ITIS 4421 Final Review
Which of the following is NOT useful for mitigating credential exposure for cloud based applications?
Use TLS/HTTPS
What is the main purpose of the certification authority in the public key infrastructure (PKI)?
Verify the real-world identity of the owner of a given public key
How could an attacker obtain the session token to launch session hijacking attack?
- Path manipulation to gain access to files with current sessions - Forced browsing of logs - Use a man-in-the-middle attack to defeat HTTPS protection
AES RSA SHA-512 MD5
AES - Symmetric key encryption algo RSA - Public key encryption algo SHA-512 - Hashing algo MD5 - Broken hashing algo
Which of the following are related to preventing direct object reference attacks?
Assign ids to resources
When during the application development process should threat modeling be performed?
Before designing the application
According to the responsible disclosure policy, the software owner has two weeks to respond to a report of a potential vulnerability in a software product.
False
Application security risk is determined by the combination of: vulnerability, how easy to find and exploit the vulnerability.
False
CSRF attacks can be used to phish login credentials
False
CSRF attacks may be used to obtain session ids and use them in session hijacking attacks
False
Clickjacking can be used to exploit an access control vulnerability.
False
Control Flow Integrity shuffles stack addresses
False
Data Execution Prevention (DEP) is generated by compiler by default
False
Security control can be effectively placed on both client side as well as the server side of the application.
False
Session hijacking can be used to perform keylogging attacks.
False
Which of the following scenarios should be considered in identifying threat trees?
NOT THESE TWO Security risk Leakage of sensitive information
Find all steps that appear in the standard model for penetration testing.
Scanning Reconnaissance Covering tracks
A sink rule in static analysis corresponds to part of
Security sensitive operations
How would an attacker launch a XSS attack?
Send JavaScript via links in email Insert malicious JavaScript into databases via SQL injection
Which of the following can lead to leakage of stored sensitive information?
Session Hijacking SQL injection Path manipulation
Which of the following attacks can be stopped by network firewall?
Session hijacking SQL injection XSS None (Correct)
Session hijacking may be used by an attacker to steal sensitive information.
True
The integrity of the stack guard is checked at run time.
True
A source rule in static analysis corresponds to part of
Trust boundary
Which of the following might be logged to monitor attacks on application?
- Password reset requests - IP addresses of incoming traffic - Successful and failed login attempts
Which statements about Address Space Layout Randomization (ASLR) is/are true?
- A given library may be at different memory locations for different applications - It makes it difficult for an attacker to write automated scripts to exploit buffer overflow vulnerabilities
Which of the following are attacks on access control?
- Access token manipulation - Direct object reference - SQL injection
Which statements about program analysis is/are true?
- Binary analysis can discover violation of using vulnerable libraries - Symbolic execution requires source code - Model checking is difficult to scale to complex applications
What are common attacks against object deserialization?
- Change access permission to gain privileged access - Command injection - XSS
What are valid examples of security risks introduced by a software component?
- Component has a command interpreter leading to command injection risks - Component has a failure to sanitize data
Which of the following about access control is true?
- Compromise of access tokens, such as JWT, is often due to incorrect use of cryptography - Forced browsing is a common technique to exploit a direct object reference vulnerability - The access control problem is about provisioning subjects with access rights to objects
Which of the following are best practices with respect to using XML?
- Consider switching to JSON - Disable reading external references in XML parser
What are best practices for access control?
- Do not hard-code authorization logic in the application - Use an authorization provisioning service that can be provisioned dynamically - Do not make sensitive web pages available to the internet; dispatch to these pages after ascertaining authorization - Use capability-based authorization
What are good practices to reduce security risks introduced by using software components?
- Execute the application in a container with a least-privilege configuration - Disable unused functions if possible - Track vulnerabilities in components and keep up with security updates
Which of the following techniques might be used to exploit an access control vulnerability?
- Forced browsing - Path manipulation
Why is capability-based dynamic access provisioning a preferred way to implement access control?
- Hard-coded access control policy is difficult to maintain - Access control requirements change frequently
Which of the following is/are commonly associated with a use after free vulnerability?
- Heap spray attack - Attack program written in JavaScript - Attack program written in C
What suspicious events should be investigated to mitigate against attacks on applications?
- High frequency of invalid input - Access of sensitive information - High frequency of denied access - Change / removal of logs
Which of the following are best practices of access control?
- Implement dynamic provisioning of access control capabilities for different subjects - Access control checks should be performed as many times as necessary without undue concern about redundancy
What are best practices to handle exceptions?
- Include a "finally" block to release unneeded resources - Do not print sensitive information, including stack traces, as part of the exception handler - Release resources no longer needed as part of exception handling
Which of the following is/are legitimate reasons for false negatives in static analysis results?
- Incomplete knowledge of source rules - Pointer aliasing - Incomplete knowledge of sink rules
In modern web-based applications, what roles does the API gateway play?
- It can store session data for applications - It provides the option of rate limiting the number of API requests for a given entity - It can be configured to provide an authentication service - All access requests must be routed through the API gateway to ensure access control
Which statements about stack guard is/are true?
- It is generated by a compiler by default - Integrity of the stack guard is checked at run time - Uses a bit pattern referred to as a "digital canary"
Which statements about Control Flow Integrity (CFI) is/are true?
- It mitigates return-oriented programming (ROP) attacks - It incurs runtime overhead
Which of the following issues are relevant for cybersecurity laws and ethics in the international arena?
- Lack of boundary between cyber warfare and cyber crime - Incompatible laws and legal systems - Differences in cultural values - International treaties regarding proper conduct in the cyber arena
What are best practices for applying least privilege for application security?
- Least privilege for Java applications can be enforced through a policy by the JVM - Specify a security policy for the application that is enforced by the container
What are best practices for authentication?
- Multi-factor authentication - Do not set default logins - Limit unsuccessful attempts - Encourage use of lengthy passphrases and emoji
Which of the following are part of the code ethics for electronic civil disobedience?
- No damage to lives and property - Take personal responsibility - Correct! Ethical motive
Which of the following about application configuration is true?
- One should provide a catch-all exception handler for all unhandled exceptions in a Java program to mitigate insecure default exception handling - One should change all default passwords upon application installation - Whenever possible, features should be turned off by default
Which of the following concepts are related to access control?
- Relationship between subject, object and access action - Defense in depth design - Authentication of subject - Default access credentials
What might an attacker be able to achieve by exploiting a buffer overflow vulnerability?
- Remote shell command execution - Remove files from the server - Escalate privilege via remote code execution - Steal sensitive information
What attack techniques are most likely used to achieve horizontal privilege escalation?
- Replay attack - Forced browsing
What attack techniques are most likely used to achieve vertical privilege escalation?
- Replay attack - Forced browsing
Which of the following are true about the Threat Modeling process?
- Results of threat modeling can be used to develop penetration testing plans - Threat modeling should consider laws and regulations that impact the application - Context diagram, Data Flow Diagram decomposition and application architecture are often used to set the stage for threat modeling
Which statements about sandbox is/are true?
- A sandbox can be used to implement isolation of applications - A sandbox enforces access policies through the use of API hooking - A sandbox can be used to enforce least privilege for an application through the use of policies
Which statements is/are true?
- Static analysis cannot identify timing-related vulnerabilities - Dynamic analysis is mostly agnostic to programming languages - Static analysis leads to less expensive bug fixes because it detects vulnerabilities earlier in the development cycle - Both static analysis and dynamic analysis can have high false positives and false negatives
What is the difference between pattern matching based on program structure and regex string matching?
- Structural analysis can differentiate the name of a method from a constant value - It is easier to write a regex than to write structural analysis rules - Structural analysis is based on the program grammar
Which of the following are part of the responsible disclosure policy?
- Technology owner monitors emails reporting vulnerabilities - Security researcher should give the technology owner a chance to fix vulnerabilities before publicly disclosing them - Security researcher can publicly disclose vulnerabilities if the technology owner uses an auto response for the vulnerability reported - Technology owner has five business days to respond to vulnerability reports
Suppose function read_profile(userId, profileId) retrieves the user profile identified by profileId. Which of the following access control checks must be performed?
- The user represented by userId has read access to the profile represented by profileId - profileId represents a profile of the user represented by userId - userId represents a user that is authenticated
What are best practices to prevent session hijacking?
- Time out inactive logins - Set HttpOnly on the session id cookie - Use a high-quality random number generator to generate session tokens - Use HTTPS for all web traffic
Which of the following is/are legitimate reasons why source code is required for static analysis?
- To perform taint propagation - To identify constants - To trace control flow
Which of the following is/are legitimate reasons for false positives in static analysis results?
- Unreachable code for application input - Incomplete knowledge of cleansing rules
What are best practices for using good encryption methods?
- Use well established algorithms and protocols - Verify certificate principles - Use strong random number generators - Check revocation lists
Which of the following are true regarding XML external entity reference?
- XXE can be used to carry out SSRF - XXE can be used to perform reconnaissance of network targets
Which of the following would enable an attacker to modify the content of your database?
Clickjacking SQL injection Cross site request forgery
Which of the following is true about encryption, hashing, and encoding?
An encrypted message can be decrypted with the encryption key; one cannot recover the original message from a message hash; encoding can be reversed by decoding
Match security problems to principles/categories that address them
Confidentiality violation - Disclosure of trade secret Integrity violation - Forgery of company earnings report Availability violation - Denial of service attack
Match the following in the context of threat modeling
Context diagram - Identify external entities that work with the application Level one Data Flow Diagram - Identify high-level application modules and data stores Physical architecture - Identify key infrastructure components to implement the application
A cleansing rule in static analysis corresponds to part of
Data sanitization
Match security measures that can mitigate misconfigurations in cloud-based applications
Default credentials - Structural static analysis patterns Internet facing remote access - Shodan searches Publicly accessible data storage - Disable public access by default for cloud storage
Which of the following are the best strategies to present your XSS finding?
Demonstrate how it can be used for phishing - Demonstrate how it can be used to steal passwords through key logging
Identify the best phases during software development where certain security vulnerabilities are best addressed.
Design vulnerabilities - Application requirements Coding vulnerabilities - Application development Integration vulnerabilities - Application integration
Which of the following are appropriate for a security researcher to resolve the above discussed ethical dilemma in conducting security research?
Educate the general public about security vulnerabilities Answer Frame research activities as education Educate technology owners to fix vulnerabilities responsibly
Which of the following are common types of security vulnerabilities?
Human vulnerability Application vulnerability Configuration vulnerability
Which statements about Data Execution Prevention (DEP) is/are true?
It is enforced by the OS by default
Which of the following is/are legitimate reasons for risk prioritization of static analysis results and delaying the fix of a vulnerability?
Low business impact
What are components for a successful implementation of information security in an enterprise?
Mature process Response to successful cyber attacks Detection of attacks Technology deployment
Is the following a complete list of key justifications for digital civil disobedience: ethical cause, no harm to properties, and nonviolence?
No
In the context of Security First, which of the following is part of Reconnaissance?
Parameter manipulation
Match appropriate attack techniques that can be used to deliver XSS attack payloads,
SQL injection - Stored XSS attack Stored XSS attack - Phishing Reflective XSS attack - Phishing
Which of the following can lead to successful breach of encrypted information against websites using HTTPS?
Steal private key of the website Man-in-the-middle to defeat encryption Falsify information to obtain digital certificate from a root CA
Attackers may perform reconnaissance on your website by changing parameters using a man-in-the-middle proxy.
True
Which of the following are components of the ethical dilemma facing a security researcher?
The public good of vulnerability discovery and disclosure User agreement prohibiting pentesting
Clickjacking, coupled with social media sites, can lead to identifying users browsing anonymously.
True
Covering tracks is a step in the standard penetration testing model by an attacker
True
Cross site request forgery attack can be used to modify settings of your web account
True
Effective application security controls must be placed on the server side of the application.
True
End-to-end encryption must be used throughout a website to prevent session hijacking attacks.
True
Every known software vulnerability will eventually be assigned a CVE number
True
Programs written in Java are not susceptible to use after free attacks because Java does automatic garbage collection.
True
SQL injection vulnerability could be used to launch reflective cross site scripting attack.
True
Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob know h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(bob-pub,k), X=SymE(k,A), H=SymE(k, h(A)).
This does not work because Alice cannot recover the decryption key k as she does not know Bob's private key.
Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob know h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(bob-pri,k), X=SymE(k,A), H=PubE(alice-pub, h(A)).
This does not work because this message can be read by anyone.
Alice and Bob are strangers. Alice wants Bob to send her a private message A and be able to verify the integrity of the message. What should Bob do? (h() is a hash function and assume both Alice and Bob know h()). Bob generates an encryption key k and relies on PKI to send Alice X, Y, H where Y=PubE(alice-pub,k), X=SymE(k,A), H=SymE(k,h(A)).
This works
A SQL vulnerability can be used to launch phishing attacks.
True
A justification for releasing information about an unpatched vulnerability is that it is the best way to educate the public, provided the software vendor has been given the chance to provide a patch.
True
A stored XSS vulnerability can be exploited to launch phishing attacks.
True
Address Space Layout Randomization (ASLR) is on by default on all major operating systems
True
An attacker may be able to obtain valid session ids in logs by exploiting an access control vulnerability
True
What attack techniques can be used to perform key logging?
XSS