CH10 Secure Software Development Flashcards
(where email=support@diontraining.com and password=‘ or 7==7’)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?
a. XML injection
b. SQL injection
c. Header manipulation
d. Cross-site scripting
b. SQL Injection
SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7.
<script> alert("This site is vulnerable to an attack!") </script>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?
a. Buffer overflow
b. Cross-site request forgery
c. Distributed denial of service
d. Cross-site scripting
d. Cross-site scripting
This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/><item+id=”5&quantity=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this line, what type of attack do you expect has been attempted?
a. SQL injection
b. Buffer overflow
c. XML injection
d. Session hijacking
c. XML injection
This is an example of a XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The real key to answering this question is identifying the XML structured code being entered as part of the URL, which is shown by the bracketed data.
A security analyst is conducting a log review of the company’s web server and found two suspicious entries:
[12Nov2020 10:07:23] “GET /loon.php?user=test’_oR+7>1%20-HTTP/1.1” 200 5825
[12Nov2020 10:10:03] “GET /loon.php?user=admin’;%20-HTTP/1.1” 200 5845
——————————-
END LOG
The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:
<?php
include(‘../../config/db_connect.php’);
$user = $_GET[ ‘user’ ];
$pass = $_GET[ ‘pass’ ];
$sql = “SELECT * FROM USERS WHERE username = ‘ ‘$user’ AND password = ‘$pass’”;
$result = MqSQL_query($sql) or die (“couldn’t execute query”);
if (MySQL_num_rows($result) !=0 ) scho ‘Authentication granted!’;
else echo ‘Authentication failed!’;
?>
Based on source code analysis, which type of vulnerability is this web server vulnerable to?
a. Command injection
b. SQL injection
c. Directory traversal
d. LDAP injection
b. SQL injection
OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (‘) used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?
a. Directory traversals
b. Faulty input validation
c. Output encoding
d. File inclusions
b. Faulty input validation
OBJ-3.2: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.
Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network?
a. Directory traversal
b. Removal media
c. Session hijacking
d. Cross-site scripting
b. Removal media
OBJ-2.7: Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?
a. XSRF
b. Botnet
c. SQL injection
d. Indicator of compromise
d. Indicator of compromise
OBJ-1.2: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
a. Unknown environment testing
b. Known environment testing
c. Partially known environment testing
d. Semi-trusted environment testing
a. Unknown environment testing
OBJ-1.8: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider’s perspective. A partially known environment tester has the user’s access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A semi-trusted environment test is made up term and is used as a distractor in this question.
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit?
a. Broken authentication
b. Sensitive data exposure
c. Race condition
d. Dereferencing
c. Race condition
OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker’s exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.
Which type of threat will patches NOT effectively combat as a security control?
a. Malware with defined indicators of compromise
b. Discovered software bugs
c. Zero-day attacks
d. Known vulnerabilities
c. Zero-day attacks
OBJ-3.2: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.
What control provides the best protection against both SQL injection and cross-site scripting attacks?
a. Hypervisor
b. Input validation
c. Network layer firewall
d. CSRF
b. Input validation
OBJ-1.3: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.