Define footprinting
Find out more about structure of target
Find out individual computers of target
Involves relatively high amount of manual work
Check if target candidates are actually alive and reachable
Into which classes are instructions grouped?
Load/Store
Loops
Continuation
Comparison
Arithmetic
Define verification in reconnaissance
Define a command injection
An injection attack wherein an attacker can execute malicious SQL statements
A type of computer security vulnerability typically found in web application
An attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application
Define OWASP
Open Web Application Security Program
Open Wide Application Security Program
Open Wide Application Security Project
Open Web Application Security Project
When is command injection possible?
User input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is unexpectedly executed
An application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell
Relies on Social Engineering in order to trick the victim into executing malicious JavaScript code into their browser
How does an interpreter work?
Translates source code into some efficient intermediate representation and immediately executes this
Describes sequences of executable instructions that do not necessarily constitute an executable file
Transforms source code written in a programming language into another computer language
Parses the source code and performs its behavior directly
Find the appropriate types of interpreters
Matlab
Bash
Ruby
Python
What does register “rip” store?
Condition flags
Program counter
Frame pointer
Stack pointer
Which of the following GDB commands puts breakpoints at the beginning of the program?
b N
b +N
b main
into break
Which of the following GDB commands puts a breakpoint N lines down from the current line?
N
fn
+N
Disassembling
Preserves a symbol table entry
The process of recovering assembly from machine code
The process of deallocating arguments on the stack
All of the above
Callee:
all of the above
procedure invoked by another function
code that invokes a procedure
deallocates arguments on stack after return
Caller:
registers that must not be clobbered
none of the above
Give the description of Mem(rsp) ← Succ(rip)
store successor
pop successor into rip
jump to address
jump to successor
Distinction between jumps and calls
there is no distinction between jumps and calls
jumps simply transfer control with no side effects, calls used to implement procedures
jumps used to implement procedures, calls simply transfer control with side effects
jumps simply transfer control with side effects, calls used to implement transfers
Distinction between direct and indirect transfers
direct transfers use relative offsets, indirect transfers are absolute
direct transfers are absolute, indirect transfers use relative offsets
direct transfers use fixed offsets, indirect transfers are not absolute
direct transfers are not absolute, indirect transfers use fixed offsets
Standards (calling conventions) exist for:
specify the caller and callee’s responsibilities
specify where arguments are passed (registers, stack)
Select all possible ways to protect the stack
stack canaries
memory safe languages, such as Java, C#
using strcpy instead of strncpy
address space layout randomization
non-executable flag
What are requirements of stack canaries (i.e. cookies)?
Large domain
Small domain
Randomness
Replicativeness
Which one of the following is true about the UID key?
Derived from user passcode
Prevents offline attacks
Can only be used while the phone is running
Ensures passcode key is unique for different devices even if passcode is the same
Which of the following is false for provisioning?
Device allows apps signed by owner’s key to run according to the installed profile
Apple signs a provisioning profile that references developer certs
Users install provisioning profile
Apple signs certificates provided by developers
Which of the following refers to Android components?
ContentProvider
Activity
Service
BroadcastReceiver
How many Android malware categories are represented?
2
3
4
5
6
Which of the following is right about mobile device challenges?
Limited user input capabilities
Mobile devices are at lower risk of confidentiality breaches
Difficult to perform pre-boot authentication
More difficult to lose or steal a phone than a desktop
Define PBKDF2
Password-Based Key Demonstration Function
Password-Based Key Derivation Function
Password-Based Key Derivation Formula
Password-Based Key DemonstrationFunction (this is really how it appears)
What are the challenges that mobile devices present?
Unlimited user input capabilities
Uses touch-screen instead of keyboards
Select all of iOS Data Protection classes
File is protected, only accessible when device unlocked
File is not protected
File is protected, accessible after device unlocked
File is protected until user passcode entered
Select all of libc’s unsafe functions that were removed in bionic.
strcpy
strncpy
gets
strcat
When is the code signature of capabilities validated in iOS?
during kill
during installation
during start up
at run time
Why do we care about Web Application Security? Choose all that apply.
Logs can be easily deleted
Widely deployed
Easy to detect
No encryption used
OWASP is a community dedicated to enabling organizations to maintain applications that can be trusted, and stands for:
Online Web Application Security Project
Online Web Application Security Principles
Open Web Application Security Principles
Open Web Application Standards Project
Application authentication functions are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
Injection
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
This attack occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
Sensitive Data Exposure
Insecure Direct Object References
Unvalidated Redirects and Forwards
Missing Function Level Access Control
If a vulnerable library, framework, or any other software is exploited, such an attack can facilitate serious data loss or server takeover.
Using Components with known vulnerabilities
Assume that your Web application stores information about many bank accounts. Which threat is your application vulnerable to if you can manipulate the URL of an account page to access all accounts?
Insecure Direct Object Reference
Cross-site scripting
Cross-Site Request Forgery
Which of the following input sources can be directly controlled by a malicious user?
GET/POST parameters
Window.location
Server code
Server configuration files
Ports
What should you do before passing credentials over the network?
Use Secure Socket Layer Connection
Replace the credentials with a cryptographic salt and hash
Share the credentials with the client
Accept session IDs from URLs
Use persistent cookies to manage session IDs
What is an interpreter?
a computer program that compiles executions, instructions
a computer program that directly executes, i.e. performs, instructions written in a human language, without previously compiling them into a machine language program
a computer program that directly executes, performs, instructions written in a programming or scripting language, without previously compiling them into a machine language program
a computer program that directly executes, performs, instructions written in a programming or scripting language after compiling them into a machine language program
Reconnaissance methods are
Intelligence gathering
Fingerprinting
Verification
Banner grabbing
Which phase of reconnaissance is important in the sense that if you make a mistake in this phase you may never find the vulnerable part of the system?
Intelligence Gathering
Fingerprinting
Footprinting
It is known that the core principle of port scanning is: send a packet and then check the response. During a SYN scan, what response implies that the port is open?
ACK
SYN
RST
Many eCommerce businesses utilize third-party payment providers to store credit card information for recurring billing. This offloads the burden of keeping credit card numbers safe. It corresponds to the following rule:
Use strong approved Authenticated Encryption
Only store sensitive data that you need
Follow applicable regulation on use of cryptography
Ensure that any secret key is protected from unauthorized access
How to prevent “Sensitive Data Exposure”?
Enable caching for pages that contain sensitive data
Restrict character set used for password
Enable autocomplete on forms collecting sensitive data
Don’t store sensitive data unnecessarily
Storage encryption should add an additional layer of protection that will continue protecting the data even if an attacker subverts the database access control layer. It corresponds to the following rule:
Ensure that the cryptographic protection remains secure even if access control fails
What is defined by key lifecycle?
The lifecycle will specify when data must be rekeyed
The lifecycle will specify when a key should no longer be used for decryption
The lifecycle will specify when a key should no longer be used for encryption
All of them
A site simply doesn’t use SSL for all authenticated pages. An attacker simply monitors network traffic (like an open wireless network) and steals the user’s session cookie. The attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data. This attack scenario belongs to
Cross-Site Request Forgery CSRF
Cross Site Scripting XSS
The password database uses unsalted hashes to store everyone’s password. A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes. This attack scenario belongs to
Cross Site Scripting
A web application is vulnerable to ‘Sensitive Data Exposure’ if:
Proper key management or rotation missing
Browser security directives or headers missing when sensitive data is provided by /sent to the browser
Sensitive data transmitted in clear text, internally or externally
Which statements are part of DML in SQL?
DELETE
INSERT
SELECT
CREATE
DROP
What are the most popular things an attacker can do with a stack vulnerability?
Change the control flow of the program
Report the bug to a developer of the program
Overflows the stack to throw segmentation fault
Rewrite the program variable values
Inject a new functionality to the program
Low-level languages like C/C++ are not memory-safe. Which of the following statements is true? (1) Programmers can directly manipulate pointers (2) Memory accesses are not bounds-checked for validity
none of them
both of them
only 2
only 1
What are the potential targets of a stack overwrite attack? (1) User data (2) Instruction pointers (3) Frame pointers
all of them
only 1 and 3
only 1 and 2
What are the requirements for running a payload in the stack? (1) Payload should not contain ZEROS (2) Stack should be non-executable (3) Payload size should be smaller than buffer size
1, 2
1,3
1
all
What are the potential targets of a stack overwrite attack?
User data
Instruction pointer
Procedure arguments
Frame pointers
What are the requirements for running a payload in the stack?
Payload size should be smaller than buffer size
Stack should be non-executable
Payload should use libc library
Payload should not contain ZEROS
Which of the following does not refer to the OWASP?
Cross-Site Request Forgery
Using Unknown Vulnerable Components
Which of the following provides API for accessing browser state and frame content?
Document Object Model
Structured Query Language
JavaScript Object Notation
ActionScript
JavaScript
What are the ways to insert JavaScript code into an HTML page? Select all that apply
Embedded
Inline
External
What kind of protection mechanisms exist against XSS attack?
HttpOnly
Secure Socket Layer (SSL)
Output Sanitization
Firewall
Input Validation
When and by whom were stack cookies proposed?
Cowan, 1996
Cowan, 1998
Vaughan, 1998
Which of the following refers to defenses for memory corruption
Stack canaries
Safer libc functions
Random canaries
Heap canaries
Which of the following properties are required in stack cookies?
Random
Sequence
If attackers cannot inject an executable exploit payload, what does one do?
Jump-oriented programming
Return-oriented programming
Reuse existing code
Return-into-libc
What is the purpose of using ASLR?
Recognize the names of the addresses
Recognize the locations of the addresses
Randomize the locations of the addresses
Randomize the names of the addresses
Define ASLR
Address security layout randomization
Address space layout randomization
Application space layer randomization
Application space layout randomization
Which of the following is true about ASLR?
Transparent to safe applications
Very little overhead
Requires program recompilation
Randomizing at process creation
Which of the following ideas about stack cookies were proposed by Cowan?
Before returning, check the value against the original
Guard sensitive data, including the saved IP, with a copy of a secret value
If there is a difference, assume something bad has happened and terminate
If there is a difference, assume something good has happened and terminate
Which of the following does not refer to the cryptographic storage rules?
Store a one-way and salted value of passwords
Save all your data
How many types of XSS exist?
Which of the following type does not refer to XSS?
Reflected
Stored
MOM based
DOM based
Define reflected XSS
Attacker submits malicious code to server
Code included in page rendered by visiting link
Victim accesses page that includes stored, injected code
App (server-side) persists code
Which of the following is false about stored XSS?
Which of the following does not refer to protection against XSS attacks?
Procedure integrity
XSS Filter
HTTP Only
How many classes exist in document integrity?
A direct object reference occurs when a developer exposes a reference to
Internal implementation object
File
Directory
Database key
Even “secure” websites that use SSL just accept the requests that arrive through the encrypted tunnel without security
If the parameters are under control of the user and are not properly sanitized, the user can inject their own commands into the interpreter
Injection flaws occur when an application sends trusted data to an interpreter
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key
Injection flaws occur when an application sends untrusted data to an interpreter
Injection flaws occur when an application sends untrusted data to a compiler
Is the following statement true about Insecure Direct Object Reference “With an access control check or other protection, attackers can manipulate these references to access unauthorized data.”
Is the given statement true about Missing Function Level Access Control “Applications need to perform the same access control checks on the server when each function is accessed”
Stack grows downwards. Stack is data segment for function-local data, dynamic data and text data.
Memory can distinguish between different types of variable by using flags
Compilers translate code from a higher level to a lower level
Control transfers change control flow of programs
Marking the stack with the non-executable flag prevents all types of stack attacks
Protecting stack with canary may leak sensitive information
Mobile devices are at a lower risk of confidentiality breaches
Mobile devices present unique challenges
iOS provides an API for encrypting stored files
Device ID (UID) in iPhone can be used when the phone is turned off.
Brute-force mitigations that are implemented in the UI cannot be escaped
It is possible to dynamically sign the code in iOS
When implementing an authentication or session system, you should ensure that new session IDs are not created at login
It is possible to run an operating system shell command inside a web site
Recursive sweep begins at an address and continues sequentially until the buffer is exhausted
Developers can protect the web application by filtering out malicious input
The verification phase during reconnaissance involves a high amount of manual work
Zone transfer is about copying original DNS data to different DNS Server
strcpy() performs no bounds-checking, relying instead on finding a terminating null character in the source string
If the keys are stored with the data then any compromise of the data will easily compromise the keys as well. Unencrypted keys should never reside on the same machine or cluster as the data.
SQL DML is used to manipulate records in tables
It is possible to protect web application from SQL injection by filtering out single and double quotes
It is not possible to inject complex SQL statements as a part of an attack, except SELECT statements
A NOP sled is a special instruction which tells the OS that the program has a payload, and it should directly run it.
It is not possible to inject new code to the stack
JavaScript uses strongly typed primitives to provide basic functionality
Cross Site Scripting attack is the result of running code from untrusted origin
Is the given statement true about non-executable data? “If the attacker can take over control flow but cannot execute a payload, attacks become more difficult”
Is the following statement true about Instruction Set Randomization? Does not require a large degree of support from underlying layers
Is the given statement true about XSS “running code from a trusted origin”
In reflected XSS the code is included as a part of malicious link
Is the given statement true about the HttpOnly attribute? “Specifies that the cookie should be exposed via document.cookie”
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application
Intelligence Gathering involves a relatively high amount of manual work
Which functions are most vulnerable to stack overflow attacks?
Strcat()
Strcpy()
Gets()
Scanf()
What will be the result if we run print "a"x300; as the argument for the given code?
#include <stdio.h>
#include <string.h>
/* Deliberately unsafe: strcpy copies argv[1] into a 256-byte buffer without a bounds check */
int main(int argc, char **argv) { char buf[256]; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; }
Error
0
Ax300 times
Ax256 times, 0x44 times
The consequences of arbitrary code execution
a. Nothing happens
b. Can obtain administrative privileges
c. Privilege escalation
d. The attacker is able to take control of the execution flow of a program
What is a buffer?
a. A situation where a running program attempts to write data outside the memory buffer which is not intended to store this data
b. A buffer is simply a contiguous block of computer memory that holds multiple instances of the same data type
c. Portion of the memory allocated for storing program data such as variables
d. The program that wants to overwrite the memory
Why does stack overflow attack occur?
a. Programmers can directly manipulate pointers
b. Memory accesses are checked
c. Memory accesses are not bounds-checked for validity
d. Programmers cannot directly manipulate pointers
When was the stack overflow attack introduced?
1970
1980
1989
1978
Which is not going to be randomized in ASLR?
a. Library
b. Text
c. Heap
d. Stack
Which is going to be randomized in ASLR?
Why is the stack canary effective in protecting against overflow attacks?
a. Canary stack has to check variables
b. Stack canary might be reused
c. Stack canary is the constant value
d. Canary stack corrupts the executed code, then instruction will have an ability to set to the next
How many types of attack exist?
Define an active attack
a. The attacker can monitor and can do recognition of the target
b. The Attacker attempts to alter system resources or destroy the data
c. The Attacker attempts to gain information from the system without destroying the information
d. The Attacker can change the data
Define a passive attack
a. The Attacker attempts to gain information from the system without destroying the information
b. The Attacker can change the data
c. The Attacker attempts to alter system resources or destroy the data
d. The attacker can monitor and can do recognition of the target
Which of the following attacks refer to the active attack?
a. Overflow
b. DoS
c. Man in the middle attack
d. Eavesdropping
Which of the following attacks refer to the passive attack?
a. Idle attack
b. DoS
c. Overflow
d. Port scanner
What kind of attack is this? You would like to send some requests to kaspi.kz, but an attacker forwards your request to a fake kaspi.kz
a. DoS
b. Eavesdropping
c. Address spoofing
What does ARP-based filtering mean?
a. Sniffing packets between two hosts on a switched network
b. Filtered packets by IP address
c. Sniffing packets from a user to all hosts
d. Filtered packets by MAC address
What does Public ARP-based filtering mean?
a. Sniffing packets from a user to all hosts
b. Sniffing packets between two hosts on a switched network
c. Filtered packets by IP address
Which of the following attacks refer to the passive attack?
Port Scanner
No answer
What are the most popular things an attacker can do after exploiting a stack vulnerability?
a. Change the control flow of the program
b. Report the bug to a developer of the program
c. Overflows the stack to throw segmentation fault
Which of the following properties are required in stack cookies?
a. No correct answer
b. Small domain
c. Sequence
d. Random
Which of the following is false about ASLR?
a. Requires program recompilation
b. Transparent to safe applications
c. Randomizing at process creation
d. Very little overhead
Which of the following does not refer to the consequences of arbitrary code execution?
a. The attacker is able to take control of the execution flow of a program
b. Nothing happens
c. Can obtain administrative privileges
d. Privilege escalation
What are the most popular things an attacker can do after exploiting a stack vulnerability?
a. Inject a new functionality to the program
b. Overflows the stack to throw segmentation fault
c. No correct answer
d. Report the bug to a developer of the program
e. Rewrite the program variable values
Which of the following is not a way to protect the stack?
a. Address Space Layout Randomization
b. Memory safe languages, such as Java, C
c. Using strcpy instead of strncpy
d. Non-executable Flag
Which of the following ideas is false about stack cookies as proposed by Cowan?
a. Before returning, check the value against the original
b. If there is a difference, assume something bad has happened and terminate
c. Guard sensitive data, including the saved IP, with copy of a secret value
d. If there is a difference, assume something good has happened and terminate
Disassembling is
a. All the above
b. Preserves a symbol table entry
c. The process of recovering assembly from machine code
d. The process of deallocating arguments on the stack
e. None of the above
Define the given attack type
Username = Emmanuel Passwords = 1234567, qwertz, asdfgh, abcd, .... [pet names], [birthdays], [car names], [dictionary]...
a. Session spotting
b. Replay attack
c. Brute force
d. Session fixation attack
What is a normal Brute Force attack?
a. For one username attackers test one password
b. For one password attackers test many user names
c. For one username attackers test many passwords
d. All the above mentioned
Define Reverse Brute Force
a. For one password attackers test many user names
b. All the above mentioned
c. For one username attackers test many passwords
d. For one username attackers test one password
Check OWASP vulnerabilities
a. Using Known Vulnerable Components
b. Missing Function Level Access Control
c. Security Misconfigurations
d. Password Management
OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
Which of the following is true about the risks of Broken Authentication and Session Management?
a. Identity
b. Theft
c. None of them
d. Undermine authorization and accountability controls, causing privacy violations
Which of the following is true about footprinting?
a. Less technical information, but important
b. Involves relatively high amount of manual work
c. Get as many plausible candidates as possible
d. NS (name server) / MX (mail exchange) records
Reconnaissance may start with just one piece of information
Which of the following approaches refer to Verification?
Application Fingerprinting
Ping Sweep
Port Scanning
OS Fingerprinting
Attacker creates a session on a web site -> Attacker sends this Session ID to the victim -> Targeted Web site receives the request from the victim
a. Brute Force Attack
b. Session Fixation Attack
c. Session Spotting
d. Replay Attack
Guessing a person’s username and password, credit-card number or cryptographic key refers to
a. Replay Attack
b. Brute Force Attack
c. Session Fixation Attack
What is the verification phase in reconnaissance?
a. Check if the target candidates are actually alive and reachable
b. Find out more about structure of target
c. All the above mentioned
d. Find out individual computers of target
Which of the following is true about intelligence gathering objectives?
a. Checks if results are plausible and tests them
b. Less technical information, but important
c. Involves relatively high amount of manual work
d. Extends scope of security analysis, may reveal new parts of target
e. Gets as many plausible candidates as possible
Which of the following is the best way of protecting against overflow attacks?
a. ASLR
b. Write code without vulnerabilities
c. Stack canaries
d. Non executable code
What does this case mean? An attacker’s target should be accessible
a. Must be associated to target
c. Must be confidential
d. Must be able to attack it
What does this case mean? An attacker’s target should be relevant
a. Must be confidential
b. Must be associated to target
c. Must be able to attack it
d. All the above mentioned
Why does a stack overflow attack occur here?
a. The strcpy() function does not perform a bounds check
b. The strcpy library is not included
c. Works correctly
d. More data than expected is copied to the “source” variable
What does it mean?
a. Buffer allocation
b. Return the value
c. Saves to rbx
d. Call the function
Which of the following vulnerabilities are NOT listed in OWASP Top 10? Choose all that apply.
Social Engineering
Unvalidated Redirects and Forwards
Security Misconfiguration
Unvalidated password difficulty
What flaw arises from session tokens having poor randomness across a range of values?
a) Session Hijacking
b) Session Replay
c) Session Fixation
d) Insecure Direct Object References
e) Forwarding system functionality
Find the best countermeasures to solve an Insecure Direct Object Reference attack. Choose all that apply.
Properly validate cookie data, URL parameters, all HTML form data
Use reasonable session timeouts
Use secure randomly generated session keys to make prediction impossible
Architect your application to check if the data is encrypted with every request
Do not expose internals to the user
Define intelligence gathering
Injection flaws occur when an application sends trusted data to a compiler