What attack will his program expose the web application to?
Kevin has been asked to write a short program to gather user input for a web application. He likes
to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used
printf("%s", str). What attack will his program expose the web application to?
what do you think Jane has changed?
Jane has just accessed her preferred e-commerce web site and she has seen an item she would
like to buy. Jane considers the price a bit too steep; she looks at the page source code and
decides to save the page locally to modify some of the page variables. In the context of web
application security, what do you think Jane has changed?
What attack is being depicted here?
Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.
Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;
After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
What attack is being depicted here?
It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at.
_________ ensures that the enforcement of organizational security policy does not rely on
voluntary web application user compliance. It secures information by assigning sensitivity labels
on information and comparing this to the level of security a user is operating at.
Is there some way to go back and see the code for that error?
Say that "abigcompany.com" had a security vulnerability in the JavaScript on their website in the
past. They recently fixed the security vulnerability, but it had been there for many months. Is there
some way to go back and see the code for that error?
Select the best answer.
Which of the following is the best way an attacker can passively learn about technologies used in an organization?
Which of the following is the best way an attacker can passively learn about technologies used in
an organization?
Which of the following is most effective against passwords?
Which of the following is most effective against passwords?
What can you infer from the exploit given?
The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort
reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability
(UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to
run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious
user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS
server. He does a quick query to discover that the directory exists, and a query to msadcs.dll
shows that it is functioning correctly. The attacker makes an RDS query which results in the
commands being run as shown below:
What can you infer from the exploit given?
Choose the attack type from the choices given below.
Bill is attempting a series of SQL queries in order to map out the tables within the database that he
is trying to exploit.
Choose the attack type from the choices given below.