Chapter 6: Secure Coding

Ace your homework & exams now with Quizwiz!

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have? De-referencing A race condition An insecure function Improper error handling

A race condition

Which one of the following software development models focuses on the early and continuous delivery of software? Waterfall Agile Spiral Butterfly

Agile

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place? Cross-site request forgery Server-side request forgery Command injection Buffer overflow

Buffer Overflow

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance? Code signing Code endorsement Code encryption Code obfuscation

Code Signing

Every time Susan checks code into her organization's code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this? Continuous integration Continuous delivery A security nightmare Agile development

Continuous Delivery

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in? Test Development Staging Production

Development

Joe's adventures in web server log analysis are not yet complete. As he continues to review the logs, he finds the request http://www.mycompany.com/../../../etc/passwd What type of attack was most likely attempted? -SQL injection -Session hijacking -Directory traversal -File upload

Directory transversal

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser? Reflected XSS Stored XSS Persistent XSS DOM-based XSS

Dom-Based XSS

Kevin would like to ensure that his software runs on a platform that is able to expand and contract as needs change. Which one of the following terms best describes his goal? Scalability Elasticity Cost effectiveness Agility

Elasticity

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report? Improper error handling Code exposure SQL injection A default configuration issue

Improper handling because it exposed data to users

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples: http://www.mycompany.com/servicestatus.php?serviceID=1 http://www.mycompany.com/servicestatus.php?serviceID=2 http://www.mycompany.com/servicestatus.php?serviceID=3 http://www.mycompany.com/servicestatus.php?serviceID=4 http://www.mycompany.com/servicestatus.php?serviceID=5 http://www.mycompany.com/servicestatus.php?serviceID=6 What type of vulnerability was the attacker likely trying to exploit? -Insecure direct object reference -File upload -Unvalidated redirect -Session hijacking

Insecure direct object reference

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server? Man-in-the-middle Session hijacking Buffer overflow Meet-in-the-middle

Man-in-the-middle

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted? -Cross-site scripting -Session hijacking -Parameter pollution -Man-in-the-middle

Parameter pollution

Precompiled SQL statements that only require variables to be input are an example of what type of application security control? Parameterized queries Encoding data Input validation Appropriate access controls

Parameterized queries use prebuilt SQL statement to prevent SQL attacks

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns? - Using secure session management - Enabling logging on the database - Performing user input validation - Implementing TLS

Performing input validation

Which one of the following is not an advantage of database normalization? Preventing data inconsistencies Preventing injection attacks Reducing the need for database restructuring Making the database schema more informative

Preventing Injection Attacks

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful? Session ticket Session cookie Username User password

Session cookie

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting? Mutation testing Static code analysis Dynamic code analysis Fuzzing

Static Code Analysis

Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting? Timing-based SQL injection HTML injection Cross-site scripting Content-based SQL injection

Timing-based SQL injection

What data minimization technique replaces personal identifiers with unique identifiers that may be cross-referenced with a lookup table? Tokenization Hashing Salting Masking

Tokenization


Related study sets

Python Programming Unit 2 Module 2

View Set

Bacterial STDs, Sexually Transmitted Disease

View Set