If you are applying for a penetration testing role, then chances are that you will go through an in-depth interview, for which you should prepare yourself. Let me give you a little bit of help and present some questions which are typically asked during a pentest interview.
The list presented below is by no means exhaustive. The variety of questions that can be asked in such an interview is very large. These questions are meant to help you prepare on your own, not give you “cast in stone” answers to memorize.
What are the most well-known penetration testing frameworks?
You should be able to, at least, list the most well-known pentest frameworks. Check this article for more details on 5 “penetration testing frameworks and methodologies”.
Is there a difference between penetration testing and vulnerability scanning?
There actually is a difference between the two, and not knowing the answer may put you behind in the race against your fellow pen-testers from the start of an interview. Read the relevant article here to learn more.
What is the difference between black box, grey box, and white box testing?
A key question showing your functional knowledge of the penetration testing processes. Companies don’t want “run-and-gun” script kiddies acting as penetration testers. They want professionals who can be team members and follow processes.
What are some penetration testing types?
Internal/external network penetration testing, wireless penetration testing, web application testing, mobile application testing and social engineering are among the common penetration testing types you can list to answer such a question.
Which are the stages of a penetration test?
A basic question for an experienced professional in the field. Reconnaissance, scanning, vulnerability scanning, exploitation and reporting are the common stages of a pentest, and you must be able to describe each of them.
What should you include in your penetration testing report?
Handling the command line like a pro is great, but organizations need results. They need to know that you understand you must produce a report that is actionable and can be read by everyone from top management, who are not tech-savvy, to the engineers who will be responsible for the risk-mitigation action items.
Management needs to understand the risk, and technical teams need to understand how you came up with your findings and what they should do to fix them.
Is there a difference between a bug bounty and a penetration test?
Security testing can be done both through a pentest and a bug bounty program. There are differences though which you should know and be able to explain during your interview.
How can you use a threat model in a penetration testing activity?
Explain what a threat model is and how you can leverage it during your pentest. You can mention how a threat model can help improve the quality of your pentest. Elaborate on how a threat model can greatly help in the accurate rating of the identified risks mentioned in your final report.
Explain what an SQL injection is and how many types exist
Of course, you will be tasked with testing the security of databases, so you must be able to explain what an SQL injection attack is, what the risk of such a vulnerability is, and what measures you would employ to protect systems from such an attack.
You should know all the types of SQL injection that exist and be able to give a brief, concise description of each.
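As an added illustration (not part of the original post), the following Python snippet shows the defect an interviewer expects you to describe and the standard fix side by side: a query built by string concatenation next to the same query with a bound parameter. The in-memory SQLite table and the probe input are constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny users table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: the caller's string becomes part of the SQL text, so a quote
    # character in the input changes the structure of the statement.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    # Hardened: the value travels to the engine as a bound parameter and is
    # never parsed as SQL, so the statement's structure is fixed at compile time.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Constructed probe: a quote plus a tautology, the classic test input.
    conn = build_db()
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, probe),
        "parameterized": find_user_parameterized(conn, probe),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns every row for the probe, while the parameterized one returns nothing because no user is literally named `nobody' OR '1'='1`. In a report, the finding is the concatenation; the recommendation is the bound parameter (or an ORM that uses one), plus least-privilege database accounts to limit impact.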
What is XSS?
A large part of your role will be testing the security of web applications, and you need to be able to explain what a cross-site scripting attack is, how it can be performed against a vulnerable target, and ways to mitigate the attack.
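The mitigation half of the XSS answer is that output encoding must match the context the value lands in. The added Python example below (not from the original post; the `render_profile` template and the display-name inputs are constructed for it) shows three encoders for three contexts and why one generic escape is not enough.

```python
import html
import json


def escape_html_text(value):
    # HTML element content: &, <, >, " and ' become entities, so the browser
    # renders the value as text and never as markup.
    return html.escape(value, quote=True)


def escape_html_attr(value):
    # Quoted attribute value: same entity encoding, and this helper always adds
    # the surrounding double quotes so an unquoted attribute cannot slip through.
    return '"' + html.escape(value, quote=True) + '"'


def escape_js_string(value):
    # Value embedded in a <script> block: JSON-encode it, then replace the
    # characters that could terminate the script element or inject separators.
    encoded = json.dumps(value)
    for ch, repl in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(ch, repl)
    return encoded


def render_profile(display_name):
    # Each insertion point uses the encoder for its own context (constructed template).
    return (
        "<p>Hello, " + escape_html_text(display_name) + "</p>\n"
        "<input value=" + escape_html_attr(display_name) + ">\n"
        "<script>var displayName = " + escape_js_string(display_name) + ";</script>"
    )


if __name__ == "__main__":
    print(render_profile('<b onmouseover="x()">name</b>'))
```

When testing, the interesting cases are values that are harmless in one context but not another: `</script>` is inert as element text after entity encoding, yet without the `\u003c` substitution it would close the script block even inside a JSON string.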
What is a CSRF attack and how can you detect one?
Explain what CSRF is and how an attacker can exploit such a vulnerability. Mention the techniques and tools you would use to test for it.
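When you describe the fix, interviewers usually want to hear "session-bound anti-CSRF token plus Origin/Referer check". The Python example below is added here to make that concrete and is not code from the original post; the server key, the time-to-live and the request shapes are constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Assumption: in a real application this key is loaded from configuration.
SERVER_KEY = b"constructed-server-key-for-this-example"
TOKEN_TTL_SECONDS = 3600


def issue_csrf_token(session_id, now=None):
    # Token = issued-at . HMAC(key, session_id | issued-at). Binding the MAC to
    # the session means a token captured from another session is useless.
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(session_id, token, now=None):
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (ValueError, AttributeError):
        return False
    current = time.time() if now is None else now
    if issued > current or current - issued > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak by timing.
    return hmac.compare_digest(mac, expected)


def origin_matches(headers, site_origin):
    # Compare scheme + host only; Referer also carries a path, Origin does not.
    header = headers.get("Origin") or headers.get("Referer")
    if not header:
        return True  # no header to check; the token check below still applies
    p = urlparse(header)
    return f"{p.scheme}://{p.netloc}".lower() == site_origin.lower()


def is_state_change_allowed(method, headers, form, session_id, site_origin, now=None):
    # Safe methods must not change state, so they carry no token.
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not origin_matches(headers, site_origin):
        return False
    return verify_csrf_token(session_id, form.get("csrf_token", ""), now=now)
```

When testing a target, the matching checks are: does the token change per session, is it rejected when removed or swapped with another user's, and does a request with a foreign Origin succeed.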
Explain what an XXE payload is and how it works
Explain what an XXE (XML external entity injection) vulnerability is, how it works, and the different types of XXE attacks, with some examples.
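The defensive answer to XXE is "do not let untrusted documents define entities". As an added example (not part of the original post), the Python loader below uses the standard-library expat parser and aborts on any DOCTYPE declaration, which is where both external (`SYSTEM`) and internal entity definitions live; the sample documents are constructed.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare a DTD or entities."""


def parse_xml_strict(data):
    # Returns a list of (tag, text) pairs in end-of-element order and refuses
    # any document carrying a DOCTYPE, so no entity (external or internal)
    # can ever be declared, let alone expanded.
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    open_stack = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in expat handlers propagate out of Parse().
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        open_stack.append([name, ""])

    def on_end(name):
        tag, text = open_stack.pop()
        elements.append((tag, text.strip()))

    def on_chars(chunk):
        if open_stack:
            open_stack[-1][1] += chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return elements


def is_accepted(data):
    # Convenience wrapper for tests and for logging rejected uploads.
    try:
        parse_xml_strict(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample documents: one benign, one declaring an external entity
# with a placeholder target (rejected before the entity is ever resolved).
BENIGN = "<order><id>42</id></order>"
WITH_DTD = ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY e SYSTEM "file:///placeholder">]>'
            "<order><id>&e;</id></order>")
```

Rejecting the DTD outright is the simplest policy; if a schema legitimately needs a DOCTYPE, the alternative is a parser configured with external entity resolution and entity expansion disabled, which is what the interviewer is listening for.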
Which are the common HTTP methods and in what ways can you exploit them?
Make sure you know all HTTP methods (e.g. GET, POST, PUT, HEAD, DELETE, OPTIONS, etc.). Mention those which are exploitable and the different scenarios in which you could exploit them.
What is the difference between DoS and DDoS? Do you test them during a pentest?
Explain what DoS and DDoS are, give some real-life examples and present the scenarios under which you would use such attacks during a penetration test.
What is Open-Redirect?
Explain the “open redirect” vulnerability, how and for what purpose an attacker would exploit one (e.g. for phishing attacks), and what the impact to the organization is.
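The mitigation is a strict validator for the redirect target, and the tricky part is the edge cases (`//host`, backslashes, `scheme:` without slashes). The Python validator below is an added example, not code from the original post; the allowlisted host is a constructed assumption.

```python
from urllib.parse import urlparse

# Assumption: the application's own hosts; anything else is refused.
ALLOWED_HOSTS = {"app.example"}


def safe_redirect_target(next_param, default="/"):
    """Return a redirect target that stays on our site, or the default."""
    if not next_param:
        return default
    # Browsers treat a backslash like a forward slash, so normalise first;
    # otherwise "/\evil.example" would look like a local path.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Anything with a scheme or host is only allowed as a full http(s)
        # URL to an allowlisted host. This also rejects "javascript:" and
        # "https:evil.example" (scheme present, empty netloc).
        if parsed.scheme not in ("http", "https") or parsed.netloc.lower() not in ALLOWED_HOSTS:
            return default
        return candidate
    # Site-relative path: exactly one leading slash. "//evil.example" has an
    # empty scheme but a netloc, so it was already caught above; this guard
    # covers anything urlparse did not classify as a host.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```

The test inputs a tester would try against a real `?next=` parameter map directly onto the cases the validator handles: protocol-relative URLs, backslash variants, credentials-in-authority tricks (`https://app.example@evil.example`), and non-http schemes.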
Can SSTI lead to RCE and how?
Give a description of the SSTI (server-side template injection) vulnerability, how it may lead to remote code execution, and the impact to the organization.
What are some common file upload restrictions and can you bypass them?
What restrictions can you put in place to prevent potentially malicious files from being uploaded to a web application? Are there ways to bypass them, and how would you test for such a misconfiguration?
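The restrictions worth naming are a size limit, an extension allowlist, a content check that the bytes match the claimed type, and a server-generated filename so the user never controls the path. The Python validator below is an added example (not from the original post) combining all four; the allowed types and their magic bytes are the usual PNG/JPEG/PDF signatures, and the size limit is an assumption.

```python
import os
import secrets

# Allowed extension -> leading bytes the content must start with.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumption for the example


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content):
    """Validate an upload and return the server-chosen filename to store it under."""
    # 1. Size limit before any other work.
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 2. Strip any directory part (handles ../ and backslash variants), then
    #    judge the *last* extension, so "x.png.php" is treated as php.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected("extension not allowed")
    # 3. The bytes must match the claimed type; an extension alone proves nothing.
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")
    # 4. Never reuse the user's name: random name, known-good extension.
    return f"{secrets.token_hex(16)}.{ext}"


def upload_is_accepted(filename, content):
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False
```

Two caveats belong in the answer: a file can satisfy the signature check and still contain other content (a polyglot), so uploads must be served from a location that is never executed server-side and with a fixed `Content-Type`; and the check must run server-side, since client-side restrictions are trivially skipped.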
What is “salt” (in cybersecurity)?
Explain what a salt is, and why and how it is used to defend against attacks on password hashes.
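To make the salt answer concrete, here is an added Python example (not from the original post) of salted, iterated password hashing with the standard library: a fresh random salt per password, stored alongside the hash, and a constant-time verify. The iteration count is an assumption chosen for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption for the example)
SALT_BYTES = 16


def hash_password(password, salt=None):
    # A fresh random salt per password means two users with the same password
    # get different hashes, and a table precomputed for one salt is useless for
    # any other. The salt is not secret; it is stored next to the hash.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    # Recompute with the stored salt and iteration count, compare in constant time.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_hashes(password):
    # Demonstrates the property the salt buys: identical input, distinct records.
    return hash_password(password) != hash_password(password)
```

The iteration count is the second half of the defence: the salt defeats precomputation, the work factor slows per-guess brute force. A memory-hard function such as scrypt or Argon2 is the usual recommendation where available.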
What is a deserialization vulnerability and how can you exploit one?
Describe the vulnerability, give examples, and explain what exploiting such a vulnerability can cause (e.g. DoS, authentication bypass, etc.).
Read more on examples and exploitation methods here.
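The mitigation you should be able to describe is: prefer a data-only format with explicit shape checks, and where a native serializer is unavoidable, restrict which classes it may instantiate. The Python example below is added here and is not from the original post; the order record and the allowlist are constructed for it.

```python
import collections
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    # Only these (module, name) pairs may be resolved while unpickling; any
    # other global reference, however benign, is refused.
    ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_order_json(data):
    # Preferred approach: a format that carries data only, validated field by field.
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"item", "quantity"}:
        raise ValueError("unexpected order shape")
    if not isinstance(obj["item"], str) or not isinstance(obj["quantity"], int):
        raise ValueError("invalid field type")
    if obj["quantity"] < 1:
        raise ValueError("quantity must be positive")
    return obj


def is_valid_order_json(data):
    try:
        load_order_json(data)
        return True
    except ValueError:
        return False


def demo():
    # Constructed inputs: a plain set (allowed) and an OrderedDict, whose pickle
    # references collections.OrderedDict and is therefore refused.
    results = {"safe": restricted_loads(pickle.dumps({1, 2}))}
    try:
        restricted_loads(pickle.dumps(collections.OrderedDict(a=1)))
        results["foreign_rejected"] = False
    except pickle.UnpicklingError:
        results["foreign_rejected"] = True
    return results
```

The allowlist approach works because every class or function a pickle stream wants to instantiate passes through `find_class`; refusing unknown names there is what stops a stream from reaching code it should not. It is still a second-best choice next to not deserializing untrusted bytes with a native format at all.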
What are SAML and OpenID (OIDC)?
Explain what SAML and OpenID are, what they are used for, and in what ways they can be attacked.
Name as many security risks to web applications from OWASP top 10 as you can
Straight from the OWASP website.
I hope this list will help you prepare for your interview and identify gaps in your knowledge and techniques.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.