SDLC Flashcards
What is the order of the Waterfall-Model, SDLC phases?
Planning and Analysis, Software/Systems Design, Implementation, Testing, Integration, Deployment, Maintenance
Which SDLC model uses time-boxing or small increments?
Agile
What is a runtime error?
An error that occurs while the program is executing (for example a division by zero or an out-of-range index): the code compiled, but a particular input or state made it fail.
What is a syntax error?
An error in the form of the code: it violates the grammar of the language, so the compiler or interpreter rejects it before the program ever runs.
What is structured exception handling (SEH)?
It lets the programmer define what the application should do when a runtime error (an exception) occurs, instead of crashing. Syntax errors are caught by the compiler or interpreter and never reach an exception handler.
Is fuzzing conducted during static or dynamic code analysis?
Dynamic
In what other situations can you use fuzzing?
You can also use fuzzing to stress-test network services and protocols by feeding them malformed or random input.
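The two cards above (structured exception handling and fuzzing) fit together in one added example, which is not code from the page: a small mutation fuzzer that wraps each run of a target in a try/except so that the target's runtime errors become findings instead of crashing the harness. The target parser, its two latent bugs, the seed input and the mutation alphabet are all constructed for this example.

```python
import random

# Constructed target for the harness (example code, not from the page): parses
# "key=value;key=value" records. It has two latent runtime errors a fuzzer
# should find: a pair without "=" raises ValueError, and "len=0" raises
# ZeroDivisionError.
def parse_record(data: str) -> dict:
    fields = {}
    for pair in data.split(";"):
        key, value = pair.split("=", 1)          # ValueError if the pair has no "="
        fields[key.strip()] = value.strip()
    # Assumes "len" is a non-zero integer: int() may raise ValueError,
    # // may raise ZeroDivisionError.
    fields["_ratio"] = len(data) // int(fields.get("len", "1"))
    return fields


def run_once(target, data: str):
    """Structured exception handling around one run of the target.

    Returns None when the target succeeds, or the exception class name when it
    raises, instead of letting the error abort the program."""
    try:
        target(data)
    except (ValueError, ZeroDivisionError) as exc:   # expected failure classes
        return type(exc).__name__
    except Exception as exc:                          # anything else is still a finding
        return "unexpected " + type(exc).__name__
    return None


# Characters a mutation may splice in; chosen to hit parser boundaries (constructed).
INTERESTING = "0;= -\x00"

def mutate(seed: str, rng: random.Random) -> str:
    """Apply one random character-level mutation to the (non-empty) seed."""
    s = list(seed)
    op = rng.choice(("flip", "delete", "insert", "dup"))
    if op == "flip":
        s[rng.randrange(len(s))] = rng.choice(INTERESTING)
    elif op == "delete":
        del s[rng.randrange(len(s))]
    elif op == "insert":
        s.insert(rng.randrange(len(s) + 1), rng.choice(INTERESTING))
    else:  # dup: repeat one character
        i = rng.randrange(len(s))
        s.insert(i, s[i])
    return "".join(s)


def fuzz(target, seed: str, iterations: int, rng_seed: int = 1) -> dict:
    """Mutation fuzzer: runs the target on mutated copies of the seed and records
    the first input that triggers each distinct exception class. This is dynamic
    analysis: the code actually executes on each candidate input."""
    rng = random.Random(rng_seed)
    report = {"runs": 0, "ok": 0, "crashes": {}}
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        report["runs"] += 1
        result = run_once(target, candidate)
        if result is None:
            report["ok"] += 1
        else:
            report["crashes"].setdefault(result, candidate)
    return report


if __name__ == "__main__":
    report = fuzz(parse_record, "id=7;len=3", 5000)
    print(f"{report['runs']} runs, {report['ok']} ok")
    for name, sample in report["crashes"].items():
        print(f"{name}: {sample!r}")
```

The point of `run_once` is the handler structure: the expected exception classes are named explicitly, anything else is caught separately so it is reported rather than silently swallowed, and the harness keeps running either way. Without that wrapper the first bad input would stop the whole campaign.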
When you see an exam question involving ../ (dot dot slash), what is the answer most likely to be?
https://www.jennyisaho/../../../etc
Directory traversal
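As an added example (not code from the page), here is the check a file-serving handler needs to make: a naive join lets ../ segments and URL-encoded %2e%2e walk out of the document root, while the safe version decodes once, normalizes, and then refuses anything that no longer sits under the root. The document root /srv/example-site is hypothetical and no files are touched.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (hypothetical; nothing is read from disk).
WEB_ROOT = "/srv/example-site"


def resolve_vulnerable(web_root: str, user_path: str) -> str:
    """Naive join: '../' segments walk out of the document root, and an
    absolute user path replaces the root entirely."""
    return posixpath.normpath(posixpath.join(web_root, unquote(user_path)))


def resolve_safe(web_root: str, user_path: str) -> Optional[str]:
    """Decode once, normalize, then require that the result is still inside
    the root. Returns None for anything that escapes, so the caller can
    answer 403/404 instead of opening the file."""
    decoded = unquote(user_path)
    if "\x00" in decoded:            # NUL bytes truncate paths in some C runtimes
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded))
    try:
        # relative_to works on path components, so "/srv/example-site2/x"
        # is correctly rejected even though it shares a string prefix.
        PurePosixPath(candidate).relative_to(web_root)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("images/logo.png", "../../../etc/passwd",
              "css/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{p!r}: naive={resolve_vulnerable(WEB_ROOT, p)} safe={resolve_safe(WEB_ROOT, p)}")
```

The order matters: decode first, normalize second, check last. Checking for the literal string "../" before decoding misses %2e%2e/, and checking before normalization misses a/../../etc.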
When an attacker is able to execute code or run commands on a victim computer, what is it called?
For example, someone sits down at your unattended work computer and runs a program of their choosing on it.
Arbitrary code execution
What is arbitrary code execution called when it is done remotely, over a network?
Remote code execution (RCE)
This is considered one of the worst classes of exploit in the security world. A vulnerability that allows RCE is typically rated Critical in CVSS.
What helps prevent buffer overflow attacks?
In the code itself, bounds checking on input lengths. At the platform level, address space layout randomization (ASLR), which randomizes where code and data are loaded so an attacker cannot reliably predict the addresses an overflow exploit needs to hit.
What is cross-site scripting (XSS)?
When an attacker injects malicious script into a trusted website so that it runs in other users' browsers.
The victim is the user, not the server.
What are the three types of XSS attacks?
Stored/Persistent
Reflected
DOM-based
What is the stored/persistent attack?
Attempts to get data provided by the attacker saved on the web server (for example in a comment or profile field). Later this malicious code is served to other users.
What is the reflected attack?
Non-persistent: the payload is carried in the request (usually a crafted link) and reflected back in the response, so the victim has to be tricked into clicking the link.
What is the DOM (Document Object Model) based attack?
Attempts to exploit the victim's web browser: client-side script writes attacker-controlled data (for example from the URL fragment) into the page's DOM, so the payload may never reach the server at all.
The DOM is the browser's in-memory representation of the page; it is part of the user's web browser, not the server.
How do you stop XSS?
Output encoding and good input validation
Output encoding is to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser.
Users can also disable scripting in their browser and tighten the security settings for cookie storage.
What is Cross-Site Request Forgery (CSRF/XSRF)?
When the attacker tricks a user's browser into sending a request to a web server on which the user is already authenticated, performing an action the user did not intend.
This exploits the trust the server has in the user's browser (its session cookie). The classic example: the user is logged in to a bank, and the attacker's page submits a forged transfer request that the browser sends along with the user's cookies, so to the bank it looks like it came from the user.
How do you prevent CSRF?
Programmers can use:
Anti-CSRF (synchronizer) tokens: a random secret embedded in each form and verified server-side when the form is submitted
The SameSite cookie attribute, so the browser does not attach the session cookie to cross-site requests
Re-authentication or a CAPTCHA before sensitive actions
Checking the Origin or Referer header against the expected site
What does SQL do?
It is the query language a web application uses to talk to a relational database.
How do you stop SQL injections?
Parameterized queries (prepared statements), input validation, and least privilege for the database account
For the exam, any question that shows 1=1, 999=999 or a similar always-true condition is about SQL injection.
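Why 1=1 is the tell, as an added example (not code from the page): a login query built by string formatting versus the same query with parameters, run against a constructed in-memory SQLite table. With `' OR 1=1 --` as the password the formatted query's WHERE clause becomes always-true and the trailing quote is commented out, so every user matches; the parameterized version treats the same text as a literal password and matches nobody. The users table and its plaintext passwords exist only for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users (example data only;
    a real application stores password hashes, not plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the SQL by string formatting, so user input becomes part of the
    query text. With password = "' OR 1=1 --" the clause reads
    ... AND password = '' OR 1=1 --'   which matches every row."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the driver sends the values separately from the SQL
    text, so ' OR 1=1 -- is just a string that matches no stored password."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(conn, "nobody", payload))
    print("safe:      ", login_safe(conn, "nobody", payload))
    print("comment trick:", login_vulnerable(conn, "alice' --", "wrong"))
```

The second payload, `alice' --` as the username, shows the other common shape: the comment marker discards the password check entirely, so no always-true condition is even needed.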
What are the most common injection vectors?
SQL, HTML, XML, LDAP
SQL being the most targeted by far
What is XML vulnerable to?
XML data submitted without encryption or input validation is vulnerable to:
Spoofing
Request forgery
Code injection