Module 6 Questions Flashcards
You are examining log files and notice several connection attempts to a hosted web server. Many attempts appear as such:
http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exe
A. SQL injection
B. Unicode parameter tampering
C. Directory traversal
D. Cross-site scripting
C. This connection is attempting to traverse the directory from the Inetpub folders to a command shell for the attacker. Instead of dot-dot-slash, Unicode is used in this example to bypass potential IDS signatures.
The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
B. The attacker has used SQL injection to update the database to reflect new prices for the items.
C. The attacker has taken advantage of a server-side include that altered the price.
D. The attacker used Metasploit to take control of the web application.
A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.
A pen test team member uses the following entry at the command line:
nmap --script http-methods --script-args somesystem.com
Which of the following is true regarding the intent of the command?
A. The team member is attempting to see which HTTP methods are supported by somesystem.com.
B. The team member is attempting XSS against somesystem.com.
C. The team member is attempting HTTP response splitting against somesystem.com.
D. The team member is attempting to site mirror somesystem.com.
A. The http-methods script tests a target to see what HTTP methods are supported (by sending an HTTP OPTIONS request). Why would an attacker do this? If you know what GET, POST and PUT do, then you know the answer to this question already.
You are examining IDS logs and come across the following entry:
Mar 30 10:31:07 [1123] : IDS/NOPS-86: 64.118.55.64:1146 -> 192.168.119.56:53
What can you infer from this log entry?
A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port.
B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack.
C. The attacker is attempting a known SQL attack against 192.168.119.56.
D. The attacker is attempting a buffer overflow against 192.168.119.56.
D. The log file shows that the NOP sled signature is being used against 192.168.119.56. There is no indication in the log file about SQL or directory traversal.
Which of the following would be the best protection against XSS attacks?
A. Invest in top of the line firewalls.
B. Perform vulnerability scans against your systems.
C. Configure input validation on your systems.
D. Have a pen test performed against your systems.
C. “Best” is always a tricky word. In this case, configuring server-side operations to validate what’s being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by themselves they don’t do anything to protect you.
Which of the following is true regarding n-tier architecture?
A. Each tier must communicate openly with every other tier.
B. N-tier always consists of presentation, logic, and data tiers.
C. N-tier is usually implemented on one server.
D. N-tier allows each tier to be configured and modified independently.
D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collections of servers, each providing a specific service or tasking.
Which character is the best choice to start a SQL injection attempt?
A. Colon
B. Semicolon
C. Double quote
D. Single quote
D. The single quote should begin SQL injection attempts, even though in many database systems it’s not always an absolute.
Which of the following is a true statement?
A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks.
B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks.
C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks.
D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.
D. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.
Which of the following is a true statement?
A. SOAP cannot bypass a firewall.
B. SOAP encrypts messages using HTTP methods.
C. SOAP is compatible with HTTP and SMTP.
D. SOAP messages are usually bidirectional.
C. SOAP is compatible with HTTP and SMTP, and usually the messages are “one way” in nature.
SOAP is used to package and exchange information for web services. What does SOAP use to format this information?
A. XML
B. HTML
C. HTTP
D. Unicode
A. SOAP formats its information exchange in XML.
A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt?
A. The attacker is attempting SQL injection.
B. The attacker is attempting LDAP injection.
C. The attacker is attempting SOAP injection.
D. The attacker is attempting directory traversal.
B. The )(&) indicates an LDAP injection attempt.
A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate against?
A. CSRF
B. CSSP
C. XSS
D. Buffer overflow
E. SQL injection
C. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.
Which of the following are true statements? (Choose two.)
A. WebGoat is maintained by the IETF.
B. WebGoat is maintained by OWASP.
C. WebGoat can be installed on Windows or Linux.
D. WebGoat is designed for Apache systems only.
B, C. WebGoat has 30 or so “lessons” embedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking something.
In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after.
OWASP, an international organization focused on improving the security of software, produced a “Top Ten Security Priorities” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection
C. SQL injection
D. Broken authentication
B.
- Number 1: Injection. OWASP lumps several attacks into this one (SQL injections, OS injections, LDAP injections, and so on).
- Number 2: Broken Authentication and Session Management. This one deals with problems in authentication and session management (allowing attackers to compromise passwords, encryption keys, session tokens, and so on).
- Number 3: XSS. Cross-site scripting (XSS) happens when an attacker injects code (a script) into the web page of a legitimate company or user—usually into input fields on a web form.
- Number 4: Insecure Direct Object References. This occurs when an application references an internal object without appropriate access controls.
- Number 5: Security Misconfiguration. This one is all about insecure default settings in applications and systems.
A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers.
Which of the following uses HTML entities properly to represent <script>?
A. &lt;script&gt;
B. <script>
C. &script&
D. "script"
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than and greater-than signs (< and >) surround the word script. The appropriate HTML entity for each is &lt; and &gt; (the lt and gt should give that one away).
An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
C. There are few truisms in life, but here’s one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what’s being described here—an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser.
Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems.
A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
C. Service-oriented architecture (SOA) is a software design idea that is based on specific pieces of software providing functionality as services between applications.
The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
B. A buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application).
Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
C. In addition to input validation controls (always good for bunches of vulnerability mitigations), setting the HttpOnly flag in cookies can be used in mitigation against some XSS attacks.
You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
B. Unicode is just another way to represent text, so why not use it to try to get past an IDS?