Module 6 Questions Flashcards
You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such:
http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exe
A. SQL injection
B. Unicode parameter tampering
C. Directory traversal
D. Cross-site scripting
C. This connection is attempting to traverse the directory from the Inetpub folders to a command shell for the attacker. Instead of dot-dot-slash, Unicode is used in this example to bypass potential IDS signatures.
The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromises. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
B. The attacker has used SQL injection to update the database to reflect new prices for the items.
C. The attacker has taken advantage of a server-side include that altered the price.
D. The attacker used Metasploit to take control of the web application.
A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.
A pen test team member uses the following entry at the command line:
nmap –script http-methods –scripts-args somesystem.com
Which of the following is true regarding the intent of the command?
A. The team member is attempting to see which HTTP methods are supported by somesystem.com.
B. The team member is attempting XSS against somesystem.com.
C. The team member is attempting HTTP response splitting against somesystem.com.
D. The team member is attempting to site mirror somesystem.com.
A. The http-methods script tests a target to see what HTTP methods are supported (by sending an HTTP OPTIONS request). Why would an attacker do this? If you know what GET, POST and PUT do, then you know the answer to this question already.
You are examining IDS logs and come across the following entry:
Mar 30 10:31:07 [1123} : IDS/NOPS-86: 64.118.55.64.:1146-> 192.168.119.56:53
What can you infer from this log entry?
A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port.
B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack.
C. The attacker is attempting a known SQL attack against 192.168.119.56.
D. The attacker is attempting a buffer overflow against 192.168.119.56.
D. The log file shows that the NOP sled signature is being used against 192.168.119.56. There is no indication in the log file about SQL or directory traversal.
Which of the following would be the best protection against XSS attacks?
A. Invest in top of the line firewalls.
B. Perform vulnerability scans against your systems.
C. Configure input validation on your systems.
D. Have a pen test performed against your systems.
C. “Best” is always a tricky word. In this case, configuring server-side operations to validate what’s being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by themselves they don’t do anything to protect you.
Which of the following is true regarding n-tier architecture?
A. Each tier must communicate openly with every other tier.
B. N-tier always consists of presentation, logic, and data tiers.
C. N-tier is usually implemented on one server.
D. N-tier allows each tier to be configured and modified independently.
D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collection of servers, each providing a specific service or tasking.
Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double quote D. Single quote
D. The single quote should begin SQL injection attempts, even though in many database systems it’s not always an absolute.
Which of the following is a true statement?
A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.
B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.
C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks.
D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.
D. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.
Which of the following is a true statement?
A. SOAP cannot bypass a firewall.
B. SOAP encrypts messages using HTTP methods.
C. SOAP is compatible with HTTP and SMTP.
D. SOAP messages are usually bidirectional.
C. SOAP is compatible with HTTP and SMTP, and usually the messages are “one way” in nature.
SOAP is used to package and exchange information for web services. What does SOAP use to format this information? A. XML B. HTML C. HTTP D. Unicode
A. SOAP formats its information exchange in XML.
A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt?
A. The attacker is attempting SQL injection.
B. The attacker is attempting LDAP injection.
C. The attacker is attempting SOAP injection.
D. The attacker is attempting directory traversal
B. The )(&) indicates an LDAP injection attempt.
A security administrator sets the HttpOnly flag in cookies. Which of the
following is he most likely attempting to mitigate against?
A. CSRF
B. CSSP
C. XSS
D. Buffer overflow E. SQL injection
C. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.
Which of the following are true statements? (Choose two.)
A. WebGoat is maintained by the IETF.
B. WebGoat is maintained by OWASP.
C. WebGoat can be installed on Windows or Linux.
D. WebGoat is designed for Apache systems only.
B, C. WebGoat has 30 or so “lessons” imbedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking something.
In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A. The http-methods script usage syntax is nmap –script http-methods , where is the IP of the system you’re after.
OWASP, an international organization focused on improving the security of software, produced a “Top Ten Security Priorities” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection
C. SQL injection
D. Broken authentication
B
• Number 1: Injection OWASP lumps several attacks into this one (SQL injections, OS injections, LDAP injections, and so on).
- Number 2: Broken Authentication and Session Management This one deals with problems in authentication and session management (allowing attackers to compromise passwords, encryption keys, session tokens, and so on).
- Number 3: XSS Cross-site scripting (XSS) happens when an attacker injects code (a script) into the web page of a legitimate company or user—usually into input fields on a web form.
- Number 4: Insecure Direct Object References This occurs when an application references an internal object without appropriate access controls.
- Number 5: Security Misconfiguration This one is all about insecure default settings in applications and systems.
A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers.
Which of the following uses HTML entities properly to represent ?
A.
B. script
C. &script&
D. "script"
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than sign () surround the word script. The appropriate HTML entity for each is < and > (the lt and gt should give that one away).
An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
C. There are few truisms in life, but here’s one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what’s being described here—an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser
Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems.
A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
C. Service-oriented architecture (SOA) is a software design idea that is based on specific pieces of software providing functionality as services between applications.
The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
B. A buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application).
Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
C. In addition to input validation controls (always good for bunches of vulnerability mitigations), setting the HttpOnly flag in cookies can be used in mitigation against some XSS attacks.
You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
B. Unicode is just another way to represent text, so why not use it to try to get past an IDS?
Which MSFconsole command allows you to connect to a host from within the console?
A. pivot
B. connect
C. get
D. route
B. Questions on Metasploit can be very generalized, or—like this question—pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit.
Which character is your best option in testing for SQL injection vulnerability?
A. The @ symbol
B. A double dash
C. The + sign
D. A single quote
D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data.
An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = ’Orlando’, he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?
A. SELECT * FROM Orders_Pend WHERE Location_City = Orlando’;DROP TABLE Orders_Pend –
B. SELECT * FROM Orders_Pend WHERE ’Orlando’;DROP_TABLE –
C. DROP TABLE Orders_Pend WHERE ’Orlando = 1’ –
D. WHERE Location_City = Orlando’1 = 1’: DROP_TABLE –
A. SQL queries usually read pretty straightforward, although they can get complicated pretty quickly. In this case you’re telling the database, “Can you check the table Orders_Pend and see whether there’s a city called Orlando? Oh, by the way, since you’re executing any command I send anyway, just go ahead and drop the table called Orders_Pend while you’re at it.
Efforts to gain information from a target website have produced the following error message:
Microsoft OLE DB Provider for ODBC Drivers error ’80040e08’
[Microsoft]{OBDC SQL Server Driver}
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.
C. Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error,
An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window:
Images
Which of the following is most likely the attack being attempted?
A. SQL injection
B. LDAP injection
C. URL tampering
D. DHCP amplification
B. LDAP injection works a lot like SQL injection—you enter code that is passed by the application to something behind it for processing.
Which of the following is a standard method for web servers to pass a user’s request to an application and receive data back to forward to the user?
A. SSI
B. SSL
C. CGI
D. CSI
C. Common Gateway Interface (CGI) is a standardized method for transferring information between a web server and an executable (a CGI script is designed to perform some task with the data).
An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?
A. Blind SQL injection
B. SQL denial of service
C. SQL code manipulation
D. SQL replay
A. Blind SQL injection is really kinda neat, even if you’re not a nerd. Sometimes a security admin does just enough to frustrate efforts, and you don’t receive the error messages or returned information you originally counted on.
A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?
A. ;
B. :
C. ‘
D. “
E. –
F. ~
A. CSPP (connection string parameter attack) is another form of an injection attack.
An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?
A. Shell injection
B. File injection
C. SQL injection
D. URL injection
A. When it comes to web application attacks, there are many vectors and avenues to take. One of the more common is injecting something into an input string to exploit poor code.
An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie’s contents. How is this possible?
A. A cookie can be replayed at any time, no matter the circumstances.
B. Encryption was accomplished at the application layer, using a single key.
C. Authentication was accomplished using XML.
D. Encryption was accomplished at the network layer.
B. Cookies can be used for all sorts of things. If you can grab all user cookies, you can see what they visited and sometimes even how long they’ve been there. Cookies can also hold passwords—and because most people use the same password on multiple sites, this can be a gold mine for the attacker.
HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?
A. HEAD
B. PUT
C. GET
D. POST
C. An HTTP GET is a method for returning data from a form that “encodes” the form data to the end of the URI (a character string that identifies a resource on the Web, such as a page of text, a video clip, an image, or an application).
An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=1
The web page loads normally. He then enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=2
A generic page noting “An error has occurred” appears.
Which of the following is a correct statement concerning these actions?
A. The site is vulnerable to cross-site scripting.
B. The site is vulnerable to blind SQL injection.
C. The site is vulnerable to buffer overflows.
D. The site is not vulnerable to SQL injection.
B. The URLs shown here are attempting to pass a SQL query through to see what may be going on in the background. Notice the first URL entered added and 1=1.
Which of the following is not true regarding WebGoat?
A. WebGoat is maintained and made available by OWASP.
B. WebGoat can be installed on Windows systems only.
C. WebGoat is based on a black-box testing mentality.
D. WebGoat can use Java or .NET.
B. WebGoat, now in version 7
An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:
Nice post and a fun read
onload=window.location=’http://www.badsite.com’
What is the attacker attempting to perform?
A. A SQL injection attack against the blog’s underlying database
B. A cross-site scripting attack
C. A buffer overflow DoS attack
D. A file injection DoS attack
B. This is a classic (an overly simplified but classic nonetheless) example of cross-site scripting.
Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?
A. SSH brute force
B. CSRF
C. Form field entry manipulation
D. Through web servers utilizing CGI (Common Gateway Interface)
D. I would bet very large sums of cash you will see Shellshock on your exam—maybe even a couple of times.
You are examining website files and find the following text file:
Images
Which of the following is a true statement concerning this file?
A. All web crawlers are prevented from indexing the listing.html page.
B. All web crawlers are prevented from indexing all pages on the site.
C. The Googlebot crawler is allowed to index pages starting with /tmp/.
D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.
D. The robots.txt file was created to allow web designers to control index access to their sites.
