Application Security Final

Extending Burp functionality is possible through the use of extensions. Which extension type is not supported in Burp?

.NET

Which attack commonly associated with phishing can a WAF protect against?

Cross Site Scripting

Select the technical safeguards associated with HIPAA 164 subpart C Administrative safeguards that is not a standard.

Encryption

Implementing whitelisting on the server for validation is one of the best ways to prevent XXE attacks.

False

Broken access control affects Auth-Z

True

By the year 2020 there will be more devices than people in use worldwide.

True

In XML, a Tag begins with < and ends with >

True

The parameterized query statement SqlCommand() is used to bind variables in which language?

.NET

Order the threat modeling process.

1. Draw your picture 2. List all elements 3. Ask specific questions

AWS Lambda is defined as the following:

A serverless, event-driven, computing platform that runs code in response to events

Identify all the components from which CloudWatch can consume log information:

AWS Lambda Amazon ECS Amazon EC2

PCI-DSS prohibits storage of the following data element:

CAV2/CVC2/CVV2/CID

The following Common Weakness Enumeration (CWE) listings provides the basis for broken access control?

CWE-284 Improper Access Control

Which control type do applications rely on to obfuscate or hide information from the end user?

Client-side Controls

Identify the 2nd step in integrated management:

Configuration management

WAF protection mechanisms includes the following: (select all that apply)

Cookie Protection Session Management Protection

The dynamic application trend includes the following components except:

Customer behavior is very predictable

Information in a database should be protected according to content. Which item is key to this process?

Data Classification

Select all the valid threat modeling question catagories:

Data Flow Data Stores Processes

Which SQL Injection impact is difficult to detect and posses the greatest integrity risk to the business?

Data modification

Which two of the the listed backend systems are potentially vulnerable to injection?

Database Web Server

Where should TLS be used? Select the most correct answer.

Everywhere

The increasing complexity trend includes the following components except:

Generalization in the persistence tier

Identify the proper order for the centralized logging example given in the presentation:

Identify the proper order for the centralized logging example given in the presentation:

In addition to implementing the principle of least privilege on the database, the following can serve as a checklist to secure the application server.

Implement ASVS controls

List 2 STRIDE attack types that are applicable to a TLS connection between and end user and web server. Reference examples in presentation.

Information Disclosure Tampering

Securing a Host includes the following areas except

Input Validation

What does TLS provide the user? Select three.

Integrity, Confidentiality, Authenticity

Logging without monitoring is:

Is an ineffective control due to the lack of processing and classification

XML document formats include all of the following except:

JSON

In a reflected XSS attack an attacker sends a link to the user (victim) that contains an XSS payload. Which delivery mechanism is commonly used to deliver the payload?

Phishing Email

Information Disclosure Tampering

Spoofing

What does TLS stand for?

Transport Layer Security

Billion Laughs Attack expands a 1 KB block of XML to roughly 3 GB of memory.

True

This type of query is resilient to SQL Injection

parameterized query

The Billion Laughs Attack is this type of attack:

Denial of Service

Bulletin Boards and Forums are common ways to inject a reflected XSS attack variant

False

Companies that perform monthly penetration tests should be confident their web applications are secure 24/7.

False

Which compliance standard involves the removal of personal data and is quite challenging to implement?

GDPR

The COBIT framework was created by which organization?

ISACA

A typical Cross Site Scripting (XSS) attack includes: (multiple answers)

Session Stealing Account Takeover

Select the implementation specification associated with HIPAA 164 subpart C Administrative safeguards that is not required.

Password management

Which of the following is not considered a typical development environment problem?

Platform Vulnerabilities

What types of questions should be asked? Choose four.

Process questions External Entity Questions Data flow questions Data Store questions

What are the current parts for the development of threat models? Choose three.

STRIDE Data Flow Diagrams Threats

What does SSL stand for?

Secure Sockets Layer

Automated tools contribute to an easy level of exploitability for the cross-site scripting (XSS) vulnerability

True

Insecure Direct Access References can disclose private data

True

Insecure Direct Object References represents a horizontal or lateral access control vulnerability

True

In order to assess current vulnerabilities, the following resources would be used except:

exploit-db.com website

The XML tag that enables DTD inclusion, required to execute a XXE attack is:

!DOCTYPE

The User-Agent request header provides the following information to the server Except:

Accepted Encoding type

Which of the following represents a true statement about the TLS Protocol

Both Symmetric and Asymmetric encryption are used

A WAF is implemented as a software appliance only

False

DTD stands for Data Type Definition

False

This type XSS attack variant does not persist.

Reflected

Which of the following data flows would represent the highest risk for the contents of the data store?

User <> firewall <> Web Server <> firewall <> database

Which of the OWASP Top 10 categories would the following fit into? Software is unsupported or out of date

Using components with known vulnerabilities

This WAF feature allows a customer to shorten the window of exposure while fully testing the remediation methods.

Virtual Patching

This scanner detects vulnerable javascript libraries as a command line tool or browser plug-in?

retire.js

Which of the following HTTP response codes indicates the issue is with the client request.

404 not found

An example of an application protection framework is the following:

AppSensor

A Web Application Firewall operates at which OSI Layer?

Application

Injected SQL queries run under the context of which account?

Application Account

________ is one of the main factors driving the need for Web Application Firewalls

Developers not incentivized to develop secure code

Which of the following represents the greatest impact to developer security habits and mindset?

Developers rarely receive formal security training in school or on the job

A user with administrative privileges should always use a single account for both user and administrative tasks to reduce the amount of accounts and account management tasks.

False

ASCII is designed to convert international writing systems into browser readable text

False

HTTPS should only be used on web pages that pass username and password information

False

Known vulnerabilities and corresponding fixes can be found at cve.mitre.org

False

More privileges can be revoked through the Dynamic SQL DB Query Method than the Stored Procedure DB Query Method

False

OWASP is a commercial company focused application security

False

Per OWASP, the attack vector exploitability rating for Insecure Deserialization is AVERAGE

False

SQL Injection is the only form of injection attack available to a hacker

False

Software security assurance is not practical in an agile development model

False

Symmetric Cryptography uses a public and private key to encrypt data.

False

The AWS WAF cannot be deployed with AWS CloudFront

False

The HttpOnly parameter for the set-cookies header tells the browser to allow the use of client side JavaScript to send the cookie

False

User IDs are case sensitive according to authentication guidelines.

False

When patching a development stack like LAMP it is not important to consider the interdependences between the operating system, database, web server, and application platform.

False

Which of the following web application components represents optional functionality in a typical end-to-end solution?

Firewall

Industry standards based on Extensible Markup Language or XML include:

HL7

Which two previous OWASP vulnerabilities were merged to create current OWASP top ten vulnerability of Broken Access Control?

Insecure Direct Object References Missing Function Level Access Control

Which of the following challenges represents the greatest security threat to the Internet?

Internet of Things

What does HTTP Strict Transport Security provide to the user?

It forces the browser to only make HTTPS connections to the server.

Why is an accurate data flow diagram important for threat modeling?

It shows the input and output to everything that can be attacked.

Select the 2 options available within AWS to provide logging and monitoring.

Lamda Cloudwatch

Which of the following is not a Cross Site Scripting Attack Payload type?

Log deletion

The following are all examples of Insufficient Logging and Monitoring.

Logs are only stored locally Auditable events, such as failed logins, are not logged Vulnerability scanning tools do not trigger alerts

The current compliance standard governing publicly traded companies is the following:

None of the above

Open source XSS attack tools include which of the following?

Pineapple

Which SSL attack signaled the death of SSL 3.0?

Poodle

AWS WAF Managed Rules are...

Preconfigured rule sets including OWASP Top 10 available for an additional cost

Which of the following is NOT an authentication guideline for email addresses?

Requires SMTP/TLS connection

PCI-DSS includes the following goals except which of the following?

Restrict physical access to cardholder data

DTD is the oldest XML schema going back to which standard?

SGML

Which intercepting proxy functionality is not available within the Burb Community edition? (Functionality is grouped by tab in the burp user interface)

Scanner

A comprehensive data classification taxonomy represents a core requirement in defending against this vulnerability.

Sensitive Data Exposure

Which of the following components is most secure based on proximity to the "trusted" core?

Servers

Which functionality within Burp produces a site map after it is run?

Spider

According to the PCI-DSS survey in the reading material, which of the following activities put cardholder data at the highest risk?

Storage of payment card numbers

Which of the following headers is required to implement HTTP Strict Transport Security?

Strict-Transport-Security

Which attack types make up STRIDE?

Tampering Information disclosure Elevation of Privilege Spoofing Denial of Service Repudiation

API security can provide access to monitoring and transformation applications through JSON, REST, and SOAP.

True

Center for Internet Security provides over 500 security benchmarks for popular operating systems.

True

Components typically run with the same privileges as the application itself

True

DOM XSS attacks are triggered when a victim interacts with a web page without causing the page to reload.

True

HTTPS provides verification of server identity via a X.509 certificate

True

Keystroke loggers can take the form of software or a hardware device

True

Known vulnerabilities and corresponding fixes can be found at nvd.nist.gov

True

One option for certificate pinning is to carry a copy of the server's public key.

True

Parameterized Queries perform data type checking on parameter values and limits scope of user input

True

Setting the X-Frame-options header is a defensive setting to prevent Cross Site Scripting

True

Shodan is a tool for scanning Internet of Things (IoT) devices worldwide.

True

String building allows untrusted data to be inserted into a database query

True

Two behaviors that can introduce access control weakness are Specification and Enforcement

True

Using an intercepting proxy to index a web application produces a site map.

True

Utilizing an intercepting proxy like Burp provides visibility to detailed web application traffic and information not visible to the end user in the browser.

True

Web Application Firewalls use signatures to identify threats similar to malware and virus detection software.

True

When remediating source code is not an immediate option a virtual patch can be deployed to protect an application.

True

XSS Attack Payload Types include Session hijacking

True

What is the best way to discover sample or default functionality of a web server?

Use Burp Intruder and a fuzzing list such as FuzzDB.

The COBIT framework was created by which organization?

WorldCom Enron

This component is required to use an intercepting proxy successfully when interacting with secure (HTTPS) web sites.

X.509 Certificate

Select a technique that is used for discovering hidden web content in addition to using spider functionality.

burp

URLs can contain parameters that are visible in the address bar such as: http://mysite.com/listing/?type=2&location=OH Name a tool that can be used to manipulate these parameters before they are sent back to the web site.

burp

When assessing a newly released vulnerability it is most important to...

determine if the vulnerability applies to components in your environment (i.e. Apache, MySQL, etc.)

These two activities are essential to assessing current applications for vulnerabilities (SELECT TWO)

scan for vulnerabilities regularly Subscribe to security bulletins

Which HTML tag is often used to inject an XSS attack? < .... >

script