ITIS 4421 Final Review

Which of the following is NOT useful for mitigating credential exposure for cloud based applications?

Use TLS/HTTPS

What is main purpose of the certification authority in the public key infrastructure (PKI)?

Verify the real world identify of the owner of a given public key

How could an attacker obtain the session token to launch session hijacking attack?

- Path manipulation to gain access to files with current sessions - Forced browsing of logs - Use man-in-the-middle attack defeat https protection

AES RSA SHA-512 MD5

AES - Symmetric key encryption algo RSA - Public key encryption algo SHA-512 - Hashing algo MD5 - Broken hashing algo

Which of the following are related to preventing direct object reference attacks?

Assign ids to resources

When during the application development process should threat modeling be performed?

Before designing the application

According to the responsible disclosure policy, the software owner has two weeks to respond to a report of a potential vulnerability in a software product.

False

Application security risk is determined by the combination of: vulnerability, how easy to find and exploit the vulnerability.

False

CSRF attacks can be used to phish login credentials

False

CSRF attacks may be used to obtain session ids and use them in session hijacking attacks

False

Clickjacking can be used to exploit an access control vulnerability.

False

Control Flow Integrity shuffles stack addresses

False

Data Execution Prevention (DEP) is generated by compiler by default

False

Security control can be effectively placed on both client side as well as the server side of the application.

False

Session hijacking can be used to perform keylogging attacks.

False

Which of the following scenarios should be considered in identifying threat trees?

NOT THESE TWO Security risk Leakage of sensitive information

Find all steps that appear in the standard model for penetration testing.

Scanning Reconnasance Covering tracks

A sink rule in static analysis corresponds to part of

Security sensitive operations

How would an attacker launch a XSS attack?

Send JavaScript via links in email Insert malicious JavaScript into databases via SQL injection

Which of the following can lead to leakage of stored sensitive information?

Session Hijacking SQL injection Path manipulation

Which of the following attacks can be stopped by network firewall?

Session hijacking SQL injection XSS None (Correct)

Session hijacking may be used by an attacker to steal sensitive information.

True

The integrity of the stack guard is checked at run time.

True

A source rule in static analysis corresponds to part of

Trust boundary

Which of the following might be logged to monitor attacks on application?

- Password reset requests - IP addresses of incoming traffic - Successful and failed login attempts

Which statements about Address Space Layout Randomization (ASLR) is/are true?

- A given library may be at different memory locations for different applications - It makes it difficult for an attacker to write automated scripts to exploit buffer overflow vulnerabilities

Which of the following are attacks of access control?

- Access token manipulation - Direct object reference - SQL injection

Which statements about program analysis is/are true?

- Binary analysis can discover violation of using vulnerable libraries - Symbolic execution requires source code - Model checking is difficult to scale to complex applications

What are common attacks against object deseirializaiotn?

- Change access permission to gain privileged access - Command injection - XSS

What valid examples for security risks introduced by a software component?

- Component has a command interpreter leading to command injection risks - Component has a failure to sanitize data

Which of the following about access control is true?

- Compromise of access tokens, such as JWT, are often due to incorrect use of cryptography - Forced browsing is a common technique to exploit direct object reference vulnerability - Access control problem is about provisioning subjects with access rights to objects

Which of the following are best practices of with respect of using XML?

- Consider switching to JSON - Disable reading external references in XML parser

What are best practices for access control?

- Do not hard code logic for authorization in the application - Use authorization provision service that can be provisioned dynamically - Do not make sensitive web pages available to the internet, dispatch to these pages after ascertaining authorization - Use capability based authorization

What are good practices to reduce security risks introduced by using software components?

- Execute application in a contain with least privilege configuration - Disable unused functions if possible - Track vulnerabilities in components and keep up security updates

Which of the following techniques might be used to exploit an access control vulnerability?

- Forced browsing - Path manipulation

Why capability-based dynamic access provision is a preferred way to implement access control?

- Hard-coded access control policy is difficult to maintain - Access control requirements change frequently

Which of the following is/are commonly associated with a use after free vulnerability?

- Heap spray attack - Attack program written in Javascript - Attack program written in C

What suspicious events should be investigated to mitigate against attacks on applications?

- High frequency of invalid input Access of sensitive information - High frequency of denied access - Change / removal of logs

Which of the following are best practices of access control?

- Implement dynamic provisioning of access control capabilities for different subjects - Access control checks should be performed as many times as necessary without over concerns for redundancy

What are best practices to handle exceptions?

- Include a "finally" block to release unneeded resources - Do not print sensitive information, including stack traces as part of exception handler - Release resources no longer needed as part exception handeling

Which of the following is/are legitimate reason for false negatives in static analysis results

- Incomplete knowledge of source rules - Pointer aliasing - Incomplete knowledge of sink rules

In modern web-based applications, what roles does the API gateway play?

- It can store session data for applications - Providing the option of rate limiting the number of API requests for a given entity - It can be configured to provide authentication service - All access requests must be routed through the API gateway to ensure access control

Which statements about stack guard is/are true?

- It is generated by a compiler by default - Integrity of the stack guard is checked at run time - Uses a bit pattern referred to as a "digital canary"

Which statements about Control Flow Integrity (CFI) is/are true?

- It mitigates returned oriented programming (ROP) attacks - It incurs runtime overhead

Which of the following issues are relevant for cybersecurity laws and ethics in the international arena?

- Lack of boundary between cyber warfare and cyber crime - Incompatible laws and legal systems - Difference in cultural values - Internal treaties regarding proper conduct in the cyber areana

What are best practices for applying least privilege for application security?

- Least privilege for java applications can be enforced through a policy by JVM - Specify security policy for the application enforced by the container container

What are best practices for authentication?

- Multi-factor authentication - Do not set default logins - Limit unsuccessful attempts - Encourage use lengthy passphrase and emoji

Which of the following are part of the code ethics for electronic civil disobedience?

- No damage to lives and property - Take personal responsibility - Correct! Ethical motive

Which of the following about application configuration is true?

- One should provide an catch all exception handler for all unhandled exceptions in a Java program to mitigate unsecure default exception handling - One should change all default passwords upon application installation - Whenever possible, features should be turned off by default

Which of the following concepts are related to access control?

- Relationship between subject, object and access action - Defense in depth design - Authentication of subject - Default access credentials

What an attacker might be able to achieve by exploiting a buffer overflow vulnerability?

- Remote shell commend execution - Remove files from the server - Escalate privilege via remote code execution - Steel sensitive information

What attack techniques are most likely used to achieve horizontal privilege escalation?

- Replay attack - Forced browsing

What attack techniques are most likely used to achieve vertical privilege escalation?

- Replay attack - Forced browsing

Which of the following are true about the Threat Modeling process?

- Results of threat modeling can be used to develop penetration testing plans - Threat modeling should consider laws and regulations that impact the application - Context diagram, Data Flow Diagram decomposition and application architecture are often used to set the stage for threat modeling

Which statements about sandbox is/are true?

- Sandbox can be used to implement isolation of applications - Sandbox enforces access policies through the use of API hooking - Sandbox can be used enforce least privilege for an application through use of policies

Which statements is/are true?

- Static analysis cannot identify timing related vulnerabilities - Dynamic analysis is mostly agnostic to programming languages - Static analysis lead to less expensive bug fix because it detects vulnerabilities earlier in the development cycle - Both static analysis and dynamic analysis can have high false positives and false negatives

What is the difference between pattern matching based on program structure and regex string matching?

- Structural analysis can differentiate the name of a method from a constant value - t is easier to write regex than to write structural analysis rules - Structural analysis is based on program grammar

Which of the following are part of the responsible disclosure policy?

- Technology owner monitor emails reporting vulnerabilities - Security researcher should give technology owner a chance to fix vulnerabilities before publicly disclosing them - Security researcher can publicly disclose vulnerabliities if the technology owner uses auto response for the vulnerability reported. - Technology owner has five business days to respond vulnerability reports

Suppose function read_profile(userId, profileId) retrieves the user profile identified by the profileID. Which of the following access control checking must be performed

- The user represented by the userId has read access to the profile represented by the profileId - The profileID represents a profile of the user represented by userId - The userid represents a user that is authenticated

What are best practices to prevent session hijacking?

- Time out for inactive logins - Set httponly for session id - Use high quality random number generator to generate session tokens - Use HTTPS for all web traffice

Which of the following is/are legitimate reason why source code is required for static analysis

- To perform taint propagation - To identify constants - To trace control flow

Which of the following is/are legitimate reason for false positives in static analysis results

- Unreachable code for application input - Incomplete knowledge of cleansing rules

What are best practices for using good encryption methods?

- Use well established algorithms and protocols - Verify certificate principles - Use strong random number generators - Check revocation lists

Which of the following are true regarding XML external entity reference?

- XXE can be used to carry out SSRF - XXE can be used to perform reconnaissance of network targets

Which of following would enable the attacker to modify content of your database?

Clickjacking SQL injection Cross site request forgery

Which of the following is true about encryption, hashing, and encoding is true?

Encypted message can be decrypted by encyrption key, one canot recover original message from a message hash, encoding can be reversed by decoding

Match security problems to principles/categories that address them

Confidentiality violation - Disclosure of trade secret Integrity violation - Forgery of company earning report Availability violation - Denial of service attack

Match the following in the context of threat modeling

Context diagram Identify external entities that work with the application Level one Data Flow Diagram Identify high level application modules and data stores Physical architecture Identify key infrastructure components to implement the application

A cleansing rule in static analysis correspond to part of

Data sanitization

Matching security measures that can mitigate misconfigurations in cloud based applications

Default credentials Structural static analysis patterns Internet facing remote access Shodan searches Publicly accessible data storage Disable public access by default for cloud storage

Which of the following are best strategy to present your XSS finding?

Demonstrate how it can be used for phising Demonstrate how it can be used to steal password through key logging

Identify the best phases during software development where certain security vulnerabilities are best addressed.

Design vulnerabilities Application requirements Coding vulnerabilities Application development integration vulnerabilities Application integration

Which of the following are appropriate for a security researcher to resolve the above discussed ethical dilemma in conducting security research?

Educate general public of security vulnerabllities Answer Frame research activities as education Educate technology owners to fix vulnerabilities responsibly

Which of the following are common types of security vulnerabilities?

Human vulnerability Application vulnerability Configuration vulnerability

Which statements about Data Execution Prevention (DEP) is/are true?

It is enforced by the OS by default

Which of the following is/are legitimate reason for risk prioritization of static analysis results and delay fixing a vulnerability

Low business impact

What are components for a successful implementation of information security in an enterprise?

Mature process Response to successful cyber attacks Detect of attacks Technology deployment

Is the following a complete list of key justifications for digital civil disobedience: ethical cause, no harm to properties, and nonviolence?

No

In the context of Security First, which of the following is part of Reconnaissance?

Parameter manipulation

Match appropriate attack techniques that can be used to deliver XSS attack payloads,

SQL injection - Stored XSS attack Stored XSS attack - Phishing Reflective XSS attack - Phishing

Which of the following can lead to successful breach of encrypted information against websites using HTTPS?

Steal private key of the website Man-in-the-middle to defeat encryption Falsify information to obtain digital certificate from a root CA

Attackers may perform reconnaissance on your website by changing parameters using a man-in-the-middle proxy.

True

Which of the following are components of the ethical dilemma facing a security researcher?

The public good of vulnerability discovery and disclosure User agreement prohibiting pentesting

Clickjacking, coupled with social media sites, can lead to identifying users browsing anonymously.

True

Covering tracks is a step in the standard penetration testing model by an attacker

True

Cross site request forgery attack can be used to modify settings of your web account

True

Effective application security controls must be placed on the server side of the application.

True

End-to-end encryption must be used throughout a website to prevent session hijacking attacks.

True

Every known software vulnerability will eventually be assigned a CVE number

True

Programs written in Java are not susceptible to use after free attacks because Java does automatic garbage collection.

True

SQL injection vulnerability could be used to launch reflective cross site scripting attack.

True

Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob knows h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(bob-pub,k), X=SymE(k,A), H=SymE(k, h(A)).

This does not work because Alice cannot recover the decryption key k as she does not know Bob's private key.

Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob knows h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(bob-pri,k), X=SymE(k,A), H=PubE(alice-pub, h(A)).

This does not work because this message can be read by anyone.

Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob knows h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(alice-pub,k), X=SymE(k,A), H=SymE(k,h(A)).

This works

A SQL vulnerability can be used to launch phishing attacks.

True

A justification for releasing information about an unpatched vulnerability is that it is the best way to educate the public, provided the software vendor has been given the chance to provide a patch.

True

A stored XSS vulnerability can be exploited to launch phishing attacks.

True

Address Space Layout Randomization (ASLR) are by default on all major operating systems

True

An attacker may be able obtain valid session ids in logs by exploiting an access control vulnerability

True

What attack techniques can be used to perform key logging?

XSS