IS3445 CHAP 7 INTRODUCING THE WEB APPLICATION SECURITY CONSORTIUM (WASC) Flashcards
___ is the process of securing applications in use on a network.
Application hardening
___ identifies all of the files within a given directory on a Web server if the base file is not found.
Automatic directory listing
___ is a practice to define what is unacceptable, excluding all other input as acceptable.
Blacklist
___ is an attack that attempts to crack a cryptographic key.
Brute-force attack
___ occurs in an application when more information is stored in the buffer than the space reserved for it.
Buffer overflow
___ is a mechanism used to protect against automated attacks. Its function is to provide a challenge/response mechanism to help ensure that a Web form is being filled out by a human and not an automated process.
(CAPTCHA) Completely Automated Public Turing test to tell Computers and Humans Apart
___ creates a fake Web site or Web application and fools victims into thinking it is a legitimate one.
Content spoofing
___ is the confidential component of a cryptographic system. It defines how the cryptographic algorithm converts plaintext to encrypted text and back.
Cryptographic key
___ is a set of rules for encoding documents electronically. It was chosen as the standard message format because of its widespread use and open source development efforts.
(XML) Extensible Markup Language
___ is, from a Web site or Web application perspective, an attacker's attempt to use the session credentials of a valid user.
Impersonation
___ is a TCP/IP protocol designed for downloading, or pulling, email from a mail server. It is used because, although mail is transported around the network via SMTP, users cannot always read it immediately, so it must be stored in a central location. From that location it then needs to be downloaded, which is what this protocol allows you to do.
(IMAP) Internet Message Access Protocol
___ is a protocol that provides a mechanism to access and query directory services systems.
(LDAP) Lightweight Directory Access Protocol
___ is an attack that relies on eavesdropping between the sender and receiver. Attackers use their position to listen and perhaps redirect or alter communication.
Man-in-the-middle attack
___ is the way applications control their output data. This data from an application may take the form of logging, printing, coding, error messages, or raw data to be passed on to another application.
Output handling
___ is an attack in which the attacker attempts to circumvent acceptable file and directory areas to access files, directories, and data located elsewhere on the server. This is accomplished by changing the URL to point to other areas on the server.
Path traversal attack
___ is the concept of providing users with as few privileges as possible, just enough to fulfill their network needs. It is a security measure that ensures users are not granted more permissions than needed.
Principle of least privilege
___ is the correct sequence of steps in a transaction or online process.
Process validation
___ is a form of man-in-the-middle attack in which an intermediary attacker reroutes data to an alternate location.
Routing detour attack
___ is inspection of user input for potentially harmful code and modifying the code according to predetermined guidelines. It often involves identifying and disallowing specific characters and syntax sequences.
Sanitization
___ is an injection attack that occurs on the server and not on the client system. In this attack, malicious code is placed in a Web application that is then stored on the server. When the Web application is executed locally on the Web server, the malicious code carries out its function.
(SSI) Server-side include injection
___ identifies previous users of a Web site and stores user-specific information about a session.
Session ID
___, the successor to Secure Sockets Layer, provides secure communications at the Transport layer from end to end.
(TLS) Transport Layer Security
___ is a nonprofit group dedicated to improving application security practices.
(WASC) Web Application Security Consortium
___ is used for navigating XML documents and for retrieving data from within them. User input and queries are used with XPath to access XML information.
(XPATH) XML Path language