1 | Page
C836 WGU Questions and Answers
bounds checking
Ans: to set a limit on the amount of data we expect to receive to set
aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions
Ans: A type of software development vulnerability that occurs when
multiple processes or multiple threads within a process control or share
access to a particular resource, and the correct handling of that resource
depends on the proper ordering or timing of transactions
input validation
Ans: a type of attack that can occur when we fail to validate the input to
our applications or take steps to filter out unexpected or undesirable
content
format string attack
Ans: a type of input validation attacks in which certain print functions
within a programming language can be used to manipulate or view the
internal memory of an application
authentication attack
Ans: A type of attack that can occur when we fail to use strong
authentication mechanisms for our applications
authorization attack
Ans: A type of attack that can occur when we fail to use authorization
best practices for our applications
© 2025 All rights reserved
, 2 | Page
cryptographic attack
Ans: A type of attack that can occur when we fail to properly design our
security mechanisms when implementing cryptographic controls in our
applications
client-side attack
Ans: A type of attack that takes advantage of weaknesses in the software
loaded on client machines or one that uses social engineering techniques
to trick us into going along with the attack
XSS (Cross Site Scripting)
Ans: an attack carried out by placing code in the form of a scripting
language into a web page or other media that is interpreted by a client
browser
XSRF (cross-site request forgery)
Ans: an attack in which the attacker places a link on a web page in such
a way that it will be automatically executed to initiate a particular
activity on another web page or application where the user is currently
authenticated
SQL Injection Attack
Ans: Attacks against a web site that take advantage of vulnerabilities in
poorly coded SQL (a standard and common database software
application) applications in order to introduce malicious program code
into a company's systems and networks.
clickjacking
Ans: An attack that takes advantage of the graphical display capabilities
of our browser to trick us into clicking on something we might not
otherwise
server-side attack
© 2025 All rights reserved
, 3 | Page
Ans: A type of attack on the web server that can target vulnerabilities
such as lack of input validation, improper or inadequate permissions, or
extraneous files left on the server from the development process
Protocol issues, unauthenticated access, arbitrary code execution,
and privilege escalation
Ans: Name the 4 main categories of database security issues
web application analysis tool
Ans: A type of tool that analyzes web pages or web-based applications
and searches for common flaws such as XSS or SQL injection flaws, and
improperly set permissions, extraneous files, outdated software
versions, and many more such items
protocol issues
Ans: unauthenticated flaws in network protocols, authenticated flaws in
network protocols, flaws in authentication protocols
arbitrary code execution
Ans: An attack that exploits an applications vulnerability into allowing
the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation
Ans: An attack that exploits a vulnerability in software to gain access to
resources that the user normally would be restricted from accessing.
* via SQL injection or local issues
validating user inputs
Ans: a security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto)
© 2025 All rights reserved
, 4 | Page
Ans: A web server analysis tool that performs checks for many common
server-side vulnerabilities & creates an index of all the files and
directories it can see on the target web server (a process known as
spidering)
burp suite
Ans: A well-known GUI web analysis tool that offers a free and
professional version; the pro version includes advanced tools for
conducting more in-depth attacks
fuzzer
Ans: A type of tool that works by bombarding our applications with all
manner of data and inputs from a wide variety of sources, in the hope
that we can cause the application to fail or to perform in unexpected
ways
MiniFuzz File Fuzzer
Ans: A tool developed by Microsoft to find flaws in file-handling source
code
BinScope Binary Analyzer
Ans: A tool developed by Microsoft to examine source code for general
good practices
SDL Regex Fuzzer
Ans: A tool developed by Microsoft for testing certain pattern-matching
expressions for potential vulnerabilities
good sources of secure coding guidelines
Ans: CERT, NIST 800, BSI, an organization's internal coding guidelines
OS hardening
Ans: the process of reducing the number of available avenues through
which our OS might be attacked
attack surface
© 2025 All rights reserved
C836 WGU Questions and Answers
bounds checking
Ans: to set a limit on the amount of data we expect to receive to set
aside storage for that data
*required in most programming languages
* prevents buffer overflows
race conditions
Ans: A type of software development vulnerability that occurs when
multiple processes or multiple threads within a process control or share
access to a particular resource, and the correct handling of that resource
depends on the proper ordering or timing of transactions
input validation
Ans: a type of attack that can occur when we fail to validate the input to
our applications or take steps to filter out unexpected or undesirable
content
format string attack
Ans: a type of input validation attacks in which certain print functions
within a programming language can be used to manipulate or view the
internal memory of an application
authentication attack
Ans: A type of attack that can occur when we fail to use strong
authentication mechanisms for our applications
authorization attack
Ans: A type of attack that can occur when we fail to use authorization
best practices for our applications
© 2025 All rights reserved
, 2 | Page
cryptographic attack
Ans: A type of attack that can occur when we fail to properly design our
security mechanisms when implementing cryptographic controls in our
applications
client-side attack
Ans: A type of attack that takes advantage of weaknesses in the software
loaded on client machines or one that uses social engineering techniques
to trick us into going along with the attack
XSS (Cross Site Scripting)
Ans: an attack carried out by placing code in the form of a scripting
language into a web page or other media that is interpreted by a client
browser
XSRF (cross-site request forgery)
Ans: an attack in which the attacker places a link on a web page in such
a way that it will be automatically executed to initiate a particular
activity on another web page or application where the user is currently
authenticated
SQL Injection Attack
Ans: Attacks against a web site that take advantage of vulnerabilities in
poorly coded SQL (a standard and common database software
application) applications in order to introduce malicious program code
into a company's systems and networks.
clickjacking
Ans: An attack that takes advantage of the graphical display capabilities
of our browser to trick us into clicking on something we might not
otherwise
server-side attack
© 2025 All rights reserved
, 3 | Page
Ans: A type of attack on the web server that can target vulnerabilities
such as lack of input validation, improper or inadequate permissions, or
extraneous files left on the server from the development process
Protocol issues, unauthenticated access, arbitrary code execution,
and privilege escalation
Ans: Name the 4 main categories of database security issues
web application analysis tool
Ans: A type of tool that analyzes web pages or web-based applications
and searches for common flaws such as XSS or SQL injection flaws, and
improperly set permissions, extraneous files, outdated software
versions, and many more such items
protocol issues
Ans: unauthenticated flaws in network protocols, authenticated flaws in
network protocols, flaws in authentication protocols
arbitrary code execution
Ans: An attack that exploits an applications vulnerability into allowing
the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation
Ans: An attack that exploits a vulnerability in software to gain access to
resources that the user normally would be restricted from accessing.
* via SQL injection or local issues
validating user inputs
Ans: a security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto)
© 2025 All rights reserved
, 4 | Page
Ans: A web server analysis tool that performs checks for many common
server-side vulnerabilities & creates an index of all the files and
directories it can see on the target web server (a process known as
spidering)
burp suite
Ans: A well-known GUI web analysis tool that offers a free and
professional version; the pro version includes advanced tools for
conducting more in-depth attacks
fuzzer
Ans: A type of tool that works by bombarding our applications with all
manner of data and inputs from a wide variety of sources, in the hope
that we can cause the application to fail or to perform in unexpected
ways
MiniFuzz File Fuzzer
Ans: A tool developed by Microsoft to find flaws in file-handling source
code
BinScope Binary Analyzer
Ans: A tool developed by Microsoft to examine source code for general
good practices
SDL Regex Fuzzer
Ans: A tool developed by Microsoft for testing certain pattern-matching
expressions for potential vulnerabilities
good sources of secure coding guidelines
Ans: CERT, NIST 800, BSI, an organization's internal coding guidelines
OS hardening
Ans: the process of reducing the number of available avenues through
which our OS might be attacked
attack surface
© 2025 All rights reserved
