• security Online Quiz - 13
Back
0

security Online Quiz - 13

Description: security Online Quiz - 13
Number of Questions: 20
Created by:
Tags: security
Start the Quiz
Attempted 0/20 Correct 0 Score 0

ASLR(Address Space Layout Randomization) and DEP (Data Execution Prevention) can be effective countermeasures against ?

technology security

  1. Server Misconfigurations

  2. Buffer Overflow

  3. Brute Force Attacks

  4. None of the above

Show answer
Correct Option: C

AI Explanation

To answer this question, you need to understand what ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) are and what types of attacks they are effective against. Let's go through each option to understand why it is correct or incorrect:

Option A) Server Misconfigurations - ASLR and DEP are not specifically designed to counter server misconfigurations. Although they can add an extra layer of security, they are not primarily targeted at addressing misconfigurations.

Option B) Buffer Overflow - This option is incorrect. ASLR and DEP are specifically designed to counter buffer overflow attacks. ASLR randomizes the memory layout, making it difficult for an attacker to predict the location of certain functions or variables. DEP prevents the execution of code in certain regions of memory, making it harder for an attacker to exploit a buffer overflow vulnerability.

Option C) Brute Force Attacks - This option is incorrect. ASLR and DEP are not designed to counter brute force attacks. Brute force attacks involve trying all possible combinations of passwords or encryption keys until the correct one is found. ASLR and DEP do not directly address this type of attack.

Option D) None of the above - This option is incorrect. ASLR and DEP are effective countermeasures against buffer overflow attacks.

The correct answer is B) Buffer Overflow. This option is correct because ASLR and DEP are designed to counter buffer overflow attacks by randomizing memory layout and preventing the execution of code in certain regions of memory, respectively.

Tina is working on a multi threaded application.The users of the application can specify the duration for which the threads may be put to sleep.If Tina does not perform any input validation,she is most likely to expose her code to ?

technology security

  1. Session Fixation

  2. Cross Side Scripting

  3. Denial of Service

  4. SQL Injection

Show answer
Correct Option: C

AI Explanation

To answer this question, we need to understand the concept of input validation and the potential risks associated with not performing proper input validation.

Input validation is the process of verifying and validating user input to ensure that it meets certain criteria or constraints. It is an important security measure to prevent malicious or unexpected inputs from causing vulnerabilities in the code.

In this scenario, Tina is working on a multi-threaded application where users can specify the duration for which the threads may be put to sleep. If Tina does not perform any input validation, it means that she does not check or sanitize the user input for this duration.

The lack of input validation in this case can expose Tina's code to Denial of Service (DoS) attacks. A Denial of Service attack is a malicious attempt to disrupt the normal functioning of a system or network by overwhelming it with a flood of illegitimate requests or by exploiting vulnerabilities in the system.

By allowing users to specify an arbitrary duration for thread sleep without proper validation, an attacker could potentially input a very large or infinite duration, causing the threads to sleep for an extended period of time or indefinitely. This could lead to resource exhaustion, where the system becomes overwhelmed and unable to handle legitimate requests, ultimately causing a Denial of Service.

Therefore, the correct answer is C) Denial of Service.

Cross site scripting is a type of attack where:

technology security

  1. Attacker changes the privilege level through a script

  2. Attacker uploads a message that contains client side code that attacks anyone that reads it.

  3. A script is run at the attackers machine

  4. None of the above

Show answer
Correct Option: B

It is a good programming practice to prevent Caching of sensitive data at client or proxies by implementing:

technology security

  1. "Cache-Control: do not-cache, do not save"

  2. "Cache-Control: do not-save, do not store"

  3. "Cache-Control: no-cache, no store"

  4. "Cache-Control: do not cache"

Show answer
Correct Option: C
Explanation:

To solve this question, the user needs to know about caching and how to prevent sensitive data from being cached on clients or proxies.

Option A: "Cache-Control: do not-cache, do not save" - This option is not entirely correct. Although the "do not-cache" directive will prevent the client or proxy from caching the data, there is no "do not save" directive in the Cache-Control header field.

Option B: "Cache-Control: do not-save, do not store" - This option is incorrect. There is no "do not-save" or "do not store" directive in the Cache-Control header field.

Option C: "Cache-Control: no-cache, no store" - This option is correct. The "no-cache" directive indicates that the client or proxy should not use a cached copy of the data for subsequent requests, but it should revalidate the data with the origin server. The "no-store" directive indicates that the client or proxy should not store the data in any form of cache. Together, these directives ensure that sensitive data is not cached on the client or proxy.

Option D: "Cache-Control: do not cache" - This option is not entirely correct. The "do not cache" directive will prevent the client or proxy from caching the data, but it does not prevent the data from being stored in other forms of cache.

Therefore, the correct answer is:

The Answer is: C

Which is not a component of IIS application ?

technology security

  1. FTP

  2. Common files

  3. Background Intelligent Transfer Service (BITS)

  4. All of the choices are component of IIS

Show answer
Correct Option: D

AI Explanation

To answer this question, we need to understand the components of IIS (Internet Information Services). Let's go through each option:

Option A) FTP - This option is incorrect because FTP (File Transfer Protocol) is a component of IIS. It allows for the transfer of files between a client and a server.

Option B) Common files - This option is incorrect because Common files are a component of IIS. They include shared files and resources that are used by multiple websites hosted on the server.

Option C) Background Intelligent Transfer Service (BITS) - This option is incorrect because BITS is a component of IIS. It is a service that enables the transfer of files in the background, allowing for efficient use of network bandwidth.

Option D) All of the choices are components of IIS - This option is incorrect. The correct answer is that not all of the choices are components of IIS. In this case, the correct answer is that D is not a component of IIS.

The correct answer is: D.

Entry points in a software application include interfaces, protocols, code and which of the following?
technology security

  1. Error Messages

  2. Services

  3. Packaging

  4. Response Codes

Show answer
Correct Option: B

Analysis of the context of a business decision best describes which of the following?
technology security

  1. Logic Testing

  2. Stress Testing

  3. Conformance Testing

  4. Unit Testing

Show answer
Correct Option: A

Which is a countermeasure to a directory-traversal attack?
technology security

  1. Enforce permissions to folders.

  2. Allow everyone access to the default page only.

  3. Allow only registered users to access the home page of a website.

  4. Make all users log in to access folders

Show answer
Correct Option: A

If we have to check whether a software product meets the requirements of a particular specification then which one of the following should be performed?
technology security

  1. Logic Testing

  2. Stress Testing

  3. Conformance Testing

  4. Unit Testing

Show answer
Correct Option: C

If we increase the load on a software system beyond normal operating capacity then that can be called which of the following?
technology security

  1. Logic Testing

  2. Stress Testing

  3. Conformance Testing

  4. Unit Testing

Show answer
Correct Option: B

If a developer writes a code to test an individual method in the source code then this process best describes which of the following?
technology security

  1. Logic Testing

  2. Stress Testing

  3. Conformance Testing

  4. Unit Testing

Show answer
Correct Option: D

Using a custom build process to enable specific features in the Apache Web server is an example of what design principle?
technology security

  1. Least Privilege

  2. Leveraging existing components

  3. Economy of mechanism

  4. Fail safe

Show answer
Correct Option: C

Applying the most restrictive set of operating system permissions to all application files is an example of what design principle?
technology security

  1. Least common mechanism Least privilege

  2. Least Privilege

  3. Separation of duties

  4. Weakest link

Show answer
Correct Option: B
Explanation:

To solve this question, the user needs to know the different design principles used in system design.

The option that represents the design principle described in the question is:

B. Least Privilege

Explanation:

The principle of least privilege is a design principle in which users, agents, or processes are granted only the necessary permissions to perform their assigned tasks, and no more. This principle is important because it limits the potential damage of a security breach or other security incident. By applying the most restrictive set of operating system permissions to all application files, the system is designed to provide each application with the minimum level of access required to function properly, reducing the potential damage that could occur from a security breach.

Option A, Least common mechanism, is a separate design principle that states that the fewer mechanisms shared by users, the less likely those mechanisms are to be compromised.

Option C, Separation of duties, is a design principle that requires that more than one person be involved in a task to ensure that no single individual has complete control over a process.

Option D, Weakest link, is a design principle that states that security is only as strong as its weakest point. It emphasizes the need to identify and address vulnerabilities in a system to ensure that it is secure overall.

Therefore, the correct answer is:

The Answer is: B. Least Privilege

A tool that can perform ODBC commands on a SQL Server
technology security

  1. PSQL

  2. SQLCMD

  3. OSQL

  4. Postgre SQL

Show answer
Correct Option: C

As part of secure coding practices, its one of the counter measure that we take to address specific vulnerablity while attacker sending large amounts of data that exceed the quantities expected by the application within a given field.

technology security

  1. Error handling

  2. SQL Injection attack

  3. Data and Input Validation

  4. Buffer overflow attack

Show answer
Correct Option: D

AI Explanation

To answer this question, you need to understand secure coding practices and common vulnerabilities. Let's go through each option to understand why it is correct or incorrect:

Option A) Error handling - This option is incorrect because error handling is a practice used to manage and handle errors in a program, but it does not specifically address the issue of an attacker sending large amounts of data.

Option B) SQL Injection attack - This option is incorrect because SQL injection is a different type of vulnerability where an attacker can manipulate SQL queries to gain unauthorized access to a database. It is not directly related to the scenario described in the question.

Option C) Data and Input Validation - This option is incorrect because while data and input validation are important secure coding practices, they do not specifically address the issue of an attacker sending large amounts of data.

Option D) Buffer overflow attack - This option is correct because a buffer overflow attack occurs when an attacker sends more data than a program or application can handle, causing it to overwrite adjacent memory areas. This can lead to crashes, data corruption, and even the execution of malicious code.

The correct answer is D) Buffer overflow attack. This option is correct because it directly addresses the specific vulnerability described in the question.

Which of the following is not an web application vulnerability ?

technology security

  1. Invalidated input

  2. Cross site scripting (XSS)

  3. Use of firewall for content verification

  4. web sever misconfiguration

Show answer
Correct Option: C

AI Explanation

To answer this question, let's go through each option to understand why it is correct or incorrect:

Option A) Invalidated input - This option is a web application vulnerability. It refers to the failure to properly validate or sanitize user input, which can lead to various security issues such as SQL injection or command injection.

Option B) Cross-site scripting (XSS) - This option is a web application vulnerability. It occurs when an attacker is able to inject malicious scripts into web pages viewed by other users, which can lead to unauthorized access, data theft, or other malicious activities.

Option C) Use of firewall for content verification - This option is NOT a web application vulnerability. A firewall is a security measure that controls network traffic based on predetermined security rules. While a firewall can help protect against certain types of attacks, it is not specifically related to web application vulnerabilities.

Option D) Web server misconfiguration - This option is a web application vulnerability. Misconfigurations in web servers can expose sensitive information, grant unauthorized access, or enable other types of attacks.

The correct answer is C. The use of a firewall for content verification is not considered a web application vulnerability, as it is a security measure that can help protect against various types of attacks.

Which piece of information is most likely to be gleaned from html source code?

technology security

  1. Directory structures

  2. Facility security measures

  3. Alarm codes

  4. Password policy

Show answer
Correct Option: A

Web applications that handle sensitive information employ appropriate communication protocols to encrypt the data in transit. Which one of the following communication protocols encrypts data during transit

technology security

  1. HTTP 1.1

  2. HTTP 1.0

  3. SSL/TLS

  4. HTTP Keep-Alive

Show answer
Correct Option: C

Refer URL : http://www.testrun.com/login.aspx?id=' OR 1=1- . Which type of attack refered in this URL

technology security

  1. Cross Site Scripting (XSS)

  2. Buffer Overflow

  3. SQL Injection

  4. Cross Site Request Forgeries (CSRF)

Show answer
Correct Option: C

Which of the following is not a security mechanism

technology security

  1. Defence

  2. Dumpster Diving

  3. Deterrence

  4. Detection

Show answer
Correct Option: B

AI Explanation

To answer this question, we need to understand the concept of security mechanisms. Security mechanisms are measures or techniques implemented to protect computer systems and networks from unauthorized access, attacks, and other potential threats.

Let's go through each option to determine which one is not a security mechanism:

Option A) Defence - This option is a security mechanism. "Defence" refers to the implementation of various measures to protect computer systems and networks, such as firewalls, intrusion detection systems, and encryption.

Option B) Dumpster Diving - This option is not a security mechanism. "Dumpster diving" is a technique used by attackers to gather confidential or sensitive information by searching through trash or discarded materials. It is a form of social engineering and does not involve any protective measures.

Option C) Deterrence - This option is a security mechanism. "Deterrence" refers to the use of preventive measures to discourage potential attackers from targeting a system. This can include visible security cameras, warning signs, or legal consequences for unauthorized access.

Option D) Detection - This option is a security mechanism. "Detection" refers to the process of identifying and alerting about potential security breaches or attacks. This can involve the use of intrusion detection systems, antivirus software, or log monitoring.

Based on the explanations above, the correct answer is B) Dumpster Diving. This option is not a security mechanism as it is a technique used by attackers, rather than a protective measure.

- Hide questions
ADVERTISEMENT

Find more quizzes from top tags

general knowledge
3615 Quizzes
119858 Questions
 technology
307 Quizzes
36705 Questions
 sports
963 Quizzes
19148 Questions
 history
1187 Quizzes
13475 Questions
 physics
598 Quizzes
13441 Questions
 biology
1160 Quizzes
12174 Questions
 science & technology
551 Quizzes
11015 Questions
 chemistry
490 Quizzes
9892 Questions
 maths
518 Quizzes
9324 Questions
 softskills
0 Quizzes
7131 Questions