IS3445 CHAP 6 MITIGATING WEB SITE RISKS, THREATS, AND VULNERABILITIES Flashcards Preview


Flashcards in IS3445 CHAP 6 MITIGATING WEB SITE RISKS, THREATS, AND VULNERABILITIES Deck (29)
1
Q

___ is a protocol primarily responsible for the authentication and integrity verification of data packets.

A

(AH) Authentication Header

2
Q

___ is the result when an attacker compromises authentication credentials, gaining access to all resources associated with those credentials.

A

Broken authentication

3
Q

___ exploits the trust a Web site has for a user’s browser. This can occur because once a visitor is authenticated and logged onto a particular Web site, that site trusts all requests that come from the browser.

A

(CSRF) Cross-site request forgery attack

4
Q

___ is a protocol that provides encryption services to network data. It can also be used for authentication and integrity services. This differs from AH authentication in that this protocol includes only the header, trailer, and payload portions of a data packet.

A

(ESP) Encapsulating Security Payload

5
Q

___ occurs when an attacker browses unprotected areas and data on a Web server. This attack is enabled by Web applications that fail to restrict vulnerabilities.

A

Failure to restrict URL access attack

6
Q

___ is the exploitation by an attacker of information found or gathered which was intended only for authorized users.

A

Information leakage

7
Q

___ enables an attacker to bypass an application’s access controls and create, change, delete, or read any data the application can access.

A

Injection flaw attack

8
Q

___ is the verification of all data that is received. This helps prevent malicious data from entering an application. This is a form of filtering in which unexpected or unwanted input is automatically rejected and the underlying database remains inaccessible.

A

Input validation

9
Q

___ is a threat that occurs when an administrator fails to secure directories and folders in a Web server. It enables an attacker to traverse through a Web server’s directories, leading to the access of sensitive resources and information leakage.

A

Insecure direct object reference vulnerability

10
Q

___ is an organization that researches and publishes known security threats to Web applications and Web services.

A

(OWASP) Open Web Application Security Project

11
Q

___ uses social engineering to initiate an XSS attack. This uses a malicious script that is embedded in a URL link to target a single victim.

A

Reflected XSS attack

12
Q

___ is the standard security technology for establishing an encrypted link between a Web server and a Web browser. This link ensures that all data passed between the Web server and browsers remains private and intact.

A

(SSL) Secure Sockets Layer

13
Q

___ is a security agreement between two systems on a network that enables the secure exchange of data.

A

(SA) Security association

14
Q

___ is the tracking of requests and communications between a Web server and a user. Because HTML is “stateless” by design, Web applications and Web sites must create a session to pass information and authentication from page to page.

A

Session

15
Q

___ is a type of attack designed to break through database security and access the information.

A

SQL injection attack

16
Q

___ is an attack that embeds malicious script into a Web page that permits and stores user-supplied content, such as a social networking site or an online forum, where it will be accessible to multiple potential victims. The victim retrieves the malicious script from the Web server when it requests the stored information.

A

Stored XSS attack

17
Q

___ is a type of attack in which the attacker changes the appearance of a Web site. The attacker might replace a company’s home page, for example, with a Web page that displays messages from the attacker.

A

Web site defacement

18
Q

___ is an attack in which malicious scripts are saved to a Web server but run in a client browser. If the script code is executed, the attacker gains access to personal data on the Web server or the victim’s personal computer.

A

XSS attack

19
Q
Reflected and stored are types of XSS attacks.

TRUE OR FALSE

A

TRUE

20
Q
An attack has occurred on your network. An attacker was able to traverse several files and folders, looking for sensitive data. What type of attack has occurred?
  1. Insecure direct object reference
  2. XSS
  3. CSRF
  4. Injection flaw

A

Insecure direct object reference

21
Q
AH is the protocol within IPSec used for encryption services.

TRUE OR FALSE

A

FALSE

22
Q
As network administrator, you are concerned with the plain text transmission of sensitive data on the network. Which of the following protocols are used to help secure communications? (Select three)
  1. IPSec
  2. HTTP
  3. SSL
  4. IKE

A

IPSec

SSL

IKE

23
Q
To increase network security, you have decided to use HTTPS on your shopping cart site. Which of the following ports does HTTPS use?
  1. 80
  2. 53
  3. 443
  4. 51

A

443

24
Q
___ and AH are used to secure IPSec transmissions.

A

Encapsulating Security Payload or ESP

25
Q
CSRF attacks exploit the trust a Web site has for a user’s Web browser.

TRUE OR FALSE

A

TRUE

26
Q
Kerberos is a(n) ___ protocol.

A

Authentication

27
Q
To increase overall communication security, you decide to implement 3DES encryption. Which of the following statements is true of 3DES?
  1. Its key length is 168 bits
  2. It cannot be used in a Windows-based environment
  3. It uses 128 bit encryption
  4. It has to be used with Kerberos

A

Its key length is 168 bits

28
Q
You are concerned about a cross-site request forgery attack. Which of the following can you do to help prevent such an attack?
  1. Ensure antivirus protection is up to date
  2. Log out of Web sites when finished
  3. Use stronger passwords
  4. Encrypt stored passwords

A

Log out of Web sites when finished

29
Q
To establish IPSec encryption, two hosts must create a shared key with each other before SA negotiations can take place.

TRUE OR FALSE

A

FALSE