FINAL EXAM

Question 1

What is a common pattern observed in Business Logic Vulnerabilities (BLVs)?

Answer 1

Exploiting functionality not originally designed to be secure

Question 2

Name three architectural mitigations for Business Logic Vulnerabilities (BLVs).

Answer 2

• Use worst-case scenario planning during design phases
• Collaborate with stakeholders to anticipate abusive user behavior
• Avoid assumptions about user intent or benign interaction

Question 3

How can statistical modeling and monitoring help detect Business Logic Vulnerabilities (BLVs)?

Answer 3

• Collect and analyze user interaction data
• Model user inputs and expected outcomes to detect anomalies
• Use behavior analytics to flag deviations from standard use cases

Question 4

Describe Prototype Pollution as a client-side attack.

Answer 4

__PROTO__ can be altered, to override built-in functions, often used to escalate privileges.

Question 5

What is Clickjacking and how is it typically achieved?

Answer 5

Clickjacking involves tricking users into clicking hidden or disguised UI elements. This is often done via iframes and CSS opacity manipulation, such as using a malicious overlay that submits a hidden form

Question 6

What is the primary security risk associated with accepting user input into a website?

Answer 6

cross-site scripting (XSS) and SQL injection

Question 7

What are some general guidelines and practices for handling user input securely?

Answer 7

• Do not rely solely on client-side validation
• Ensure server-side validation
• Use whitelisting and blacklisting
• Assume all input is malicious
• Sanitize your input

Question 8

What is an RFC (Request for Comments)?

Answer 8

Document that describes acceptable syntax for various inputs like email addresses, URLs, and XML

Question 9

Name the key technologies and systems commonly used to build a functional website.

Answer 9

HTML, CGI scripts, JavaScript, and a SQL database back-end

Question 10

What is a major security concern with HTML, and how can it be exploited by malicious users?

Answer 10

HTML was not created with security in mind. Malicious users can insert their own <form> tags to create fake forms to steal data or run malicious scripts

Question 11

How can you help prevent attacks leveraging HTML vulnerabilities?

Answer 11

• Monitor discussion groups to identify untrustworthy data input
• Ensure input is validated
• Check HTML code periodically for malicious code
• Verify the size of the file, as a change in size can indicate a problem

Question 12

What is the purpose of Common Gateway Interface (CGI), and how can it be secured?

Answer 12

CGI defines how a web server interacts with databases/documents/programs. To secure it:
• Program CGI with security in mind
• Research known vulnerabilities
• Review programs and patch as needed
• Validate and sanitize user input

Question 13

While JavaScript can execute arbitrary code when a page loads, what are some built-in security features it provides regarding the client computer’s file system?

Answer 13

JavaScript cannot write/delete files or directories on a client computer. There is no file object or file access function for JavaScript

Question 14

What types of attacks are common against a SQL database back-end, and what is a common mitigation approach?

Answer 14

Common attacks: SQL injection, brute-force attacks. Mitigations: access control, encryption, role-based authentication, integrity verification

Question 15

What is the difference between the Software Development Life Cycle (SDLC) and the Secure Software Development Life Cycle (SSDLC)?

Answer 15

SDLC focuses on functionality and performance; SSDLC includes security at every phase of development

Question 16

Name some key security considerations to incorporate during the ‘Systems analysis’ and ‘Designing’ stages of the SDLC.

Answer 16

Systems analysis: identify potential threats (e.g., injection, overflow)
Designing: establish a secure foundation with threat assessment and mitigation

Question 17

What are key security practices developers should incorporate during the ‘Implementation’ stage of the SDLC?

Answer 17

Input validation, strong encryption, secure data handling, authentication, error handling

Question 18

What types of security testing are performed during the ‘Testing’ stage of the SDLC?

Answer 18

Testing for privilege, injection, error handling, directory traversal, and penetration testing

Question 19

Why is HTTPS preferred over HTTP for sensitive web communications?

Answer 19

HTTPS uses SSL/TLS to encrypt and authenticate communications, protecting against interception

Question 20

In the context of SSL/TLS, what is the purpose of hashing algorithms? Name two significant hashing algorithms mentioned.

Answer 20

Hashing ensures data integrity. Examples: SHA1, MD5 (MD5 has known vulnerabilities)

Question 21

What is access control in web applications, and what criteria can it be based on?

Answer 21

Access control regulates user access based on factors like IP, time of day, or browser; uses authentication and authorization

Question 22

Name some causes of information disclosure in web applications.

Answer 22

Hardcoded API keys, visible internal content, insecure configs, design flaws causing error messages

Question 23

How can the impact of information disclosure be assessed, and what is more important to focus on?

Answer 23

Focus on how leaked data can be used; assess risk by potential impact, not just presence

Question 24

Name four methods to prevent information disclosure.

Answer 24

• Review third-party tools
• Awareness training
• Generic error messages
• Secure configurations
• QA code audits

Question 25

What is the main purpose of general data privacy laws for websites?

Answer 25

To regulate how personal data is collected, stored, and used, and define compliance responsibilities

Question 26

According to GDPR, what are some key rights users must have regarding their personal data collected by a website?

Answer 26

• Consent and retraction • Access to data • Breach notification within 72 hours

Question 27

Name three 'lawful basis' reasons defined by GDPR for collecting, processing, or storing a user's personal information.

Answer 27

Consent, Legal obligation, Legitimate interest

Question 28

What information must a website's privacy policy provide according to the California Privacy Rights Act (CPRA)?

Answer 28

• Data collected • Who has access • Access/modify rights • DNT requests • Policy updates and revision history

Question 29

What is required regarding terms and conditions for e-commerce websites?

Answer 29

Must formalize interaction between user and site, become binding once notified, outline mutual rights

Question 30

What is the Payment Card Industry Data Security Standard (PCI DSS)? Is it a law?

Answer 30

A security standard for cardholder data. Not a law but required for merchants to process cards

Question 31

What is Strong Customer Authentication (SCA), required by PSD2 for transactions in the European Economic Area (EEA)?

Answer 31

Requires two-factor authentication for online payments to enhance security and reduce fraud

Question 32

Name three common types of malware mentioned in the sources.

Answer 32

Viruses, Worms, Trojans, Rootkits, Spyware, Ransomware

Question 33

What are some technical methods for preventing email attacks?

Answer 33

Email tracking, filtering, disclaimers, blocking, message archiving

Question 34

Name three best practices for mitigating online risks and threats when connecting to the internet.

Answer 34

Update systems, use antivirus, encrypt data

Question 35

What are the three main areas often targeted by hackers looking for web application vulnerabilities?

Answer 35

Authentication, Input validation, Session management

Question 36

According to the CERT top 10 tips for secure coding, what is a key principle regarding default access?

Answer 36

Deny access by default

Question 37

What principle should be used when designing or writing with JavaScript to provide a secure environment for executing mobile code?

Answer 37

Prefer to have obviously no flaws than no obvious flaws

Question 38

What is Software Configuration Management (SCM), and what are some of its advantages?

Answer 38

SCM tracks software changes. Advantages: prevent unauthorized changes, control, quality assurance

Question 39

Name three threats listed in the OWASP Top 10 Threats.

Answer 39

Broken access control, Injection, Security misconfiguration (others include cryptographic failure, SSRF)

Question 40

What is the mitigation strategy for Broken Access Control vulnerabilities according to OWASP?

Answer 40

Principle of least privilege

Question 41

What OWASP Top 10 threat is also known as sensitive data exposure, and what is a key mitigation strategy?

Answer 41

Cryptographic failures. Mitigation: encrypt sensitive data, use secure protocols, avoid outdated crypto

Question 42

What type of attack is a common example of an Injection flaw, and what is its mitigation?

Answer 42

SQL Injection. Mitigation: least privilege and input validation

Question 43

How can security misconfigurations lead to vulnerabilities, and what are some mitigations?

Answer 43

Admins may misuse defaults or misconfigure systems. Mitigations: audits, product training, lifecycle reviews

Question 44

What are some indicators of vulnerable and outdated components, and how can this threat be mitigated?

Answer 44

Missing patches, unmanaged software. Mitigation: inventory, patching, CVE tracking

Question 45

What are some common causes for Security Logging and Monitoring failures?

Answer 45

Missing logs, no central log system, no alerts, failure to escalate issues

Question 46

What is Server-Side Request Forgery (SSRF), and what is a key mitigation strategy?

Answer 46

SSRF tricks server to fetch internal URLs. Mitigation: deny by default, firewall rules, validate input

Question 47

What is the first step in performing a website vulnerability and security assessment (discovery activity)?

Answer 47

Identify components and perform fingerprinting/enumeration

Question 48

What information is typically sought during the initial discovery (fingerprinting/enumeration) phase of a website assessment?

Answer 48

IP addresses, running services, OS types, known vulnerabilities

Question 49

What is a Ping Sweep, and what are some utilities used for it?

Answer 49

Ping across IP ranges to find live hosts. Tools: Nmap, Hping, SuperScan

Question 50

When assessing the web server OS, besides identifying the OS type and version, what are some other important items to look for?

Answer 50

Service packs, active services, remote access (Telnet, SSH), known vulnerabilities

Question 51

What types of tools are recommended for assessing web server applications, and what are they used to look for?

Answer 51

Nessus, Metasploit, AppScan. Look for code issues, injection, bypassing auth

Question 52

When assessing the website front-end, what utility can be used to crawl pages for hidden fields and directory structures?

Answer 52

HTTrack Website Copier

Question 53

What are planned attacks (also called penetration testing or pen testing) used for in a website assessment?

Answer 53

Identify vulnerabilities through controlled simulated attacks

Question 54

In penetration testing, what is privilege escalation? Name the two types mentioned.

Answer 54

Exploiting flaws to gain access. Types: vertical (admin), horizontal (peer access)

Question 55

What is SQL injection, and how can an attacker attempt it manually?

Answer 55

Inject SQL commands in forms or URLs to manipulate DBs. Example: '; exec...

Question 56

What is the general structure for a website vulnerability and security assessment report?

Answer 56

Executive summary, Findings, Assessment details, Recommended remediations

Question 57

In the Executive Summary of a vulnerability assessment report, what type of findings should be focused on?

Answer 57

Critical/high vulnerabilities and compliance-affecting issues

Question 58

Name three types of testing strategies mentioned for websites and web applications.

Answer 58

First Impressions, Functional Testing, Security Testing, Mobile Testing

Question 59

How can you test the security of a website, particularly regarding personal data?

Answer 59

Enter user data, verify encryption and security, include testing in all dev phases

Question 60

What are the four steps to take when mitigating a vulnerability or other security flaw?

Answer 60

Verify, Analyze/Prioritize, Mitigate, Retest

Question 61

What are some specific tests for websites designed for mobile devices?

Answer 61

OS compatibility, load time, button size, image sizing, dial-out functions

Question 62

What are some essential pre-launch tasks before releasing a website?

Answer 62

Review content/media, test compatibility, check licensing, begin marketing

Question 63

What is the purpose of website diagnostics immediately before launching?

Answer 63

Find static issues like broken links, unreachable elements, code errors

Question 64

What is XSS (Cross-Site Scripting), and what are key mitigation practices?

Answer 64

XSS allows script injection. Mitigation: sanitize input, encode output, follow best practices