ITN 260 - Chapter 3
A web browser makes a request for a web page using the ________________.
Hypertext Transfer Protocol (HTTP)
A TCP/IP communication begins with a control message, known as a ________________, to initialize the connection.
SYN
The default root directory of the Microsoft Internet Information Services (IIS) Web server is located at which directory below?
C:\Inetpub\wwwroot
When TCP/IP was developed, the host table concept was expanded into a hierarchical name system for matching computer names and numbers using this service:
DNS
XSS attacks occur when an attacker takes advantage of web applications that accept user input without validating it and then present it back to the user.
True
Select below the string of characters that can be used to traverse up one directory level from the root directory:
../
Match each description with the term it defines:
A- An attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets.
B- Injecting commands that are then executed on a server.
C- An attack that corrupts the ARP cache.
D- A form of verification used when accessing a secure web application.
E- An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
F- An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim.
G- Another name for a locally shared object (LSO).
H- Part of the TCP/IP protocol for determining the MAC address based on the IP address.
I- An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.
J- An attack that injects scripts into a web application server to direct attacks at clients.
A- Ping Flood
B- Command Injection
C- ARP Poisoning
D- Session Token
E- Buffer Overflow Attack
F- Smurf Attack
G- Flash Cookie
H- Address Resolution Protocol (ARP)
I- DNS Poisoning
J- Cross-site scripting (XSS)
The predecessor to today's Internet was a network known as ____________________.
ARPAnet
How can an attacker substitute a DNS address so that a computer is automatically redirected to another device?
DNS poisoning
A user has become compromised as a result of visiting a specific web page, without clicking on any kind of content. What type of attack has occurred?
Drive-by-Download
Because of the minor role it plays, DNS is never the focus of attacks.
False
Because the XSS is a widely known attack, the number of Web sites that are vulnerable is very small.
False
What language below is designed to display data, with a primary focus on how the data looks?
HTML
What portion of the HTTP packet consists of fields that contain information about the characteristics of the data being transmitted?
HTTP header
On a compromised computer, you have found that a user without administrative privileges was able to perform a task limited to only administrative accounts. What type of exploit has occurred?
Privilege Escalation
Which type of attack below is similar to a passive man-in-the-middle attack?
Replay
To what specific directory are users generally restricted on a web server?
Root
Attacks that take place against web-based services are considered to be what type of attack?
Server-side
An attack in which the attacker attempts to impersonate the user by using his or her session token is known as:
Session Hijacking
HTML uses which of the following, enclosed in angle brackets (< >), to cause a web browser to display text in a specific format?
Tags
ARP poisoning is successful because there are no authentication procedures to verify ARP requests and replies.
True
Although traditional network security devices can block traditional network attacks, they cannot always block Web application attacks.
True
What language below is for the transport and storage of data, with the focus on what the data is?
XML
The exchange of information among DNS servers regarding configured zones is known as:
Zone Transfer
Which SQL injection statement example below could be used to discover the name of the table?
whatever' AND 1=(SELECT COUNT(*) FROM tabname); --
Which SQL statement represents a SQL injection attempt to determine the names of different fields in a database?
whatever' AND email IS NULL; --
Choose the SQL injection statement example below that could be used to find specific users:
whatever' OR full_name LIKE '%Mia%'