Common Software Vulnerabilities and Controls Flashcards

1
Q

What are the vulnerability databases and tracking systems?

A

National Vulnerability Database (NVD); CERT Coordination Center (CERT/CC) Vulnerability Notes Database; Open Source Vulnerability Database (OSVDB, now defunct); Common Vulnerabilities and Exposures (CVE); OWASP Top 10; Common Weakness Enumeration (CWE)

2
Q

NVD

A

The National Vulnerability Database includes security checklists, security-related software flaws, product misconfigurations, the products affected, and impact metrics (CVSS scores).

3
Q

CERT

A

The CERT Coordination Center (CERT/CC, at Carnegie Mellon's Software Engineering Institute) Vulnerability Notes Database. For software that is still being developed, CERT focuses on vulnerability discovery; for software that is already deployed, on vulnerability remediation.

4
Q

The Open Source Vulnerability Database (OSVDB) was an independent and open source database created by and for …

A

the security community, with the goal of providing accurate, detailed, current, and unbiased technical information on security vulnerabilities. (OSVDB was shut down in 2016.)

5
Q

CVE

A

The Common Vulnerabilities and Exposures list is a dictionary of publicly known information security vulnerabilities and exposures; each entry carries a unique CVE identifier. It is free to use and international in scope.

6
Q

CWE

A

The Common Weakness Enumeration provides a common language for describing architectural, design, or coding software security weaknesses.

7
Q

The CWE/SANS Top 25 Most Dangerous Programming Errors fall into the following three categories:

A

Insecure interaction between components; Risky resource management; Porous defenses.

8
Q

Injection flaws, such as SQL, OS, and LDAP injection, occur when …

A

untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

9
Q

Broken Authentication and Session Management: application functions related to authentication and session management are often not implemented correctly, allowing attackers to …

A

compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users’ identities.

10
Q

Cross-Site Scripting (XSS) flaws occur whenever an application takes …

A

untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

11
Q

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
Insecure Direct Object References occur because …

A

without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

12
Q

Security Misconfiguration can be avoided by …

A

having a secure configuration defined for the application, framework, web server, application server, and platform; all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults.

13
Q

Many web applications do not properly protect sensitive data at rest or in motion. To avoid Sensitive Data Exposure, appropriate protection mechanisms must be implemented, such as … In addition, when transport layer protection is limited to certain operations such as authentication and end-to-end transport layer protection is absent, …

A

encryption/hashing or secure transport; sensitive information can be intercepted and disclosed.

14
Q

Missing Function Level Access Control

A

Most web applications check function-level access rights before rendering protected links and buttons in the user interface (UI); the Uniform Resource Locator (URL) access check performed before a link is shown is one well-known example. That UI check is not enough: the application must perform the same access control check on the server each time the function is actually requested. When it fails to do so, attackers can simply forge requests and URLs to reach the unauthorized functionality and pages.

15
Q

Cross-Site Request Forgery (CSRF) attack forces a logged-on victim’s browser to send …

A

a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

16
Q

Components (libraries, frameworks, and other software modules) almost always run with the full privileges of the application that uses them. So, if a component with known vulnerabilities is exploited, it can cause …

A

serious data loss or server takeover; applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts.

17
Q

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
Unvalidated Redirects and Forwards occur when web applications do not perform …

A

proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

18
Q

A buffer overflow is a condition that occurs when …

A

the data being copied into a buffer (a contiguous block of allocated memory) is larger than the buffer can hold, so the excess overwrites adjacent memory.

19
Q

EIP

A

The Extended Instruction Pointer (EIP) is the 32-bit x86 register that holds the address of the next instruction to be executed (RIP on x86-64); it is what lets the CPU resume at the right place when a function returns.

20
Q

Stack overflow

A

If a malicious user manages to overwrite the saved return address (RET) on the stack so that it points to a memory address where exploit code (the payload) has been placed, then when the function completes the overwritten return address is loaded into the EIP register and execution is diverted to the malicious payload. Stack canaries, non-executable stacks (NX/DEP) and ASLR make this harder to exploit but do not remove the underlying bug.

21
Q

Which unsafe C functions may lead to memory overflow?

A

strcpy() and strcat() (and likewise gets() and sprintf()), since they do not perform any length check before copying data into the destination buffer.

22
Q

Heap overflow

A

A heap overflow does not necessarily crash the program outright; it corrupts the heap memory space, overwriting adjacent variables, allocator metadata and function pointers stored on the heap.

23
Q

Heap corruption can cause …

A

serious side effects, including denial of service and execution of exploit code; heap protection mechanisms must not be ignored.

24
Q

What are the reasons that can be attributed to causing buffer overflows?

A

Copying of data into the buffer without checking the size of input; Accessing the buffer with incorrect length values; Improper validation of array index; Integer overflows or wraparound; Incorrect calculation of buffer size before its allocation.

25
Q

What are the defensive implementations of controls in code to avoid memory overflow?

A

Input size validation; double-checking buffer size to ensure that the buffer is sufficiently large to handle the input data copied into it; checking buffer boundaries to make sure that the functions in a loop don’t attempt to write past the allocated space; and performing integer type (size, precision, signed/unsigned) checks to make sure that they are within the expected range and values.

26
Q

What are the other controls to avoid memory overflow in requirements, architectural, build/compile, and operations controls?

A

Choose a programming language that performs its own memory management and is type-safe; Use a proven and tested library or framework that includes safer string manipulation functions (e.g. Safe C); Replace deprecated, insecure, and banned API functions that are susceptible to overflow issues with safer alternatives that perform size checks before performing their operations; …

27
Q

Injection flaws occur when an attacker …

A

supplies data that is accepted as is and interpreted as a command or part of a command, thus allowing the attacker to execute commands using an injection vector.

28
Q

How can injection flaws be discovered?

A

Code review and scanners, including fuzzing, can be used to detect them.

29
Q

SQL Injection is when an attacker exploits …

A

the way in which database queries are constructed: the supplied input becomes part of the Structured Query Language (SQL) query text, so the database parses and executes it as part of the command.

30
Q

The attack flow in SQL Injection is comprised of the following steps:

A

1) Exploration by hypothesizing SQL queries to determine if the software is susceptible to SQL injection; 2) Experimenting to enumerate internal database schema by forcing database errors; 3) Exploiting the SQL injection vulnerability to bypass checks or modify, add, retrieve or delete data from the database.

31
Q

Blind SQL injection is when …

A

instead of using information from error messages to drive the injection, the attacker constructs simple Boolean SQL expressions (true/false questions) and probes the target database iteratively; from whether the application's response differs for a true and a false condition (different content, an error, or a delay), the attacker infers the structure of the database and extracts its contents one bit at a time, even though no data is ever displayed directly.

32
Q

OS Command Injection is when the software …

A

allows the execution of Operating System (OS) level commands using supplied user input without sanitization or validation.

33
Q

LDAP (Lightweight Directory Access Protocol) Injection is when …

A

unsanitized and unvalidated input is used to construct or modify syntax, contents, and commands that are executed as an LDAP query.

34
Q

XML Injection occurs when the software …

A

does not properly filter or quote special characters or reserved words used in XML, allowing an attacker to modify the syntax, contents, or commands before execution. Two main types are XPath injection and XQuery injection.

35
Q

In XPath injection, the XPath expression used to retrieve data from the XML data store is …

A

built dynamically from user-supplied input without validation or sanitization prior to processing; an attacker takes advantage of this weakness by injecting crafted XPath expressions, allowing the attacker to perform malicious operations such as modifying and controlling logic flow, retrieving unauthorized data and/or circumventing authentication checks.

36
Q

The consequences of injection flaws are varied and serious such as:

A

disclosure, alteration, or destruction of data; compromise of the Operating System; discovery of the internal structure (or schema) of the database or data store; enumeration of user accounts from a directory store; circumventing nested firewalls; bypassing authentication; execution of extended procedures and privileged commands.

37
Q

Mitigation and prevention strategies and controls for injection flaws that are commonly employed are …

A

Consider all input untrusted and validate all user input; Encode output using the appropriate character set, escape special characters and quote input, besides disallowing meta-characters; Use structured mechanisms that separate data from code: avoid dynamic query construction and use parameterized queries (prepared statements); Display generic error messages that yield minimal to no additional information; Implement least privilege by using views, and restricting tables, queries and procedures to only the authorized set of users and/or accounts.
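A worked example of the SQL injection cards above (attack flow, blind injection and the parameterized-query control). This is an added example, not part of the original flashcards: the user table, passwords and roles are constructed sample data, and the login functions are hypothetical.

```python
"""SQL injection worked example: a string-built login query versus a
parameterized one, plus a boolean-based blind probe, all run against an
in-memory SQLite database. Sample users are constructed for this example."""
import sqlite3
import string

# Constructed sample data (not from the original page); plaintext passwords
# are used only to keep the injection visible, never do this in real code.
USERS = [("alice", "s3cret-alice", "user"), ("admin", "hunter2", "admin")]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting: the supplied input becomes part
    of the SQL the database parses, so a quote and a comment marker in the
    name change the query's meaning. Returns the role, or None."""
    sql = (f"SELECT role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """The SQL text is fixed; values travel separately as bind parameters and
    are never parsed as SQL, so the same payload is just a literal string."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def blind_probe(conn, user, condition):
    """Boolean-based blind probe against the vulnerable login: the attacker
    appends AND <condition>-- to the user name and learns whether the
    condition held from whether the login succeeded (no error text needed)."""
    return login_vulnerable(conn, f"{user}' AND {condition}--", "x") is not None


def extract_password_blind(conn, user, length):
    """Recover a stored value one character at a time with true/false
    questions only. The alphabet is limited to characters that are safe
    inside the probe's SQL string literal."""
    alphabet = string.ascii_letters + string.digits + "-_"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if blind_probe(conn, user, f"substr(password,{pos},1)='{ch}'"):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, "admin'--", "wrong"))
    print("parameterized, same payload:", login_parameterized(db, "admin'--", "wrong"))
    print("blind extraction:", extract_password_blind(db, "admin", 7))
```

The payload `admin'--` closes the string literal and comments out the password check, so the vulnerable login returns the admin role without a password; the parameterized version treats the whole payload as a user name that does not exist. The blind probe shows why "generic error messages" alone are not a fix: the attacker needs only the success/failure bit.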

38
Q

Mitigation strategies to avoid OS command injection are …

A

run the code in a sandbox environment that enforces strict boundaries between the processes being executed and the Operating System. In practice the first control is to avoid passing user input through a shell at all: invoke the program directly with an argument list rather than a command string, and validate every argument against a whitelist.

39
Q

Defenses against LDAP injection attacks are …

A

filter or quote LDAP syntax from user-controlled input.
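The escaping the card above calls for, as an added example that is not part of the original flashcards. The escape rules follow RFC 4515 (search filter values) and RFC 4514 (distinguished names); the login filter shape, the attribute names and the base DN are constructed for the example.

```python
"""LDAP injection: user input is escaped before it is placed in a search
filter (RFC 4515) or in a distinguished name (RFC 4514); the vulnerable
string-built filter is shown beside the escaped one."""


def escape_filter_value(value):
    """RFC 4515 section 3: characters that carry meaning inside a filter
    assertion value are replaced by a backslash and two hex digits."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 section 2.4: characters special in a DN attribute value are
    prefixed with a backslash; a leading space or '#' and a trailing space
    are escaped too, so the value cannot merge with neighbouring RDNs."""
    escaped = []
    for ch in value:
        if ch in '"+,;<>\\':
            escaped.append("\\" + ch)
        elif ch == "\0":
            escaped.append(r"\00")
        else:
            escaped.append(ch)
    result = "".join(escaped)
    if value[:1] in (" ", "#"):
        result = "\\" + result
    if value.endswith(" "):
        result = result[:-1] + "\\ "
    return result


def login_filter_vulnerable(username, password):
    """Input dropped straight into the filter: a user name such as
    *)(uid=*))(|(uid=* turns the AND into an always-true OR."""
    return f"(&(uid={username})(userPassword={password}))"


def login_filter(username, password):
    """Same filter with both values escaped: the attacker's parentheses and
    wildcards are now literal characters inside a single assertion value."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def user_dn(username, base_dn="ou=people,dc=example,dc=com"):
    """Build the DN used for a bind; the base DN is a constructed example."""
    return f"uid={escape_dn_value(username)},{base_dn}"
```

Escaping is applied per value, immediately before the value is placed in the filter or DN; validating the user name against a whitelist (letters, digits, a few separators) first reduces the reliance on the escaper alone.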

40
Q

Some of the common software programming failures that end up resulting in broken authentication and broken session management include …

A

Allowing more than one set of authentication or session management controls, so that critical resources are reachable via multiple communication channels or paths; Transmitting authentication credentials and session IDs over the network in cleartext; Storing authentication credentials without hashing or encrypting them; Not using a random or pseudo-random mechanism to generate system-generated passwords or session IDs; Not implementing transport protection or data encryption; Improper or insufficient timeouts.

41
Q

Mitigation and prevention of authentication and session management flaws: implement …

A

built-in and proven authentication and session management mechanisms; Use a single and centralized authentication mechanism that supports multi-factor authentication and role-based access control; Using a unique, non-guessable, and random session identifier; encrypt or hash the credentials before storing them in a configuration file or data store; Do not hard code database connection strings, passwords or cryptographic keys in cleartext in the code; …

42
Q

How to detect XSS vulnerabilities in software?

A

Code review and testing.

43
Q

Non-persistent or Reflected XSS

A

Attacks in which the injected user-supplied script is not stored but merely reflected back in the response from the web server, for example in search results or an error message.

44
Q

Non-persistent or Reflected XSS payloads can be delivered in two ways:

A

(i) the attacker supplies the script directly as input to the web application; (ii) the attacker sends the victim a link with the script embedded and hidden in it.

45
Q

Persistent or Stored XSS

A

The injected script is permanently stored on the target server, for example in a database, a message forum, a visitor log or a comment field, and is served to every user who views the affected page (e.g. the Samy worm and the Flash worm).

46
Q

DOM based XSS

A

The payload executes in the victim's browser as a result of modifications to the DOM environment on the client side. The HTTP response from the server is not modified; instead, client-side code reads attacker-controlled data (for example from the URL fragment) and writes it into the page in a way that causes it to run.

47
Q

The consequences of a successful Cross-site scripting (XSS) attack are …

A

steal authentication information using the web application; hijack and compromise users sessions and accounts; tamper or poison state management and authentication cookies; cause Denial of Service (DoS); insert hostile content; ….

48
Q

Security controls against XSS attacks include …

A

Sanitize and encode output before sending it to the client; Validate user-supplied input against a whitelist for additional protection; Disallow the upload of files with .htm or .html extensions; Use the innerText property of HTML controls instead of innerHTML when writing user-supplied input into the page; Use secure libraries and encoding frameworks that provide protection against XSS; The client can be hardened by disabling active scripting in the browser; Set the HttpOnly flag on the session cookie and any custom cookie so that it cannot be read by client-side script (where the browser supports it), which limits session theft via XSS.
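Output encoding, the first control in the card above, depends on where in the page the untrusted value lands. The example below is added here and is not part of the original flashcards; the profile template, its field names and the sample payloads are constructed.

```python
"""Output encoding for XSS: the same untrusted value needs a different
encoding depending on its context (HTML text, a quoted attribute, a
JavaScript string literal, a link target). The profile page is a constructed example."""
import html
from urllib.parse import urlsplit


def encode_html_text(value):
    """For element content: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """For a value inside a double-quoted attribute. The template must always
    quote the attribute; an unquoted one can be broken out of with a space."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """For a value inside a JavaScript string literal in a <script> block:
    every non-alphanumeric character becomes \\xHH or \\uHHHH, so neither a
    quote nor a literal </script> can terminate the string or the block."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:  # astral code point: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
    return "".join(out)


def safe_href(url):
    """A link is only safe if its scheme is known: javascript: (and data:)
    URLs run script when clicked no matter how they are encoded."""
    cleaned = url.strip()
    if urlsplit(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_profile(name, bio, homepage):
    """A template that applies the right encoder for each context."""
    return (
        f"<h1>{encode_html_text(name)}</h1>\n"
        f'<input name="bio" value="{encode_html_attr(bio)}">\n'
        f'<a href="{safe_href(homepage)}">homepage</a>\n'
        f'<script>var displayName = "{encode_js_string(name)}";</script>'
    )
```

Templating engines with auto-escaping do the text and attribute cases for you, but they usually do not know when a value is being placed inside a script block or a URL, which is where the two extra encoders matter.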

49
Q

Secure libraries and encoding frameworks that provide protection against XSS issues are …

A

Microsoft Anti-Cross Site Scripting, OWASP ESAPI Encoding module, Apache Wicket and the SAP Output Encoding framework.

50
Q

Insecure Direct Object References

A

An unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.

51
Q

Most common impacts of Insecure Direct Object References

A

Data disclosure, privilege escalation, authentication and authorization checks bypass, and restricted resource access.

52
Q

The most effective control against insecure direct object reference attacks

A

To avoid exposing internal functionality of the software using a direct object reference that can be easily manipulated.

53
Q

Some defensive strategies to avoid Insecure Direct Object References attack

A

Use indirect object references, via an index value or a reference map; Do not expose internal objects directly via URLs or form parameters to the end user; Either mask or cryptographically protect (encrypt/hash) exposed parameters, especially query string key-value pairs; Validate the input to ensure that the change is allowed per the whitelist; Perform access control and authorization checks each and every time a parameter is changed, according to the principle of complete mediation; Use RBAC to enforce roles at appropriate boundaries and reduce the attack surface by mapping roles to data and functionality.
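The reference-map control from the cards above, shown beside the vulnerable direct lookup. This is an added example, not code from the original flashcards; the document store, its owners and the session object are constructed.

```python
"""Insecure direct object reference versus an indirect reference map plus an
explicit ownership check on every access. Users and documents are sample data."""
import secrets

# Constructed sample data (not from the original page): internal document
# ids are small sequential integers, exactly the kind of value an attacker
# enumerates when it is exposed in a URL such as /download?id=102.
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-tax-return.pdf"},
    102: {"owner": "bob", "title": "bob-medical-record.pdf"},
}


def get_document_vulnerable(doc_id):
    """The URL parameter is used directly as the database key and no
    ownership check is made: any logged-in user can read any document."""
    return DOCUMENTS[doc_id]


class ReferenceMap:
    """Per-session map between random, unguessable handles and internal ids.
    The client only ever sees handles, and a handle exists only for objects
    this session was explicitly shown."""

    def __init__(self):
        self._id_by_handle = {}
        self._handle_by_id = {}

    def handle_for(self, internal_id):
        if internal_id not in self._handle_by_id:
            handle = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._handle_by_id[internal_id] = handle
            self._id_by_handle[handle] = internal_id
        return self._handle_by_id[internal_id]

    def resolve(self, handle):
        if handle not in self._id_by_handle:
            raise PermissionError("unknown object reference")
        return self._id_by_handle[handle]


class Session:
    """Minimal stand-in for a server-side session (constructed)."""

    def __init__(self, user):
        self.user = user
        self.refs = ReferenceMap()


def list_documents(session):
    """Return handles for the caller's own documents only, keyed by handle."""
    return {session.refs.handle_for(doc_id): doc["title"]
            for doc_id, doc in DOCUMENTS.items() if doc["owner"] == session.user}


def get_document(session, handle):
    """Complete mediation: resolve the indirect reference, then re-check
    authorization on this access rather than trusting the handle alone."""
    doc_id = session.refs.resolve(handle)
    doc = DOCUMENTS[doc_id]
    if doc["owner"] != session.user:
        raise PermissionError("not the owner")
    return doc
```

The map stops enumeration (handles cannot be guessed), and the ownership check in get_document covers the case where a handle leaks or the map is populated too generously; neither control is sufficient on its own.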

54
Q

Hardening software applications

A

Hardening software applications involves determining the necessary and correct configuration settings and architecting the software to be secure by default.

55
Q

Some of the common examples of security misconfiguration include

A

Missing software and operating system patches; Lack of perimeter and host defensive controls such as firewalls, filters, etc.; Installation of software with default accounts and settings; Installation of the administrative console with default configuration settings; Installation or configuration of unneeded services, ports and protocols, unused pages, and unprotected files and directories; Not disabling directory listing on the server; Not explicitly setting up error and exception handling; Leaving behind any sample applications; Deploying tightly coupled applications and systems-of-systems.

56
Q

Effective controls (primary recommendation) against security misconfiguration issues include

A

Changing any default configuration settings; Removing any unneeded or unnecessary services and processes; Establishing and maintaining a configuration of the minimum level of security that is acceptable (a minimum security baseline, MSB); Establishing a process that hardens (locks down) the OS and the applications that run on top of it; Establishing a controlled patching process; Establishing a scanning process to automatically detect and report on software and systems that are not compliant with the established MSB; Handling errors explicitly using redirects and generic error messages; Removing any sample applications from production systems after installation; Deploying applications and systems that have a loosely coupled and highly cohesive architecture.

57
Q

Some of the primary reasons for sensitive data exposure include

A

Insufficient data-in-motion protection; Insufficient data-at-rest protection and Electronic social engineering.

58
Q

Common attack for Insufficient Data-in-Motion Protection

A

Monitoring network traffic using a passive sniffer is a common means by which attackers steal information when the data is in motion (in transit).

59
Q

Transport layer (SSL/TLS) and/or network layer (IPsec) security technologies can be used to mitigate insufficient data-in-motion protection attacks (e.g. MITM); however …

A

it is insufficient to merely use SSL/TLS during the authentication process; in a 3-tier web architecture, transport layer protection is needed from the client to the web server and from the web server to the database server.

60
Q

The primary sources of insufficient data-at-rest protection include

A

Local storage; Browser settings; Cache; Backups, logs and configuration files; Comments in code; Hardcoded secrets in code; Unhandled exceptions and error messages; Backend data stores.

61
Q

Human trust can be exploited to reveal sensitive information through electronic social engineering techniques such as:

A

Phishing; Pharming; Vishing; SMSishing

62
Q

Phishing

A

A method of tricking users into submitting their personal information using electronic means such as deceptive emails and websites.

63
Q

Pharming

A

A scamming practice in which malicious code is installed on a system or server which misdirects users to fraudulent web sites without the user’s knowledge or consent.

64
Q

Domain Name System (DNS) poisoning

A

The DNS table in the server is altered to point to fraudulent web sites even when the request to the legitimate ones is made.

65
Q

Vishing

A

An attacker steals sensitive information using deceptive social engineering techniques on VoIP networks.

66
Q

SMSishing

A

The attacker sends the victim an SMS message that appears to originate from a reputable source (such as the victim's bank), typically telling the victim, with a sense of urgency, to call back to verify some information.

67
Q

The primary vulnerability in electronic social engineering attacks

A

Human trust

68
Q

The second vulnerability in electronic social engineering attacks exploited by Phishers and Pharmers attacks

A

Exploitable weaknesses such as no proper ACLs to host systems and servers; lack of spyware protection that can modify settings and weaknesses in software code.

69
Q

To prevent the accessibility of data stored in cookies from scripts

A

Set the HttpOnly flag, which instructs browsers not to allow JavaScript access to the cookie.

70
Q

To mitigate and prevent sensitive data exposure issues

A

Use "Private Browsing" mode in browsers and other plugins or extensions that don't cache visited pages; Disable autocomplete on browser forms; Disable caching of sensitive data, or encrypt the cache and/or explicitly set cache timeouts;

71
Q

Examples of password protection algorithms

A

bcrypt, PBKDF2 or scrypt (and, more recently, Argon2); all are deliberately slow, salted constructions rather than plain hashes.
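One of the algorithms from the card above, PBKDF2, worked through with only the standard library. This is an added example, not from the original flashcards; the storage string format and the iteration count are the example's own choices.

```python
"""Password storage with PBKDF2-HMAC-SHA256: random per-user salt, tunable
work factor, constant-time verification, and an upgrade check so stored
hashes can be migrated to a higher cost over time."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Work factor. OWASP's password storage guidance at the time of writing
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256; tune it so one hash
# takes tens to hundreds of milliseconds on your own hardware.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest
    (base64 for the binary parts), so parameters can change later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored):
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(stored, password):
    """Recompute with the stored salt and cost; compare in constant time so
    the comparison itself does not leak how many bytes matched."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:  # malformed record, including bad base64
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the record was made with a lower cost than current policy;
    call after a successful login, while the plaintext is available."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return stored_iterations < iterations
```

The per-user salt is what makes two users with the same password produce different records and defeats precomputed tables; the iteration count is what makes an offline guess expensive.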

72
Q

Mitigating Surf Jacking attack

A

Ensure that the session cookie’s secure flag is set. This causes the browser cookie to be sent only over encrypted channels (HTTPS and not HTTP).

73
Q

Dilution, also known as “spoofback”

A

Sending bogus and faulty information to the phisher with the intent to dilute the real information that the attacker is soliciting.

74
Q

Missing Function Level Checks

A

One of the most easily exploitable weaknesses in many applications is the failure to restrict access to privileged functionalities or URLs.

75
Q

Mitigation against missing function level checks and failure to restrict URL access attacks

A

Role-Based Access Control (RBAC) of functions and URLs that denies access by default, along with requiring explicit grants to users and roles; Obfuscation of URLs provides some defense against attackers who attempt forced browsing by guessing the URL, but it is security through obscurity and never a substitute for the server-side check; Whitelisting valid functions and URLs and validating library files that are referenced.

76
Q

Authorization frameworks

A

JAAS authorization and the OWASP ESAPI.

77
Q

CSRF

A

Cross-Site Request Forgery - an attacker masquerades (forges) a malicious HTTP request as a legitimate one and tricks the victim into submitting that request. CSRF is also known by a number of other names, including XSRF, Session riding attack, sea surf attack, hostile linking, automation attack and Cross Site Reference Forgery.

78
Q

The attack flow in a CSRF attack is as follows

A

(1) The user authenticates to a legitimate web site and receives the authentication token (typically a session cookie) associated with that site; (2) The user is tricked into clicking a link, or visiting a page, that issues a forged malicious HTTP request against the site the user is already authenticated to; (3) Since the browser automatically attaches the authentication credentials to that request, the forged request rides on top of the authenticated session and performs the action as if it had been legitimately requested by the user.

79
Q

Impact from successful CSRF attacks

A

Authentication bypass, identity compromise and phishing are some examples.

80
Q

The best defense against CSRF

A

To implement the software so that it is not dependent on the authenticated credentials that are automatically submitted by the browser.

81
Q

Some defensive strategies that can be employed by

developers to prevent and mitigate CSRF attacks

A

Use a unique, session-specific token that is generated in a random, non-predictable, non-guessable and non-sequential manner; CAPTCHAs; Validate the uniqueness of session tokens on the server side; Use POST methods instead of GET requests for state-changing actions; Use a double-submitted cookie; Check the Referer (or Origin) header for the origin of the request before processing it; Re-authenticate for sensitive operations; Use transaction signing to assure that the request is genuine; Build in automated log-out functionality; Leverage industry tools that aid with CSRF defense; Mitigate XSS vulnerabilities (a script running in the site's origin can read the token and defeat all of the above). Modern browsers also honour the SameSite cookie attribute, which stops the session cookie from being attached to cross-site requests.
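The session-specific token and the Origin/Referer check from the card above, combined on one state-changing endpoint. This is an added example and not part of the original flashcards: the key, the site origin, the token format and the request dictionaries are all constructed for it.

```python
"""CSRF defence: a per-session synchronizer token (random nonce, issue time,
HMAC bound to the session id) plus an Origin/Referer check, applied to a
state-changing request. Requests are plain dicts constructed for the example."""
import hashlib
import hmac
import secrets
import time

# Assumptions for the example: the key would come from a secret store in a
# real deployment, and the site's origin is made up.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"
TOKEN_TTL_SECONDS = 3600


def _mac(session_id, nonce, issued):
    message = f"{session_id}|{nonce}|{issued}".encode("utf-8")
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Token the server embeds in its own forms. Another origin cannot read it
    (same-origin policy), so a forged cross-site request cannot include it."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{nonce}.{issued}.{_mac(session_id, nonce, issued)}"


def verify_csrf_token(session_id, token, now=None):
    """Constant-time MAC check bound to the session, plus an expiry window."""
    now = time.time() if now is None else now
    try:
        nonce, issued_text, mac = token.split(".")
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False
    if issued > now + 60 or now - issued > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce, issued))


def origin_is_trusted(headers):
    """Prefer Origin; fall back to Referer; reject when neither is present
    rather than guess."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(SITE_ORIGIN + "/")


def accept_state_change(request, session_id):
    """Checks stacked on a money-moving endpoint: the request must be a POST,
    come from the site's own origin, and carry a token valid for this session."""
    if request.get("method") != "POST":
        return False
    if not origin_is_trusted(request.get("headers", {})):
        return False
    token = request.get("form", {}).get("csrf_token", "")
    return verify_csrf_token(session_id, token)
```

Binding the token to the session id with an HMAC means nothing has to be stored server-side per token, and a token stolen from one session is useless in another; the expiry bounds the damage if one is captured.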

82
Q

Unvalidated Redirects and Forwards

A

In situations where the target URL is supplied as an unvalidated parameter, an attacker can specify a malicious URL hosted in an external site and redirect users to that site. Once the victim lands on the malicious page the attacker can phish for sensitive and personal information.

83
Q

Detecting whether the application is susceptible to unvalidated redirects or forwards

A

A code review, checking that every target URL is validated against a list of legitimate destinations before the redirect or forward is performed.

84
Q

3XX series HTTP

A

The 3XX series HTTP response codes (300-308) are the ones that deal with redirection.

85
Q

Some of the common controls against unvalidated redirects and forwards include

A

Avoiding redirects and forwards (transfers) if possible; Use a whitelist of target URLs that a user can be redirected to; Don't allow the user to specify the target (destination) URL as a parameter; Use an index value that maps to the target URL and pass that mapped value as the parameter; Architect the software to inform the user via an intermediate page; Mitigate script injection vulnerabilities that can be used to change the document location.

86
Q

The most common attacks that involve files

A

Malicious file execution; Path traversals; Improper file includes; Download of code without integrity check.

87
Q

Malicious file execution attacks can occur in any of the following ways.

A

Accepting user-supplied file names and files without validating them; Not restricting files to non-executable types; Uploading hostile data to the file system via image uploads; Using compression or audio streams that allow access to remote resources without inspection of internal flags and settings; Using hostile Document Type Definitions (DTDs) that force the XML parser to load a remote DTD and parse and process the results.

88
Q

Recommended controls against malicious file execution attacks:

A

Use a whitelist of allowable file extensions; Allow only one extension per file name; Use an indirect object reference map and/or an index for file names; Explicitly taint check; Automatically generate a filename instead of using the user-supplied one; Avoid using file functions and stream-based APIs to construct filenames; Configure the application to demand appropriate file permissions;

89
Q

The following are recommended controls against path traversal attacks:

A

Use a whitelist to validate acceptable file paths and locations; Limit character sets before accepting files for processing; Harden the servers by configuring them not to allow directory browsing or listing of contents; Decode once and canonicalize file paths to the internal representation before checking them, so that dangerous inputs are not introduced after the checks are performed; Use a mapping of generic values to represent known internal file names and reject any value not configured explicitly.
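The decode-once, canonicalize, then check sequence from the card above, as an added example that is not part of the original flashcards. The base directory is created as a throwaway temporary directory with constructed contents, and the extension whitelist is the example's own.

```python
"""Path traversal controls: decode once, canonicalize, then confine the
result to a base directory; plus an extension whitelist."""
import os
import tempfile
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".pdf", ".png", ".txt"}  # constructed whitelist


def resolve_user_path(user_path, base_dir):
    """Return an absolute, canonical path inside base_dir, or raise.

    Order matters: reject NUL; percent-decode exactly once (decoding again
    later would let %252e%252e become .. after this check); treat backslashes
    as separators; resolve symlinks and dot segments with realpath; then
    require the result to stay under the canonical base directory."""
    if not isinstance(user_path, str) or "\0" in user_path:
        raise ValueError("invalid path")
    decoded = unquote(user_path)
    if "\0" in decoded:
        raise ValueError("invalid path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.replace("\\", "/")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(user_path, base_dir):
    """Boolean form of the check, for callers that only need accept/reject."""
    try:
        resolve_user_path(user_path, base_dir)
    except (ValueError, PermissionError):
        return False
    return True


def resolve_download(user_path, base_dir):
    """Confinement plus the extension whitelist from the previous card."""
    path = resolve_user_path(user_path, base_dir)
    if os.path.splitext(path)[1].lower() not in ALLOWED_EXTENSIONS:
        raise PermissionError("file type not allowed")
    return path


def make_sample_base():
    """Create a throwaway base directory holding one legitimate file and a
    symlink that points outside it (skipped where symlinks are unsupported)."""
    base = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.pdf"), "w") as fh:
        fh.write("constructed sample content")
    try:
        os.symlink(os.path.abspath(os.sep), os.path.join(base, "escape"))
    except OSError:
        pass
    return base
```

Note that an absolute input such as /etc/passwd is not an error for os.path.join, which simply discards the base; it is the commonpath check after realpath that catches it, and the same check is what catches the symlink case that string-only filters miss.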

90
Q

The following are recommended controls against improper file includes attacks

A

Store library, include and utility files outside of the root or system directories; Restrict access to files within a specified directory; Limit the ability to include files from remote locations.

91
Q

The following are recommended controls against download of code without integrity check attacks

A

Use integrity checking on code downloaded from remote locations (e.g. hashing, code signing and Authenticode); To detect DNS spoofing attacks, perform both forward and reverse DNS lookups; When the source code was not developed by you or is not available, monitoring tools that examine the software's interaction with the OS and the network can be used to detect code integrity issues.

92
Q

Concurrency property

A

There must be at least two threads or control flows executing concurrently.

93
Q

Shared object property

A

The threads executing concurrently are both accessing the same object.

94
Q

Change state property

A

At least one of the control flows must alter the state of the shared object.

95
Q

Design and implementation controls against race conditions includes

A

Identifying and eliminating race windows; performing atomic operations on shared resources; using mutex operations; using multi-threading and thread-safe capabilities and functions and abstractions on shared variables; minimizing the usage of shared resources and critical sections that can be repeatedly triggered; …

96
Q

Side Channel Attacks

A

Attackers can use non-conventional means to discover sensitive and secret information about software, and even a full implementation of the controls determined from the threat model can fall short of providing total software assurance.

97
Q

The most common classes of side channel attacks are the following

A

Timing attacks; Power Analysis attacks; TEMPEST attacks (or radiation monitoring attack); Acoustic Cryptanalysis attacks; Differential Fault Analysis attacks; Distant Observation attacks; Cold Boot attacks.

98
Q

The following are recommended defensive strategies against side channel attacks

A

Use a system where the time to compute an operation is independent of the input data or key; Leverage standardized cryptographic algorithms and implementations that are known to be less prone to side channel leakage; Avoid branching and conditional logic on secret data in critical code sections; The most effective protection against timing attacks is to make every computation take the same time regardless of input; Balance power consumption so it is independent of the type of operation; Adding noise is a known and proven control against acoustic analysis; …
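A worked example of the timing attack and the "time independent of input" control from the two cards above. It is an added example, not part of the original flashcards. Rather than measure wall-clock time, which is noisy in a test, each comparison reports how many bytes it examined, which is the quantity an attacker infers from timing; the secret token is constructed.

```python
"""Timing side channel: a comparison that returns at the first mismatching
byte leaks how many leading bytes of a guess were right; a constant-time
comparison does the same work whatever the input. The secret is constructed."""

SECRET = b"TOKEN-4f3a"  # constructed secret, e.g. an API token or MAC


def naive_compare(expected, guess):
    """Early-exit comparison. Returns (equal, bytes_examined); the second
    value stands in for the elapsed time an attacker would measure."""
    if len(expected) != len(guess):
        return False, 0  # the length leaks too
    for i, (a, b) in enumerate(zip(expected, guess)):
        if a != b:
            return False, i + 1
    return True, len(expected)


def constant_time_compare(expected, guess):
    """Examines every byte and accumulates differences with XOR/OR, so the
    work done does not depend on where the first mismatch is. In production
    use hmac.compare_digest, which does this in C; a public length (a MAC
    or token length) may still be compared early."""
    if len(expected) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(expected, guess):
        diff |= a ^ b
    return diff == 0, len(expected)


def make_oracle(compare, secret):
    """What a remote attacker sees: accept/reject plus the timing signal."""
    return lambda guess: compare(secret, guess)


def recover_secret(oracle, length):
    """Byte-by-byte recovery: at each position, the candidate that makes the
    comparison examine one more byte is the right one; the last byte is
    confirmed by the accept answer itself. Needs at most 256 tries per byte
    instead of 256**length for the whole secret."""
    guess = bytearray(length)
    for pos in range(length):
        for candidate in range(256):
            guess[pos] = candidate
            equal, examined = oracle(bytes(guess))
            if equal or examined > pos + 1:
                break
    return bytes(guess)
```

Against the early-exit comparison the recovery succeeds with at most 256 tries per byte; against the constant-time version the examined count is identical for every guess, so the same attacker learns nothing beyond the final accept/reject bit.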