Module 6 Questions Flashcards
You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such:
http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exe
A. SQL injection
B. Unicode parameter tampering
C. Directory traversal
D. Cross-site scripting
C. This connection is attempting to traverse the directory from the Inetpub folders to a command shell for the attacker. Instead of dot-dot-slash, Unicode is used in this example to bypass potential IDS signatures.
The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
B. The attacker has used SQL injection to update the database to reflect new prices for the items.
C. The attacker has taken advantage of a server-side include that altered the price.
D. The attacker used Metasploit to take control of the web application.
A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.
A pen test team member uses the following entry at the command line:
nmap --script http-methods --script-args somesystem.com
Which of the following is true regarding the intent of the command?
A. The team member is attempting to see which HTTP methods are supported by somesystem.com.
B. The team member is attempting XSS against somesystem.com.
C. The team member is attempting HTTP response splitting against somesystem.com.
D. The team member is attempting to site mirror somesystem.com.
A. The http-methods script tests a target to see what HTTP methods are supported (by sending an HTTP OPTIONS request). Why would an attacker do this? If you know what GET, POST and PUT do, then you know the answer to this question already.
You are examining IDS logs and come across the following entry:
Mar 30 10:31:07 [1123] : IDS/NOPS-86: 64.118.55.64:1146 -> 192.168.119.56:53
What can you infer from this log entry?
A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port.
B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack.
C. The attacker is attempting a known SQL attack against 192.168.119.56.
D. The attacker is attempting a buffer overflow against 192.168.119.56.
D. The log file shows that the NOP sled signature is being used against 192.168.119.56. There is no indication in the log file about SQL or directory traversal.
Which of the following would be the best protection against XSS attacks?
A. Invest in top of the line firewalls.
B. Perform vulnerability scans against your systems.
C. Configure input validation on your systems.
D. Have a pen test performed against your systems.
C. “Best” is always a tricky word. In this case, configuring server-side operations to validate what’s being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by themselves they don’t do anything to protect you.
Which of the following is true regarding n-tier architecture?
A. Each tier must communicate openly with every other tier.
B. N-tier always consists of presentation, logic, and data tiers.
C. N-tier is usually implemented on one server.
D. N-tier allows each tier to be configured and modified independently.
D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collections of servers, each providing a specific service or tasking.
Which character is the best choice to start a SQL injection attempt?
A. Colon
B. Semicolon
C. Double quote
D. Single quote
D. The single quote should begin SQL injection attempts, even though in many database systems it’s not always an absolute.
Which of the following is a true statement?
A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.
B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.
C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks.
D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.
D. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.
Which of the following is a true statement?
A. SOAP cannot bypass a firewall.
B. SOAP encrypts messages using HTTP methods.
C. SOAP is compatible with HTTP and SMTP.
D. SOAP messages are usually bidirectional.
C. SOAP is compatible with HTTP and SMTP, and usually the messages are “one way” in nature.
SOAP is used to package and exchange information for web services. What does SOAP use to format this information?
A. XML
B. HTML
C. HTTP
D. Unicode
A. SOAP formats its information exchange in XML.
A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt?
A. The attacker is attempting SQL injection.
B. The attacker is attempting LDAP injection.
C. The attacker is attempting SOAP injection.
D. The attacker is attempting directory traversal.
B. The )(&) indicates an LDAP injection attempt.
A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate against?
A. CSRF
B. CSSP
C. XSS
D. Buffer overflow
E. SQL injection
C. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.
Which of the following are true statements? (Choose two.)
A. WebGoat is maintained by the IETF.
B. WebGoat is maintained by OWASP.
C. WebGoat can be installed on Windows or Linux.
D. WebGoat is designed for Apache systems only.
B, C. WebGoat has 30 or so “lessons” embedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new and seasoned pen testers to practice on without fear of breaking something.
In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after.
OWASP, an international organization focused on improving the security of software, produced a “Top Ten Security Priorities” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection
C. SQL injection
D. Broken authentication
B.
- Number 1: Injection. OWASP lumps several attacks into this one (SQL injections, OS injections, LDAP injections, and so on).
- Number 2: Broken Authentication and Session Management. This one deals with problems in authentication and session management (allowing attackers to compromise passwords, encryption keys, session tokens, and so on).
- Number 3: XSS. Cross-site scripting (XSS) happens when an attacker injects code (a script) into the web page of a legitimate company or user—usually into input fields on a web form.
- Number 4: Insecure Direct Object References. This occurs when an application references an internal object without appropriate access controls.
- Number 5: Security Misconfiguration. This one is all about insecure default settings in applications and systems.
A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers.