Exploiting Application Vulnerabilities Flashcards
Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks?
a. Browser-based input validation
b. Input whitelisting
c. Input blacklisting
d. Signature detection
b. Input whitelisting (allowlisting) defines the specific input type, format, or range that users may provide and rejects everything else. When developers can write clear business rules defining allowable user input, whitelisting is the most effective way to prevent injection attacks. Blacklisting tries to enumerate bad input and is routinely bypassed with encoding or alternate syntax, and browser-based validation can be skipped entirely because the attacker controls the client. For SQL injection specifically, whitelisting should be paired with parameterized queries so that input is never interpreted as part of the statement.
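The contrast between the two approaches in working code, as an added example that is not part of the original flashcard set. It assumes a hypothetical business rule (a service ID is one to nine decimal digits) and uses a constructed in-memory SQLite table named Services; the blocklist is deliberately naive to show why enumeration of bad input fails.

```python
import re
import sqlite3
from typing import Optional

# Allowlist: hypothetical business rule that a service ID is 1-9 decimal digits.
SERVICE_ID_RE = re.compile(r"^[0-9]{1,9}$")

# Blocklist shown only for contrast: it enumerates "known bad" tokens and misses variants.
BLOCKLIST = ("drop table", "' or", "--")


def is_allowed_service_id(value: str) -> bool:
    """Allowlist check: accept only input matching the defined format."""
    return SERVICE_ID_RE.fullmatch(value) is not None


def blocklist_rejects(value: str) -> bool:
    """Blocklist check: True if any enumerated bad token appears."""
    lowered = value.lower()
    return any(bad in lowered for bad in BLOCKLIST)


def build_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the application's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Services (serviceID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Services VALUES (?, ?)",
                     [(892, "billing"), (893, "search")])
    conn.commit()
    return conn


def service_name(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Allowlist the input, then bind it as a query parameter.

    The two controls back each other up: even if the allowlist were missing,
    the parameterized query keeps the value as data rather than SQL text.
    """
    if not is_allowed_service_id(raw_id):
        raise ValueError("rejected input: %r" % raw_id)
    row = conn.execute(
        "SELECT name FROM Services WHERE serviceID = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(service_name(db, "892"))
    # The first payload is caught by both checks; the other two slip past the
    # blocklist (different keywords, comment-obfuscated spacing) but not the allowlist.
    for payload in ("892' ; DROP TABLE Services;--",
                    "892 UNION SELECT name FROM Services",
                    "892'; dRoP/**/TaBlE Services;"):
        print("%-40s allowlist=%-5s blocklist=%s" % (
            payload, is_allowed_service_id(payload), blocklist_rejects(payload)))
```

The allowlist does not need to know anything about SQL; it only needs to know what a valid service ID looks like, which is why it generalizes to every injection family rather than to one set of keywords.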
Examine the following network diagram. What is the most appropriate location for a web application firewall (WAF) on this network?
[Network diagram: Internet, A, B, C, Internal Network in sequence, with a DMZ branch containing location D directly in front of the Web Server]
a. Location A
b. Location B
c. Location C
d. Location D
d. Web application firewalls must be placed in front of web servers, so that every request reaches the server only after the WAF has inspected it. This rules out location C, which does not sit on the path to the web server. The next consideration is placing the WAF so that it filters all traffic headed for the web server while seeing a minimum amount of extraneous traffic, which would otherwise add load and false positives. This makes location D, directly in front of the web server in the DMZ, the best option for placing a WAF.
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
a. Timing-based SQL injection
b. HTML injection
c. Cross-site scripting
d. Content-based SQL injection
a. The use of the SQL WAITFOR command is a signature characteristic of a timing-based SQL injection attack: the attacker cannot see query results directly, so the injected WAITFOR DELAY makes the response slow only when an injected condition is true, and the delay leaks the answer. WAITFOR DELAY is Microsoft SQL Server (T-SQL) syntax; the equivalent signatures are SLEEP() and BENCHMARK() on MySQL and pg_sleep() on PostgreSQL, so log searches should cover all of them.
Which one of the following function calls is closely associated with Linux command injection attacks?
a. system()
b. sudo()
c. mkdir()
d. root()
a. The system() function executes a command string against the operating system from within an application and may be used in command injection attacks. On Linux, system() hands the string to /bin/sh -c, so shell metacharacters in user-supplied input (;, |, &&, backticks, $( )) become additional commands. sudo and root are not library functions, and mkdir() creates a directory without invoking a shell.
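The injection and its fix side by side, as an added example (not from the flashcard source). It models system() with subprocess.run(shell=True), which hands the string to /bin/sh -c in the same way but lets the output be captured; echo stands in for a real utility such as ping so the example runs offline, and the hostname allowlist pattern is an assumption.

```python
import re
import subprocess

# Hypothetical allowlist: a hostname or IPv4 literal, starting with an alphanumeric so
# the value can never be mistaken for a command-line flag (argument injection).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_vulnerable(host: str) -> str:
    """Builds a shell command string from user input, exactly as system() does.

    shell=True passes the string to /bin/sh -c, so a ';' in host ends the echo
    command and starts a second one chosen by the attacker.
    """
    result = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return result.stdout


def run_without_shell(host: str) -> str:
    """Second layer on its own: argv form, no shell, metacharacters stay literal."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def ping_hardened(host: str) -> str:
    """Both layers: allowlist the input, then pass it as a single argv element."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host: %r" % host)
    return run_without_shell(host)


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print("system()-style:", repr(ping_vulnerable(payload)))   # second command runs
    print("argv form:     ", repr(run_without_shell(payload)))  # printed literally
    try:
        ping_hardened(payload)
    except ValueError as exc:
        print("hardened:      ", exc)
    print("hardened ok:   ", repr(ping_hardened("8.8.8.8")))
```

Dropping the shell removes the interpreter that gives metacharacters their meaning; the allowlist is still needed because the invoked program may interpret its own arguments (leading dashes, for example).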
Tina is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials?
a. Social engineering
b. Default account lists
c. Password dumps from compromised sites
d. All of the above
d. Penetration testers may use a wide variety of sources when seeking to gain access to individual user accounts. These include conducting social engineering attacks against individual users, obtaining password dumps from previously compromised sites (users frequently reuse passwords), consulting default account lists for the products in use, and conducting password cracking attacks against captured hashes.
What type of credential used in Kerberos is often referred to as the “golden ticket” because of its potential for widespread reuse?
a. Session ticket
b. Ticket-granting ticket (TGT)
c. Service ticket
d. User ticket
b. TGTs are incredibly valuable and can be created with extended life spans. A "golden ticket" is a forged TGT: once an attacker obtains the key of the domain's krbtgt account (for example from a dumped domain controller database), the attacker can mint TGTs for any account with any lifetime, and the KDC will honor them and issue service tickets for every Kerberos-connected system, including the ability to create new tickets, make account changes, and even falsify accounts or services. Because the forged ticket is signed with the krbtgt key, it survives user password changes and remains valid until the krbtgt password has been rotated twice.
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain to ensure that her attack will be successful?
a. Session ticket
b. Session cookie
c. Username
d. Username password
b. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user's session cookie (by sniffing an unencrypted connection, through cross-site scripting, or from the client itself), she can present that cookie from her own browser and hijack the authenticated session without ever knowing the username or password. Setting the Secure, HttpOnly, and SameSite attributes on the session cookie and issuing a new session identifier at login narrow the ways the cookie can be stolen or fixed.
Sherry is concerned that a web application in her organization supports unvalidated redirects. Which one of the following approaches would minimize the risk of this attack?
a. Requiring HTTPS
b. Encrypting session cookies
c. Implementing multifactor authentication
d. Restricting redirects to her domain
d. Unvalidated redirects instruct a web application to direct users to an arbitrary site at the conclusion of their transaction. This approach is quite dangerous because it allows an attacker to send users to a malicious site through a legitimate site that they trust. Sherry should restrict redirects so that they only occur within her trusted domain(s). The check must be made on the parsed host name rather than by substring, since www.mycompany.com.evil.com and protocol-relative targets such as //evil.com both defeat naive matching.
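A redirect validator that handles the usual bypass tricks, added here as an example (not code from the flashcard source). The allowed host set is an assumption; the function accepts only absolute-path targets on the same site or http(s) URLs whose parsed host is on the list.

```python
from urllib.parse import urlsplit

# Assumed set of hosts this application may redirect to.
ALLOWED_HOSTS = {"www.mycompany.com", "mycompany.com"}


def is_safe_redirect(target: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Return True only if target stays on an allowed host or is a local path."""
    if not target or any(c in target for c in "\r\n\x00 \t"):
        return False                      # header injection / whitespace tricks
    # Browsers treat backslashes as slashes, so "/\evil.com" is really "//evil.com".
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, and friends
    if not parts.netloc:
        # No authority: accept only an absolute path on this site, never
        # a scheme-relative form or something like "https:evil.com".
        return normalized.startswith("/") and not normalized.startswith("//")
    host = (parts.hostname or "").lower()  # strips userinfo and port
    return host in allowed_hosts


if __name__ == "__main__":
    for t in ("/account/settings", "https://www.mycompany.com/done", "//evil.com",
              "/\\evil.com", "https://www.mycompany.com.evil.com/",
              "https://www.mycompany.com@evil.com/", "javascript:alert(1)"):
        print("%-42s %s" % (t, is_safe_redirect(t)))
```

Comparing the parsed host against an exact set, rather than checking whether the string contains the domain, is what defeats the suffix and userinfo variants; rejecting bare relative names keeps the function conservative.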
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted?
a. Cross-site scripting
b. Session hijacking
c. Parameter pollution
d. Man-in-the-middle
c. This query string is indicative of a parameter pollution attack. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt, and the payload carried in the second copy (' ; DROP TABLE Services;--) shows that the underlying goal was SQL injection. Whether the application sees the first value, the last value, or both joined together depends on the web framework; the attacker is counting on the content filter and the application resolving the duplicate differently, so the filter inspects the harmless copy while the application executes the malicious one.
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
http://www.mycompany.com/servicestatus.php?serviceID=1
http://www.mycompany.com/servicestatus.php?serviceID=2
http://www.mycompany.com/servicestatus.php?serviceID=3
http://www.mycompany.com/servicestatus.php?serviceID=4
What type of vulnerability was the attacker likely trying to exploit?
a. Insecure direct object reference
b. File upload
c. Unvalidated redirect
d. Session hijacking
a. Thousands of requests that simply increment serviceID indicate that the attacker was enumerating object identifiers, most likely to exploit an insecure direct object reference: the application uses the identifier supplied by the client to select the record without checking that the requester is authorized to view it. The log shows the enumeration; confirming the vulnerability requires checking whether records belonging to other users were actually returned.
Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?
a. SQL injection
b. Session hijacking
c. Directory traversal
d. File upload
c. In this case, the .. path segments are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server's document root and read the /etc/passwd file on the server. Attackers also URL-encode the sequence (%2e%2e%2f) or double-encode it, so log searches and input validation must decode before looking for it.
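Joe's three log findings, together with the WAITFOR signature from the earlier card, as one detection pass over sample log lines. This is an added example, not part of the flashcard source; the log lines are constructed in Apache combined format with documentation IP addresses, and the tag names, the enumeration threshold, and the keyword patterns are assumptions a practitioner would tune for their own site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /servicestatus.php?serviceID=892&serviceID=892'%20;%20DROP%20TABLE%20Services;-- HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /servicestatus.php?serviceID=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /servicestatus.php?serviceID=2 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /servicestatus.php?serviceID=3 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /servicestatus.php?serviceID=4 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login.php?user=a'%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 210
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download.php?f=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 404 210
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /servicestatus.php?serviceID=892 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TIMING_SQLI_RE = re.compile(r"waitfor\s+delay|sleep\s*\(|pg_sleep\s*\(|benchmark\s*\(", re.I)
SQLI_KEYWORD_RE = re.compile(r"drop\s+table|union\s+select|'\s*or\s+", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode(value: str) -> str:
    """Decode twice so %252e-style double encoding is seen as the attacker intends."""
    return unquote(unquote(value))


def query_pairs(query: str):
    """Split on '&' only (parse_qsl has historically also split on ';')."""
    return [pair.partition("=") for pair in query.split("&") if pair]


def classify_request(url: str) -> set:
    """Tag one request URL with the attack patterns it exhibits."""
    tags = set()
    parts = urlsplit(url)
    pairs = query_pairs(parts.query)
    keys = [k for k, _, _ in pairs]
    if len(keys) != len(set(keys)):
        tags.add("parameter_pollution")
    decoded_fields = [decode(parts.path)] + [decode(v) for _, _, v in pairs]
    for field in decoded_fields:
        if TIMING_SQLI_RE.search(field):
            tags.add("timing_sqli")
        if SQLI_KEYWORD_RE.search(field):
            tags.add("sqli_keyword")
        if TRAVERSAL_RE.search(field):
            tags.add("directory_traversal")
    return tags


def scan_log(text: str):
    """Return (ip, url, tags) for every request that carries at least one tag."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tags = classify_request(m["url"])
            if tags:
                hits.append((m["ip"], m["url"], tags))
    return hits


def longest_consecutive_run(values) -> int:
    best = run = 0
    prev = None
    for v in sorted(values):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best, prev = max(best, run), v
    return best


def detect_enumeration(text: str, param: str = "serviceID", min_run: int = 4) -> dict:
    """Map source IP -> length of the longest consecutive walk through a numeric parameter."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for k, _, v in query_pairs(urlsplit(m["url"]).query):
            if k == param and v.isdigit():
                seen[m["ip"]].add(int(v))
    return {ip: longest_consecutive_run(vals) for ip, vals in seen.items()
            if longest_consecutive_run(vals) >= min_run}


if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG):
        print(ip, sorted(tags), url)
    print("enumeration:", detect_enumeration(SAMPLE_LOG))
```

Decoding before matching is what catches the encoded traversal in the download.php request, and counting duplicate keys rather than parsing them into a dictionary is what exposes the pollution attempt, since a dictionary would silently keep only one value.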
What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?
a. SQL injection
b. Cross-site scripting
c. Cross-site request forgery (XSRF)
d. File inclusion
c. XSRF (also written CSRF) attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. The attacker embeds a request (an image tag, a hidden form, or script) in one website that causes the victim's browser to send a request to a second website, and the browser attaches the victim's cookies for that second site automatically, so the request arrives already authenticated. Anti-forgery tokens tied to the session and SameSite cookie attributes are the standard defenses.
What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?
a. Reflected XSS
b. Stored XSS
c. Persistent XSS
d. DOM-based XSS
d. DOM-based XSS attacks execute entirely on the client side: the page's own JavaScript reads attacker-controlled data (for example from the URL fragment) and writes it into the Document Object Model, so the payload never appears in the HTML the server sends and is not visible to someone viewing the page source. It can be seen only in the live DOM, through the browser's developer tools. Reflected and stored (persistent) XSS payloads are part of the server's response and leave visible traces in the source.
Which one of the following attacks is an example of a race condition exploitation?
a. XSRF
b. XSS
c. TOCTTOU
d. SQLi
c. Time-of-check-to-time-of-use (TOCTTOU) is a race condition that occurs when a program checks a condition, such as access permission to a file, and then uses the resource in a separate, later step. An attacker who changes the resource between the check and the use (for example, by swapping a regular file for a symbolic link) gets the operation performed on something the check never approved. The fix is to make the check and the use a single atomic operation.
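The race and its atomic fix, as an added example that is not from the flashcard source. The window between check and use is simulated with an after_check callback so the attacker's move happens deterministically; it assumes a POSIX system, since os.O_NOFOLLOW is not available on Windows.

```python
import os
import tempfile


def write_racy(path: str, data: bytes, after_check=None) -> None:
    """Vulnerable check-then-use: the symlink test and the open are separate steps."""
    if os.path.islink(path):
        raise PermissionError("refusing to follow symlink")
    if after_check:
        after_check()            # the window in which an attacker can act
    with open(path, "wb") as f:  # follows whatever path points at *now*
        f.write(data)


def write_safe(path: str, data: bytes, after_check=None) -> None:
    """The check is part of the open() itself: O_EXCL refuses an existing path and
    O_NOFOLLOW refuses a symlink, so there is no window between check and use."""
    if after_check:
        after_check()            # same window, but nothing has been decided yet
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def simulate(writer) -> bytes:
    """Run writer under a simulated race; return the content of the file the attacker targeted."""
    with tempfile.TemporaryDirectory() as d:       # constructed scratch directory
        victim = os.path.join(d, "victim.txt")
        report = os.path.join(d, "report.txt")
        with open(victim, "wb") as f:
            f.write(b"original\n")

        def attacker():
            # Between check and use, point the report path at the victim file.
            if os.path.lexists(report):
                os.remove(report)
            os.symlink(victim, report)

        try:
            writer(report, b"pwned\n", after_check=attacker)
        except OSError as exc:
            print("%s refused: %s" % (writer.__name__, exc))
        with open(victim, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("racy  ->", simulate(write_racy))   # victim overwritten
    print("safe  ->", simulate(write_safe))   # victim untouched
```

The safe version never asks "is this a symlink?" as a separate question; it asks the kernel to create the file only if nothing is there, and the kernel answers atomically.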
Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
a. Code signing
b. Code endorsement
c. Code encryption
d. Code obfuscation
a. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers digitally sign their code with their own private key, and users (or the operating system, package manager, or browser acting on their behalf) use the developer's public key to verify that signature, confirming both that the code came from the developer and that it was not modified by unauthorized individuals. The assurance is only as strong as the protection of the private key and the trust placed in the certificate that binds the public key to the developer.