Correct Answers GRADED A+
bounds checking - CORRECT ANSWERS to set a limit on the amount of data we
expect to receive and to set aside storage for that data
* required in most programming languages
* prevents buffer overflows
race conditions - CORRECT ANSWERS A type of software development
vulnerability that occurs when multiple processes or multiple threads within a
process control or share access to a particular resource, and the correct
handling of that resource depends on the proper ordering or timing of
transactions
input validation - CORRECT ANSWERS a type of attack that can occur when we
fail to validate the input to our applications or take steps to filter out unexpected
or undesirable content
format string attack - CORRECT ANSWERS a type of input validation attack in
which certain print functions within a programming language can be used to
manipulate or view the internal memory of an application
authentication attack - CORRECT ANSWERS A type of attack that can occur
when we fail to use strong authentication mechanisms for our applications
authorization attack - CORRECT ANSWERS A type of attack that can occur
when we fail to use authorization best practices for our applications
cryptographic attack - CORRECT ANSWERS A type of attack that can occur
when we fail to properly design our security mechanisms when implementing
cryptographic controls in our applications
client-side attack - CORRECT ANSWERS A type of attack that takes advantage
of weaknesses in the software loaded on client machines or one that uses
social engineering techniques to trick us into going along with the attack
XSS (Cross Site Scripting) - CORRECT ANSWERS an attack carried out by
placing code in the form of a scripting language into a web page or other media
that is interpreted by a client browser
XSRF (cross-site request forgery) - CORRECT ANSWERS an attack in which the
attacker places a link on a web page in such a way that it will be automatically
executed to initiate a particular activity on another web page or application
where the user is currently authenticated
clickjacking - CORRECT ANSWERS An attack that takes advantage of the
graphical display capabilities of our browser to trick us into clicking on
something we might not otherwise
server-side attack - CORRECT ANSWERS A type of attack on the web server
that can target vulnerabilities such as lack of input validation, improper or
inadequate permissions, or extraneous files left on the server from the
development process
Protocol issues, unauthenticated access, arbitrary code execution, and
privilege escalation - CORRECT ANSWERS Name the 4 main categories of
database security issues
web application analysis tool - CORRECT ANSWERS A type of tool that
analyzes web pages or web-based applications and searches for common flaws
such as XSS or SQL injection flaws, and improperly set permissions,
extraneous files, outdated software versions, and many more such items
protocol issues - CORRECT ANSWERS unauthenticated flaws in network
protocols, authenticated flaws in network protocols, flaws in authentication
protocols
arbitrary code execution - CORRECT ANSWERS An attack that exploits an
application's vulnerability into allowing the attacker to execute commands on a
user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation - CORRECT ANSWERS An attack that exploits a
vulnerability in software to gain access to resources that the user normally
would be restricted from accessing.
* via SQL injection or local issues
validating user inputs - CORRECT ANSWERS a security best practice for all
software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto) - CORRECT ANSWERS A web server analysis tool that
performs checks for many common server-side vulnerabilities & creates an
index of all the files and directories it can see on the target web server (a
process known as spidering)
Burp Suite - CORRECT ANSWERS A well-known GUI web analysis tool that
offers a free and professional version; the pro version includes advanced tools
for conducting more in-depth attacks
fuzzer - CORRECT ANSWERS A type of tool that works by bombarding our
applications with all manner of data and inputs from a wide variety of sources,
in the hope that we can cause the application to fail or to perform in unexpected
ways
MiniFuzz File Fuzzer - CORRECT ANSWERS A tool developed by Microsoft to
find flaws in file-handling source code
BinScope Binary Analyzer - CORRECT ANSWERS A tool developed by
Microsoft to examine source code for general good practices
SDL Regex Fuzzer - CORRECT ANSWERS A tool developed by Microsoft for
testing certain pattern-matching expressions for potential vulnerabilities
good sources of secure coding guidelines - CORRECT ANSWERS CERT, NIST
800, BSI, an organization's internal coding guidelines
OS hardening - CORRECT ANSWERS the process of reducing the number of
available avenues through which our OS might be attacked
attack surface - CORRECT ANSWERS The total of the areas through which our
operating system might be attacked
6 main hardening categories - CORRECT ANSWERS 1. Removing unnecessary
software
2. Removing or turning off unessential services
3. Making alterations to common accounts
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing functions
Principle of Least Privilege - CORRECT ANSWERS states we should only allow
a party the absolute minimum permission needed for it to carry out its function
Stuxnet - CORRECT ANSWERS A particularly complex and impactful item of
malware that targeted the Supervisory Control and Data Acquisition (SCADA)
systems that run various industrial processes; this piece of malware raised the
bar for malware from being a largely virtual attack to being
physically destructive