Common VA PT Questions Asked in An Interview

Akshit Pal
Dec 17, 2021

These questions are generally asked in an interview for an entry-level penetration testing role.

These were specifically asked to me in a VAPT Red Team role.

  1. What is mutation XSS? Explain how you’ll check for stored XSS and exploit it.
  2. What is LFI and RFI?
  3. How will you exploit a vulnerable AD if you’re granted user access (not a password, just access as a user)?
  4. How will you exploit a service in Azure? What services are vulnerable in Azure?
  5. How do you escalate privilege on a Windows machine?
  6. Where is the password of a Windows user stored? Can you see it in clear text? If yes, how?
  7. What is Intruder in Burp? How will you use it to find SSRF?
  8. Explain SSRF, and how will you exploit it? How can you escalate it to gain admin access to an EC2 bucket via SSRF?
  9. How will you find SQLi, and can you use SQLi for privilege escalation? If yes, how?
  10. How will you escalate privilege in an Android app?
  11. How will you do a phishing assessment if we provide you with 100 emails of company employees?
  12. How will you escalate privilege in Linux besides SUID and sudo?
  13. How will you tamper with a JWT?
  14. How will you do a pentest on 10 IPs and exploit them? Explain your methodology briefly.
  15. How will you find an API vulnerability and exploit the API?
  16. What is a bind shell and a reverse shell?
  17. How will you bypass an AV?

Besides these, there were also some other questions which I prepared for, but sadly only some of them were asked.

Interview questions I prepared for:

Network Questions:

1) OSI Model and Layers

2) Transport and Network Layer

3) ICMP & Traceroute working

4) OS Detection using Ping

5) Which layer does Nmap operate at, and how does its OS detection work

6) WPA2 4-way handshake

7) ICMP, TCP, IP Header Length

8) SSL Handshake

9) What happens when we type google.com in browser

10) Router working

11) Subnetting

12) Public/Private IP and Ranges

13) Cryptography ( Asym | Sym)

14) Encoding | Hashing | Encryption

15) Pivoting

16) Port Knocking

17) TCP 3-Way Handshake

18) HTTP is stateless and HTTPS is stateful protocol

19) SSH Local Forwarding

20) Scenario Based Question

21) SSH working (Detailed Description)

22) Nmap switches and their working

23) DHCP

24) ARP

25) MAC and Switching

26) Lateral Movement

27) Reverse | Bind Shell

28) Web Shell

29) Network Tools used in recon

30) SOCKS Proxy and its working

Web Questions:

1) SOP

2) CORS

3) CSP

4) Access Control | IDOR with Mitigation

5) Blind XSS

6) DOM XSS | Source & Sink

7) Template Injection

8) Cookies vs Session

9) Cookies Security Attributes

10) Second Order SQLi and Remediation

11) CSRF | Mitigation

12) Scenario Question (CSRF, XSS, CORS)

13) Anti-CSRF Token Implementation in Response Body | Headers, and which is secure

14) Recon Approach

15) SQL Testing on Login Page

16) Business Logic

17) JWT Basics and Common Attacks

18) OAuth Working

19) Session vs Token Based Authentication Difference

20) Threat | Risk | Vulnerability

21) VA | PT

22) Block vs Stream Ciphers

23) LFI vs RFI

24) XXE | Mitigation

25) SSRF & Blind SSRF

26) RCE

27) Broken Authentication

28) LFI to RCE, leading to Log Poisoning

29) HTTP 1.0 vs 1.1

30) Ping Sweep Program (Any Language)
