Deck C

Question 1

When does an SQL injection occur

Answer 1

When a user-input is used in an SQL query without proper sanitisation or filtering of the input

Question 2

What are the types of SQL Injections

Answer 2

In-band. Blind Out-of-band

Question 3

What are characters to use for testing of SQLi Discovery

Answer 3

” # ; )

Question 4

What are the 3 types of queries for MySQL fingerprint testing

Answer 4

SELECT @@version. SELECT POW(1.1). SELECT SLEEP(5)

Question 5

What is the expected output of SELECT @@version if MySQL

Answer 5

It will output the current MySQL version

Question 6

What is the expected output of SELECT @@version if NOT MySQL

Answer 6

In MSSQL it returns MSSQL version. Error with other DBMS

Question 7

What is the expected output of SELECT POW(1.1) if MySQL

Answer 7

1

Question 8

What is the expected output of SELECT POW(1.1) if NOT MySQL

Answer 8

Error with other DBMS

Question 9

What is the expected output of SELECT SLEEP(5) if MySQL

Answer 9

Delays page response by 5 seconds and returns 0

Question 10

What is the expected output of SELECT SLEEP(5) if NOT MySQL

Answer 10

Will not delay response with other DBMS

Question 11

If the web server is running Apache or Nginx what is likely the SQL server

Answer 11

MySQL

Question 12

If the web server is running IIS what is likely the SQL server

Answer 12

MSSQL

Question 13

What are the three types of XSS

Answer 13

Stored. Reflected and DOM-Based

Question 14

What is a Stored XSS

Answer 14

The most critical type of XSS which occurs when user input is stored on the back-end database and displayed upon retrieval

Question 15

What is a Reflected XSS

Answer 15

When a user input is displayed on the page after being processed by the backend server but without being stored

Question 16

What is a DOM based XSS

Answer 16

When a user input is directly shown in the browser and is completely processed on the client side without reaching the backend

Question 17

When can XSS be performed in Headers

Answer 17

When their values are displayed on the page

Question 18

What 3 ports does MSSQL run on

Answer 18

TCP 1433 and UDP 1434. Hidden mode: TCP 2433

Question 19

Query to verify MSSQL version

Answer 19

SELECT @@version

Question 20

Oracle RDBMS port

Answer 20

TCP Port 1521

Question 21

Query to verify Oracle RDBMS version

Answer 21

SELECT * FROM v$version;

Question 22

MySQL Port

Answer 22

Port 3306

Question 23

Query to verify MySQL version

Answer 23

SELECT VERSION()

Question 24

MySQL Error

Answer 24

“You have an error in your SQL syntax”

Question 25

PostgreSQL Port

Answer 25

TCP Port 5432

Question 26

PostgreSQL Error

Answer 26

“PGERROR” or includes PostgreSQL in error text

Question 27

Query to verify PostgreSQL version

Answer 27

SELECT version()

Question 28

MongoDB port

Answer 28

TCP Port 27017

Question 29

Query to verify MongoDB version

Answer 29

db.version()

Question 30

Redis Port

Answer 30

TCP Port 6379

Question 31

What is Spear Phishing

Answer 31

Instead of casting a wide net attackers research their victims and craft personalised messages increasing likelihood of success

Question 32

What is Whaling

Answer 32

A subtype of Spear Phishing but targeting high profile individuals within an organisation such as C-Suite

Question 33

What is Vishing

Answer 33

Voice Phishing involves using phone calls or voice messages to deceive victims into revealing sensitive information

Question 34

What is Virtualisation

Answer 34

Virtualisation refers to creating a virtual version of a resource. It allows for multiple OS or applications to run on a single physical system whilst keeping them isolated from one another

Question 35

VMWare ESXI Port

Answer 35

Port 902

Question 36

HyperV DCE/RPC Port

Answer 36

135

Question 37

Docker Port

Answer 37

Port 2375 and 2376

Question 38

IBM DB2 Port

Answer 38

50000

Question 39

What is the DB that contains schema info in MSSQL

Answer 39

INFORMATION_SCHEMA

Question 40

What is the DB that contains schema info in MySQL

Answer 40

INFORMATION_SCHEMATA

Question 41

In Blind SQLi what query can we use to extract length of a field

Answer 41

LEN(fieldName)

Question 42

In Blind SQLi what query can we use to extract name of field letter by letter

Answer 42

ASCII(SUBSTRING(fieldName,1,1))

Question 43

How to sleep in PGSQL

Answer 43

SELECT 1 FROM PG_SLEEP(10)

Question 44

How to sleep in MSSQL

Answer 44

WAITFOR DELAY ‘0:0:5’

Question 45

How to sleep in MySQL

Answer 45

SELECT SLEEP(5)

Question 46

How to enable xp_cmdshell

Answer 46

EXEC sp_configure ‘xp_cmdshell’. 1; RECONFIGURE;

Question 47

What does CSRF stand for

Answer 47

Cross Site Request Forgery

Question 48

What is CSRF

Answer 48

Where an attacker tricks a victim into submitting unwanted requests through a link

Question 49

Example of Insecure Headers

Answer 49

Missing CSP, Missing X-Frame-Options, Missing HSTS

Question 50

What does CSP stand for

Answer 50

Content Security Policy

Question 51

What does HSTS stand for

Answer 51

Header Strict-Transport-Security

Question 52

What does CSP do and what is risks of missing CSP

Answer 52

Helps mitigate XSS by defining which resources can be loaded by browser, missing CSP means malicious scripts could be injected and executed in user’s browsers

Question 53

What is HSTS and risks of missing HSTS

Answer 53

HSTS ensures that the website is only accessed from HTTPS and not HTTP, missing HSTS increases the risk of HTTPS downgrade attacks where the attacker forces the user to connect via HTTP allowing them to intercept data

Question 54

What are X-Frame-Options and what are risks of Missing X-Frame-Options

Answer 54

X-Frame-Options prevent clickjacking by disallowing the website to be embedded in an iframe, Missing X-Frame-Options means an attacker can embed the website in a malicious frame leading to clickjacking attacks

Question 55

What are risks of CSRF

Answer 55

Unauthorised actions being performed, data manipulation, account takeover

Question 56

What is XML Injection / XXE

Answer 56

When an attacker manipulates input in XML format, causing the web application to process unintended data or behaviour

Question 57

What are anti-CSRF, anti-XSS headers

Answer 57

SameSite Cookie, CSRF Tokens, CSP Header

Question 57

What are the risks of XML Injection / XXE

Answer 57

Data leakage, RCE, DoS

Question 57

How can we test/exploit an XXE

Answer 57

We can try including malicious XML entities such that they read the contents of file:///etc/passwd and then print out the contents of it

Question 58

What is a CSRF token

Answer 58

A unique and unpredictable value that is included in forms or headers for each request, these tokens must match a token stored in the user’s session

Question 58

What is a SameSite cookie

Answer 58

It controls when cookies are sent in cross-origin requests, Strict: cookies only sent in requests that originate from the same site

Question 59

What does CSP do

Answer 59

Restricts scripts, styles and other resources from being loaded or executed if they are not explicitly allowed, can prevent reflected and stored XSS by blocking malicious scripts

Question 60

What is Session Fixation

Answer 60

The attacker generates/creates a valid session and sends a victim a link using that cookie, which when the victim logs in, the attacker will have access to the account using the cookie

Question 60

What is a MIME-Type and what can it be exploited for

Answer 60

Determines the file type through its general format and byte structure and can be exploited for passing malicious files as allowed files (e.g: php scripts as a .jpg)

Question 61

What can be an example of Session Fixation

Answer 61

An attacker logs into an account, copies the session token, logs out to invalidate it, sends a crafted URL to a victim who will login and attacker will have possession of a valid session ID

Question 62

Name 3 laws relating to Cyber in Australia

Answer 62

Privacy Act 1988, Cybercrime Act 2001 and Security of Critical Infrastructure Act 2018

Question 63

What is the Cybercrime Act 2001

Answer 63

• Criminalises hacking and unauthorised access to data
• Addresses fraud involving computers and data manipulation

Question 64

What is the Privacy Act 1988

Answer 64

It regulates the handling of personal information about individuals, requires organisations to notify individuals and the Australian Information Commissioner about data breaches that are likely to result in serious harm

Question 65

What is the Security of Critical Infrastructure Act 2018

Answer 65

The SOCI Act identifies critical infrastructure assets and imposes obligations on owners and operators to protect their assets

Question 66

What are the top 3 international Cyber laws/standards

Answer 66

GDPR, PCI DSS and ISO 27001

Question 67

What does GDPR stand for

Answer 67

General Data Protection Regulation

Question 68

What does GDPR do

Answer 68

• Enhances individuals control over their personal data
• Requires timely reporting of data breaches
• Imposes fines for non-compliance

Question 69

What does PCI DSS stand for

Answer 69

Payment Card Industry Data Security Standard

Question 70

What does PCI DSS do

Answer 70

• Mandates encryption of cardholder data
• Requires restricted access to sensitive information

Question 71

What does ISO 27001 do?

Answer 71

• Emphasises the identification and management of information security risks
• Encourages ongoing enhancement of security measures

Question 72

What is the name of the scheme in the Privacy Act 1988 regarding notifying stakeholders

Answer 72

NDB scheme

Question 73

What is the NDB scheme

Answer 73

Mandates the reporting of data breaches that are likely to result in serious harm

Question 74

What TLS configuration does the PCI DSS find non-compliant

Answer 74

TLS 1.0

Question 75

What are some questions that can be asked during scoping

Answer 75

• A brief description of the service?
• How many endpoints and functions are there?
• Does the service have a login mechanism in order to access authenticated content?

Question 76

What is an open line in the Technical Summary

Answer 76

This section is targeted towards Project Managers or IT Managers wishing to delegate remediation tasks to various parties. It is a summary of all vulnerabilities with related risk ratings and business impacts designed to help prioritise resourcing for remediation.