C836 C.12

Question 1

Buffer overflows/overruns

Answer 1

A type of software development problem that occurs when we do not properly account for the size of the data input into our applications

Question 2

Race conditions

Answer 2

A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions

Question 3

Input validation attack

Answer 3

A type of attack that can occur when we fail to validate the input to our applications or take steps to filter out unexpected or undesirable content

Question 4

Authentication attack

Answer 4

A type of attack that can occur when we fail to use strong authentication mechanisms for our applications

Question 5

Authorization attack

Answer 5

A type of attack that can occur when we fail to use authorization best practices for our applications

Question 6

Cryptographic attack

Answer 6

A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications

Question 7

Client-side attack

Answer 7

A type of attack that takes advantage of weaknesses in the software loaded on client machines, or one that uses social engineering techniques to trick us into going along with the attack

Question 8

Cross-site scripting (XSS)

Answer 8

An attack carried out by placing code in the form of a scripting language into a web page, or other media, that is interpreted by a client browser

Question 9

Cross-site request forgery (XSRF)

Answer 9

In this type of attack, the attacker places a link on a web page in such a way that it will be automatically executed, in order to initiate a particular activity on another web page or application where the user is currently authenticated

Question 10

Clickjacking

Answer 10

An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise

Question 11

Server-side attack

Answer 11

A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process

Question 12

Name the four main categories of database security issues

Answer 12

Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation

Question 13

Web application analysis tool

Answer 13

A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, and improperly set permissions, extraneous files, outdated software versions, and many more such items

Question 14

A web server analysis tool that performs checks for many common server-side vulnerabilities, and creates an index of all the files and directories it can see on the target web server (a process known as spidering)

Answer 14

Nikto/Wikto

Question 15

Burp Suite

Answer 15

A well-known web analysis tool that offers a free and a professional version; the pro version includes advanced tools for conducting more in-depth attacks

Question 16

Fuzzer

Answer 16

A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways

Question 17

MiniFuzz File Fuzzer

Answer 17

A tool developed by Microsoft to find flaws in file-handling source code

Question 18

BinScope Binary Analyzer

Answer 18

A tool developed by Microsoft to examine source code for general good practices

Question 19

SDL Regex Fuzzer

Answer 19

A tool developed by Microsoft for testing certain pattern-matching expressions for potential vulnerabilities