CIS 168 Final

¡Supera tus tareas y exámenes ahora con Quizwiz!

Which of the following is true for Reflect XSS?

Affects the code of the client in the browser directly.

What can lead to insufficient logging and monitoring?

All of the above.

What is considered a best practice when identifying components with known vulnerabilities?

All of the above.

How is insecure serialization used?

All of the answers provided

Why is it so hard to implement access controls properly in the first place?

All of these answers.

Which of the following can lead to sensitive data exposure?

Both are correct.

What is the best source to identify vulnerabilities?

CVE from Mitre

What does it mean to "harden" a software environment?

Change default configurations to more secure settings.

What tool is recommended for XSS Protection?

Content Security Policy

What is Serialization?

Converting an object into a byte stream (data).

What is Deserialization?

Converting data to an object.

What type of attack depends on entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users?

Cross-site scripting

What are the two types of XXE?

Direct and Indirect

What is the best way to defend against XXE?

Disable external entities in your XML parser.

What is the key to encryption, hashing, and encoding when securing your sensitive data?

Envryption can be decrypted using the right key.

What is XML?

Extensible Markup Language

Authentication and authorization both refer to the same concept--access control.

False

Deserialization is the process of converting an object into a data format, something like XML or JSON, with the intent of putting it back together later.

False

If you encrypt application data in motion, you don't need to encrypt that data at rest.

False

The damage an attacker can inflict by exploiting broken access control flaws is likely to be minimal.

False

Approximately how many entries does the US National Vulnerability Database contain?

More than 120,000

Which of the following is true about Stored XSS?

Most difficult to detect

Which of the following is true about DOM-based XSS?

Never requires interaction with the server

Which of the following is not an XSS attack category?

OS-based

What is an Indirect XXE?

Results of some forms of requests where the server generates an XML object.

How is XML similiar to HTML?

Tag-based syntax is used.

Which of the following is not a type of cross-site scripting (XSS) flaw?

Transparent

By uploading an XML file that contains hostile content, an attacker could potentially launch multiple attacks from the XML processor that handles the file.

True

Security misconfiguration weaknesses extend beyond the application.

True

Security tools can be used to help assess configurations automatically.

True

The OWASP Top 10 Project is the most mature, most popular project in the OWASP project library.

True

The best way to protect your apps from components with known vulnerabilities is to remove everything you don't need.

True

The ideal setting to test for insufficient logging and monitoring vulnerabilities is a white box testing scenario.

True

What is Direct XXE?

XML object sent to the server with an external entity flag.

It's not enough to simply identify the standards that should be applied in order to harden your software environments. You also have to _____.

ensure those hardening standards are applied each and every time.


Conjuntos de estudio relacionados

FUNDAMENTAL SKILLS: Safety and Infection

View Set

PSY 251: Chapter 1 (Introduction) Notes

View Set

Mastering Environmental Science Ch. 24

View Set

Financial Accounting Midterm (Chapters 1-7)

View Set

U3L1: Basics of Hypothesis Testing (Using a Critical Value or P-value to Assess the Test Statistic)

View Set