EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 321:

  Bill successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn in interactive shell and plans to deface the main web page. He fist attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tires to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem?

  A. The system is a honeypot

  B. The HTML file has permissions of read only

  C. You can't use a buffer overflow to deface a web page

  D. There is a problem with the shell and he needs to run the attack again

  Correct Answer: B

  A honeypot has no interest in stopping an intruder from altering the "target" files. A buffer overflow is a way to gain access to the target computer. Once he has spawned a shell it is unlikely that it will not work as intended, but the user context that the shell is spawned in might stop him from altering the index.html file incase he doesn't have sufficient rights.

• Question 322:

  Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem?

  A. You cannot use a buffer overflow to deface a web page

  B. There is a problem with the shell and he needs to run the attack again

  C. The HTML file has permissions of read only

  D. The system is a honeypot

  Correct Answer: C

• Question 323:

  Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack?

  A. Phishing

  B. Denial of Service

  C. Cross Site Scripting

  D. Backdoor installation

  Correct Answer: C

  This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.

• Question 324:

  What are the differences between SSL and S-HTTP?

  A. SSL operates at the network layer and S-HTTP operates at the application layer

  B. SSL operates at the application layer and S-HTTP operates at the network layer

  C. SSL operates at the transport layer and S-HTTP operates at the application layer

  D. SSL operates at the application layer and S-HTTP operates at the transport layer

  Correct Answer: C

  The main difference between the protocols is the layer at which they operate. SSL operates at the transport layer and mimics the "socket library," while S-HTTP operates at the application layer. Encryption of the transport layer allows SSL to be application-independent, while S-HTTP is limited to the specific software implementing it. The protocols adopt different philosophies towards encryption as well, with SSL encrypting the entire communications channel and S-HTTP encrypting each message independently.

• Question 325:

  Dan is conducting a penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the

  server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session?

  A. Dan cannot spoof his IP address over TCP network

  B. The server will send replies back to the spoofed IP address

  C. Dan can establish an interactive session only if he uses a NAT

  D. The scenario is incorrect as Dan can spoof his IP and get responses

  Correct Answer: B

  Spoofing your IP address is only effective when there is no need to establish a two way connection as all traffic meant to go to the attacker will end up at the place of the spoofed address.

• Question 326:

  An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price?

  A. By using SQL injection

  B. By using cross site scripting

  C. By changing hidden form values in a local copy of the web page

  D. There is no way the attacker could do this without directly compromising either the web server or the database

  Correct Answer: C

  Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.

• Question 327:

  Take a look at the following attack on a Web Server using obstructed URL: http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f %70%61%73%73%77%64

  The request is made up of:

  How would you protect information systems from these attacks?

  A. Configure Web Server to deny requests involving Unicode characters.

  B. Create rules in IDS to alert on strange Unicode requests.

  C. Use SSL authentication on Web Servers.

  D. Enable Active Scripts Detection at the firewall and routers.

  Correct Answer: B

  This is a typical Unicode attack. By configuring your IDS to trigger on strange Unicode requests you can protect your web-server from this type of attacks.

• Question 328:

  Bubba has just accessed he preferred ecommerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changes?

  A. A hidden form field value.

  B. A hidden price value.

  C. An integer variable.

  D. A page cannot be changed locally, as it is served by a web server.

  Correct Answer: A

• Question 329:

  ____________ will let you assume a users identity at a dynamically generated web page or site.

  A. SQL attack

  B. Injection attack

  C. Cross site scripting

  D. The shell attack

  E. Winzapper

  Correct Answer: C

  Cross site scripting is also referred to as XSS or CSS. You must know the user is online and you must scam that user into clicking on a link that you have sent in order for this hack attack to work.

• Question 330:

  What is Form Scalpel used for?

  A. Dissecting HTML Forms

  B. Dissecting SQL Forms

  C. Analysis of Access Database Forms

  D. Troubleshooting Netscape Navigator

  E. Quatro Pro Analysis Tool

  Correct Answer: A

  Form Scalpel automatically extracts forms from a given web page and splits up all fields for editing and manipulation.