Question 1

A variant where the attacker includes malicious script content in data supplied to a site is the __________ vulnerability.

Accepted Answer

The answer of A variant where the attacker includes malicious...

Question 2

The process of transforming input data that involves replacing alternate, equivalent encodings by one common value is called _________.

Accepted Answer

The answer of The process of transforming input data that...

Question 3

__________ attacks are vulnerabilities involving the inclusion of script code in the HTML content of a Web page displayed by a user's browser.
A) PHP file inclusion
B) Mail injection
C) Code injection
D) Cross-site scripting

Accepted Answer

Cross-site scripting (XSS) attacks involve injecting script code into a web page viewed by a user's browser. This can be done through various means, such as input fields or URLs, and can allow an attacker to execute malicious scripts or steal user information. PHP file inclusion, mail injection, and code injection all involve different vulnerabilities related to the inclusion or execution of code, but are not specific to HTML content displayed by a user's browser.

Question 4

In the ________ attack the user supplied input is used to construct a SQL request to retrieve information from a database.

Accepted Answer

The answer of In the ________ attack the user supplied...

Question 5

A _______ attack is where the input includes code that is then executed by the attacked system.
A) SQL injection
B) cross-site scripting
C) code injection
D) interpreter injection

Accepted Answer

A code injection attack is when an attacker inserts their own code into an application or system, which is then executed by the system. SQL injection and cross-site scripting attacks are both types of code injection attacks, but they target specific vulnerabilities in web applications rather than being generic attacks like code injection. Interpreter injection is not a common type of attack.

Question 6

_________ attacks are most commonly seen in scripted Web applications.

Accepted Answer

The answer of _________ attacks are most commonly seen in...

Question 7

Program input data may be broadly classified as textual or ______.

Accepted Answer

The answer of Program input data may be broadly classified...

Question 8

Blocking assignment of form field values to global variables is one of the defenses available to prevent a __________ attack.
A) PHP remote code injection
B) mail injection
C) command injection
D) SQL injection

Accepted Answer

Blocking assignment of form field values to global variables can help prevent PHP remote code injection by limiting the ability of attackers to manipulate global variables that could be used in malicious code execution.

Question 9

The most common variant of injecting malicious script content into pages returned to users by the targeted sites is the _________ vulnerability.
A) XSS reflection
B) chroot jail
C) atomic bomb
D) PHP file inclusion

Accepted Answer

XSS (cross-site scripting) reflection vulnerability is the most common way to inject malicious script content into web pages returned to users by the targeted site. This type of attack works by injecting script code into a URL that is then reflected back to the user in the page's HTML, allowing the attacker to execute arbitrary scripts on the user's computer. The other options listed (chroot jail, atomic bomb, PHP file inclusion) are not relevant to this type of vulnerability.

Question 10

The most common technique for using an appropriate synchronization mechanism to serialize the accesses to prevent errors is to acquire a _______ on the shared file, ensuring that each process has appropriate access in turn.
A) lock
B) code injection
C) chroot jail
D) privilege escalation

Accepted Answer

The most common technique for synchronizing access to shared resources is to use locks to prevent simultaneous access by multiple processes. By acquiring a lock on the shared file, the access is serialized, ensuring that each process has appropriate access in turn. Code injection, chroot jail, and privilege escalation are not relevant to this scenario.

Question 11

Two key areas of concern for any input are the _______ of the input and the meaning and interpretation of the input.

Accepted Answer

The answer of Two key areas of concern for any...

Question 12

The intent of ________ is to determine whether the program or function correctly handles all abnormal inputs or whether it crashes or otherwise fails to respond appropriately.
A) shell scripting
B) fuzzing
C) canonicalization
D) deadlocking

Accepted Answer

The intent described in the question is best associated with fuzzing, which involves feeding unexpected and abnormal inputs to a program to test its robustness and ability to handle errors without crashing or failing. Shell scripting involves automating repetitive tasks using shell commands, canonicalization involves ensuring that input data is in a standardized format, and deadlocking refers to a scenario where multiple processes are blocked and unable to proceed due to resource allocation issues. None of these options relate directly to the intent described in the question.

Question 13

A number of widely used standard C _________ compound the problem of buffer overflow by not providing any means of limiting the amount of data transferred to the space available in the buffer.

Accepted Answer

The answer of A number of widely used standard C...

Question 14

_________ are a collection of string values inherited by each process from its parent that can affect the way a running process behaves.
A) Deadlocks
B) Privileges
C) Environment variables
D) Race conditions

Accepted Answer

Environment variables are a collection of string values inherited by each process from its parent that can affect the way a running process behaves. These variables provide a way to communicate information between processes and allow customization of behavior without the need to modify code. Deadlocks, privileges, and race conditions are all different concepts related to concurrency and operating systems but are not directly related to environment variables.

Question 15

"Failure to Preserve SQL Query Structure" is in the __________ CWE/SANS software error category.

Accepted Answer

The answer of "Failure to Preserve SQL Query Structure" is...

Question 16

__________ programming is a form of design intended to ensure the continuing function of a piece of software despite unforeseeable usage of the software.

Accepted Answer

The answer of __________ programming is a form of design...

Question 17

A ________ is a pattern composed of a sequence of characters that describe allowable input variants.
A) canonicalization
B) race condition
C) regular expression
D) shell script

Accepted Answer

A regular expression is a pattern composed of a sequence of characters that describe allowable input variants. It is commonly used in programming to validate input, search for and replace text, and other text-processing tasks. A regular expression can also be referred to as a regex or regexp.

Question 18

A _________ attack occurs when the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server.
A) command injection
B) SQL injection
C) code injection
D) PHP remote code injection

Accepted Answer

Command injection occurs when an attacker injects malicious code into a command that is executed by the system. This can allow the attacker to execute unauthorized commands and gain access to sensitive data or take control of the system. SQL injection and code injection are also types of injection attacks, but they are not specific to commands executed by web servers. PHP remote code injection is a specific type of code injection that targets PHP web applications.

Question 19

Program _______ refers to any source of data that originates outside the program and whose value is not explicitly known by the programmer when the code was written.

Accepted Answer

The answer of Program _______ refers to any source of...

Question 20

A stead reduction in memory available on the heap to the point where it is completely exhausted is known as a ________.
A) fuzzing
B) deadlock
C) memory injection
D) memory leak

Accepted Answer

A memory leak is a situation where a program dynamically allocates memory from the heap, but fails to release it back to the operating system when it is no longer needed. As a result, the amount of available memory on the heap steadily decreases until it is completely exhausted, leading to a crash or system failure. Fuzzing is a technique used to discover vulnerabilities by feeding inputs to a program in an automated and randomized way. Deadlock occurs when two or more processes are unable to continue execution because they are waiting for each other to release resources. Memory injection is a technique used to modify the behavior of a program by injecting code or data into its memory space. While memory injection can be used to trigger memory leaks, it is not a specific term for a gradual loss of memory on the heap.

Quiz 11: Software Security

A variant where the attacker includes malicious script content in data supplied to a site is the __________ vulnerability.

The process of transforming input data that involves replacing alternate, equivalent encodings by one common value is called _________.

__________ attacks are vulnerabilities involving the inclusion of script code in the HTML content of a Web page displayed by a user's browser.

In the ________ attack the user supplied input is used to construct a SQL request to retrieve information from a database.

A _______ attack is where the input includes code that is then executed by the attacked system.

_________ attacks are most commonly seen in scripted Web applications.

Program input data may be broadly classified as textual or ______.

Blocking assignment of form field values to global variables is one of the defenses available to prevent a __________ attack.

The most common variant of injecting malicious script content into pages returned to users by the targeted sites is the _________ vulnerability.

The most common technique for using an appropriate synchronization mechanism to serialize the accesses to prevent errors is to acquire a _______ on the shared file, ensuring that each process has appropriate access in turn.

Two key areas of concern for any input are the _______ of the input and the meaning and interpretation of the input.

The intent of ________ is to determine whether the program or function correctly handles all abnormal inputs or whether it crashes or otherwise fails to respond appropriately.

A number of widely used standard C _________ compound the problem of buffer overflow by not providing any means of limiting the amount of data transferred to the space available in the buffer.

_________ are a collection of string values inherited by each process from its parent that can affect the way a running process behaves.

"Failure to Preserve SQL Query Structure" is in the __________ CWE/SANS software error category.

__________ programming is a form of design intended to ensure the continuing function of a piece of software despite unforeseeable usage of the software.

A ________ is a pattern composed of a sequence of characters that describe allowable input variants.

A _________ attack occurs when the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server.

Program _______ refers to any source of data that originates outside the program and whose value is not explicitly known by the programmer when the code was written.

A stead reduction in memory available on the heap to the point where it is completely exhausted is known as a ________.