OLE DB relies on connection strings that enable the application to access the data stored on an external device.
In Windows, IIS stands for _____
Internet Information Services
__ is the interface that describes how a Web server passes data to a Web browser.
___ represent(s) a comment in SQL.
Double hyphens (--)
Connecting to a VSAM database with OLE DB requires using ____ as the provider.
Dynamic Web pages need special components for displaying information that changes depending on user input or information obtained from a back-end server. What kind of components can Web pages use to achieve this?
foundation of most Web applications
main role is passing data between a Web server and Web browser
language developed by Microsoft
keeps attackers from knowing the directory structure on an IIS Web server
a Web server
stands for cross-site scripting flaw
helps beginning Web application security testers gain a better understanding of the areas covered in the OWASP top ten Web applications vulnerability list
tool for searching Web sites for CGI scripts that can be exploited
Cgi Scanner v1.4
GUI tool that can be downloaded free from Microsoft and is included in the IIS Resource Kit
One of the best Web sites to find tools for hacking Web applications is ___
__ is one of the best tools for scanning the Web for systems with CGI vulnerabilities.
SQL ____ involves the attacker supplying SQL commands when prompted to fill in a Web application field.
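The two cards above (the SQL comment marker and SQL injection) are easier to see with a query in hand. The following is an added example, not from the book or the original card set: a login check built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The table, the account, and the payload are all assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database: one users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # String concatenation: whatever the user typed becomes SQL text,
    # so a closing quote and a -- comment rewrite the statement.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    return conn.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Parameterized query: values travel separately from the SQL text,
    # so the input can never change the statement's structure.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed attacker input: the -- comments out the password check.
PAYLOAD_USER = "alice' --"
PAYLOAD_PASS = "wrong"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD_USER, PAYLOAD_PASS))
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS))
    print("safe:      ", login_safe(db, PAYLOAD_USER, PAYLOAD_PASS))
```

Printing the concatenated query shows why the payload works: everything after the `--` (the whole `AND password = ...` clause) is a comment to the database, so only the username is checked. The same payload against the parameterized version is just a username that does not exist.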
A user can view the source code of a PHP file by using the browser’s “View Source” option. (False: PHP is interpreted on the server, so “View Source” shows only the HTML the script produced, not the PHP code itself.)
CGI programs can be written in many different programming and scripting languages, such as C/C++, Perl, UNIX shells, Visual Basic, and FORTRAN.
CFML stands for _______________
ColdFusion Markup Language
What is OWASP?
Much like ISECOM, Open Web Application Security Project (OWASP) is an open, not-for-profit foundation dedicated to finding and fighting the causes of software vulnerabilities. OWASP (www.owasp.org) publishes the Ten Most Critical Web Application Security Vulnerabilities paper that has been built into the Payment Card Industry (PCI) Data Security Standard.
Connecting to an MS SQL Server database with OLE DB requires using ____ as the provider.
__, developed by Microsoft, is a set of interfaces that enable applications to access data stored in a database management system
What is the main difference between HTML pages and Active Server Pages (ASP)?
The main difference between HTML pages and Active Server Pages (ASP) is that an HTML page is a fixed file sent as-is, whereas an ASP page contains server-side script that generates the HTML on the fly. That is, when a user requests an ASP page, the server runs the script and builds the page at that moment, so its content can depend on user input or on data from a back-end server.
In a(n) ____ flaw, a Web browser might carry out code sent from a Web site.
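As an added example for the cross-site scripting card above (not code from the book), here is a reflected-input page rendered two ways: the vulnerable version copies the user-supplied name straight into the HTML, and the fixed version escapes it so the browser treats it as text. The page template, the parameter names, and the payloads are assumptions constructed for the demonstration.

```python
import html


def render_greeting_vulnerable(name):
    # Reflects the raw parameter into the page: any markup in it becomes
    # markup the browser will execute, which is the XSS flaw.
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name):
    # html.escape turns < > & " ' into entities, so the same payload is
    # displayed literally instead of being parsed as a script tag.
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_attribute_safe(value):
    # Attribute context: quote=True is what stops a stray " from closing
    # the value attribute and starting an event-handler attribute.
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


# Constructed attacker inputs.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_greeting_vulnerable(BODY_PAYLOAD))
    print(render_greeting_safe(BODY_PAYLOAD))
    print(render_attribute_safe(ATTR_PAYLOAD))
```

Escaping is context-dependent: the entity encoding that is correct inside element text or a quoted attribute is not sufficient inside a `<script>` block or a URL, which need their own encoders.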
ColdFusion uses its own proprietary tags written in ____
The column tag in CFML is ____
Why should security professionals have at least a little knowledge about the Apache Web Server?
Apache Web Server is said to run on more than twice as many Web servers as IIS, so some familiarity with this Web server can be helpful in the security-testing profession. Apache has important advantages over the competition: it runs on just about any *nix platform as well as on Windows, and it’s free.
What is VBScript?
Visual Basic Script (VBScript) is a scripting language developed by Microsoft. You can insert VBScript into your HTML Web pages to convert static Web pages into dynamic Web pages. The biggest advantage of using a scripting language is that you have the features of powerful programming languages at your disposal. For those who have programming experience, you can start writing VBScript faster than a dual-processor 3 GHz computer.
All CFML tags begin with “___
What is ActiveX Data Objects (ADO)?
ActiveX Data Objects (ADO) is a programming interface for connecting a Web application to a database. ActiveX defines technologies that allow applications, such as Word or Excel, to interact with the Web. For example, you can place an Excel spreadsheet in a Web page.
Web servers use the ____ element in an HTML document to allow customers to submit information to the Web server.
What is ColdFusion?
Visual Basic Script (VBScript) is a scripting language developed by __
What can an attacker do after gaining control of a Web server?
After an attacker gains control of a Web server, he or she could do the following:
- Deface the Web site
- Destroy the company’s database or offer to sell its contents
- Gain control of user accounts
- Perform secondary attacks from the Web site
- Gain root access to other application servers that are part of network infrastructure
As a security professional, what should you do after identifying that a Web server you are testing is using PHP?
After you have identified the Web server as using PHP, use the methods covered in the book to investigate further for specific vulnerabilities. For example, several versions of PHP running on Linux can be exploited because of a line in the php.ini file: the line file_uploads=on permits file uploads, and this setting might allow a remote attacker to run arbitrary code with elevated privileges. The best solution is to upgrade to the latest version of PHP; if that’s not possible, change the line to file_uploads=off.
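The check described above is simple to automate when you have a copy of the target's php.ini (from a configuration review or a compromised host). The following is an added example, not from the book: a small parser that reads the directive while ignoring `;` comments, section headers, and case, and flags file_uploads when it is enabled. The two ini fragments are constructed samples; the weak one mirrors the setting the book warns about and the fixed one applies its recommendation. The assumption that a missing file_uploads directive means “enabled” reflects PHP's documented default for that directive.

```python
def parse_php_ini(text):
    # Minimal php.ini reader: drops ; comments and [section] headers,
    # lower-cases keys and values, and strips surrounding quotes.
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def is_enabled(value):
    # php.ini accepts several spellings for a boolean On.
    return value in ("on", "1", "true", "yes")


def audit_file_uploads(text):
    # Returns a list of findings; empty means the directive is Off.
    # PHP's default for file_uploads is On, so an absent line is a finding too.
    settings = parse_php_ini(text)
    value = settings.get("file_uploads", "on")
    if is_enabled(value):
        return ["file_uploads is enabled (value: %s); set file_uploads=Off "
                "or upgrade PHP" % value]
    return []


# Constructed sample configurations.
WEAK_INI = """
[PHP]
; File uploads
file_uploads = On
upload_max_filesize = 2M
"""

FIXED_INI = """
[PHP]
file_uploads = Off   ; disabled per hardening guidance
upload_max_filesize = 2M
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(label, audit_file_uploads(ini))
```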
___ was originally used primarily on UNIX systems, but is used more widely now on many platforms, such as Macintosh and Windows
Connecting to a MySQL database with OLE DB requires using ____ as the provider.
What is ODBC used for?
The ODBC interface allows an application to access data stored in a database management system (DBMS), such as Microsoft SQL, Oracle, or any system that can recognize and issue ODBC commands. Interoperability between back-end database management systems is a key feature of the ODBC interface, allowing application developers to focus on the application without worrying about any specific DBMS.
__________________ Web pages display the same information regardless of the time of day or the user who activates the page.