Chapter 7: Protecting Against Advanced Attacks
A. Input validation should be performed on the server side. Client-side validation can be combined with server-side validation, but it can be bypassed, so it should not be used alone. Boundary or limit checks are an important part of input validation. Pointer dereference techniques use references to point to values and are unrelated to input validation techniques.
A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process? A. Perform the validation on the server side. B. Perform the validation on the client side. C. Prevent boundary checks. D. Implement pointer dereference techniques.
C. A password salt is additional random characters added to a password before hashing the password, and it decreases the success of password attacks. Rainbow tables are used by attackers and contain precomputed hashes. Message Digest 5 (MD5) is a hashing algorithm that creates hashes, but the scenario already states that passwords are hashed. Input validation techniques verify data is valid before using it and they are unrelated to protecting hashed passwords.
An application stores user passwords in a hashed format. Which of the following can decrease the likelihood that attackers can discover these passwords? A. Rainbow tables B. MD5 C. Salt D. Input validation
B. This describes a known plaintext attack because the attacker knows some of the plaintext data used to create the encrypted data. More specifically, this is a chosen plaintext attack (but that wasn't available as an answer) because the attacker knew a portion of the plaintext. In a known ciphertext attack, the attacker doesn't have any information on the plaintext. A brute force attack attempts to guess a password. A rainbow table attack uses a table of hashes to identify a password from a matched hash.
An attacker has been analyzing encrypted data that he intercepted. He knows that the end of the data includes a template sent with all similar messages. He uses this knowledge to decrypt the message. Which of the following types of attacks BEST describes this attack? A. Known ciphertext B. Known plaintext C. Brute force D. Rainbow table
D. A rainbow table attack attempts to discover the password from the hash. However, they use rainbow tables, which are huge databases of precomputed hashes. A dictionary attack compares passwords against words in a dictionary of words, but a dictionary of words wouldn't include randomly generated passwords. A birthday attack relies on hash collisions. However, it wouldn't necessarily be effective depending on what hashing algorithm is used. A brute force attack attempts to guess all possible character combinations but is very time-consuming for each password.
An attacker has captured a database filled with hashes of randomly generated passwords. Which of the following attacks is MOST likely to crack the largest number of passwords in this database? A. Dictionary attack B. Birthday attack C. Brute force attack D. Rainbow tables
D. One type of buffer overflow attack attempts to write more data into an application's memory than it can handle. None of the other answers are directly related to overloading the application's memory. A cross-site request forgery (XSRF) attack attempts to launch attacks with HTML code. A Dynamic Link Library (DLL) injection attack injects a DLL into memory and causes it to run. A pass the hash attack attempts to discover a password.
An attacker is attempting to write more data into a web application's memory than it can handle. Which type of attack is this? A. XSRF B. DLL injection C. Pass the hash D. Buffer overflow
B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources. A DoS attack comes from a single system and a SYN flood is an example of a DoS attack. A buffer overflow is a type of DoS attack that attempts to write data into an application's memory.
Attackers have launched an attack using multiple systems against a single target. Which type of attack is this? A. DoS B. DDoS C. SYN flood D. Buffer overflow
A. Normalization techniques organize tables and columns in a database and improve overall database performance. None of the other answers improve the database performance. Input validation techniques help prevent many types of attacks, and server-side input validation techniques are preferred over client-side techniques. Obfuscation techniques make the code more difficult to read.
Database administrators have created a database used by a web application. However, testing shows that the application is taking a significant amount of time accessing data within the database. Which of the following actions is MOST likely to improve the overall performance of a database? A. Normalization B. Client-side input validation C. Server-side input validation D. Obfuscation
A. Code signing provides a digital signature for the code and verifies the publisher of the code and verifies that it hasn't been modified since the publisher released it. None of the other answers verify the application hasn't been modified. Input validation verifies data is valid before using it. Code obfuscation makes the code more difficult to read. Stored procedures are used with SQL databases and can be used for input validation.
Developers have created an application that users can download and install on their computers. Management wants to provide users with a reliable method of verifying that the application has not been modified. Which of the following methods provides the BEST solution? A. Code signing B. Input validation C. Code obfuscation D. Stored procedures
A. A cross-site request forgery (XSRF) attack causes users to perform actions without their knowledge. This scenario indicates the user visited a web site, most likely through a malicious link, and the link initiated a purchase. None of the other attacks cause unsuspecting users to make purchases. A buffer overflow attacks a web site and attempts to access system memory. A SQL injection attack attempts to access data on a database server. Dead code is code that never executes and is unrelated to this scenario.
Homer recently received an email thanking him for a purchase that he did not make. He asked an administrator about it and the administrator noticed a pop-up window, which included the following code: A. XSRF B. Buffer overflow C. SQL injection D. Dead code
C. Attackers use the phrase (' or'1'='1'--) in SQL injection attacks to query or modify databases. A buffer overflow attack sends more data or unexpected data to an application with the goal of accessing system memory. A cross-site scripting (XSS) attack attempts to insert HTML or JavaScript code into a web site or email. A Dynamic Link Library (DLL) injection attack attempts to inject DLLs into memory, causing DLL commands to run.
Looking at logs for an online web application, you see that someone has entered the following phrase into several queries: ' or '1'='1' -- Which of the following is the MOST likely explanation for this? A. A buffer overflow attack B. An XSS attack C. A SQL injection attack D. A DLL injection attack
C. The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices. The waterfall model isn't as flexible and focuses instead on completing the project in stages. Both agile and waterfall are software development life cycle (SDLC) models, which is a generic concept designed to provide structure for software development projects. Secure DevOps is an agile-aligned development methodology that focuses on security considerations throughout a project.
Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project? A. Waterfall B. SDLC C. Agile D. Secure DevOps
C. A cross-site scripting (XSS) attack can be blocked by using input validation techniques to filter special characters such as the < and > characters used in HTML code. None of the other listed attacks require the use of special characters. A man-in-the-browser attack exploits vulnerabilities in browsers to capture user data entries. An amplification attack increases the amount of data sent to a victim to overwhelm it. A domain hijacking attack changes the domain registration of a domain name without permission of the owner.
While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent? A. Man-in-the-browser B. Amplification C. XSS D. Domain hijacking
B. A version control system will track all changes to a system, including who made the change and when. Change management processes (not available as a possible answer) typically provide the same solution. An agile software development life cycle (SDLC) model focuses on interaction from all players in a project, but doesn't necessarily include a version control system. Secure DevOps is an agile-aligned software development methodology that focuses on security throughout the process. Static code analysis examines the code without executing it as a method of code testing.
You are overseeing a large software development project. Ideally, developers will not add any unauthorized changes to the code. If they do, you want to ensure that it is easy to identify the developer who made the change. Which of the following provides the BEST solution for this need? A. Agile SDLC B. Version control C. Secure DevOps D. Static code analysis
D. Dynamic analysis techniques (such as fuzzing) can test the application's ability to maintain availability and data integrity for some scenarios. Fuzzing sends random data to an application to verify the random data doesn't crash the application or expose the system to a data breach. Model verification ensures that the software meets specifications and fulfills its intended purpose, but it doesn't focus on reliability or integrity. Input validation and error-handling techniques protect applications, but do not test them.
Your organization is preparing to deploy a web-based application, which will accept user input. Which of the following will BEST test the reliability of this application to maintain availability and data integrity? A. Model verification B. Input validation C. Error handling D. Dynamic analysis
D. A vendor-specific guide for the new hardware-based firewall will have the most appropriate instructions for installing it. Frameworks (regulatory or non-regulatory) provide structures that can be followed for different purposes, but they wouldn't be available for a specific firewall. A general-purpose guide will provide general instructions, but not instructions for a specific vendor's firewall.
Your organization recently purchased a new hardware-based firewall. Administrators need to install it as part of a DMZ within the network. Which of the following references will provide them with the MOST appropriate instructions to install the firewall? A. A regulatory framework B. A non-regulatory framework C. A general-purpose firewall guide D. A vendor-specific guide