  1.  You are examining connection logs from a client machine and come across this entry:
Which attack does this most likely indicate?
A.  Parameter manipulation
B.  XSS
C.  SQL injection
D.  Directory traversal
D. Sure, directory traversal is an older attack (working mainly on now-outdated servers), but it’s still worth a shot and, more importantly to you, dear reader, it’s going to be on your test. In this attack, the hacker attempts to access restricted directories and execute commands outside intended web server directories. Also known as the dot-dot-slash attack, directory climbing, and backtracking, this attack basically sends HTTP requests asking the server to drop back to the root directory and give access to other folders. Assuming you know the folder directory structure, and the location where you want to run commands and so on, this one is easy enough to pull off.
A is incorrect because parameter manipulation (also known as parameter tampering) deals with changing portions of the URL string in hopes of modifying data or eliciting a response. An example might be changing the “orderID” portion of a URL string to see if you can peruse other users’ information.
B is incorrect because cross-site scripting (XSS) isn’t being discussed in this question. XSS is all about website design and dynamic content, passing client-side scripts into a web page viewed by a different person. In addition to simply bringing it down in a good old DoS attack, XSS can also be used to steal users’ cookies, upload malicious code to users connected to the server, and send pop-up messages to users.
C is incorrect because SQL injection is not being performed here. SQL injection involves passing SQL queries through a web front end to manipulate, display, replace, or destroy records in the underlying database.
  2.  A hacker is looking at a publicly facing web front end. One of the pages provides an entry box with the heading “Forgot password? Enter your email address.” In the entry, he types anything' OR '1'='1.
A message appears stating, “Your login information has been sent to [email protected].”
Which of the following is true?
A.  The cross-site scripting attempt has succeeded.
B.  The SQL injection attempt has succeeded.
C.  The parameter tampering has succeeded.
D.  The buffer overflow attempt has succeeded.
B. Any time you see ’ or 1=1, I can promise you it’s a SQL injection question. Because the hacker got a response, this site is susceptible to SQL injection. As an aside, it’s just as likely an attempt like this may fail to return an actual record, but if it does you may wind up getting valuable information anyway in the form of an error message from the underlying SQL database. Remember with SQL you’re simply trying to pass SQL queries through an entry point never made to take them (at least, not designed or thought of to do so anyway). What’s going on here, as much as we can tell from the question, is a result has been returned from the site from input designed as a SQL query, and not the designed user input (username or e-mail address).
A is incorrect because this is not an XSS attempt. Cross-site scripting would involve something like JavaScript inserting data into the page—usually to manipulate web content.
C is incorrect because parameter tampering is not in use here. Parameter tampering is inside the URL itself, manipulating parameters to change the response to something you’re looking for (changing order=13752+user=500 to order=13752+user=1 inside the URL, or something like that).
D is incorrect because buffer overflow is not in play here. Buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application).
  3.  A pen tester is examining a web front end on a target network. The page displays a “Search” text box form entry, allowing the user to search for items on the site. Instead of entering a search text string, the tester enters <script>'It Worked'</script>. After the tester clicks the Search button beside the entry box, a pop-up appears stating, “It Worked.” Which of the following is true regarding this attempt?
A.  The site is vulnerable to XSS.
B.  Coding on the site is poor, and a buffer overflow attack may result in a DoS.
C.  The attacker’s next entry in the Search box should be ' OR '1'='1.
D.  This is expected behavior on properly configured sites.
A. A somewhat simplistic but undeniably classic example of cross-site scripting. A common cross-site scripting attempt is to insert malicious script into an input field on a site. If the site is not configured properly, it’ll become confused and execute the script instead of erroring out and telling you you’re naughty. By manipulating input fields, you can accomplish all sorts of things, such as redirecting users to an alternate site, stealing cookies or other data from users, and performing a plain-old DoS against the site/server.
B is incorrect because, although the site is undeniably configured poorly, there is no indication here a buffer overflow will work at all. It might, later, but we just can’t tell from this.
C is incorrect because there is no indication here of a SQL injection vulnerability. As before, it may very well be vulnerable, but this question doesn’t provide that information.
D is incorrect because the site is configured poorly to even allow XSS in the first place.
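Added example, not from the book: the search page's output rendered twice, once reflecting the raw term and once HTML-encoded with Python's html.escape, with a check for whether a parseable script tag survived. The page fragment, inputs and function names are constructed for the demo.

```python
import html

# Constructed inputs: an ordinary search term and the script a tester typed in the question above.
SEARCH_INPUTS = ["router", "<script>'It Worked'</script>"]


def render_results_vulnerable(term):
    """Reflects the raw search term into the page, so the browser parses any tag it contains."""
    return f"<p>Results for: {term}</p>"


def render_results_safe(term):
    """HTML-encodes the term first: <, >, &, and both quote characters become entities."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_live_script(rendered):
    """Reviewer's check on the rendered page: is there still a parseable <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for term in SEARCH_INPUTS:
        raw, safe = render_results_vulnerable(term), render_results_safe(term)
        print(f"raw : {raw}\n      live script? {contains_live_script(raw)}")
        print(f"safe: {safe}\n      live script? {contains_live_script(safe)}")
```

Encoding has to match the output context: html.escape is right for text nodes and attribute values, not for data dropped inside a script block or a URL.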
  4.  Which of the following is representative of a parameter-tampering attack?
C. Parameter tampering (a.k.a. URL tampering) is an attack where the hacker searches a URL string for parameters that can be adjusted. These entries are then manipulated within the URL string in hopes of modifying data, such as permissions and elevation of privilege, prices and quantities of goods, and credentials. In this example, you can clearly see the “price” parameter as part of the URL. Why not change price to 1 and see if you can’t get the product on the cheap? Other tampering scenarios you’ll probably see on your exam will have admin=0 or admin=no in the URL.
A is incorrect because this is a directory traversal example. Note the “../” entries, attempting to follow the directory tree back to execute a command.
B and D are incorrect, but only because of a slight delineation applicable to your test taking. It can be argued that these two are also examples of parameter manipulation, because the URL is being adjusted for a purpose. However, your exam will count these as examples of SQL injection attempts. Yes, this is normally done in a form on the page, passing commands into an entry box, but there’s no reason why you can’t try the same thing from the URL. In answer B, the attacker is attempting to update a table, whereas in answer D the standard ‘OR 1=1 has been entered to elicit a SQL response.
  5.  A security administrator is called for advice. The sales staff has noticed a large amount of orders being filled at prices far below those posted on the site. After some research, it does not appear that the web server or the underlying SQL database have been directly compromised. Next, the security administrator reviews IDS logs and finds nothing unusual. Additionally, the local logs on the server itself do not show anything indicating a problem. Which of the following is the most likely explanation for the false orders?
A.  The website uses hidden fields for price values, which have been altered by the attacker.
B.  SQL injection has been used to update pricing in the database. After the order was placed, pricing was reset to normal, to cover tracks.
C.  Server-side scripting was used to alter the price.
D.  A tool such as Metasploit was used to carry out the attack.
A. This is actually more common than you might think. No, I’m not advising you to go do your Christmas shopping early—that could get you in serious trouble—I’m just stating an outright fact that many websites simply don’t have their collective stuff together. If you view the source code for a site offering products for sale, many times you can find the pricing secreted away in a “hidden” field (just do a search for “hidden” on the form). If you copy that source to your computer, alter the value in the hidden field, save and launch in the browser, you can order at whatever price you set.
B and C are both incorrect for the same reason. This level of interaction would most certainly be easy to spot between the IDS and server logs. SQL injection involves passing SQL queries and commands through the interface and would be evident in the logs. SSIs (Server Side Includes) are directives placed in HTML pages and evaluated on the server while the pages are being served.
D is incorrect because there is simply no evidence any tool has been used here. Of course, this might have been a super-talented, ace hacker who jumped in and out of the site leaving absolutely no crumbs to track him down with, but it’s very unlikely.
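Added example, not from the book: a checkout routine that re-prices every line from a server-side catalog instead of trusting the hidden price field, plus a mismatch check that would have given the administrator in this question something to find in the logs. The catalog, SKUs, prices and sample order are constructed.

```python
from dataclasses import dataclass

# Constructed server-side catalog: the only price source the server should trust.
CATALOG = {"SKU-100": 249.99, "SKU-200": 19.50}


@dataclass
class OrderLine:
    sku: str
    qty: int
    submitted_price: float  # whatever came back in the form's hidden 'price' field


def total_trusting_hidden_field(lines):
    """Vulnerable: charges the price the browser sent back, as in the question above."""
    return round(sum(line.submitted_price * line.qty for line in lines), 2)


def total_from_catalog(lines):
    """Hardened: ignores the submitted price and re-prices each line from the catalog."""
    for line in lines:
        if line.sku not in CATALOG or line.qty <= 0:
            raise ValueError(f"rejecting line {line.sku!r}: unknown SKU or bad quantity")
    return round(sum(CATALOG[line.sku] * line.qty for line in lines), 2)


def price_mismatches(lines):
    """Detection: lines whose submitted price differs from the catalog. Writing these to a
    log is the evidence the administrator in the question could not find in IDS or server logs."""
    return [
        (line.sku, line.submitted_price, CATALOG[line.sku])
        for line in lines
        if line.sku in CATALOG and abs(line.submitted_price - CATALOG[line.sku]) > 0.005
    ]


# Constructed order: the first line is honest, the second line's hidden field was edited down to 1.00.
SAMPLE_ORDER = [OrderLine("SKU-200", 2, 19.50), OrderLine("SKU-100", 1, 1.00)]

if __name__ == "__main__":
    print("charged if hidden field trusted:", total_trusting_hidden_field(SAMPLE_ORDER))
    print("charged from catalog:           ", total_from_catalog(SAMPLE_ORDER))
    for sku, sent, real in price_mismatches(SAMPLE_ORDER):
        print(f"ALERT price tamper sku={sku} submitted={sent} catalog={real}")
```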
  6.  A tool named StackGuard is put in place to assist in preventing buffer overflow attacks. Which of the following is used by StackGuard to accomplish this?
A.  Cookies
B.  Input validation
C.  Canary words
D.  CGI manipulation
C. Canaries or canary words are known values placed between the buffer and control data. If a buffer overflow occurs, the canary word will be altered first, triggering a halt to the system. StackGuard was released way back in 1997 as an extension for the GNU Compiler Collection (GCC), a compiler produced by the GNU Project. When it comes to buffer overflow protection and this exam, you need to know canaries, input validation, and StackGuard.
A is incorrect because cookies are not used for buffer overflow prevention. A cookie is a small, text-based file that is stored on your system for use by the web server the next time you log in, in an effort to provide a continuous, stable web view for customers, and to make things easier for return surfers. Cookies are sent in the header of an HTTP response from a web server and may or may not have an expiration date.
B is incorrect because StackGuard does not perform input validation. This is not to say that input validation is not a preventative measure against buffer overflow—it is. You just need to know that the design of StackGuard is to make use of canaries in prevention.
D is incorrect because CGI manipulation plays no role here and is included as a distractor. CGI (Common Gateway Interface) is a standard method for web servers to pass a user’s request to an application program and receive data back to forward to the user.
  7.  The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A.  SQL injection
B.  Buffer overflow
C.  Parameter tampering
D.  Cookie manipulation
B. A buffer overflow is an attempt to write more data into an application’s pre-built buffer area in order to overwrite adjacent memory, execute code, or crash a system (application). By inputting more data than the buffer is allocated to hold, you may be able to crash the application or machine or alter the application’s data pointers. gets() is a common source of buffer overflow vulnerabilities because it reads a line from standard input into a buffer until a terminating EOF is found. It performs no check for buffer overrun and is largely replaced by fgets().
A is incorrect because SQL injection has nothing to do with this scenario. No evidence is presented that this software even interacts with a database.
C is incorrect because parameter tampering deals with manipulating a URL.
D is incorrect because cookie manipulation has nothing to do with this software. As covered earlier, a cookie is a small file used to provide a more consistent web experience for a web visitor. Because it holds all sorts of information, though, it can be manipulated for nefarious purposes (using the Firefox add-on Cookie Editor, for instance).
  8.  Which code entry will stop input at 100 characters?
A.  if (I > 100) then exit (1)
B.  if (I >= 100) then exit (1)
C.  if (I <= 100) then exit (1)
D.  if (I < 100) then exit (1)
B. There won’t be very many pure coding type questions on the exam, and when they do appear they’re pretty clear cut. Because 0 (zero) is used in counting in most computer programming code (many indeed start at 1, but the examples in your exam don’t), any value from 0 to 99 would suffice. Thus, an entry of 100 would represent the 101st character. Therefore, you can accept anything less than 100 as a character count: “I” must be less than 100 to be accepted, and if it’s 100 or above, exit and quit. So, if the character value count is equal to 100, or greater, exit the program (I >= 100).
A, C, and D are all incorrect expressions. (I > 100) indicates any entry greater than 100, which does work; however, it leaves the extra 101st entry (that is, 100) as acceptable. (I < 100) would exit on any character entry less than 100 (meaning the only acceptable entries would be 101 characters or more—the exact opposite of what we’re trying to accomplish). Finally, (I <= 100) is just as bad, for obvious reasons.
  9.  You are examining cookies provided from a target website and come across this sample:
image
Which of the following statements is true regarding this site?
A.  Cookie tampering may provide additional access to information on or through the site.
B.  Cookie tampering is prevented.
C.  An underlying SQL database is in use on this site.
D.  This is a zombie cookie.
A. Although it may fail miserably, altering a cookie might lead to additional access to information on or through the site. In the example provided, we can clearly see a portion that reads “ADMIN=NO.” Well, what would happen if you changed it to “ADMIN=YES”? Again, it may seem simplistic and may not change a thing, but editing this cookie and going back to the site may very well easily open a door for you. Cookie Editor is an add-on in Firefox for doing just this (be careful of versioning with this, though, because the original Cookie Editor add-on stopped working on Firefox 15.0).
B is incorrect because nothing in this sample indicates any sort of tamper prevention. As a matter of fact, the cookie itself is merely a text file, so there wouldn’t be any indication of tamper prevention in the first place.
C is incorrect because nothing in this cookie points to anything SQL- or database-related at all. Does the site use a backend SQL database? Maybe, but we can’t tell that from a cookie.
D is incorrect because there is no way to tell from this output whether or not the cookie is a zombie. Zombie cookies are re-created after deletion from backups stored outside your browser’s normal cookie storage area. They are very difficult to remove, and may even install on a browser that does not receive cookies (due to where they are stored).
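What tamper prevention would actually look like, as an added example that is not from the book: the server appends an HMAC-SHA256 tag to the cookie value, so changing ADMIN=NO to ADMIN=YES in a cookie editor invalidates the cookie. The key, the cookie contents and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed secret for the demo; a real deployment keeps this out of the source tree.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(value, key):
    """Base64 (URL-safe, unpadded) HMAC-SHA256 of the cookie's readable part."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(value, key=SECRET_KEY):
    """Return '<value>.<tag>'; the client can read the value but cannot forge the tag."""
    return value + "." + _tag(value, key)


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the cookie's value if its tag is valid, otherwise None (reject the request)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all: treat as tampered
    # Constant-time comparison on bytes, so response time leaks nothing about the tag.
    if not hmac.compare_digest(_tag(value, key).encode("ascii"), tag.encode("utf-8")):
        return None
    return value


def edit_cookie(cookie, old, new):
    """Simulate a cookie editor changing the readable part and leaving the tag alone."""
    value, sep, tag = cookie.rpartition(".")
    return value.replace(old, new) + sep + tag


# Constructed cookie modelled on the sample in the question.
ORIGINAL = "USER=walker;ADMIN=NO"

if __name__ == "__main__":
    signed = sign_cookie(ORIGINAL)
    print("issued  :", signed, "->", verify_cookie(signed))
    edited = edit_cookie(signed, "ADMIN=NO", "ADMIN=YES")
    print("edited  :", edited, "->", verify_cookie(edited))
    print("unsigned:", "ADMIN=YES", "->", verify_cookie("ADMIN=YES"))
```

Signing keeps the value readable, so anything secret in the cookie still needs encrypting; what the tag prevents is the edited ADMIN value being accepted.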
10.  Which of the following tools can be used to clone a copy of a website to your machine, to be scrutinized later?
A.  BurpSuite
B.  NetCraft
C.  HttpRecon
D.  BlackWidow
D. BlackWidow is an easy-to-use application that can perform all sorts of things—mainly, to this question, downloading a clone of a website for scanning and vulnerability discovery at your leisure. The following is from the developer’s website (sbl.net): “Black Widow is a state-of-the-art website scanner for both experts and beginners. It can download an entire website, or download portions of a site, and can build a site structure first, then download later; you select what to download. The integrated scripting engine is an easy to learn and use programming language to facilitate scanning ‘hard to scan’ sites. It allows you to control the scan by trapping the scanner event so you can process the request yourself.”
A is incorrect because BurpSuite isn’t designed to pull an entire copy of a website externally and run through tests. The following is from the website (http://www.portswigger.net/burp/): “BurpSuite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.”
B is incorrect because NetCraft isn’t a tool to be used for this purpose. NetCraft is actually a security corporation in England that provides all sorts of security tools aimed at the web sector. They’re currently well known for their anti-phishing toolbar, which was hailed by Microsoft as being “among the most effective tools to combat phishing on the Internet.” This probably explains why Microsoft purchased licensing for NetCraft and added that functionality in Internet Explorer 7 as Microsoft Phishing Filter (also known as SmartScreen Filter in IE8).
C is incorrect because HttpRecon isn’t used in this manner. HttpRecon is known as a web server fingerprinting tool, providing “highly accurate identification of given httpd implementations” (http://www.computec.ch/projekte/httprecon/). HttpRecon uses traditional approaches, such as banner-grabbing, status code enumeration, and header ordering analysis, but also adds other analytical techniques to increase accuracy.
11.  Which character is your best option in testing for SQL injection vulnerability?
A.  The @ symbol
B.  A double dash
C.  The + sign
D.  A single quote
D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command: When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:
image
In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything behind it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with it. If the web page is configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.
A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you’ll need to define the variable, of course). The + sign is used to combine strings together (as in Matt+Walker). A double dash indicates an upcoming comment in the line.
12.  A web administrator asks you for a recommendation on a vulnerability scanner for his server. Which of the following are appropriate choices? (Choose all that apply.)
A.  NetCat
B.  Nessus
C.  Nikto
D.  Nmap
B and C. Both Nessus and Nikto are well-known vulnerability scanners. Nessus has been around seemingly forever, and is a de facto choice for many folks in the security field. The following is from the Tenable Network Security site: “Nessus® is the world’s most widely-deployed vulnerability and configuration assessment product with more than five million downloads to date. Nessus 5 features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.” Nikto is an open source scanner that’s more web server centric in its vulnerability assessment efforts. From the Nikto site (http://cirt.net/nikto2): “Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.” Keep in mind that neither tool is designed for stealth. These are security tools designed for security professionals to discover problems before the bad guys do. If you aim these tools at a site, you will be noticed.
A is incorrect because Netcat is not a vulnerability assessment tool. Sometimes referred to as a Swiss Army Knife for TCP/IP hacking, it is a utility that reads and writes data across network connections. The following is from the GNU Netcat project home page (http://netcat.sourceforge.net/): “It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.”
D is incorrect because nmap is not a vulnerability scanning tool. It is an open source utility for network discovery and security auditing. Per the website (http://nmap.org/): “Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.”
13.  Efforts to gain information from a target website have produced the following error message:
image
Which of the following best describes the error message?
A.  The site may be vulnerable to XSS.
B.  The site may be vulnerable to buffer overflow.
C.  The site may be vulnerable to SQL injection.
D.  The site may be vulnerable to a malware injection.
C. Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error, telling us (1) there’s an underlying SQL database to contend with and (2) it’s most likely not configured correctly (or we wouldn’t be getting an error message like this—through a web interface and telling us exactly what’s there—in the first place).
A, B, and D are all incorrect for the same reason: The error message simply doesn’t provide enough information to make those leaps. There is nothing here indicating cross-site scripting or buffer overflow on either side of the ledger. Although it’s true the error may be an indication as to which kinds of malware may increase your odds of success, there’s nothing there to indicate, by itself, that the site is vulnerable.
14.  Which buffer overflow attack is designed to make use of memory that remains in use while a program is running?
A.  Stack
B.  Heap
C.  Active
D.  Permanent
B. Granted, this is a little bit of a picky question, but you’ll definitely see something like this on your exam. Buffer overflows are all about the same thing: inputting more information into a buffer area that was designed for one action, in order to write code to a different area of memory so it can be executed. At best, the code will execute and you can do all sorts of good things. At worst, the program will reject the code and crash. A “heap” buffer attack takes advantage of the memory space set aside for the program itself. Heap is the memory area immediately “on top” of the program and is not temporary (it’s supposed to remain in use as long as the application is running). Pages in the heap can be read from and written to, which is what the attacker will be trying to exploit.
A is incorrect only because of the actual buffer area being exploited. Whereas heap is memory set aside in the application and is not “temporary,” the stack is designed that way: Each task is added on top of the previous tasks and is executed in order. Overflow the buffer, and you can affect which area executes.
C and D are incorrect because neither is a buffer overflow attack type. These are added as distractors.
15.  Which of the following is a standard method for web servers to pass a user’s request to an application program and receive data back to forward to the user?
A.  SSI
B.  SSL
C.  CGI
D.  CSI
C. Common Gateway Interface (CGI) is a standardized method for transferring information between a web server and an executable (a CGI script designed to perform some task with the data). CGI is considered a server-side solution because processing is done on the web server and not the client. Because CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user, and because they are almost always wrapped so that a script will execute as the owner of the script, they can be extremely dangerous if not carefully checked. Additionally, all CGI scripts on the server will run as the same user, so they have the potential to conflict (accidentally or deliberately) with other scripts (an attacker could, for example, write a CGI script to destroy all other CGI databases).
A is incorrect because SSIs (Server Side Includes) are directives placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program or other dynamic technology.
B and D are incorrect because both are included as distractors. By now you’re certainly familiar with Secure Sockets Layer (SSL) and its value as an encryption method. CSI? Well, that’s just good television. Or used to be, anyway.
16.  Which of the following are true given the following URL? (Choose all that apply.)
A.  The attacker is attempting a buffer overflow.
B.  The attacker is attempting directory traversal.
C.  The attacker is using SQL code.
D.  The attacker is using Unicode.
B and D. Directory traversal is easy enough to spot when it’s spelled out in readable format. The “dot-dot-slash” attack is designed to have older servers climb up and back down their directory tree to execute commands. One way to obfuscate this attempt is to make use of Unicode characters. Per the Unicode.org website, it “provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.” Unicode was invented because no single encoding method could contain enough characters (the example from the site included the European Union alone requiring several different encodings to cover all its languages). Unicode provided the standard for ensuring consistent encoding and text representation, and also succeeded in providing one more avenue for attackers to use.
A is incorrect because this is not a buffer overflow attempt.
C is incorrect because no SQL code is shown in the URL.
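A log-review check for the dot-dot-slash patterns in questions 1 and 16, added here as an example that is not from the book: each requested path is percent-decoded until it stops changing (so double encoding does not hide it), decoded as strict UTF-8 (so overlong Unicode forms are rejected rather than turned into a slash), and then resolved against the document root to see whether it escapes. The document root, function names and sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/var/www/html"  # constructed document root for the demo


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (catches double-encoded %252e%252e%252f).

    Decoding is strict UTF-8, so an overlong byte sequence such as %c0%af, the classic
    way of smuggling a '/' past a server that checked for '../' before decoding, raises
    instead of silently becoming a slash.  Returns None on bad encoding.
    """
    current = raw
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8")
        except UnicodeDecodeError:
            return None
        if decoded == current:
            break
        current = decoded
    return current


def classify(request_path):
    """Return 'ok', 'traversal' or 'bad-encoding' for a requested URL path."""
    decoded = decode_path(request_path)
    if decoded is None:
        return "bad-encoding"
    # Drop any query string and treat backslashes as separators (Windows-hosted roots).
    decoded = decoded.split("?", 1)[0].replace("\\", "/")
    # Resolve against the document root, collapsing every '..' segment, then check containment.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return "ok"
    return "traversal"


# Constructed requests: benign, a '..' that stays inside the root, plain dot-dot-slash,
# URL-encoded, double-encoded, and an overlong-UTF-8 (Unicode) form.
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/docs/../index.html",
    "/../../etc/passwd",
    "/images/..%2f..%2f..%2fetc%2fpasswd",
    "/images/%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/..%c0%af..%c0%afetc/passwd",
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each request to its verdict; anything not 'ok' is what a log reviewer wants flagged."""
    return {r: classify(r) for r in requests}


if __name__ == "__main__":
    for path, verdict in scan().items():
        print(f"{verdict:13} {path}")
```

Note that a '..' on its own is not the signal: the second sample resolves to /var/www/html/index.html and is fine; only a path that leaves the root, or one that would not decode cleanly, is flagged.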
17.  Which of the following can be used for remote password cracking of web servers? (Choose all that apply.)
A.  Brutus
B.  Nikto
C.  THC-Hydra
D.  Nessus
A and C. Brutus is a fast, flexible remote password cracker. According to the tool’s website (www.hoobie.net/brutus/), it was originally invented to help its creator check routers and network devices for default and common passwords. It has since grown and evolved to much more and is among the more popular security tools available for remote password cracking. THC-Hydra (www.thc.org/thc-hydra/) is another remote password cracker. It’s a “parallelized login cracker” that provides the ability to attack over multiple protocols.
B is incorrect because Nikto is not a remote password cracker. It’s an open source web-server-centric vulnerability scanner that performs comprehensive tests against web servers for multiple items.
D is incorrect because Nessus is not a remote password cracker—it’s a vulnerability assessment tool.
18.  An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?
A.  Shell injection
B.  File injection
C.  SQL injection
D.  URL injection
A. When it comes to web application attacks, there are many vectors and avenues to take. One of the more common is injecting something into an input string to exploit poor code. The EC Council defines these attacks in many ways. Shell injection is defined as an attempt to gain shell access using Java or other functions. In short, the attacker will pass commands through a form input (or other avenue) in order to elevate privileges and open a shell for further naughtiness. Also known as command injection, this occurs when commands are entered into form fields instead of the expected entry.
B is incorrect because the EC Council defines a file injection attack as one where the attacker injects a pointer in the web form input to an exploit hosted on a remote site. Sure, this may accomplish the same thing, but it’s not the best choice in this case.
C is incorrect because SQL injection attacks involve using SQL queries and commands to elicit a response or action.
D is incorrect because URL injection is not an attack type, and is included here as a distractor.
19.  Which Windows-based web security scanner is known for its fuzzy logic code checking?
A.  Nessus
B.  Nikto
C.  Wikto
D.  Sandcat
C. I’ve read the following on several sites about the tool, so I feel confident in repeating it here: Wikto is Nikto for Windows, with a little more added. The development website notes that in addition to everything Nikto offers, Wikto adds extra features such as fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring (http://www.sensepost.com/labs/tools/pentest/wikto).
A is incorrect because Nessus isn’t a “fuzzy logic” scanner and isn’t designed solely for web server efforts. It is one of the most popular vulnerability assessment scanners available and will work well in defining vulnerabilities that may have been overlooked, however.
B is incorrect because Nikto is a Linux/Unix-based web security scanning tool, and doesn’t hold the “fuzzy logic” features of Wikto.
D is incorrect because Sandcat is a pen-test-oriented web browser that’s part of Syhunt’s tool collection (http://www.syhunt.com/). Sandcat Browser includes the following pen-test-oriented features: Live HTTP Headers, Request Editor extension, Fuzzer extension with multiple modes and support for filters, JavaScript Executor extension, Lua Executor extension, SyhuntGelo, PageInfo extension (for viewing page headers and JavaScript objects), Tor extension (for Anonymity), HTTP Brute Force, CGI Scanner scripts, Encoders/Decoders, and more. It’s also freeware and portable, so feel free to play!
20.  HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?
A.  HEAD
B.  PUT
C.  GET
D.  POST
C. An HTTP GET is a method for returning data from a form that “encodes” the form data onto the end of the URI (a character string that identifies a resource on the Web, such as a page of text, a video clip, an image, or an application). Generally speaking, a POST is “more secure” than a GET, although both have their uses. If you’re wondering when a GET should be used as opposed to a POST, the answer has to do with a vocabulary lesson: defining the term idempotent. Thrown about with HTTP GET, idempotent is a mathematical concept about an operation property: if the operation can be performed without changing results, even if it is run multiple times, it’s considered idempotent. So, if the input return is assured of having no lasting effect on the state of the form in total, then using a GET is perfectly reasonable. Also, a GET can usually only transfer up to 8Kb, whereas a POST can usually handle up to 2GB. However, keep in mind it may wind up including sensitive information in that URI. Suppose your form returns a credit card number and a bad guy is logging URIs: if HTTP GET is in place, the attacker may be able to derive the information.
A is incorrect because although HEAD and GET are similar, HEAD is not used in forms. It’s usually used to pull header information from a web server (remember your banner grabbing from earlier?) and to test links.
B is incorrect because HTTP PUT is not used in forms. It’s used to transfer files to a web server.
D is incorrect because POST does not include the form data in the URI request. According to the World Wide Web Consortium (http://www.w3.org/), HTML specifications define the difference between GET and POST so that GET means the form data will be encoded by the browser into a URL, whereas POST means the form data is to appear within the message body. In short, a GET can be used for basic, simple retrieval of data, and a POST should be used for most everything else (such as sending an e-mail, updating data in a database, and ordering an item).
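To make the GET/POST difference concrete, here is an added example (not from the book) that builds both forms of the same submission and checks where a sensitive field ends up. The checkout path, hostname and card number are constructed values.

```python
from urllib.parse import urlencode

# Constructed sample submission (not from the original page): a checkout form
# that carries a card number, the sensitive case the explanation warns about.
FIELDS = {"item": "42", "card": "4111111111111111"}  # constructed test value


def build_request(method: str, path: str, fields: dict) -> tuple[str, dict, str]:
    """Return (request line, headers, body) as a browser submits the form.

    GET encodes the fields into the query component of the URI; POST carries
    the same encoding in the message body and leaves the URI untouched.
    """
    encoded = urlencode(fields)
    if method == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", {"Host": "www.example.test"}, ""
    if method == "POST":
        headers = {
            "Host": "www.example.test",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(encoded)),
        }
        return f"POST {path} HTTP/1.1", headers, encoded
    raise ValueError(f"unsupported form method: {method}")


def logged_target(request_line: str) -> str:
    """What a proxy or web-server access log typically keeps of a request: its target only."""
    return request_line.split(" ")[1]


def leaks_field(method: str, path: str, fields: dict, field: str) -> bool:
    """True if the value of `field` would show up in the logged request target."""
    request_line, _, _ = build_request(method, path, fields)
    return fields[field] in logged_target(request_line)


if __name__ == "__main__":
    for method in ("GET", "POST"):
        line, headers, body = build_request(method, "/checkout", FIELDS)
        print(line, headers, repr(body))
        print(method, "card number visible in logged target:",
              leaks_field(method, "/checkout", FIELDS, "card"))
```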
21.  An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2. He next enters the following URL:
The web page loads normally. He then enters the following URL:
A generic page noting “An error has occurred” appears.
Which of the following is a correct statement concerning these actions?
A.  The site is vulnerable to cross-site scripting.
B.  The site is vulnerable to blind SQL injection.
C.  The site is vulnerable to buffer overflows.
D.  The site is not vulnerable to SQL injection.
B. The URLs shown here are attempting to pass a SQL query through to see what may be going on in the background. Notice the first URL entered added and 1=1. Because this was a true statement, the page loaded without problem. However, changing that to a false statement—and 1=2—caused the database to return an error. This would now be considered “blind” SQL injection because the actual error was not returned to the attacker (instead, he got a generic page most likely configured by the DB administrator). As an aside, sometimes the attacker won’t receive the error message or error page at all, but the site will be displayed differently—images out of place, text messed up, and so on—which also indicates blind SQL injection may be in order.
A and C are incorrect because neither this attack nor the results have anything to do with cross-site scripting or buffer overflows.
D is incorrect because the results indicate SQL injection is possible. Granted, it will take longer, because we can’t see error messaging, and will require lots of guesswork and trial and error, but the site is susceptible.
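The following is an added example (not from the book) that reproduces the symptom in question 21 against a constructed in-memory SQLite table standing in for the store.php backend, and sets the string-built query beside a parameterized one. The table contents, function names and the “empty result means the generic error page” behaviour are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory store table standing in for the page's store.php backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The defect behind the question: the ?id= value is pasted into the SQL text.

    A trailing 'and 1=1' or 'and 1=2' therefore becomes part of the WHERE clause
    and changes the result set instead of being treated as data.
    """
    return conn.execute("SELECT name FROM items WHERE id=" + id_param).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened form: validate the type up front, then bind the value as a parameter.

    Anything that is not an integer is rejected before it reaches the database,
    and the placeholder guarantees the value can never be interpreted as SQL.
    """
    try:
        item_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT name FROM items WHERE id=?", (item_id,)).fetchall()


def page_response(lookup, conn: sqlite3.Connection, id_param: str) -> str:
    """What the visitor sees: the item page, or the generic error page from the question.

    Assumption for this demo: the page has nothing to render when no row comes
    back, so an empty result and a database error both end in the error page.
    """
    try:
        rows = lookup(conn, id_param)
    except sqlite3.Error:
        rows = []
    return "normal" if rows else "error"


def boolean_probe_differs(lookup, conn: sqlite3.Connection, item_id: str) -> bool:
    """Regression check for the symptom in the question: do a true and a false appended
    condition produce different pages? If so, user input is reaching the SQL text."""
    true_case = page_response(lookup, conn, f"{item_id} and 1=1")
    false_case = page_response(lookup, conn, f"{item_id} and 1=2")
    return true_case != false_case
```

With the parameterized lookup both probes fall to the same error page, so the true/false differential the attacker relies on disappears.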
22.  Which of the following are valid methods to harden a web server? (Choose all that apply.)
A.  Ensure patching is kept up to date.
B.  Remove nonessential applications.
C.  Remove or disable nonessential ports and protocols.
D.  Allow remote access via Telnet.
E.  Keep web applications and scripts on the same partition as the operating system.
F.  Use secure coding techniques.
A, B, C, and F. “Hardening” anything—whether a server, end-client machine, network device, or even a printer—is usually a matter of common sense. Keeping patching, hotfixes, and service packs up to date is a no-brainer (being sure to appropriately test before installing, of course). Removing unused applications and disabling ports and protocols clearly reduces your vulnerability footprint. Some items to look at deleting include but are not limited to unnecessary services, files (header files, archives, old text documents), directories, ISAPI filters, user accounts, and protocols.
D is incorrect because Telnet passes everything in the clear, so if you’re going to allow remote access at all, SSH is a better, more secure method.
E is incorrect because keeping these in the same location as the operating system makes no sense at all. The opposite is true—don’t allow a problem or vulnerability with a script or application to corrupt your OS.
23.  An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:
[the text entered in the comment field appears as an image in the original]
What is the attacker attempting to perform?
A.  A SQL injection attack against the blog’s underlying database
B.  A cross-site scripting attack
C.  A buffer overflow DoS attack
D.  A file injection DoS attack
B. This is a classic (an overly simplified, but classic nonetheless) example of cross-site scripting. In a blog, the post entry field is intended to take text entry from a visitor and copy it to a database in the background. What’s being attempted here is to have more than just the text copied—the <script> indicator is adding a nice little pointer to a naughty website. If it works, the next visitor to the site who clicks that news story will see the bad site pop up.
A, C, and D are all incorrect because this example contains nothing to indicate a SQL injection or a buffer overflow. Additionally, the idea here is not to perform a denial of service. Actually, it’s quite the opposite: the attacker wants the site up and operational so more and more users can be sent to badsite.com.
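As an added illustration (not from the book) of why the comment in question 23 works and how it is stopped, here the same stored comment is rendered once by copying it straight into the page and once with output escaping. The comment text and the placeholder hostname are constructed.

```python
import html

# Constructed comment (the book shows the real one only as an image): a script
# tag pointing at a placeholder hostname standing in for the "naughty website".
COMMENT = '<script src="http://badsite.example/x.js"></script>'


def render_comment_unsafe(comment: str) -> str:
    """The blog's bug: stored text is copied into the page as-is, markup and all,
    so the browser of the next visitor parses and executes the <script> tag."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """The fix: escape on output. The characters <, >, &, and quotes become
    entities, so the comment is displayed as text instead of parsed as HTML."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderings."""
    return "<script" in rendered.lower()
```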
24.  An attacker attempts to manipulate an application by advancing the instruction pointer with a long run of instructions containing no action. What is this attack called?
A.  File injection
B.  Stack flipping
C.  NOP sled
D.  Heap based
C. Computer languages usually contain a command most CPUs will recognize as “do nothing.” This No Operation (NOP) instruction serves to advance an instruction pointer to a known memory area. The idea behind it is to provide time for unknown activities to occur until it’s time to execute the main code (avoiding an exception code and a halt to the system or application). For a ridiculously over-simplified example, if you were “coding” a human’s morning routine and wanted them to brush their teeth, you might provide a whole bunch of “do nothings” in front of and behind the “pick up toothbrush, put toothpaste on brush, and so on” steps—to provide space for things you may not be aware of.
When it comes to attacks, hackers will send tons of NOP instructions in an effort to move the pointer to an area they control—and to execute the naughty payload there. This “NOP sled” is relatively easy to see in action, and all IDSs will pick it up.
A is incorrect because file injection occurs when the attacker injects a pointer in a web form input to an exploit hosted on a remote site. There is no file injection occurring in this example.
B is incorrect because the term stack flipping is not a recognized term on the CEH exam and is included here as a distractor.
D is incorrect because a heap-based buffer overflow deals with a buffer overflow specifically aimed at the lower part of the heap, to overwrite dynamic content there.
25.  You are examining website files and find the following text file:
[the robots.txt file appears as an image in the original]
Which of the following is a true statement concerning this file?
A.  All web crawlers are prevented from indexing the listing.html page.
B.  All web crawlers are prevented from indexing all pages on the site.
C.  The Googlebot crawler is allowed to index pages starting with /tmp/.
D.  The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.
D. The robots.txt file was created to allow web designers to control index access to their sites. There are a couple of things you need to know about this file—for your exam and the real world. The first is, no matter what the robots.txt file says, attackers using a crawler to index your site are going to ignore it anyway: it’s only valid for “good-guy” crawlers. After that, the rest is easy: robots.txt is stored on the root, is available to anyone (by design), and is read in order from top to bottom, much like an ACL on a router. The format is simple: define the crawler (User-agent: name_of_crawler), then define what it does not have access to. Most robots.txt files will make use of the “*” wildcard to signify all crawlers, but you can certainly get specific with who is allowed in and what they can see.
In this example, from top to bottom, the Googlebot crawler is defined and restricted from seeing /tmp/ pages—no other restrictions are listed. After that, all other crawlers (User-agent: *) are restricted from seeing any page (Disallow: /). The last two lines are truly irrelevant because the condition to ignore all pages has already been read.
For additional information here, if you think about what a robots.txt file does, you could consider it a pointer to pages you, as an attacker, really want to see. After all, if the security person on the site didn’t want Google indexing it, useful information probably resides there. On the flip side, a security-minded person may get a little snippy with it and have a little fun, sending you to some truly terrible Internet locations should you try to access one of the pages listed there.
A and B are incorrect because the Googlebot crawler is allowed to crawl the site.
C is incorrect because Googlebot is instructed to ignore all /tmp/ pages.
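To work through the top-to-bottom reading the explanation describes, here is an added example (not from the book) that parses a robots.txt and answers “may this crawler fetch this path?”. The file below is constructed to match the one the question describes; the group selection follows the book’s first-match reading and deliberately ignores Allow lines and the longest-match rule that RFC 9309 crawlers also apply.

```python
# Constructed robots.txt matching the one the question describes (the book shows
# it only as an image): Googlebot is kept out of /tmp/, everyone else out of the
# whole site, followed by two lines that can never take effect.
SAMPLE_ROBOTS = """\
User-agent: Googlebot
Disallow: /tmp/

User-agent: *
Disallow: /
Disallow: /listing.html
Disallow: /private/
"""


def parse_robots(text: str) -> list:
    """Read the file top to bottom into ordered (user-agents, disallow-prefixes) groups."""
    groups, agents, rules, seen_rule = [], [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # comments and blank lines carry nothing
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                           # a User-agent after rules opens a new group
                groups.append((agents, rules))
                agents, rules, seen_rule = [], [], False
            agents.append(value.lower())
        elif field == "disallow":
            rules.append(value)
            seen_rule = True
    if agents:
        groups.append((agents, rules))
    return groups


def is_allowed(groups: list, crawler: str, path: str) -> bool:
    """A compliant crawler applies the group naming it, else the '*' group, else no limits.

    Inside the group an empty Disallow restricts nothing; any other value is a
    path prefix, checked in file order, and the first match denies the request.
    """
    name = crawler.lower()
    named = [rules for agents, rules in groups if name in agents]
    wild = [rules for agents, rules in groups if "*" in agents]
    rules = (named or wild or [[]])[0]
    return not any(prefix and path.startswith(prefix) for prefix in rules)
```

Running it shows why D is the answer: Googlebot is refused only under /tmp/, while any other crawler is refused everything, so the two trailing Disallow lines never change a decision.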