Identifying Application Attacks

Question 1

What process optimizes databases and when is a database considered optimized?

Answer 1

Normalization optimizes databases.

A DB is considered optimized when the first 3 forms of normalization are applied.

Question 2

input validation and stored procedures reduce the risk of what type of attack?

Answer 2

SQL injection attack

Question 3

’ or ‘1’=’1’ is used for what purpose?

Answer 3

it’s an SQL command used in many SQL injections attacks

Question 4

directory traversal is a specific type of what type of attack? How does it work?

Answer 4

Command injection attack

an attacker would enter a directory path into a web page form to retrieve a file

Question 5

What is the name given for an attack where bad code HTML or JS code is written into a website and it will execute on the client-side (victim’s browser) when a user visits the site?
What can prevent this type of attack?

Answer 5

XSS (Cross Site Scripting)

Input validation

Question 6

What type of attack involves an attacker creating a webpage that is configured to execute a command that takes advantage of the trust that another website has for the victims browser. If the victim clicks it, the command is executed without the user knowing. It can be used to purchase goods for instance

Answer 6

Cross-Site Request Forgery (XSRF)

Session Riding/One-click attack

Question 7

cookie expiry period or dual authentication can protect against what type of attack? Why?

Answer 7

Cross-Site Request Forgery (XSRF)
Having the cookie expire after a short period prevents automatic login to a site
Dual authentication forces the user to log BEFORE any actions can be taken
Both techniques prevent links programmed by the attacker from getting past the login.