FISS Lab 8 Assessment
Which of the following becomes possible when a web form allows HTML or JavaScript code as valid input? a. Cross-site scripting (XSS) b. Phishing attacks c. Penetration testing d. SQL Injection
Cross-site scripting (XSS)
When is the company under additional compliance laws and standards to ensure the confidentiality of customer data? a. During a SQL injection attack on the web application. b. If e-commerce or privacy data is entered into the web application. c. During penetration testing of the web application. d. If there is cross-site scripting in the web application.
If e-commerce or privacy data is entered into the web application.
Which of the following is a security countermeasure that could be used to protect your production SQL databases against injection attacks? a. Avoid encrypting the data elements that reside in long-term storage of the SQL database. b. Avoid writing scripts for SNMP network management alerts. c. Ignore error messages that do not clear the User ID box. d. Monitor your SQL databases for unauthorized or abnormal SQL injections.
Monitor your SQL databases for unauthorized or abnormal SQL injections.
Which type of attack is triggered by the victim? a. Persistent cross-site scripting attack b. Non-persistent cross-site scripting attack c. Damn vulnerable cross-site scripting attack d. Reflected cross-site scripting attack
Persistent cross-site scripting attack
Which of the following allows valid SQL commands to run within a web form? a. SQL Injection b. Cross-site scripting (XSS) c. JavaScript coding d. HTML coding
SQL Injection
Which Web application attack is more likely to extract privacy data elements out of a database? a. SQL Injection attack b. Non-persistent cross-site scripting attack c. Persistent cross-site scripting attack d. Damn vulnerable attack
SQL Injection attack
In the lab, what did you do before attempting the script tests that exposed the vulnerabilities? a. Set the security level of DVWA to low. b. Set the security level of Damn Vulnerable Web Application (DVWA) to high. c. Set the security level of penetration testing to low. d. Set the security level of penetration testing to high.
Set the security level of DVWA to low.
Web application developers and software developers are responsible for: a. ensuring regular backups of the database are performed. b. the secure coding and testing of their application. c. regular penetration testing. d. developing industry standards and compliance regulations.
the secure coding and testing of their application.
Which of the following statements is true regarding SQL Injection attacks? a. They are one of the rarest types of web attacks. b. Their likelihood can be reduced through regular testing. c. Their likelihood cannot be reduced through secure software development practices. d. They are extremely difficult to prevent.
Their likelihood can be reduced through regular testing.
Which of the following statements is true regarding cross-site scripting (XSS) attacks? a. Their likelihood cannot be reduced through secure software development practices. b. They are extremely difficult to prevent. c. Their likelihood cannot be reduced through regular testing. d. They are one of the most common web attacks.
They are one of the most common web attacks.
Database developers and administrators are responsible for: a. the secure coding and testing of their application. b. regular penetration testing. c. ensuring regular backups of the database are performed. d. developing industry standards and compliance regulations.
ensuring regular backups of the database are performed.
Often hackers will use ____________ to make the scripts even harder to detect. a. cross-site scripting b. cleartext c. SQL Injection d. hexadecimal character strings
hexadecimal character strings
In a ___________ attack, the attacker attempts to use scripting commands in the URL itself, or through a device such as a web form, to gain administrator or some other elevated level of user privileges in an attempt to force the victim's server to display the desired data on-screen. a. stored cross-site scripting b. persistent cross-site scripting c. non-persistent cross-site scripting d. damn vulnerable cross-site scripting
non-persistent cross-site scripting
No production web application, whether it resides inside or outside the firewall, should be implemented without: a. cross-site scripting and security hardening. b. SQL injection and security hardening. c. JavaScript testing and security hardening. d. penetration testing and security hardening.
penetration testing and security hardening.
In a _____________ attack, data that can modify how applications or services operate is downloaded (stored) onto the targeted server. a. damn vulnerable cross-site scripting b. persistent cross-site scripting c. non-persistent cross-site scripting d. reflected cross-site scripting
persistent cross-site scripting