Practice Exam 6 Flashcards
PE6.1 In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after. Per nmap’s support pages (https://nmap.org/nsedoc/scripts/http-methods.html), this script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.” You can also use additional parameters, such as url-path, to further hone your results. For example, output from the preceding syntax showing PUT as a risky method might look like this:
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-methods
|_ Supported Methods: GET PUT HEAD POST OPTIONS
Quite obviously, there is a lot of information tested in this one question—and many, many ways you might see it on the exam. The HTTP options themselves will show up somewhere, so knowing the difference, for example, between HTTP POST (submits data to be processed, normally allowable) and HTTP PUT (allows a client to upload new files on the web server, which normally shouldn’t be allowed) will become very important to your success. From OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29), the following options are important to know:
• PUT This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (for example, an .asp file that executes commands by invoking cmd.exe) or by simply using the victim’s server as a file repository.
• DELETE This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to mount a DoS attack.
• CONNECT This method could allow a client to use the web server as a proxy.
• TRACE This method simply echoes back to the client whatever string has been sent to the server, and it’s used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as cross-site tracing.
B, C, and D are incorrect because these are not considered “risky” options.
PE6.2 OWASP, an international organization focused on improving the security of software, produces a list called “OWASP Top 10 Most Critical Web Application Security Risks” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection Flaws
C. Insufficient Logging and Monitoring
D. Broken Authentication and Session Management
B
B. I know you’re thinking there is no way something this specific and picky will be on the exam, but I promise you will see something like this on your exam (not verbatim, of course, but you get my drift). The most current version (as of this writing) of OWASP’s Top 10 Most Critical Web Application Security Risks can be found on the OWASP site (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), and ECC loves it. If nothing else, memorize the top five items on the list:
- A1 – Injection Flaws: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. (Position on previous/last year’s list: #1.)
- A2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. (Position on previous/last year’s list: #2.)
- A3 – Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. (Position on previous/last year’s list: #6.)
- A4 – XML External Entities (XXE): A new addition for the 2017 list. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations. By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. These flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks.
- A5 – Broken Access Control: A new addition for the 2017 list. Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks. Access control weaknesses are common due to the lack of automated detection and the lack of effective functional testing by application developers. Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs. PUT and so on), controller, direct object references, and so on.
A is incorrect because XSS is currently number 7 on the list.
C is incorrect because Insufficient Logging and Monitoring comes in at number 10.
D is incorrect because Broken Authentication and Session Management is number 2 on the list.
PE6.3 A web application developer wants to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers. Per OWASP (https://www.owasp.org/index.php/Fuzzing), “Fuzz testing or fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” In other words, fuzzing sends tons of weird inputs into fields to see what the application will do. As an aside, you would find fuzzing in the Verification phase of Microsoft’s Security Development Lifecycle (SDL). The entire SDL consists of training, requirements, design, implementation, verification, release, and response.
A, B, and C are incorrect because none of these are legitimate terms as far as testing is concerned. Insploit and Metasplation are not real terms. Finglonger isn’t either, but it did make an appearance in a fantastic episode of Futurama.
PE6.4 Which of the following uses HTML entities properly to represent <script>?
A. &lt;script&gt;
B. &#40;script&#41;
C. &amp;script&amp;
D. &quot;script&quot;
A
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than sign (<) and greater-than sign (>) surround the word script. Respectively, the appropriate HTML entities are &lt; and &gt; (the lt and gt should give this away).
B is incorrect because &#40; and &#41; stand for the open and close parentheses, respectively. For example, &#40;hello&#41; would read (hello) using HTML entities.
C is incorrect because &amp; stands for the ampersand character (&).
D is incorrect because &quot; stands for the quote character (").
PE6.5 An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
C
C. There are few truisms in life, but here’s one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what’s being described here—an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser. Usually this involves phishing, or maybe an advertisement, but the principle is always the same. CSRF attacks can be prevented by configuring random challenge tokens, which allow the server to verify user requests. As an aside, a similar attack is known as session fixation. The attacker logs in to a legitimate site, pulls a session ID, and then sends an e-mail with a link containing the fixed session ID. When the user clicks it and logs in to the same legitimate site, the hacker then logs in and runs with the user’s credentials.
A is incorrect because this does not describe a CSPP attack. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.
B is incorrect because this does not describe a cross-site scripting attack. An XSS attack attempts to interject a script into input fields.
D is incorrect because a hidden form field attack occurs when an attacker manipulates the values of a hidden form field and resubmits to the server.
PE6.6 Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
D
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems. In other words, it’s a way for a program running in one kind of operating system (let’s say Windows Server 2008) to communicate with a program on another (such as Linux). It uses HTTP and XML to exchange information and specifies how to encode HTTP headers and XML files so that applications can talk to each other. One great advantage to this is also a great detriment, security-wise: because HTTP is generally allowed through most firewalls, applications using SOAP can generally communicate at will throughout networks. SOAP injection attacks allow you to inject malicious query strings (much like SQL injection, as a matter of fact) that might give you the means to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP and SMTP, and messages are typically one-way in nature.
A is incorrect because Unicode is not used by SOAP in this manner. It’s a standard for representing text in computing.
B is incorrect because HTML entities are not used by SOAP in this manner. They’re used to represent characters in HTML code.
C is incorrect because NTFS is a file system and has nothing to do with SOAP.
PE6.7 A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
A
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The basics of this attack revolve around website design (or web application design on that site), dynamic content, and unvalidated input data. Usually when a web form pops up, the user inputs something, and then some script dynamically changes the appearance or behavior of the website based on what has been entered. XSS occurs when the bad guys take advantage of that scripting (Java, for instance) and have it perform something other than the intended response. For example, suppose instead of entering what you’re supposed to enter in a form field, you enter an actual script. The server then does what it’s supposed to—it processes the code sent from an authorized user. The best defense against this is proper design and good input validation before the app ever sees production in the first place.
B is incorrect because the fix action being suggested would not necessarily affect CSRF attacks. In CSRF, an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser.
C is incorrect because the fix action being suggested would not necessarily affect CSPP attacks. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.
D is incorrect because the fix action being recommended would not necessarily affect any social engineering effort.
PE6.8 Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
C
C. Service-oriented architecture (SOA) is a software design idea that is based on specific pieces of software providing functionality as services between applications. The idea is to define how two applications can interact so that one can perform a piece of work for the other (better said, on behalf of the other). Each interaction is independent of any other and is self-contained. SOA programmers make extensive use of XML to carry all this out, and that leaves the application vulnerable to crafty XML tampering. If an attacker can somehow pass an XML message with a large payload, or any of a number of other bad content, they can perform an XML denial-of-service attack on an SOA application. This isn’t to imply it’s the only type of DoS available or that SOA is uniquely vulnerable (for instance, the only thing a specifically crafted XML attack can affect). It’s just a question, so don’t read too much into it.
A, B, and D are incorrect because these attacks don’t necessarily apply with SOA in this context.
PE6.9 The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
B
B. A buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application). By inputting more data than the buffer is allocated to hold, you may be able to crash the application or machine or alter the application’s data pointers. gets() is a common source of buffer overflow vulnerabilities because it reads a line from standard input into a buffer until a terminating EOF is found. It performs no check for buffer overrun and is largely replaced by fgets().
A is incorrect because SQL injection has nothing to do with this scenario. No evidence is presented that this software even interacts with a database.
C is incorrect because parameter tampering deals with manipulating a URL.
D is incorrect because cookie manipulation has nothing to do with this software. A cookie is a small file used to provide a more consistent web experience for a web visitor. Because it holds various information, though, it can be manipulated for nefarious purposes (using the Firefox add-on Cookie Editor, for instance).
PE6.10 Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
C. In addition to input validation controls (always good for bunches of vulnerability mitigations), setting the HttpOnly flag in cookies can be used in mitigation against some XSS attacks. Cross-site scripting occurs when an attacker interjects code into a web page form field that does not have appropriate input validation configured. The HttpOnly cookie flag can stop any injected code from being accessible by a client-side script. Per OWASP, if the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. As a result, even if a cross-site scripting flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
A is incorrect because challenge tokens are used in mitigation of CSRF.
B is incorrect because memory use control configurations wouldn’t necessarily affect XSS vulnerabilities at all.
D is incorrect because removing hidden form fields would not necessarily do anything to mitigate XSS.
PE6.11 You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
B
B. Unicode is just another way to represent text, so why not use it to try to get past an IDS? Of course, in the real world every IDS would probably be looking for weird Unicode requests anyway (it isn’t ciphered or encrypted and really does nothing more than provide a cursory obfuscation), but let’s just stick with EC-Council and the CEH exam here for now. This request appears to be attempting a grab of some passwords:
%2e%2e%2e%2e%2e%2f%2e%2f = ../../../
%65%74%63 = etc
%2f = /
%70%61%73%73%77%64 = passwd
A, C, and D are all incorrect because this URL does not necessarily indicate any of these attacks and is quite clearly a Unicode attempt.
PE6.12 Which MSFconsole command allows you to connect to a host from within the console?
A. pivot
B. connect
C. get
D. route
B
B. Questions on Metasploit can be very generalized or—like this question—pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit. As put by Offensive Security, it provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF, and is the only supported way to access most of the features within Metasploit. Commands used in the interface are listed and discussed pretty well on Offensive Security’s site (https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/). The connect command acts like a miniature netcat clone, supporting SSL, proxies, pivoting, and file sends. By issuing the connect command with an IP address and port number, you can connect to a remote host from within MSFconsole the same as you would with netcat or telnet. In addition to MSFconsole, you should also know that the Metasploit architecture holds five modules: Exploits, Payloads, Encoders, NOPS, and Auxiliary. Exploits is the basic module, used to encapsulate (and configure behaviors for) an exploit. Payloads establishes a communication channel between Metasploit and the target. Auxiliary is used to run things like port scanning and fuzzing.
A is incorrect because there is no pivot command in MSFconsole. Pivoting does refer to connecting to other machines from a compromised system, but is not accomplished with a pivot command.
C is incorrect because the get command gets the value of a context-specific variable.
D is incorrect because the route command is used to route traffic through a session (and is generally seen, question-wise, in regard to pivoting).
PE6.13 Which character is your best option in testing for SQL injection vulnerability?
A. The @ symbol
B. A double dash
C. The + sign
D. A single quote
D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command. When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:
SELECT OrderID, FirstName, Lastname FROM Orders
In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything after it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with the submitted characters. If the web page is configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.
A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you’ll need to define the variable, of course). The + sign is used to combine strings (as in Matt + Walker). A double dash indicates an upcoming comment in the line.
PE6.14 An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?
A. SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando'; DROP TABLE Orders_Pend --
B. SELECT * FROM Orders_Pend WHERE 'Orlando'; DROP_TABLE --
C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --
D. WHERE Location_City = Orlando '1 = 1': DROP_TABLE --
A. SQL queries usually read pretty straightforward, although they can get complicated rather quickly. In this case, you’re telling the database, “Can you check the table Orders_Pend and see whether there’s a city called Orlando? Oh, by the way, since you’re executing any command I send anyway, just go ahead and drop the table called Orders_Pend while you’re at it.” The only thing missing from SQL queries is a thank-you at the end. As an aside, you can easily restrict which SQL verbs any user can make use of (through DDL and DML statements), and you should. Allowing all users to drop tables and the like is akin to making your standard user a domain administrator; it’s a rather dumb idea!
B, C, and D are incorrect because they do not have proper syntax.
PE6.15 Efforts to gain information from a target website have produced the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e08'
[Microsoft] [ODBC SQL Server Driver]
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.
C. Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error, telling us there’s an underlying SQL database to contend with and it’s most likely not configured correctly (or we wouldn’t be getting an error message like this—through a web interface and telling us exactly what’s there—in the first place).
A, B, and D are all incorrect for the same reason: the error message simply doesn’t provide enough information to make these leaps. There is nothing here indicating cross-site scripting or buffer overflow on either side of the ledger. Although it’s true the error may indicate which kinds of malware may increase your odds of success, there’s nothing there to indicate, by itself, that the site is vulnerable.