Appendix H

Question 1

What can be found within HTML source code that may be beneficial to an attacker

Answer 1

Hidden Form Fields
Database Connection Strings
Credentials
Developer Comments
Other included files
Authenticated only URLs

Question 2

What Nmap script can be used to discover supported methods on a Web site

Answer 2

nmap –script=http-methods.nse ipaddress -n -p 80

Question 3

What Metasploit plugin can be used to discover supported methods on a Web site

Answer 3

auxilary/scanner/http/options

Question 4

What can be used to identify Verb tampering

Answer 4

Nmap script for verb tampering:
nmap –script=http-method-tamper.nse

msfplugin for verb tampering:
auxilary/scanner/http/verb_auth_bypass

Question 5

How does Basic authentication send data

Answer 5

In plaintext

Question 6

How does Digest authentication work

Answer 6

It sends a hash of the password

Question 7

What is a common misconfiguration with the Apache .htaccess file

Answer 7

An application configured with basic security which limits to a specific HTTP request may be susceptible to Verb tampering. Meaning that by simply using a different request i.e. using GET instead of POST, it would be possible to access otherwise restricted forms.

Question 8

What is the best practice of input validation

Answer 8

Web applications should perform input validation checking of all client provided variables, to strip dangerous characters used in many attacks (SQLi / XSS) such as ‘;–| and directives, HTML tags, and JavaScript strings.

Question 9

What are the four strategies for validating data

Answer 9

Accept Known Good - “Whitelist” or “positive”

Checks that data is one of the known good values in list.
Any data that doesn’t match is rejected.

Accept Known Bad - “Blacklist” or “negative”

Blocks unexpected characters, strings or JavaScript which are known in list.
Requires an up to date list of negative characters.

Sanitise with Whitelist

Changes user input into an acceptable form.
Any character which aren’t part of approved list are removed, encoded or replaced.

Sanitise with Blacklist

Sanitises unexpected characters, strings or JavaScript which are known in list.
Requires an up to date list of negative characters.

Question 10

What are the three types of XSS

Answer 10

Stored, Reflected, DOM

Question 11

What is stored XSS

Answer 11

Injected code is stored permanently on the server and executed every time the page is visited

Question 12

What is reflected XSS

Answer 12

When the XSS is not stored on the site, need to send the XSS parameters each time you visit the page.

Question 13

What is DOM XSS

Answer 13

When the payload is executed as a result of modifying the DOM environment in the browser used by the original client side script.

Question 14

What are the potential implications of SQLi

Answer 14

Recovery of data, command execution and compromising data

Question 15

What would the following SQL injection do?

a’ UNION SELECT null,load_file(‘/etc/passwd’) #

Answer 15

Output the contents of /etc/passwd

Question 16

The following injection fails, what is the likely cause?

a’ OR 1=1–

Answer 16

The page says error is near “ ‘ “, more than likely the ‘–’ comment isn’t working, replace ‘–’ with ‘#’