quiz 10 Flashcards

1
Q

OLE DB relies on connection strings that enable the application to access the data stored on an external device.

A

True

2
Q

In Windows, IIS stands for _____

A

Internet Information Services

3
Q

__ is the interface that describes how a Web server passes data to a Web browser.

A

CGI

4
Q

___ represent(s) a comment in SQL.

A

Double hyphens (--)

5
Q

Connecting to a VSAM database with OLE DB requires using ____ as the provider.

A

SNAOLEDB

6
Q

Dynamic Web pages need special components for displaying information that changes depending on user input or information obtained from a back-end server. What kind of components can Web pages use to achieve this?

A

To do this, dynamic Web pages can use the tag, Common Gateway Interface (CGI), Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connector strings, such as Open Database Connector (ODBC).

7
Q

foundation of most Web applications

A

HTML

8
Q

main role is passing data between a Web server and Web browser

A

CGI

9
Q

language developed by Microsoft

A

JScript

10
Q

keeps attackers from knowing the directory structure on an IIS Web server

A

virtual directory

11
Q

a Web server

A

Apache

12
Q

stands for cross-site scripting flaw

A

XSS

13
Q

helps beginning Web application security testers gain a better understanding of the areas covered in the OWASP top ten Web applications vulnerability list

A

WebGoat

14
Q

tool for searching Web sites for CGI scripts that can be exploited

A

Cgi Scanner v1.4

15
Q

GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit

A

Wfetch

16
Q

JavaScript is a server-side scripting language that is embedded in an HTML Web page.

A

False

17
Q

One of the best Web sites to find tools for hacking Web applications is ___

A

http://packetstormsecurity.org

18
Q

Web applications written in CFML can also contain other client-side technologies, such as HTML and JavaScript.

A

True

19
Q

__ is one of the best tools for scanning the Web for systems with CGI vulnerabilities.

A

Cgiscan.c

20
Q

SQL ____ involves the attacker supplying SQL commands when prompted to fill in a Web application field.

A

injection

21
Q

A user can view the source code of a PHP file by using the browser’s “View Source” option.

A

False

22
Q

CGI programs can be written in many different programming and scripting languages, such as C/C++, Perl, UNIX shells, Visual Basic, and FORTRAN.

A

True

23
Q

CFML stands for _______________

A

ColdFusion Markup Language

24
Q

What is OWASP?

A

Much like ISECOM, Open Web Application Security Project (OWASP) is an open, not-for-profit foundation dedicated to finding and fighting the causes of software vulnerabilities. OWASP (www.owasp.org) publishes the Ten Most Critical Web Application Security Vulnerabilities paper that has been built into the Payment Card Industry (PCI) Data Security Standard.

25
Q

Connecting to an MS SQL Server database with OLE DB requires using ____ as the provider.

A

SQLOLEDB

26
Q

__, developed by Microsoft, is a set of interfaces that enable applications to access data stored in a database management system

A

OLE DB

27
Q

What is the main difference between HTML pages and Active Server Pages (ASP)?

A

The main difference between HTML pages and Active Server Pages (ASP) is that with ASP, developers can display HTML documents to users on the fly. That is, when a user requests a Web page, one is created at that time.

28
Q

In a(n) ____ flaw, a Web browser might carry out code sent from a Web site.

A

cross-site scripting

29
Q

ColdFusion uses its own proprietary tags written in ____

A

CFML

30
Q

The column tag in CFML is ____

A
31
Q

Why should security professionals have at least a little knowledge about the Apache Web Server?

A

Apache Web Server is said to run on more than twice as many Web servers as IIS, so some familiarity with this Web server can be helpful in the security-testing profession. Apache has important advantages over the competition: It works in just about any *nix platform as well as in Windows, and it’s free.

32
Q

What is VBScript?

A

Visual Basic Script (VBScript) is a scripting language developed by Microsoft. You can insert VBScript into your HTML Web pages to convert static Web pages into dynamic Web pages. The biggest advantage of using a scripting language is that you have the features of powerful programming languages at your disposal. For those who have programming experience, you can start writing VBScript faster than a dual-processor 3 GHz computer.

33
Q

The JavaScript getElementById() function is a method defined by the ____ Document Object Model (DOM).

A

W3C

34
Q

All CFML tags begin with “___

A

CF

35
Q

What is ActiveX Data Objects (ADO)?

A

ActiveX Data Objects (ADO) is a programming interface for connecting a Web application to a database. ActiveX defines technologies that allow applications, such as Word or Excel, to interact with the Web. For example, you can place an Excel spreadsheet in a Web page.

36
Q

Web servers use the ____ element in an HTML document to allow customers to submit information to the Web server.

A
37
Q

What is ColdFusion?

A

ColdFusion is a server-side scripting language used to develop dynamic Web pages. Created by Allaire Corporation and now owned by Adobe Systems, Inc., ColdFusion integrates Web browser, Web server, and database technologies. It uses its proprietary tags written in ColdFusion Markup Language (CFML), and Web applications written in CFML can contain other client technologies, such as HTML and JavaScript.

38
Q

Visual Basic Script (VBScript) is a scripting language developed by __

A

Microsoft

39
Q

What can an attacker do after gaining control of a Web server?

A

After an attacker gains control of a Web server, he or she could do the following:

  • Deface the Web site
  • Destroy the company’s database or offer to sell its contents
  • Gain control of user accounts
  • Perform secondary attacks from the Web site
  • Gain root access to other application servers that are part of network infrastructure
40
Q

As a security professional, what should you do after identifying that a Web server you are testing is using PHP?

A

After you have identified the Web server as using PHP, you should use the methods you have learned in the book to investigate further for specific vulnerabilities. For example, several versions of PHP running on Linux can be exploited because of a line in the Php.ini file: The line file_uploads=on permits file uploads; however, this setting might allow a remote attacker to run arbitrary code with elevated privileges. The best solution is to upgrade to the latest version of PHP, but if that’s not possible, change the line to file_uploads=off.

41
Q

___ was originally used primarily on UNIX systems, but is used more widely now on many platforms, such as Macintosh and Windows

A

PHP

42
Q

Connecting to a MySQL database with OLE DB requires using ____ as the provider.

A

MySQLProv

43
Q

What is JavaScript?

A

A popular scripting language used to create dynamic HTML Web pages is JavaScript. JavaScript also has the power of a programming language. As with VBScript, you can branch, loop, test, and create functions and procedures within your HTML Web pages.

44
Q

What is ODBC used for?

A

The ODBC interface allows an application to access data stored in a database management system (DBMS), such as Microsoft SQL, Oracle, or any system that can recognize and issue ODBC commands. Interoperability between back-end database management systems is a key feature of the ODBC interface, allowing application developers to focus on the application without worrying about any specific DBMS.

45
Q

__________________ Web pages display the same information regardless of the time of day or the user who activates the page.

A

Static