PrepAway - Latest Free Exam Questions & Answers

Tag: Exam 412-79v8

Exam 412-79v8: EC-Council Certified Security Analyst (ECSA) v8

What is the database name?

One comment

A Blind SQL injection is a type of SQL Injection attack that asks the database true or false
questions and determines the answer based on the application response. This attack is often
used when the web application is configured to show generic error messages, but has not
mitigated the code that is vulnerable to SQL injection.

It is performed when an error message is not received from application while trying to exploit
SQL vulnerabilities. The developer’s specific message is displayed instead of an error
message. So it is quite difficult to find SQL vulnerability in such cases.
A pen tester is trying to extract the database name by using a blind SQL injection. He tests
the database using the below query and finally finds the database name.
http://juggyboy.com/page.aspx?id=1 ; IF (LEN(DB_NAME())=4) WAITFOR DELAY
’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((DB_NAME()),1,1)))=97)
WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((DB_NAME()),2,1)))=98)
WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((DB_NAME()),3,1)))=99)
WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((DB_NAME()),4,1)))=100)
WAITFOR DELAY ’00:00:10′–
What is the database name?

Which of the following TCP/IP layers selects the best path through the network for packets to travel?

3 comments

TCP/IP model is a framework for the Internet Protocol suite of computer network protocols
that defines the communication in an IP-based network. It provides end-to-end connectivity
specifying how data should be formatted, addressed, transmitted, routed and received at the
destination. This functionality has been organized into four abstraction layers which are used
to sort all related protocols according to the scope of networking involved.

Which of the following TCP/IP layers selects the best path through the network for packets to travel?

Which of the following ICMP messages will be generated if the destination port is not reachable?

One comment

Internet Control Message Protocol (ICMP) messages occur in many situations, such as
whenever a datagram cannot reach the destination or the gateway does not have the
buffering capacity to forward a datagram. Each ICMP message contains three fields: type,
code, and checksum. Different types of Internet Control Message Protocols (ICMPs) are
identified by a type and code field.

Which of the following ICMP messages will be generated if the destination port is not reachable?

Which of the following fuzz testing she will perform where she can supply specific data to the application to

3 comments

Fuzz testing or fuzzing is a software/application testing technique used to discover coding
errors and security loopholes in software, operating systems, or networks by inputting
massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
Fuzzers work best for problems that can cause a program to crash, such as buffer overflow,
cross-site scripting, denial of service attacks, format bugs, and SQL injection. Fuzzer helps
to generate and submit a large number of inputs supplied to the application for testing it
against the inputs. This will help us to identify the SQL inputs that generate malicious output.
Suppose a pen tester knows the underlying structure of the database used by the application
(i.e., name, number of columns, etc.) that she is testing. Which of the following fuzz testing

she will perform where she can supply specific data to the application to discover
vulnerabilities?


Page 12 of 15« First...1011121314...Last »