Tanked Pentest Job Interview

Had my first interview in a long time, and it was a phone interview, which I've never been good at (I do better in person). I froze up on so many obvious questions because of anxiety and lack of confidence. Just to give one example, she asked what I would do during a webapp pentest if I'm at a login webpage. In my brain, I was thinking "first thing is I'd look at the page source, see if there are any obvious vulnerabilities in the code, then check for input validation, perhaps try common login/password combos...is that allowed? I don't know if that's allowed...better not say that. I'm not sure", but all I said to her was "uhhh...I don't know." It was pretty sad on my part. Most of the questions went that way.

Of course friends were like, "ehhh...I'm sure you did fine." Nope...I really didn't. Got the rejection email today. Kind of a shame because I think that job would have been a good fit.

Find more posts tagged with

Comments

PCTechLinc

Well, don't be TOO hard on yourself. Obviously you know where you need to improve. The only way you'll get better is through practice. Only thing I can say is just like a certification exam, don't second-guess yourself too quickly. Most of the time your first instinct is correct. Even if you're dead wrong, the worst that can happen is they say no, which is exactly what happens if you trip up. Might as well go the way that has better potential.

You'll do better next time buddy.

tedjames

Write all of this stuff down and keep it handy for next time you do a phone interview.

We interviewed someone via Skype (out of state) and paid attention to where his eyes went when we asked questions.

johndoee

thedudeabides wrote: »

Had my first interview in a long time, and it was a phone interview, which I've never been good at (I do better in person). I froze up on so many obvious questions because of anxiety and lack of confidence. Just to give one example, she asked what I would do during a webapp pentest if I'm at a login webpage. In my brain, I was thinking "first thing is I'd look at the page source, see if there are any obvious vulnerabilities in the code, then check for input validation, perhaps try common login/password combos ...is that allowed? I don't know if that's allowed...better not say that. I'm not sure", but all I said to her was "uhhh...I don't know." It was pretty sad on my part. Most of the questions went that way.

Of course friends were like, "ehhh...I'm sure you did fine." Nope...I really didn't. Got the rejection email today. Kind of a shame because I think that job would have been a good fit : .

A good fit although you didn't do well on the interview? You lost me at your last sentence.

I feel that people in general have to understand what they are applying for. If in the job description it states a tool or emphasis on web applications, research has to be done...even out of the scope of the job description. An individual has to understand the scope of the job and an idea of the tools.

The idea is to understand your scope. Which wasn't properly laid out. But, the first thing anybody would do under normal circumstances is try not minimize or eliminate the generation of logs. That is personally what I would do. Which is what trying a combination of what you call "common" login/passwords will generate. More security device, I mean all security devices and correlation mechanism will generate logs, especially for incorrect login attempts. That is like knocking on a door and expecting them not to see you out of the peep hole.

You said you said uhhh I don't know. I feel that in a help desk interview that would be a turn off. At Level 1 Help Desk saying uhhh... I don't know is not the right answer. That basically says that you aren't able to articulate yourself. You have to work on your communications skills. I suggest you work on YOUR interviewing skills. That seems the be one of my best solutions.

From a phone interview, people can dial into the interview from a phone number at the comfort of a desk. Someone can be at work and do the interview. Someone can be in Thailand and do the interview. I remember I did a phone interview with HP and the manger worked remote and wasn't even at the office. So, I feel that in order to not waste a single persons time..a phone interview should be done first! If I was at home with my wife working remote and had to come into an interview an you said uhhhh...I don't know some could see that as a waste of time. Some things are automatically a turn off depending on the interviewer.

LordQarlyn

johndoee wrote: »

A good fit although you didn't do well on the interview? You lost me at your last sentence.

I feel that people in general have to understand what they are applying for. If in the job description it states a tool or emphasis on web applications, research has to be done...even out of the scope of the job description. An individual has to understand the scope of the job and an idea of the tools.

The idea is to understand your scope. Which wasn't properly laid out. But, the first thing anybody would do under normal circumstances is try not minimize or eliminate the generation of logs. That is personally what I would do. Which is what trying a combination of what you call "common" login/passwords will generate. More security device, I mean all security devices and correlation mechanism will generate logs, especially for incorrect login attempts. That is like knocking on a door and expecting them not to see you out of the peep hole.

You said you said uhhh I don't know. I feel that in a help desk interview that would be a turn off. At Level 1 Help Desk saying uhhh... I don't know is not the right answer. That basically says that you aren't able to articulate yourself. You have to work on your communications skills. I suggest you work on YOUR interviewing skills. That seems the be one of my best solutions.

From a phone interview, people can dial into the interview from a phone number at the comfort of a desk. Someone can be at work and do the interview. Someone can be in Thailand and do the interview. I remember I did a phone interview with HP and the manger worked remote and wasn't even at the office. So, I feel that in order to not waste a single persons time..a phone interview should be done first! If I was at home with my wife working remote and had to come into an interview an you said uhhhh...I don't know some could see that as a waste of time. Some things are automatically a turn off depending on the interviewer.

LOL it's always amusing to read your replies "johndoee". You tell it like it is and don't sugarcoat anything.

To the OP, it's safe to say almost all of us had interviews that, well, could have frankly gone much better. As with writing good CVs, interviewing skills are one of those things they rarely teach in school, which is sad because those skills are perhaps the most valuable skills that will serve one for life. I was fortunate in that regards, one of my classes, Technical Writing, actually had a week long course on resume writing, followed by a week long on interviewing skills, which included mock interviews done by volunteer local hiring managers who did provide blunt but constructive feedback. Even that wasn't enough in my view, there should be an entire course on those skills.

Job applications are marketing campaigns they let prospective employers looking for candidates, that you are out there. A good marketing campaign gets people interested and wanting to know more about the product. In the case of job applications, the product is your skills, expertise, and experience. So you need to have a good marketing campaign, that is, a resume or CV that grabs attention and compels prospective employers to want to know more. You did that part, you got the interview.
The interview is the sales meeting, plain in simple, you are selling your skills, expertise, and experience for a salary and other tangible and intangible benefits. You got the company's attention, the interview is where you make your sales pitch, that is, why you bring the most value to the employer for their offering price - which can be negotiable. As important as it is to have the right set of skills, expertise, and experience, just as important, probably even more so, is how you do your sales pitch. In short, the delivery is at least as important as the content. If anyone ever had a coworker or boss who didn't know the first thing about their job, they probably got hired because they are good at sales and marketing of themselves. Which is one area where probably many of us can improve on, certainly I can. You could have invented the system, but if you flub during the interview you won't get the job. During the interview you must project confidence, stability, convey drive and initiative, as well showing you bring what they are looking for to the table, make a connection with the interviewer.
Finally, every job you apply for, preparation is absolutely vital. Read the job posting, try to get in the mind of the hiring manager, try to discern what he or she is looking for. Then market yourself as the solution they need. Anticipate interview questions and practice them. Do some recon work, research the company and if possible the hiring manager. It's not the end of the world to mess up an interview, learn from the experience and do better next time.

Sheiko37

thedudeabides wrote: »

she asked what I would do during a webapp pentest if I'm at a login webpage.

It's a weird question, because in real life what you'd do is just log in with the supplied credentials and start testing the application.

tedjames

Sheiko37 wrote: »

It's a weird question, because in real life what you'd do is just log in with the supplied credentials and start testing the application.

What if they don't give you credentials?

Sheiko37

I'd email the client saying they haven't forwarded the credentials, then go get a coffee.

mgeoffriau

Sheiko37 wrote: »

I'd email the client saying they haven't forwarded the credentials, then go get a coffee.

What? It sounds like they're asking "How would you test a login page for vulnerabilities?"

Regarding the OP's interview, I can understand that the job might have been a good fit, once he was out of the high-pressure situation of the interview.

But that's kind of the point here -- some people are naturally better at interviews than others, but everyone can get better at it. If nerves are the biggest issue, then there's not much better for that than practice. Start applying to jobs you're only mildly interested in, just to see if you can get to the interview portion and gain some practice. When the next job that you really want comes along, you'll be ready.

tedjames

mgeoffriau wrote: »

What? It sounds like they're asking "How would you test a login page for vulnerabilities?"

That's my point. Essentially, what happens if you hit a roadblock? Do you give up or do you try to find another way in? A hacker would see a login page as a challenge. How can I get in? Can I brute force my way in? I would do some reconnaissance and try to find their default account username structure. A little Google Dorking goes a long way. They also could still be using default credentials, like admin/admin. If I were interviewing someone for a penetration testing job, this is the kind of thing I'd want to hear.

josephandre

i like this guy

mgeoffriau

tedjames wrote: »

That's my point. Essentially, what happens if you hit a roadblock?

I'm in full agreement with you, and see that question as 100% on point when interviewing for a pentest position. I was responding to Sheiko37, who seemed to think he would have to be given credentials for the pentest.

Syntax

tedjames wrote: »

That's my point. Essentially, what happens if you hit a roadblock? Do you give up or do you try to find another way in? A hacker would see a login page as a challenge. How can I get in? Can I brute force my way in? I would do some reconnaissance and try to find their default account username structure. A little Google Dorking goes a long way. They also could still be using default credentials, like admin/admin. If I were interviewing someone for a penetration testing job, this is the kind of thing I'd want to hear.

I think maybe what they were saying is the easiest and first thing an effective hacker would do is ask someone nicely for the credentials. Then the rest of that stuff doesn't matter, you've broken in.

nole07

tedjames wrote: »

Write all of this stuff down and keep it handy for next time you do a phone interview.

We interviewed someone via Skype (out of state) and paid attention to where his eyes went when we asked questions.

Yeah but you don't want to make it look like you're looking at notes or anything. We just interviewed someone for a job over skype. I'm pretty sure that the guy was looking down at his phone and googling answers, but would hem and haw like he was really reaching in his brain for the answer.

I interviewed for an IT job once and i bought a dry erase board, and put it against the wall behind the webcam trying to make it less noticeable. I basically had port numbers written down on it (not the easy ones like ftp and ssh), just in case they came up...and they did.

PCTechLinc

This may shoot me in the foot eventually, but it has served me well so far. I don't study anything for a job interview, and I don't practice. I give whatever I have, so they see me for who I am. No one is going to have all the answers all the time, so I would hope they evaluate me for everything I bring to the table, and not just fact recall. If I don't know the answer, I am completely honest, but tell them how I would go about getting the answer and resolving the issue. I would much rather not get the job than to get the job and possibly fail myself out into the unemployment line. Just my two cents.

tedjames

Syntax wrote: »

I think maybe what they were saying is the easiest and first thing an effective hacker would do is ask someone nicely for the credentials. Then the rest of that stuff doesn't matter, you've broken in.

That's very much true. If you can social engineer your way in, the rest is gravy. Good point!

Sheiko37

tedjames wrote: »

That's my point. Essentially, what happens if you hit a roadblock? Do you give up or do you try to find another way in? A hacker would see a login page as a challenge. How can I get in? Can I brute force my way in?

The client is paying you to test the web application, not yourself.

Ok, lets play it out. The interviewer tells you that the login is rate limited, uses a captcha, you also have no idea what the username format is, there's no blatant vulnerable software in use, and social engineering is out of scope. What's your next step? What is going in your report?