pentest+

Question 1

What is a race condition

Answer 1

occurs when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, which then failed to execute intheorder and timing intended by the developer; happens where multiple threads attempt to write to a variable or object at the same memory location

Question 2

Dereferencing

Answer 2

occurs when the code attempts to remove the relationship between a pointer and the thing it points to

Question 3

TOCTOU

Answer 3

occurs when there is a change between when an app checks a resource and when the app uses the resource

Question 4

Mutually Exclusive Flag (Mutex)

Answer 4

acts as a gatekeeper to a section of code so that only one thread can be processed at a time

Question 5

deadlock

Answer 5

occurs when a lock cannont be removed from the resource

Question 6

buffer overflow

Answer 6

when a process stores data outside the memory range allocated by the developer

Question 7

Stack

Answer 7

reserved area of memory where the program saves the return address when a function call instruction is received

Question 8

stack smashing

Answer 8

Stack smashing is a type of security vulnerability that occurs when an attacker is able to overwrite the contents of a program’s call stack; occurs when attacker fills up the buffer with NOP instructions

Question 9

Non-Operation(NOP) instruction

Answer 9

tells the system to do nothing and simply go to the next instruction; a NOP instruction is an assembly language instruction that does not perform any operation and takes up one clock cycle.

Question 10

ASLR (address space layout randomization)

Answer 10

prevents an attacker’s ability to guess where the return pointer for a non-malicious program has been set to call back to

Question 11

data execution protection (DEP)

Answer 11

blocks applications that attempt to run from protected memory locations

Question 12

integer overflow

Answer 12

occurs when a computed result from an operation is too large to fit into its assigned variable type for storage

Question 13

insecure direct object reference

Answer 13

used to manipulate URLs to gain access to a resource without requiring proper authentication

Question 14

HTTP strict transport security (HSTS)

Answer 14

allows a web server to notify web browsers to only request using HTTPs and not HTTP

Question 15

HTTP public key pinning

Answer 15

allows https websites to resist impersonation by attackers using mis-issued or fraudulent certificates

Question 16

X-frame options

Answer 16

prevents clickjacking from occurring

Question 17

X-XSS-Protection

Answer 17

enables cross-site scripting filter in the web browser

Question 18

X-Content-Type-Options

Answer 18

prevents the browser from interpreting files as something other than what they are

Question 19

Content-Security-Policy (CSP)

Answer 19

impacts how web browsers render pages

Question 20

X-Permitted-Cross-Domain-Policies

Answer 20

sends a cross-domain policy file to the web client and specifies if the browser has permission to handle data across domains

Question 21

Referrer-Policy

Answer 21

governs which referrer information should be included with requests made

Question 22

Expect-CT

Answer 22

indicates browsers to evaluate connections to the host emitting the header for Certificate Transparency compliance

Question 23

Feature-Policy

Answer 23

allows developers to selectively enable and disable use of various browser features and APIs

Question 24

Representational State Transfer (REST)

Answer 24

a client/server model for interacting with content on remote systems over HTTP

Question 25

JavaScript Object Notation (JSON)

Answer 25

a text-based message format used with RESTful web service

Question 26

Simple Object Access Protocol (SOAP)

Answer 26

used for exchanging structural information for web services ; conduct inspection and sanitization of inputs and outputs to the application

Question 27

Asynchronous JavaScript and XML (AJAX)

Answer 27

a grouping of related technologies used on the client side to create asynchronous web applications; uses same-origin policy; considered more secure than some other methods

Question 28

Bytecode

Answer 28

an intermediate form of code produced by a complier that can be translated into machine code