WGU C836 WITH COMPLETE SOLUTIONS 100% VERIFIED!!
bounds checking - ANSWER>> to set a limit on the amount of data we expect to receive and to set aside storage for that data
* required in most programming languages
* prevents buffer overflows
race conditions - ANSWER>> A software development vulnerability which involves multiple processes, or threads within a process, that control or share access to a particular resource, where the correct handling of that resource depends on proper ordering or timing of transactions.
input validation - ANSWER>> A type of attack that can happen when we don't validate the input to our applications or fail to filter unexpected or undesirable content.
format string attack - ANSWER>> A class of input validation attacks in which a variety of print functions inside a programming language can be leveraged to exploit or view the internal memory of an application.
Authentication attack - ANSWER>> A type of attack that may happen when we fail to use strong authentication mechanisms for our applications.
Authorization attack - ANSWER>> A type of attack that may happen when we fail to use authorization best practices for our applications.
Cryptographic attack - ANSWER>> A type of attack that may happen when we fail to properly design our security mechanisms while implementing cryptographic controls in our applications.
client-side attack - ANSWER>> An attack that exploits vulnerabilities in the software loaded on client machines, or one that relies on social engineering to convince us to collaborate in the attack.
XSS (Cross Site Scripting) - ANSWER>> an attack that consists of embedding code, typically in the form of a scripting language, in a web page or other media that will be interpreted by a client browser.
XSRF (cross-site request forgery) - ANSWER>> an attack in which an attacker places on a web page in such a way that its execution is launched automatically, without the knowledge and/or consent of that user, but with the possibility of initiating a certain type of activity on another web or application where the user was currently authenticated.
clickjacking - ANSWER>> An attack that leverages the graphical display capabilities of our browser in order to dupe us into clicking on something we would not normally click.
server-side attack - ANSWER>> A form of attack targeting the web server, for example: not validating input, using improper or inadequate permissions, or files left over from the development process.
Database security issues include protocol issues, unauthenticated access, arbitrary code execution and privilege escalation - ANSWER>> Name the 4 main categories of database security issues.
web application analysis tool - ANSWER>> A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, improperly set permissions, extraneous files, outdated software versions, and many more such items.
protocol flaws - ANSWER>> unauthenticated network protocol vulnerabilities, authenticated network protocol vulnerabilities, authentication protocol weaknesses
arbitrary code execution - ANSWER>> An attack which exploits a vulnerability in the application that can allow the attacker to run malicious commands on the customer's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation - ANSWER>> an attack that exploits a software vulnerability to obtain access to resources that would normally be protected from the user
* via SQL injection or local issues
validating user inputs - ANSWER>> a software security best practice
* as a rule of thumb, this is the best way of ensuring SQL injection is minimized or avoided completely
Nikto (and Wikto) - ANSWER>> a web server analysis tool that performs checks for many common server-side vulnerabilities and creates an index of all the files and directories it can see on the target web server, a process known as spidering.
Burp Suite - ANSWER>> a great GUI web analysis tool that has a free and a pro version; the pro version contains advanced tools to conduct more in-depth attacks.
fuzzer - ANSWER>> A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways.
MiniFuzz File Fuzzer - ANSWER>> A tool developed by Microsoft to find flaws in file-handling source code.
BinScope Binary Analyzer - ANSWER>> A tool provided by Microsoft to analyze source code for general good practices.
SDL Regex Fuzzer - ANSWER>> A tool provided by Microsoft for fuzz-testing certain pattern-matching expressions for possible vulnerabilities.
good sources of secure coding guidelines - ANSWER>> CERT, NIST 800, BSI, an organization's internal coding guidelines