IAW-P2

B. Registry keys

36) Which of the following objects is most susceptible to an insecure direct object reference attack? A. Nonpersistent cookies B. Registry keys C. Conditional constructs D. GET/POST parameters

D. Accessing a resource without authorization.

37) Which of the following vulnerabilities is most likely to occur due to an insecure direct object reference attack? A. Executing commands on the server. B. Impersonating any user on the system. C. Modifying SQL data pointed to by the query. D. Accessing a resource without authorization.

A. Use session-based indirection.

38) Which of the following is the best way to mitigate the threat of an insecure direct object reference attack? A. Use session-based indirection. B. Use POST parameters instead of GET parameters. C. Use a regular expression. D. Send successful logins to a well-known location instead of automatic redirection.

A. True

39) State whether the following statement is True or False. Time of Check Time of Use (TOCTOU) occurs if the authorization check is performed on one page of a Web site and the resource is used on a different page. A. True B. False

B. Insecure direct object reference

40) Your Web application stores information about many accounts. Which threat is your Web application susceptible to if you can manipulate the URL of an account page to access all accounts? A. Cross-site request forgery B. Insecure direct object reference C. Cross-site scripting D. Injection

B. Insecure direct object reference

41) Which of the following threats is most likely to be caused by poor input validation? A. Enabling of IPSec B. Insecure direct object reference C. Insecure cryptographic storage D. Insufficient transport layer protection

A. Cross-site request forgery

42) Which threat is most likely to occur when a POST parameter performs an operation on behalf of a user without checking a shared secret? A. Cross-site request forgery B. Insecure direct object reference C. Cross-site scripting D. Injection

A. Elevation of privilege

43) Which of the following is the most common result of a cross-site request forgery? A. Elevation of privilege B. Disabled security features C. Enabling of IPSec D. Misconfigured security features

D. Cross-site request forgery

44) An attacker lures a victim to malicious content on a Web site. A request is automatically sent to the vulnerable site which includes victim's credentials. Which attack is most likely to occur in this scenario? A. Injection B. Cross-site scripting C. Insecure direct object reference D. Cross-site request forgery

B. False

45) State whether the following statement is True or False. The downside of a nonce is that it needs to be stored on the client. A. True B. False

D. Timestamp

46) What should you add to an HMAC to ensure that the secret value is unique for each request? A. Salt B. Nonce C. Session ID D. Timestamp

C. Don't include secrets in the URL.

47) Which of the following practices should you observe in order to implement defense-in-depth techniques against CSRF attacks? A. Use GET parameters B. Use automatic redirection. C. Don't include secrets in the URL. D. Resubmit POST parameters during redirection.

B. False

48) State whether the following statement is True or False. HTTP GET parameters limit the types of manipulation a malicious user can perform on the victim to forge a request. A. True B. False

B. Failure to disable default accounts

49) Which of the following mistakes is most often associated with a security misconfiguration threat? A. Cross-site request forgery B. Failure to disable default accounts C. Bad cryptography D. Unsafe key storage

B. Security misconfiguration

50) You have not yet applied some recent service packs and updates to your Web application. Which of the following threats is your Web server susceptible to? A. Injection B. Security misconfiguration C. Insecure cryptographic storage D. Cross-site request forgery

A. Add or remove network segments.

51) Which of the following is the best way to reevaluate your environment and address new threats? A. Add or remove network segments. B. Use the white-list validation of allowed input technique. C. Use custom cryptographic algorithms. D. Use your browser to forge unauthorized requests.

A. Disable unnecessary features.

52) Which of the following procedures are involved in the hardening process? A. Disable unnecessary features. B. Resubmit POST parameters during redirection. C. Repeat the process at random intervals. D. Update the environment with changes only when needed.

A. Your application may not work as expected.

53) Which of the following consequences is most likely to result if your production environment does not match your development, testing, and staging environments? A. Your application may not work as expected. B. Testing your application may take a long time. C. Your application may be expensive to administer. D. Your application may have too many configuration files.

A. Unsalted hash

54) Which of the following can result in insecure cryptography? A. Unsalted hash B. Unused services C. Default accounts D. Rotating keys frequently

B. Unsalted hash

55) Which of the following is most likely to result in insecure cryptography? A. Unused services B. Unsalted hash C. New products D. Missing patches

B. Insufficient cryptographic protocols

56) Which of the following may result in cryptographic weakness? A. Failure to restrict URL access B. Insufficient cryptographic protocols C. Missing patches D. Unnecessary/unused services or features

C. IPSec

57) Which of the following protocols is a network layer encryption protocol? A. HTTP B. EFS C. IPSec D. Kerberos

A. Complexity

58) Which of the following factors helps you secure keys? A. Complexity B. Session-based indirection C. Escaping D. Encryption

B. Digital signature

59) Which of the following combines public-key cryptography with a cryptographic hash? A. Nonce B. Digital signature C. SSL D. Salt

C. Attackers invoke functions and services they have no authorization for.

60) Which of the following depicts the typical impact of failure to restrict URL access? A. Attackers perform man-in-the-middle attacks. B. Attackers impersonate any user on the system. C. Attackers invoke functions and services they have no authorization for. D. Attackers perform all actions that the victims themselves have permission to perform.

D. Use your browser to forge unauthorized requests.

61) Which of the following actions should you take to test the security of your Web application? A. Use policy mechanisms. B. Use a simple and positive model at every layer. C. Set the secure flag on session ID cookies. D. Use your browser to forge unauthorized requests.

B. SSL

62) Which of the following should you use to protect the connections between the physical tiers of your application? A. EFS B. SSL C. HTTP D. Kerberos

B. Enable SSL

63) Which of the following is the best way to implement transport layer protection? A. Install IDS B. Enable SSL C. Set the HttpOnly flag on session ID cookies D. Perform client-side validation.

D. Bypassed authorization checks

64) Which of the following is most likely to result from unvalidated redirects and forwards? A. Brute force attack B. Network sniffing C. Man-in-the-middle attack D. Bypassed authorization checks

A. Validate the referrer header.

65) Which of the following is the best way to protect a Web application from unvalidated redirects and forwards? A. Validate the referrer header. B. Use extended validation certificates. C. Use the escaping technique. D. Disallow requests to unauthorized file types.

C. Use weblogs to identify redirects and forwards

66) Which of the following is the best way to detect unvalidated redirects and forwards? A. Use internal transfers without authorizing the user for target URL B. Use your browser to forge unauthorized requests C. Use weblogs to identify redirects and forwards D. Use policy mechanisms

A. True

67) State whether the following statement is True or False. Most security issues are related to input and a user's ability to interact with and control input. A. True B. False

A. True

68) State whether the following statement is True or False. If user input can be confused for instructions in the language or the way the language is applied, then the language is vulnerable to an injection attack. A. True B. False

A. When user input is echoed back to the user in HTML

69) In which of the following scenarios should you use the escaping technique? A. When user input is echoed back to the user in HTML B. When you need to validate any input as valid input C. When you are trying to protect against regular expression injection D. When you need to tell the interpreter that input is code

A. Use an allow list, such as table indirection.

70) Which of the following is the best way to prevent unvalidated redirect and forwards vulnerabilities? A. Use an allow list, such as table indirection. B. Use client-side validation. C. Allow only absolute redirects. D. Use session-based indirection.
