Comprehensive Penetration Testing Process, Common Vulnerabilities, Exploitation Techniques, and Security Interview Questions
This article provides a detailed walkthrough of web penetration testing steps, extensive Q&A on common vulnerabilities such as SQL injection, XSS, CSRF, SSRF, file inclusion, privilege escalation methods, mitigation strategies, and interview preparation tips for security professionals.
1. Penetration Testing Workflow
Information gathering – collect server IP, OS version, open ports, WAF presence, DNS records, WHOIS data, subdomains, Google hacking results, directory enumeration, banner grabbing, and protocol/exploit information.
Vulnerability discovery – scan for open ports, weak passwords, and exposed directories; test for XSS, SQL injection, file upload, command injection, CSRF, cookie security, sensitive data leakage, brute‑force, arbitrary file upload, unauthorized access, directory traversal, file inclusion, and replay attacks; and run automated scanners.
Exploitation & privilege escalation – MySQL, Serv‑U, Oracle, Windows overflow, Linux Dirty COW, kernel exploits, etc.
Cleanup & reporting – clear logs, generate penetration test report with remediation suggestions.
Retesting – verify that no new vulnerabilities appear and archive results.
2. Common Security Interview Questions & Answers
1) First step on a target site – perform thorough information collection (WHOIS, subdomains, server fingerprinting, weak‑password checks, etc.).
2) Importance of identifying CMS – enables searching for known exploits and source code review if open‑source.
3) Value of scanning directories on a mature CMS – locate backup files, misconfigurations, hidden admin panels.
4) Typical web server containers – IIS, Apache, Nginx, Lighttpd, Tomcat.
5) Conditions for writing a one‑line webshell through MySQL injection – root privileges and the site's absolute path are needed.
6) Known parsing vulnerabilities – IIS 6.0, IIS 7.0/7.5, Nginx ≤0.8.37, Apache double‑extension tricks, Lighttpd.
7) Quick OS fingerprint – case‑sensitivity of file system (Linux vs Windows).
8) Only one port open on a site that uses MySQL – the database port was changed, the database runs on a separate host, or 3306 is firewalled.
9) Reasons RDP (3389) may be unreachable – port closed, port changed, firewall, internal network.
10) Bypassing character escaping in injection – wide‑character injection, hex encoding.
11) When seeing an editor in a backend – identify its name/version and search for public exploits.
12) Using .htaccess to execute PHP code – <FilesMatch "xxx.jpg">SetHandler application/x-httpd-php</FilesMatch>.
13) Injection is not limited to credential theft – can harvest entire databases.
14) Security Dog (Safedog, a web‑application firewall) can be evaded by varying the payload so it no longer matches its signatures.
15) Converting a downloaded .mdb file to a usable database – rename extension.
16) Avoid spaces in writable directories for exploits – many payloads rely on space‑delimited arguments.
17) Shared database leads to shared user accounts across sites.
18) Order‑by injection without AND/OR – possible after confirming injection point.
19) Anti‑injection system logs – typical warning messages with IP and timestamp.
20) Leveraging logged injection strings to obtain configuration files and shells.
21) Fixing garbled uploaded scripts – change browser encoding.
22) Upload element inspection – front‑end validation can be bypassed by adding types.
23) Reading hidden admin passwords via element inspection – change type="password" to type="text".
24) Exploiting insecure download endpoints – manipulate file= parameter to retrieve arbitrary files.
25) Scanning known sub‑directories for sensitive files.
26) Using XSS for persistent control after gaining a shell.
27) Reading masked admin passwords – modify input element attributes.
28) 403 on script uploads – server configuration blocks execution, try extension bypass.
29) Identifying protection software via HTML source inspection.
30) Purpose of a hidden .zhongzi folder – conceal tools from administrators.
31) Choosing between two SQL injection test URLs – avoid a literal + because it is decoded as a space in the query string.
32) Base64‑encoded injection payloads – decode before testing.
33) Preferred method to obtain a webshell via SQL injection – use UNION SELECT … INTO OUTFILE or sqlmap --os-shell.
34) Differences and fixes for CSRF, XSS, XXE – input validation, output encoding, token/Referer checks, XML parser hardening.
35) CSRF vs SSRF vs replay attacks – client‑initiated, server‑initiated, and packet‑replay respectively.
36) Sample business‑logic flaws – password reset abuse, brute‑force, credential leakage, session fixation, cookie hijacking, CAPTCHA bypass.
37) Session capture example – raw HTTP request with headers.
38) General penetration testing methodology under authorized scope.
39) Using sqlmap for GET, POST, and cookie‑based injections.
40) Nmap scanning techniques – various scan types.
41) Types of SQL injection – error‑based, boolean‑based, time‑based, wide‑byte.
42) Ten common error‑based injection functions – e.g., extractvalue(), updatexml(), geometrycollection(), etc.
43) Detecting time‑based blind injection – if(ascii(substr("hello",1,1))=104, sleep(5), 1).
44) Commonality of blind and time‑based injection – character‑by‑character probing.
45) General approaches to obtain a webshell – upload, template editing, SQL file write, command execution, known CMS backdoors.
46) SQL functions for writing files – SELECT 'data' INTO OUTFILE 'path', INTO DUMPFILE.
47) CSRF mitigation – verify Referer, use anti‑CSRF tokens.
48) OWASP Top‑10 vulnerabilities – SQLi, broken authentication, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, CSRF, using components with known vulnerabilities, unvalidated redirects.
49) SQL injection defenses – use safe APIs, escape special characters, whitelist validation, server‑side filtering.
50) PHP code execution, file read, command execution functions – eval, assert, system, file_get_contents, etc.
51) Alternative ways to discover admin paths via img tags – remote script src, referer leakage.
52) ASPX vs ASP trojan privileges – .NET (ASPX) often runs with higher privileges.
53) WAF bypass techniques – case manipulation, noise characters, encoding, parameter duplication.
54) Writing a webshell to a server – upload vulnerabilities, MySQL INTO OUTFILE, HTTP PUT.
55) Common ports for web, database, and special services – e.g., 80/443, 3306, 6379, 3389, 11211, 27017, etc.
3. Security Vendor Interview Topics
Typical questions include: known vulnerabilities, file‑upload defenses, port scanning tools, injection detection and mitigation, tamper scripts, common ports, OSI layers, web development experience, writing webshells, XSS platforms, penetration testing flow, MySQL privilege escalation, encryption methods, DDoS mitigation, packet capture and Wireshark filters, log cleaning.
4. SQL Injection Prevention
Use safe APIs, escape special characters, whitelist inputs, client‑side restrictions, server‑side filtering, enforce proper character set encoding.
5. Why Parameterized Queries Prevent SQL Injection
Parameters are bound separately from the SQL statement, so the database treats them as data, not executable code.
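To make the distinction concrete, here is an added example (not from the original article) using Python's built-in sqlite3 module with a constructed in-memory users table: the same tautology input rewrites a concatenated statement but is merely compared as a string when bound as a parameter.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so quote
    # characters inside it become part of the statement's grammar.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Safe: the statement is parsed with a placeholder first; the value is
    # bound afterwards and can only ever be compared as a string literal.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"              # constructed tautology input
    print(find_user_concat(db, probe))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(find_user_param(db, probe))   # []: no user is literally named that
```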
6. SQL Header Injection Vectors
User‑Agent, Referer, Cookie, IP address.
7. Blind Injection Overview
Blind injection occurs when errors are suppressed; attackers infer results via boolean responses or time delays.
8. Wide‑Byte Injection Causes and Mitigation
Mismatch between client and server character sets (e.g., character_set_client vs character_set_connection) lets the escaping backslash be consumed as the trailing byte of a multi‑byte character, bypassing the escape; unify the charset to UTF‑8 and use charset‑aware escaping functions.
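The mechanism is easiest to see byte by byte. The following added Python example (not from the original article) emulates a charset-unaware escaper in the style of PHP's addslashes() and then decodes the escaped bytes the way the database would under a GBK versus a UTF-8 connection charset; the probe input is a constructed sample.

```python
def addslashes(raw: bytes) -> bytes:
    # Byte-wise escaping in the style of PHP's addslashes(): it prefixes
    # ' " \ and NUL with a backslash without knowing which bytes belong
    # to a multi-byte character.
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def decode_as_server(escaped: bytes, connection_charset: str) -> str:
    # The database interprets the escaped bytes according to
    # character_set_connection; undecodable bytes become U+FFFD here.
    return escaped.decode(connection_charset, errors="replace")

def quote_still_escaped(raw: bytes, connection_charset: str) -> bool:
    # True when every single quote in the decoded statement text is still
    # preceded by its backslash, i.e. the escaping survived the decode.
    text = decode_as_server(addslashes(raw), connection_charset)
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True

# Constructed probe: a lone lead byte 0xDF followed by a single quote.
# After addslashes() it is DF 5C 27. Under GBK, DF 5C is one two-byte
# character, so the backslash is swallowed and the quote is live. Under
# UTF-8, 0x5C can never be a continuation byte (those are 0x80-0xBF),
# so the backslash survives and the quote stays escaped.
PROBE = b"\xdf'"

if __name__ == "__main__":
    print(quote_still_escaped(PROBE, "gbk"))    # False
    print(quote_still_escaped(PROBE, "utf-8"))  # True
```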
9. XSS Types and Defenses
Reflected, stored, and DOM‑based XSS; defenses include input validation, output encoding (HTML, JavaScript), HTTP‑Only cookies, and CSP.
10. CSRF Mechanics and Defenses
Cross‑site request forgery is client‑initiated; mitigate with token validation and strict Referer checks (tokens are more reliable).
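An added Python example (not from the original article) showing the two checks side by side: a per-session token compared in constant time, and a Referer check that has to reject requests where the header is absent, which is why tokens are the more reliable control. The session, form and header dictionaries stand in for a web framework's request objects (an assumption).

```python
import hmac
import secrets

def issue_csrf_token(session: dict) -> str:
    # One unguessable token per session; it is stored server-side and
    # embedded as a hidden field in every state-changing form.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_valid(session: dict, form: dict) -> bool:
    # Reject when either side is missing; compare in constant time so the
    # check does not leak the token byte by byte through timing.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)

def referer_valid(headers: dict, site_origin: str) -> bool:
    # Referer-based check. Many browsers, proxies and privacy settings strip
    # the header, so a strict policy rejects legitimate traffic and a lenient
    # one (accepting a missing header) lets forged requests through.
    referer = headers.get("Referer")
    if referer is None:
        return False
    # Require the full origin plus a path separator so that
    # "https://example.com.evil.test/" does not pass a prefix test.
    return referer == site_origin or referer.startswith(site_origin + "/")
```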
11. SSRF Fundamentals
Server‑side request forgery forces the server to request internal resources; detection via request analysis, mitigation by restricting protocols, IP whitelisting, and disabling redirects.
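An added Python example (not from the original article) of the mitigation side: a URL validator that enforces a scheme allow-list, resolves the host, and refuses any answer that is not a public address (the deny-list complement to the IP allow-listing the text recommends). The resolver is injectable so the check can be exercised offline; the hostnames and addresses in the usage are constructed samples.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host: str) -> list:
    # Return every address the name maps to; a benign-looking hostname can
    # resolve to an internal address, and a name may have several records.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_internal(addr: str) -> bool:
    # Treat anything that is not a globally routable unicast address
    # (private, loopback, link-local, multicast, reserved) as internal.
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return True
    return not ip.is_global

def is_safe_fetch_target(url: str, resolver=resolve_all) -> bool:
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        ipaddress.ip_address(host)   # an IP literal needs no lookup
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:              # socket.gaierror is a subclass
            return False
    if not addrs:
        return False
    # Every answer must be public: one internal record is enough to refuse.
    return not any(is_internal(a) for a in addrs)
```

Connect to the validated address rather than re-resolving the name afterwards, and disable redirect following in the HTTP client, since a redirect target is never seen by this function.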
12. File Upload Vulnerabilities
Root cause: insufficient server‑side validation; bypass methods include case changes, double extensions, and front‑end validation removal; defenses involve non‑executable upload directories, whitelist MIME types, random filenames.
13. File Inclusion Risks
Local file inclusion via functions like include(), require(), fopen(), etc.; the attacker controls the included path.
14. Logic Flaws in Financial Applications
Data tampering, race conditions, privilege escalation, order bypass, and information leakage.
15. Man‑in‑the‑Middle (MITM) Attacks
Occurs due to lack of mutual authentication in SSL/TLS; mitigations include PKI mutual auth, latency tests, and alternative key exchange methods.
16. ARP Spoofing
Attacker poisons ARP cache to intercept traffic; defenses: static ARP entries, ARP firewalls, gateway MAC binding.
17. DDoS Principles and Defenses
SYN flood and HTTP flood overload resources; defenses include SYN cookies, rate limiting, and traffic scrubbing.
18. Privilege Escalation Techniques
MySQL UDF and MOF exploits on Windows, using CREATE FUNCTION … SONAME 'udf.dll' and MOF event injection to add admin users.
19. Special Vulnerabilities
Struts2‑045, unauthenticated Redis, Jenkins, MongoDB, Memcached, FFmpeg local file read; each with specific exploitation paths and hardening steps.
20. Security Knowledge Summary
Web frameworks (Struts, Spring), same‑origin policy, JSONP attacks, PHP command execution functions, database file locations, log cleaning techniques, SSH hardening, password‑hashing basics, TCP/IP fundamentals, HTTPS handshake, Wireshark filters, firewall hardening.