Penetration testers and ethical hackers are responsible for identifying and testing vulnerabilities within an organization. These individuals can be in-house employees, third-party contractors or freelancers.
With security attacks on the rise, pen testers are in demand across all industries and areas. The average salary for a pen tester in the U.S. is around $113,000, according to Indeed, but pen testers with extensive experience can expect to earn more.
Pen testers need a mix of technical skills, such as experience with programming languages, computer networking, reverse engineering and cryptography, and soft skills, such as critical thinking and problem solving. Security certifications, such as CompTIA PenTest+, Certified Ethical Hacker and Global Information Assurance Certification Penetration Tester, are also useful.
But, before getting a pen testing job, you have to face a pen testing interview. Prep by reading this excerpt from Chapter 3 of Hack the Cybersecurity Interview by Ken Underhill, Christophe Foulon and Tia Hopkins, published by Packt, and learn how to answer 10 common pen testing interview questions.
Common interview questions for a pentester career
The questions that follow are primarily knowledge-based questions. During a junior pentester interview, you will likely experience many knowledge-based questions, with some hands-on testing assessments possible. For senior and principal pentester job interviews, you often receive a hands-on test of your pentesting skills after the initial phone screen from the recruiter or human resources (HR). You're likely to encounter questions similar to these:
- Where do you go to research the latest vulnerabilities, and why?
Your answer could include following specific security researchers on Twitter, following blogs such as Krebs and Threatpost, podcasts you listen to, and more. There isn't usually a wrong answer here, but the interviewer does want to see how you stay current on recent vulnerabilities and the latest cybersecurity news.
- Do you have a favorite hacker in history, and why are they your favorite?
This question is asked to see how passionate you are about the history of hacking. This is another question with no wrong answer, and you might not have a favorite, which is OK. An example of a famous hacker in history is Kevin Mitnick.
- What are some areas you are planning to improve in?
This question is asked to see whether you are a continuous learner and how you identify areas for self-improvement. Even as a junior pentester, you should expect to be learning something new continuously, and you need to be able to assess your skill set and know the areas you need to improve in. For example, I'm good at social engineering but not so good at programming. As a pentester, I focused less on practicing social engineering since that came naturally and focused instead on becoming better at coding so that I could write my own tools.
- I need you to perform an internal pentest and I have an ROE document in place. What do you do next?
The interviewer is identifying your methodology for approaching a pentest with this question. If you're interviewing for your first pentesting job, you always want to make sure you review and verify the ROE (scoping) document to know what is off limits and what you can attack. Clients sometimes list wrong IP addresses, so you also need to verify that anything listed as available to attack is actually owned by the client. Otherwise, you can get yourself into legal trouble.
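An added example, not from the book or its authors: a scope-vetting check that enforces the two verifications described above, that each target sits inside a signed ROE block and that the block is actually registered to the client. The CIDRs, target list, REGISTRY dict and client name are constructed stand-ins; a real engagement would replace the dict with a live RDAP/WHOIS lookup.

```python
import ipaddress

# Constructed ROE excerpt: CIDR blocks the client signed off on. The last one is
# the kind of mistake the text warns about: it does not belong to the client.
ROE_IN_SCOPE = ["203.0.113.0/24", "198.51.100.0/26", "192.0.2.0/28"]

# Constructed target list handed over with the ROE.
TARGETS = ["203.0.113.10", "198.51.100.70", "192.0.2.5", "not-an-ip"]

# Constructed stand-in for a registry (RDAP/WHOIS) answer: allocation ->
# registered organisation. In practice this comes from a live lookup.
REGISTRY = {
    "203.0.113.0/24": "Example Client Ltd",
    "198.51.100.0/24": "Example Client Ltd",
    "192.0.2.0/24": "Unrelated Hosting Inc",
}

def registered_owner(addr, registry=REGISTRY):
    """Return the organisation an address is registered to, or None if unknown."""
    for cidr, org in registry.items():
        if addr in ipaddress.ip_network(cidr):
            return org
    return None

def vet_targets(targets, in_scope_cidrs, client_name, registry=REGISTRY):
    """Split targets into (approved, rejected); each rejection carries a reason."""
    nets = [ipaddress.ip_network(c) for c in in_scope_cidrs]
    approved, rejected = [], []
    for target in targets:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            rejected.append((target, "not a valid IP address"))
            continue
        # Check 1: inside a block the signed ROE actually lists.
        if not any(addr in net for net in nets):
            rejected.append((target, "outside signed ROE scope"))
            continue
        # Check 2: the block is registered to the client, not a third party.
        owner = registered_owner(addr, registry)
        if owner != client_name:
            rejected.append((target, f"registered to {owner!r}, not to the client"))
            continue
        approved.append(target)
    return approved, rejected

if __name__ == "__main__":
    ok, bad = vet_targets(TARGETS, ROE_IN_SCOPE, "Example Client Ltd")
    print("approved:", ok)
    for target, reason in bad:
        print(f"rejected {target}: {reason}")
```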
- What are the types of cross-site scripting (XSS), and which is the most dangerous?
There are three types of XSS: reflected, stored, and Document Object Model (DOM)-based. How dangerous each one is depends on the situation. Stored XSS is typically more dangerous because the payload is persisted on the server side: it only has to be stored once to keep affecting everyone who later loads the affected page.
- Can you explain XSS as though you were talking to a 10-year-old kid?
This question is designed to see whether you can break down complex cybersecurity topics for stakeholders. Here in the US, statistics vary, but most people read at an 8th-grade level or below, which means in many situations you have to communicate information to stakeholders as though they are 10-year-old kids. I would explain this one with something like this statement:
With XSS, you can log in to anyone's account with a username and password. This is important to fix because an attacker can use attacks such as XSS to perform illegal transactions, which can lead to the company losing money.
When you're presenting to corporate stakeholders, you can also mention how XSS can lead to cookie stealing and be used to perform privilege escalation and in phishing attacks.
- How can you perform XSS if <script> or alert tags are blocked?
If <script> tags are blocked, you could use things such as image payloads or video payloads. Instead of using alert tags, you could use tags such as prompt and confirm.
- What are some ways to mitigate XSS attacks?
You can use encoding, validate user input properly, sanitize output, and use web application firewalls (WAFs).
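An added example, not from the book or its authors, tying the stored-XSS answer and the mitigation answer together: a comment record that an attacker stored once is rendered first by a vulnerable template and then by one that applies output encoding, alongside an allow-list input validator. The comment record, field names, username regex and helper names are assumptions made for the example.

```python
import html
import re

# Constructed sample: a comment record as it would sit in the database after an
# attacker submitted it once. With stored XSS, every later visitor receives it.
STORED_COMMENT = {
    "author": 'eve" onmouseover="alert(1)',   # tries to break out of an attribute
    "body": "<script>alert(1)</script>",       # classic script-tag marker payload
}

def render_comment_unsafe(comment):
    """Vulnerable 'before': untrusted text is concatenated straight into HTML."""
    return (f'<div class="comment" data-author="{comment["author"]}">'
            f'<p>{comment["body"]}</p></div>')

def render_comment_safe(comment):
    """Hardened 'after': HTML-entity encode for the context the value lands in.

    html.escape(quote=True) encodes < > & " ' so the value can neither close
    the attribute nor open a tag. URL, JavaScript and CSS contexts need their
    own encoders; HTML encoding alone is not enough there.
    """
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return (f'<div class="comment" data-author="{author}">'
            f'<p>{body}</p></div>')

# Input validation with an allow-list: a username has no business containing
# quotes or angle brackets, so reject it at the boundary rather than relying on
# encoding alone later.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def has_live_markup(rendered):
    """Demonstration check: did a tag or an attribute breakout survive rendering?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered

if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(STORED_COMMENT))
    print("safe:  ", render_comment_safe(STORED_COMMENT))
```

A WAF can add a second line of defence in front of this, but the encoding in the template is the control that actually removes the bug.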
- What was the last script that you wrote, and what was its purpose?
I want to stress here that as a junior pentester, you don't have to have coding skills, but if you want to be successful in the long term, it's important for you to learn at least one language so that you can write new tools on the fly during an engagement. This question is used to assess your scripting skills, and you might write something simple such as a keylogger that you can show off during the interview.
- What are some types of threat actors?
This question is usually looking for your broader knowledge of threat actors, so mentioning nation-state groups, state-sponsored groups, hacktivists, organized criminal gangs, script kiddies, and insider threats is good for this question. It's also a good idea to stay current on cybersecurity breaches and the threat actors behind them, or at least know a few of the well-known threat actor groups (for example, APT29) from a resource such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) website.
About the authors
Ken Underhill is CEO, executive producer and host of the syndicated Cyber Life television show. Underhill educates around 2.6 million people each year through his online cybersecurity courses and sits on the advisory board of Breaking Barriers Women in CyberSecurity and the Whole Cyber Human Initiative, along with sitting on the board for a number of cybersecurity startup companies.
Christophe Foulon, senior manager and cybersecurity consultant at F10 FinTech, brings over 15 years of experience as a CISO, information security manager, adjunct professor, author and cybersecurity strategist. He also has spent more than 10 years leading, coaching and mentoring people.
Tia Hopkins is field CTO and chief cyber risk strategist at eSentire and adjunct professor of cybersecurity at Yeshiva University. Hopkins was recognized by SC Media as an outstanding educator in 2019, as well as one of the Top 25 Women Leaders in Cybersecurity and Top 100 Women in Cybersecurity, both in 2020. In 2021, she was recognized as a Top Influencer in the Security Executives category by IFSEC Global. Hopkins is also founder of Empow(H)er Cybersecurity, a nonprofit organization aimed at inspiring and empowering women of color to pursue cybersecurity careers.