CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 111:

  Which of the following application security principles involves inputting random data into a program?

  A. Brute force attack

  B. Sniffing

  C. Fuzzing

  D. Buffer overflow

  Correct Answer: C

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: A Brute force attack consists of systematically checking all possible keys or passwords until a match is found.

  B: A sniffer is a passive network monitoring tool that provides information of network traffic in real-time. They are used for troubleshooting purposes, but can also be used by attackers to determine what protocols and systems are running on a network.

  D: Buffer overflow is an exploit at programming error, bugs and flaws. It occurs when an application receives more data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost.

  References:

  http://en.wikipedia.org/wiki/Fuzz_testing

  http://en.wikipedia.org/wiki/Brute-force_attack

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 66, 218, 257, 338 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 18, 197, 229,

• Question 112:

  Fuzzing is a security assessment technique that allows testers to analyze the behavior of software applications under which of the following conditions?

  A. Unexpected input

  B. Invalid output

  C. Parameterized input

  D. Valid output

  Correct Answer: A

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  B, D: Fuzzing uses invalid input and not output to test the application's response, such as crashes, or failed validation, or memory leaks, to such input.

  C: Parameterized input may be one of the invalid, unexpected, or random data that would be used in fuzz testing. Other forms of invalid data should also be tested.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 218 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 229

• Question 113:

  A security administrator wants to test the reliability of an application which accepts user provided parameters. The administrator is concerned with data integrity and availability. Which of the following should be implemented to accomplish this task?

  A. Secure coding

  B. Fuzzing

  C. Exception handling

  D. Input validation

  Correct Answer: B

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: Proper and secure coding can prevent many attacks, including cross-site scripting, SQL injection and buffer overflows.

  C: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.

  D: Input validation is an aspect of secure coding and is intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 257 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 229, 319, 320

• Question 114:

  Which of the following describes purposefully injecting extra input during testing, possibly causing an application to crash?

  A. Input validation

  B. Exception handling

  C. Application hardening

  D. Fuzzing

  Correct Answer: D

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  B: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.

  C: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 257 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 229, 230, 319

• Question 115:

  Which of the following security concepts identifies input variables which are then used to perform boundary testing?

  A. Application baseline

  B. Application hardening

  C. Secure coding

  D. Fuzzing

  Correct Answer: D

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: An application baseline defines the level of security that will be implemented and maintained for the application. A low baseline implements almost no security while a high baseline does not allow users to make changes to the application.

  B: Application Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

  C: Proper and secure coding can prevent many attacks, including cross-site scripting, SQL injection and buffer overflows.

  References: http://en.wikipedia.org/wiki/Fuzz_testing Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218-219, 226 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 229

• Question 116:

  Which of the following application security testing techniques is implemented when an automated system generates random input data?

  A. Fuzzing

  B. XSRF

  C. Hardening

  D. Input validation

  Correct Answer: A

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  B: XSRF or cross-site request forgery applies to web applications and is an attack that exploits the web application's trust of a user who known or is supposed to have been authenticated. This is often accomplished without the user's knowledge.

  C: Hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the surface of vulnerability typically includes removing unnecessary functions and features, removing unnecessary usernames or logins and disabling unnecessary services.

  D: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.

  References: http://en.wikipedia.org/wiki/Fuzz_testing http://en.wikipedia.org/wiki/Cross-site_request_forgery http://en.wikipedia.org/wiki/Hardening_%28computing%29 Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 218, 335 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 229,

• Question 117:

  Methods to test the responses of software and web applications to unusual or unexpected inputs are known as:

  A. Brute force.

  B. HTML encoding.

  C. Web crawling.

  D. Fuzzing.

  Correct Answer: D

  Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failed validation, or memory leaks.

  Incorrect Answers:

  A: Brute force is a type of attack that consists of systematically checking all possible keys or passwords until a match is found.

  B: HTML encoding applies to web applications only. When user input is not properly escaped and encoded it could be exploited for cross-site scripting. User input that encodes special characters without proper escaping can lead to malicious code execution in the DOM.

  C: Web Crawling applies to web application and describes the action taken by a program as it browses from page to page on a web application.

  References: http://en.wikipedia.org/wiki/Fuzz_testing http://en.wikipedia.org/wiki/Brute-force_attack

  https://blog.whitehatsec.com/tag/html-encoding/

  http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner %20Evaluation%20Criteria Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp

  218, 257 Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 229,

• Question 118:

  A software development company has hired a programmer to develop a plug-in module to an existing proprietary application. After completing the module, the developer needs to test the entire application to ensure that the module did not introduce new vulnerabilities. Which of the following is the developer performing when testing the application?

  A. Black box testing

  B. White box testing

  C. Gray box testing

  D. Design review

  Correct Answer: C

  In this question, we know the tester has some knowledge of the application because the tester developed a plug-in module for it. However, the tester does not have detailed information about the entire application. Therefore, this is a grey-box test. Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.

  Incorrect Answers:

  A: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place. In this question, the tester has some knowledge of the application. Therefore, this answer is incorrect.

  B: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. In this question, the tester has some knowledge of the application but not the detailed knowledge required for a white-box test. Therefore, this answer is incorrect.

  D: A design review in terms of application development is the process of reviewing the design of the modules and units used in the application. However, in this question, the application has already been developed. Furthermore, a design review does not describe the process of testing an application. Therefore, this answer is incorrect.

  References:

  http://searchsoftwarequality.techtarget.com/definition/gray-box http://en.wikipedia.org/wiki/Black-box_testing http://en.wikipedia.org/wiki/White-box_testing

• Question 119:

  An IT auditor tests an application as an authenticated user. This is an example of which of the following types of testing?

  A. Penetration

  B. White box

  C. Black box

  D. Gray box

  Correct Answer: D

  In this question, the tester is testing the application as an authenticated user. We can assume from this that the tester has at least limited knowledge of the application. This meets the criteria of a grey-box test. Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.

  Incorrect Answers:

  A: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. They are not used specifically for general application testing. Therefore, this answer is incorrect.

  B: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. In this question, the tester has some knowledge of the application but not the detailed knowledge required for a white-box test. Therefore, this answer is incorrect.

  C: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place. In this question, the tester has some knowledge of the application. Therefore, this answer is incorrect.

  References: http://searchsoftwarequality.techtarget.com/definition/gray-box http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/wiki/ White-box_testing http://en.wikipedia.org/wiki/Black-box_testing

• Question 120:

  Pete, a developer, writes an application. Jane, the security analyst, knows some things about the overall application but does not have all the details. Jane needs to review the software before it is released to production. Which of the following reviews should Jane conduct?

  A. Gray Box Testing

  B. Black Box Testing

  C. Business Impact Analysis

  D. White Box Testing

  Correct Answer: A

  Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.

  Incorrect Answers:

  B: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit,

  integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is

  not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software

  produces the output in the first place. In this question, the tester has some knowledge of the application. Therefore, this answer is incorrect.

  C: A Business Impact Analysis is the analysis of the impact an event will have on the business. As an example in terms of IT, a Business Impact Analysis could describe the effect of a server failure. A Business Impact Analysis is not used to

  describe the testing of an application.

  Therefore, this answer is incorrect.

  D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate

  outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-

  box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. In this