Preface

It's campus-recruitment season again. Thinking back to the 2018 round, all I can say is: bitter tears.

I was an undergraduate at a little-known school, majoring in network engineering. The school is not bad, but next to all the 211 and 985 universities the competition is fierce, and I can only say that the degree held me back a little.

I have been interested in computers since childhood (mostly for playing games). After doing badly in the college entrance exam, I set myself the goal of joining a big tech company (dachang) before I even started university. I decided to work hard enough to match my classmates at famous universities, and I wanted to prove I was no worse than them.

Looking back now, that was youthful bravado; I had no idea that learning computing from zero would take such a long effort.

Fortunately, although I took some detours on the way to my goal, things went smoothly overall.

Below I share my four years of college study and job-hunting experience: methods, skills and lessons, with a careful summary at the end. I suggest you save it and compare it regularly with your own situation. Going by my experience, every student can get into a big company!

Freshman year

Honestly, my freshman year was mostly coasting. There were too many new things, and I gradually forgot the goal I had set before enrollment and ignored the importance of studying; I suspect that is the true picture for most students. When I first arrived I joined many clubs and just had fun with my seniors, not caring about grades at all. Fortunately, I also joined a studio that developed websites for the school, and the lead assigned me tasks that slipped some study into my routine. So in the first semester I did learn a little outside the textbooks, but my performance in the major courses was genuinely mediocre.

Make a plan for yourself and follow the outline

After talking with friends at elite universities during the winter vacation, I realized I had forgotten what I set out to do, so I decided to turn over a new leaf and work hard. Talking with them also made me realize that school courses alone are far from enough to learn network security well. So I bought several books and, in that first winter vacation, learned the 150 common Linux commands used in network security, common attacks on websites, web penetration techniques and so on, finding many more e-books online. Self-study was really hard at the beginning: I got up at 8 every morning and studied until evening. During that time I was almost locked in the house, so time seemed to pass quickly. I have no deep memories of that holiday, only that sometimes a hard problem kept me up until midnight in a low mood.

When I first started learning network security, I forgot the examples in the books as fast as I read them and learned nothing after reading for a long time. So I started typing out code along with the book, making sure I understood each example thoroughly, carefully finishing the after-class exercises, and modifying the examples with my own ideas: I tried building a small web page and then attacking my own site. Learning and getting results by myself felt great. Without the shackles of textbooks and homework I gradually developed a real interest in network security, which planted the seed for the continuous self-study that followed.

In the second semester of freshman year I corrected my attitude first and began to study the school's major courses seriously, hoping for good results. Besides the basic courses taught in school, I learned more about network security in the website development studio, took the initiative to take on campus website maintenance tasks, and recorded my learning process and the techniques I picked up on my blog.

As my study of network security deepened, I realized (damn) that the computer industry really means a lifetime of learning, and I began to study even harder.

During this period I was constantly watching videos: the network security collections on Bilibili, plus many other videos I found on my own. I learned a lot of hands-on techniques.

In the same semester I took two opportunities. The first was applying, as team leader, for a national college students' innovation and entrepreneurship project. The application was really not easy; the teacher turned me down several times, and each time he refused I came back with a new idea and a new plan, until I finally got the chance to do the project. It was the busiest time for coursework, and the courses alone were giving me a headache, but driven by a sense of responsibility I was able to finish the project work at 2 or 3 o'clock every night.

The second opportunity was joining a tutor's graduate-student team to work on a project. Opportunities are fought for on your own; put simply, I asked for it. At that time I only knew simple attack and defense, but I believed I could get through it with hard work. I did not dare hope to keep pace with the seniors, but I could at least not hold them back and contribute more to the project.

By doing projects on my own I earned tens of thousands of yuan and became financially independent. At the same time I accumulated some experience and achieved good results in the major courses.

Keeping up this pace was enough for me.

Sophomore year

In my sophomore year, besides being class monitor, I was also a department head in the Student Union and in a club, so on top of the major courses I had many other things to deal with. However late everything else ran, I always set aside a few hours each day to teach myself technology, even if it meant staying up until 3 or 4 am and getting up at 8 the next morning. When I felt sleepy in class I did relatively mindless tasks, such as writing up notes for lab reports. Then, back in my dorm room, I would lie on the bed with my computer on the quilt, perk up and start studying on my own.

In the first semester of sophomore year I spent almost every day in the teaching building, the college building or the library, in order to consolidate my knowledge base.

In the winter vacation of sophomore year I took part in a CTF competition and was lucky to find an excellent senior who also played CTF. We won the certificate together. In the process I learned a lot of team skills and a lot of knowledge from the seniors. That senior got an offer from Alibaba in campus recruitment, which encouraged me a great deal.

In that winter vacation, besides learning skills, I read some books on computer networks to supplement my theory, and basically studied all day long. Only in the evenings did I go out to play board games with friends, and even while playing I would sometimes think about the problems I had met during the day: pain and happiness together.

In the three months before autumn recruitment I ground through practice questions, at least a few hundred of them. A summary:

1. How does XSS steal cookies?

2. TCP vs UDP, the TCP three-way handshake, SYN flood attacks?

3. Why does a site backed by a MySQL database have only port 80 open?

4. What is the point of directory scanning when penetration testing a mature, relatively secure CMS?

5. What should you do first when you see an editor on a back-end news editing page?

6. What is the point of reviewing the elements of an upload point?

7. What are the differences between CSRF, XSS and XXE, and how is each fixed?

8. 3389 connection failure

9. List the OWASP Top 10 2019

10. Name at least three business-logic vulnerabilities and how to fix them

11. The target site is unprotected: uploaded images can be accessed normally, but accessing an uploaded script returns 403. What is the reason?

12. The target site forbids user registration, and the password-recovery form replies "this user does not exist" for a random username. What can be made of this?

13. SQL injection classification?

14. Approach to intranet penetration?

15. What are the OWASP Top 10 vulnerabilities?

16. Difference between a forward proxy and a reverse proxy

17. Similarities and differences between a forward shell and a reverse shell

18. Windows privilege escalation

20. PHP deserialization

It is a bit much to write out in full, so I have sorted it out below.

Then came the interviews; for autumn recruitment I set my sights on Tencent.

[First interview] 60min

1. Briefly describe the process from entering a URL to the browser displaying the page

2. Why does TCP use a three-way handshake and a four-way close?

3. How does TCP ensure the validity of data packets?

4. The difference between HTTPS and HTTP

5. Symmetric and asymmetric encryption

6. What is the same-origin policy?

7. Linux system commands

Some basic questions, asked briefly

[Second interview] 60min

1. Self-introduction

2. Project introduction: history, duration and language

3. Are you interested in the security and identity-authentication capabilities of PKI on the cloud?

5. What does Bytedance bootcamp do?

6. What are the principles of SQL injection and the defense schemes?

7. How does a WAF protect against SQL injection?

8. How is the division of labor and cooperation in this training camp? What is your role? What is your contribution? Is it possible to improve efficiency?

9. Is your vulnerability hunting purely tool-based, or is there some manual work?

10. What are the functions of the back-end API of the WAF management platform?

11. Is the volume of create/read/update/delete data in the WAF large?

12. What problem does Redis solve?

13. How do you ensure consistency of hot data between Redis and the DB?

14. How is user login authentication done?

15. How do you protect the security of the Token?

16. How should the content of Token be designed?

17. How to ensure that the data is not tampered with?

18. Ideas for SDN vulnerability mining?

19. Have RCE vulnerabilities been excavated?

20. Is there any research on stack overflow and heap overflow?

21. Tell me the process of HTTPS protocol.

22. How many random numbers are there?

23. What if there was one?

24. Are you familiar with C++ or C?

25. Principles of hash tables and conflict resolution? (Asked again)

26. MySQL > select * from 'Mysql';

27. MySQL isolation levels

28. Explain optimistic locks and pessimistic locks.

29. Is multi-concurrent programming involved?

30. Have read/write locks and mutex/exclusive locks been used? What’s the difference? Why?

31. You have a software copyright; what kind of software?
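Questions 14 to 17 above (login authentication, protecting the token, designing its content, and keeping data from being tampered with) come up again in the third round as the token and replay questions, so here is one worked answer in code. This is an added example written for this post, not code from the author or from any interview: it issues an HMAC-SHA256 signed token with an expiry, verifies it with a constant-time comparison, and then defends against replay of individual requests with a per-session key, a timestamp freshness window and a cache of seen nonces. The server secret, TTLs and the `session_key` derivation are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed server secret for this example only; a real service loads it
# from a secrets manager and rotates it rather than keeping it in code.
SERVER_SECRET = b"demo-server-secret-not-for-production"
TOKEN_TTL = 15 * 60       # token lifetime in seconds
REPLAY_WINDOW = 5 * 60    # allowed drift between request timestamp and server clock


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def session_key(sid: str) -> bytes:
    # Per-session key derived from the server secret and the session id, so
    # the server never stores it; the client keeps the copy it got at login.
    return _mac(SERVER_SECRET, b"session-key:" + sid.encode())


def issue_token(user_id: str, now: Optional[float] = None) -> Tuple[str, bytes]:
    """After a successful login: return the signed token and the session key.
    The token holds no secrets, so it needs integrity (a MAC), not encryption."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "sid": _b64e(os.urandom(16)), "iat": now, "exp": now + TOKEN_TTL}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    token = body + "." + _b64e(_mac(SERVER_SECRET, body.encode()))
    return token, session_key(claims["sid"])


def verify_token(token: str, now: Optional[float] = None):
    """Return (claims, "ok") or (None, reason). The MAC is checked with a
    constant-time comparison before the body is parsed at all."""
    now = time.time() if now is None else now
    body, sep, tag = token.partition(".")
    if not sep:
        return None, "malformed"
    try:
        tag_bytes = _b64d(tag)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(_mac(SERVER_SECRET, body.encode()), tag_bytes):
        return None, "bad signature"
    claims = json.loads(_b64d(body))
    if claims["exp"] <= now:
        return None, "expired"
    return claims, "ok"


def sign_request(key: bytes, ts: int, nonce: str, body: str) -> str:
    # Client side: one MAC over timestamp, nonce and body, so none of them
    # can be altered or recombined without the session key.
    return _b64e(_mac(key, f"{ts}.{nonce}.{body}".encode()))


class RequestVerifier:
    """Server side: token check, request MAC check, then replay defence through
    a freshness window plus a cache of nonces seen inside that window."""

    def __init__(self) -> None:
        self._seen = {}  # nonce -> time at which the cache entry can be dropped

    def verify(self, token: str, ts: int, nonce: str, body: str, mac: str,
               now: Optional[float] = None):
        now = time.time() if now is None else now
        claims, reason = verify_token(token, now)
        if claims is None:
            return None, reason
        expected = sign_request(session_key(claims["sid"]), ts, nonce, body)
        if not hmac.compare_digest(expected, mac):
            return None, "bad request mac"
        if abs(now - ts) > REPLAY_WINDOW:
            return None, "stale timestamp"
        # Forget nonces older than the window; a repeated request inside the
        # window still has its nonce cached and is rejected as a replay.
        self._seen = {n: drop for n, drop in self._seen.items() if drop > now}
        if nonce in self._seen:
            return None, "replay"
        self._seen[nonce] = now + REPLAY_WINDOW
        return claims, "ok"
```

The design answers the third-round follow-ups too: the token body is not encrypted, because it carries only a user id, a session id and timestamps; what matters is that the MAC detects any change to it. A plaintext random number would also work as a token if the server stores it and looks it up on every request; the signed form is what lets a stateless service verify it without a lookup. The nonce cache is the one piece of state the replay check needs, and in a real deployment it lives in Redis with a TTL equal to the window.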

[Third interview] 60min

1. Small talk

2. Talk about the project

3. Difficulties and challenges of the project

4. In the SDN vulnerability mining project, can you describe a relatively technical vulnerability? Its principle and how you found it?

5. The difference between Python2 and Python3?

6. What do xrange and range return?

7. The function of a database index? MySQL index changes?

8. Database weak password: how do you escalate privileges after getting in?

9. How do you defend against SQL injection when you write your own projects?

10. How to perform CSRF defense?

11. What does the Token encrypt?

12. What does it check?

13. Why is the Token encrypted? Would a plaintext random number be fine?

14. How do I defend against replay attacks?
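Questions 9 and 10 of this round (defending against SQL injection in your own projects, and CSRF defense) are also questions 6 and 7 of the second round, so here is one worked example for both. It is an added example written for this post, not the author's project code: a login query built by string formatting beside the parameterized version, run against a constructed in-memory SQLite table, and a synchronizer-token CSRF check bound to the session. The table contents and session ids are made up for the example.

```python
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data. Passwords are kept in plaintext only to keep the
    # example short; a real table stores a password hash (bcrypt, scrypt, argon2).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The principle of the bug: user input is spliced into the SQL text, so a
    # quote or operator inside it changes the structure of the query itself.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The defense: the SQL text is fixed and the values travel separately as
    # parameters, so whatever they contain is compared as data, never parsed.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


class CsrfProtection:
    """Synchronizer-token pattern: one unguessable token per session, embedded
    in every form, and required on every state-changing request. A site that
    forges the request from another origin cannot read the victim's token."""

    def __init__(self) -> None:
        self._tokens = {}  # session id -> token (in practice, in the session store)

    def token_for(self, session_id: str) -> str:
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def check(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # Constant-time compare so the token cannot be guessed byte by byte.
        return hmac.compare_digest(expected, submitted)


def handle_transfer(csrf: CsrfProtection, session_id: str, form: dict) -> str:
    # A state-changing handler: reject before doing anything if the CSRF token
    # missing from the form or belongs to a different session.
    if not csrf.check(session_id, form.get("csrf_token")):
        return "rejected: csrf"
    return f"transferred {form.get('amount')}"
```

The SQL side shows why "escape the quotes" is the wrong mental model: `login_safe` never needs to know what characters are dangerous, because the driver sends the query and the values on separate channels. The CSRF token must be tied to the session and compared in constant time; combine it with `SameSite` cookies, but do not rely on `SameSite` alone, since older clients ignore it.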

Tencent did not work out in the end; afterwards I went to a small company, the pay is good too, and I have settled down.

Personal feelings

My feeling is that in the technical rounds the key is not whether you know everything. It is better to know one or two problems in real depth, or to have project experience you can discuss with the interviewer for a long time, so that you can steer the interview toward your own strong points. For example, when the interviewer asked about the process of accessing a website, I described it in particular detail, left HTTPS versus HTTP for the end, and then extended from HTTPS to some cryptographic problems in reverse engineering, or to man-in-the-middle attacks; that can often impress an interviewer. I also feel you should be cautious about asking the interviewer for their assessment of you or what you did badly. If you performed perfectly you can ask; but if the interviewer has not been praising you, they will usually give a simple compliment and then rack their brains for something you did badly, which in effect reminds them of your shortcomings.

Click here if you need my document.