Web Application Attacks and Countermeasures Flashcards

1
Q

Edward, a professional hacker, targeted an organization’s official web page to damage the company’s reputation. He employed the SQL injection technique to access the targeted web page, applied unauthorized modifications to change its visual appearance, and displayed another page containing his own messages.

Identify the attack technique utilized by Edward in the above scenario.

A

Website Defacement: Attackers can completely change the appearance of a website by replacing its original data. They deface the target website by changing the visuals and displaying different pages with messages of their own.

2
Q

Which of the following countermeasures helps administrators defend against web server attacks?

A

Screen and filter incoming traffic requests

3
Q

Which of the following layers of the web application architecture includes all physical devices on the client-side, such as laptops, smartphones, and computers?

A

Presentation layer

4
Q

Which of the following application security risks occurs when untrusted data is sent to an interpreter as part of a command or query, according to the OWASP?

A

A1 – Injection: Injection flaws, such as SQL, command injection, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

5
Q

Which of the following countermeasures helps security teams prevent sensitive data from being exposed?

A

Use AES encryption for stored data and use TLS with HSTS for incoming traffic

6
Q

Samuel, a professional hacker, targeted an organization’s database server to manipulate its content. To accomplish his goal, Samuel intentionally started inserting bad input queries through an application and analyzed the error messages returned by the database to gather specific information from each query. He then constructed a specially designed SQL query to compromise data security and manipulated the stored content using the information he had obtained.

Identify the type of SQL injection performed by Samuel in the above scenario.

A

In-band SQL Injection: In-band attacks are commonly used and easy-to-exploit SQL injection attacks. The most commonly used in-band SQL injection attacks are error-based SQL injection and UNION SQL injection.

7
Q

Which of the following countermeasures helps developers prevent applications from becoming vulnerable to SQL injection attacks?

A

Design the code such that it traps and handles exceptions appropriately

8
Q

Which of the following web-server components facilitates storage on another machine or disk if the original disk becomes full, in addition to providing object-level security?

A

Virtual Document Tree: A virtual document tree provides storage on a different machine or disk after the original disk becomes full.

9
Q

Which of the following web application vulnerabilities allows untrusted data to be interpreted and executed as part of a command or query?

A

Injection flaws, such as SQL, command injection, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.

10
Q

In which of the following attacks does an attacker inject an additional malicious query into an original query to make a DBMS execute multiple SQL queries?

A

Piggybacked query: In a piggybacked SQL injection attack, an attacker injects an additional malicious query into the original query.
