Module 10: Hacking Web Servers
Why should security professionals have at least a little knowledge about the Apache Web Server?
Apache Web Server is said to run more Web servers than IIS.
What tool included with Kali Linux allows you to intercept traffic between the web browser and the server so you can inspect and manipulate requests before sending them to the server?
Burp Suite
Which of the following is the interface that determines how a Web server passes data to a Web browser?
CGI
How can developer tools be used by attackers?
Developer tools allow an attacker to tamper with and resend requests.
Which of the following application tests analyzes a running application for vulnerabilities?
Dynamic Application Security Testing
Exploits posted on the Packet Storm website and Exploit Database website are often added to which plug-ins?
Metasploit
Which of the following programming languages was originally used primarily on UNIX systems, but is used more widely now on many platforms, such as Macintosh and Windows?
PHP
Why is creating a virtual directory recommended?
Virtual directories enhance security.
To keep attackers from knowing the directory structure you create on an IIS web server, an individual should create what?
Virtual directory
How does the Wapiti vulnerability scanner work?
Wapiti uses two methods when scanning: "fuzzing" and searching for known vulnerabilities.
What type of useful tools can a security tester find available in both Firefox and Chrome Web browsers?
Developer tools
Which JavaScript function is a "method" or sequence of statements that perform a routine or task?
getElementById()
What element is used in an HTML document to allow customers to submit information to the web server?
<form>
How do CGI and ASP.NET differ?
CGI can be implemented with a scripting language such as Perl to create dynamic webpages.
When an application needs to undergo troubleshooting, developers can enable debugging, which provides rich logging information helpful to diagnose issues. Which statement about the debugging mode is true?
No information or only a generic message should be displayed to users in error cases that require debugging.