Cybersecurity Interview Questions & Answers Scenario-Based

-

 


Scenario-Based Cybersecurity Interview Questions & Answers

1. Web Application Penetration Testing (WAPT)

Bypassing WAF to Exploit a Web App

Scenario: You are testing a website with a WAF (Web Application Firewall) in place. Your SQL injection payloads are being blocked.

Question:
- How would you bypass the WAF to successfully exploit an SQL injection?
- What techniques could you use to avoid detection?
- How would you detect if a WAF is in place?

Answer:
- Bypassing WAF: Use case manipulation, encoding (e.g., CHAR() functions), and comment-based obfuscation (UNION/**/SELECT).
- Avoiding Detection: Slow rate requests, randomizing payloads, or using tools like SQLmap with tamper scripts.
- WAF Detection: Observing different error messages, analyzing HTTP responses, and checking headers for known WAF signatures.

 

 SQL Injection Attack in Production Database

Scenario:
You are testing a financial web application that has a login page and a search functionality. While testing, you find that the search bar is not sanitizing user input and returns SQL errors when you input ' OR 1=1 --.

Question:

· How would you exploit this further to extract database information?

· What steps would you take to confirm if the vulnerability is blind SQL injection?

· How would you mitigate this issue?

Expected Answer:

· Use UNION-based SQL injection to extract table names and user credentials.

· Use Boolean-based blind SQL injection (e.g., ' AND 1=1 -- vs. ' AND 1=2 --) to see response differences.

· Use time-based SQLi (e.g., SLEEP(5)) to confirm if the backend is MySQL.

· Mitigation: Use parameterized queries (Prepared Statements), WAF rules, and limit database permissions.

 

 

Bypassing File Upload Restrictions

Scenario: A web application allows users to upload profile pictures but restricts file types to .jpg and .png. You suspect it is possible to bypass this restriction.

Question:
- How would you attempt to upload a malicious file?
- What techniques could bypass extension-based filtering?
- How should this vulnerability be mitigated?

Answer:
- Exploitation:
  - Use double extensions (shell.php.jpg).
  - Modify Content-Type in the request (image/jpeg instead of application/x-php).
  - Exploit filename spoofing with null bytes (shell.php%00.jpg).
- Mitigation:
  - Implement server-side MIME type verification.
  - Use a whitelist approach and store files outside the webroot.
  - Disable execution permissions on uploaded directories.

 

Exploiting Unrestricted File Upload for Remote Code Execution (RCE)

Scenario: You find an unrestricted file upload feature in a web application. The uploaded files are stored in a publicly accessible directory, and you suspect the server executes certain file types.

Question:
- How would you confirm and exploit this vulnerability?
- What payloads would you use for different environments (PHP, ASP, etc.)?
- How should the developer prevent this issue?

Answer:
- Exploitation:
  - Upload a web shell (e.g., `<?php system($_GET['cmd']); ?>` for PHP or `cmd.exe /c <command>` for ASP).
  - Access the file via URL and execute commands.
- Payload Examples:
  - PHP: `<?php echo shell_exec($_GET['cmd']); ?>`
  - ASP: `<% eval request("cmd") %>`
- Mitigation:
  - Restrict executable file uploads (e.g., block .php, .jsp, .asp files).
  - Store uploaded files outside the web root.
  - Use secure upload libraries that enforce validation and random file naming.

 

Exploiting Cross-Origin Resource Sharing (CORS) Misconfiguration

Scenario: You find that a website allows CORS requests from any origin (Access-Control-Allow-Origin: *).

Question:
- How would you exploit this vulnerability?
- What impact could it have?
- How would you remediate this issue?

Answer:
- Exploitation: Inject JavaScript to send authenticated requests from a victim’s browser.
- Impact: Exfiltrating sensitive user data (tokens, credentials) using a malicious domain.
- Mitigation: Restrict allowed origins, enforce credentials policy, and use CSRF tokens.

2. API Pentesting

Rate Limiting Bypass on an API

Scenario: An API limits login attempts to 5 per minute per IP, but you suspect this can be bypassed.

Question:
- How would you bypass API rate limiting?
- How would you confirm if rate limiting is ineffective?
- What remediation would you recommend?

Answer:
- Bypass Techniques: Using rotating IPs (Burp Suite cluster bomb, proxies) or modifying headers (X-Forwarded-For).
- Confirming Weakness: Sending multiple concurrent requests and checking if limit enforcement fails.
- Mitigation: Implement server-side rate limiting with user tracking, CAPTCHA after repeated failures, and IP reputation checks.

Exploiting IDOR in an API

Scenario: An API endpoint /user/{id} allows fetching user details by ID. You test by changing the id in the request and successfully retrieve another user's data.

Question:
- What is the impact of this vulnerability?
- How would you automate exploitation?
- How should developers fix this issue?

Answer:
- Impact: Unauthorized access to sensitive data (PII, financial details).
- Automation: Use Burp Suite Intruder or a Python script to cycle through id values.
- Mitigation: Implement proper authorization checks (e.g., check session tokens against requested resources).

 

Android/iOS App Pentesting

5. Reverse Engineering an Encrypted SQLite Database in an Android App

Scenario:
You find that an Android app stores sensitive user data in an encrypted SQLite database.

Question:

· How would you extract and decrypt this data?

· What tools would you use?

· How should developers prevent this attack?

Expected Answer:

· Extraction: Pull the database using adb pull /data/data/com.app/databases/mydb.db.

· Decryption: Use Frida hooks or find hardcoded encryption keys via JADX.

· Mitigation: Implement secure encryption (AES-256 with strong keys) and store keys in Android Keystore.

 

6. Dynamic Analysis to Bypass SSL Pinning

Scenario:
An iOS banking app uses SSL pinning, preventing proxying traffic via Burp Suite.

Question:

· How would you bypass SSL pinning for analysis?

· What tools would you use?

· How should developers strengthen SSL pinning?

Expected Answer:

· Bypassing: Use Frida scripts (objection -g app explore) or modify app binaries (iOS Hopper).

· Tools: Frida, iOS TrustStore, SSL Kill Switch.

· Mitigation: Implement certificate transparency, multiple pinned certificates, and strong root-of-trust verification.

· 

6.1 API Key Exposure in Mobile App

Scenario:
While testing a mobile banking app, you decompile the APK and find an API key inside AndroidManifest.xml. The key is used for authentication with the backend server.

Question:

· What are the security risks of hardcoding API keys in mobile apps?

· How would you confirm if this API key has high privileges?

· What mitigation measures would you recommend?

Expected Answer:

· Risk: Attackers can extract the key and use it to make unauthorized API requests.

· Confirmation: Use Burp Suite/Postman to send requests with the API key and check if it allows access to sensitive data.

· Mitigation: Store API keys securely using Android Keystore (for Android) or Keychain Services (for iOS), and use OAuth with short-lived tokens.

 

 

Thick Client Testing

7. Exploiting an Unprotected IPC Mechanism in a Windows Thick Client

Scenario:
You are testing a Windows-based application that communicates via named pipes.

Question:

· How would you check for insecure IPC?

· How can an attacker exploit it?

· What are mitigation strategies?

Expected Answer:

· Detection: Use PipeList.exe to enumerate named pipes, check permissions using AccessChk.

· Exploitation: Abuse unsecured named pipes to inject messages (MitM attack).

· Mitigation: Restrict access controls (DACL & SACL), use encrypted IPC messages.

 

Source Code Review

8. Hardcoded SSH Keys in a Repository

Scenario:
During a source code review, you find private SSH keys committed to a public GitHub repository.

Question:

· What are the risks associated with this?

· How would you check if the key is active?

· What steps should the organization take to mitigate this?

Expected Answer:

· Risks: Unauthorized access to internal servers, lateral movement.

· Verification: Use ssh -i key.pem user@server to test access.

· Mitigation: Rotate SSH keys, remove commits (git filter-branch), use Vault solutions.

 

Network Pentesting

9. Sniffing Cleartext Passwords in a Corporate Network

Scenario:
You find that an internal application transmits credentials over unencrypted HTTP.

Question:

· How would you capture these credentials?

· What are the risks?

· How would you fix this?

Expected Answer:

· Sniffing: Use Wireshark with tcp.port == 80 filter or tcpdump.

· Risks: Exposure to MITM attacks, credential theft.

· Fix: Enforce TLS 1.2+, enable HSTS, and remove legacy HTTP endpoints.

Red Teaming

10. Abusing Misconfigured S3 Buckets for Data Exfiltration

Scenario:
You find an S3 bucket with public read/write access during an external assessment.

Question:

· How would you confirm its exploitability?

· What sensitive data might be at risk?

· How should the organization secure the bucket?

Expected Answer:

· Confirmation: Use aws s3 ls s3://bucket-name --no-sign-request.

· Sensitive Data: Config files, customer data, API keys.

· Mitigation: Block public access, enable encryption, restrict IAM policies.

 

11. Domain Admin Privilege Escalation via Kerberoasting

Scenario:
You have initial access to a Windows AD environment and want to escalate privileges.

Question:

· What steps would you take to perform Kerberoasting?

· How would you extract and crack service account hashes?

· What defenses should be implemented?

Expected Answer:

· Steps: Use GetUserSPNs.py (Impacket) to extract TGS hashes, crack with Hashcat (mode 13100).

· Defense: Enforce AES-only encryption, limit service accounts, use strong passwords.

 

 

 

12. Pivoting from a Compromised Internal Machine

Scenario:
You have gained access to an internal employee workstation in a red team engagement. Your next goal is to move laterally to access a database server.

Question:

· How would you identify lateral movement opportunities?

· What techniques would you use to pivot?

· How would you mitigate these risks?

Expected Answer:

· Identification:

o Use BloodHound to map Active Directory relationships.

o Check for saved RDP credentials.

· Pivoting Techniques:

o Use SSH tunneling or proxychains for hidden network access.

o Exploit Pass-the-Hash (PtH) attacks if NTLM hashes are available.

· Mitigation:

o Enforce strong authentication (disable NTLM, use Kerberos).

o Enable network segmentation to limit access between critical systems.

 

 

Comments

Post a Comment

Popular posts from this blog

Windows Privilege Escalation THM Room

-
Image
Windows Privilege Escalation     INTRODUCTION During a penetration test, you will often have access to some Windows hosts with an unprivileged user. Unprivileged users will hold limited access, including their files and folders only, and have no means to perform administrative tasks on the host, preventing you from having complete control over your target. This room covers fundamental techniques that attackers can use to elevate privileges in a Windows environment, allowing you to use any initial unprivileged foothold on a host to escalate to an administrator account, where possible.  If you want to brush up on your skills first, you can have a look through the   Windows Fundamentals Module   or the   Hacking Windows Module .   Windows Privilege Escalation Windows Privilege Escalation Simply put, privilege escalation consists of using given access to a host with "user A" and leveraging it to gain access to "user B" by abusing a weakness in the ta...
Read more

Linux Privilege Escalation THM Room

-
Image
 Linux Privilege Escalation All Task Solution All Task Solution 2   Privilege escalation is a journey. There are no silver bullets, and much depends on the specific configuration of the target system. The kernel version, installed applications, supported programming languages, other users' passwords are a few key elements that will affect your road to the root shell. This room was designed to cover the main privilege escalation vectors and give you a better understanding of the process. This new skill will be an essential part of your arsenal whether you are participating in CTFs, taking certification exams, or working as a penetration tester.   What does "privilege escalation" mean? At it's core, Privilege Escalation usually involves going from a lower permission account to a higher permission one. More technically, it's the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to ga...
Read more

Eternal blue Using Termux

-
Image
  Introduction On 14 April 2017, a hacker group know by the name of Shadow Brokers leaked exploitation toolkit used by the National Security Agency (NSA). The leak was also used as part of a worldwide WannaCry ransomware attack. EternalBlue is also an exploit developed and used by the NSA according to former NSA employees. Lab Environment Target Machine: Windows 7 Ultimate x64 bit Attacker Machine: Android 5.1 What is EternalBlue EternalBlue actually exploits a vulnerabili t y found in Server Message Block (SMB) protocol of Microsoft Windows various platforms. This vulnerability can be found under CVE-2017–0144 in the CVE catalog.The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Windows 7 Operating with Release Effected by EternalBlue For Full List of Operating System Effected by Eternal Blue please : Click Here Installing Metasploit Framework on ...
Read more