IAW302 - MULTIPLE CHOICES, Exams of Advanced Education

IAW302 - MULTIPLE CHOICES STUDY GUIDE

Typology: Exams

2024/2025

Available from 11/20/2024

LectNexus

IAW302 - MULTIPLE CHOICES
1) Which of the following consequences are most likely to occur due to an injection attack? (Choose two.)
A. Spoofing
B. Data loss
C. Denial of service
D. Insecure direct object references - B,C
3) Which of the following scenarios are most likely to cause an injection attack? (Choose two.)
A. Unvalidated input is embedded in an instruction stream.
B. Unvalidated input cannot be distinguished from valid instructions.
C. A Web application does not validate a client's access to a resource.
D. A Web action performs an operation on behalf of the user without checking a shared secret. - A,B
5) Which of the following are the best ways to protect against injection attacks? (Choose three.)
A. Block list
B. Allow list
C. Escaping
D. Memory size checks
E. Validate integer values before referencing arrays - A,B,C
6) Which of the following are most vulnerable to injection attacks? (Choose two.)
A. Session IDs
B. Registry keys
C. Regular expressions
D. SQL queries based on user input - C,D
8) Which mitigation techniques when used in combination can help you strictly define valid input? (Choose two.)
A. Allow list
B. Block list
C. Table indirection
D. Escaping - A,B
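The questions above all turn on one mechanism: unvalidated input lands in an instruction stream (here, SQL text) where the parser cannot tell it from the query's own syntax. The following is an added example, not part of the study guide, showing the vulnerable form, the parameterized form, and table indirection for a sort column that cannot be bound as a parameter. The table, the sample users and the function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo: three users in an in-memory SQLite database.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "user"),
    ("carol", "carol@example.test", "user"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, email, role) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def find_user_vulnerable(conn, name):
    # Unvalidated input is embedded in the instruction stream (the SQL text itself),
    # so the parser cannot distinguish the user's data from the query's own syntax.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Parameter binding keeps the value out of the instruction stream: the driver
    # hands it to the engine as data, so quotes and keywords inside it are inert.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Identifiers such as column names cannot be bound as parameters, so the client
# chooses a key from this allow list and the server maps it to the real identifier
# (table indirection). Anything not in the table is rejected outright.
SORT_COLUMNS = {"name": "name", "email": "email"}

def is_allowed_sort_key(key):
    return key in SORT_COLUMNS

def list_users_sorted(conn, sort_key):
    if not is_allowed_sort_key(sort_key):
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    column = SORT_COLUMNS[sort_key]           # server-chosen text, never client text
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"                   # closes the quote, then an always-true condition
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every row leaks
    print("parameterized:", find_user_safe(conn, payload))     # no such user
    print("sorted:", list_users_sorted(conn, "email"))
```

Run it and the hostile name `' OR '1'='1` returns all three rows from the vulnerable query and none from the parameterized one. The answer keys treat block list, allow list and escaping as peers; in practice parameter binding and an allow list stop the attack outright, escaping is the fallback where a value really must be spliced into the instruction stream, and a block list only catches the payloads someone already thought of.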

  1. Which of the following architecture-level techniques are the best approaches to prevent attacks based on malicious input? (Choose two.) A. Allow list B. Table indirection C. Escaping D. Object class for user input - B,D
  2. Which of the following languages are the primary targets of cross-site scripting? (Choose two.) A. HTML B. SQL C. XSLT D. JavaScript - A,D
  3. Which of the following are the best ways to prevent malicious input exploiting your application? (Choose three.) A. Using allow list B. Using block list C. Using escaping D. Using encryption E. Using table indirection - A,B,C
  4. Which of the following input sources can be directly controlled by a malicious user? (Choose two.) A. window.location B. GET/POST parameters C. Server configuration files D. Ports and network resources - A,B
  5. Which of the following scenarios are most likely to result in broken authentication and session management vulnerabilities? (Choose two.) A. Poorly implemented custom code is used. B. Misconfigured off-the-shelf code is used. C. Unused and unnecessary services, code, and DLLs are disabled. D. The HttpOnly flag is set in cookies. - A,B
  6. Which of the following actions should you take before implementing a custom authentication and session management system? (Choose two.) A. Find out if a suitable framework component already exists.

D. GET/POST parameters - A,B

  1. Which of the following vulnerabilities are most likely to occur due to an insecure direct object reference attack? (Choose two.) A. Executing commands on the server. B. Impersonating any user on the system. C. Modifying SQL data pointed to by the query. D. Modifying data without authorization. E. Accessing a resource without authorization. - D,E
  2. Which of the following are the best ways to mitigate the threat of an insecure direct object reference attack? (Choose two.) A. Use session-based indirection. B. Use POST parameters instead of GET parameters. C. Perform an access check each time a resource identifier arrives as input. D. Send successful logins to a well-known location instead of automatic redirection. - A,C
  3. Which of the following threats are most likely to be caused by poor input validation? (Choose three.) A. Injection B. Cross-site scripting C. Insecure direct object reference D. Insecure cryptographic storage E. Insufficient transport layer protection - A,B,C
  4. Which of the following are the most common results of a cross-site request forgery? (Choose three.) A. Elevation of privilege B. Denial of service C. Spoofing and tampering D. Enabling of IPSec E. Misconfigured or disabled security features - A,B,C
  5. Which of the following are most often associated with a security misconfiguration threat? (Choose two.) A. Unused services B. Default accounts C. Bad cryptography D. Unsafe key storage - A,B
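Both insecure direct object reference mitigations on the answer key above, session-based indirection and an access check every time a resource identifier arrives as input, are shown in this added example (not from the study guide). The document store, the `Session` class, the owner names and the status-code tuples are constructed for the demo; a real application would look the owner up in its database and return an HTTP response.

```python
import secrets

# Constructed sample data: documents keyed by their real database id, with owners.
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-payroll.pdf"},
    102: {"owner": "bob", "title": "bob-notes.txt"},
    103: {"owner": "alice", "title": "alice-contract.pdf"},
}

class Session:
    """Per-user server-side session holding an opaque-token -> real-id map."""
    def __init__(self, user):
        self.user = user
        self._refs = {}

    def reference_for(self, doc_id):
        # Hand the client a random, per-session handle instead of the real key.
        token = secrets.token_urlsafe(8)
        self._refs[token] = doc_id
        return token

    def resolve(self, token):
        return self._refs.get(token)

def handle_vulnerable(session, doc_id):
    # Trusts the identifier from the request: any user can read any document.
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["title"]) if doc else (404, None)

def handle_with_access_check(session, doc_id):
    # Access check on every request that carries a resource identifier.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session.user:
        return (404, None)   # same answer for "missing" and "not yours": no enumeration oracle
    return (200, doc["title"])

def list_my_documents(session):
    # The indirection map is built only from objects this user is entitled to see.
    return {session.reference_for(i): d["title"]
            for i, d in DOCUMENTS.items() if d["owner"] == session.user}

def handle_by_reference(session, token):
    # Session-based indirection: the client never sees or sends a real id.
    doc_id = session.resolve(token)
    if doc_id is None:
        return (404, None)
    return handle_with_access_check(session, doc_id)   # defense in depth: re-check ownership

if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable, bob asks for 101:", handle_vulnerable(bob, 101))        # alice's file
    print("checked, bob asks for 101:", handle_with_access_check(bob, 101))    # 404
    refs = list_my_documents(bob)
    print("bob's references:", refs)
    print("by reference:", handle_by_reference(bob, next(iter(refs))))
```

Indirection alone is enough only if the map is built strictly from objects the user may see, which is why `handle_by_reference` still runs the owner check after resolving the token; the extra lookup is cheap. Returning the same 404 for "missing" and "not yours" keeps the identifier space from being enumerated.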
  1. Which of the following are the best ways to reevaluate your environment and address new threats? (Choose two.) A. Add or remove network segments. B. Apply the latest service packs, patches, hotfixes, and updates. C. Use custom cryptographic algorithms. D. Use your browser to forge unauthorized requests. - A,B
  2. Which of the following procedures are involved in the hardening process? (Choose two.) A. Disable unnecessary features. B. Review all settings/configurations. C. Repeat the process at random intervals. D. Update the environment with changes only when needed. - A,B
  1. Which of the following consequences are most likely to result if your production environment does not match your development, testing, and staging environments? (Choose two.) A. Your application may not work as expected. B. Your application may not authenticate users as expected. C. Your application may be expensive to administer. D. Your application may have too many configuration files. - A,B
  2. Which of the following can result in insecure cryptography? (Choose two.) A. Unsalted hash B. Unused services C. Default accounts D. Failure to rotate keys - A,D
  3. Which of the following are most likely to result in insecure cryptography? (Choose two.) A. Custom cryptographic algorithms B. Unsalted hash C. New products D. Missing patches - A,B
  4. Which of the following may result in cryptographic weakness? (Choose three.) A. Poor/weak algorithm choice B. Custom cryptographic algorithms

A. Install IDS B. Enable SSL C. Set the HttpOnly flag on session ID cookies D. Enable IPSec - B,D
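The cryptography questions above name unsalted hashes, custom algorithms and keys that are never rotated. This added example (not from the study guide; the record format, the iteration count and the sample passwords are assumptions for the demo) shows why an unsalted hash is weak, how a per-password salt and a standard slow key-derivation function fix it, and how storing the parameters alongside the digest lets the work factor be rotated later.

```python
import hashlib
import hmac
import os

def unsalted_hash(password):
    # Same password, same digest, for every user and forever: a leaked table can be
    # attacked with precomputed hashes, and identical passwords are visible at a glance.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

ITERATIONS = 100_000   # constructed work factor for the demo; tune it to your hardware

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Random 16-byte salt per password plus a standard, deliberately slow KDF.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: the parameters travel with the digest, so they can be
    # raised later without knowing the password (rotation of the work factor).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def needs_rehash(stored, iterations=ITERATIONS):
    # Call after a successful login: if the record uses an older, weaker work factor,
    # re-hash with the current one and save the new record.
    return int(stored.split("$")[1]) < iterations

if __name__ == "__main__":
    print("unsalted, user 1:", unsalted_hash("hunter2"))
    print("unsalted, user 2:", unsalted_hash("hunter2"))     # identical digests
    rec1, rec2 = hash_password("hunter2"), hash_password("hunter2")
    print("salted, user 1:", rec1)
    print("salted, user 2:", rec2)                            # different digests
    print("verify:", verify_password("hunter2", rec1), verify_password("wrong", rec1))
    old = hash_password("hunter2", iterations=1000)
    print("old record needs rehash:", needs_rehash(old))
```

`needs_rehash` is the rotation hook: check it right after a successful login, because that is the only moment the plaintext password is available to derive a fresh record with the current parameters.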

  1. Which of the following are the best ways to protect a Web application from unvalidated redirects and forwards? (Choose two.) A. Validate the referrer header B. Use extended validation certificates C. Validate all input from the client D. Disallow requests to unauthorized file types - A,C
  2. In which of the following scenarios should you use the escaping technique? (Choose two.) A. When user input is echoed back to the user in HTML B. When you need to validate any input as valid input C. When you are trying to protect against regular expression injection D. When you need to tell the interpreter that input is data and not code - A,D
  3. Which of the following are the best ways to prevent unvalidated redirect and forwards vulnerabilities? (Choose two.) A. Use an allow list, such as table indirection. B. Use client-side validation. C. Allow only relative redirects. D. Use session-based indirection. - A,C
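Escaping comes up twice in this guide: cross-site scripting targets HTML and JavaScript (the question on XSS languages in the second block), and the escaping question just above says its job is to tell the interpreter that input is data, not code. This added example (not from the study guide; the comment body, the function names and the `showComment` call are constructed for it) renders one hostile comment into three output contexts, because the correct escaping depends on which interpreter will read the output.

```python
import html
import json

# Constructed sample input: a comment body supplied by a user.
HOSTILE_COMMENT = '<script>alert(1)</script><img src=x onerror="alert(2)">'

def render_comment_vulnerable(comment):
    # The raw value is echoed back inside the HTML document, so the browser
    # parses it as markup: the script element runs.
    return '<div class="comment">' + comment + '</div>'

def render_comment_html(comment):
    # HTML element context: entity-encode < > & " ' so the HTML parser sees text.
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def render_comment_attribute(comment):
    # Quoted-attribute context: the same encoding keeps the value inside the quotes,
    # so it cannot close the attribute and start an onerror= of its own.
    return '<a title="' + html.escape(comment, quote=True) + '">comment</a>'

def js_string_literal(value):
    # JavaScript context: the value must become a JS string literal, not HTML text.
    # json.dumps escapes quotes, backslashes and line terminators; < and > are
    # additionally hex-escaped so the HTML parser cannot find a "</script>" in the data.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def decode_js_string_literal(literal):
    # What the browser's JavaScript engine reconstructs from the literal.
    return json.loads(literal)

def render_comment_script(comment):
    return "<script>showComment(" + js_string_literal(comment) + ");</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable(HOSTILE_COMMENT))
    print(render_comment_html(HOSTILE_COMMENT))
    print(render_comment_attribute(HOSTILE_COMMENT))
    print(render_comment_script(HOSTILE_COMMENT))
```

`render_comment_html` alone would be the wrong tool inside a `<script>` block: entities are not decoded there, and a raw `</script>` in the data ends the script element early. That context dependence is why escaping has to be applied at the point of output, for the interpreter that will actually read it, and why a single block list of dangerous tags cannot substitute for it.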
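The two redirect questions in this block favour an allow list (table indirection) and, where a free-form target must be accepted, relative redirects only. This added example (not from the study guide; the target table, the parameter names and the function names are constructed for it) implements both, including the protocol-relative and backslash forms that a naive "starts with a slash" check lets through.

```python
from urllib.parse import urlsplit

# Table indirection: the client sends a short key, never a URL, and the server
# maps it to a destination it chose. Unknown keys fall back to a safe default.
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account",
    "orders": "/orders",
}

def redirect_from_key(key):
    return REDIRECT_TARGETS.get(key, REDIRECT_TARGETS["home"])

def is_safe_relative_redirect(target):
    """Accept only a path on this site: no scheme, no host, no protocol-relative
    or backslash variants, no CR/LF that could split the Location header."""
    if not target or not target.startswith("/"):
        return False                        # absolute URLs, javascript:, empty
    if target.startswith("//") or target.startswith("/\\"):
        return False                        # //evil.example and /\evil.example resolve to another host
    if "\\" in target or any(c in target for c in "\r\n\x00"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""

def redirect_from_param(next_param, default="/"):
    # Free-form "next" parameter: validate, never trust; fall back to a fixed page.
    return next_param if is_safe_relative_redirect(next_param) else default

if __name__ == "__main__":
    for candidate in ["/orders/42", "//evil.example/phish", "https://evil.example",
                      "/\\evil.example", "javascript:alert(1)", "/account?x=1"]:
        print(f"{candidate!r:32} -> {redirect_from_param(candidate)}")
    print("key 'orders' ->", redirect_from_key("orders"))
    print("key 'https://evil.example' ->", redirect_from_key("https://evil.example"))
```

Validating the Referer header, the other answer on the key, is best treated as a secondary control: browsers omit the header in many situations, so a handler that requires it breaks legitimate flows and one that accepts its absence hands an attacker an easy bypass. The allow-list table is the primary defence because the client never supplies a destination at all.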