Chap 9 - Exploiting Application Vulnerabilities Flashcards

1
Q

Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks?

A. Browser‐based input validation
B. Input whitelisting
C. Input blacklisting
D. Signature detection

A

Input whitelisting

Input whitelisting approaches define the specific input type or range that users may provide. When developers can write clear business rules defining allowable user input, whitelisting is definitely the most effective way to prevent injection attacks.

2
Q

Where should WAFs be placed?

A

Web application firewalls must be placed in front of web servers

3
Q

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?

A. Timing‐based SQL injection
B. HTML injection
C. Cross‐site scripting
D. Content‐based SQL injection

A

Timing‐based SQL injection

The use of the SQL WAITFOR command is a signature characteristic of a timing‐based SQL injection attack.

4
Q

Which one of the following function calls is closely associated with Linux command injection attacks?

A. system()
B. sudo()
C. mkdir()
D. root()

A

system()

The system() function executes a command string against the operating system from within an application and may be used in command injection attacks.

5
Q

Tina is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials?

A. Social engineering
B. Default account lists
C. Password dumps from compromised sites
D. All of the above

A

All of the above

Penetration testers may use a wide variety of sources when seeking to gain access to individual user accounts. These may include conducting social engineering attacks against individual users, obtaining password dumps from previously compromised sites, obtaining default account lists, and conducting password cracking attacks.

6
Q

What type of credential used in Kerberos is often referred to as the “golden ticket” because of its potential for widespread reuse?

A. Session ticket
B. Ticket‐granting ticket (TGT)
C. Service ticket
D. User ticket

A

Ticket‐granting ticket (TGT)

TGTs are incredibly valuable and can be created with extended life spans. When attackers succeed in acquiring TGTs, the TGTs are often called “golden tickets” because they allow complete access to the Kerberos‐connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.

7
Q

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain to ensure that her attack will be successful?

A. Session ticket
B. Session cookie
C. Username
D. User password

A

Session cookie

Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user’s session cookie, she can use that cookie to impersonate the user’s browser and hijack the authenticated session.

8
Q

Sherry is concerned that a web application in her organization supports unvalidated redirects. Which one of the following approaches would minimize the risk of this attack?

A. Requiring HTTPS
B. Encrypting session cookies
C. Implementing multifactor authentication
D. Restricting redirects to her domain

A

Restricting redirects to her domain

Unvalidated redirects instruct a web application to direct users to an arbitrary site at the conclusion of their transaction. This approach is quite dangerous because it allows an attacker to send users to a malicious site through a legitimate site that they trust. Sherry should restrict redirects so that they only occur within her trusted domain(s).

9
Q

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:

http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;--

What type of attack was most likely attempted?

A. Cross‐site scripting
B. Session hijacking
C. Parameter pollution
D. Man‐in‐the‐middle

A

Parameter pollution

This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

10
Q

Parameter pollution

A

Parameter pollution is a technique where attackers send a web application multiple values for the same input variable, potentially bypassing input validation and security controls.

For example, by appending additional instances of a parameter in a URL, an attacker may exploit a web platform’s mishandling of multiple parameters, enabling attacks such as SQL injection to evade content filters.

11
Q

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:

http://www.mycompany.com/servicestatus.php?serviceID=1
http://www.mycompany.com/servicestatus.php?serviceID=2
http://www.mycompany.com/servicestatus.php?serviceID=3
http://www.mycompany.com/servicestatus.php?serviceID=4
http://www.mycompany.com/servicestatus.php?serviceID=5
http://www.mycompany.com/servicestatus.php?serviceID=6

What type of vulnerability was the attacker likely trying to exploit?

A. Insecure direct object reference
B. File upload
C. Unvalidated redirect
D. Session hijacking

A

Insecure direct object reference

The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

12
Q

Insecure direct object reference

A

Insecure Direct Object Reference (IDOR) occurs when an application allows direct access to objects based on user-supplied input without proper authorization checks. This vulnerability can let attackers manipulate identifiers (like document IDs) in requests to access unauthorized data.

13
Q

What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?

A. SQL injection
B. Cross‐site scripting
C. Cross‐site request forgery (XSRF)
D. File inclusion

A

Cross‐site request forgery (XSRF)

XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.

14
Q

What type of cross‐site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?

A. Reflected XSS
B. Stored XSS
C. Persistent XSS
D. DOM‐based XSS

A

DOM‐based XSS

DOM‐based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.

15
Q

Persistent (or Stored) XSS

A

A persistent (or stored) XSS attack involves injecting malicious scripts into a website’s stored data, such as a database, which are then served to users who access the compromised content.

These attacks are “persistent” because the injected code remains on the server even when the attacker is not actively exploiting it.

16
Q

Which one of the following attacks is an example of a race condition exploitation?

A. XSRF
B. XSS
C. TOCTTOU
D. SQLi

A

TOCTTOU

The time‐of‐check‐to‐time‐of‐use (TOCTTOU or TOC/TOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.

17
Q

TOCTTOU

A

TOCTTOU, or Time-of-Check to Time-of-Use, is a race condition vulnerability that arises when access permissions are checked far in advance of resource usage.

For example, if a system checks a user’s permissions at login but does not reassess these permissions during the session, a revoked permission may still allow access until the session ends.

18
Q

SQLi

A

Shorthand for SQL injection attack.

19
Q

Which one of the following tools may be used to debug applications written on a Mac platform?

A. IDA
B. OllyDbg
C. GDB
D. Covenant

A

IDA

Interactive Disassembler (IDA) is a commercial debugging tool that works on Windows, Mac, and Linux platforms. OllyDbg and Covenant are Windows‐specific tools, and GNU Debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages.

20
Q

IDA

A

IDA refers to the Interactive Disassembler, a commercial tool used for debugging and reverse engineering. It supports platforms like Windows, macOS, and Linux, making it a valuable asset for analyzing malware or applications.

21
Q

Norm is performing a penetration test of a web application and would like to manipulate the input sent to the application before it leaves his browser. Which one of the following tools would assist him with this task?

A. AFL
B. ZAP
C. GDB
D. DOM

A

ZAP

ZAP is an interception proxy developed by the Open Web Application Security Project (OWASP). Users of ZAP can intercept requests sent from any web browser and alter them before passing them to the web server.

22
Q

ZAP

A

ZAP (Zed Attack Proxy) is an interception proxy developed by the OWASP project. It allows testers to intercept and manipulate web traffic sent from browsers to servers, making it useful for testing vulnerabilities such as injection attacks or bypassing browser-based input validation.

23
Q

AFL

A

AFL refers to American Fuzzy Lop, a popular fuzz testing toolkit for Linux systems. It is widely used for identifying software bugs by generating numerous test cases to find vulnerabilities in applications.

24
Q

Which one of the following is a debugging tool compatible with Linux systems?

A. WinDbg
B. GDB
C. OllyDbg
D. SonarQube

A

GDB

GDB is a widely used open source debugger for the Linux platform. WinDbg and OllyDbg are also debuggers, but they are only available for Windows systems. SonarQube is a continuous security assessment tool and is not a debugger.

25
Q

SonarQube

A

SonarQube is an open-source tool used for continuous inspection of code quality and security. It is primarily employed for static application security testing (SAST), helping to detect bugs, vulnerabilities, and code smells in supported programming languages.

26
Q

During a penetration test, Bonnie discovers in a web server log that the testers attempted to access the following URL:

http://www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe

What type of attack did they most likely attempt?

A. Reflected XSS
B. Persistent XSS
C. Local file inclusion
D. Remote file inclusion

A

Local file inclusion

This URL contains the address of a local file passed to a web application as an argument. It is most likely a local file inclusion exploit, attempting to execute a malicious file that the testers previously uploaded to the server.