SEC+ Exam Preparation: SQL Injection and Buffer Overflow Attacks, Exams of Computer Science

A comprehensive overview of sql injection and buffer overflow attacks, two common security vulnerabilities. It explores the mechanisms behind these attacks, their potential consequences, and effective countermeasures. Multiple examples and explanations, making it a valuable resource for understanding and mitigating these threats.

Typology: Exams

2024/2025

Available from 12/21/2024

kads-mugr
kads-mugr 🇺🇸

5

(1)

1.2K documents

1 / 20

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
401 SEC+ Exam Guaranteed Pass: Expert Solutions
& Questions from World-Leading Universities for
Academic Success
Sara, a hacker, is completing a website form to request a free coupon. The site has a field
that limits the request to 3 or fewer coupons. While submitting the form, Sara runs an
application on her machine to intercept the HTTP POST command and change the field
from 3 coupons to 30.
Which of the following was used to perform this attack?
A. SQL injection
B. XML injection
C. Packet sniffer
D. Proxy - -correct ans- -Answer: B
Explanation:
When a web user takes advantage of a weakness with SQL by entering values that they
should not, it is known as a SQL injection attack. Similarly, when the user enters values
that query XML (known as XPath) with values that take advantage of exploits, it is known as
an XML injection attack. XPath works in a similar manner to SQL, except that it does not
have the same levels of access control, and taking advantage of weaknesses within can
return entire documents. The best way to prevent XML injection attacks is to filter the user's
input and sanitize it to make certain that it does not cause XPath to return more data than it
should.
A malicious individual is attempting to write too much data to an application's memory.
Which of the following describes this type of attack?
A. Zero-day
B. SQL injection
C. Buffer overflow
D. XSRF - -correct ans- -Answer: C
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14

Partial preview of the text

Download SEC+ Exam Preparation: SQL Injection and Buffer Overflow Attacks and more Exams Computer Science in PDF only on Docsity!

401 SEC+ Exam Guaranteed Pass: Expert Solutions

& Questions from World-Leading Universities for

Academic Success

Sara, a hacker, is completing a website form to request a free coupon. The site has a field that limits the request to 3 or fewer coupons. While submitting the form, Sara runs an application on her machine to intercept the HTTP POST command and change the field from 3 coupons to 30. Which of the following was used to perform this attack? A. SQL injection B. XML injection C. Packet sniffer D. Proxy - - correct ans- - Answer: B Explanation: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return more data than it should. A malicious individual is attempting to write too much data to an application's memory. Which of the following describes this type of attack? A. Zero-day B. SQL injection C. Buffer overflow D. XSRF - - correct ans- - Answer: C

Explanation: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability Which of the following BEST describes a protective countermeasure for SQL injection? A. Eliminating cross-site scripting vulnerabilities B. Installing an IDS to monitor network traffic C. Validating user input in web applications D. Placing a firewall between the Internet and database servers - - correct ans- - Answer: C Explanation: By validating user input and preventing special characters, we can prevent the injection of clientside scripting code. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. A security administrator looking through IDS logs notices the following entry: (where [email protected] and passwd= 'or 1==1')

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. The string: ' or 1=1-- Represents which of the following? A. Bluejacking B. Rogue access point C. SQL Injection D. Client-side attacks - - correct ans- - Answer: C Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. When an order was submitted via the corporate website, an administrator noted special characters (e.g., ";--" and "or 1=1 --") were input instead of the expected letters and numbers. Which of the following is the MOST likely reason for the unusual results?

A. The user is attempting to highjack the web server session using an open-source browser. B. The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing DDoS attacks. C. The user is attempting to fuzz the web server by entering foreign language characters which are incompatible with the website. D. The user is sending malicious SQL injection strings in order to extract sensitive company or customer data via the website. - - correct ans- - Answer: D Explanation: The code in the question is an example of a SQL Injection attack. The code '1=1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. Highly sensitive data is stored in a database and is accessed by an application on a DMZ server. The disk drives on all servers are fully encrypted. Communication between the application server and end-users is also encrypted. Network ACLs prevent any connections to the database server except from the application server. Which of the following can still result in exposure of the sensitive data in the database server? A. SQL Injection B. Theft of the physical database server C. Cookies D. Cross-site scripting - - correct ans- - Answer: A Explanation:

An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=)) Which of the following types of attacks was attempted? A. SQL injection B. Cross-site scripting C. Command injection D. LDAP injection - - correct ans- - Answer: D Explanation: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database. Insert the username The LDAP query is narrowed down for performance and the underlying code for this function might be the following: String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery); If the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows: If a user puts "" on box search, the system may return all the usernames on the LDAP base If a user puts "jonys) (| (password = * ) )", it will generate the code bellow revealing jonys' password ( cn = jonys ) ( | (password = * ) )

Which of the following application attacks is used against a corporate directory service where there are unknown servers on the network? A. Rogue access point B. Zero day attack C. Packet sniffing D. LDAP injection - - correct ans- - Answer: D Explanation: A directory service is accessed by using LDAP (Lightweight Directory Access Protocol). LDAP injection is an attack against a directory service. Just as SQL injection attacks take statements that are input by users and exploit weaknesses within, an LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user's input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. The best way to prevent LDAP injection attacks is to filter the user input and to use a validation scheme to make certain that queries do not contain exploits. One of the most common uses of LDAP is associated with user information. Numerous applications exist—such as employee directories—where users find other users by typing in a portion of their name. These queries are looking at the cn value or other fields (those defined for department, home directory, and so on). Someone attempting LDAP injection could feed unexpected values to the query to see what results are returned. All too often, finding employee information equates to finding usernames and values about those users that could be portions of their passwords. Data execution prevention is a feature in most operating systems intended to protect against which type of attack? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. SQL injection - - correct ans- - Answer: B

Prevention (DEP) mode explicitly protects the pointer to the Structured Exception Handler (SEH) from being overwritten. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability. While opening an email attachment, Pete, a customer, receives an error that the application has encountered an unexpected issue and must be shut down. This could be an example of which of the following attacks? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. Directory traversal - - correct ans- - Answer: B Explanation: When the user opens an attachment, the attachment is loaded into memory. The error is caused by a memory issue due to a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential

information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability. A server administrator notes that a legacy application often stops running due to a memory error. When reviewing the debugging logs, they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describe? A. Zero-day B. Buffer overflow C. Cross site scripting D. Malicious add-on - - correct ans- - Answer: B Explanation: This question describes a buffer overflow attack. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type ofsecurity attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability. Which of the following was launched against a company based on the following IDS log? 122.41.15.252 - - [21/May/2012:00:17:20 +1200] "GET /index.php?username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A A AAA HTTP/1.1" 200 2731 "http://www.company.com/cgibin/

Explanation: Explanation The hex character 90 (x90) means NOP or No Op or No Operation. In a buffer overflow attack, the buffer can be filled and overflowed with No Op commands. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occuraccidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability. A security analyst, Ann, is reviewing an IRC channel and notices that a malicious exploit has been created for a frequently used application. She notifies the software vendor and asks them for remediation steps, but is alarmed to find that no patches are available to mitigate this vulnerability. Which of the following BEST describes this exploit? A. Malicious insider threat B. Zero-day C. Client-side attack D. Malicious add-on - - correct ans- - Answer: B Explanation: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include

infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In this question, there are no patches are available to mitigate the vulnerability. This is therefore a zero-day vulnerability. Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred? A. Cookie stealing B. Zero-day C. Directory traversal D. XML injection - - correct ans- - Answer: B Explanation: The vulnerability was unknown in that the IDS and antivirus did not detect it. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users An attacker used an undocumented and unknown application exploit to gain access to a file server. Which of the following BEST describes this type of attack?

infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file, does not show any signs of infection. Which of the following has happened on the workstation? A. Zero-day attack B. Known malware infection C. Session hijacking D. Cookie stealing - - correct ans- - Answer: A Explanation: The vulnerability was unknown in that the full antivirus scan did not detect it. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users Which of the following types of application attacks would be used to identify malware causing security breaches that have NOT yet been identified by any trusted sources? A. Zero-day B. LDAP injection

C. XML injection D. Directory traversal - - correct ans- - Answer: A Explanation: The security breaches have NOT yet been identified. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. Which of the following may cause Jane, the security administrator, to seek an ACL work around? A. Zero day exploit B. Dumpster diving C. Virus outbreak D. Tailgating - - correct ans- - Answer: A Explanation: A zero day vulnerability is an unknown vulnerability so there is no fix or patch for it. One way to attempt to work around a zero day vulnerability would be to restrict the permissions by using an ACL (Access Control List) A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

A. XML injection B. Directory traversal C. Header manipulation D. Session hijacking - - correct ans- - Answer: D Explanation: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system? A. Annually B. Immediately after an employee is terminated C. Every five years D. Every time they patch the server - - correct ans- - Answer: A Explanation: Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time. Which of the following types of logs could provide clues that someone has been attempting to compromise the SQL Server database? A. Event

B. SQL_LOG

C. Security D. Access - - correct ans- - Answer: A Explanation: Event logs include Application logs, such as those where SQL Server would write entries. This is where you would see logs with details of someone trying to access a SQL database. Ann, the security administrator, received a report from the security technician, that an unauthorized new user account was added to the server over two weeks ago. Which of the following could have mitigated this event? A. Routine log audits B. Job rotation C. Risk likelihood assessment D. Separation of duties - - correct ans- - Answer: A Explanation: When a new user account is created, an entry is added to the Event Logs. By routinely auditing the event logs, you would know that an account has been created.