Tag: security

Questions Related to security

Web Service interfaces are prone to which of the following standard web application attacks ?
technology security

  1. SQL Injection

  2. Denial of Service

  3. XML Injection

  4. All of the above

Show answer
Correct Option: D
Explanation:

To answer this question, the user needs to have knowledge of common web application attacks and their impact on web services.

Now, let's go through each option and explain whether it is right or wrong:

A. SQL Injection: This type of attack targets the database layer of the application and is not specific to web service interfaces. However, if a web service is accessing a database and is not properly secured against SQL injection attacks, then the web service can be compromised. Therefore, SQL injection can be a threat to web services but is not specific to them.

B. Denial of Service: This type of attack floods the target with traffic or requests, making it unavailable to legitimate users. Web services are often targeted by denial of service attacks because they are critical components of many applications. Therefore, denial of service attacks are a threat to web services.

C. XML Injection: This type of attack exploits vulnerabilities in the way XML data is processed by an application. Although web services often use XML to exchange data, XML injection is not specific to web services. However, if a web service is not properly secured against XML injection attacks, then it can be compromised. Therefore, XML injection can be a threat to web services but is not specific to them.

D. All of the above: This option is correct because all of the attacks listed (SQL injection, denial of service, and XML injection) can be a threat to web services. Web service interfaces are exposed to the same attacks as other web applications and must be secured accordingly.

The Answer is: D

Which of the following method would be proper to use when encrypting personal information
technology security

  1. XOR'ing with a cryptographically secure random number

  2. Triple DES

  3. DES-CBC 56bits

  4. Salted hash with a cryptographically secure random number

Show answer
Correct Option: B

A race condition in a web server can cause …
technology security

  1. Resources to become unavailable to legitimate users

  2. Cross Site Tracing

  3. Server Instability

  4. Both A and B

Show answer
Correct Option: C

In which type of language can Buffer over flows occur?

technology security

  1. Pure C++

  2. Any file type on a web server

  3. Pure C#

  4. Pure Java

Show answer
Correct Option: A

Cross Site Scripting is an attack against
technology security

  1. Client (Browser)

  2. Database

  3. Web Application

  4. Web Server

Show answer
Correct Option: A

Which cookie flag, when set, will prevent their transmission over non secure channel?
technology security

  1. Secure

  2. Domain

  3. Expires

  4. Static

Show answer
Correct Option: A
Explanation:

To solve this question, the user needs to know the purpose of cookie flags and how they are used to control cookie behavior.

A. Secure: This option is correct. When the "Secure" flag is set for a cookie, it instructs the browser to only send the cookie over a secure (HTTPS) connection. This prevents the cookie from being transmitted over an insecure (HTTP) channel where it could potentially be intercepted by an attacker.

B. Domain: This option is incorrect. The "Domain" flag is used to specify the domain(s) to which the cookie should be sent. It does not affect whether or not the cookie is transmitted over a secure channel.

C. Expires: This option is incorrect. The "Expires" flag is used to set an expiration date/time for the cookie. It does not affect whether or not the cookie is transmitted over a secure channel.

D. Static: This option is incorrect. There is no "Static" flag for cookies.

Therefore, the answer is: A. Secure

The main risk to a web application in a cross site scripting attack is …
technology security

  1. Compromise of users

  2. Loss of data integrity

  3. Destruction of data

  4. None of the above

Show answer
Correct Option: A

Out of the following which can be considered as user input for which validation is not required

technology security

  1. Host Header

  2. Cookie

  3. Referrer Header

  4. None of the above

Show answer
Correct Option: D

AI Explanation

To answer this question, we need to understand the concept of user input and validation.

User input refers to any data or information provided by a user through various means, such as form inputs, headers, or cookies. Validation, on the other hand, is the process of ensuring that user input meets certain criteria or constraints, such as data type, length, format, or range.

Now, let's go through each option to determine if validation is required or not:

Option A) Host Header - The Host header is part of the HTTP request and contains the domain name of the server the request is sent to. Although the Host header is typically used for routing requests, it can also be manipulated by users. Therefore, validation may be required to ensure that the Host header contains a valid domain name and is not being used for malicious purposes.

Option B) Cookie - Cookies are small pieces of data stored on the user's computer by a website. They can contain various types of information, such as user preferences or session identifiers. Since cookies can be manipulated by users or intercepted by attackers, it is important to validate the contents of cookies to ensure their integrity and prevent security vulnerabilities.

Option C) Referrer Header - The Referrer header is part of the HTTP request and contains the URL of the webpage that referred the user to the current page. While the Referrer header can provide useful information for analytics or tracking purposes, it can also be manipulated by users or attackers. Therefore, validation may be required to ensure that the Referrer header is not being abused or used for malicious activities.

Based on the explanations above, none of the options (A, B, or C) can be considered as user input for which validation is not required. Therefore, the correct answer is D) None of the above.

It is a leading practice to suppress detailed errors in the following places:

technology security

  1. Web Server configuration files

  2. Application configuration files

  3. Application error handlers

  4. All of the above

Show answer
Correct Option: D

Which of the following is true regarding reverse engineering of compiled Java code
technology security

  1. Java sand box environment provides protection against decompilation

  2. Java is compiled into ELF binaries and cannot be decompiled

  3. Java byte code can always be decompiled, code obfuscators can make the reverse engineering process more time confusing but cannot prevent it

  4. Java is difficult to decompile because the Just-In-Time compiler automatically perform string encryption by default

Show answer
Correct Option: C