
THE P.T. 7: ( ex.15 )
48 questions • 6 months ago
  • The R.S.S.H Delivery Company

    Question list

  • 1

    Which of the following secure coding best practices ensures special characters like <, /, and ' are not accepted from the user via a web form?

    - Input validation

  • 2

    This implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session I.D.

    - Session management

  • 3

    This involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

    - Output encoding

  • 4

    Done poorly, this can introduce various security problems, such as detailed internal error messages (stack traces, database dumps, and error codes) being displayed to an attacker.

    - Error handling

  • 5

    An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose?

    - Kerberos

  • 6

    This is a networking protocol that provides centralized AAA management for users who connect and use a network service. It operates on a client-server model, where network access servers (NAS), like Wi-Fi access points or VPN concentrators, act as RADIUS clients and forward authentication requests to a central RADIUS server.

    - RADIUS

  • 7

    This is an enhanced and proprietary version of the original TACACS protocol, primarily developed by Cisco. It is a robust network security protocol that provides centralized AAA services for network devices, offering significantly more granular control and enhanced security features.

    - TACACS+

  • 8

    Developed in 1984, this was a network protocol primarily used for communicating with an authentication server, common in older UNIX networks. It also provides centralized AAA services.

    - TACACS

  • 9

    Also known as the Bash bug, this is a critical vulnerability that was discovered in 2014. It affected the Bash shell, a widely used command-line interface in Unix-based systems, and allowed attackers to execute arbitrary commands remotely by passing crafted environment variables to Bash (for example through CGI scripts), posing a severe risk to the security and integrity of affected systems.

    - Shellshock

  • 10

    This was a critical security vulnerability discovered in 2015 that affected the Android operating system. It allowed attackers to exploit flaws in the libstagefright media playback library, enabling remote execution of malicious code through a specially crafted multimedia message (MMS), in some cases without any user interaction.

    - Stagefright

  • 11

    This is a security vulnerability that was discovered in 2015, affecting the Diffie-Hellman key exchange used in TLS. It allowed a man-in-the-middle attacker to downgrade connections to 512-bit export-grade Diffie-Hellman groups, making it practical to decrypt and intercept what should have been secure communications.

    - Logjam

  • 12

    Drupalgeddon refers to a highly critical vulnerability discovered in the Drupal content management system in 2014. It was an SQL injection flaw in the Drupal 7 database abstraction API that could be escalated to remote code execution, enabling attackers to gain unauthorized access to Drupal-based websites and potentially compromise sensitive data.

    - Drupalgeddon

  • 13

    An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system?

    - which bash

  • 14

    This command lists an entry named bash in the current directory (or the contents of a directory named bash); it does not search the PATH for the shell binary.

    - ls bash

  • 15

    This command is used to list the contents of a directory, much like ls does.

    - dir bash

  • 16

    This command would print the value of the specified environment variable, bash in this example (normally unset), not the location of the shell.

    - printenv bash

  • 17

    DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?

    - Static code analyzer

  • 18

    This is a testing technique that aids in understanding how a system behaves when stressed in unusual ways.

    - Fault injector

  • 19

    This is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully.

    - Decompiler

  • 20

    This is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program and monitoring it for crashes, failed assertions, or memory errors.

    - Fuzzer

  • 21

    H.T.T.P. Codes - Indicates a successful GET or POST request (OK)

    - Code 200

  • 22

    H.T.T.P. Codes - Indicates that a PUT or POST request has succeeded in creating a resource (Created)

    - Code 201

  • 23

    H.T.T.P. Codes - Any code in this range indicates that the server is redirecting the client to another location.

    - Code 3.x.x.

  • 24

    H.T.T.P. Codes - Any code in this range indicates an error in the client request.

    - Code 4.x.x.

  • 25

    H.T.T.P. Codes - Indicates that a request could not be parsed by the server.

    - Code 400

  • 26

    H.T.T.P. Codes - Indicates that a request did not supply authentication credentials.

    - Code 401

  • 27

    H.T.T.P. Codes - Indicates that a request did not have sufficient permissions.

    - Code 403

  • 28

    H.T.T.P. Codes - Indicates that the client requested a non-existent resource.

    - Code 404

  • 29

    H.T.T.P. Codes - Any code in this range indicates a server-side issue.

    - Code 5.x.x.

  • 30

    H.T.T.P. Codes - Indicates a general error on the server-side of the application.

    - Code 500

  • 31

    H.T.T.P. Codes - Indicates a bad gateway: the server, acting as a proxy or gateway, received an invalid response from the upstream server.

    - Code 502

  • 32

    H.T.T.P. Codes - Indicates an overloading of the server is causing service unavailability.

    - Code 503

  • 33

    H.T.T.P. Codes - Indicates a gateway timeout: the server, acting as a proxy or gateway, did not receive a timely response from the upstream server.

    - Code 504

  • 34

    S.M.T.P. Status Codes - indicates the server is ready.

    - Code 220

  • 35

    S.M.T.P. Status Codes - indicates the message is accepted.

    - Code 250

  • 36

    S.M.T.P. Status Codes - indicates the service is not available.

    - Code 421

  • 37

    S.M.T.P. Status Codes - indicates that the server cannot access the mailbox to deliver a message.

    - Code 450

  • 38

    S.M.T.P. Status Codes - indicates the local server aborted the action due to a processing error.

    - Code 451

  • 39

    S.M.T.P. Status Codes - indicates the local server has insufficient storage space available.

    - Code 452

  • 40

    Commonly used elements: Matches a single instance of a character within the brackets, such as [a-z], [A-Z], [0-9], [a-zA-Z0-9], [\s] (white space), or [\d] (single digit)

    - [...]

  • 41

    Commonly used elements: Matches one or more occurrences and is called a quantifier, such as \d+ matching one or more digits.

    - +

  • 42

    Commonly used elements: Matches zero or more occurrences, such as \d* matching zero or more digits

    - *

  • 43

    Commonly used elements: Matches zero or one occurrence, such as \d? matching zero or one digit

    - ?

  • 44

    Commonly used elements: Matches the number of times within the curly braces, such as \d{3} matching exactly three digits or \d{7,10} matching seven to ten digits

    - {}

  • 45

    Commonly used elements: Defines a matching group with a regex sequence placed within the parentheses, and then each group can subsequently be referred to by \1 for the first group, \2 for the second, and so on

    - (...)

  • 46

    Commonly used elements: The OR logical operator to match conditions as “this or that”

    - |

  • 47

    Commonly used elements: The regex will only match at the start of a line when searching

    - ^

  • 48

    Commonly used elements: The regex will only match at the end of a line when searching

    - $
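The four secure-coding practices of items 1 to 4 side by side, as an added Python example that is not part of the original quiz: an allowlist check for a username field (input validation), a session ID drawn from the OS CSPRNG (session management), HTML encoding of free text at the point of output (output encoding), and a request handler that logs failures in full but returns only a generic message and a correlation id (error handling). The field names, the allowlist, and the handler are assumptions chosen for illustration.

```python
import html
import logging
import re
import secrets
import uuid

log = logging.getLogger("webapp")

# Input validation (item 1): an allowlist for a username field. Anything outside
# the allowed set, including '<', '/', and the apostrophe, is rejected outright
# rather than "cleaned", so it never reaches application logic. The allowlist
# itself is an assumption chosen for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_username(raw):
    # fullmatch anchors both ends; unlike a trailing `$`, it does not accept "abc\n".
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def new_session_id():
    # Session management (item 2): the ID exchanged in the cookie must be
    # unguessable, so it comes from the OS CSPRNG (256 bits), never a counter
    # or a hash of the username.
    return secrets.token_urlsafe(32)


def render_profile(username, bio):
    # Output encoding (item 3): the bio is free text and may legitimately contain
    # '<' or '&'. It is encoded for the HTML interpreter at the point of output
    # ('<' becomes '&lt;', '"' becomes '&quot;'), so the browser treats it as
    # data, not markup.
    return (
        "<h1>" + html.escape(username) + "</h1>"
        "<p>" + html.escape(bio, quote=True) + "</p>"
    )


def handle_request(params):
    # Error handling (item 4): validation failures get a 400 with a generic body;
    # anything unexpected is logged in full server-side under a correlation id,
    # and the client sees only that id, never the stack trace or database error.
    try:
        username = validate_username(params.get("user", ""))
        body = render_profile(username, params.get("bio", ""))
        return 200, body
    except ValueError:
        return 400, "<p>Bad request.</p>"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error, ref=%s", ref)
        return 500, "<p>Internal error (ref %s).</p>" % ref
```

Note the split between the two fields: the username is validated because the application only ever needs a narrow character set there, while the bio is encoded because rejecting `<` or `&` from free text would be a usability bug; the two practices are complementary, not interchangeable.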

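The regex elements of items 40 to 48 put to work on the HTTP status classes of items 21 to 33, as an added Python example that is not part of the original quiz: one anchored pattern with character classes, counted repetition, alternation and named groups parses access-log lines, the status codes are bucketed by class (2xx, 3xx, 4xx, 5xx) per client, and clients whose traffic is mostly 403/404 are flagged as likely forced browsing. The log lines are constructed for this example and the thresholds are assumptions; two small functions at the end show the `$` anchor pitfall and a `\1` backreference.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Common Log Format); not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /api/items HTTP/1.1" 201 87
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /api/items/9 HTTP/1.1" 200 412
198.51.100.2 - - [10/Oct/2023:13:56:03 +0000] "GET /old HTTP/1.1" 301 0
198.51.100.2 - - [10/Oct/2023:13:56:04 +0000] "GET /report HTTP/1.1" 502 0
this line is not a log record
"""

# One pattern built from the listed elements:
#   ^ and $         anchor the whole line
#   \d{1,3}, {3}    counted repetition (an IPv4 octet, three dotted octets)
#   [^\]]+          a negated character class with the + quantifier
#   GET|POST|...    alternation
#   (?P<name>...)   capturing groups, named so the result reads as a record
#   \d+|-           alternation for the "-" a server logs when the size is unknown
LOG_RE = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) \S+ \S+ "
    r"\[(?P<ts>[^\]]+)\] "
    r'"(?P<method>GET|POST|PUT|DELETE|HEAD) (?P<path>\S+) HTTP/\d\.\d" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)$"
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not a log record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def status_class(code):
    """Map a status code to its class: 2xx success, 3xx redirect, 4xx client error, 5xx server error."""
    classes = {2: "success", 3: "redirect", 4: "client_error", 5: "server_error"}
    return classes.get(code // 100, "other")


def summarize(log_text):
    """Count status classes per client IP; unparseable lines are skipped."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]][status_class(int(rec["status"]))] += 1
    return per_ip


def suspicious_ips(per_ip, min_requests=4, min_4xx_ratio=0.6):
    """Flag clients whose requests are mostly 403/404, the signature of forced
    browsing or path enumeration. The thresholds are assumptions for this example."""
    flagged = []
    for ip, counts in per_ip.items():
        total = sum(counts.values())
        if total >= min_requests and counts["client_error"] / total >= min_4xx_ratio:
            flagged.append(ip)
    return flagged


def dollar_anchor_pitfall():
    """`$` also matches just before a trailing newline, so `^[a-z]+$` with re.match
    accepts 'abc\\n'. For input allowlists use re.fullmatch (or \\Z) instead."""
    loose = re.match(r"^[a-z]+$", "abc\n") is not None
    strict = re.fullmatch(r"[a-z]+", "abc\n") is not None
    return loose, strict


def repeated_word(text):
    """Group plus backreference: (\\w+) captures a word and \\1 demands the same word again."""
    m = re.search(r"\b(\w+)\s+\1\b", text)
    return m.group(1) if m else None
```

The same per-class bucketing works for the 5xx side: a burst of 502/504 from one upstream is a capacity or outage signal rather than an attack, which is why the summary keeps the classes apart instead of counting "errors".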