Ch.3

Question 1

ActiveX

Answer 1

a set of rules for how applications under the Microsoft Windows operating system should share information.

• is not a programming language but a set of rules for how applications under the Microsoft Windows OS should share information
• attackers can take advantage of vulnerabilities to perform malicious attacks on a computer

Question 2

ActiveX control

Answer 2

a specific way of implementing ActiveX that runs through the web browser and functions like a miniature application

• represent specific way of implementing ActiveX and are sometimes called ActiveX Applications
• can be invoked from webpages through the use of a scripting language or directly by an HTML command
• can delete files or reformat a hard drive

Question 3

add-on

Answer 3

program that provides additional functionality to web browsers. also called EXTENSION

add-ons can:

• create additional web browser toolbars
• change browser menus
• be aware of other tabs open in the same browser process
• process the content of every webpage that is loaded

Question 4

Address Resolution Protocol (ARP)

Answer 4

part of the TCP/IP protocol for determining the MAC address based on the IP address

-if the IP address for a device is known but the MAC address is not, the sending computer sends an ARP packet to all computers on the network that in effect says, “If this is your IP address, send me back your MAC address.” The computer with that IP address sends back a packet with the MAC address so the packet can be stored in ARP cache for future reference. In addition, all other computers that hear the ARP reply also cache that data

Question 5

arbitrary/remote code execution

Answer 5

an attack that allows an attacker to run programs and execute commands on a different computer

• HEAP SPRAY is targeted and inserts data only in certain parts of memory. Often used in an arbitrary/remote code execution attack
• gains control of the victim’s computer to execute the attacker’s commands; turns it into his own remote computer
• gaining control of the victim’s computer can virtually perform any command for example; access the computer’s files, displaying objectionable content on the screen, erasing the entire contents of the hard drive
• this attack often takes advantage of malicious attachments. If a user opens a specially crafted file, such as a Microsoft Visio file or a PDF file, the attacker can gain the same user rights as the current user who is logged on

p109

Question 6

ARP poisoning

Answer 6

an attack that corrupts the ARP cache

• attacker can modify the MAC address in the ARP cache so that the corresponding IP address points to a different computer
• Man-in- the- middle attack using ARP poisoning requires sending malicious ARP reply messages and using IP forwarding. However, many automated attack software tools will easily perform ARP POISONING

Example of ARP poisoning:

Attack: Steal data
Description: attacker can substitute her own MAC address and steal data intended for another device

Attack: Prevent internet access
Description: attacker can substitute an invalid MAC address for the network gateway so that no users can access external networks

Attack: Man-in-the-middle
Description: man-in-the middle device can be set to receive all communications by substituting that MAC address

Attack: Dos attack
Description: the valid IP address of the DoS target can be substituted with an invalid MAC address, causing all traffic destined for the target to fail

p114

Question 7

attachment

Answer 7

a file that coupled to an email message and often carries malware

• commonly used to spread viruses, trojans, and other malware when they are opened
• most users are unaware of the danger of attachments and routinely open any email attachment that they receive, even if it is from an unknown sender
• attackers include information in the subject line that entices even reluctant users to open the attachment, such as a current event (i.e. Check out this info about yesterday’s hurricane) or information about the recipient (i.e. Is this really you in this picture?)
• Email-distributed malware frequently takes advantage of personal

Question 8

buffer overflow attack

Answer 8

an attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer

• the extra data overflows into the adjacent memory locations (a buffer overflow). the storage buffer typically contains the “return address” memory location, an attacker can overflow the buffer with a new address pointing to the attacker’s malware code
• The “return address” is not the only element that can be altered in a buffer overflow attack, but it is one of the most commonly altered elements

Question 9

client-side attack

Answer 9

an attack that targets vulnerabilities in client applications that interact with a compromised server or process malicious data

• this happens when the client initiates the connection with the server and results in an attack
• client-side attacks are not limited to the web: they can occur on any client/server pair, such as email, File Transfer Protocol (FTP), instant messaging (IM) or multimedia streaming
• user’s computer can become compromised just by VIEWING a webpage and not even clicking on any content. Known as (DRIVE-BY DOWNLOAD).
• attackers first identify a vulnerable web server and inject content by exploiting the server through vulnerable scripting applications
• attackers avoid visual detection by often crafting a ZERO-PIXEL IFRAME (Inline Frame). This is an HTML element that allows for embedding another HTML document inside the main document. This is invisible to the naked eye. The browsers download the initial exploit script that targets a vulnerability in the browser through an IFrame. This will instruct the browser to connect to the attackers’s web server to download malware, which is then automatically installed and executed on the client
• DRIVE-BY DOWNLOADS sites target older web browsers; these attacks often are noT as effective against new browsers

Question 10

command injection

Answer 10

injecting and executing commands to execute on a server

• attack can be launched through a vulnerability in the web application program that accepts user input, a vulnerability in the web server operating system software, or a security misconfiguration on the server itself
• long string of characters may be entered such as http://../../../../../../../../ where ../ traverses up one directory level. if user input were permitted and not properly validated, the attacker could create the input http://www.server.net/dnamic.asp?view=../../../../../TopSecret.docx which could display the contents of a document

pg100

Question 11

cookie

Answer 11

a file on a local computer in which a web server stores user-specific information

• the server can store user-specific information in a file on the user’s local computer and then retrieve it later
• cookies can store any personally identifiable information (name, email address, work address, telephone number, and so on). however, a website cannot gain access to private information stored on the local computer.
• once a cookie is created on a client computer, only the website that created that cookie can read it

Several different types of cookies exist:

• First-Party cookie
• Third-Party cookie
• Session cookie
• Persistent cookie
• Locally shared objects (LSO)

-cookies can pose both security and privacy risks. FIRST-PARTY COOKIES can be stolen and used to impersonate the user. THIRD-PARTY COOKIES can be used to track the browsing or buying habits of a user. This will allow organizations know which pages are being viewed, how often they are viewed, and the IP address of the viewing computer. This information can be used to infer what items the user may be interested in, and to target advertising to the user

p104

Question 12

cross-site scripting (XSS)

Answer 12

an attack that injects scripts into a web application server to direct attacks at clients

• refers to an attack using scripting that originates on one site (the web server) to impact another site (the user’s computer)
• XSS is like a phishing attack but without needing to trick the user into visiting a malicious website. Instead, the user starts at a legitimate website and XSS automatically directs her to the malicious site
• an XSS attack requires a website that meets two criteria: it accepts user input without validating it, and it uses that input in a response

Question 13

denial of service (DoS)

Answer 13

an attack that attempts to prevent a system from performing its normal functions by overwhelming the system with requests

• a deliberate attempt to prevent authorized users from accessing a system by overwhelming that system with requests
• most DoS attacks today are actually DISTRIBUTED DENIAL OF SERVICE (DDoS). instead of just one computer, a DDoS may used hundreds or thousands of zombie computers in a botnet to flood a device with requests

3 different types of DoS attacks:

• ping flood
• smurf attack (spoofing)
• SYN flood attack

Question 14

directory traversal

Answer 14

an attack that takes advantage of a vulnerability so that a user can move from the root directory to restricted directories

-once the attacker has accessed a restricted directory, she can enter (inject) commands to execute on a server (called COMMAND INJECTION) or view confidential files

Question 15

distributed denial of service (DDoS)

Answer 15

an attack that uses many computers to perform a DoS attack

-this is to overwhelm a network

Question 16

DNS poisoning

Answer 16

an attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker’s device

-predecessor to today’s Internet was a network known as ARPAnet. Network was completed in 1969 and linked together single computers located at each of four different sites. was trying to type the word LOGIN, but failed at letter G. the system crashed

Question 17

Domain Name System (DNS)

Answer 17

a hierarchical name system for translating domain names to IP addresses

-When TCP/IP was developed, the host table concept was expanded to hierarchical name system for matching computer names and numbers known as DOMAIN NAME SYSTEM

Question 18

extension

Answer 18

another name for ADD-ON

-add-ons/extensions can do the following:
create additional web browser toolbars
change browser menus
be aware of other tabs open in the same browser process
process the content of every webpage that is loaded

Question 19

first-party cookie

Answer 19

a cookie that is created from the website currently being viewed

-example:
When viewing the website www.cengage.com, the cookie CENGAGE could be created and saved on the user’s hard drive. Whenever the user returns to this site, that cookie would be used by the site to view the user’s preferences and better customize the browsing experience

Question 20

Flash cookie

Answer 20

another name for LOCALLY SHARED OBJECT (LSO)

• named after the Adobe Flash player
• they can store data more complex than the simple text that is typically found in a regular cookie
• can store up to 100 KB of data from a website, about 25 times as much as a regular cookie

Question 21

a list of the mappings of host names to IP addresses

Answer 21

host table

-created in the early 1970s

Question 22

part of HTTP that is comprised of fields that contain the different characteristics of the data that is being transmitted

Answer 22

HTTP header

This is comprised of:

• field name
• a colon
• field value
  (i. e. Content-length:49)
• core set of fields has been standardized by the Internet Engineering Task Force (IETF)
• HTTP headers are the result of an HTTP request by a web browser to a web server or the response back to the browser by the web server. Usually HTTP headers are used only by the web browser and the web server software because many web applications choose to ignore them

p102

Question 23

modifying HTTP headers to create an attack

Answer 23

HTTP header manipulation

-not an actual attack, but rather the vehicle through which other attacks, such as XSS, can be launched

Examples of HTTP header attacks:

-REFERER-
some websites check the Referer field to ensure that the request came from a page generated by that site, an attacker can bypass this security by modifying the Referer field to hide the fact that it came from another site

-Accept-Language-
some web applications pass the contents of this field directly to the database. An attacker can inject an SQL command by modifying this header. an attacker could generate a directory traversal attack

-Respnonse splitting-
client computer must allow input that contains CARRIAGE RETURN (CR using %0d or \r) and line feed (LF using %0a, or \a). these characters can not only give attackers control of the remaining HTTP headers and body of the response but also allow them to create additional responoses via HTTP headers that are entirely under their control

p103

Question 24

an attack that is the result of an attacker changing the value of a variable to something outside the range that the programmer had intended

Answer 24

integer overflow attack

-when this integer overflow occurs, the interpreted value then wraps around from the maximum value to the minimum value

The attack used in situations-
-used to create a buffer overflow situations. if introduced during the calculations for the length of a buffer when a copy is occurring, it could result in a buffer that is too small to hold the data. attack could then use this to create her buffer overflow attack

• a program that calculates the total cost of items purchased would use the number of units sold times the cost per unit.it could result in a negative value and a resulting negative total cost, indicating that a refund is due the customer
• a large positive value in a bank transfer could be wrapped around by an integer overflow attack to become a negative value, which could then reverse the flow of money. instead of adding this amount to the victim’s account, it could withdraw that amount and later transfer it to the attacker’s account

Question 25

a cookie that is significantly different in size and location from regular cookies, and can store more complex data. also called FLASH COOKIE

Answer 25

locally shared object (LSO) - named after the Adobe Flash player - they can store data more complex than the simple text that is typically found in a regular cookie - can store up to 100 KB of data from a website, about 25 times as much as a regular cookie

Question 26

an attack that intercepts legitimate communication and forges a fictitious response to the sender

Answer 26

man-in-the -middle - this attack is conducted on networks - appears that 2 computers are communicating with each other. however, the communication is going to the computer between them - attack can be active or passive - -passive attack: attacker captures the data that is being transmitted, records it , and then sends it on to the original recipient without the attacker's presence being detected - -active attack: contents are intercepted and altered before they are sent on to the recipient

Question 27

a cookie that is recorded on the hard drive of the computer and does not expire when the browser closes

Answer 27

persistent cookie -also known as TRACKING COOKIE

Question 28

a utility that sends an ICMP (Internet Control Message Proocol) echo request message to host echo request message to a host

Answer 28

ping -normally used by network diagnostic tasks, such as determining if a hot system is active or finding the path used by a packet to reach the host

Question 29

ping flood

Answer 29

an attack that uses the Internet Control Message Protocol (ICMP) to flood a victim with packets

Question 30

a third-party library that attaches to a web browser and can be embedded inside a webpage

Answer 30

plug-in - adds new functionality to the page being viewed so that users can play music and other multimedia content within the browser or view special graphical images that normally browser could not play or display - most widely used plug-ins for web browsers are JAVA, Adobe Flash player, Apple QuickTime, and Adobe Acrobat Reader - Plug-ins can be added to a webpage using the HTML tag or an tag p106

Question 31

an attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing

Answer 31

privilege escalation 2 types of privilege escalation: -VERTICAL PRIVILEGE ESCALATION- user with lower privilege uses privilege escalation to grant herself access functions reserved for higher-privilege users -HORIZONTAL PRIVILEGE ESCALATION- user with restricted privileges accesses the different restricted functions of a similar user

Question 32

an attack that makes a copy of the transmission before sending it to the recipient

Answer 32

replay - captured credentials can later be used - an attacker can capture the message sent from the network device to the server. Later, the attacker can send the original message to the server, and the server may respond, thinking it came from the valid device

Question 33

a cookie that is stored in Random Access Memory (RAM) instead of on the hard drive and only lasts only for the duration of a visit to a website

Answer 33

session cookie - stored in RANDOM ACCESS MEMORY (RAM), instead of on the hard drive, and lasts only for the duration of the visit to the website - session cookie expires when the user closes the browser or has not interacted with the site after set period of time

Question 34

an attack in the which an attacker attempts to impersonate the user by using the user's session token

Answer 34

session hijacking - most common methods is to use XSS or other attacks to steal the session token cookie from the victim's computer and then use it to impersonate the victim - other ways include eavesdropping on the transmission or guessing the session token. - attacker can accumulate multiple session tokens and then make a guess at the next session token number ***Considered as an APPLICATION ATTACK and not a network-based attack

Question 35

a form of verification used when accessing a secure web application

Answer 35

session token - random string assigned to that interaction between the user and the web application currently being accessed (a session) - can be transmitted in different ways: in the URL, in the header of the HTTP requisition, or in the body of the HTTP

Question 36

an attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim

Answer 36

smurf attack -the impersonation is called SPOOFING

Question 37

impersonating another computer or device

Answer 37

spoofing -this is due to the SMURF ATTACK

Question 38

an attack that targets SQL(STRUCTURED QUERY LANGUAGE) servers by injecting commands to be manipulated by the database

Answer 38

SQL injection - STRUCTURED QUERY LANGUAGE used to view and manipulate data that is stored in a relational database - targets SQL servers - if the email address entered by the user into the form is stored in the variable $EMAIL, then the underlying SQL statement to retrieve the stored email address from the database would be similar to: SELECT fieldlist FROM table WHERE field = '$EMAIL' -if the message E-mail Address Unknown is displayed, it indicates that user input is being properly filtered and an SQL attack cannot be rendered on the site. - - 'whatever'. this can be anything meaningless - - or. The SQL OR means that s long as either of the conditions are true, the entire statement is true and will be executed - -'a'='a'. This is a statement that will always be true SQL INJECTION STATEMENT TABLE SQL INJECTION: whatever' AND email IS NULL;-- RESULT: Determine the names of different fields in the database SQL INJECTION: whatever' AND 1=(SELECT COUNT(*) FROM tabname);-- RESULT: Discover the name of the table SQL INJECTION: whatever' OR full_name LIKE'%Mia%' RESULT: Find specific users SQL INJECTION: whatever'; DROP TABLE members; -- RESULT: Erase the database table SQL INJECTION: whatever'; UPDATE members SET email = 'attacker-email@evil.net' WHERE email = 'Mia@good.com'; RESULT: Mail password to attacker's email account

Question 39

an attack that takes advantage of the procedures for initiating a TCP/IP session

Answer 39

SYN flood attack - This request uses a control message, called a SYNCHRONIZE MESSAGE or SYN, to initialize the connection. Server responds with its own SYN along with an ACKNOWLEDGMENT (ACK) that it received the initial request, called a SYN+ACK. The server then waits for a reply ACK from the device indicating that it received the server's SYN - attacker sends SYN segments in IP packets to the server. server "hold the line open" and wait for a response (which is not coming) while receiving more false requests and keeping more lines open for responses. p111

Question 40

a cookie that was created by a third party that is different from the primary website

Answer 40

third-party cookie - some websites attempt to place additional cookies on the local hard drive - intended to tailor advertising to that user

Question 41

an attack that exploits the trust relationship between three parties

Answer 41

transitive access - System 1 can access System 2, and because System 2 can access System 3, then System 1 can access System 3

Question 42

a markup language that is designed to CARRY data, in contrast to HTML, which indicates how to DISPLAY data

Answer 42

XML (Extensible Markup Language) - XML does not have a predefined set of tags; instead, users define their own tags - differ from HTML because XML is designed to CARRY data instead of indicating how to display it - XML is for the transport and storage of data, with the focus on what the data is

Question 43

an attack that injects XML tags and data into a database

Answer 43

XML injection - like SQL injection, an attacker who discovers a website that does not filter input user data can inject XML tags and data into the database - XPath injection attempts to exploit the XML Path Language (XPath) queries that are built from user input

Question 44

attack that exploits previously unknown vulnerabilities, so victims have no time (zero days) to prepare for a or defend against the attack

Answer 44

zero-day attack

Question 45

Which of these is NOT a reason why securing server-side web applications is difficult? a. Although traditional network security devices can block traditional network attacks, they cannot always block web application attacks b. The processors on clients are smaller than on web servers and thus they are easier to defend. c. Many web application attacks exploit previously unknown vulnerabilities d. By design dynamic server-side web applications accept user input that can contain malicious code

Answer 45

b

Question 46

Which of these is not an HTTP header attack? a. Accept-Language b. Referer c Response splitting d. Content-length

Answer 46

d

Question 47

What is another name for a locally shared object? a. Flash cookie b. session cookie c. Ram cookie d. secure cookie

Answer 47

a

Question 48

Browser plug-ins _______. a. only function on web servers b. can be embedded inside a webpage but add-ons cannot c. have additional functionality to the entire browser d. have been replaced by browser extensions

Answer 48

b

Question 49

An attacker who manipulates the maximum size of an integer type would be performing what kind of attack? a. buffer overflow b. real number c. heap size d. integer overflow

Answer 49

d

Question 50

What kind of attack is performed by an attacker who takes advantage of the inadvertent and unauthorized access built through three succeeding systems that all trust one another? a. privilege rights b. heap spray c. transitive d. vertical escalation

Answer 50

c

Question 51

Which statement is correct regarding why traditional network security devices cannot be used to block web application attacks? a. Traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks. b. Web application attacks use web browsers that cannot be controlled on a local computer. c. network security devices cannot prevent attacks from web resources. d. the complex nature of TCP/IP allows for too many ping sweeps to be blocked

Answer 51

a

Question 52

What do attackers use buffer overflows to do? a. erase buffer overflow signature files b. corrupt the kernel so the computer cannot reboot c. point to another area in data memory that contains the attacker;s malware code d. place a virus into the kernel

Answer 52

c

Question 53

What is unique about a cross-site scripting (XSS) attack compared to other injection attacks? a. SQL code is used in an XSS attack b. XSS requires the use of a browser c. XSS does not attack the web application server to steal or corrupt its information d. XSS attacks are rarely used anymore compared to other injection attacks

Answer 53

c

Question 54

What is a cookie that was not created by the website being viewed called? a. first-party cookie b. second-party cookie c. third-party cookie d. fourth-party cookie

Answer 54

c

Question 55

What is the basis of an SQL injection attack? a. to have the SQL server attack client web browsers b. to inject SQL statements through unfiltered user input c. to expose SQL code so that it can be examined d. to link SQL servers into a botnet

Answer 55

b

Question 56

Which action cannot be performed through a successful SQL injection attack? a. reformat the web application server's hard drive b. display a list of customer telephone numbers c. discover the names of different fields in a table d. erase a database table

Answer 56

d

Question 57

Which markup language is designed to carry data? a. ICMP b. HTTP c. HTML d. XML

Answer 57

d

Question 58

What type of attack involves an attacker accessing files in directories other than the root directory? a. SQL injection b. command injection c. XML injection d. directory traversal

Answer 58

d

Question 59

Which type of attack modifies the fields that contain the different characteristics of the data that is being transmitted? a. XML manipulation b. HTML packet c. SQL injection d. HTTP header

Answer 59

d

Question 60

What is a session token? a. XML code used in an XML injection b. a random string assigned by a web server c. another name for a third-party cookie d. a unique identifier that includes the user's email address

Answer 60

b

Question 61

Which of these is NOT a Dos attack? a. SYN flood b. ping flood c. smurf d. push flood

Answer 61

d

Question 62

What type of attack intercepts legitimate communication and forges a fictitious response to the sender? a. SIDS b. interceptor c. man-in-the-middle d. SQL intrusion

Answer 62

c

Question 63

A replay attack ______. a. is considered to be a type of Dos attack b. makes a copy of the transmission for use at a later time c. can be prevented by patching the web browser d. replays the attack over and over to flood the server

Answer 63

b

Question 64

DNS poisoning ______. a. floods a DNS server with requests until it can no longer respond b. is rarely found today due to the use of host tables c. substitutes DNS addresses so that the computer is automatically redirected to another device d. is the same as ARP poisoning

Answer 64

c