CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 91:

  Which of the following is the BEST way to prevent Cross-Site Request Forgery (XSRF) attacks?

  A. Check the referrer field in the HTTP header

  B. Disable Flash content

  C. Use only cookies for authentication

  D. Use only HTTPS URLs

  Correct Answer: A

  XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is accomplished by changing values in the HTTP header and even in the user's cookie to falsify access. It can be prevented by embedding additional authentication data into requests that allows the web application to detect requests from unauthorized locations. Examples are synchronizer token patterns, cookie-to-header tokens, and checking the HTTP Referrer header and the HTTP Origin header.

  Incorrect Answers:

  B: Flash content is not used on Cross-Site Request Forgery (XSRF) attacks. Disabling flash content would thus not prevent Cross-Site Request Forgery (XSRF) attacks.

  C: Cookies are plain-text files that a browser stores on a user's hard disk to provide a persistent, customized web experience for each visit to a web site. It typically contains information about the user but is not used for authentication.

  D: HTTP Secure (HTTPS) combines HTTP with SSL/TLS to provide encrypted communication. This does not prevent XSRF.

  References: http://en.wikipedia.org/wiki/Cross-site_request_forgery Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 75, 335, 339, 340-341

• Question 92:

  After visiting a website, a user receives an email thanking them for a purchase which they did not request. Upon investigation the security administrator sees the following source code in a pop-up window:

  Which of the following has MOST likely occurred?

  A. SQL injection

  B. Cookie stealing

  C. XSRF

  D. XSS

  Correct Answer: C

  XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge.

  Incorrect Answers:

  A:; SQL injection attacks use unexpected input to a web application to gain access to the database used by web application. SQL injection attacks typically do not open pop-up browser windows.

  B: Cookie stealing is used in session hijacking. Cookies are one of the mechanisms used to validate a web user's session. When stolen, it can be used to establish a session with a host system that thinks it is still communicating with the original user. The original user's session has been hijacked and no longer receives communication from the host system. They will thus no receive pop-up windows.

  D: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

  References: http://en.wikipedia.org/wiki/Cross-site_request_forgery Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 335, 340 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 195

• Question 93:

  The BEST methods for a web developer to prevent the website application code from being vulnerable to cross-site request forgery (XSRF) are to: (Select TWO).

  A. Permit redirection to Internet-facing web URLs.

  B. Ensure all HTML tags are enclosed in angle brackets, e.g., "<" and ">".

  C. Validate and filter input on the server side and client side.

  D. Use a web proxy to pass website requests between the user and the application.

  E. Restrict and sanitize use of special characters in input and URLs.

  Correct Answer: CE

  XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge. XSRF can be prevented by adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing.

  Incorrect Answers:

  A: Permitting redirection to Internet-facing web URLs is to do with redirecting data traffic. It is not used to prevent XSS attacks.

  B: Ensuring all HTML tags are enclosed in angle brackets is not used to prevent XSS attacks. The use of angle brackets is standard practice in HTML code. Without angle brackets, the HTML code would not work.

  D: Web proxies tend to be used for caching web page content and/or restricting access to websites to aid compliance with company Internet usage policies. Web proxies are not used to prevent XSS attacks.

  References: http://en.wikipedia.org/wiki/Cross-site_scripting http://en.wikipedia.org/wiki/Cross-site_scripting#Reducing_the_threat

• Question 94:

  Which of the following can BEST help prevent cross-site scripting attacks and buffer overflows on a production system?

  A. Input validation

  B. Network intrusion detection system

  C. Anomaly-based HIDS

  D. Peer review

  Correct Answer: A

  Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  B: A network-based IDS (NIDS) is an intrusion detection system that scans network traffic in real time and is useful for detecting network-based attacks.

  C: A host-based IDS (HIDS) is an intrusion detection system that runs as a service on a host computer system. It is used to monitor the machine logs, system events, and application activity for signs of intrusion. It does not prevent attacks, such as cross-site scripting attacks and buffer overflows, but detects it.

  D: Peer review is the process of reviewing source code before the software is released. This is performed by a peer rather than by the programmer.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 111-112, 116-117, 257, 338 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 21,

  197, 216, 319

• Question 95:

  Without validating user input, an application becomes vulnerable to all of the following EXCEPT: A. Buffer overflow.

  B. Command injection.

  C. Spear phishing.

  D. SQL injection.

  Correct Answer: C

  Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  A: Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.

  B: Command injection is often used to gain access to restricted directories on a web server. Proper input validation will help prevent command injection attacks.

  D: SQL injection attacks use unexpected input to a web application to gain access to the database used by web application. You can protect a web application against SQL injection by implementing input validation and by limiting database account privileges for the account used by the web server and the web application.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 257, 337, 338 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 195- 196, 197, 319

• Question 96:

  One of the most consistently reported software security vulnerabilities that leads to major exploits is:

  A. Lack of malware detection.

  B. Attack surface decrease.

  C. Inadequate network hardening.

  D. Poor input validation.

  Correct Answer: D

  D: With coding there are standards that should be observed. Of these standards the most fundamental is input validation. Attacks such as SQL injection depend on unfiltered input being sent through a web application. This makes for a software vulnerability that can be exploited. There are two primary ways to do input validation: client-side validation and server-side validation. Thus with poor input validation you increase your risk with regard to exposure to major software exploits.

  Incorrect Answers:

  A: Malware detection refers to antivirus software which purpose is to identify, prevent and eliminate viruses. This is not software vulnerability.

  B: The attack surface of an application is the area of that application that is available to users-- those who are authenticated and, more importantly, those who are not. As such, it can include the services, protocols, interfaces, and code. The

  smaller the attack surface, the less visible the application is to attack.

  C: Network hardening refers to the process of making sure that your network is as secure as it can be. This is not a software vulnerability that may lead to major exploits.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 219, 345.

• Question 97:

  Which of the following is a common coding error in which boundary checking is not performed?

  A. Input validation

  B. Fuzzing

  C. Secure coding

  D. Cross-site scripting

  Correct Answer: A

  Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  B: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  C: Proper and secure coding can prevent many attacks, including cross-site scripting, SQL injection and buffer overflows.

  D: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 257 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 192, 229, 319

• Question 98:

  Input validation is an important security defense because it:

  A. rejects bad or malformed data.

  B. enables verbose error reporting.

  C. protects mis-configured web servers.

  D. prevents denial of service attacks.

  Correct Answer: A

  Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  B: Error reporting is implemented through proper error and exception handling. It is not accomplished by input validation.

  C: Input validation is not a defence against a mis-configured system.

  D: Denial of Service (DoS) attacks web-based attacks that exploit flaws in the operating system, applications, services, or protocols. These attacks can be mitigated by means of firewalls, routers, and intrusion detection systems (IDSs) that detect DoS traffic, disabling echo replies on external systems, disabling broadcast features on border systems, blocking spoofed packets on the network, and proper patch management.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 257, 343 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 170- 172, 230, 319

• Question 99:

  In regards to secure coding practices, why is input validation important?

  A. It mitigates buffer overflow attacks.

  B. It makes the code more readable.

  C. It provides an application configuration baseline.

  D. It meets gray box testing standards.

  Correct Answer: A

  Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer overflow exploits.

  Incorrect Answers:

  B: Code readability is a function of the integrated development environment (IDE) and the use of indentation and formatting. It is not a function of input validation.

  C: Application configuration baselining is the process of tuning the settings of an application to ensure it operates at its optimal value while providing security and vulnerability protection.

  D: Gray box testing is a form of penetration testing for software where the tester approaches the software from a user perspective, analyzing inputs and outputs. They do have access to the source code which they use to design their tests but they do not analyze the inner workings of the application during their testing.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 219, 338 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 197,

• Question 100:

  After Matt, a user enters his username and password at the login screen of a web enabled portal, the following appears on his screen:

  `Please only use letters and numbers on these fields'

  Which of the following is this an example of?

  A. Proper error handling

  B. Proper input validation

  C. Improper input validation

  D. Improper error handling

  Correct Answer: B

  Input validation is an aspect of secure coding and is intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that

  input. The check could be a length, a character type, a language type, or a domain.

  Incorrect Answers:

  A, D: Error handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system, and should include error and exception handling.

  C: Improper input validation would allow user input to be used as an attack vector. In such an event input would not be checked and the use would not receive a message from the system.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 257 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 319,