Lesson 6 - Exploiting Application- Based vulnerabilities

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Which of the following are examples of code injection vulnerabilities?

All of these

Which of the following is NOT an example of a vulnerable application that you can use to practice your penetration testing skills?

All of these

Which of the following statements about clickjacking are true?

All of these are correct

Which of the following is true about business logic flaws?

Business logic flaws enable an attacker to use legitimate transactions and flows of an application in a way that results in negative behavior or outcome

Which of the following is NOT true about cross-site request forgery(CSRF or XSRF) attacks?

CSRF attacks typically affect applications(or websites) that rely on digital certificates that have been expired or forged

What type of vulnerability can be exploited with the parameters used in the following URL?

CSRF or XSRF

Which of the following is a tool that can be used to enumerate directories and files in a web application?

DirBuster

What type of vulnerability or attack is demonstrated in the following URL (https://store.h4cker.org/buyme/?page-../../../../../ect/passwd)

Directory(path) traversal

What type of vulnerability can be triggered by using the parameters in the following URL? (https://store.h4cker.org/?search=cars&results=207search=bikes)

HPP

What type of vulnerability can be triggered by using the parameters in the following URL? (http://web.h4cker.org/changepassd?user=chris)

Insecure Direct Object Reference

Which of the following is NOT an example of an HTTP method?

REST

Which of the following is a type of attack that takes place when a system or an application attempts to perform two or more operations at the same time?

Race condition

LFI vulnerabilities occur when a web application allows a user to submit input into files or upload files to the server. Successful exploitation could allow an attacker to perform which of the following operations?

Read and (in some cases) execute files on the victim's system

What type of vulnerability or attack is demonstrated in the following URL?

Remote file inclusion

Which of the following is a mitigation technique for preventing clickjacking attacks?

Replacing an older X-Frame-Options or CSP frame ancestors

Consider the following string (Ben' or ' '1' = '1') This string is an example of what type of attack?

SQL injection

Which of the following is a modern framework of API documentation and development and the basis of OAS, which can be very useful in helping pen testers to get insight into an API?

Swagger

Which of the following statements is NOT true about cookie manipulation attacks?

The best practice to avoid cookie manipulation attacks is to dynamically write to cookies using data originating from untrusted sources.

Which of the following is NOT true regarding the session ID?

The session ID(or token) is temporarily equivalent to the strongest authentication method used by an application prior to authentication

Software developers should escape all characters(including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent what type of attack?

XSS

What type of vulnerability can be triggered by using the following string?

XSS


Ensembles d'études connexes

Eco Exam 2 wrong answers to study

View Set

Strategic Management Test 1 (Ch 1-7)

View Set

Calculating Z-scores for Confidence Intervals

View Set

Amazon Machine Learning (ML) and Artifical Intelligence (AI)

View Set

RN learning system medical surgical: immune and infectious practice

View Set

Introduction to Sociology Ch. 10

View Set

日本語総まとめN2第4週の語彙

View Set