IS3445 CHAP 6 MITIGATING WEB SITE RISKS, THREATS, AND VULNERABILITIES Flashcards
___ is a protocol primarily responsible for the authentication and integrity verification of data packets.
(AH) Authentication Header
___ is the result when an attacker compromises authentication credentials, gaining access to all resources associated with those credentials.
Broken authentication
___ exploits the trust a Web site has for a user’s browser. This can occur because once a visitor is authenticated and logged onto a particular Web site, that site trusts all requests that come from the browser.
(CSRF) Cross-site request forgery attack
___ is a protocol that provides encryption services to network data. It can also be used for authentication and integrity services. This differs from AH authentication in that this protocol includes only the header, trailer, and payload portions of a data packet.
(ESP) Encapsulating Security Payload
___ occurs when an attacker browses unprotected areas and data on a Web server. This attack is enabled by Web applications that fail to restrict vulnerabilities.
Failure to restrict URL access attack
___ is the exploitation by an attacker of information found or gathered which was intended only for authorized users.
Information leakage
___ enables an attacker to bypass an application’s access controls and create, change, delete, or read any data the application can access.
Injection flaw attack
___ is the verification of all data that is received. This helps prevent malicious data from entering an application. This is a form of filtering in which unexpected or unwanted input is automatically rejected and the underlying database remains inaccessible.
Input validation
___ is a threat that occurs when an administrator fails to secure directories and folders in a Web server. It enables an attacker to traverse through a Web server’s directories, leading to the access of sensitive resources and information leakage.
Insecure direct object reference vulnerability
___ is an organization that researches and publishes known security threats to Web applications and Web services.
(OWASP) Open Web Application Security Project
___ uses social engineering to initiate an XSS attack. This uses a malicious script that is embedded in a URL link to target a single victim.
Reflected XSS attack
___ is the standard security technology for establishing an encrypted link between a Web server and a Web browser. This link ensures that all data passed between the Web server and browsers remains private and intact.
(SSL) Secure Sockets Layer
___ is a security agreement between two systems on a network that enables the secure exchange of data.
(SA) Security association
___ is the tracking of requests and communications between a Web server and a user. Because HTML is “stateless” by design, Web applications and Web sites must create a session to pass information and authentication from page to page.
Session
___ is a type of attack designed to break through database security and access the information.
SQL injection attack
___ is an attack that embeds malicious script into a Web page that permits and stores user-supplied content, such as a social networking site or an online forum, where it will be accessible to multiple potential victims. The victim retrieves the malicious script from the Web server when it requests the stored information.
Stored XSS attack
___ is a type of attack in which the attacker changes the appearance of a Web site. The attacker might replace a company’s home page, for example, with a Web page that displays messages from the attacker.
Web site defacement
___ is an attack in which malicious scripts are saved to a Web server but run in a client browser. If the script code is executed, the attacker gains access to personal data on the Web server or the victim’s personal computer.
XSS attack
- Reflected and stored are types of XSS attacks.
TRUE OR FALSE
TRUE
- An attack has occurred on your network. An attacker was able to traverse several files and folders, looking for sensitive data. What type of attack has occurred?
- Insecure direct object reference
- XSS
- CSRF
- Injection flaw
Insecure direct object reference
- AH is the protocol within IPSec used for encryption services.
TRUE OR FALSE
FALSE
- As network administrator, you are concerned with the plain text transmission of sensitive data on the network. Which of the following protocols are used to help secure communications? (Select three)
- IPSec
- HTTP
- SSL
- IKE
IPSec
SSL
IKE
- To increase network security, you have decided to use HTTPS on your shopping cart site. Which of the following ports does HTTPS use?
- 80
- 53
- 443
- 51
443
- ___ and AH are used to secure IPSec transmissions.
Encapsulating Security Payload or ESP
- CSRF attacks exploit the trust a Web site has for a user’s Web browser.
TRUE OR FALSE
TRUE
- Kerberos is a(n) ___ protocol.
Authentication
- To increase overall communication security, you decide to implement 3DES encryption. Which of the following statements is true of 3DES?
- Its key length is 168 bits
- It cannot be used in a Windows-based environment
- It uses 128-bit encryption
- It has to be used with Kerberos
Its key length is 168 bits
- You are concerned about a cross-site forgery attack. Which of the following can you do to help prevent such an attack?
- Ensure antivirus protection is up to date
- Log out of Web sites when finished
- Use stronger passwords
- Encrypt stored passwords
Log out of Web sites when finished
- To establish IPSec encryption, two hosts must create a shared key with each other before SA negotiations can take place.
TRUE OR FALSE
FALSE