Web and Database Attacks Flashcards

1
Q

What types of attacks are typically found where there are insecure user-controlled values?

A

Injection attacks

2
Q

What kind of attack often involves abuse of application programming interface (API) functions with names like exec, eval, cmd, or system?

A

Command Injection

3
Q

What are some common commands used when performing a command injection attack?

A

whoami, ls, dir

4
Q

Name some remediation methods for Command Injection attacks

A
  1. Avoid having the application call commands directly in the OS
  2. Use programming options to escape the command for the underlying OS before sending the command
  3. Parameterize and perform input validation by using an allowlist for characters
  4. Run applications at the lowest possible privilege

5
Q

What are the two common methods for inferring query results in a blind SQLi?

A

1) Boolean-based and 2) time-based

6
Q

What are the two types of time-based searches in a blind SQLi?

A

Linear search and Binary search

7
Q

What is sqlmap?

A

A penetration testing tool for SQL injection (SQLi). It automates the detection and exploitation of SQLi flaws and the takeover of database servers.

8
Q

What type of SQL attack combines the results of two or more SELECT statements (one of which already exists within the application) into a single result in the application response? To be successful, each query must return the same number of columns, and the data types in each column must match.

A

Union Query SQL Injection

9
Q

What kind of SQL attack works by terminating the original query and then executing another query?

A

Stacked Queries SQL Injection

10
Q

What are some remediation techniques against SQL attacks?

A
  1. Parameterize queries and perform input validation by using an allowlist for characters
  2. Use stored procedures
  3. Escape all user input
11
Q

What kind of attack often involves attributes such as ou, cn, or dc, and can be distinguished by looking for key-value pairs in injected filters using parentheses and comparison characters?

A

LDAP Injection

12
Q

What are some ways to remediate against LDAP Injection attacks?

A
  1. Escape all variables using LDAP encoding functions
  2. Use language-specific built-in safe frameworks for interacting with LDAP
  3. Run applications at the lowest possible privilege
13
Q

What type of attack involves attackers injecting client-side scripts or HTML code into other web pages to steal information or bypass authentication?

A

Cross-site Scripting (XSS)

14
Q

What are the three types of XSS (Cross-site Scripting) attacks?

A
  1. Reflected
  2. Stored
  3. DOM-based

15
Q

What is a browser extension in Mozilla-based browsers that can help block unwanted scripts from executing in your browser and limit execution to only trusted websites?

A

NoScript

16
Q

How can you recognize XSS (Cross-site Scripting) attacks?

A

They typically involve HTML tags and symbols such as <, >, =, and quotation marks.

17
Q

What kind of client-side injection attack involves tricking a user into performing an action they did not intend on a trusted website?

A

Cross-site Request Forgery (CSRF)

18
Q

What is the free, deliberately vulnerable web application that is susceptible to many kinds of web-based attacks?

A

DVWA (Damn Vulnerable Web Application)

19
Q

What is a common tool used for web and web application penetration testing?

A

Burp Suite Pro

20
Q

Session-based authentication in most web frameworks is stateful. What does this mean?

A

It means that both the server and the client keep a record of the session.

21
Q

What are some Set-Cookie attributes that can be included in a response header from a server to a client’s browser?

A
  1. HttpOnly - The cookie cannot be accessed via JavaScript, which prevents cookie theft through XSS attacks
  2. Path - Defines the URL path for which the cookie is valid
  3. Domain - Defines the domain for which the cookie is valid
  4. Expires - Tells the browser to save the cookie locally for persistent storage and to send it with future requests until the expiration date
  5. Secure - Ensures the cookie is never sent over an unencrypted connection, such as plain HTTP

22
Q

What are two ways to protect against Session Hijack attacks?

A
  1. Invalidate the session as soon as the user logs out
  2. Web applications should assign a new session ID upon authentication

23
Q

What is a well-known open-source product used for hosting and deploying Java-based web applications?

A

Apache Tomcat

24
Q

What policy defines the requirement for how access to a resource should be managed and controlled based on the rule of least privilege?

A

Access Control Policy

25
Q

Sensitive data exposure can come in the form of an error message or a reference to an internal function that inadvertently reveals the true nature of the request. An example would be exposing a database record as a referenced object within a web parameter or URL. What is this called?

A

An insecure direct object reference (IDOR)

26
Q

What kind of attacks are a form of injection that enables a malicious actor to access content that would not normally be available by using directory shortcuts to browse outside of the web server's root folder?

A

Directory and path traversal attacks

27
Q

What is the difference between a file inclusion vulnerability and a path or directory traversal attack?

A

With a traversal attack, you only have the ability to read the contents of a local resource; with file inclusion, the resource can be loaded and executed within the context of the application (providing code execution).

28
Q

What kind of web or database attack is characterized by the ability to load arbitrary content within a web page?

A

Inclusion attack

29
Q

What are the two types of file inclusion attacks?

A

LFI (Local File Inclusion) - includes files outside the web root and renders the contents of local operating system files, such as the password file, to the browser window.
RFI (Remote File Inclusion) - allows files from a remote host, or even whole pages, to be loaded and displayed inside the vulnerable web page.

30
Q

How can you mitigate file inclusion attacks like LFI and RFI?

A

Input validation

31
Q

What is it called when two or more application logic components have co-dependent data, do not have appropriate concurrency protections, and execute simultaneously?

A

Race condition

32
Q

What is the purpose of the Document Object Model (DOM) within a user’s web browser?

A

At runtime, the application uses the DOM to structure content within the browser. DOM modules may include JavaScript code that executes locally within the user's browser.