Computer Security Chapter 11


A variant where the attacker includes malicious script content in data supplied to a site is the __________ vulnerability.

XSS reflection

In the ________ attack the user supplied input is used to construct a SQL request to retrieve information from a database.

SQL injection

True or False? Cross-site scripting attacks attempt to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site.

True

True or False? Defensive programming requires a changed mindset to traditional programming practices.

True

UNIX-related systems provide the chroot system function to limit a program's view of the file system to just one carefully configured section that is known as a ________.

chroot jail

A ________ is a pattern composed of a sequence of characters that describe allowable input variants. A. canonicalization B. race condition C. regular expression D. shell script

regular expression

_________ attacks are most commonly seen in scripted Web applications.

Cross-site scripting

__________ attacks are vulnerabilities involving the inclusion of script code in the HTML content of a Web page displayed by a user's browser. A. PHP file inclusion B. Mail injection C. Code injection D. Cross-site scripting

Cross-site scripting

True or False? A difference between defensive programming and normal practices is that everything is assumed.

False

True or False? An ASCII character can be encoded as a 1 to 4 byte sequence using the UTF-8 encoding.

False

True or False? Security flaws occur as a consequence of sufficient checking and validation of data and error codes in programs.

False

True or False? The correct implementation in the case of an atomic operation is to test separately for the presence of the lockfile and to not always attempt to create it.

False

True or False? To counter XSS attacks a defensive programmer needs to explicitly identify any assumptions as to the form of input and to verify that any input data conform to those assumptions before any use of the data.

False

The intent of ________ is to determine whether the program or function correctly handles all abnormal inputs or whether it crashes or otherwise fails to respond appropriately. A. shell scripting B. fuzzing C. canonicalization D. deadlocking

fuzzing

_________ are a collection of string values inherited by each process from its parent that can affect the way a running process behaves. A. Deadlocks B. Privileges C. Environment variables D. Race conditions

Environment variables

__________ programming is a form of design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of the software.

Defensive

True or False? Injection attack variants can occur whenever one program invokes the services of another program, service, or function and passes to it externally sourced, potentially untrusted information without sufficient inspection and validation of it.

True

True or False? Key issues from a software security perspective are whether the implemented algorithm correctly solves the specified problem, whether the machine instructions executed correctly represent the high level algorithm specification, and whether the manipulation of data values in variables is valid and meaningful.

True

True or False? Many computer security vulnerabilities result from poor programming practices.

True

True or False? Programmers often make assumptions about the type of inputs a program will receive.

True

True or False? Software security is closely related to software quality and reliability.

True

True or False? There is a problem anticipating and testing for all potential types of non-standard inputs that might be exploited by an attacker to subvert a program.

True

True or False? To prevent XSS attacks any user supplied input should be examined and any dangerous code removed or escaped to block its execution.

True

True or False? Without suitable synchronization of accesses it is possible that values may be corrupted, or changes lost, due to overlapping access, use, and replacement of shared values.

True

Program input data may be broadly classified as textual or ______.

binary

The process of transforming input data that involves replacing alternate, equivalent encodings by one common value is called _________.

canonicalization

A _______ attack is where the input includes code that is then executed by the attacked system. A. SQL injection B. cross-site scripting C. code injection D. interpreter injection

code injection

A _________ attack occurs when the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server. A. command injection B. SQL injection C. code injection D. PHP remote code injection

command injection

The most common technique for using an appropriate synchronization mechanism to serialize the accesses to prevent errors is to acquire a _______ on the shared file, ensuring that each process has appropriate access in turn. A. lock B. code injection C. chroot jail D. privilege escalation

lock

The principle of ________ strongly suggests that programs should execute with the least amount of privileges needed to complete their function.

least privilege

A number of widely used standard C _________ compound the problem of buffer overflow by not providing any means of limiting the amount of data transferred to the space available in the buffer.

library routines

A steady reduction in memory available on the heap to the point where it is completely exhausted is known as a ________. A. fuzzing B. deadlock C. memory injection D. memory leak

memory leak

Two key areas of concern for any input are the _______ of the input and the meaning and interpretation of the input.

size

_________ is a program flaw that occurs when program input data can accidentally or deliberately influence the flow of execution of the program. A. PHP attack B. Format string injection attack C. XSS attack D. Injection attack

Injection attack

"Failure to Preserve SQL Query Structure" is in the __________ CWE/SANS software error category.

Insecure Interaction Between Components

Blocking assignment of form field values to global variables is one of the defenses available to prevent a __________ attack. A. PHP remote code injection B. mail injection C. command injection D. SQL injection

PHP remote code injection

"Improper Access Control (Authorization)" is in the _________ software error category. A. Porous Defenses B. Allocation of Resources C. Risky Resource Management D. Insecure Interaction Between Components

Porous Defenses

"Incorrect Calculation of Buffer Size" is in the __________ software error category. A. Porous Defenses B. Allocation of Resources C. Risky Resource Management D. Insecure Interaction Between Components

Risky Resource Management

The most common variant of injecting malicious script content into pages returned to users by the targeted sites is the _________ vulnerability. A. XSS reflection B. chroot jail C. atomic bomb D. PHP file inclusion

XSS reflection

The major advantage of ________ is its simplicity and its freedom from assumptions about the expected input to any program, service, or function.

fuzzing

Incorrect handling of program _______ is one of the most common failings in software security. A. lines B. input C. output D. disciplines

input

Program _______ refers to any source of data that originates outside the program and whose value is not explicitly known by the programmer when the code was written.

input

If privileges are greater than those already available to the attacker the result is a _________.

privilege escalation

A ________ occurs when multiple processes and threads compete to gain uncontrolled access to some resource.

race condition

Defensive programming is sometimes referred to as _________. A. variable programming B. secure programming C. interpretive programming D. chroot programming

secure programming

