer to security tokens and passwords, respectively.

Q13. What are the steps to secure a server?

Ans: Steps to secure a server:

  1. Implement SSH keys.
  2. Apply patches and perform regular vulnerability assessments of routers, firewalls, and other network devices.
  3. Implement VPNs and private networking to create secure connections between remote computers and servers.
  4. Public Key Infrastructure and SSL/TLS encryption.
  5. Service auditing: know which services are running on systems, which ports are used for communication, and which protocols are accepted. This data helps the network administrator configure the firewall.
  6. File auditing and Intrusion Detection Systems: file auditing compares the current system against a record of the files, and an Intrusion Detection System (IDS) monitors a system or network for unauthorized activity.
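Step 6, comparing the current system against a record of its files, is the core of a host-based integrity checker. The Python below is an added example, not code from the original post or from any particular tool: it walks a directory tree, records a SHA-256 digest, size and permission bits for every regular file, stores that baseline as JSON, and reports which files were added, removed or modified on the next run. The directory paths are supplied by the caller; nothing in the block is tied to a specific system.

```python
import hashlib
import json
import os


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every regular file under
    `root`, keyed by path relative to root. Symlinks are skipped so the
    record describes the files themselves, not whatever they point at."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            info = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": info.st_size,
                "mode": info.st_mode & 0o777,   # a chmod is a change worth flagging
            }
    return baseline


def compare_baselines(old, new):
    """Diff two baselines. A file is 'modified' if any recorded attribute
    changed, so a permission change is reported even if the content is equal."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


if __name__ == "__main__":
    import sys
    # Usage: python integrity.py <directory> <baseline.json>
    # First run writes the baseline; later runs print the diff against it.
    root, store = sys.argv[1], sys.argv[2]
    current = build_baseline(root)
    if os.path.exists(store):
        print(json.dumps(compare_baselines(load_baseline(store), current), indent=2))
    else:
        save_baseline(current, store)
        print("baseline written:", len(current), "files")
```

Keep the baseline file outside the audited tree and on read-only or separately protected storage; an attacker who can rewrite the baseline along with the files defeats the check.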

Q14. List out some important encryption techniques.

Ans: Encryption techniques are:

  1. Triple DES
  2. RSA
  3. Blowfish
  4. Twofish
  5. AES

Q15. How do you determine a vulnerability’s severity?

Ans: Generally, link severity with business risk. If a vulnerability is not actually exploitable but fixing it takes little effort, it is good to fix it anyway. Try to find the risks associated with the business: if the business may get hurt because of the vulnerability, the severity will be high, and vice versa.

Q16. How do you find security flaws in source code – manual analysis, automated tools, or both? 

Ans: It is very difficult to analyze thousands of lines of source code without using any automated tools. To find security flaws in source code, generally, both manual analysis and automated tools are used by a security analyst.

Q17. List the top 10 Web security vulnerabilities as per OWASP.

Ans: OWASP Top 10:2021 List

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery (SSRF)

Q18. What is DDoS and what tools are used for DDoS attacks?

Ans: DDoS stands for Distributed Denial of Service.
DDoS is a type of DoS attack in which multiple compromised systems attack the servers hosting an application and exhaust all of their resources.
Tools used for DDoS are LOIC, hyenae, HULK, etc.

Q19. What’s more secure, SSL, or TLS?

Ans: SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines, and applications operating over a network. Both use similar ciphers and message digests.

SSL v3.0
  • Was exploited by the POODLE attack and is now obsolete. Must not be used.

TLS v1.3
  • The newest TLS protocol and the most secure.
  • Enables better use of more secure ciphers.
  • Features enhanced negotiation of encrypted connections.

Q20. What is DNS monitoring?

Ans: DNS monitoring uses network monitoring tools to test connectivity between your authoritative name servers and local recursive servers.
DNS monitoring allows you to test that:

  • Your DNS server correctly resolves the URL that you have provided to the expected IPs.
  • The URL you provided is correctly resolved to the expected IPs by the common DNS server you specified.
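The two checks above reduce to "does the resolver return exactly the addresses I expect for this name". The Python below is an added example, not code from the original post: it resolves each monitored name through the system resolver, diffs the answer against the expected set, and reports missing or unexpected addresses (the latter being the signature of a hijacked or stale record) without aborting on the first lookup failure. The names and addresses in EXPECTED are constructed placeholders using reserved documentation ranges. Querying one specific DNS server rather than the system resolver would need a DNS client library such as dnspython, so the resolver is passed in as a function to keep that pluggable.

```python
import socket


def resolve_ipv4(hostname):
    """Default resolver: every IPv4 address the system resolver returns."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_dns(hostname, expected_ips, resolver=resolve_ipv4):
    """Resolve `hostname` and compare the answer set with `expected_ips`.
    A lookup failure is reported in the result rather than raised, so a
    monitoring run can continue with its other targets."""
    expected = set(expected_ips)
    try:
        observed = set(resolver(hostname))
        error = None
    except OSError as exc:            # socket.gaierror is an OSError subclass
        observed, error = set(), str(exc)
    return {
        "hostname": hostname,
        "ok": error is None and observed == expected,
        "missing": sorted(expected - observed),     # expected but not returned
        "unexpected": sorted(observed - expected),  # returned but not expected
        "error": error,
    }


def monitor(targets, resolver=resolve_ipv4):
    """Run check_dns over a {hostname: [expected IPs]} map and return only
    the results that need attention."""
    results = (check_dns(host, ips, resolver) for host, ips in targets.items())
    return [result for result in results if not result["ok"]]


# Constructed sample targets: reserved documentation names and addresses
# (RFC 2606 .test, RFC 5737 192.0.2.0/24 and 198.51.100.0/24), not real hosts.
EXPECTED = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
    "mail.example.test": ["198.51.100.25"],
}

if __name__ == "__main__":
    for alert in monitor(EXPECTED):
        print(alert)
```

Run it from the vantage points that matter (inside the office network and from an external host), since a resolver that is poisoned or misconfigured in one place will look healthy from another.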

Manual Testing | Interview Questions & Answers
https://allabouttesting.org/manual-testing-interview-questions-answers-part-1/
Tue, 07 Nov 2017 15:20:59 +0000
Manual Testing is an evergreen field in the IT industry. As new technology arrives every day, more and more resources are needed to test applications thoroughly. Here is a list of manual testing interview questions and answers frequently asked in an interview.


Q1. What is risk-based testing?

Ans: Risk-based testing is an approach to software testing in which the tester tests the application according to the risk involved. Suppose one particular module handles payments (which is critical for any organization); that feature then gets more elaborate test cases than the others: the more risk, the higher the priority and the greater the number of test cases for that module.

Q2. What is the KEY difference between preventative and reactive approaches to testing?

Ans: As the name suggests, the preventive approach to testing creates test cases before software development, based primarily on documentation, while creating test cases after development is the reactive approach to testing.

Q3. What is the purpose of exit criteria?

Ans: Exit criteria are generally identified in the test plan before the actual testing starts. They define the point at which testers stop testing the product. Exit criteria may be the number of requirements tested, coverage of the design document, etc.

Q4. When Is Decision table testing used?

Ans: A decision table, also called a cause-effect table, combines the inputs and outputs of the system for better coverage. It is generally used when a software module has many conditions.

Q5. What is Rapid Application Development?

Ans: Rapid Application Development is a software development process in which the team obtains requirements quickly from the client on the basis of a prototype. It is generally employed when the product must be deployed urgently, within 2-3 months.

Q6. What is component testing?

Ans: Suppose a piece of software has 10 components. Testing each component thoroughly before testing the software as a whole is called component testing.

Q7. What are the different methodologies in Agile Development Model?

Ans: The different methodologies in the Agile Development Model are:

  • Agile Modeling
  • Agile Unified Process (AUP)
  • Dynamic Systems Development Method (DSDM)
  • Essential Unified Process (EssUP)
  • Extreme Programming (XP)
  • Feature Driven Development (FDD)
  • Open Unified Process (OpenUP)
  • Scrum
  • Velocity tracking

Q8. What is typically the MOST important reason to use risk to drive testing efforts?

Ans: As testing every feature is impossible, testers use risk as the basic approach to creating test cases: the more risk a feature carries, the more it is tested.

Q9. What is random/monkey testing? When is it used?

Ans: Random testing, or monkey testing, is when a tester exercises features randomly to find new bugs. It is generally performed in the early stages of testing.

Q10. What are the phases of a formal review?

Ans: Phases of formal review:

  • Planning
  • Kick-off
  • Preparation
  • Review meeting
  • Rework
  • Follow-up

Top 10 Interview Questions | OWASP TOP 10
https://allabouttesting.org/top-10-interview-questions-owasp-top-10-application-security/
Tue, 07 Nov 2017 15:17:07 +0000

OWASP Top 10 is a list of the top 10 vulnerabilities released by OWASP. OWASP is a non-profit organization that works to spread awareness of practices for secure web applications. Here is a list of interview questions and answers on the OWASP Top 10 which are frequently asked in interviews.

Q1. What is OWASP? Also Mention OWASP TOP 10 2021.

Ans: OWASP is a non-profit organization that releases the top 10 web vulnerabilities. It works as a community of cybersecurity professionals who constantly work to build an ecosystem of awareness about secure web applications. OWASP recently released a new Top 10 for 2021:

  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable and Outdated Components
  • A07 Identification and Authentication Failures
  • A08 Software and Data Integrity Failures
  • A09 Security Logging and Monitoring Failures
  • A10 Server Side Request Forgery (SSRF)

Q2. Mention what flaw arises from session tokens having poor randomness across a range of values.

Ans: The issue is session hijacking, which relates to A2:2017 Broken Authentication. It is also called cookie hijacking. In this type of attack, a valid computer session (sometimes also called a session key) is exploited to gain unauthorized access to information or services in a system. This flaw arises when the session key has poor randomness.

Q3. How to mitigate SQL Injection risks?

Ans: Mitigations for SQL injection:

  • Prepared statements with parameterized queries: always ensure that your SQL interpreter can distinguish code from data. Never use dynamic queries, which blur that difference; instead, write a static SQL query and pass the external input to it as a parameter. Prepared statements (with parameterized queries) force the developer to define all the SQL code first and pass each parameter to the query afterwards.
  • Use of stored procedures: a stored procedure is like a function in C that the database administrator calls whenever it is needed. It does not completely mitigate SQL injection, but it definitely reduces the risk by avoiding dynamic SQL generation inside the procedure.
  • Whitelist input validation: always use whitelist input validation and allow only input preapproved by the developer. Never use a blacklist approach, as it is less secure than a whitelist approach.
  • Escaping all user-supplied input
  • Enforcing least privilege


Q4. How to mitigate the risk of Weak authentication and session management?

Ans: Weak authentication and session management can be mitigated by strong authentication and session management controls, such as the following:

  • Comply with all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS), areas V2 (Authentication) and V3 (Session Management).
  • Always provide a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
  • Use standard practices to protect session IDs from cross-site scripting attacks.

Q5. How to mitigate the risk of Sensitive Data Exposure?

Ans: The following mitigation techniques protect applications from sensitive data exposure:

  • Prepare a threat model to secure data both in transit and at rest from both types of attacker (e.g., an insider and an external user).
  • Encrypt data to protect it from cyber attacks.
  • Never store sensitive data unnecessarily. Discard it as soon as possible; data you don't have can't be stolen.
  • Disable autocomplete on forms that collect sensitive data and disable caching for pages that contain sensitive data.
  • Always ensure that strong standard algorithms and strong keys are used and that proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
  • Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.

Q6. What is a bug bounty?

Ans: A bug bounty is a program run by many large organizations that rewards individuals who report security vulnerabilities to them. These organizations generally publish the vulnerabilities on their websites after fixing them.

Q7. What Is Failure to Restrict URL Access?

Ans: This vulnerability was removed from the OWASP Top 10 in 2013. The issue relates to forced browsing, where a user forcibly accesses URLs that the user is not supposed to access. Through this vulnerability, an attacker may guess links or use brute-force techniques to find unprotected pages.

Q8. How to Prevent Breaches Due to Failure to Restrict URL Access?

Ans: This can be mitigated by using secure techniques for proper authentication and authorization on each page of the web application. Some mitigation techniques are described below:

  • Implement authentication and authorization policies based on roles rather than on individual users.
  • Make the policies highly configurable, in line with standard practices.
  • Deny all access by default, and allow only those functions that the user needs.

Q9. How can we Protect Web Applications From Forced Browsing?

Ans: To protect web applications from forced browsing, strictly monitor access-control settings to be accurate and up-to-date on every page and application on the site.

Q10. Mention what is the basic design of OWASP ESAPI.

Ans: OWASP ESAPI is short for OWASP Enterprise Security API, voluntarily developed by the OWASP community to provide a free, open-source web application security control library that helps web developers build less vulnerable web applications.

The basic design of OWASP ESAPI is a set of security control interfaces. For each security control there is a reference implementation, which can be adapted to the requirements of the organization.

Interview Questions : CCNA | Network Security
https://allabouttesting.org/interview-questions-ccna-network-security/
Tue, 07 Nov 2017 15:15:19 +0000

This is a questions-and-answers series of CCNA interview questions. For those who don't know about CCNA, it is a networking certification, short for the Cisco Certified Network Associate Routing & Switching (CCNA) certification. Passing this certification validates the ability of candidates to install, configure, operate, and troubleshoot medium-size routed and switched networks.

Q1. What is the purpose of the Data Link?

Ans: The Data Link layer is the second of the seven layers of the OSI model. OSI stands for Open Systems Interconnection; the model is used as a standard for communicating digital data from source to destination.

For incoming data, the Data Link layer detects and corrects errors in the data stream coming from the physical layer.

For outgoing data, this layer receives data from the network layer and converts it into frames, then adds addressing information in a header on each frame. It also provides a flow control mechanism and an error control mechanism.

Q2. When does network congestion occur?

Ans: Network congestion is the term for when there is so much data in the network layer that it slows down network response time.

Congestion is the main reason for deteriorating quality in terms of data packet loss and more latency.

Q3. Differentiate full-duplex from half-duplex.

Ans: In simple words, full-duplex communication allows two-way communication at the same time, while half-duplex also allows two-way communication, but not simultaneously.

Q4. What is Network latency?

Ans: Latency is a term used to denote the time duration for getting output after providing input. Ideally, network latency should be zero.

Q5. Explain the benefits of VLANs.

Ans: A virtual LAN (VLAN) is a combination of one or more LANs configured so that all the workstations appear to be on the same network virtually.

Benefits:

  • If configured correctly, it improves the performance of a network.
  • Improves the overall security of the network.

Q6. How does RIP differ from IGRP?

Ans: RIP and IGRP are different routing protocols. RIP stands for Routing Information Protocol, while IGRP stands for Interior Gateway Routing Protocol. Both are distance vector protocols.

RIP chooses the best route to a network based on the number of hops, while IGRP chooses the best route based on bandwidth, reliability, MTU, and hop count.

Q7. What are the different memories used in a CISCO router?

Ans: Here is the list of memories used in the CISCO router:

  • ROM (Read Only Memory)
  • RAM (Random Access Memory)
  • Flash RAM
  • NVRAM (Non-Volatile Random Access Memory)

Q8. What is 100BaseFX?

Ans: 100BASE-X is also referred to as "Fast Ethernet". It provides a data transmission speed of 100 Mbps using baseband signalling.

Q9. What are the advantages of a layered model in the networking industry?

Ans: Here are the advantages of a layered model in the networking industry:

  • Promotes industry standardization by defining the role of each layer.
  • Network administrators can troubleshoot problems in one layer without affecting the other layers.

Q10. What is HDLC?

Ans: HDLC stands for High-level Data Link Control. It refers to the group of rules and protocols for transmitting data between different network nodes.

Q11. What is Routing?

Ans: Routing is the process of identifying the path for traffic in a network, or between or across multiple networks.

Q12. What is BootP?

Ans: BootP is also called Boot Program. This protocol assigns an IP address when a computer is connected to a network and boots its operating system.

Q13. How does cut-through LAN switching work?

Ans: In cut-through LAN switching, the router forwards the frame to the next segment as soon as it has read the destination address, without waiting for the whole frame.

Q14. What are the different IPX access lists?

Ans: Standard and Extended are the two kinds of IPX access lists.

A Standard access list filters network traffic based only on the source or destination IP address.

An Extended access list filters network traffic based on source and destination IP addresses, ports, sockets, and protocols.

Q15. What’s the simplest way to remotely configure a router?

Ans: The Cisco AutoInstall procedure is available to configure a router remotely. Obviously, the router needs to be connected to the internet or a LAN.

Q16. How are internetworks created?

Ans: Internetwork is a collection of many different networks to create a large network. Internetworks are created by using routers to connect different networks.

Q17. Give some benefits of LAN switching.

Ans: Here are some benefits of LAN switches:

  • Increased network scalability
  • Less congestion
  • Low latency
  • No single point of failure
  • Improved bandwidth performance
  • More simultaneous network connections

Q18. Briefly, explain the conversion steps in data encapsulation.

Ans: When a user sends an email or orders a pizza on a website, the data is converted into segments. The segments are passed down the OSI layers and converted into packets, and the packets are then converted into frames. Frames are not transmitted directly over physical cables either; they are converted into bits before actual transmission.

Q19. Differentiate Logical Topology from Physical Topology.

Ans: Logical topology defines how data is transmitted from source to destination irrespective of the physical connection of the devices.

Physical Topology is an actual physical interconnection of cables that are laid down for connectivity.

Q20. What is the role of the LLC sublayer?

Ans: The logical link control (LLC) is the upper sublayer of the data link layer of the OSI model. It provides flow control to the network layer by using different codes. Error correction is another function of this sublayer.

Top 10 Interview Questions: Cross-Site Scripting | OWASP | Application Security
https://allabouttesting.org/top-10-interview-questions-cross-site-scripting-owasp-application-security/
Tue, 07 Nov 2017 15:11:19 +0000

Cross-Site Scripting (XSS) is the most commonly found vulnerability in web applications, and mitigating it is also very tricky. This article covers the top 10 interview questions on XSS.

Q1. What is Cross-Site Scripting (XSS)?

Ans: With the Cross-Site Scripting (XSS) technique, users unintentionally execute malicious scripts (also called payloads), for example by clicking on untrusted links, and these scripts pass cookie information to attackers.

Q2. What information can an attacker steal using XSS?

Ans: Using XSS, an attacker can steal the session ID of a genuine user. The browser uses the session ID to identify you to the application and keeps you logged in until you sign off. An attacker can write code to extract the cookies that contain the session ID and other information. Later, the attacker can use the same session ID to browse the application on behalf of the user without actually logging in.

Q3. Apart from mailing links of error pages, are there other methods of exploiting XSS?

Ans: Other places where attackers store malicious scripts (payloads) are discussion forums, the comment sections of websites, and similar platforms. Whenever a user navigates to those pages, the payload executes and the user's cookie information is automatically sent to the attacker.

Q4. What are the types of XSS?

Ans: Cross-site Scripting can be divided into three types:

  • Stored XSS
  • Reflected XSS
  • DOM-based XSS

Q5. What is Stored XSS?

Ans: In stored XSS, the attacker plants a malicious script (payload) on a web page. Comment pages, forums, and similar platforms can be used to store payloads. When a user browses these pages, the payload executes and sends cookie information to the attacker.

Q6. What is Reflected XSS?

Ans: Reflected XSS is one of the most widespread attack techniques. In this type of attack, the user sends a malicious request to a web server by clicking on a malicious link (containing an XSS payload) found on social networking sites and other platforms. The web server replies with an HTTP response containing the payload, which executes in the browser and steals the user's cookies.

Q7. What is DOM-based XSS?

Ans: DOM-based XSS is a type of cross-site scripting that appears in the DOM (Document Object Model) rather than in the HTML returned by the server.

Q8. How can I prevent XSS?

Ans: XSS can be prevented by sanitizing user input to the application. Allow only those elements as input that are absolutely essential for that field.

Q9. Can XSS be prevented without modifying the source code?

Ans: The "HttpOnly" cookie attribute can also be used to prevent XSS.

Q10. What is Cross-Site Tracing (XST)? How can it be prevented?

Ans: Using the XST technique, attackers are able to steal cookies by bypassing the "HttpOnly" attribute.

XST can be prevented by disabling the TRACE method on the web server.

Miscellaneous Questions

Q. List out key HTML entities used in XSS.

Ans:

  • > (greater than)
  • ' (apostrophe or single quote)
  • " (double quote)
  • < (less than)
  • & (ampersand)
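An added example, not the post's own code, tying together Q8 (sanitizing), Q9 (the HttpOnly attribute) and the entity list above: an output encoder for those five characters, the stored-comment template from Q5 rendered unsafely and safely, and a Set-Cookie header built with the Python standard library. The cookie name, template markup and sample payload are chosen for this example.

```python
from http.cookies import SimpleCookie

# The five HTML entities listed above, as an encoder map.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(value):
    """Output-encode untrusted text before placing it in an HTML element or
    quoted attribute, so the browser treats it as data and never as markup."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def render_comment_unsafe(author, comment):
    """The stored-XSS shape from Q5: stored text is interpolated raw into the
    page, so a stored <script> element becomes live markup."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (author, comment)


def render_comment_safe(author, comment):
    """The same template with the Q8 fix applied at output time."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        encode_for_html(author), encode_for_html(comment))


def session_cookie_header(session_id):
    """Build the Set-Cookie value for a session cookie carrying the HttpOnly
    attribute from Q9 (scripts cannot read it via document.cookie) and Secure
    (it only travels over TLS). The cookie name "sessionid" is an example."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["path"] = "/"
    return cookie["sessionid"].OutputString()
```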

Q. Which tools are helpful in identifying XSS vulnerabilities?

Ans: XSS is the most common vulnerability type found in web applications. Many tools are available to identify XSS. Some of them are listed below:

  • OWASP ZAP: basically a web scanner, but it can also be used to identify XSS vulnerabilities.
  • Burp Suite: the most popular tool among security researchers.
  • ratproxy: an automated web application security scanning tool.
  • XSS-Proxy: an advanced tool for identifying XSS vulnerabilities.


Top 10 Interview Questions: SQL Injection | OWASP | Application Security
https://allabouttesting.org/top-10-interview-questions-sql-injection-owasp-application-security/
Tue, 07 Nov 2017 15:08:27 +0000

SQL injection is one of the most frequently identified vulnerabilities in web applications. This blog covers the top 10 interview questions and answers related to SQL injection. A1 Injection is the topmost vulnerability listed in the OWASP Top 10.

Q1. What is SQL Injection?

Ans: SQL injection is a vulnerability by which an attacker executes malicious SQL queries on the backend database by manipulating the input to the application.

Q2. Is it just the ASP and SQL Server platforms that are vulnerable?

Ans: SQL injection is the most widespread vulnerability among all platforms. Improper input validation and the use of dynamic SQL queries are the main causes of SQL injection.

Q3. Apart from username and password which variables are candidates for SQL Injection?

Ans: Any input field, such as a credit card number or account number, whose value is used in a WHERE clause to extract data from the database is a candidate for SQL injection. In addition to form fields, an attacker can use hidden fields and query strings for successful exploitation.

Q4. What’s the worst an attacker can do with SQL?

Ans: SQL is a language used to create and manage databases stored in an RDBMS. If an SQL injection vulnerability exists in the application, the following are possible:

  1. Bypassing authentication may be possible.
  2. Confidentiality of data may be lost, as an attacker may be able to see data on exploiting the SQL injection vulnerability.
  3. An attacker can delete entries in the database.
  4. An attacker can alter data in the database.

Q5. What is Blind SQL Injection?

Ans: Blind SQL injection is a type of SQL injection in which the attacker asks the database true-or-false questions. Based on the error messages, the attacker crafts more specific questions to extract more information from the database. It is a little harder to exploit, but not impossible.

Q6. How do we prevent SQL Injection in our applications?

Ans: Here are some options to prevent SQL injection:

  1. Use prepared statements to write database queries.
  2. Sometimes the use of stored procedures also helps in mitigating SQL injection.
  3. Use whitelist input validation.
  4. Give the database account the least privilege. Don't grant create and delete rights to application accounts. Avoid running the DBMS as root or system.

Q7. I’m using stored procedures for authentication, am I vulnerable?

Ans: Using stored procedures is one way to protect web applications from SQL injection attacks: with a stored procedure, user input is no longer used to build the query dynamically. One avenue for SQL injection still remains, however: if the stored procedure takes input and uses that same input to build a query without validating it. That is unusual in practice, but not impossible.

Q8. I’m using client-side JavaScript code for checking user input. Isn’t that enough?

Ans: If client-side JavaScript code is checking user input, that is not enough to mitigate SQL injection. An attacker may intercept the request in a proxy tool such as OWASP ZAP or Burp Suite and change the input in the request field.

Q9. Are Java servlets vulnerable to SQL injection?

Ans: Yes, Java servlets are also vulnerable to SQL injection if input validation is not enforced and SQL queries are built dynamically. Java servlets also have mechanisms to mitigate SQL injection, such as Callable Statements and Prepared Statements.

Q10. Can an automated scanner discover SQL Injection?

Ans: Although security researchers work very hard to develop automated scanners that discover all the issues, a scanner sometimes misses some of them. So it is good practice to check for SQL injection manually while doing security testing.

Miscellaneous Interview Questions

Q. List out some methods to detect SQL Injection Vulnerabilities.

Ans: Methods to identify an SQL injection vulnerability in a web application:

  • The most obvious method is to enter a single quote ' in fields and check for errors.
  • Enter Boolean conditions like "OR 1=1", "OR 4=9", etc., and identify anomalies in the responses.
  • Fuzz with SQL payloads and watch for errors.
  • Fuzz with different time-based payloads and check for delays in responses.

Q. Is it possible to identify SQL injection vulnerability by code review?

Ans: Yes, code review is the best way to identify this type of vulnerability.

Q. Can we examine databases by using SQL injection?

Ans: Yes. It is the most important step, as it tells you which database the application uses. This is done by using different queries to identify the type and version of the database software. You can use the queries below to examine the database:

  Sr. No.  Type of Database  Query
  1.       PostgreSQL        SELECT version()
  2.       Oracle            SELECT * FROM v$version
  3.       Microsoft         SELECT @@version
  4.       MySQL             SELECT @@version

Q. Mention specific tools to identify SQL injection vulnerabilities.

Ans: sqlmap is an open-source tool that may be used to identify security vulnerabilities in web applications related to SQL injection. You can also use different Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools to identify vulnerabilities related to SQL Injection.

Q. Mention some payloads related to SQL injection vulnerability.

Ans: Below is a list of some payloads that may be used to identify an SQL injection vulnerability:

  • ` (backtick)
  • /
  • \
  • ;
  • ' or "

Q. How to test for SQL Injection vulnerabilities?

Ans: SQL injection may be tested using the following techniques:

  • Submit a single quote character ' in text fields or in any other input parameter. If an SQL-specific error appears, it confirms the SQL injection vulnerability.
  • Try different SQL payloads (including the Booleans 1=1, 1=2, etc.) and analyze the application's response.
  • Try a time-delay function (e.g. sleep) and analyze the application's response.
  • Use automated tools such as Burp Suite, sqlmap, etc. to identify vulnerabilities related to SQL injection.
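An added example (not the post's own code) that works through the prepared-statement and whitelist controls from Q6 here and Q3 of the OWASP Top 10 post above, and then applies the single-quote and Boolean test inputs from the last two questions to both the vulnerable and the fixed lookup, so the difference a tester would observe is visible. The in-memory SQLite table, the user names and the queries are constructed for this example.

```python
import sqlite3

# Constructed in-memory sample table; the names and addresses are made up.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_dynamic(conn, username):
    """Vulnerable form: the input is pasted into the SQL text, so the database
    cannot tell data from code (the dynamic query Q6 warns against)."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_prepared(conn, username):
    """Fixed form: static SQL with the value bound as a parameter, so the
    input is only ever compared as a username, never interpreted."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Column names cannot be bound as parameters, so the whitelist from Q6 item 3
# is the right control when an identifier comes from the request.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not permitted: %r" % sort_column)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_column)
    return [row[0] for row in rows]


def probe(lookup, conn, test_input):
    """Apply one of the test inputs listed above to a lookup function and
    report what a tester observes: a database error, or the row count."""
    try:
        return ("rows", len(lookup(conn, test_input)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
```

The single quote produces a database error only from the concatenating version, and the two Boolean inputs change its row count while the parameterized version returns zero rows for both.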

Interview Questions & Answers: Web Application Security Testing
https://allabouttesting.org/top-10-interview-questions-web-application-security-testing/
Tue, 07 Nov 2017 15:05:53 +0000

Web application security testing is defined as the testing of the security mechanisms employed in web applications to protect them from cyber attacks. Here I have listed interview questions asked in job interviews on application security.

Q1. What port is for ICMP or pinging?

Ans: Ping doesn't use any port. It is used to identify whether the remote host at the other end is active or not. It also helps in determining packet loss and round-trip delay while communicating.

Just remember, ping uses the ICMP protocol.

Q2. Do you prefer Windows or Linux?

Ans: Both operating systems have their own pros and cons. Be ready with a justification for why you use a particular OS. But as a security analyst, prefer Linux, as it gives more flexibility and more security than Windows. Many security researchers have also contributed to enhancing and securing Linux.

Q3. What security mechanism should be implemented on a login page?

Ans: There are many mechanisms available to secure a login page. First and foremost, implement the TLS protocol, which provides confidentiality and integrity for customers' sensitive data by encrypting it in transit. If TLS is not used, an attacker can see sensitive information such as the username, password, session ID, etc.

Implement two-factor authentication for accessing user accounts. On the server side, never store passwords in the database in cleartext. Always store passwords in an encrypted format, and the algorithm used must be tested and certified by an auditing agency.

Q4. How would an HTTP program handle the state?

Ans: HTTP is a stateless protocol; it uses cookies to handle the state of a web application. There are two ways in which HTTP applications handle state: on the client side and on the server side. The developer may store data in cookies or in a server-side session. This is how the application maintains a session for a particular period without logging the user out in between.

Q5. What is Cross Site Scripting or XSS?

Ans: Cross-site scripting is one of the most common vulnerabilities found in web applications. An attacker sends malicious scripts to the victim and tricks the victim into executing them. On execution, cookies, session tokens, or other sensitive information are compromised by the attacker.

Q6. What are the types of XSS?

Ans: Cross-site scripting (XSS) is broadly divided into three categories:

Reflected XSS: In this vulnerability, the attacker executed the malicious script and get instant output in form of an error message, cookie information, and other sensitive information. A malicious script is not stored in the database in case of this vulnerability.

Stored XSS: Here, malicious scripts got stored in the database, maybe because of comment fields, discussion forums etc. Whenever the victim visited those pages, it got executed.

DOM XSS: DOM stands for Document Object Model. It defines how documents are accessed and manipulated. In DOM XSS, the malicious data flows entirely within the browser, from a source to a sink in the DOM. This vulnerability arises when a client-side script reads data from an attacker-controllable part of the DOM (for example, the URL) and processes this data without sanitizing the input.
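The reflected case from Q5 and Q6 in code, as an added example that is not from the article: a search page echoes the `q` parameter, once by concatenating it into the HTML (vulnerable) and once with output encoding (hardened). The URL and the page markup are constructed for the example; `html.escape` is the Python standard library.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request: the URL a victim might be tricked into opening. The query
# carries the usual harmless proof-of-concept tag, URL-encoded.
SAMPLE_URL = "https://shop.example/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def query_from_url(url: str) -> str:
    """Extract the user-controlled search term (the XSS 'source')."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into the HTML body,
    so a tag in the input becomes a tag in the page (the 'sink')."""
    return "<p>Results for: " + query + "</p>"


def render_safe(query: str) -> str:
    """Hardened pattern: encode on output. The browser shows the text verbatim
    instead of parsing it as markup."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_attr_safe(query: str) -> str:
    """Attribute context needs both: the attribute is quoted AND quotes inside the
    value are encoded, otherwise the input could close the attribute early."""
    return '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'
```

Encoding has to match the context the value lands in (HTML body, attribute, JavaScript string, URL); the two functions above cover the first two, and a template engine with auto-escaping does this for every output by default.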

Q7. What is the business application of public key cryptography?

Ans: The main business application of public key cryptography is digital signing and encryption.

In digital signing, the sender signs the document with the private key and the receiver checks the integrity of that document with the sender’s public key.

In encryption, the sender encrypts the document with the public key of the receiver and the receiver decrypts it using his/her private key.

Q8. Explain Phishing attacks & How can you defend against phishing attempts?

Ans: In a phishing attack, the attacker tricks the victim into accessing a fake web page and submitting sensitive information.

Checking for XSS vulnerabilities and validating the HTTP Referer header are some mitigation techniques against phishing attacks.

Q9. What is the difference between public key cryptography and a private key for encrypting and signing content?

Ans: In digital signing, the sender signs the document with the private key and the receiver checks the integrity of that document with the sender’s public key.

In encryption, the sender encrypts the document with the public key of the receiver and the receiver decrypts it using his/her private key.

Q10. What can you use to defend against multiple login attempts?

Ans: There are many techniques to defend against multiple login attempts. You can create an account lockout policy based on the number of attempts. Another method is to implement a CAPTCHA on the login page to tell whether the user is a machine or a human.
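The server-side half of Q3 and the lockout policy of Q10 together, as an added example (not code from the article): passwords are stored as salted scrypt digests rather than in any recoverable form, comparisons are constant-time, and an account locks after a number of recent failures. The threshold, window and dummy salt are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Lockout policy values are assumptions for this example, not from the article:
# five failed attempts within fifteen minutes lock the account for the rest of the window.
MAX_FAILURES = 5
LOCKOUT_WINDOW_S = 15 * 60

# Fixed salt used only to make "unknown user" cost the same time as "wrong password".
_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). scrypt is a slow, salted one-way function, so a
    leaked table does not hand the attacker the original passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginService:
    def __init__(self) -> None:
        self.users = {}      # username -> (salt, digest); the password itself is never kept
        self.failures = {}   # username -> timestamps of recent failed attempts

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def is_locked(self, username: str, now: float) -> bool:
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_WINDOW_S]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'denied'. An unknown user gets the same 'denied'
        answer, after the same amount of work, as a wrong password, so the page
        does not reveal which usernames exist."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        record = self.users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)   # burn the same time, then deny
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "denied"
```

Lockout by account alone lets an attacker lock legitimate users out; production systems usually combine it with per-source rate limiting and the CAPTCHA the answer mentions.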

Interview Questions: Digital Signature Certificate (DSC) | PKI (All About Testing, Tue, 07 Nov 2017)

Nowadays, digital signature certificates serve as the safeguard of authentication and integrity over an untrusted network. Here, we will discuss interview questions and answers on digital signature concepts.

Q1. What is a Digital Signature Certificate (DSC)?

Ans: A Digital Signature Certificate (DSC) is the electronic equivalent of a physical signature. It proves your identity like an ID card and supports authentication. It is also used to access information or services on the internet. In other words, a DSC is a method to validate the authenticity and integrity of electronic messages or data.

Q2. How does a Digital Signature Certificate (DSC) work?

Ans: This can be understood with the help of an example. Assume Tom wants to send electronic documents to Eric digitally. Tom and Eric have each acquired a digital signature. The digital signature has two attributes related to the subscriber: a public and a private key. First, both share their public keys with each other. Now, Tom encrypts the message with his private key and sends it to Eric. On receiving it, Eric uses Tom’s shared public key to decrypt the message, which assures the integrity of the message. In this way, Tom is able to exchange messages securely by using a DSC.

Q3. What is an electronic document?

Ans: An electronic document is any data that needs a computer to access, interpret and process it. It can be an image, a drawing, or any other message that needs a computing system.

Q4. What is the difference between Electronic Signature and a Digital Signature?

Ans: An electronic signature is similar to your physical signature in digitized form, created by attaching a sound or symbol to the document. A digital signature is the more secure form that assures confidentiality, integrity, authentication, and non-repudiation.

Q5. What are the different classes of Digital Signature Certificates?

Ans: Different classes of Digital Signature Certificates:

Class 1 Certificate: These certificates are issued to individuals or private subscribers. Certifying Authorities assure the user’s name (or alias) and e-mail address of the subscriber against consumer databases.

Class 2 Certificate: These certificates are issued for both business personnel and private individuals’ use. Certifying Authorities assure that the information in the application provided by the subscriber is consistent with the information in consumer databases.

Class 3 Certificate: This certificate is issued to individuals as well as organizations. As these are high-assurance certificates, Certifying Authorities issue them only on the subscriber’s physical appearance before them, and assure that the information in the application provided by the subscriber is consistent with the information in consumer databases.

Q6. How is Digital Signature Validated and Secured?

Ans: A digital signature is mainly used for assurance of the authentication and integrity of received data. If data is encrypted using the public key, it can be decrypted using the private key, and vice versa. In this way, the digital signature is validated and it ensures authentication, confidentiality, integrity, and non-repudiation.
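The two key roles described in Q2 and Q6 here, and in Q7 and Q9 of the web application security questions above, worked through as an added example (not the article’s code). It is a toy RSA with small textbook primes so that every step is visible: signing is the private-key operation on a hash of the message, verification is the public-key operation, and encryption to a recipient uses the recipient’s public key. Key sizes, the absence of padding and the fixed primes are deliberate simplifications for illustration only.

```python
import hashlib
from math import gcd


def generate_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n) public, (d, n) private). The defaults are the classic toy
    values; real keys are 2048 bits or more and generated by a vetted library."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign the hash of the message rather than the message, so any length works
    # and the signature commits to the whole content.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: private-key operation on the message digest."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: public-key operation must recover the digest of the received text.
    A changed message, or a signature made with another key, fails here."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def encrypt(m: int, recipient_public_key) -> int:
    """Confidentiality: anyone can encrypt to the recipient's public key ..."""
    e, n = recipient_public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, recipient_private_key) -> int:
    """... and only the holder of the matching private key can decrypt."""
    d, n = recipient_private_key
    return pow(c, d, n)
```

Note that the same private key is used in `sign` and `decrypt`, which is why a real PKI issues separate signature and encryption certificates (see Q13 below) rather than reusing one key for both purposes.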

Q7. What is the Certificate Revocation List (CRL)?

Ans: A Certificate Revocation List (CRL) is a list, issued by a Certifying Authority (CA), of digital certificates that have been revoked before their scheduled expiry date. Certificates on this list should no longer be trusted.

Q8. What does X.509 refer to as it relates to digital certificates?

Ans: X.509 is a standard that defines the format of public key certificates. TLS/SSL also uses the same standard for defining certificates.

Q9. How are Certifying Authorities susceptible to attack?

Ans: Although it is very difficult to attack Certifying Authorities, there are still some ways, as mentioned below:

  • Finding out the private keys of the CA by reverse engineering the device
  • If a CA uses short keys, it is susceptible to attack.

Q10. Can a digital signature be forged?

Ans: It is very difficult to forge a digital signature. Highly complex algorithms are implemented which makes it nearly impossible to forge the signature.

Q11. What is a one-time signature scheme?

Ans: In cryptography, a one-time signature scheme is a method for creating a digital signature. This type of signature can be built from any cryptographically secure one-way function and is generally used to sign a single message.
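A concrete one-time signature scheme, added here as an example (not from the article): a Lamport signature built from nothing but SHA-256 as the one-way function. The private key is 256 pairs of random secrets, the public key is their hashes, and signing reveals one secret of each pair according to the bits of the message digest. The final helper shows why the key is single-use: every extra message reveals more of the remaining secrets.

```python
import hashlib
import secrets

HASH = hashlib.sha256
BITS = 256   # one secret pair per bit of the SHA-256 digest


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte values. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(HASH(a).digest(), HASH(b).digest()) for a, b in private]
    return private, public


def _message_bits(message: bytes):
    digest = int.from_bytes(HASH(message).digest(), "big")
    return [(digest >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(message: bytes, private):
    """For each digest bit, reveal the secret of the pair that matches that bit."""
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(message: bytes, signature, public) -> bool:
    """Hash every revealed secret and compare with the published hash for that bit.
    Only the key holder knew the preimages, so a valid signature proves authorship."""
    if len(signature) != BITS:
        return False
    return all(
        HASH(revealed).digest() == public[i][bit]
        for i, (revealed, bit) in enumerate(zip(signature, _message_bits(message)))
    )


def preimages_revealed(signatures) -> int:
    """Count distinct secrets a verifier has seen. One signature reveals exactly 256
    of the 512; a second message reveals more, letting an observer forge signatures
    for any message whose digest bits fall within the revealed set."""
    seen = set()
    for sig in signatures:
        seen.update(sig)
    return len(seen)
```

Hash-based schemes like this are the building block of stateful post-quantum signatures (XMSS, LMS), which chain many one-time keys together under one public key.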

Q12. What is an Undeniable Signature Scheme?

Ans: Undeniable signature schemes, also called non-self-authenticating signature schemes, are schemes in which signatures can only be verified with the consent of the signer.

Q13. What are the types of Certificates issued by CAs?

Ans: As per the X.509 Certificate Policy for PKI published by the Controller of Certifying Authorities, there are five types of certificates:

  • Signature Certificate
  • Encryption Certificate
  • SSL Server Certificate
  • Code Signing Certificate
  • Document Signer Certificate

Top 10 Interview Questions | Performance Testing (All About Testing, Tue, 07 Nov 2017)

Q1. What is Performance testing?

Ans: Performance testing is a type of non-functional testing. Here, we test the system for response time, throughput and stability with a fixed number of virtual users, using tools such as HP LoadRunner, JMeter, etc.

Q2. Mention different types of performance testing.

Ans: Types of Performance Testing:

Load Testing: This type of testing tests the system under the normal expected load.

Stress Testing: This type of testing tests the system under a large or peak load. It helps in understanding the behavior of the system under an extreme workload.

Endurance Testing: It is also called the stability test. This type of testing tests the system over a long duration of time, ranging from some hours to many days.

Spike Testing: This type of testing tests the system for a sudden increase in load.

Volume Testing: This test populates the database with a large amount of data. The main purpose is to see the behavior of the system under varying database volumes.

Scalability Testing: This test helps to find the feasibility of scaling up the capability of the system and tells at which load additional hardware needs to be added to the system.

Q3. What is the difference between Load testing and Stress testing?

Ans: Both load testing and stress testing are types of performance testing. The former tests the system under the normal expected load while the latter tests the system under a large or peak load. Stress testing helps in understanding the behavior of the system under an extreme workload.

Q4. What is the Load testing process?

Ans: 

Q5. Explain what is Endurance Testing and Spike Testing.

Ans: As discussed earlier, endurance testing tests the stability of the system while spike testing tests how the system deals with a sudden hike in load.

Q6. List out some of the performance testing tools.

Ans: I am listing some of the load test tools:

  • HP LoadRunner
  • Apache JMeter
  • StresStimulus
  • Dotcom-Monitor

Q7. How do you identify Performance test use cases of an application?

Ans: Identification of performance test cases is a tedious task. Generally, a performance tester tests those application scenarios that are most critical to the organization and have the greatest impact on it. Suppose you are performing a load test for an e-commerce application. To select load test cases for this application, you can identify the following test cases:

  • Selection of product
  • Search product
  • Purchase product
  • Payment for the product via a selection of different payment methods

Q8. List out some of the parameters considered for performance testing.

Ans: Although there are many parameters for performance testing, the important ones are response time, throughput, memory usage, CPU usage, and hits per second.
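A minimal load generator that reports the parameters from Q8 (response time, throughput as hits per second, error count), added here as an example rather than code from the article or from any of the tools listed in Q6. Raising `virtual_users` turns the same harness from a load test into a stress test in the sense of Q2. The target is a constructed stand-in that sleeps instead of making an HTTP call; the latency value and user counts are assumptions.

```python
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def simulated_request(latency_s: float = 0.002) -> int:
    """Stand-in for an HTTP request (constructed for this example): sleeps for a
    fixed service time and returns an HTTP-style status code."""
    time.sleep(latency_s)
    return 200


def run_load(target, virtual_users: int, requests_per_user: int) -> dict:
    """Run `virtual_users` concurrent workers, each issuing `requests_per_user`
    calls to `target`, and summarise the usual performance parameters."""
    latencies, statuses = [], []
    lock = threading.Lock()

    def worker() -> None:
        for _ in range(requests_per_user):
            started = time.perf_counter()
            try:
                status = target()
            except Exception:          # a failed call counts as a server error
                status = 500
            elapsed = time.perf_counter() - started
            with lock:
                latencies.append(elapsed)
                statuses.append(status)

    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=virtual_users) as pool:
        for _ in range(virtual_users):
            pool.submit(worker)
    wall = time.perf_counter() - wall_start

    ordered = sorted(latencies)
    return {
        "requests": len(latencies),
        "errors": sum(1 for s in statuses if s >= 500),
        "avg_response_s": statistics.fmean(latencies),
        "p95_response_s": ordered[int(0.95 * (len(ordered) - 1))],
        "max_response_s": ordered[-1],
        "throughput_rps": len(latencies) / wall,   # hits per second
        "wall_s": wall,
    }


if __name__ == "__main__":
    # Load test: a handful of users. Stress test: the same script with many more.
    for users in (5, 50):
        print(users, "users ->", run_load(simulated_request, users, 10))
```

Percentiles matter more than the average: a p95 that climbs as users increase while the average stays flat is the usual first sign that the system is saturating.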

Q9. Explain what are the common mistakes done in Performance Testing.

Ans: Common mistakes while doing performance testing:

  • Identifying the wrong test cases for testing
  • Running the load test from one location only
  • Unable to obtain a Service Level Agreement (SLA) for the load test from the different stakeholders
  • Failing to identify a suitable tool for the load test
  • Assuming the load test has failed when it crashes the system

Q10. Mention what is the difference between benchmark testing and baseline testing.

Ans: Benchmark testing is a type of test in which you test the system against one standard or established performance of a product, while baseline testing creates a base for any measurement, comparison, or calculation of results of the performance test.

Top 50 Interview Questions & Answers | Penetration Testing [Updated 2023] (All About Testing, Mon, 30 Oct 2017)

Penetration testing is a legal form of hacking, where a security expert uses every set of tools to break into a system with the permission of the IT system’s owner. In this article, we will discuss the top 50 penetration testing interview questions and answers.

Q1. What is Information Security?

Ans: In simple words, information security is the practice of securing information from any unauthorized access. ISO/IEC 27000 defines this term as “Preservation of confidentiality, integrity, and availability of information. Note: Also, other properties, such as authenticity, accountability, non-repudiation, and reliability, can also be involved.”

Q2. What is the importance of A Penetration Test?

Ans: Penetration testing is important for identifying vulnerabilities in an IT system from outside the network. Generally, it is an activity done after a vulnerability assessment. In simple words, by doing penetration testing, security analysts attempt to gain access to resources without knowledge of usernames, passwords, and other normal means of access. The only thing that differentiates hackers from security experts is the permission given by the organization.

Q3. What are the phases of Network Penetration?

Ans: Penetration testing activity may be divided into 5 phases:

Phase 1 – Reconnaissance: It is a process of collecting data about the target. It can be performed actively or passively. In this phase, you learn more and more about the target business and its operation. Activities include identifying the target and finding out the target IP address range, network, domain name, mail server, DNS records, etc.

Phase 2 – Scanning: This is another crucial phase of penetration testing. In this phase, scanning is done to identify vulnerabilities in the network and in the software and OS used by devices. After this activity, the pen tester knows about the services running, open ports, firewall detection, vulnerabilities, OS, etc. There are a lot of tools available, both open-source and paid.

Phase 3 – Gaining Access: In this phase, the pen tester starts executing the attack by gaining access to vulnerable devices and servers. This can be done by using tools.

Phase 4 – Maintaining Access: As the pen tester has already gained access to a vulnerable system, in this phase he/she tries to extract as much data as possible and also to remain stealthy.

Phase 5 – Covering Tracks: In this phase, the pen tester takes all the necessary steps to hide the intrusion and any controls left behind for future visits. He/she also removes all kinds of logs, uploaded backdoor(s), and anything related to the attack.

Q4. What is XSS or Cross-Site Scripting?

Ans: As explained by OWASP, “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”

Q5. What is the difference between asymmetric and symmetric encryption?

Ans: The major difference between symmetric and asymmetric cryptography is the number of keys. In the case of symmetric cryptography, only a single secret key is used for both encryption and decryption. In the case of asymmetric cryptography, a public and a private key are used for encryption and decryption.

Q6. What is “Vulnerability”?

Ans: Vulnerability is a term that every information security expert wants to eradicate from the IT system. In simple terms, a vulnerability is a weakness in a system. If someone exploits those vulnerabilities, it might result in an intentional or unintentional compromise of the system.

Q7. Discuss a recent project of pen test which you have done.

Ans: To answer this question, you can start with the last project you have done in the pen test field. Also, mention your approach, which tools you used, which vulnerabilities you found, and how you helped the developers fix those issues.

Q8. What are the strengths and differences between Windows and Linux?

Ans: Comparison of Linux and Windows:

  • Price: Linux is available free; Windows is paid.
  • Ease of use: Linux is a little difficult for beginners; Windows is user-friendly.
  • Reliability: Linux is more reliable and secure; Windows is less reliable and secure.
  • Software availability: on both Linux and Windows, software is available for install, both paid and free.
  • Software cost: on Linux, most software is available for free; on Windows, mostly commercial software is available.
  • Hardware: in the beginning, hardware compatibility was an issue for Linux, but now the majority of physical appliances support it; hardware compatibility has never been an issue for Windows.
  • Security: Linux is a highly secure operating system; as Windows is used by novice users, it is vulnerable to hackers.
  • Support: for Linux, community support is available online for rectifying any issue; for Windows, Microsoft support is available online and many books have been published to diagnose issues.
  • Use cases: Linux is used mainly by corporate, scientific and educational institutes; Windows is used mainly by novice users, gamers, corporates, etc., where fewer skills are required.

Q9. What kind of penetration can be done with the Diffie Hellman exchange?

Ans: Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols. Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS services is a kind of penetration test that can be done with this method.

Q10. What type of tools are there out there for packet sniffing?

Ans: Packet sniffing is the process of capturing network traffic and being able to see the traffic on an entire network, or only on a certain segment of it, with the help of a packet sniffing tool, depending on how the network switches are configured, placed, etc. The most popular packet sniffing tool available for free is Wireshark.

Q11. How will you protect the data during and after Penetration Testing?

Ans: The pen tester specifies a policy regarding user data found while testing. The policy tells what to do if any data is encountered during and after testing. However, a backup is a must to avoid any loss of data.

Q12. What is Intrusion Detection?

Ans: Intrusion detection, as the name suggests, protects IT infrastructure from cyber attacks. It identifies security breaches from both outside and within a network. Intrusion detection performs a wide variety of functions, including monitoring and analyzing traffic, recognizing patterns of attack, checking the integrity of files on servers, checking whether any policy violation happens, etc.

Q13. What are the full names of abbreviations related to Software security: 2FA, 2S2D, 2VPCP, 3DES, 3DESE, and 3DESEP?

Ans: Full names of abbreviations:

  • 2FA: Two-Factor Authentication
  • 2S2D: Double-Sided Double-Density
  • 2VPCP: Two-Version Priority Ceiling Protocol
  • 3DES: Triple Data Encryption Standard
  • 3DESE: Triple Data Encryption Standard Encryption
  • 3DESEP: Triple Data Encryption Standard Encryption Protocol

Q14. List down some factors that can cause security vulnerabilities.

Ans: There are many factors that can cause security vulnerabilities. Some of them are listed below:

  • The web application does not perform input validation
  • Use of weak passwords
  • The session ID does not change after login
  • Sensitive data stored in cleartext
  • Errors reveal sensitive information about the infrastructure
  • The installed software is not updated

Q15. List down parameters that define an SSL session connection.

Ans: The session identifier, peer certificate, compression method, cipher spec, master secret, and the “is resumable” flag are the parameters that define an SSL session.

Q16. List the benefits that can be provided by an intrusion detection system.

Ans: Here are some benefits of using IDS:

  • Helps in identifying security incidents and denial-of-service attacks.
  • Checks for unexpected and abnormal traffic behavior.
  • Stops cross-site scripting, SQL injection, etc. attacks.
  • Protects vulnerable assets by providing temporary patches for known vulnerabilities.

Q17. What is SQL injection?

Ans: It is an attack in which an attacker inserts untrusted data in the application that results in revealing sensitive information about the database.

Q18. How does SSL/TLS work?

Ans: The SSL/TLS layer ensures the confidentiality and integrity of data while it is transmitted from source to destination.

Steps involved:

  1. The user initiates the connection by typing the website address. The browser initiates SSL/TLS communication by sending a message to the website’s server.
  2. The website’s server sends its public key or certificate to the user’s browser.
  3. The user’s browser checks the public key or certificate. If it is OK, the browser creates a symmetric key and sends it back to the website’s server. If the certificate is not OK, the communication fails.
  4. On receiving the symmetric key, the website’s server uses the key to encrypt the requested data.
  5. The user’s browser decrypts the content using the symmetric key, which completes the SSL/TLS handshake. The user can see the content as the connection is now established.

Q19. What is the difference between a Vulnerability Scan, Risk Analysis, and Penetration Test?

Ans: Comparison of the three activities:

  • Activity: a vulnerability scan checks for known vulnerabilities in configuration; penetration testing tests for the exploitability of vulnerabilities and for how much data leaks if an attacker successfully exploits a vulnerability; risk analysis analyzes the cost/benefit if the vulnerability is not fixed, including calculating the loss incurred on any security breach.
  • Skill: a vulnerability scan needs minimal skill as many tools are available; in penetration testing it is difficult to find all possible vulnerabilities and exploit them; risk analysis requires a skilled person who knows IT, statistics, finance, and probabilities.
  • Major tools: vulnerability scan: Nikto, Nessus, OpenVAS; penetration testing: Metasploit, Qualys; risk analysis: difficult to automate.

Q20. What network controls would you recommend to strengthen the network security of an organization?

Ans: Below is the list of top network controls that help in strengthening the network security of an organization. 90 percent of the issues may be removed by applying those controls in the IT system.

  • Always install and run whitelisted applications and software.
  • Regularly patch all the running applications and software.
  • Update OS with the latest security patches.
  • Minimize administrative privileges.

Q21. What tools/infrastructure do you have in your penetration testing lab?

Ans: As a penetration tester, you need a high-performance computer system and many penetration testing tools. Use virtual machines on your desktop and install operating systems such as Windows XP, Windows Server 2008, Windows Server 2012, Ubuntu, etc. to test the configurations. I am listing some tools below that we can use for penetration testing.

  • Burpsuite (both free and commercial versions available)
  • Wireshark (open source)
  • OWASP ZAP (open source)
  • Nessus (both free and commercial versions available)
  • Metasploit (open source)
  • NMap (open source)
  • Nikto (open source)
  • OpenVAS (open source)
  • Nipper Studio (commercial version available)

You can also install Kali Linux (an open-source operating system) on one of your virtual machines, which comes with many preinstalled security software. This is not an exhaustive list, but you have enough confidence to execute penetration testing jobs after learning these tools.

Q22. List out common network security vulnerabilities.

Ans: Some common network security vulnerabilities are listed below:

  • Usage of default or weak passwords in network components such as the router, firewall, etc., and different servers.
  • Missing security patches in software running on different network components and different servers.
  • Misconfigured network firewall.
  • Use of infected USB drives by network professionals in data centers.
  • The data backup policy is not implemented properly.

Q23. What are the common ports to focus on during penetration testing?

Ans: You can use the Nmap tool for the port scan. Here is a list of common ports to focus on during penetration testing:

  • FTP (port 20, 21)
  • SSH (port 22)
  • Telnet (port 23)
  • SMTP (port 25)
  • HTTP (port 80)
  • NTP (port 123)
  • HTTPS (port 443)

Q24. Do you hire criminals for a pen test? Aren’t former “black hats” the best penetration testers?

Ans: This interview question is related to ethics. You can hire a former “black hat” for penetration testing by doing proper verification checks. An organization can decide regarding the hiring of individuals based on company policies.

Q25. If we’re already performing vulnerability scanning, why should we perform a penetration test?

Ans: A vulnerability scan generally identifies weaknesses based on the vulnerability signatures available in the scanning tool, while penetration testing helps in identifying the extent of data loss and exposure when a cyber attack occurs.

Q26. We received a Penetration Test proposal that was quoted significantly lower than other proposals we received – why is that?

Ans: Charges for penetration testing vary from company to company. Generally, the quotation for penetration testing is based on the salary of the security tester, the cost of the tools used, the size of the project, etc. Also, some infosec organizations charge less than others based on competition in the market.

Q27. How do you schedule a penetration test?

Ans: It is advisable to conduct penetration testing regularly or on changes in any hosting infrastructure. Also, refer to company policy for the periodicity of a security audit.

Q28. What is an example of a large pen test engagement you’ve performed?

Ans: Here, give information regarding the penetration testing projects which you have performed in your previous organization. You can also mention the major vulnerabilities you found and the tools you used.

Q29. How long does it take to perform a penetration test?

Ans: It depends on many factors such as the size of the project, the skill of the penetration tester, the technology used, etc. You may decide the timelines based on the experience of the pentester.

Q30. How much experience do you have performing penetration testing?

Ans: Here, you can mention your experience in performing penetration testing jobs.

Q31. Can a penetration test break any system?

Ans: Every system has some security vulnerability, known or unknown, that is eventually discovered by security researchers. No system is foolproof, so if proper penetration testing is performed, any system can be broken by the security analyst. If the system is more secure, the security analyst will take more time to break it, and vice versa. The time may vary from some days to months.

Q32. What certifications do you have to perform penetration testing?

Ans: Certifications are just additional qualifications of a penetration tester. But certifications are not proof of the skills of the tester. Some professionals don’t have any certification, but still, they are the best at their job. Certifications that are beneficial for penetration testers are EC-Council Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and GIAC Exploit Researcher & Advanced Penetration Tester (GXPN).

Q33. My data is stored in the cloud. Why do I need a Penetration test?

Ans: Even if data is stored in the cloud, penetration testing is still essential to see whether your data is secure or not. Also, to check the effectiveness of controls, a penetration test is required.

Q34. What types of systems have you performed penetration testing on?

Ans: Penetration testing is performed on servers, endpoints, web applications, mobile devices, wireless networks, network devices, cloud services, and other potential targets of exposure.

Q35. How often should an organization have a penetration test performed by a third party?

Ans: It depends on the criticality of the organization’s data hosted on the system. If data is more sensitive, the penetration testing frequency should be higher and vice-versa.

Q36. Do penetration tests cause any disruption to an organization’s network?

Ans: It may disrupt services if the penetration tester successfully exploits the vulnerabilities. To minimize disruption, keep your client informed and also stop the testing if required.

Q37. Why is penetration testing important to an organization’s risk management strategy?

Ans: A risk management strategy is a process of identifying, assessing, and managing the risk in the system. Penetration testing is an assessment of the IT system from the perspective of a hacker. This activity gives confidence to management that the company’s IT assets are secure.

Q38. Can you target any IP Address for penetration testing?

Ans: Penetration testing starts only after a detailed discussion regarding targets with the management and technical team of the company. A legal agreement is also signed between the pen-testing agency and the company that mentions all IP addresses in the scope of the test.

Q39. We have a firewall in place. Do we still need network penetration testing if we have a Firewall?

Ans: A firewall is used for analyzing traffic and blocking it based on a predetermined configuration, while penetration testing checks for the exploitability of IT assets, including the firewall. Penetration testing is a necessary activity even with all the network components in place.

Q40. Why should a third party assess your system?

Ans: Generally organizations have their security teams to manage cybersecurity-related operations. But still, third-party penetration testing is recommended to build confidence in management and take advantage of the experience of other organizations in identifying new vulnerabilities in the system.

Q41. Does Pentesting do social engineering?

Ans: Generally, social engineering is not in the scope of penetration testing. But nowadays some organizations do consider the social engineering aspect while doing pen-testing.

Q42. Are Denial-of-service attacks also tested?

Ans: Denial-of-service (DoS) attacks are also within the scope of penetration testing. Many tools are available to see whether the system is vulnerable to DoS attacks or not.

Q43. Why should not only the network perimeter be tested, but also the internal network?

Ans: Internal networks are also vulnerable to some types of attack. The scope shouldn’t be just internet-facing servers; other internal servers should also be in scope for evaluation.

Q44. What time investment do you estimate for a Penetration Test?

Ans: The time estimate depends on the number of IT devices, the experience of the tester, the time required for fixing security issues by developers, etc.

Q45. Are there legal requirements for Penetration Tests?

Ans: Penetration testing starts only when there is an agreement signed by the organization and the pen testing agency. In the agreement, the list of targets in the scope of pen-testing is explicitly mentioned. Testers are advised not to test any other target outside the scope.

Q46. How can you encrypt email messages?

Ans: OpenPGP is the most popularly used email encryption standard. Both open-source tools such as Gpg4win and many commercial tools are available that support OpenPGP encryption.

Q47. Do You Automate Using Scripting?

Ans: Good pen testers generally do a lot of scripting in Python, Perl, shell, R, etc. to automate day-to-day tasks.

Q48. What is a ‘Threat Model’?

Ans: A threat model is a process of analyzing the application or IT system in terms of security. In simple terms, it helps identify, quantify, and address the security risk available in the system.

Q49. What is STRIDE?

Ans: STRIDE is an acronym for a threat modeling system. It helps in categorizing cyberattacks into the categories below:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service (DoS)
  • Elevation of privilege

Q50. What is file enumeration?

Ans: File enumeration, also called forced browsing, is a directory traversal technique in which a security analyst accesses files and folders that are not linked by the application.
