Unity Interview Questions

  1. Cookie-based XSS
  2. How do you do a write-up
  3. The process how could you handle a pentest against a Web App
  4. For Session Management related testing, what kind of tests would you perform?
  5. Let me know how RoR handles session management
  6. Tell me HTTP methods
  7. Client Side Session Storage
  8. How to mitigate XSS
  9. How SSL Handshake works

1. Cookie-based XSS

As an attacker, if you can obtain the user's cookie (e.g. with local access or session fixation), you don't need XSS in the first place.

If you can inject script, you wouldn't want to inject a script to set a cookie to steal the cookie, you would just steal the cookie in the first place.

The only way I see this as an issue is if the attacker can forge HTTP request headers to the target domain, which is unlikely.

It's definitely still worth noting as part of defense in depth, and it's impossible to think of every possible scenario/attack.

Ref: AppSec Notes: XSS via Cookie - How Severe?

Where the script injection is located in the Cookie header. The problem is there's no good way (in a modern browser) to force a victim's browser to send an HTTP request with a modified Cookie value (to include HTML/JS). While the website or Web application is still technically vulnerable to XSS, this is usually considered unimplementable since no PoC code can be created and the risk/threat is therefore lowered.

Ref: Jeremiah Grossman: Converting unimplementable Cookie-based XSS to a persistent attack

This is certainly a form of persistent XSS, but not in the traditional sense as the injected script is stored on the client machine as opposed to the server and only ever exposed to a single victim.

Ref: Cookie Based Persistent XSS | Zscaler Blog

What is “Unexploitable” XSS?

A condition where a website is technically vulnerable to XSS, not properly encoding output, but for some reason it cannot be used maliciously against another user -- only against itself.

Examples:

  1. Injection point is located in a place where a cross-domain HTTP request cannot modify the user-supplied data (Cookies, User-Agent, etc.)
  2. Vulnerable functionality is protected by CSRF tokens or CAPTCHAs (post-login).

Ref: Slideshare

Although cookie-based XSS is labelled "unexploitable" XSS, there is still a chance to exploit it. PoCs (1, 2) do exist, but they rely on Flash XSS: a vulnerable Flash file must be present on the domain.

8. XSS Mitigation

  1. Sanitization
  2. White List / Black List
  3. XSS header

Ref: XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP
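The two points above (a cookie value reflected without output encoding, and the mitigation list of sanitization, allow lists and browser headers) are easier to reason about with a concrete render path. The following is an added example, not code from the original post or from any referenced source. The cookie payload, the `pref` cookie name and the `ALLOWED_PREFS` set are constructed for illustration; the encoders and headers are standard OWASP-style controls.

```python
import html
import json
from urllib.parse import quote

# Constructed sample: a Cookie header whose "pref" value carries markup. As the
# post notes, an attacker can only plant this with local access or a separate
# bug, which is why the finding is usually rated low despite the missing encoding.
SAMPLE_PAYLOAD = "<img src=x onerror=alert(1)>"
SAMPLE_COOKIE_HEADER = f"sid=abc123; pref={SAMPLE_PAYLOAD}"


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header splitter (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def render_vulnerable(cookies: dict) -> str:
    """The condition the post describes: cookie value copied into HTML unencoded."""
    return f"<p>Your preference: {cookies.get('pref', '')}</p>"


# --- Mitigation 1: output encoding chosen per context ---------------------
def encode_html_body(value: str) -> str:
    # HTML body / attribute context: escape & < > " '
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    # Inside a JS string literal: JSON-encode, then neutralise "</" so a
    # closing </script> tag cannot be smuggled through the literal.
    return json.dumps(value).replace("</", "<\\/")


def encode_url_param(value: str) -> str:
    # URL query component context
    return quote(value, safe="")


# --- Mitigation 2: allow list (preferred over a block list of bad strings) --
ALLOWED_PREFS = {"light", "dark", "system"}  # constructed allow list


def validate_pref(value: str) -> str:
    return value if value in ALLOWED_PREFS else "system"


def render_hardened(cookies: dict) -> str:
    """Validate against the allow list, then encode for the HTML context."""
    pref = validate_pref(cookies.get("pref", ""))
    return f"<p>Your preference: {encode_html_body(pref)}</p>"


# --- Mitigation 3: browser-side headers ("XSS header" in the post's list) ---
def security_headers() -> dict:
    return {
        # A strict CSP is the control that actually stops injected script.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        # Legacy browser XSS filter; current guidance is to disable it and
        # rely on CSP instead.
        "X-XSS-Protection": "0",
    }


def contains_raw_markup(rendered: str, payload: str) -> bool:
    """Write-up check: did the untrusted input survive into the page unencoded?"""
    return payload in rendered


if __name__ == "__main__":
    cookies = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    print("vulnerable:", render_vulnerable(cookies))
    print("hardened:  ", render_hardened(cookies))
    print("headers:   ", security_headers())
```

Running the script prints the raw markup in the vulnerable render and the allow-listed default in the hardened one; in a report, the `contains_raw_markup` check is the evidence for the finding, while the low likelihood of a cross-domain request altering the Cookie header is what drives the severity down.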

9. SSL Protocol

Ref: Cryptography 101 with SSL

  1. Client Hello
    The client's browser sends the website a handshake record with multiple fields (Random, Session ID, Cipher Suites, etc.)

  2. Server Hello
    Server responds with “Server Hello” handshake record.

  3. Compute Premaster Secret

  4. Compute Master Secret
    By now, both sides know the 48-byte premaster secret (computed in step 3), the 28-byte client random number and the 28-byte server random number. Using these values and a pseudo random function, both client and server calculate the 48-byte master secret value.
    master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)

  5. Compute Key Block

  6. Server confirms Encryption

  7. Encrypt Application Data
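Steps 4 and 5 above are pure computation, so they can be reproduced exactly. The following is an added example, not code from the original post or from the referenced "Cryptography 101 with SSL" material. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256 HMAC chain), derives the master secret with the formula quoted in step 4, then expands it into the key block of step 5 and slices it according to the RFC 5246 key layout for an AES-128-CBC/SHA cipher suite. The premaster secret and the two randoms are constructed sample values, not a captured handshake.

```python
import hashlib
import hmac

# Constructed sample inputs (a real handshake would use fresh random bytes).
# RSA key exchange: premaster = 2-byte client version + 46 random bytes = 48 bytes.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
# ClientHello.random / ServerHello.random are 32 bytes on the wire:
# 4-byte gmt_unix_time followed by the 28 random bytes the post refers to.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac_sha256(secret, a)            # A(i)
        out += hmac_sha256(secret, a + seed)  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # TLS 1.2: PRF(secret, label, seed) = P_SHA256(secret, label + seed)
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Step 4: master_secret = PRF(pre_master_secret, "master secret",
    #                             ClientHello.random + ServerHello.random)[0..47]
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # Step 5: key_block = PRF(master_secret, "key expansion",
    #                         server_random + client_random)
    # Note the randoms are concatenated in the opposite order to step 4.
    return prf(master, b"key expansion", server_random + client_random, length)


# RFC 5246 section 6.3 partitioning for TLS_RSA_WITH_AES_128_CBC_SHA
# (SHA-1 MAC keys of 20 bytes, AES-128 keys of 16 bytes, 16-byte IVs).
KEY_LAYOUT_AES128_CBC_SHA = [
    ("client_write_MAC_key", 20),
    ("server_write_MAC_key", 20),
    ("client_write_key", 16),
    ("server_write_key", 16),
    ("client_write_IV", 16),
    ("server_write_IV", 16),
]


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                layout=KEY_LAYOUT_AES128_CBC_SHA):
    """Run steps 4 and 5 and return (master_secret, {key name: bytes})."""
    ms = master_secret(pre_master, client_random, server_random)
    total = sum(size for _, size in layout)
    block = key_block(ms, client_random, server_random, total)
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return ms, keys


if __name__ == "__main__":
    ms, keys = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Both peers run exactly this computation on the same three inputs, which is why step 6 (the server's Finished message) can be verified by the client: if the derived keys differed, the MAC over the handshake transcript would not check out.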

Postscript

Two weeks later, I got a call from HR saying that I was not qualified enough for the position.

Looking back on the interview, I felt I had been able to answer the questions reasonably well.

The key reason I was not selected was probably that I lack the ability to write my own pen-test tools.

From the conversation I learned that they run a semi-DevOps model; I am not sure whether they need to integrate security into the CI/CD pipeline.

Even though I cannot develop tools myself, I should have stressed that I have the aptitude for it and that, with a little exploration, I could pick up the skill.

Also, I missed the chance to talk at length about using bdd-security and ZAP in CI.

It was a good job; unfortunately I fell short and it passed me by.
