Cyber Security VAPT Interview Questions and Answers: Part 2

VAPT Interview Questions

Vulnerability Assessment and Penetration Testing (VAPT) is one of the most established domains of cyber security. As most businesses prefer to have an online presence to reach a wider audience, they rely on websites that showcase their brand image. However, they often pay little attention to the reputational damage they would suffer if their website were hacked or defaced. In the worst case, the business and its customers can face financial losses when stored credentials are compromised. VAPT is one of the most in-demand jobs in the field of cybersecurity today. Many tools and technologies have been developed to conduct VAPT. A typical VAPT interview will include questions about the functioning of commonly used security testing tools and about the candidate's general problem-solving approach.

Following is a list of frequently asked VAPT interview questions. Please feel free to leave more VAPT interview questions in the comments and our team will be happy to share the answers.

1. What is encoding and why is it used?

Encoding: The purpose of output encoding is to convert untrusted input into a safe form, especially where the input is displayed as data to the user and must not execute as code in the browser. Encoding translates special characters into an equivalent that is no longer significant in the target interpreter.

Encoding is a common technique to help protect against many types of attacks, including injection attacks and Cross-site Scripting (XSS).

Examples are as follows:

  • " is replaced with &quot;
  • & is replaced with &amp;
  • < is replaced with &lt;
  • > is replaced with &gt;

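As an added illustration (not code from the original post), the following Python implements exactly the four replacements listed above and applies them to a constructed comment string before it is placed in an HTML page. The html_encode function, the render_comment helper and the sample input are assumptions made for this example; the standard library's html.escape is shown only for comparison.

```python
import html

# The four replacements from the list above. '&' must be encoded first:
# otherwise the '&' produced by '&lt;' would itself be turned into '&amp;lt;'.
HTML_ENCODE_TABLE = [
    ("&", "&amp;"),
    ('"', "&quot;"),
    ("<", "&lt;"),
    (">", "&gt;"),
]


def html_encode(untrusted: str) -> str:
    """Output-encode untrusted text for an HTML element body."""
    encoded = untrusted
    for raw, entity in HTML_ENCODE_TABLE:
        encoded = encoded.replace(raw, entity)
    return encoded


def render_comment(untrusted_comment: str) -> str:
    """Build the HTML fragment a page would emit for a user comment.

    The comment text is encoded at the point of output, so whatever the user
    typed is rendered as visible text rather than parsed as markup.
    """
    return "<p>" + html_encode(untrusted_comment) + "</p>"


def matches_stdlib(untrusted: str) -> bool:
    """For text without single quotes, html.escape yields the same result.

    html.escape additionally turns ' into &#x27;, which matters when the output
    lands inside a single-quoted attribute value.
    """
    return html.escape(untrusted, quote=True) == html_encode(untrusted)


if __name__ == "__main__":
    # Constructed sample input resembling a script injection attempt.
    sample = '<script>alert("xss")</script> & more'
    print(render_comment(sample))
    # -> <p>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; &amp; more</p>
```

Encoding is context-specific: this table is correct for text placed in an element body or a double-quoted attribute, but a value inserted into a JavaScript string, a URL parameter or a CSS rule needs the encoding rules of that interpreter instead.
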
2. What do you understand by an unvalidated URL redirect vulnerability? Why is it a concern?

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause it to redirect the request to a URL contained within that input. By modifying the untrusted URL input to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

  • Example: http://example.com/example.php?url=http://maliciouswebsite.com

External URLs should not be allowed in redirect parameters. If no validation is applied, a malicious user could craft a hyperlink that redirects your users to a malicious website.
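
As an added example (not from the original post), here is a Python check a redirect handler could apply to the url parameter before issuing the redirect. The function names, the allowed-host set and the sample URLs, which reuse the example.com and maliciouswebsite.com names from the example above, are assumptions for this illustration. It goes beyond the single case in the text by also rejecting the scheme-relative, userinfo and backslash variants that a plain "starts with http" check would miss.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (assumed for the example).
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a local path or an allowed absolute URL."""
    if not target:
        return False
    # Browsers treat '\' like '/' and strip embedded tabs/newlines; refuse to
    # reason about values that rely on such quirks.
    if any(ch in target for ch in "\\\r\n\t\x00"):
        return False

    parts = urlsplit(target)

    # Only http(s) may appear as an explicit scheme; javascript:, data: etc. are out.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if not parts.netloc:
        # No authority component: accept only a root-relative path and only
        # when no scheme was given (so "http:/host" style values are rejected).
        # A value starting with "//" is scheme-relative and leaves the site,
        # but urlsplit already reports a netloc for that case.
        return not parts.scheme and target.startswith("/") and not target.startswith("//")

    # urlsplit().hostname lowercases and drops userinfo and port, so
    # "http://example.com@maliciouswebsite.com" resolves to the real host.
    return parts.hostname in allowed_hosts


def redirect_target(requested: str, fallback: str = "/") -> str:
    """Pick the Location value: the requested URL if safe, else a fixed fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for candidate in ("/account", "http://maliciouswebsite.com",
                      "//maliciouswebsite.com", "https://www.example.com/profile"):
        print(f"{candidate!r:45} -> {redirect_target(candidate)}")
```

The host comparison is an exact match against a fixed set, not a substring or prefix test, which is why example.com.maliciouswebsite.com is rejected. Where the application only ever redirects within itself, dropping the absolute-URL branch entirely and accepting root-relative paths alone is the simplest safe rule.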

3. How do we prevent SQL injection attacks?

Some ways of preventing SQL injection are as follows:

1. Use of Prepared Statements (with Parameterized Queries)
Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. If an attacker were to enter the userID tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username that literally matched the entire string tom' or '1'='1.

2. Use of Stored Procedures
Stored procedures can be written to validate any input that is sent to them, to ensure the integrity of the data, and parameters can be checked for valid ranges.

3. Escaping All User Supplied Input for any sensitive characters

E.g.: ', =, and, -- etc.

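To make the prepared-statement point concrete, here is an added Python example (not from the original post) that runs the page's own tom' or '1'='1 input against an in-memory SQLite table twice: once through string concatenation and once through a parameterized query. The table, its three rows and the function names are constructed for this example.

```python
import sqlite3

# The attacker-controlled value quoted in the answer above.
PAYLOAD = "tom' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("tom",), ("alice",), ("bob",)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Concatenate the input into the SQL text (the pattern to avoid).

    The quote character in the input closes the string literal, so the rest
    of the input is parsed as SQL and changes the meaning of the query.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", find_user_vulnerable(db, PAYLOAD))  # every row comes back
    print("parameterized:", find_user_safe(db, PAYLOAD))        # [] (no such literal username)
    print("parameterized:", find_user_safe(db, "tom"))          # ['tom']
```

Parameter binding protects values in WHERE clauses and INSERT/UPDATE data; it cannot parameterize identifiers such as table or column names or an ORDER BY column, which still need to be checked against a fixed list of known-good names.
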
4. Which do you prefer, blacklisting or whitelisting, and why?

  • A blacklist is a detailed list of what is not allowed
  • A whitelist is a detailed list of what is allowed

From a security standpoint, a whitelist is usually preferred: it allows only the known good and treats everything else as untrusted and bad.
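
As an added example (not from the original post), the contrast below is shown for an upload filename check in Python: a blacklist of dangerous extensions beside a whitelist of the few extensions the feature actually needs. The extension sets, the filename pattern and the sample names are constructed for the illustration.

```python
import re

# Blacklist: the extensions someone remembered to block (constructed).
BLOCKED_EXTENSIONS = {".exe", ".php", ".js"}

# Whitelist: the only things this image-upload feature needs to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Expected shape of a name: one name token, one dot, one extension token.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def extension_of(filename: str) -> str:
    """Return the text from the last dot onward, or '' if there is no dot."""
    dot = filename.rfind(".")
    return filename[dot:] if dot != -1 else ""


def blacklist_allows(filename: str) -> bool:
    """Reject only names whose extension is on the blocked list.

    Anything the list's author did not anticipate (a different case, a
    related extension, an odd name shape) sails through.
    """
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def whitelist_allows(filename: str) -> bool:
    """Accept only names that match the expected shape and a known extension."""
    return (SAFE_NAME.fullmatch(filename) is not None
            and extension_of(filename).lower() in ALLOWED_EXTENSIONS)


if __name__ == "__main__":
    for name in ("photo.png", "photo.PHP", "photo.phtml", "photo.png.php", "../photo.png"):
        print(f"{name:15} blacklist={blacklist_allows(name)!s:5} whitelist={whitelist_allows(name)}")
```

The blacklist has to be right about every bad case, while the whitelist only has to describe the handful of good ones; that asymmetry is the reason for the preference stated above.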

5. What is Clickjacking?

“Clickjacking” (which is a subset of “UI redressing”) is a malicious technique that consists of deceiving a web user into interacting (in most cases by clicking) with something different from what the user believes they are interacting with.

This is a “client-side” security issue that affects a variety of browsers and platforms.

To carry out this type of attack, the attacker has to create a seemingly harmless web page that loads the target application through the use of an iframe.
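
Because the attack depends on the target page being loadable inside an iframe, the countermeasure is to tell the browser which origins may frame the page. Below is an added Python example (not from the original post) that builds the two relevant response headers and checks whether a given set of response headers actually prevents framing, which is the check a tester applies when assessing a page for clickjacking. The function names and the sample header sets are assumptions for this example.

```python
def anti_clickjacking_headers(policy: str = "deny") -> dict[str, str]:
    """Headers a server should send so browsers refuse to frame the page.

    Content-Security-Policy frame-ancestors is the current mechanism;
    X-Frame-Options is kept as a fallback for browsers without CSP2 support.
    """
    if policy == "deny":
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    if policy == "sameorigin":
        return {"Content-Security-Policy": "frame-ancestors 'self'",
                "X-Frame-Options": "SAMEORIGIN"}
    raise ValueError(f"unknown policy: {policy}")


def is_framing_protected(headers: dict[str, str]) -> bool:
    """Return True if these response headers stop third-party framing."""
    lowered = {name.lower(): value for name, value in headers.items()}

    # When a frame-ancestors directive is present, browsers use it and ignore
    # X-Frame-Options. It restricts framing unless it contains the wildcard '*'.
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return "*" not in tokens[1:]

    # Legacy header: only DENY and SAMEORIGIN are honoured by current browsers;
    # ALLOW-FROM is deprecated and ignored, so it offers no protection.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    # Constructed header sets, as might be observed while testing pages.
    samples = {
        "no headers": {"Content-Type": "text/html"},
        "legacy only": {"X-Frame-Options": "SAMEORIGIN"},
        "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
        "hardened": anti_clickjacking_headers("deny"),
    }
    for label, hdrs in samples.items():
        print(f"{label:13} protected={is_framing_protected(hdrs)}")
```

When reviewing a finding, remember that the headers must be present on the specific response that carries the sensitive UI, not just on the site's landing page; a check run only against the home page misses framable sub-pages.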

Tip: Go through the OWASP Top Ten vulnerabilities, their impact and countermeasures. Learn at least one practical example of each and you will get through with flying colors!!!

2 Thoughts to “Cyber Security VAPT Interview Questions and Answers: Part 2”

  1. Thanks for the update! It is so useful for me to understand about IT Information Security. Got so many useful resources about cyber security at United Data Technologies. It provides flexible and interoperable services, including mobility, cloud, collaboration, data, cyber security and software and IT as a service. The company also provides technical, professional and managed services.

  2. hima bindu

    Very useful blog

    Excellent blog
