1.
Below are the properties of a good cryptosystem, EXCEPT:
Correct Answer
C. Produce plaintext from ciphertext without the key
Explanation
The given answer "Produce plaintext from ciphertext without the key" is the correct answer because it goes against one of the properties of a good cryptosystem. A good cryptosystem should not allow anyone to produce plaintext from ciphertext without the key. This property ensures the confidentiality of the encrypted data and prevents unauthorized access to the original message.
2.
What type of algorithm is used to ensure file integrity?
Correct Answer
D. Hash Function
Explanation
A hash function is used to ensure file integrity by generating a unique hash value for a file. This hash value acts as a digital fingerprint for the file, and any changes made to the file will result in a different hash value. By comparing the original hash value with the recalculated hash value, one can determine if the file has been tampered with or corrupted. Therefore, a hash function is an essential tool in ensuring the integrity and authenticity of files.
3.
There are three known types of XSS flaws: ___________, __________, and _____________.
Correct Answer
A. Stored, reflected and DOM Based XSS
Explanation
The correct answer is "stored, reflected and DOM Based XSS." XSS stands for Cross-Site Scripting, which is a type of security vulnerability in web applications. Stored XSS occurs when malicious code is permanently stored on a target website and executed whenever a user accesses the affected page. Reflected XSS involves injecting malicious code into a URL, which is then reflected back to the user and executed. DOM Based XSS exploits vulnerabilities in the Document Object Model (DOM) of a web page to inject and execute malicious code.
4.
________________ is the process of examining a user-submitted HTML document fragment and producing a new HTML document that preserves only whatever tags are designated "safe".
Correct Answer
B. HTML sanitization
Explanation
HTML sanitization is the process of examining a user-submitted HTML document fragment and producing a new HTML document that preserves only whatever tags are designated "safe". This means that any potentially harmful or malicious code is removed or neutralized, ensuring that the resulting HTML document is safe to display and cannot execute any harmful actions.
5.
Input validation should be based on...
Correct Answer
A. Whitelisting
Explanation
Input validation should be based on whitelisting because it is a security measure that allows only pre-approved or trusted inputs to be accepted, while rejecting all others. This approach ensures that only known and safe inputs are processed, reducing the risk of malicious or unexpected inputs causing harm or compromising the system. Whitelisting is considered more secure than blacklisting, which involves specifying what inputs to reject, as it is easier to overlook potential threats when trying to identify and block all possible malicious inputs. Authorization and authentication are related to access control and user identification, but they are not directly related to input validation.
6.
An e-commerce shopping site uses hidden fields to refer to its items, as follows:
<input type="hidden" id="1008" name="cost" value="70.00">
In the above example, what is true?
Correct Answer
C. "value" can be modified to lower its cost.
Explanation
The given answer is correct because hidden fields are not visible to the user and can be easily modified by manipulating the HTML code. In this case, the "value" attribute of the hidden field can be changed to a lower cost, allowing the user to potentially purchase the item at a discounted price.
7.
What is the impact of an access control failure? (multi)
A. Loss of accountability
B. Loss of reputation
C. Disclosure of confidential data
D. Data tampering
Correct Answer
E. All of the above
Explanation
An access control failure can have multiple impacts, including loss of accountability, loss of reputation, disclosure of confidential data, and data tampering. When access controls fail, it becomes difficult to track and assign responsibility for actions taken within a system, leading to a loss of accountability. This can damage the reputation of the organization or system involved, resulting in a loss of trust from customers or stakeholders. Additionally, access control failures can lead to the unauthorized disclosure of confidential data, compromising privacy and potentially causing harm. Lastly, data tampering can occur when access controls are not properly enforced, allowing unauthorized individuals to modify or manipulate data, leading to potential misinformation or malicious activities.
8.
What describes the best practice of "code to the permission"?
Correct Answer
B. Verify access to activities for enforcement points in code
Explanation
"Code to the permission" refers to the practice of verifying access to activities for enforcement points in the code. This means that the code should include checks to ensure that only authorized users have access to certain activities or functionalities. By embedding these checks in the code, it helps to enforce proper access control and prevent unauthorized actions. This practice ensures that permissions are properly implemented and enforced at the code level.
9.
What is the best defense for SQL Injection protection?
Correct Answer
A. Query Parameterization
Explanation
Query parameterization is the best defense for SQL Injection protection because it involves using parameterized queries, which allow the database engine to distinguish between code and data. This prevents malicious SQL code from being injected into the query by treating user input as data rather than executable code. By parameterizing queries, it becomes much more difficult for attackers to manipulate the query structure and execute unauthorized commands. This approach helps to ensure the security and integrity of the database by effectively mitigating the risk of SQL Injection attacks.
10.
An ______________ attack occurs when an attacker attempts to execute system-level commands through a vulnerable application.
Correct Answer
A. OS command injection
Explanation
OS command injection occurs when an attacker tries to execute system-level commands through a vulnerable application. This type of attack takes advantage of the application's insufficient input validation, allowing the attacker to inject commands that are then executed by the underlying operating system. This can lead to unauthorized access, data leakage, or even complete control over the targeted system.
11.
What is the theory behind good password storage?
Correct Answer
C. Verifiable but not reversible
Explanation
The theory behind good password storage is that passwords should be verifiable but not reversible. This means that the system should be able to verify if a user enters the correct password, but it should not be able to retrieve the original password from the stored data. This is important for security purposes, as it ensures that even if the stored password data is compromised, the attacker cannot easily access the actual passwords.
12.
Which of the following will help stop session fixation?
Correct Answer
D. Discard current session and create a new one at login
Explanation
Discarding the current session and creating a new one at login helps stop session fixation. This is because session fixation is an attack where an attacker fixes or sets the session ID of a user before they authenticate. By discarding the current session and creating a new one at login, the attacker's fixed session ID becomes invalid, preventing them from accessing the user's session. This helps protect the user's session from unauthorized access and ensures a more secure login process.
13.
What is Cross-Site Request Forgery?
Correct Answer
A. When users are tricked into executing authenticated actions
Explanation
Cross-Site Request Forgery (CSRF) occurs when users are tricked into unknowingly performing actions on a website that they are authenticated on. This can happen by exploiting the trust between the user and the website, where the attacker tricks the user into clicking on a malicious link or visiting a compromised webpage. By doing so, the attacker can perform actions on behalf of the user without their consent or knowledge, potentially leading to unauthorized changes or data theft.
14.
There are Four Defense Patterns to Stop Cross-Site Request Forgery (CSRF). Which answer below is not one of the four defense patterns?
Correct Answer
D. Output Encoding
Explanation
Output Encoding is not one of the four defense patterns to stop Cross-Site Request Forgery (CSRF). The other three options, namely Challenge Response, Synchronizer Token Pattern, and Check Referrer Header, are defense patterns commonly used to prevent CSRF attacks. Output Encoding, on the other hand, is a technique used to prevent other types of vulnerabilities, such as Cross-Site Scripting (XSS), by encoding untrusted data before it is written into a web page.
15.
What is the best way to validate XML for web services?
Correct Answer
C. XML Schema Validation
Explanation
XML Schema Validation is the best way to validate XML for web services. XML Schema is a language used to define the structure and data types of XML documents. It provides a set of rules that the XML document must follow in order to be considered valid. By validating XML against an XML Schema, we can ensure that the XML document conforms to the specified structure and data types, making it suitable for use in web services. Regular Expressions and XML DTD Validation cannot express the structure and data-type constraints of an XML document as fully as XML Schema Validation, making them less suitable options.
16.
How do you ensure a JSON object fits a specific policy for your application?
Correct Answer
A. JSON-Schema
Explanation
JSON-Schema is a tool that allows you to define a specific policy for your JSON object. It provides a way to validate and enforce the structure, data types, and constraints of the JSON object. By using JSON-Schema, you can ensure that the JSON object adheres to the required format and rules set by your application. This helps in maintaining data integrity and preventing any unexpected errors or issues while working with the JSON object.