Exploiting Application Vulnerabilities Flashcards
Which one of the following approaches, when feasible, is the most effective way to defeat injection attacks?
A. Browser‐based input validation
B. Input whitelisting
C. Input blacklisting
D. Signature detection
Answer:
B. Input whitelisting approaches define the specific input type or range that users may provide. When developers can write clear business rules defining allowable user input, whitelisting is definitely the most effective way to prevent injection attacks.
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
A. Timing‐based SQL injection
B. HTML injection
C. Cross‐site scripting
D. Content‐based SQL injection
Answer:
A. The use of the SQL WAITFOR command is a signature characteristic of a timing‐based SQL injection attack.
Which one of the following function calls is closely associated with Linux command injection attacks?
A. system()
B. sudo()
C. mkdir()
D. root()
Answer:
A. The system() function executes a command string against the operating system from within an application and may be used in command injection attacks.
Tina is conducting a penetration test and is trying to gain access to a user account. Which of the following is a good source for obtaining user account credentials?
A. Social engineering
B. Default account lists
C. Password dumps from compromised sites
D. All of the above
Answer:
D. Penetration testers may use a wide variety of sources when seeking to gain access to individual user accounts. These may include conducting social engineering attacks against individual users, obtaining password dumps from previously compromised sites, obtaining default account lists, and conducting password cracking attacks.
What type of credential used in Kerberos is often referred to as the “golden ticket” because of its potential for widespread reuse?
A. Session ticket
B. Ticket‐granting ticket (TGT)
C. Service ticket
D. User ticket
Answer:
B. TGTs are incredibly valuable and can be created with extended life spans. When attackers succeed in acquiring TGTs, the TGTs are often called “golden tickets” because they allow complete access to the Kerberos‐connected systems, including creation of new tickets, account changes, and even falsification of accounts or services.
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain to ensure that her attack will be successful?
A. Session ticket
B. Session cookie
C. Username
D. User password
Answer:
B. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user’s session cookie, she can use that cookie to impersonate the user’s browser and hijack the authenticated session.
Sherry is concerned that a web application in her organization supports unvalidated redirects. Which one of the following approaches would minimize the risk of this attack?
A. Requiring HTTPS
B. Encrypting session cookies
C. Implementing multifactor authentication
D. Restricting redirects to her domain
Answer:
D. Unvalidated redirects instruct a web application to direct users to an arbitrary site at the conclusion of their transaction. This approach is quite dangerous because it allows an attacker to send users to a malicious site through a legitimate site that they trust. Sherry should restrict redirects so that they only occur within her trusted domain(s).
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:
http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;--
What type of attack was most likely attempted?
A. Cross‐site scripting
B. Session hijacking
C. Parameter pollution
D. Man‐in‐the‐middle
Answer:
C. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:
- http://www.mycompany.com/servicestatus.php?serviceID=1
- http://www.mycompany.com/servicestatus.php?serviceID=2
- http://www.mycompany.com/servicestatus.php?serviceID=3
- http://www.mycompany.com/servicestatus.php?serviceID=4
- http://www.mycompany.com/servicestatus.php?serviceID=5
- http://www.mycompany.com/servicestatus.php?serviceID=6
What type of vulnerability was the attacker likely trying to exploit?
A. Insecure direct object reference
B. File upload
C. Unvalidated redirect
D. Session hijacking
Answer:
A. The series of thousands of requests incrementing a variable indicates that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.
Joe’s adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request:
http://www.mycompany.com/../../../etc/passwd
What type of attack was most likely attempted?
A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload
Answer:
C. In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server.
What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?
A. SQL injection
B. Cross‐site scripting
C. Cross‐site request forgery (XSRF)
D. File inclusion
Answer:
C. XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.
What type of cross‐site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?
A. Reflected XSS
B. Stored XSS
C. Persistent XSS
D. DOM‐based XSS
Answer:
D. DOM‐based XSS attacks hide the attack code within the Document Object Model. This code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser.
Which one of the following attacks is an example of a race condition exploitation?
A. XSRF
B. XSS
C. TOCTTOU
D. SQLi
Answer:
C. The time‐of‐check‐to‐time‐of‐use (TOCTTOU or TOC/TOU) issue is a race condition that occurs when a program checks access permissions too far in advance of a resource request.
Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?
A. Code signing
B. Code endorsement
C. Code encryption
D. Code obfuscation
Answer:
A. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
Which one of the following tools may be used to debug applications written on a Mac platform?
A. IDA
B. OllyDbg
C. GDB
D. Covenant
Answer:
A. Interactive Disassembler (IDA) is a commercial debugging tool that works on Windows, Mac, and Linux platforms. OllyDbg and Covenant are Windows‐specific tools, and GNU Debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages.
Norm is performing a penetration test of a web application and would like to manipulate the input sent to the application before it leaves his browser. Which one of the following tools would assist him with this task?
A. AFL
B. ZAP
C. GDB
D. DOM
Answer:
B. ZAP is an interception proxy developed by the Open Web Application Security Project (OWASP). Users of ZAP can intercept requests sent from any web browser and alter them before passing them to the web server.
What control is most commonly used to secure access to API interfaces?
A. API keys
B. Passwords
C. Challenge‐response
D. Biometric authentication
Answer:
A. API use may be restricted by assigning legitimate users unique API keys that grant them access, subject to their own authorization constraints and bandwidth limitations.
Which one of the following is a debugging tool compatible with Linux systems?
A. WinDbg
B. GDB
C. OllyDbg
D. SonarQube
Answer:
B. GDB is a widely used open source debugger for the Linux platform. WinDbg and OllyDbg are also debuggers, but they are only available for Windows systems. SonarQube is a continuous security assessment tool and is not a debugger.
During a penetration test, Bonnie discovers in a web server log that the testers attempted to access the following URL:
http://www.mycompany.com/sortusers.php?file=C:\uploads\attack.exe
What type of attack did they most likely attempt?
A. Reflected XSS
B. Persistent XSS
C. Local file inclusion
D. Remote file inclusion
Answer:
C. This URL contains the address of a local file passed to a web application as an argument. It is most likely a local file inclusion exploit, attempting to execute a malicious file that the testers previously uploaded to the server.