Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions with Answers: Part 1

Vulnerability Assessment and Penetration Testing (VAPT) is one of the most established domains of cybersecurity. As most business prefer having an online presence to cater to a greater audience, they ultimately rely on websites showcasing their brand image. However, they don’t pay attention to the potential damage of reputation in case their website gets hacked or defaced. In the worst case the business and their customers can even face financial losses due to the compromise of stored credentials.

VAPT is one of the most in-demand jobs in the field of cybersecurity today.  Many tools and technologies have been developed to conduct VAPT.

A typical VAPT interviewer will not ask specific questions regarding the functioning of any tool, but would rather be more interested in understanding the general problem-solving approach of the candidate.

Following is a list of questions frequently asked in VAPT interviews:  

1. Please explain cross site scripting.

In Cross-Site Scripting (XSS) attacks malicious scripts are injected into other websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to the end-user. If successful, The attacker may gain access to users cookies, session IDs, passwords, private messages etc.

2. What are the types of cross site scripting

There are three major types of XSS attacks:

Persistent / Stored XSS

The malicious user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. and is reflected every time the page is visited by any user.

Reflected XSS

The malicious user input originates from the victim’s request and is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data.
This input will not reflect in case the same web page is displayed by a different user.

DOM-based XSS:  

DOM actually allows client-side-scripts(Eg: Javascript) to dynamically access and modify the content, structure, and style of a webpage. DOM-based XSS relies on inappropriate handling, in the HTML page, of the data from its associated DOM. Among the objects in the DOM, there are several which the attacker can manipulate in order to generate the XSS condition, and the most popular, from this perspective, are the document.url, document.location and document.referrer objects.

3. Is cross site scripting attack browser based or server based?

Cross site scripting is a client side browser based attack as the script executes in the client browser.

4. What will you do as a developer to correct existing cross site scripting vulnerability in your code reported by the application security auditors

As a developer we should examine the code of the page where the vulnerability is residing and rectify the flaw by putting proper input validations in place to avoid any scripts from executing. In case it has been reported as a persistent XSS, we should also vet the database entries to look for any residing malicious script lying there.

5. Explain CSRF

Cross Site request forgery attacks takes advantage of the website trust in an authenticated user session. as an example, lets consider an application has a user that is logged on, an attacker tricks the user into submitting an HTTP request on the attacker’s behalf, which the application believes to be from the user. the success factor for CSRF relies in the fact that once authenticated,  websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user.

6. What is the prevention used for CSRF

Common techniques for preventing against CSRF attacks are:
1. Check CSRF Token
2. Verify the requests are coming from same origin

Tip: Go through OWASP Top Ten Vulnerabilities, their impact and countermeasures. Learn at least one practical example of each and you will get through with flying colors!!!

For more questions, click here.

Click to know which certification is best for your cyber security career??

Related posts

10 Thoughts to “Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions with Answers: Part 1”

  1. john week

    What’s up mates, its great piece of writing regarding teachingand entirely defined, keep it up all the time.

  2. Suzanne

    Wow, this article is fastidious, my younger sister is analyzing such things, therefore I am going to convey her.

  3. 0mniartist

    Wow, amazing blog layout! How lengthy have you ever been running a blog for?
    you make blogging glance easy. The total glance of
    your site is excellent, let alone the content!

  4. 0mniartist

    Pretty great post. I simply stumbled upon your weblog and wanted to say that I have really enjoyed browsing your blog posts.

    After all I will be subscribing for your feed and I hope you write again soon!

  5. sehh213124131

    I like the valuable info you provide on your articles.

    I’ll bookmark your weblog and take a look at again right
    here regularly. I am somewhat certain I’ll be told many new
    stuff proper right here! Good luck for the following!

  6. ucuz takipçi satın al

    Thanks designed for sharing such a nice thinking, paragraph is good, thats why i have read it

  7. activate espn

    Good article! We will contact this cool post on our website.
    Keep up the good writing.

  8. Antoine Aarts


    I really liked your blog 🙂

    Well, Software penetration testing is a process of appraising the security of computer system or network of computer systems by simulating the attack from wicked outsiders not having an authorized access as well as from malicious insiders having an authorized access to the computers or the network of the company.

    Antoine Aarts

  9. Alisha henderson

    Hi Buddy,

    Great Post!!
    According to me, Penetration testers think outside of the box, and will try to get into your system by any means possible, like a real world attacker would. This could reveal lots of major vulnerabilities your security or development team never considered. The reports generated by penetration tests provide you with feedback on prioritizing any future security investment.

  10. Nice post. I learn something new and challenging on sites I stumbleupon everyday. It’s always helpful to read through articles from other writers and practice a little something from their websites.

    Please Read More: Download Ebook: Ultimate Guide To Job Interview Questions Answers:

    Best rgs

Leave a Comment