Threat Modelling / Code Review

- Resources-for-Application-Security
- How to prepare for a security engineer interview by Eray Mitrani
- Security_Engineer_Interview_Questions by Tad Whitaker
- Security Engineer - Interview Questions by Namish
- 60 Cybersecurity Interview Questions 2019 Update by Daniel Miessler
- https://www.youtube.com/watch?v=DJ41leCuUm0
- https://www.youtube.com/watch?v=-LL4IE663ng
- https://www.youtube.com/watch?v=Kepd1HsoE8o
- https://www.youtube.com/c/CyberSecurityTV/videos
- https://www.youtube.com/watch?v=eQ1I0wzS8p0&t=3607s
- https://www.owasp.trendmicro.com
- https://www.rules.sonarsource.com

Security Concepts:

- Cert Auth / Chain Of Trust
  - https://www.youtube.com/watch?v=heacxYUnFHA&t=663s
- Digital Certs
  - https://www.youtube.com/watch?v=qXLD2UHq2vk
- SQL Injection
  - https://cwe.mitre.org/data/definitions/89.html
- SSRF
  - https://www.youtube.com/watch?v=nTCDQ0UmFgE&t=844s
- XSS
  - https://www.youtube.com/watch?v=2YD4vygeghM&t=278s
- API Security
  - https://www.youtube.com/watch?v=ijalD2NkRFg
  - https://www.youtube.com/watch?v=zTkv_9ChVPY
  - https://www.youtube.com/watch?v=aQGbYfalRTA&t=1179s
  - https://www.youtube.com/watch?v=5UTHUZ3NGfw&t=3234s
  - https://www.youtube.com/watch?v=qqmyAxfGV9c
- Threat Modelling
  - https://www.youtube.com/watch?v=KGy_KCRUGd4&t=2565s
  - https://www.youtube.com/watch?v=-LL4IE663ng
  - https://www.youtube.com/watch?v=ClWw1znEUqI
  - https://www.youtube.com/watch?v=We2cy8JwVqc&t=885s
  - https://www.youtube.com/watch?v=l4GtDZZFcA8
- OAuth
  - https://www.youtube.com/watch?v=lLeKTVobxDM&t=1763s
  - https://www.youtube.com/watch?v=0VWkQMr7r_c&t=3624s
- HTTP Cookies
  - https://www.youtube.com/watch?v=sovAIX4doOE&t=2s
- SAML
  - https://www.youtube.com/watch?v=SvppXbpv-5k&t=4s
- OpenID
  - https://www.youtube.com/watch?v=rTzlF-U9Y6Y
- ID Management
  - https://www.youtube.com/watch?v=Tcvsefz5DmA
- OWASP Attacks
  - https://www.youtube.com/watch?v=pdC3H8SX-F4

Interview Questions:

- Which architecture is more secure: 2-tier or 3-tier?
- Explain the SSL handshake.
  - https://www.youtube.com/watch?v=ubHZQrECeew
  - https://www.cloudflare.com/learning/ssl/how-does-ssl-work/
  - https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
- Recommend an XXE mitigation for an application that must resolve external entities because of a business requirement.
- Explain CORS and SOP.
  - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  - https://portswigger.net/web-security/cors
  - https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
  - https://www.bedefended.com/papers/cors-security-guide
- Does SOP mitigate CSRF attacks?
  - https://security.stackexchange.com/questions/157061/how-does-csrf-correlate-with-same-origin-policy
- Exploiting SSRF attacks
  - https://portswigger.net/web-security/ssrf
  - https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
  - https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
- What is web cache deception?
  - https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
  - http://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
  - https://portswigger.net/research/practical-web-cache-poisoning
- What is HTTP request smuggling?
  - http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling
  - https://portswigger.net/web-security/request-smuggling
- Explain DOM XSS. Can DOM XSS be stored? Can a CSP header mitigate DOM-based XSS?
  - https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
  - https://html.spec.whatwg.org/multipage/parsing.html
  - https://portswigger.net/web-security/cross-site-scripting/dom-based
  - https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
  - https://www.scip.ch/en/?labs.20171214
- What would your test cases be for a file upload functionality?
  - https://medium.com/@satboy.fb/art-of-unrestricted-file-upload-exploitation-92ed28796d0
  - https://resources.infosecinstitute.com/file-upload-vulnerabilities/#gref
  - https://pentestlab.blog/2012/11/19/abusing-file-upload/
  - https://pentestlab.blog/2012/11/29/bypassing-file-upload-restrictions/
- What is HSTS?
  - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- Explain SSL stripping.
  - https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-english-primer/
- If you have API calls that need to fetch credentials, what is a secure way to store the secrets and make them available to those API calls?
  - https://medium.com/hackernoon/where-do-you-keep-credentials-for-your-lambda-functions-cac746048480
- How does file compression work?
- Which order is secure: compress first and then encrypt the data, or encrypt first and then compress?
- You have found a vulnerability in a product/infrastructure. How will you investigate whether it was already exploited by an attacker?
- What are SPF, DKIM and DMARC?
  - https://www.smartertools.com/blog/2019/04/09-understanding-spf-dkim-dmarc
  - https://www.endpoint.com/blog/2014/04/15/spf-dkim-and-dmarc-brief-explanation
  - https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/
- Explain DNS exfiltration.
- Explain log poisoning using LFI/RFI.
  - https://www.hackingarticles.in/apache-log-poisoning-through-lfi/
  - https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/
  - https://highon.coffee/blog/lfi-cheat-sheet/
- Do the HttpOnly cookie flag and the X-XSS-Protection header mitigate cross-site scripting attacks?
- How do you exploit XSS in a POST request?
  - https://portswigger.net/blog/exploiting-xss-in-post-requests
- What is the difference between IDOR, missing function-level access control and privilege escalation?
- How does Burp Suite work with HTTPS requests?
  - https://www.quora.com/How-is-it-possible-that-a-proxy-tool-like-Burp-Suite-is-able-to-decrypt-HTTPS-communication-like-plain-text-credentials
  - https://portswigger.net/burp/documentation/desktop/tools/proxy/using
- Is the DNS service's communication encrypted?
- Security implications in DNS
- DNS over HTTPS
  - https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
  - https://www.chromium.org/developers/dns-over-https
- How does SSH authentication work?
  - https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
  - https://gravitational.com/blog/ssh-handshake-explained/
- How do you create and implement an SSL certificate?
- How do you verify whether a database is encrypted?
- If you want a script to use credentials from the system, where will you store the credentials?
- Explain the SDLC.
- In which phase of the SDLC should security be integrated?
- Explain encryption in Wi-Fi network communication.
- What are stateless and stateful requests?
  - https://www.geeksforgeeks.org/difference-between-stateless-and-stateful-protocol/
- How is the state of a request saved in HTTP?
- What data does the shadow file contain?
  - https://www.cyberciti.biz/faq/understanding-etcshadow-file/
- What is a salt in cryptography?
- What is the double-submit cookie pattern?
- What is a preflight request?
  - https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
- What are Certificate Transparency logs?
- What is your favourite vulnerability and why?
- Talk about any recent or interesting vulnerability or breach you learnt about.