CompTIA Security+: Injection Attacks Quiz
Questions and Answers

Structured Exception Handling provides control over what the application should do when faced with a syntax error.

False

Input validation ensures that information received from a user only matches a specific format.

True

Static Analysis involves analyzing and testing a program while it is being executed or run.

False

Dynamic Analysis occurs while a program is being executed or run.

True

Fuzzing is a method to inject randomized data into a software program in an attempt to find system failures.

True

Backdoors are considered a good coding practice and should be utilized in computer programs.

False

Directory Traversal involves accessing authorized directories by moving through the directory structure on a remote server.

False

Arbitrary Code Execution happens when an attacker can execute commands on their own computer.

False

XSRF prevention focuses on preventing Cross-Site Scripting (XSS) attacks.

False

SQL Injection is a technique used to insert malicious SQL queries into input data.

True

Study Notes

Injection Attacks

  • SQL Injection: an attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.
  • SQL Injection can be prevented through input validation and using least privilege when accessing a database.
  • OR 1=1 is a common indicator of an SQL injection.
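As an added example, not part of the quiz or its study notes, the login check below shows how the OR 1=1 pattern changes a query that is built by string concatenation, and how the same input is stopped by the format check the notes describe combined with a parameterized query (a defence this example adds beyond what the notes list). The in-memory table, the user row and the sample input are constructed here.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory database with one user row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # The query text is assembled by concatenation, so quote characters
    # in the input become part of the SQL statement itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_safe(conn, name, password):
    # Input validation: the username must match the expected format.
    if not USERNAME_RE.fullmatch(name):
        return False
    # Parameterized query: values travel separately from the SQL text,
    # so they cannot change the structure of the statement.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0

def looks_like_injection(value):
    # Detection heuristic for the OR 1=1 indicator mentioned in the notes.
    return re.search(r"\bOR\s+1\s*=\s*1\b", value, re.IGNORECASE) is not None

def demo():
    # Constructed input: a quote, the OR 1=1 pattern and a SQL comment.
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "x"),
        "safe": login_safe(conn, payload, "x"),
        "legit": login_safe(conn, "alice", "s3cret"),
        "flagged": looks_like_injection(payload),
    }

if __name__ == "__main__":
    print(demo())
```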

Buffer Overflows

  • A buffer overflow occurs when an attacker fills up the buffer with NOP (no operation) instructions so that an overwritten return address lands somewhere in the run of NOPs and execution slides forward until it reaches the attacker's code.
  • Stack: a reserved area of memory where the program saves the return address when a function call instruction is executed.

Address Space Layout Randomization (ASLR)

  • ASLR is a method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits.

Cross-Site Scripting (XSS)

  • XSS occurs when an attacker embeds malicious scripting commands on a trusted website.
  • Types of XSS include:
    • Stored/Persistent: attempts to get attacker-provided data saved on the web server so that it is later served to victims.
    • Reflected: attempts to trigger a non-persistent effect when a victim clicks a link to the site.
    • DOM-based: attempts to exploit the victim's web browser.
  • XSS can be prevented with output encoding and proper input validation.

Cross-Site Request Forgery (XSRF/CSRF)

  • XSRF occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated.
  • XSRF can be prevented with tokens, encryption, XML file scanning, and cookie verification.

Input Validation

  • Input validation is a process where applications verify that information received from a user matches a specific format or range of values.
  • Examples of input validation include:
    • Static Analysis: reviewing the source code of an application manually or with automatic tools without running the code.
    • Dynamic Analysis: analysis and testing of a program occurs while it is being executed or run.
    • Fuzzing: injecting randomized data into a software program to find system failures, memory leaks, error handling issues, and improper input validation.

Software Vulnerabilities and Exploits

  • Backdoors: code placed in computer programs to bypass normal authentication and other security mechanisms.
  • Directory Traversal: a method of accessing unauthorized directories by moving through the directory structure on a remote server.
  • Arbitrary Code Execution: occurs when an attacker is able to execute or run commands on a victim computer.


Quiz Team

Description

Test your knowledge of injection attacks such as SQL Injection and general injection attacks. Learn about the insertion of code or queries through client input to applications. This quiz covers important concepts for the CompTIA Security+ certification exam.
