Skip to content

Penetration Tester interview questions

Offensive security: recon, exploitation, privilege escalation, reporting and the methodology behind an engagement.

63 questions questions in this setStart a quiz
How do you decrypt a SHA-256 hash back to the original input?

You don't — cryptographic hashes are one-way functions with no inverse. 'Cracking' a hash means guessing candidate inputs, hashing each, and comparing (dictionary, brute force, rainbow tables), which is exactly why slow salted hashes are used for passwords. There is no key that 'decrypts' a hash. If something can be decrypted it was encrypted, not hashed — and Base64 is reversible encoding, not hashing.

JuniorCryptography
The full answer
Is 127.0.0.1 the only loopback address?

No. The whole 127.0.0.0/8 range is reserved for loopback, so 127.0.0.2, 127.1.1.1, and so on all resolve to the local host. This matters for SSRF and allow-list bypasses — an attacker may use 127.0.0.2 or other encodings to dodge a naive 'block 127.0.0.1' check — and for binding multiple local services. (In IPv6, loopback is the single address ::1.)

JuniorNetworkingLinux Internals
The full answer
Is a device's MAC address permanent and globally unique?

No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.

JuniorNetworking
The full answer
Is data sent via HTTP POST hidden or more secure than data sent via GET?

No. POST simply carries parameters in the request body instead of the URL; that body is plaintext and fully visible to anyone who can see the traffic unless HTTPS is used. POST is preferable for state-changing actions and keeps params out of URLs, logs, and browser history, but it provides no confidentiality on its own. The misconception confuses 'not in the URL' with 'encrypted' — only TLS encrypts either method's data in transit.

JuniorWeb Security
The full answer
What port does traceroute use?

Trick question — there's no single traceroute port. Classic Unix traceroute sends UDP datagrams to high, unlikely ports starting around 33434 with an increasing TTL; Windows tracert uses ICMP Echo instead. It works by reading the ICMP Time Exceeded messages routers return as the TTL expires, not by hitting a reserved port. And ICMP itself has no ports at all.

JuniorNetworking
The full answer
Users upload profile images; the server stores them in the web root and serves them back. What's the risk?

If an attacker can upload a server-executable file (or HTML/SVG) into a servable directory, they may achieve remote code execution or stored XSS. Validate the real content type, store uploads outside the web root or on a non-executing store, randomize filenames, and serve them so they can't be executed or interpreted as markup. Slower page loads and disk usage are operational issues, not the security risk an attacker exploits here.

Mid-levelWeb Security
The full answer
A business-critical production service looks vulnerable to a memory-corruption exploit that might crash it. What do you do?

Rules of engagement usually exclude DoS on production, and an unplanned crash causes real business damage and can void the engagement. Verify scope first; if a destructive proof-of-concept isn't authorized, prove the vulnerability through safer means and clearly document the likely impact. Firing the exploit for a screenshot is reckless. Running it repeatedly for 'reliability metrics' multiplies the outage. Skipping it silently hides a serious, exploitable risk from the client.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
You're wrapping up an engagement where you uploaded webshells and created test accounts. What must you do?

Professional engagements end with full cleanup and an artifact inventory, so you don't leave new attack surface or muddy the client's environment. Leaving shells or accounts for the client to find is negligent and dangerous — a real attacker could reuse them. Keeping a backdoor 'for next time' is unethical and likely illegal. Deleting your own activity logs destroys the audit trail the client needs to validate the test and reconstruct what you did.

Mid-levelGovernance, Risk & Compliance
The full answer
You crack a service-account password from a captured hash. What's the highest-value next step to demonstrate risk?

The point is impact: a reused or over-privileged service credential that unlocks domain admin or critical systems is the finding that matters, so test for reuse and map the privilege and lateral-movement path. Cracking every other hash first is busywork that delays the real story. Changing the service-account password is destructive, breaks production, and tips off defenders. Emailing a live credential in plaintext is itself an exposure and bad operational security.

SeniorIdentity & Access ManagementNetworking
The full answer
During testing you find indicators that a REAL attacker is already inside the client's environment. What now?

Discovering an active intrusion is an out-of-band emergency: the rules of engagement should define an escalation path, so invoke it immediately, preserve evidence, and avoid contaminating an active incident. Continuing to test can interfere with the real attacker or destroy the very evidence responders need. Trying to evict the attacker yourself is out of scope, risky, and may tip them off. Waiting until the final report could mean days of ongoing breach and data loss.

SeniorDFIR (Forensics & Incident Response)Governance, Risk & Compliance
The full answer
For an authorized social-engineering test, which pretext is acceptable?

Social-engineering tests must stay within agreed, ethical pretexts: realistic enough to be useful but without coercion, impersonating authorities, or exploiting personal or medical situations. A generic IT password reset agreed in the rules of engagement is fair game. Impersonating a real employee's sick child or threatening someone with being fired causes genuine psychological harm. Pretending to be law enforcement impersonates authorities and is often illegal even with a signed engagement.

Mid-levelGovernance, Risk & Compliance
The full answer
You have SQL injection on a production app and could dump the entire customer database to prove impact. What's the responsible proof?

Prove the vulnerability without harming the client or hoarding their data: show you can read arbitrary data via the DB version, schema, or a single redacted sample, then stop. Dumping the full PII dataset creates breach-notification and data-handling liability for both parties. Dropping a table is destructive and well beyond proof-of-concept. Encrypting the database and demanding a bounty is extortion, not testing — it is a crime, not a finding.

Mid-levelWeb SecurityGovernance, Risk & Compliance
The full answer
Mid-engagement you discover an exploitable host that is clearly NOT in the agreed scope. What do you do?

Authorization defines the engagement, so testing outside the agreed scope is potentially illegal and breaches the rules of engagement no matter how tempting the target. Document what you saw, stop, and obtain written client approval before going further. Exploiting for 'more findings' is never a justification for unauthorized access. Quietly exploiting it if you think you won't be caught is both unethical and a crime, and self-extending the scope strips the client of informed consent.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
Your report has 30 findings. How should you present them to be most useful to the client?

A useful report drives remediation: rank by business risk (likelihood × impact), surface the exploit chains that lead to critical compromise, and give actionable fixes for each finding. Alphabetical ordering buries what matters under what happens to start with 'A'. Longest-writeup-first rewards verbosity over severity. Dropping the lows hides real risk and the patterns the client needs for defense-in-depth, leaving them with a falsely reassuring picture.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
What is the instance metadata service (IMDS) and how does IMDSv2 mitigate SSRF?

IMDS is a link-local endpoint (169.254.169.254) that gives an instance its metadata, including temporary credentials for its attached IAM role. SSRF can trick the server into fetching that URL and leaking those credentials. IMDSv2 requires a PUT to obtain a short-lived session token, sets a default IP TTL/hop limit of 1, and rejects requests with certain headers — so a simple SSRF GET can no longer reach it.

SeniorCloudIdentity & Access Management
The full answer
What are common S3 bucket misconfigurations and how do you prevent them?

The classic mistakes are public ACLs or bucket policies that allow anonymous or all-AWS-users access, overly broad principals or wildcard actions, no default encryption, and no logging. Prevent them by enabling account-level Block Public Access, using IAM/bucket policies with least privilege, enforcing default encryption and TLS, and turning on access logging and Config rules to catch drift.

Mid-levelCloudIdentity & Access Management
The full answer
What's the difference between Diffie-Hellman and RSA?

RSA is an asymmetric algorithm used to encrypt data or create digital signatures using a key pair. Diffie-Hellman is a key-agreement protocol that lets two parties derive a shared secret over a public channel without ever transmitting it. They solve different problems: RSA proves identity and can wrap keys; DH negotiates a session key — and its ephemeral variant gives forward secrecy.

Mid-levelCryptography
The full answer
How does an HMAC work and why use it instead of a plain hash?

HMAC is a keyed message authentication code: it hashes the message together with a secret key using a nested construction (inner and outer hash with key-derived pads). It proves both integrity (the message wasn't altered) and authenticity (it came from someone holding the key). A plain hash proves neither, since anyone can recompute it; HMAC also resists length-extension attacks.

Mid-levelCryptography
The full answer
How do JWTs work, and what security pitfalls should you watch for?

A JWT is three base64url parts — header, payload (claims), and signature — joined by dots. The server signs the header and payload with a secret or private key, and verifies that signature on each request to trust the claims without server-side session state. Pitfalls: accepting alg=none, RS256-to-HS256 key confusion, not validating expiry/issuer/audience, putting secrets in the readable payload, and no revocation path.

Mid-levelIdentity & Access ManagementWeb Security
The full answer
Explain how Kerberos authentication works with TGTs and service tickets.

Kerberos relies on a trusted Key Distribution Center (KDC). The client authenticates once to the Authentication Server and gets a Ticket-Granting Ticket (TGT) encrypted with the KDC's key. To reach a service, it presents the TGT to the Ticket-Granting Service and receives a service ticket encrypted with that service's key. The service decrypts and trusts it. Passwords never traverse the network, and tickets are time-limited.

SeniorIdentity & Access ManagementWindows Internals
The full answer
Walk me through the TLS 1.3 handshake.

Client and server agree on a shared secret in a single round trip using ephemeral Diffie-Hellman (ECDHE). The ClientHello carries the supported groups and a key share; the server replies with its key share and certificate, both sides derive the same keys, and application data flows immediately — with forward secrecy by default.

Mid-levelNetworkingCryptography
The full answer
Is ARP a TCP or UDP protocol?

Neither. ARP is a Layer-2 (link-layer) protocol that is encapsulated directly in an Ethernet frame, not inside an IP packet. Because it never rides on IP, it cannot use TCP or UDP — those are Layer-4 transports that require IP underneath. ARP's job is to resolve a known IP address to the MAC address on the same local network segment.

JuniorNetworking
The full answer
Your alert() XSS test fires but the popup is blank — what does that tell you?

It confirms XSS. If alert() fired at all, the browser parsed and executed your injected JavaScript in the page context — that is the vulnerability. A blank/empty popup just means the string argument you passed didn't render as expected (quote handling, encoding, or context mangling broke the message), not that the payload is being blocked. The execution sink is live; you refine the payload from here.

SeniorWeb Security
The full answer
On a firewall, would you rather a port be filtered or closed?

Filtered. A filtered port silently drops the packet, so the scanner gets no response and must wait for a timeout — it learns nothing about whether the host even exists, and scanning is slowed dramatically. A closed port sends back a TCP RST, which confirms the host is alive and responding, handing the attacker reconnaissance value for free.

Mid-levelNetworking
The full answer
Does HTTPS fully prevent man-in-the-middle attacks?

Not on its own. HTTPS prevents MITM only when certificate validation is strictly enforced and the client reaches the site over HTTPS to begin with. If a rogue CA is trusted (corporate proxy, malware-installed root), if the user clicks through cert warnings, or if SSL stripping downgrades the connection to HTTP before TLS starts, an attacker can still sit in the middle.

Mid-levelNetworking
The full answer
What port does ping use?

Trick question — ping uses no port. It runs on ICMP, which is a Layer-3 protocol that sits directly on top of IP. Ports only exist in Layer-4 protocols like TCP and UDP, so ICMP (and therefore ping) has none. ICMP uses type and code fields instead, e.g. Echo Request type 8 and Echo Reply type 0.

JuniorNetworking
The full answer
How many packets are exchanged in the TCP three-way handshake?

Three. The client sends a SYN, the server replies with a combined SYN-ACK (one packet that both acknowledges the client's SYN and sends the server's own SYN), and the client finishes with an ACK. The trick is that SYN-ACK is a single packet, not two, so the total is three — exactly what 'three-way' names.

JuniorNetworking
The full answer
What is coordinated vulnerability disclosure and how should it work?

Coordinated vulnerability disclosure is a process where a researcher reports a flaw privately to the vendor, both sides agree on remediation and a timeline, and details are published only after a fix is available (or an agreed deadline lapses). It balances giving defenders time to patch against the public's right to know. A security.txt file and a clear policy make reporting frictionless; bug bounty programs add structured rewards on top.

Mid-levelWeb SecurityThreat Intelligence
The full answer
How do you structure a web application test using the OWASP WSTG?

The WSTG is a checklist-backed methodology that walks an app through testing categories: information gathering, configuration and deployment, identity and authentication, authorization, session management, input validation (injection/XSS), error handling, cryptography, business logic, and client-side. It gives systematic coverage with stable test IDs so findings are reproducible and nothing obvious gets skipped.

Mid-levelWeb Security
The full answer
Walk me through a penetration testing methodology like PTES.

PTES defines seven phases: pre-engagement (scope, rules of engagement, authorization), intelligence gathering (OSINT, recon), threat modeling, vulnerability analysis, exploitation, post-exploitation (pivoting, data of value, persistence), and reporting. The structure makes engagements repeatable, defensible, and tied to business risk rather than ad-hoc hacking — pre-engagement and reporting are the phases juniors underrate.

Mid-levelNetworkingWeb Security
The full answer
What is purple teaming and how do you run a purple team exercise?

Purple teaming is collaborative rather than adversarial: the red side executes specific, agreed TTPs (often mapped to MITRE ATT&CK) while the blue side watches their telemetry in real time to confirm whether each technique is logged, alerted, and detectable. You measure detection coverage technique-by-technique, tune detections and close gaps immediately, then re-test. The deliverable is improved, measurable detection — not a list of who 'won.'

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How does a red team engagement differ from a penetration test?

A pentest aims for broad coverage — find as many vulnerabilities as possible in a scoped target. A red team is objective-driven adversary emulation: pick a goal (e.g., reach the crown-jewel data), emulate a specific threat actor's TTPs, stay stealthy to test detection and response, and avoid noisy scanning. Red teaming measures the blue team and the whole org, not just the asset; both need tight rules of engagement and authorization.

SeniorNetworkingThreat Intelligence
The full answer
What ports do SSH, HTTP, HTTPS, DNS, RDP, and SMB use, and why do they matter?

SSH is TCP 22, HTTP is TCP 80, HTTPS is TCP 443, DNS is 53 (UDP and TCP), RDP is TCP 3389, and SMB is TCP 445. Knowing the well-known ports lets you read scan output, write firewall rules, and triage alerts quickly — a service on its expected port versus an unexpected one is an immediate signal.

JuniorNetworking
The full answer
Walk me through how you enumerate a brand-new target box.

Start with a full TCP port scan, then enumerate every open service in depth — banners, versions, default creds, anonymous access, and web content — before touching any exploit. Most boxes fall to thorough enumeration, not clever exploits, which is the core of the 'try harder' mindset.

JuniorNetworkingLinux Internals
The full answer
Why scan all 65535 ports, and how do you do it efficiently with nmap?

The default nmap scan only covers the top 1000 ports, so a service on a high port would be missed entirely. The efficient pattern is a fast SYN scan of all 65535 ports first, then a focused version and default-script scan against only the ports found open.

JuniorNetworking
The full answer
You have a low-priv shell on a Linux box. How do you escalate?

Enumerate systematically: check sudo -l, SUID/SGID binaries, cron jobs, the kernel and OS version, writable files in privileged paths, capabilities, and stored credentials. Tools like LinPEAS automate the sweep, but you still verify each finding against GTFOBins or a known technique.

Mid-levelLinux Internals
The full answer
How do you find and safely use a public exploit against a target?

Map the exact service and version, search Exploit-DB or searchsploit for a matching PoC, then read the code line by line before running it — fix the target IP, port, and reverse-shell address, regenerate any shellcode, and understand what it does so it cannot backfire on you.

Mid-levelMalwareLinux Internals
The full answer
You've dumped some password hashes. How do you crack them?

First identify the hash format (hashid or context), then run hashcat or John with the correct mode against a wordlist like rockyou, applying rules to mutate candidates. Use the right format flag (NTLM, sha512crypt, NetNTLMv2, etc.) so the tool hashes guesses the same way the target did.

Mid-levelCryptography
The full answer
You've compromised a host with a second network interface. How do you pivot?

Use the compromised host as a relay into the unreachable subnet. Set up port forwarding for a single service, or a dynamic SOCKS proxy (SSH -D or chisel) and route your tools through it with proxychains, so your attacker box can reach internal hosts via the pivot.

SeniorNetworking
The full answer
What do you check when you find SMB and SNMP open on a host?

For SMB, enumerate shares, check for anonymous/null-session access, list users, and identify the version for known CVEs. For SNMP, try default community strings like 'public' and walk the MIB to extract usernames, running processes, installed software, and network details.

Mid-levelWindows InternalsNetworking
The full answer
You catch a reverse shell but it's unstable. How do you upgrade it?

Spawn a pseudo-terminal (commonly python -c 'import pty; pty.spawn("/bin/bash")'), background it with Ctrl-Z, run stty raw -echo on your local side, foreground it, and reset TERM and the rows/columns. That gives you a full TTY with job control, tab completion, and working editors.

JuniorLinux Internals
The full answer
How do you enumerate a web server you've never seen before?

Identify the stack from headers and source, then brute force directories and files with gobuster or feroxbuster using a good wordlist and relevant extensions. Look for admin panels, backups, config files, and upload points, and check virtual hosts when the site responds to a hostname.

JuniorWeb Security
The full answer
How do you approach privilege escalation on a Windows target?

Enumerate current privileges (whoami /priv), misconfigured services (weak permissions, unquoted service paths), AlwaysInstallElevated, scheduled tasks, stored credentials, and missing patches. WinPEAS or PowerUp automates the sweep; token-privilege abuses like SeImpersonate are common high-value wins.

SeniorWindows Internals
The full answer
Show me how you'd combine common web bugs — say SQL injection and XSS — into impact beyond a single finding.

Individually, SQLi exposes or modifies data and can reach RCE; stored XSS hijacks sessions in victims' browsers. Chained, you can use SQLi to plant a stored XSS payload that fires in an admin's session, steal their session, and escalate to full application control.

Mid-levelWeb Security
The full answer
Walk me through Kerberoasting — how it works, why it's possible, and how defenders stop it.

Any authenticated domain user can request a Kerberos service ticket (TGS) for any account with an SPN. That ticket is encrypted with the service account's NTLM password hash, so you extract it and crack the password offline — no privileged access needed to start, and it's near-silent.

SeniorWindows InternalsCryptography
The full answer
Explain the difference between passive and active reconnaissance, with examples of each.

Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.

JuniorNetworkingThreat Intelligence
The full answer
Walk me through the phases of a penetration test from kickoff to delivery.

A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.

JuniorNetworkingWeb Security
The full answer
You've compromised a host on a segmented network. Explain how you pivot to reach systems you can't touch directly.

Pivoting turns a compromised host into a relay so you can reach internal segments your machine can't route to. You use port forwarding, a SOCKS proxy over your C2 channel (e.g. Chisel, SSH dynamic forwarding), or agent-based routing, then run tools through that tunnel to attack the next subnet.

SeniorNetworkingWindows Internals
The full answer
You have a low-privileged shell on a Linux box. Walk me through how you'd escalate to root.

Enumerate first: current privileges, sudo rights, SUID/SGID binaries, cron jobs, writable files in PATH, kernel version, and stored credentials. Then exploit the easiest reliable path — often a misconfigured sudo rule or a SUID GTFOBin — before reaching for a kernel exploit.

Mid-levelLinux InternalsNetworking
The full answer
You've landed a low-privileged shell on a Windows host. How do you escalate privileges?

Enumerate the account's privileges and the host's misconfigurations: token privileges like SeImpersonate, unquoted service paths, weak service permissions, AlwaysInstallElevated, and stored credentials. Then abuse the most reliable one — token impersonation (Potato attacks) is a common route to SYSTEM.

Mid-levelWindows InternalsIdentity & Access Management
The full answer
Explain reverse shells versus bind shells and when you'd choose each.

A bind shell opens a listening port on the target and waits for you to connect to it. A reverse shell makes the target connect outbound to a listener you control. Reverse shells usually win because outbound traffic bypasses inbound firewall rules and NAT.

Mid-levelNetworkingLinux Internals
The full answer
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?

A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.

JuniorNetworkingWeb Security
The full answer
The technical work is done. What goes into a report that the client will actually act on?

A good report serves two audiences: an executive summary that frames business risk for leadership, and detailed, reproducible findings with evidence, accurate risk ratings, and prioritized remediation for the technical team. The report — not the exploit — is the deliverable.

SeniorWeb SecurityDFIR (Forensics & Incident Response)
The full answer
What is CSRF and how do tokens and SameSite stop it?

CSRF tricks a logged-in user's browser into sending a state-changing request to a site where they are authenticated, abusing the fact that cookies are sent automatically. It is stopped with anti-CSRF tokens (a secret per-session value the attacker cannot read or guess) and the SameSite cookie attribute, which stops cookies from riding along on cross-site requests.

Mid-levelWeb Security
The full answer
What is the OWASP Top 10?

The OWASP Top 10 is a community-driven awareness document that ranks the most critical web application security risks, refreshed every few years from real-world data. It is not a checklist or standard but a starting point — recent entries include Broken Access Control (#1), Cryptographic Failures, Injection, and Insecure Design.

JuniorWeb Security
The full answer
How do prepared statements prevent SQL injection?

Prepared statements send the query template to the database first, with placeholders, so the structure is fixed before any user data arrives. Parameters are then bound as pure data and can never be parsed as SQL — so input like ' OR 1=1 is treated as a literal string, not code. This separation is the canonical, reliable fix for injection.

Mid-levelWeb Security
The full answer
How do you prevent XSS?

The primary defense is contextual output encoding — encode untrusted data for the exact place it lands (HTML body, attribute, JavaScript, URL). Pair that with safe DOM APIs (textContent over innerHTML), framework auto-escaping, input validation, and a Content-Security-Policy as a defense-in-depth backstop that limits what scripts can run.

Mid-levelWeb Security
The full answer
Explain the Same-Origin Policy and CORS.

The Same-Origin Policy is the browser rule that script from one origin (scheme + host + port) cannot read responses from a different origin, which protects authenticated sessions. CORS is a controlled relaxation: a server returns Access-Control-Allow-Origin headers to explicitly opt in to letting specific origins read its responses, so it loosens SOP rather than bypassing it.

Mid-levelWeb Security
The full answer
What do the HttpOnly, Secure, and SameSite cookie flags do?

HttpOnly hides the cookie from JavaScript so XSS cannot steal it via document.cookie. Secure ensures the cookie is only sent over HTTPS, blocking network interception. SameSite controls whether the cookie is sent on cross-site requests, mitigating CSRF. Together they harden session cookies against the most common theft and abuse paths.

JuniorWeb Security
The full answer
What are the main types of SQL injection?

SQL injection lets attacker input alter a query. In-band techniques return data directly: union-based appends a UNION SELECT to pull extra columns, and error-based leaks data through database error messages. When no output is visible, attackers use blind SQLi — boolean-based infers data from true/false response differences, and time-based uses delays like SLEEP() to read data one bit at a time.

Mid-levelWeb Security
The full answer
What is SSRF and why is the cloud metadata service a target?

SSRF tricks a server into making HTTP (or other) requests to a destination the attacker chooses, abusing the server's network position to reach internal services behind the firewall. In the cloud it is especially severe because the instance metadata service (e.g. 169.254.169.254) can hand back IAM credentials, turning an SSRF into cloud account compromise.

SeniorWeb SecurityCloud
The full answer
Explain stored, reflected, and DOM-based XSS.

All XSS injects attacker-controlled script into a victim's browser. Stored XSS persists the payload on the server (e.g. a comment) and hits everyone who views it; reflected XSS bounces the payload off the server in a single response, usually via a crafted link; DOM-based XSS never reaches the server logic — vulnerable client-side JavaScript writes untrusted input into the page.

Mid-levelWeb Security
The full answer
What is an XXE attack and how do you mitigate it?

XXE abuses an XML parser that resolves external entities defined in a document's DTD. An attacker declares an entity pointing at a local file or internal URL, and the parser fetches it — enabling file disclosure, SSRF, and denial of service. The fix is to disable DTD processing and external entity resolution in the parser configuration.

SeniorWeb Security
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.