EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 341:

  You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges?

  A. Administrator

  B. IUSR_COMPUTERNAME

  C. LOCAL_SYSTEM

  D. Whatever account IIS was installed with

  Correct Answer: C

  If you manage to get the system to start a shell for you, that shell will be running as LOCAL_SYSTEM.

• Question 342:

  Sara is making use of Digest Authentication for her Web site. Why is this considered to be more secure than Basic authentication?

  A. Basic authentication is broken

  B. The password is never sent in clear text over the network

  C. The password sent in clear text over the network is never reused.

  D. It is based on Kerberos authentication protocol

  Correct Answer: B

  Digest access authentication is one of the agreed methods a web page can use to negotiate credentials with a web user (using the HTTP protocol). This method builds upon (and obsoletes) the basic authentication scheme, allowing user identity to be established without having to send a password in plaintext over the network.

• Question 343:

  Consider the following code:

  

  If an attacker can trick a victim user to click a link like this and the web application does not validate input, then the victim's browser will pop up an alert showing the users current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page or redirecting the user to another web site.

  What is the countermeasure against XSS scripting?

  A. Create an IP access list and restrict connections based on port number

  B. Replace "<" and ">" characters with ?lt; and ?gt; using server scripts

  C. Disable Javascript in IE and Firefox browsers

  D. Connect to the server using HTTPS protocol instead of HTTP

  Correct Answer: B

  The correct answer contains a string which is an HTML-quoted version of the original script. The quoted versions of these characters will appear as literals in a browser, rather than with their special meaning as HTML tags. This prevents any script from being injected into HTML output, but it also prevents any user- supplied input from being formatted with benign HTML.

• Question 344:

  Annie has just succeeded is stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible?

  A. Any Cookie can be replayed irrespective of the session status

  B. The scenario is invalid as a secure cookie can't be replayed

  C. It works because encryption is performed at the network layer (layer 1 encryption)

  D. It works because encryption is performed at the application layer (Single Encryption Key)

  Correct Answer: D

  Single key encryption (conventional cryptography) uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible.

• Question 345:

  

  What attack is being depicted here?

  A. Cookie Stealing

  B. Session Hijacking

  C. Cross Site scripting

  D. Parameter Manipulation

  Correct Answer: D

  Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make applications do things in a way the user often shouldn't be able to. In a badly designed and developed web application, malicious users can modify things like prices in web carts, session tokens or values stored in cookies and even HTTP headers. In this case the user has elevated his rights.

• Question 346:

  The GET method should never be used when sensitive data such as credit is being sent to a CGI program. This is because any GET command will appear in the URL and will be logged by any servers. For example, let's say that you've

  entered your credit card information into a form that uses the GET method. The URL may appear like this:

  https://www.xsecurity-bank.com/creditcard.asp?cardnumber=454543433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information.

  How would you protect from this type of attack?

  A. Replace the GET with POST method when sending data

  B. Never include sensitive information in a script

  C. Use HTTOS SSLV3 to send the data instead of plain HTTPS

  D. Encrypt the data before you send using GET method

  Correct Answer: A

  If the method is "get", the user agent takes the value of action, appends a ? to it, then appends the form data set, encoded using the application/x-www-form- urlencoded content type. The user agent then traverses the link to this URI. If the method is "post" --, the user agent conducts an HTTP post transaction using the value of the action attribute and a message created according to the content type specified by the enctype attribute.

• Question 347:

  Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer.

  A. archive.org

  B. There is no way to get the changed webpage unless you contact someone at the company

  C. Usenet

  D. Javascript would not be in their html so a service like usenet or archive wouldn't help you

  Correct Answer: A

  Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code.

• Question 348:

  _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at.

  A. Mandatory Access Control

  B. Authorized Access Control

  C. Role-based Access Control

  D. Discretionary Access Control

  Correct Answer: A

  In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

• Question 349:

  Ivan is auditing a corporate website. Using Winhex, he alters a cookie as shown below.

  Before Alteration: Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;

  After Alteration: Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

  What attack is being depicted here?

  A. Cookie Stealing

  B. Session Hijacking

  C. Cross Site Scripting

  D. Parameter Manipulation

  Correct Answer: D

  Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies, secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit.

• Question 350:

  Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web application security, what do you think Jane has changed?

  A. An integer variable

  B. A 'hidden' price value

  C. A 'hidden' form field value

  D. A page cannot be changed locally; it can only be served by a web server

  Correct Answer: C

  Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.