Chapter 7 Practice Questions
An attacker enters a string of data in a web application's input form and crashes it. What type of attack is this? A. DoS B. DDoS C. Man-in-the-middle D. Header manipulation
A. DoS The question describes a buffer overflow attack, which can be used as a denial-of-service (DoS) attack. A DDoS attack comes from multiple computers. A man-in-the-middle attack can interrupt network traffic and insert malicious code into a session, but it doesn't attack applications. A header manipulation manipulates flags and data in packets.
An attacker is entering incorrect data into a form on a web page. The result shows the attacker the type of database used by the website and provides hints on what SQL statements the database accepts. What can prevent this? A. Error handling B. Antivirus software C. Anti-spam software D. Flood guards
A. Error handling Error handling will return a generic error web page rather than a detailed error that can provide an attacker with valuable information to launch a SQL injection attack. Antivirus software can detect malware, such as viruses and worms, and prevent it from running on a computer. Anti-spam software can filter out unwanted or unsolicited e-mail (also called spam). Flood guards can prevent SYN flood attacks.
What can a header manipulation attack modify? A. Flags B. Buffers C. Databases D. Signature definitions
A. Flags A header manipulation modifies flags and data in a packet and can launch a session hijacking attack. Buffer overflow attacks can modify memory buffers. SQL injection attacks can modify databases. Antivirus software requires up-to-date signature definitions, but header manipulation does not modify these.
Your organization hosts several websites accessible on the Internet and is conducting a security review of these sites. Of the following choices, what is the most common security issue for web-based applications? A. Input validation B. Phishing C. Whaling D. Social engineering
A. Input validation Input validation checks input data, but because so many sites do not use it, they are vulnerable to buffer overflow, SQL injection, and cross-site scripting attacks. Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information (such as bank account information). Whaling is a phishing attack that targets high-level executives. Social engineering is the practice of using social tactics to encourage a person to do something or reveal some piece of information.
A web developer wants to prevent cross-site scripting. What should the developer do? A. Use input validation to remove hypertext B. Use input validation to remove cookies C. Use input validation to SQL statements D. Use input validation to overflow buffers
A. Use input validation to remove hypertext Web developers reduce cross-site scripting attacks with input validation and filter out hypertext and JavaScript tags (using < and > characters). Cookies are text files used by the website. SQL injection attacks use SQL statements and input validation helps prevent SQL injection attacks. Input validation can prevent buffer overflows, reducing buffer overflow attacks.
An attacker is sending false hardware address updates to a system, causing the system to redirect traffic to an attacker. What type of attack is this? A. IRC B. ARP poisoning C. Xmas attack D. DNS poisoning
B. ARP poisoning Hardware addresses are MAC addresses, and an ARP poisoning attack misleads computers or switches about the actual MAC address of a system and can redirect traffic. Botnets sometimes communicate via IRC channels, but IRC channels don't send false updates to a switch. An Xmas attack is a port scan where an attacker attempts to detect the operating system of the scanned system. DNS poisoning attacks corrupt name resolution data used to resolve names to IP addresses.
You manage a server hosting a third-party database application. You want to ensure that the application is secure and all unnecessary services are disabled. What should you perform? A. Secure code review B. Application hardening C. White box testing D. Black box testing
B. Application hardening Application hardening ensures that a system is secure and includes basics such as disabling unnecessary services and checking vendor documentation. The developer should perform secure code reviews and test the application before releasing it, but these aren't steps for the customer of the application. In other words, the developer should have already performed these steps. Applications developed in-house (not third-party applications) require secure code reviews, and third party black box testing is the most effective method of application testing.
A web-based application expects a user to enter eight characters into a text box. However, the application allows a user to copy more than eight characters into the text box. What is a potential vulnerability for this application? A. Input validation B. Buffer overflow C. SYN flood D. Flood guard
B. Buffer overflow A buffer overflow occurs when an application receives more data than it expects and can expose system memory. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. A SYN flood attack withholds the third packet in a TCP handshake, and a flood guard is a security control that protects against SYN flood attacks.
A website prevents users from using the less-than character (<) when entering data into forms. What is it trying to prevent? A. Logic bomb B. Cross-site scripting C. Fuzzing D. SQL injection
B. Cross-site scripting Web developers reduce cross-site scripting attacks with input validation and filtering out hypertext and JavaScript tags (using < and > characters). A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date. Fuzzing sends pseudo-random data as input to an application in an attempt to crash or confuse it. Input validation blocks SQL injection attacks but SQL statements aren't blocked by blocking the < character.
Of the following choices, what is a step used to harden a database application? A. Enabling all services B. Disabling default accounts and changing default passwords C. Disabling SQL D. Disabling stored procedures
B. Disabling default accounts and changing default passwords Application hardening (including hardening database applications) includes disabling default accounts and changing default passwords. Application hardening includes disabling unnecessary services, not enabling all of them. SQL is the language used to communicate with most databases, so it shouldn't be disabled in a database application. Stored procedures increase performance, can help prevent SQL injection attacks, and shouldn't be disabled.
What can an administrator use to detect a DDoS attack? A. Privilege escalation B. Performance baseline C. Web form sanitization D. Antivirus software
B. Performance baseline A performance baseline can help detect a distributed denial-of-service (DDoS) by showing differences in performance. Malware uses privilege escalation to gain more rights and permissions after compromising a system. Web form sanitization (or input validation) can prevent injection attacks, but won't detect a DDoS attack. Antivirus software can detect viruses, worms, and Trojan horses, but not DDoS attacks.
A computer is regularly communicating with an unknown IRC server and sending traffic without user interaction. What is likely causing this? A. Buffer overflow B. Cross-site scripting C. Botnet D. Rootkit
C. Botnet Botnets control computers in the botnet and can use Internet Relay Chat (IRC) messages. A buffer overflow occurs when a system receives unexpected data, such as a string of NOOP instructions. Cross-site scripting allows an attacker to inject malicious code into a website's HTML pages. Rootkits provide attackers with system level access and can modify file system operations, but don't use IRC.
An organization develops its own software. Of the following choices, what is a security practice that should be included in the process? A. Check vendor documentation B. SDLC Waterfall model C. Code review D. Enabling command injection
C. Code review Secure software development includes security at each stage of development, including code reviews for security. Vendor documentation for purchased software is an important application-hardening step, but inhouse developed software wouldn't have vendor documentation during development. Using an SDLC model helps an organization manage the development process, but there is nothing in the question to indicate that the Waterfall model should be used. Attacks use command injection, and applications should block command injection.
While analyzing an application log, you discover several entries where a user has entered the following command into a web-based form: ../etc/passwd. What does this indicate? A. Fuzzing B. Kiting C. Command injection attack D. DoS
C. Command injection attack A command injection attack is any attempt to inject commands into an application such as a webbased form, and, in this case, the attack is attempting to retrieve password information with directory traversal. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system and can detect buffer overflow vulnerabilities. Kiting is the practice of repeatedly reserving domain names without paying for them. A DDoS attack is launched from multiple computers and results in loss of services.
What will protect against a SYN attack? A. Input validation B. Error handling C. Flood guard D. Cross-site scripting
C. Flood guard Flood guards help protect against SYN flood attacks. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. Error handling routines are a part of input validation and can prevent application failures and many application attacks. Cross-site scripting is an attack that uses HTML or JavaScript tags.
Of the following choices, what can help prevent SQL injection attacks? A. Output validation B. NOOP sleds C. Stored procedures D. Antivirus software
C. Stored procedures Stored procedures help prevent SQL injection attacks by interpreting and validating inputted data rather than just using it in a SQL statement. Input validation (not output validation) is another method used to prevent SQL injection attacks. Many buffer overflow attacks use a string of no-operation commands (NOOP sled). Antivirus software protects against malware but not SQL injection attacks.
Of the following choices, what uses a command and control server? A. DoS attacks B. Trojans C. Man-in-the-middle attacks D. Botnet
D. Botnet Criminals control botnets through command and control software running on Internet servers. Botnets frequently launch DDoS attacks from each system, but not DoS attacks from a single system. A Trojan is malware that appears to be something useful but instead includes something malicious. A man-in-the-middle attack can intercept traffic and insert malicious code but it doesn't use a command and control server.
An IDS detected a NOOP sled. What kind of attack does this indicate? A. Input validation B. SQL injection C. Cross-site scripting D. Buffer overflow
D. Buffer overflow Many buffer overflow attacks use a string of no-operation commands as a NOOP sled, and while input validation prevents a buffer overflow attack, an intrusion detection system (IDS) can detect them. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. SQL injection attacks use SQL statements. Cross-site scripting attacks use HTML or JavaScript tags.
Of the following choices, what type of attack can intercept traffic and insert malicious code into a network conversation? A. Spim B. Xmas attack C. LDAP injection D. Man-in-the-middle
D. Man-in-the-middle A man-in-the-middle attack can intercept traffic and insert malicious code, but Kerberos helps prevent man-in-the-middle attacks with mutual authentication. Spim attacks send messages over instant messaging channels but can't intercept traffic. A Xmas attack is a port scan attack where an attacker attempts to detect the operating system of the scanned system. LDAP injection is an attack used against Active Directory based systems.
A user browsing the Internet notices erratic behavior right before the user's system crashes. After rebooting, the system is slow, and the user detects hundreds of outbound connections. What likely occurred? A. The system has become a botnet B. The system is hosting a botnet C. The system is spamming other users D. The system has joined a botnet
D. The system has joined a botnet This describes a drive by download that downloads malware onto a user's system after visiting a web site, and joins it to a botnet (indicated by the hundreds of outbound connections). A botnet is composed of multiple systems, not a single system and criminals (known as bot herders) control the systems in the botnet. Botnets members can spam (and attack) others but the symptoms don't indicate that this what is happening.
What can mitigate ARP poisoning attacks in a network? A. Disable unused ports on a switch B. Man-in-the-middle C. DMZ D. VLAN segregation
D. VLAN segregation Address Resolution Protocol (ARP) poisoning attacks modify the hardware addresses in ARP cache to redirect traffic, and virtual local area network (VLAN) segregation can limit the scope of these attacks. Disabling unused physical ports on a switch is a good security practice, but it doesn't prevent ARP poisoning attacks. A man-in-the middle attack can interrupt traffic and insert malicious code, and ARP poisoning is one way to launch a man-in-the middle attack. A DMZ provides access to services from Internet clients while segmenting access to an internal network.