12) Application Security Flashcards

1
Q

Which software development vulnerability is stopped by proper bounds checking?

A

Buffer overflows

2
Q

___ is a web-related technology used to develop web pages while ___ refers to an attack where malicious code is embedded into the web page.

A

CSS & XSS

3
Q

CSS is a web-related technology used to develop web pages while XSS refers to an attack where malicious code is embedded into the web page. What does CSS stand for?

A

Cascading Style Sheets

4
Q

CSS is a web-related technology used to develop web pages while XSS refers to an attack where malicious code is embedded into the web page. What does XSS stand for?

A

Cross-site scripting

5
Q

A database is vulnerable to SQL injection attacks through direct attempts against the database server or through application software, including web applications. What is the most effective way of mitigating these attacks?

A

Validating user inputs

6
Q

A type of software development problem that occurs when we do not properly account for the size of the data input into our applications.

A

Buffer overflows/overruns

7
Q

A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions.

A

Race conditions

8
Q

A type of attack that can occur when we fail to validate the input to our applications or fail to take steps to filter out unexpected or undesirable content.

A

Input validation attack

9
Q

A type of attack that can occur when we fail to use strong authentication mechanisms for our applications.

A

Authentication attack

10
Q

A type of attack that can occur when we fail to use authorization best practices for our applications.

A

Authorization attack

11
Q

A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications.

A

Cryptographic attack

12
Q

A type of attack that takes advantage of weaknesses in the software loaded on client machines, or one that uses social engineering techniques to trick us into going along with the attack.

A

Client-side attack

13
Q

An attack carried out by placing code in the form of a scripting language into a web page, or other media, that is interpreted by a client browser.

A

XSS

14
Q

XSS is an attack carried out by placing code in the form of a scripting language into a web page, or other media, that is interpreted by a client browser. What does XSS stand for?

A

Cross-site scripting

15
Q

In this type of attack, the attacker places a link on a web page in such a way that it will be automatically executed, in order to initiate a particular activity on another web page or application where the user is currently authenticated.

A

XSRF

16
Q

XSRF is an attack where the attacker places a link on a web page in such a way that it will be automatically executed, in order to initiate a particular activity on another web page or application where the user is currently authenticated. What does XSRF stand for?

A

Cross-site request forgery

17
Q

An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise click on.

A

Clickjacking

18
Q

A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process.

A

Server-side attack

19
Q

A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, improperly set permissions, extraneous files, outdated software versions, and many more such items.

A

Web application analysis tool

20
Q

A web server analysis tool that performs checks for many common server-side vulnerabilities, and creates an index of all the files and directories it can see on the target web server.

A

Nikto/Wikto

21
Q

A well-known web analysis tool that offers a free and a professional version; the pro version includes advanced tools for conducting more in-depth attacks.

A

Burp Suite

22
Q

A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways.

A

Fuzzer

23
Q

A tool developed by Microsoft to find flaws in file-handling source code.

A

MiniFuzz File Fuzzer

24
Q

A tool developed by Microsoft to examine source code for general good practices.

A

BinScope Binary Analyzer

25
Q

A tool developed by Microsoft for testing certain pattern-matching expressions for potential vulnerabilities.

A

SDL Regex Fuzzer

26
Q

Which software development vulnerability occurs when multiple processes control or share a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions?

A

Race conditions

27
Q

Which of the following is NOT a major category of database security issues?

a) Unauthenticated access
b) Arbitrary code execution
c) Privilege escalation
d) Protocol issues
e) Improper indexing

A

e) Improper indexing

28
Q

Which type of tool bombards our application with inputs from a wide variety of sources in an attempt to cause the application to fail or behave unexpectedly?

A

Fuzzers

29
Q

Which tool performs checks for many common server-side vulnerabilities, and creates an index of all the files and directories it can see on the target web server?

A

Nikto/Wikto

30
Q

Which Microsoft fuzzing tool examines source code for general good practices?

A

BinScope Binary Analyzer