SEC542 - Web App Penetration Testing Intro
53 Questions

Questions and Answers

What are the reasons why people are taking this course? (Select all that apply)

  • Attacking web applications is fun (correct)
  • The authors have a unique perspective on web security.
  • Web applications are often neglected in favor of systems and network security initiatives. (correct)
  • Web applications are becoming increasingly vital to business operations and often hold sensitive information. (correct)
  • Web applications are frequently targeted by adversaries for data exfiltration. (correct)

What is the primary use-case of the Sequencer tool?

  • To determine from which origins and endpoints the browser is allowed to load and execute active code.
  • To ensure data is transmitted securely over the network.
  • To determine whether users can access information they are not authorized to access.
  • To identify the current location of the user-agent when a link is followed.
  • To test whether an application's session-generation algorithm is predictable. (correct)

Which of the following are the advantages of the Static Application Security Testing (SAST) method? (Select all that apply)

  • It can miss issues in compiled libraries.
  • It identifies security deficiencies that are not easily apparent in the deployed application. (correct)
  • It requires high-level security skills to identify vulnerabilities.
  • It's often the quickest way to find vulnerabilities.
  • The SAST method is a full-knowledge testing technique because it requires access to source code. (correct)

Which of the following are the disadvantages of the Dynamic Application Security Testing (DAST) method? (Select all that apply)

Answer: It only tests the code that is actually being exposed.

The 'Content-Security-Policy' response header is primarily used to identify potential XSS attack vectors.

Answer: True

Why is the "Target - Scope" tab in Burp Suite important? (Select all that apply)

Answer: It helps prevent accidental overlooking of relevant resources.

What are the purposes of using the "Proxy Intercept" feature in Burp? (Select all that apply)

Answer: To review and edit incoming requests before sending them to the server.

Which of these are the primary responsibilities of a Certificate Authority (CA)?

Answer: To generate certificates to ensure the correct public key is shared.

What are the advantages of using the "Intruder" functionality within Burp Suite Pro? (Select all that apply)

Answer: It requires little to no scripting skill.

Which of the following are among the goals for the Information Gathering section of the WSTG? (Select all that apply)

Answer: To understand the application's functionality and its impact on the web server.

The OWASP Web Security Testing Guide suggests that security testers should prioritize security controls and vulnerabilities testing for high-risk functions, such as wire transfers.

Answer: True

What is the primary use-case of the 'Content Discovery - Spidering' technique? (One word)

Answer: Exploration

A common practice is to use the robots.txt file to hide sensitive content from pentesters.

Answer: False

What are the advantages of manual spidering? (Select all that apply)

Answer: It provides a more complete and detailed overview of the web application.

Automated spidering is the most efficient way to find vulnerabilities in a large web application.

Answer: False

Which of the following tools can be used to discover web server components? (Select all that apply)

Answer: Nmap

It is generally considered acceptable to use the LinkedIn Open Network (LION) to connect with individuals that are not directly related to you, but are connected to individuals connected to you, in order to gain access to information that you cannot access unless you are friends with them.

Answer: True

What are the primary sources of information collected by theHarvester tool?

Answer: Threat intelligence feeds.

Which of the following are the reasons why it is often difficult to use OSINT tools to gather information about systems that are managed by third-party vendors? (Select all that apply)

Answer: These systems may require a login and authentication.

The search operator 'site:example.com' in Google is used to limit the search results to the specified website.

Answer: True

What are the primary use cases of 'dorks' (also known as 'googledorks')? (Select all that apply)

Answer: To identify specific server details as part of a penetration test.

What are the advantages of using an OSINT Suite for penetration testing? (Select all that apply)

Answer: It provides numerous valuable public APIs.

The popularity and relevance of 'dorks' is diminishing today, due to the widespread adoption of new, more secure technologies and frameworks.

Answer: False

The OWASP Web Security Testing Guide (v4.2) is known as the OWASP Testing Guide (OTG) in versions prior to 4.2.

Answer: True

Which of the following are the common ways to discover web server components? (Select all that apply)

Answer: Searching for administrative webpages.

A webserver is expected to support GET and HEAD methods, while support for other methods is considered optional.

Answer: True

What is the purpose of using the -t any option in the dig command?

Answer: To retrieve all record types for a specific domain.

It is generally considered safe to use the nslookup command when attempting to confirm blind command injection.

Answer: True

The 'dnsrecon' tool can be used to perform both brute force and reverse DNS scans.

Answer: True

Which of the following are common use cases of the 'Shodan' tool? (Select all that apply)

Answer: To discover information about the target organization's internal systems.

The 'gowitness' tool is a powerful alternative to the 'Eyewitness' tool and is written in a different language.

Answer: True

What are the key considerations for defining the scope of an application assessment? (Select all that apply)

Answer: To prevent accidental overlooking of relevant resources.

The 'Site Map' feature within Burp is often overlooked by new users.

Answer: True

The 'Filter' feature within Burp Suite is used to remove data from the session and prevent further transmission.

Answer: False

What are the key considerations for choosing a browser to use while conducting web application pen testing? (Select all that apply)

Answer: Ensure it has a user-agent that does not interfere with the testing.

The -X PUT option in the curl command is used to send a PUT request to the server.

Answer: True

The -i option in the curl command is used to display the response headers.

Answer: True

What are the key considerations for testing HTTP methods? (Select all that apply)

Answer: To discover the impact of the HTTP methods on the web application's functionality.

The Allow response header indicates the HTTP methods that are supported by the target web application.

Answer: True

What is the primary purpose of the HTTP Referer header? (Select all that apply)

Answer: To provide information about the previous web page that the user was viewing.

The 'SameSite' attribute is designed to prevent Cross-Site Request Forgery (CSRF) attacks.

Answer: True

Which of the following are the valid values for the 'SameSite' attribute?

Answer: lax

What are the purposes of using the 'Secure' attribute for cookies? (Select all that apply)

Answer: To ensure that the cookie is only transmitted over a secure channel, such as HTTPS.

The 'HttpOnly' attribute ensures that the cookie cannot be accessed by client-side scripting languages, effectively preventing XSS attacks from successfully stealing cookies.

Answer: True

The 'Cache-Control' header is a unidirectional directive, meaning that a directive set in the 'Request' header does not necessarily imply that the same directive will be set in the 'Response' header.

Answer: True

Which of the following are the key functions of using the 'X-Frame-Options' response header? (Select all that apply)

Answer: To prevent framing of the page and protect against Clickjacking attacks.

What are the key principles behind the 'HTTP Strict Transport Security (HSTS)' mechanism? (Select all that apply)

Answer: It ensures that web pages are accessed over an HTTPS connection.

Why is understanding the latest SSL/TLS versions and cipher suites crucial for conducting web application pen testing?

Answer: To ensure that the communication between the client and server is secure.

The 'ssl-enum-ciphers' Nmap script can be used to identify the cipher suites supported by an HTTPS server.

Answer: True

What are the key functions of the HTTP 'X-Frame-Options' response header? (Select all that apply)

Answer: To protect against Clickjacking attacks.

The 'SameSite' attribute is designed to prevent Cross-Site Scripting (XSS) attacks.

Answer: False

Which of the following are common methods or techniques for information gathering during a penetration test? (Select all that apply)

Answer: Using search engines

What are the core functionalities of a web application pen-tester's toolkit? (Select all that apply)

Answer: Attack platform

    Study Notes

    SEC542 - Web Application Penetration Testing and Ethical Hacking

• This course prepares students for the GIAC Web Application Penetration Tester (GWAPT) certification.
• The material covers introduction and information gathering for web application penetration testing.
• The course emphasizes the importance of understanding web applications and how to test their security.
• Many organizations do not prioritize application security, which creates opportunities for attackers.
• Attacking web applications is considered intellectually rewarding and a valuable skill.
• Current web application testing often focuses only on functionality, not security.
• Multiple tools are available to facilitate web application assessments, including penetration testing.
• The NIST National Vulnerability Database (NVD) shows that web applications are a frequent target for attackers.
• The Exploit Database (EDB) details many vulnerabilities for web applications.

    Topic 1: Introduction and Information Gathering

    • The course begins with an introduction to web applications.
    • Key concepts related to the web's structure and functionality are discussed.
    • Information gathering is highlighted as critical in a penetration test, including methods like virtual host discovery.
    • The course uses the OWASP methodology and test techniques.
    • The process of gathering information, including methods like DNS discovery, is emphasized.
    • Methods like website spidering, using tools like Wget, are explained.
    • The course then covers the use of interception proxies, like ZAP and Burp Suite, for a more structured approach to analysis.

    Topic 2: Fuzzing, Scanning, Authentication, and Session Testing

• Techniques for fuzzing, scanning, authentication, and session testing are covered in detail.
• The different methodologies and techniques are described in this section.
• Automated scanning tools as well as manual techniques are covered.

    Topic 3: Injection

    • This section covers various injection techniques used in web application attacks.
    • The different types of injection attacks and their implications are detailed.

    Topic 4: XSS, SSRF, and XXE

• This section covers Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and XML External Entity (XXE) attacks.
• The different types of attacks and their implications are detailed.

    Topic 5: CSRF, Logic Flaws, and Advanced Tools

• This section covers exploiting CSRF and logic flaws, along with advanced tools and technologies used by attackers.
• Different attack types and remediation concepts are explained.

    Topic 6: Capture the Flag (CTF)

    • CTF exercises and demonstrations are typically included to reinforce practical application of learned material.
    • Many CTF challenges and demonstrations are available to aid understanding and solidify knowledge acquisition.

    Additional Topics

• Threat Modeling: Methods for analyzing potential vulnerabilities in web applications.
• Code Review: Techniques used to identify vulnerabilities directly from source code.
• Static Application Security Testing (SAST): Automated static analysis methods for finding vulnerabilities.
• Dynamic Application Security Testing (DAST): Automated testing of running applications.
• Interactive Application Security Testing (IAST): Techniques for security assessment during runtime.
• Out-of-band Application Security Testing (OAST): Testing approaches that rely on out-of-band interactions rather than direct responses.
• OWASP Top 10: A list of frequent web application vulnerabilities and security risks.
• Open Source Intelligence (OSINT): Gathering information about targets from publicly available sources.
• Nmap and other scanning tools: Tools that collect web application data for a deeper and broader analysis.
• The Google Hacking Database (GHDB): Contains many unique search strings (dorks) for finding potential vulnerabilities.
• HTTP: Key functionalities of HTTP requests and responses.
• HTTPS: Details of TLS/SSL and the cryptographic concepts that secure HTTP traffic, including handshakes and cipher suites, and how to assess their strength.
• HTTP headers: User-Agent, Referer, Cookie, and other relevant HTTP headers.
• DNS: Domain Name System for domain and IP address resolution.
• Additional tools: Testssl.sh, etc.


    Related Documents

    SEC542 - Book 1 PDF

    Description

    This quiz focuses on the introduction and information gathering aspects of web application penetration testing as covered in the SEC542 course. Learn about the significance of testing web applications' security and the tools available for effective assessments. This foundational knowledge is critical for aspiring penetration testers.
