Practice Exam 6 Flashcards

1
Q

PE6.1 In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?

A. CONNECT
B. GET
C. POST
D. HEAD

A

A
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after. Per nmap’s support pages (https://nmap.org/nsedoc/scripts/http-methods.html), this script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.” You can also use additional parameters, such as url-path, to further hone your results. For example, output from the preceding syntax showing PUT as a risky method might look like this:

PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-methods
|_ Supported Methods: GET PUT HEAD POST OPTIONS

Quite obviously, there is a lot of information tested in this one question—and many, many ways you might see it on the exam. The HTTP options themselves will show up somewhere, so knowing the difference, for example, between HTTP POST (submits data to be processed, normally allowable) and HTTP PUT (allows a client to upload new files on the web server, which normally shouldn’t be allowed) will become very important to your success. From OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29), the following options are important to know:
• PUT This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (for example, an .asp file that executes commands by invoking cmd.exe) or by simply using the victim’s server as a file repository.
• DELETE This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to mount a DoS attack.
• CONNECT This method could allow a client to use the web server as a proxy.
• TRACE This method simply echoes back to the client whatever string has been sent to the server, and it’s used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as cross-site tracing.

B, C, and D are incorrect because these are not considered “risky” options.

2
Q

PE6.2 OWASP, an international organization focused on improving the security of software, produces a list called “OWASP Top 10 Most Critical Web Application Security Risks” for web applications. Which item is the primary concern on the list?

A. XSS
B. Injection Flaws
C. Insufficient Logging and Monitoring
D. Broken Authentication and Session Management

A

B
B. I know you’re thinking there is no way something this specific and picky will be on the exam, but I promise you will see something like this on your exam (not verbatim, of course, but you get my drift). The most current version (as of this writing) of OWASP’s Top 10 Most Critical Web Application Security Risks can be found on the OWASP site (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), and ECC loves it. If nothing else, memorize the top five items on the list:
-A1 – Injection Flaws: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. (Position on previous/last year’s list: #1.)
-A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. (Position on previous/last year’s list: #2.)
-A3 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. (Position on previous/last year’s list: #6.)
-A4 – XML External Entities (XXE): A new addition for the 2017 list. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations. By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
-A5 – Broken Access Control: A new addition for the 2017 list. Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks. Access control weaknesses are common due to the lack of automated detection and the lack of effective functional testing by application developers. Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs. PUT and so on), controller, direct object references, and so on.

A is incorrect because XSS is currently number 7 on the list.

C is incorrect because Insufficient Logging and Monitoring comes in at number 10.

D is incorrect because Broken Authentication and Session Management is number 2 on the list.

3
Q

PE6.3
A web application developer wants to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?

A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing

A

PE 6.3
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers. Per OWASP (https://www.owasp.org/index.php/Fuzzing), “Fuzz testing or fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” In other words, fuzzing sends tons of weird inputs into fields to see what the application will do. As an aside, you would find fuzzing in the Verification phase of Microsoft’s Security Development Lifecycle (SDL). The entire SDL consists of training, requirements, design, implementation, verification, release, and response.

A, B, and C are incorrect because none of these are legitimate terms as far as testing is concerned. Insploit and Metasplation are not real terms. Finglonger isn’t either, but it did make an appearance in a fantastic episode of Futurama.

4
Q

PE6.4
Which of the following uses HTML entities properly to represent <script>?

A. &lt;script&gt;
B. &#40;script&#41;
C. &amp;script&amp;
D. &quot;script&quot;

A

PE 6.4
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than sign (<) and the greater-than sign (>) surround the word script. Respectively, the appropriate HTML entities are &lt; and &gt; (the lt and gt should give this away).

B is incorrect because &#40; and &#41; stand for the open and close parentheses, respectively. For example, &#40;hello&#41; would read (hello) using HTML entities.

C is incorrect because &amp; stands for the ampersand character (&).

D is incorrect because &quot; stands for the quote character (").

5
Q

PE6.5
An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?

A. CSPP
B. XSS
C. CSRF
D. Hidden form field

A

PE 6.5
C. There are few truisms in life, but here’s one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what’s being described here—an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser. Usually this involves phishing, or maybe an advertisement, but the principle is always the same. CSRF attacks can be prevented by configuring random challenge tokens, which allow the server to verify user requests. As an aside, a similar attack is known as session fixation. The attacker logs in to a legitimate site, pulls a session ID, and then sends an e-mail with a link containing the fixed session ID. When the user clicks it and logs in to the same legitimate site, the hacker then logs in and runs with the user’s credentials.

A is incorrect because this does not describe a CSPP attack. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.

B is incorrect because this does not describe a cross-site scripting attack. An XSS attack attempts to interject a script into input fields.

D is incorrect because a hidden form field attack occurs when an attacker manipulates the values of a hidden form field and resubmits to the server.

6
Q

PE6.6
Which of the following is used by SOAP services to format information?

A. Unicode
B. HTML entities
C. NTFS
D. XML

A

PE 6.6
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems. In other words, it’s a way for a program running in one kind of operating system (let’s say Windows Server 2008) to communicate with a program on another (such as Linux). It uses HTTP and XML to exchange information and specifies how to encode HTTP headers and XML files so that applications can talk to each other. One great advantage to this is also a great detriment, security-wise: because HTTP is generally allowed through most firewalls, applications using SOAP can generally communicate at will throughout networks. SOAP injection attacks allow you to inject malicious query strings (much like SQL injection, as a matter of fact) that might give you the means to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP and SMTP, and messages are typically one-way in nature.

A is incorrect because Unicode is not used by SOAP in this manner. It’s a standard for representing text in computing.

B is incorrect because HTML entities are not used by SOAP in this manner. They’re used to represent characters in HTML code.

C is incorrect because NTFS is a file system and has nothing to do with SOAP.

7
Q

PE6.7 A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?

A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing

A

A
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The basics of this attack revolve around website design (or web application design on that site), dynamic content, and unvalidated input data. Usually when a web form pops up, the user inputs something, and then some script dynamically changes the appearance or behavior of the website based on what has been entered. XSS occurs when the bad guys take advantage of that scripting (Java, for instance) and have it perform something other than the intended response. For example, suppose instead of entering what you’re supposed to enter in a form field, you enter an actual script. The server then does what it’s supposed to—it processes the code sent from an authorized user. The best defense against this is proper design and good input validation before the app ever sees production in the first place.

B is incorrect because the fix action being suggested would not necessarily affect CSRF attacks. In CSRF, an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser.

C is incorrect because the fix action being suggested would not necessarily affect CSPP attacks. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.

D is incorrect because the fix action being recommended would not necessarily affect any social engineering effort.

8
Q

PE6.8 Which of the following is a common SOA vulnerability?

A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation

A

C
C. Service-oriented architecture (SOA) is a software design idea that is based on specific pieces of software providing functionality as services between applications. The idea is to define how two applications can interact so that one can perform a piece of work for the other (better said, on behalf of the other). Each interaction is independent of any other and is self-contained. SOA programmers make extensive use of XML to carry all this out, and that leaves the application vulnerable to crafty XML tampering. If an attacker can somehow pass an XML message with a large payload, or any of a number of other bad content, they can perform an XML denial-of-service attack on an SOA application. This isn’t to imply it’s the only type of DoS available or that SOA is uniquely vulnerable (for instance, the only thing a specifically crafted XML attack can affect). It’s just a question, so don’t read too much into it.

A, B, and D are incorrect because these attacks don’t necessarily apply with SOA in this context.

9
Q

PE6.9 The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?

A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation

A

B
B. A buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application). By inputting more data than the buffer is allocated to hold, you may be able to crash the application or machine or alter the application’s data pointers. gets() is a common source of buffer overflow vulnerabilities because it reads a line from standard input into a buffer until a terminating EOF is found. It performs no check for buffer overrun and is largely replaced by fgets().

A is incorrect because SQL injection has nothing to do with this scenario. No evidence is presented that this software even interacts with a database.

C is incorrect because parameter tampering deals with manipulating a URL.

D is incorrect because cookie manipulation has nothing to do with this software. A cookie is a small file used to provide a more consistent web experience for a web visitor. Because it holds various information, though, it can be manipulated for nefarious purposes (using the Firefox add-on Cookie Editor, for instance).

10
Q

PE6.10 Which of the following would be the best choice in the prevention of XSS?

A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields

A

C. In addition to input validation controls (always good for bunches of vulnerability mitigations), setting the HttpOnly flag in cookies can be used in mitigation against some XSS attacks. Cross-site scripting occurs when an attacker interjects code into a web page form field that does not have appropriate input validation configured. The HttpOnly cookie flag can stop any injected code from being accessible by a client-side script. Per OWASP, if the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. As a result, even if a cross-site scripting flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

A is incorrect because challenge tokens are used in mitigation of CSRF.

B is incorrect because memory use control configurations wouldn’t necessarily affect XSS vulnerabilities at all.

D is incorrect because removing hidden form fields would not necessarily do anything to mitigate XSS.

11
Q

PE6.11 You are examining log files and come across this URL:

http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64

Which of the following best describes this potential attack?

A.This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C.This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.

A

B
B. Unicode is just another way to represent text, so why not use it to try to get past an IDS? Of course, in the real world every IDS would probably be looking for weird Unicode requests anyway (it isn’t ciphered or encrypted and really does nothing more than provide a cursory obfuscation), but let’s just stick with EC-Council and the CEH exam here for now. This request appears to be attempting a grab of some passwords:

%2e%2e%2e%2e%2e%2f%2e%2f = ../../../
%65%74%63 = etc
%2f = /
%70%61%73%73%77%64  = passwd

A, C, and D are all incorrect because this URL does not necessarily indicate any of these attacks and is quite clearly a Unicode attempt.

12
Q

PE6.12 Which MSFconsole command allows you to connect to a host from within the console?

A. pivot
B. connect
C. get
D. route

A

B
B. Questions on Metasploit can be very generalized or—like this question—pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit. As put by Offensive Security, it provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF, and is the only supported way to access most of the features within Metasploit. Commands used in the interface are listed and discussed pretty well on Offensive Security’s site (https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/). The connect command acts like a miniature netcat clone, supporting SSL, proxies, pivoting, and file sends. By issuing the connect command with an IP address and port number, you can connect to a remote host from within MSFconsole the same as you would with netcat or telnet. In addition to MSFconsole, you should also know that the Metasploit architecture holds five modules: Exploits, Payloads, Encoders, NOPS, and Auxiliary. Exploits is the basic module, used to encapsulate (and configure behaviors for) an exploit. Payloads establishes a communication channel between Metasploit and the target. Auxiliary is used to run things like port scanning and fuzzing.

A is incorrect because there is no pivot command in MSFconsole. Pivoting does refer to connecting to other machines from a compromised system, but is not accomplished with a pivot command.

C is incorrect because the get command gets the value of a context-specific variable.

D is incorrect because the route command is used to route traffic through a session (and is generally seen, question-wise, in regard to pivoting).

13
Q

PE6.13 Which character is your best option in testing for SQL injection vulnerability?

A. The @ symbol
B. A double dash
C. The + sign
D. A single quote

A

D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command. When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:

SELECT OrderID, FirstName, Lastname FROM Orders

In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything after it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with the submitted characters. If the web page is configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.

A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you’ll need to define the variable, of course). The + sign is used to combine strings (as in Matt + Walker). A double dash indicates an upcoming comment in the line.

14
Q

PE6.14 An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?

A. SELECT * FROM Orders_Pend WHERE Location_City = Orlando'; DROP TABLE Orders_Pend --

B. SELECT * FROM Orders_Pend WHERE 'Orlando'; DROP_TABLE --

C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --

D. WHERE Location_City = Orlando '1 = 1': DROP_TABLE --

A

A. SQL queries usually read pretty straightforward, although they can get complicated rather quickly. In this case, you’re telling the database, “Can you check the table Orders_Pend and see whether there’s a city called Orlando? Oh, by the way, since you’re executing any command I send anyway, just go ahead and drop the table called Orders_Pend while you’re at it.” The only thing missing from SQL queries is a thank-you at the end. As an aside, you can easily restrict which SQL verbs any user can make use of (through DDL and DML statements), and you should. Allowing all users to drop tables and the like is akin to making your standard user a domain administrator; it’s a rather dumb idea!

B, C, and D are incorrect because they do not have proper syntax.

15
Q

PE6.15 Efforts to gain information from a target website have produced the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e08'
[Microsoft][ODBC SQL Server Driver]

Which of the following best describes the error message?

A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.

A

C. Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error, telling us there’s an underlying SQL database to contend with and it’s most likely not configured correctly (or we wouldn’t be getting an error message like this—through a web interface and telling us exactly what’s there—in the first place).

A, B, and D are all incorrect for the same reason: the error message simply doesn’t provide enough information to make these leaps. There is nothing here indicating cross-site scripting or buffer overflow on either side of the ledger. Although it’s true the error may indicate which kinds of malware may increase your odds of success, there’s nothing there to indicate, by itself, that the site is vulnerable.

16
Q

PE6.16 An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window: Which of the following attacks is most likely being attempted?

A. SQL injection
B. LDAP injection
C. URL tampering
D. DHCP amplification

A

B. LDAP injection works a lot like SQL injection—you enter code that is passed by the application to something behind it for processing. With LDAP injection, if the input is not validated, you can enter direct LDAP queries into the form and watch for results. In this case, the attacker logs in without any password.

The actual LDAP query from a legitimate login would have appeared like this: (&(user=user1)(password=meh)). The addition of the )(&) characters turns the expression to (&(user=user1)(&))(password=meh)), which processes only the username portion of the query. And since that’s always true, the attacker is in. LDAP injection questions may also center on the Boolean operators used in syntax.

The operators to remember are summarized in the following table:

A is incorrect because this does not indicate a SQL injection attack. SQL injection attempts make use of the open quote and SQL statements—for example, test'); DROP TABLE Users; --.

C is incorrect because this does not show a URL tampering attack.

D is incorrect because this does not show a DHCP amplification attack.

17
Q

PE6.17 Which of the following is a standard method for web servers to pass a user’s request to an application and receive data back to forward to the user?

A. SSI
B. SSL
C. CGI
D. CSI

A

C. Common Gateway Interface (CGI) is a standardized method for transferring information between a web server and an executable (a CGI script is designed to perform some task with the data). CGI is considered a server-side solution because processing is done on the web server and not the client. Because CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and because they are almost always wrapped so that a script will execute as the owner of the script, they can be extremely dangerous if not carefully checked. Additionally, all CGI scripts on the server will run as the same user, so they have the potential to conflict (accidentally or deliberately) with other scripts (an attacker could, for example, write a CGI script to destroy all other attached databases).

A is incorrect because server-side includes (SSIs) are directives placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program or other dynamic technology.

B and D are incorrect because both are included as distractors. By now you’re certainly familiar with Secure Sockets Layer (SSL) and its value as an encryption method. CSI? Well, that’s just good television. Or it used to be, anyway.

18
Q

PE6.18 An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?

A. Blind SQL injection
B. SQL denial of service
C. SQL code manipulation
D. SQL replay

A

A. Blind SQL injection is really kinda neat, even if you’re not a nerd. Sometimes a security admin does just enough to frustrate efforts, and you don’t receive the error messages or returned information you originally counted on. So, to pull out the info you want, you start asking it (the SQL database) a lot of true or false questions. For example, you could ask the database, “True or false—you have a table called USERS?” If you get a TRUE, then you know the table name and can start asking questions about it. For example, “Hey, database, got an entry in your USERS table named admin?” (SELECT * from USERS where name='admin' and 1=1; #';). Blind SQL injection is a long, laborious effort, but it can be done.

B, C, and D are all incorrect because, so far as I know, none of them is a recognized attack by EC-Council. I’m sure you can find ways to perform a DoS on a SQL database, and we’re manipulating SQL all over the place in these injection attacks, but these terms just aren’t recognized on your exam and are here solely as distractors.

19
Q
PE6.19 A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?

A. ;
B. :
C. '
D. "
E. --
D. ~

no “F”– perhaps the D.~ was supposed to be F.~

A

A. CSPP (connection string parameter pollution attack) is another form of injection attack. In many web applications, communications with back-end databases make use of the semicolon to separate parameter requests. Much as with URL tampering, in CSPP you just change the communication string and see what happens: add a semicolon, type in your request, and watch to see if it was successful.

B, C, D, E, and F are incorrect because these characters do not correspond to a CSPP attack. The single quote is most often tied to a SQL injection attempt. The other characters may show up in scripts, strings, and whatnot, but don’t let them fool you—they’re simply distractors.

20
Q

PE6.20 An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?

A. Shell injection
B. File injection
C. SQL injection
D. URL injection

A

A. When it comes to web application attacks, there are many vectors and avenues to take. One of the more common is injecting something into an input string to exploit poor code. EC-Council defines these attacks in many ways. Also known as command injection, shell injection is defined as an attempt to gain shell access using Java or other functions. In short, the attacker passes commands through a form input (or other avenue) in order to elevate privileges and open a shell for further malicious actions. It occurs when commands are entered into form fields instead of the expected entry.

B is incorrect because EC-Council defines a file injection attack as one where the attacker injects a pointer in the web form input to an exploit hosted on a remote site. Sure, this may accomplish the same thing, but it's not the best choice in this case.

C is incorrect because SQL injection attacks involve using SQL queries and commands to elicit a response or action.

D is incorrect because URL injection is not an attack type and is included here as a distractor.
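What "commands entered into form fields" looks like in code, as an added example that is not from the book: the same lookup built three ways. The payload is constructed, and the command is a harmless echo so the demo runs on anything with /bin/sh.

```python
import re
import subprocess

# Added example (not from the book): a "lookup" feature that runs a command
# with a user-supplied hostname. PAYLOAD is constructed attacker input.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_vulnerable(host):
    """Vulnerable: the string goes to /bin/sh, so ';', '|', '$(...)' are live."""
    return subprocess.run("echo lookup " + host, shell=True,
                          capture_output=True, text=True).stdout


def lookup_no_shell(host):
    """Argument list, no shell: the input is one argv element, metacharacters are inert."""
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


def is_valid_hostname(host):
    """Allow-list check: only characters that can appear in a hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def lookup_hardened(host):
    """Validate the input *and* avoid the shell; reject anything that is not a hostname."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return lookup_no_shell(host)


PAYLOAD = "x; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print(lookup_vulnerable(PAYLOAD), end="")   # "lookup x" then "INJECTED": the second command ran
    print(lookup_no_shell(PAYLOAD), end="")     # one line with the payload printed verbatim
    try:
        lookup_hardened(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The second function alone already defeats the payload, because nothing interprets the semicolon; the third adds the allow-list so that a later refactor back to a shell string (or a command that parses its own arguments) has less to work with.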

21
Q

PE6.21. An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie's contents. How is this possible?

A. A cookie can be replayed at any time, no matter the circumstances.
B. Encryption was accomplished at the Application layer, using a single key.
C. Authentication was accomplished using XML.
D. Encryption was accomplished at the Network layer.

A

B. Cookies can be used for many things. If you can grab a user's cookies, you can see what sites they visited and sometimes even how long they were there. Cookies can also hold passwords, and because most people reuse the same password on multiple sites, this can be a gold mine for an attacker. In this scenario, the cookie is being replayed by an attacker to gain access. If a single key is used for encryption, a replay attack is possible, because cookie authentication is carried out at the Application layer. It is for this reason some organizations require browsers to automatically delete cookies on termination.

A is incorrect because a replay attack of anything (a cookie, a stolen authentication stream, and so on) can't necessarily be carried out at any time. Replay attacks require planning and proper setup.

C is incorrect because XML has nothing to do with this.

D is incorrect because encryption is not carried out at the Network layer in this case.
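The defensive side of this question, as an added example that is not from the book: a server that acts on the cookie's contents directly, next to one that only honours a cookie while it still has a live session for it. The key and the user names are constructed for the demo; timestamps are passed in explicitly so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets

# Added example (not from the book). SECRET_KEY is a constructed demo value;
# a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def validate_naive(cookie):
    """Acts on the cookie's contents: whoever presents it is whoever it names.

    A stolen copy replays forever; there is nothing on the server to revoke.
    """
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "user":
            return value
    return None


class SessionStore:
    """Signed, expiring cookie plus a server-side registry of live sessions."""

    def __init__(self, key):
        self.key = key
        self.active = {}   # session id -> user

    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, now, ttl=3600):
        sid = secrets.token_hex(16)
        self.active[sid] = user
        payload = f"{sid}:{user}:{now + ttl}"
        return f"{payload}:{self._mac(payload)}"

    def validate(self, cookie, now):
        try:
            sid, user, exp, mac = cookie.split(":")
        except ValueError:
            return None
        payload = f"{sid}:{user}:{exp}"
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None                      # forged or tampered
        if int(exp) <= now:
            return None                      # expired
        if self.active.get(sid) != user:
            return None                      # logged out or never issued: replay stops here
        return user

    def logout(self, cookie):
        self.active.pop(cookie.split(":")[0], None)


if __name__ == "__main__":
    store = SessionStore(SECRET_KEY)
    stolen = store.issue("alice", now=1_000_000)
    print(store.validate(stolen, now=1_000_100))   # alice: session still live
    store.logout(stolen)
    print(store.validate(stolen, now=1_000_200))   # None: replay after logout fails
    print(validate_naive("user=alice; theme=dark"))  # alice, no matter what
```

The signature stops tampering with the user field, the expiry bounds how long a stolen cookie is useful, and the server-side registry is what makes "invalid session on the server" actually mean something: once the session is gone, the cookie is just bytes.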

22
Q

PE6.22. HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?

A. HEAD
B. PUT
C. GET
D. POST

A

C. An HTTP GET is a method for returning data from a form that "encodes" the form data onto the end of the URI (a character string that identifies a resource on the Web, such as a page of text, a video clip, an image, or an application). For example, if you were to enter a credit card number in a form using GET, the resulting URL might look something like https://somesite.com/creditcard.asp?cc=4013229567852219, where the long number is obviously a credit card number just sitting there waiting for anyone to use. Generally speaking, a POST is "more secure" than a GET, although they both have their uses. If you're wondering when a GET should be used as opposed to a POST, the answer has to do with a vocabulary lesson: the term idempotent. Thrown about with HTTP GET, idempotent is a mathematical property of an operation: if running it several times produces the same result as running it once, it's idempotent. Therefore, if the request is assured of having no lasting effect on the state of the application, using a GET is perfectly reasonable. Also, a GET can usually transfer only up to about 8KB, whereas a POST can usually handle up to 2GB.

However, keep in mind it may wind up including sensitive information in that URI. Suppose your form returns a credit card number and a bad guy is logging URIs: if HTTP GET is in place, the attacker may be able to derive the information. In short, users can manipulate both GET and POST, but GET is simply more visible because it relies on something the browser renders to the screen in an editable field (the address bar). A POST is meant for pushing data directly, and a GET is used when the server is expected to pull something from the data submitted in the URL.

A is incorrect because, although HEAD and GET are similar, HEAD is not used in forms. It's usually used to pull header information from a web server (for example, banner grabbing) and to test links.

B is incorrect because HTTP PUT is not used in forms. It's used to transfer files to a web server.

D is incorrect because POST does not include the form data in the URI request. According to the World Wide Web Consortium (www.w3.org), the HTML specifications define the difference between GET and POST: GET means the form data will be encoded by the browser into a URL, whereas POST means the form data is to appear within the message body. In short, a GET can be used for basic, simple retrieval of data, and a POST should be used for most everything else (such as sending an e-mail, updating data in a database, or ordering an item).
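What the two methods actually put on the wire, and why the GET ends up in a log, as an added example that is not from the book. The host, path and field names are constructed, and the "log" is the request line only, as a common-log-format access log would record it (an assumption for the demo; proxies and browser histories keep the same line).

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example (not from the book): the raw request a browser sends for an
# HTML form under each method, and what survives into a request-line log.


def build_form_request(method, host, path, fields):
    """Return the raw HTTP/1.1 request a browser would send for an HTML form."""
    encoded = urlencode(fields)
    if method == "GET":
        # Form data is appended to the URI; the request has no body.
        return f"GET {path}?{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    if method == "POST":
        # Form data travels in the message body, after the blank line.
        return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(encoded)}\r\n\r\n{encoded}")
    raise ValueError("HTML forms support only GET and POST")


def access_log_line(request):
    """A common-log-style server log keeps the request line only (assumption)."""
    return request.split("\r\n", 1)[0]


def sensitive_fields_in_log(log_line, sensitive=("cc", "password", "ssn")):
    """Names of sensitive form fields that ended up in the logged request line."""
    target = log_line.split(" ")[1]
    query = parse_qs(urlsplit(target).query)
    return sorted(name for name in query if name in sensitive)


FIELDS = {"name": "Jane Doe", "cc": "4013229567852219"}   # constructed input

if __name__ == "__main__":
    for method in ("GET", "POST"):
        req = build_form_request(method, "somesite.com", "/creditcard.asp", FIELDS)
        line = access_log_line(req)
        print(line, "->", sensitive_fields_in_log(line))
```

Switching the form to POST moves the card number out of the request line, but it is still plaintext inside the request; only TLS protects it on the wire, and the application must still avoid logging request bodies.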

23
Q

PE6.23. An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=1

The web page loads normally. He then enters the following URL:

http://www.anybiz.com/store.php?id=2 and 1=2

A generic page noting "An error has occurred" appears. Which of the following is a correct statement concerning these actions?

A. The site is vulnerable to cross-site scripting.
B. The site is vulnerable to blind SQL injection.
C. The site is vulnerable to buffer overflows.
D. The site is not vulnerable to SQL injection.

A

B. The URLs shown here are attempting to pass a SQL condition through to the database to see what may be going on in the background. Notice the first URL entered added "and 1=1". Because this is a true condition, the page loaded without problem. Changing it to a false condition ("and 1=2") meant the query matched nothing, and the application responded with its generic error page. This is considered "blind" SQL injection because the actual error was not returned to the attacker (instead, he got a generic page, most likely a custom error page configured by the administrator). As an aside, sometimes the attacker won't receive an error message or error page at all, but the site will be displayed differently (images out of place, text missing, and so on), which also indicates blind SQL injection may be in order.

A and C are incorrect because neither this attack nor the results have anything to do with cross-site scripting or buffer overflows.

D is incorrect because the results indicate SQL injection is possible. Granted, it will take longer, because the attacker can't see error messages, and it will require lots of guesswork and trial and error, but the site is susceptible.
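The true/false oracle turned into an extraction loop, as an added example that is not from the book: a store.php stand-in that concatenates id into its query, the generic error page from the question, and the boolean-based guessing that pulls a value out one character per request. The database, table and column names are constructed for the demo (in-memory SQLite), and the hardened version shows the oracle disappearing once the parameter is bound.

```python
import sqlite3

# Added example (not from the book): boolean-based blind SQL injection against
# a constructed in-memory database. Table/column names are assumptions.

ERROR_PAGE = "An error has occurred"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE store (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE config (k TEXT, v TEXT)")
    con.executemany("INSERT INTO store VALUES (?, ?)",
                    [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")])
    con.execute("INSERT INTO config VALUES ('admin_pw', 's3cret')")
    return con


def store_page_vulnerable(con, id_param):
    """store.php as written: the id parameter is concatenated into the query."""
    try:
        row = con.execute("SELECT name FROM store WHERE id = " + id_param).fetchone()
    except sqlite3.Error:
        return ERROR_PAGE          # real error swallowed, generic page shown
    return f"<h1>{row[0]}</h1>" if row else ERROR_PAGE


def store_page_fixed(con, id_param):
    """store.php hardened: the id is validated and bound as a parameter."""
    if not id_param.isdigit():
        return ERROR_PAGE
    row = con.execute("SELECT name FROM store WHERE id = ?", (int(id_param),)).fetchone()
    return f"<h1>{row[0]}</h1>" if row else ERROR_PAGE


def oracle(page, con, condition):
    """True if 'id=2 and <condition>' renders normally, False if it hits the error page."""
    return page(con, "2 and " + condition) != ERROR_PAGE


def extract_secret(page, con, max_len=16):
    """Boolean-based blind extraction: one request per (position, candidate) pair."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = f"substr((SELECT v FROM config WHERE k='admin_pw'),{pos},1)='{ch}'"
            if oracle(page, con, cond):
                secret += ch
                break
        else:
            break   # no candidate matched: end of the string
    return secret


if __name__ == "__main__":
    con = make_db()
    print(oracle(store_page_vulnerable, con, "1=1"), oracle(store_page_vulnerable, con, "1=2"))
    print(extract_secret(store_page_vulnerable, con))
    print(oracle(store_page_fixed, con, "1=1"), oracle(store_page_fixed, con, "1=2"))
```

Against the vulnerable page the two probes from the question return True and False, and the loop recovers the whole value without ever seeing a database error. Against the fixed page both probes return False, because "2 and 1=1" is no longer an integer and never reaches the database: there is no difference in behaviour left to measure.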

24
Q

PE6.24 Which of the following statements is not true regarding WebGoat?

A. WebGoat is maintained and made available by OWASP.
B. WebGoat can be installed on Windows systems only.
C. WebGoat is based on a black-box testing mentality.
D. WebGoat can use Java or .NET.

A

B. WebGoat, now in version 7 (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project), is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. It’s designed to teach from a black-box mentality (that is, learners aren’t provided with all information up front and must discover what they need to know to figure out each…

25
Q

PE6.25 An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:

Nice post and a fun read
onload=window.location=’http://www.badsite.com’

What is the attacker attempting to perform?

A. A SQL injection attack against the blog's underlying database
B. A cross-site scripting attack
C. A buffer overflow DoS attack
D. A file injection DoS attack

A

B. This is a classic (albeit overly simplified) example of cross-site scripting. In a blog, the comment field is intended to take text from a visitor and copy it to a database in the background. What's being attempted here is to have more than just text stored: the giveaway is the added pointer to a malicious website. If it works, the next visitor who opens that news story will be redirected to the bad site.

A, C, and D are all incorrect because this example contains nothing…
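The stored side of that attack in code, as an added example that is not from the book: the comment rendered straight into the page next to the same comment with output encoding applied. The payload is a constructed variant of the one in the question, wrapped in an img tag so that the event handler actually fires in a browser; the detector is a rough check written here for the demo.

```python
import html
import re

# Added example (not from the book): rendering a blog comment with and
# without output encoding. PAYLOAD is constructed attacker input.

PAYLOAD = ('Nice post and a fun read '
           '<img src=x onerror="window.location=\'http://www.badsite.com\'">')

# Any tag carrying an on* attribute: a crude but useful smoke test for the demo.
EVENT_HANDLER = re.compile(r"<[^>]+\son[a-z]+\s*=", re.IGNORECASE)


def render_comment_vulnerable(comment):
    """Stored XSS: the comment is interpolated into the page as markup."""
    return f'<div class="comment">{comment}</div>'


def render_comment_hardened(comment):
    """Output encoding: <, >, &, ' and " become entities, so the text stays text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def has_active_content(page):
    """True if the rendered page contains a tag with an on* event handler."""
    return EVENT_HANDLER.search(page) is not None


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_hardened(PAYLOAD))
```

Escaping at output time is the fix because it matches the context the data is written into; stripping "bad" strings on input is the approach attackers routinely get around.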

26
Q

PE6.26 Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?

A. SSH brute force
B. CSRF
C. Form field entry manipulation
D. Through web servers utilizing CGI (Common Gateway Interface)

A

D. I would bet very large sums of cash you will see Shellshock on your exam, maybe even a couple of times. Shellshock (also known as Bashdoor, CVE-2014-6271) exploits the way the bash shell imported function definitions from environment variables. Basically, someone poking at bash in 2014 discovered that arbitrary commands appended after a function definition in an environment variable were executed as soon as bash processed that variable. If an attacker input something like:

env val='() { :;}; echo BADCOMMAND' bash -c "echo REALCOMMAND"

on a vulnerable system, BADCOMMAND would be executed (printed, in this harmless test) before the real command; a patched bash prints REALCOMMAND only.

Per Symantec (www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability), "The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked on to it." Other avenues for Shellshock exploitation include the following:
• OpenSSH: The "force command" function (where a fixed command is run when a user logs on, even if the user requested a different command) can be exploited in Shellshock.
• DHCP: Some DHCP clients have the capability of passing commands to the bash shell, for example, during connection to a Wi-Fi network. This can be exploited in Shellshock.…
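The CGI route from the detection side, as an added example that is not from the book: the request headers a CGI server exports into the environment, and a check for the function-definition signature that Shellshock probes carry. The header values are constructed; the HTTP_ naming of CGI variables is the standard CGI convention.

```python
import re

# Added example (not from the book): spotting Shellshock probes in request
# headers. REQUEST is a constructed set of headers.

# A bash function export begins with "() {" (whitespace may vary); the
# vulnerable bash kept parsing past the closing brace and ran what followed.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_probe(value):
    """True if a header value looks like an exported bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def suspicious_headers(headers):
    """Return the names of headers whose values carry the Shellshock pattern."""
    return [name for name, value in headers.items() if is_shellshock_probe(value)]


def cgi_env(headers):
    """How a CGI server exports request headers: HTTP_ + upper-case name, '-' -> '_'.

    This mapping is why a User-Agent header reaches bash as an environment
    variable in the first place.
    """
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


REQUEST = {   # constructed headers: two probes and two benign values
    "Host": "www.anybiz.com",
    "User-Agent": "() { :; }; /bin/bash -c 'cat /etc/passwd'",
    "Referer": "() { ignored; }; echo Content-Type: text/plain; echo; id",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print(suspicious_headers(REQUEST))
    for name, value in cgi_env(REQUEST).items():
        print(f"{name}={value!r}")
```

Any header the client controls can be the carrier, which is why the check runs over all of them rather than User-Agent alone; the Referer payload also shows the trick attackers used to get output back through the web server (emit a Content-Type line and a blank line first, so the response parses as a valid CGI reply).
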
27
Q

PE6.27 You are examining website files and find the following text file:

# robots.txt for http://www.anybiz.com
User-agent: Googlebot
Disallow: /tmp/
User-agent: *
Disallow: /
Disallow: /private.php
Disallow: /listing.html

Which of the following is a true statement concerning this file?

A. All web crawlers are prevented from indexing the listing.html page.
B. All web crawlers are prevented from indexing all pages on the site.
C. The Googlebot crawler is allowed to index pages starting with /tmp/.
D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.

A

D. The robots.txt file was created to allow web designers to control index access to their sites. There are a couple of things you need to know about this file, for your exam and for the real world. The first is, no matter what the robots.txt file says, attackers using a crawler to index your site are going to ignore it anyway: it's honoured only by "good-guy" crawlers. After that, the rest is easy: robots.txt is stored in the web root, is available to anyone (by design), and is read in order from top to bottom, much like an ACL on a router. The format is simple: define the crawler (User-agent: name_of_crawler) and then define what it does not have access to. Most robots.txt files use the * wildcard to signify all crawlers, but you can certainly get specific about who is allowed in and what they can see.

In this example, from top to bottom, the Googlebot crawler is defined and restricted from seeing /tmp/ pages; no other restrictions are listed for it. After that, all other crawlers (User-agent: *) are restricted from seeing any page (Disallow: /). The last two lines are redundant, because Disallow: / already covers every page on the site.
For additional information here, if you think about what a robots.txt file does, you could consider it a pointer to pages you, as an attacker, really want to see. After all, if the security person on…
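The two readings of the file side by side, as an added example that is not from the book: a small evaluator that applies the group and prefix rules the answer describes (the well-behaved crawler's view), and the attacker's view, which is simply the list of paths the owner did not want indexed. The file is the one from the question; the paths tested are constructed. Group selection, prefix matching and longest-match precedence follow RFC 9309; crawler names are compared as whole tokens here, a simplification.

```python
# Added example (not from the book): a minimal robots.txt evaluator following
# RFC 9309 semantics, run over the file from the question.

ROBOTS_TXT = """\
# robots.txt for http://www.anybiz.com
User-agent: Googlebot
Disallow: /tmp/
User-agent: *
Disallow: /
Disallow: /private.php
Disallow: /listing.html
"""


def parse_robots(text):
    """Return {user-agent (lower-case): [(directive, path), ...]}.

    Consecutive User-agent lines share one group; a User-agent line after
    any rule line starts a new group.
    """
    groups = {}
    rules, in_ua_run = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_ua_run:
                rules = []
            groups[value.lower()] = rules
            in_ua_run = True
        elif field in ("allow", "disallow"):
            rules.append((field, value))
            in_ua_run = False
    return groups


def is_allowed(groups, crawler, path):
    """A well-behaved crawler's decision: its own group if present, else '*'.

    The longest matching rule wins; on a tie, Allow beats Disallow.
    """
    rules = groups.get(crawler.lower(), groups.get("*", []))
    best = None   # (match length, directive)
    for directive, prefix in rules:
        if prefix == "" or not path.startswith(prefix):
            continue   # an empty Disallow value means "nothing is disallowed"
        if (best is None or len(prefix) > best[0]
                or (len(prefix) == best[0] and directive == "allow")):
            best = (len(prefix), directive)
    return best is None or best[1] == "allow"


def disallowed_paths(groups, crawler="*"):
    """The attacker's reading: paths the site owner did not want indexed."""
    return [p for d, p in groups.get(crawler.lower(), []) if d == "disallow" and p]


if __name__ == "__main__":
    groups = parse_robots(ROBOTS_TXT)
    for crawler, path in (("Googlebot", "/tmp/cache.html"), ("Googlebot", "/listing.html"),
                          ("Bingbot", "/index.html")):
        print(crawler, path, "allowed" if is_allowed(groups, crawler, path) else "disallowed")
    print("targets:", disallowed_paths(groups))
```

Run it and Googlebot is turned away only from /tmp/, every other crawler is turned away from everything, and the "targets" line is what a tester writes down first: /private.php and /listing.html were interesting enough to someone to be hidden.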