Chapter 14: Summarizing Secure Application Concepts
Which phase occurs immediately following the transition phase in the Agile model of a Software Development Lifecycle (SDLC)? A.) Production B.) Inception C.) Iteration D.) Retirement
A
This is a means of testing that an application's input validation routines work well. The test, or vulnerability scanner, generates large amounts of deliberately invalid and random input and records the application's responses.
Fuzzing
This exploits vulnerabilities on the server-side script and is one of the most powerful input validation exploits. It involves a trusted site, a client browsing the trusted site, and the attacker's site.
Reflected attack
This is a design flaw that can cause the application security system to be circumvented, or will cause the application to crash.
Vulnerability
This occurs through the use of a block of code from elsewhere in the same application, or from another application, to perform a different function.
Code Reuse
In this environment, (test) code from multiple developers is merged to a single master copy and subjected to several basic unit and functional tests. These tests aim to ensure the code builds correctly and fulfills the functions according to design requirements.
Integration environment
An employee is attempting to install new software they believe will help them perform their duties faster. When the employee tries to install the software, an error message is received, stating they are not authorized to install the software. The employee calls the help desk for assistance. Evaluate the principles of execution control to conclude what has most likely occurred in this scenario. A.) The company is utilizing allow list control, and the software is included in the list. B.) The software is malicious, and execution control has identified the virus and is blocking the installation. C.) The company is utilizing allow list control, and the software is not included in the list. D.) The company is utilizing block list control, and the software is not included in the list.
C
Identify the type of attack that occurs when the outcome of an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. A.) Stack overflow B.) Heap overflow C.) Race conditions D.) Dynamic Link Library (DLL) injection
C
Which cookie attribute can a security admin configure to help mitigate a request forgery attack? A.) Secure B.) HttpOnly C.) SameSite D.) Cache-Control
C
This divides the creation and maintenance of software into discrete phases. There are two principal SDLCs: the waterfall model and Agile development.
Software Development Lifecycle (SDLC)
Code developers de-conflict coding with one another during which phase of the software development life cycle (SDLC)? A.) Continuous integration B.) Continuous delivery C.) Continuous validation D.) Continuous monitoring
D
Evaluate the phases of the waterfall model to determine which statement is demonstrating the maintenance phase. A.) The tasks a software must perform are captured. B.) A software's architecture and structure are designed. C.) A software is checked for compliance against the goals. D.) A software is deployed in the target environment.
D
This is not a vulnerability of an application but of the way the operating system allows one process to attach to another and then force it to load a malicious link library.
Dynamic Link Library (DLL) injection
This tests the application under "real world" conditions using a staging environment.
Dynamic analysis
This is an area of memory allocated by the application. This overflow can overwrite variables stored in the heap with unexpected effects.
Heap Overflow
Malware running with system or root level privilege is referred to as a ____________, which gives an attacker unrestricted access to everything from the root of the file system down.
rootkit
This is the principal means of proving the authenticity and integrity of code.
Code signing
This modifies the content and layout of a web page and exploits client-side scripts.
Document Object Model (DOM)
This forces a browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping. Cache-control sets whether the browser can cache responses.
HTTP Strict Transport Security (HSTS)
This attack passes invalid data to the application. Since the input handling on the routine is inadequate, it causes the application or even the operating system, to behave in an unexpected way.
Input Validation Attack
This ensures that an application can appropriately handle the data entered into a field or variable in the application. It occurs when a script takes data passed to it by some other process. Client-side code, server-side code, or both, can perform input validation.
Input validation
This attack causes the target software to calculate a value that exceeds bounds that are set by the software.
Integer overflow
This phase of the waterfall model includes deploying the system to the target environment and ensuring that it is operating correctly.
Maintenance Phase
In this environment, the application is released to end users.
Production environment
Which of the following statements differentiates between input validation and output encoding? A.) Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts. B.) Input validation is a server-side validation method, while output encoding is a client-side validation method. C.) Output encoding is a server-side validation method, while input validation encoding is a client-side validation method. D.) Input validation forces the browser to connect using HTTPS only, while output encoding sets whether the browser can cache responses.
A
Which method might an attacker use to redirect login via information gained by implementing JavaScript on a webpage the user believes is legitimate? A.) Man-in-the-Browser (MitB) B.) Confused deputy C.) Reflected D.) Clickjacking
D
This is a rogue WAP masquerading as a legitimate one. It can capture user logon attempts, allow man-in-the-middle attacks, and allow access to private information.
Evil twin
Set the _____________ attribute to make the cookie inaccessible to document object model/client-side scripting.
HttpOnly
This is a general purpose scripting language used to create and control dynamic website content.
JavaScript
These attacks occur when the web browser is compromised by installing malicious plugins or scripts or intercepting API calls between the browser process and a Dynamic Link Library (DLL).
Man-in-the-Browser (MitB)
This attack compromises the web browser. An attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code.
Man-in-the-Browser (MitB)
This means that a string is stripped of illegal characters or substrings, and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines. An attacker may use a canonicalization attack to disguise the nature of malicious input.
Normalization
This encoding occurs when a script passes data to another script. It ensures it is not passing any malicious "script" contents.
Output encoding
This is the preferred method of performing Windows administration tasks, which also makes it a go-to toolkit for hackers. Most usage is founded on cmdlets. A cmdlet is a compiled library that exposes some configuration or administrative task.
PowerShell
This is a popular language for implementing a variety of development projects, including automation tools and security tools, as well as malicious scripts.
Python
This occurs when the outcome of an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Race conditions
This phase of the waterfall model includes capturing everything that the system must do and the levels to which it must perform.
Requirement Phase
This is a common attack vector against a Linux host, where a victim host opens a connection to the attacking host through a maliciously spawned remote command shell.
Reverse shell
In this attack, the attacker modifies basic SQL functions by adding code to some input the app accepts, causing it to execute the attacker's SQL queries or parameters.
SQL injection
Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the _______________ attribute to control where a cookie may be sent, mitigating request forgery attacks.
SameSite
Both reflected and stored Cross-Site Scripting (XSS) attacks exploit __________________ scripts.
Server-side
This involves replaying a web application cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network.
Session hijacking
This is an area of memory used by a program subroutine. It includes a return address which is the location of the program that called the subroutine. An attacker could use a buffer overflow to change the return address.
Stack Overflow
In this environment, a mirror of the production environment is used, but may only use test or sample data with additional access controls, so it is only accessible to test users.
Staging environment
This phase of the waterfall model ensures the implementation meets the requirements and design goals.
Verification phase
This can be designed to perform code execution and input validation. An example is a document object model (DOM) script to render the page using dynamic elements from user input.
Web Application
This is a vulnerability that is exploited before the developer knows about it or can release a patch to address it. These can be extremely destructive as it can take the vendor a lot of time to develop a patch.
Zero-day Exploit
Data submitted via ___________________________________ with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code.
extensible markup language (XML)
This is one means of engineering a null pointer dereference exception.
race condition
This list is a default-deny policy, meaning that only authorized processes and scripts are allowed to run.
Allow list
A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate? A.) Effective exception handling B.) Dynamic code analysis C.) Minimizing data exposure D.) Web application validation
A
A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker creates. A.) An attacker changes the return address of an area of memory used by a program subroutine. B.) An attacker overwrites an area of memory allocated by an application to store variables. C.) An attacker exploits unsecure code with more values than an array expects. D.) An attacker causes the target software to calculate a value that exceeds the set bounds.
A
All of the following scripting languages are procedural, EXCEPT: A.) regex B.) PowerShell C.) JavaScript D.) Python
A
An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use? A.) The attacker added LDAP filters as unsanitized input by creating a condition that is always true. B.) The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message. C.) The attacker embedded a request for a local resource via XML with no encryption. D.) The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker's query.
A
Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF). A.) XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code. B.) XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector. C.) XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the document object model (DOM) script. D.) XSRF is a server-side exploit, while XSS is a client-side exploit.
A
This is a type of variable designed to store multiple values. It is possible to create an array index overflow by exploiting unsecure code to load the array with more values than it expects.
An array
A hacker compromises a web browser and uses access to harvest credentials users input when logging in to banking websites. What type of attack has occurred? A.) Evil twin B.) Man-in-the-Browser C.) Session hijacking D.) Clickjacking
B
An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred? A.) Man-in-the-Browser (MitB) B.) Reverse shell C.) Rootkit D.) Session hijacking
B
Analyze types of vulnerabilities and summarize a zero-day exploit. A.) A design flaw that can cause the application security system to be circumvented. B.) A vulnerability that is capitalized on before the developer knows about it. C.) An attack that passes invalid data to an application. D.) An attack that passes data to deliberately overflow the buffer that the application reserves to store the expected data.
B
Compare and contrast the types of Cross-Site Scripting (XSS) attacks, and select the option that accurately distinguishes between them. A.) Reflected and stored XSS attacks exploit client-side scripts, while the DOM is used to exploit vulnerabilities in server-side scripts. B.) Reflected and stored XSS attacks exploit server-side scripts, while the DOM is used to exploit vulnerabilities in client-side scripts. C.) Reflected and DOM attacks exploit server-side scripts, while a stored attack exploits vulnerabilities in client-side scripts. D.) Nonpersistent and persistent attacks exploit client-side scripts, while the DOM is used to exploit vulnerabilities in server-side scripts.
B
Which scenario simulates code in the test environment? A.) A developer checks out a portion of code for editing on a local machine. B.) Code from multiple developers is merged to a single master copy. C.) The code is utilized on a mirror of the production environment. D.) The application is released to end users.
B
Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters? A.) Fuzzing B.) Canonicalization C.) Code reuse D.) Code signing
B
This list is a default-allow policy that prevents the execution of listed processes and scripts. It is vulnerable to software exploits not previously labeled as malicious.
Black list
In this vulnerability, the attacker passes data to deliberately overfill the buffer that the application reserves to store the expected data.
Buffer Overflow
A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack? A.) The attacker created a null pointer file to conduct a dereferencing attack. B.) The attacker programmed a dereferencing attack. C.) The attacker programmed a null pointer dereferencing exception. D.) The attacker created a race condition to perform a null pointer dereferencing attack.
C
Evaluate the phases of the Agile model within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the production phase. A.) Devising an application's initial scope and vision for the project. B.) Prioritizing the requirements and work through the cycles of designing, developing and testing. C.) Testing an application to ensure the solution operates effectively. D.) Perform the final integration and testing of the solution.
C
This is an attack characterized by the difference between what a user sees and trusts as a web application login page or form, and the reality that the page or form contains a malicious layer or invisible iFrame, allowing an attacker to intercept or redirect user input.
Clickjacking
In this attack, the user sees and trusts what appears to be a web application login page or form, but it contains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input.
Clickjacking attack
Examine each of the following statements and determine which most accurately compares allow list and block list control practices. A.) An allow list depends on security clearance levels, while a block list depends on the primacy of the resource owner. B.) A block list operates on a default-deny policy, while an allow list is a default-allow policy. C.) A block list depends on the primacy of the resource owner, while an allow list depends on security clearance levels. D.) An allow list operates on a default-deny policy, while a block list is a default-allow policy.
D
Identify the type of attack that causes an application to behave in an unexpected way, as a result of passing invalid data to the application. A.) Buffer overflow B.) Race conditions C.) Zero-day exploit D.) Input Validation
D
Select the correct simulation of the testing phase in terms of secure software development. A.) A security analyst determines the security needs. B.) A systems engineer identifies threats and controls. C.) A software developer performs a white box analysis. D.) A security expert performs a gray box analysis.
D
This is a fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls.
Data exposure
This occurs when a pointer variable stores a memory location and the program attempts to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash.
Dereferencing
This phase of the waterfall model includes developing a system architecture and unit structure that fulfills the requirements.
Design phase
In this environment the code is hosted on a secure server. Each developer checks out a portion of code for editing on a local machine. The local machine will normally be configured with a sandbox for local testing.
Development environment
Set the _____________________ attribute to prevent a cookie from being sent over unencrypted HTTP.
Secure