From February to April, I went through about 20 interviews of various sizes. Here's a record of some of them:
- Have you heard of the Tomcat AJP vulnerability?
- Java deserialization vulnerability
- JNDI injection, difference between Java 7 and Java 8 (I dug my own hole here, I mentioned in my resume that I know Java auditing and JNDI injection, but I didn't prepare well, so the interviewer caught on to Java)
- How to utilize XXE if unable to connect to the internet (nested error XXE or using the system's built-in DTD file)
- What are you good at?
I don't know why, but I felt awkward talking to the Changting interviewer. The interview ended after only 20 minutes, and of course, the result was not good.
ByteDance - Enterprise Application Security
- Specific code auditing case
- Explain the principles, exploits, risks, and defenses of four types of vulnerabilities you know
- Do you know XSS?
- Explain the frontend vulnerabilities you are familiar with
- Python sandbox escape
- What do you think are your strengths?
- Plans for the future
The first round at ByteDance felt great. The interviewer guided me throughout the process and respected my opinions.
- Have you heard of the Electron framework (the one used to develop VSCode)? I said no, but I know Vue.
- How to defend against CSRF in Vue (I'm not very familiar with defending against CSRF in Vue, so I talked about defending against CSRF in general)
- Prompted that Vue connects with the backend through AJAX, and I remembered, so I mentioned using CORS for defense and explained CORS defense
- Continued questioning. CORS is divided into simple requests and non-simple requests. How to differentiate a POST request?
- What have you done with Java?
- Do you know mXSS?
- Briefly explain parameter stack pushing and popping
- How do you apply what you've learned from CTF in practical scenarios?
- Do you have any knowledge of Go?
The second round interviewer was also great, the only problem was... their child was too noisy... interrupting my train of thought several times.
The third round was with the department leader. I thought they would continue asking technical questions, but... they asked a bunch of questions related to life, and my answers weren't good enough to fully demonstrate my abilities...
- First experience with CTF (because of this question, I kept talking about CTF, maybe the leader thought my perspective was too narrow)
- Your plans for the future (this kind of question is really hard to answer)
- How did you choose this major?
- What skills do you think you need to improve?
- What should you pay attention to when learning programming languages?
- Go's garbage collection mechanism (I shouldn't have mentioned that I've learned a bit of Go, I couldn't answer this question)
- What are the concurrency mechanisms in Go? (I only knew about channels...)
After the interview on Friday, I was rejected on Monday. Later, I transferred to the Security and Risk Control Department, but it turned out to be a development position, and the questions asked were all related to programming.
I only recorded a few questions:
- Difference between HTTP 1.0 and 1.1
- Principles of hashtable
- Difference between process and thread
- Methods of inter-process communication
- Resolving hash collisions
- TCP and UDP protocols
- Implementing insertion and deletion in a doubly linked list using C
The interview lasted for over an hour... In the end, the interviewer said they read my blog and thought I was good at vulnerability discovery and penetration testing, and suggested that I apply to other departments. I told them that I had transferred here...
KnownSec - 404 Laboratory
I applied to KnownSec on March 5th, but the interview wasn't scheduled until the end of March, so I had almost forgotten about it.
- Share a few CMS vulnerability discovery cases
- Approach to code auditing
- Suppose you find a deserialization entry point in a CMS, how would you discover a POP chain?
- If you can't find a POP chain in the CMS, how would you exploit it? (I didn't know, the interviewer told me to use the built-in classes for deserialization)
- Most memorable CTF question
- Explain your analysis of the Tomcat AJP vulnerability
- Besides CTF, where else do you learn about security?
- How to exploit stored XSS when it's httponly?
- Explain the Redis master-slave replication vulnerability
- Explain the global variable lock in Python
- When would you use multithreading in Python? When would you use multiprocessing?
- Why is multithreading in Python considered pseudo-multithreading?
- How would you develop an automated code auditing tool for a CMS?
Tencent - Application Operations Security
Later, I found out about Tencent's interview process. They have a common resume pool, and each department fishes out resumes from there. If they see a resume they like, they will call to learn more about the candidate (so I received several calls to learn more about me). If they want to interview you, they need to lock your resume, which means other departments cannot interview you, only the department with the locked resume can.
After two rounds of phone calls to learn more about me, my resume was sent to the Application Operations Security department, but I don't know which business group specifically.
- Incident response
- Logic vulnerability in password reset
- RMI exploitation process
- Flask SSTI vulnerability
- How to protect against XSS
- How to bypass CSP
- Secure development process
- Common remote control software
- How to bypass SQL filtering of single quotes
- How to protect against SQL injection
- Linux commands to view processes and ports
Afterwards, the online application page indicated that I had entered the next round, but it was not updated until it turned gray.
Tencent - Backend Strategy Security
I thought I had no hope with Tencent, as everyone was being sent to Xinjiang for training, but the Tencent WeChat business group contacted me to ask if I was interested.
April 9th - Pre-interview
Asked questions for about an hour, felt like they were just trying to understand my situation. Later, I found out it wasn't even the first round. Let's just call it the pre-interview. I didn't make any notes after the interview, so I'll have to rely on my memory.
- Explain Python sandbox escape
- Do you know about Node.js sandbox escape?
- Have you heard of DLL injection?
- Familiar with binary security, such as common packers and unpacking methods
- Familiar with big data?
- Coding question: Move odd numbers to the front and even numbers to the back of an array
April 11th - First Round
- Difference between HTTPS and HTTP
- How to prevent ISPs from tampering with your traffic
- Operating system process communication methods
- XSS and CSRF
- Second-order injection
- Have you summarized any methodologies for web security?
- What is the minimum scheduling unit in an operating system? What is the minimum unit for allocating resources in an operating system? What happens if a process crashes? What happens to its threads?
- Why does TCP require a three-way handshake? Why not two-way or four-way?
- Ways to unpack binaries
- Coding question: Binary search
April 13th - Second Round
This round felt quite awkward, and I felt like I didn't do well. After the interview, I couldn't help but check the status on the official website every day.
- Have you had any experience with penetration testing?
- What reverse engineering have you done?
- How to prevent cheating in mini-games, like "Jump Jump"
- What have you learned about binary security?
- What have you learned about Java security?
- Have you done any APK reverse engineering?
- How does the hashtable in Java work?
- Do you know about hash flooding attacks?
- TCP flooding attacks
- What do you think are your advantages compared to others?
- What WeChat games have you played?
- Do you know about content security?
- Coding question: Remove duplicates from an array
April 17th - Third Round
First time doing an interview at the airport... I had no choice, it was the last day of Tencent's campus recruitment, so I had to finish the interview.
However, I couldn't understand the questions the interviewer asked me.
- How do you detect developers bypassing our set policies?
- How do you detect content security?
- How do you prevent cheating in games?
- Anything else you want to add? (Then I started rambling)
Because I was at the airport, the interview only lasted for about half an hour.
April 18th - HR Round
- What do you think are your advantages compared to others?
- No previous internship experience
- Have you applied to other security companies before?
- Do you think this position is a good fit for you?
- What do your parents do? How have they influenced you?
We chatted for about ten minutes, and the interviewer had a distinctive voice. The interview invitation was sent in the early morning of April 18th, probably after working overtime, hhhh.
At the end of February, I saw a senior from Alibaba Cloud Security Team on a blog, and it said that they were recruiting interns for a long-term period. So I contacted them and had a simple informal interview. They also helped me with an internal referral when campus recruitment started.
The first round was quite easy, less than twenty minutes. It felt like a simple understanding of the situation.
- Have you done any penetration testing?
- How do you detect a reverse shell?
- How do you detect hackers invading a Linux server?
- Explain the Struts2 vulnerability
- Explain CMS auditing
- Explain privilege escalation
- Have you given any presentations?
- What achievements do you have in security?
- What have you produced in the field of IoT?
I didn't answer very well, so I was rejected.
Huawei's written test this time was really difficult. It only had multiple-choice questions, but there were no partial points for multiple-choice questions (if you missed any option, you wouldn't get any points), and there was also a programming question.
- There were many questions about fuzzing frameworks, and they all asked about their uses, but I didn't know any of them.
- There were also some questions about Linux operations, such as the fact that environment variables set in the /etc/profile file apply to all users.
- Web security was also covered, with some questions directly giving you source code and asking about the vulnerability points, as well as some basic concepts, which were not difficult.
- Binary security had a question directly asking about ROP chains and asking you to choose the stack layout.
I don't know if there will be any further interviews.
Campus recruitment still values fundamentals, but for companies like Changting and KnownSec, which are more focused on the offensive side, they may require you to have some expertise and ask more detailed questions. Big companies mainly look at whether your basic knowledge is solid. Many interview questions can be found online, but it's still necessary to ask them. In the end, it feels like interviews are 30% luck and 70% skill, so don't give up until the end, just in case.