Test your basic knowledge |

Comptia Security +: Domain4 Application Security

Subjects : certifications, comptia-security-+, it-skills

Instructions:

Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.

This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.

1. Phases of threat modeling
buffer overflow
physical
security objective definition - application review - application decomposition - threat identification - vulnerability identification
persistent cookie

2. Enable the cookie secure-bit setting - avoid using cookies to hold sensitive data - block third-party cookies will prevent ______
session
application
cross-site scripting
cookie attacks

3. The application is reviewed and specific vulnerabilities are documented in this phase of threat modeling
vulnerability identification
session - persistent - tracking
P2P
stack

4. A method of code signing - allows developers to obtain digital certificate generated by a certificate authority and digitally sign ActiveX controls
data link
authenticode
misconfigured mail server
presentation

5. Phase of threat modeling that reviews application ingress and egress data flow and trust boundaries
javascript
heap
IM
application decomposition

6. Scripting languages - developed by Microsoft to allow developers to extend and reuse web functionality
ARP spoofing
stack
vbscript and jscript
transport

7. Protocols used in this layer - IP
presentation
network
buffer overflow
XSS attacks

8. Key functionality (how the application works) is identified and an application diagram developed in this phase of threat modeling
data link
session
application review
presentation

9. Security zone options offered by Internet Explorer
reflected and stored
Internet - Local Intranet - Trusted Sites - Restricted Sites
stack and heap
cookie hijacking

10. Have a timeout value - are not deleted when the user closes their web brower - used to store user preferences and information about the use connection
persistent cookie
application gateways
threat modeling
session cookie

11. Three main cookie types
vbscript and jscript
threat identification
session - persistent - tracking
application gateways

12. OSI layer responsible for data representation and encryption (MIME
presentation
session cookie
threat identification
address resolution protocol

13. Ensure data input is validated - encode user supplied data - don't click on unknown hyperlinks - implement restrictive web browser security zones are preventative measures against
security objective definition - application review - application decomposition - threat identification - vulnerability identification
ActiveX
XSS attacks
threat identification

14. Security objectives placed on an application are identified - controlling the scope of the threat modeling process
input validation
security objective definition - application review - application decomposition - threat identification - vulnerability identification
security objective definition
open mail relay

15. OSI layer 2 - verify the connection between two devices is intact (i.e. physical addressing)
reflected XSS
data link
Internet - Local Intranet - Trusted Sites - Restricted Sites
stack

16. OSI model layers
misconfigured mail server
Application - Presentation - Session - Transport - Network - Data Link - Physical
application decomposition
address resolution protocol

17. Malicious code stored in a web application that is downloaded and executed without the user's knowledge
stored XSS
data link
Application - Presentation - Session - Transport - Network - Data Link - Physical
input validation criteria

18. P2P stands for...
bytecode verifier
session
network
peer to peer

19. Enforce application software restrictions - virus scan all files - restrict folders shared by other P2P clients are safeguards for
P2P
Internet - Local Intranet - Trusted Sites - Restricted Sites
sandboxing
security objective definition - application review - application decomposition - threat identification - vulnerability identification

20. Used by java to verify the code for a list of predetermined insecurities
sandboxing
session cookie
bytecode verifier
input validation

21. OSI layer that provides the means to transfer data between network entities and detect/correct errors that may occur in the physical layer
data link
application review
drive by download
application

22. More data is put into a buffer than it was designed to hold - can be caused deliberately by hackers to run malicious code
buffer overflow
bytecode verifier
session cookie
physical

23. A scripting language - developed by Netscape to perform client-side web development
authenticode
javascript
session
digitally signed java control

24. Enticing a user to execute malicious code stored on a web server (i.e. via hyperlink in an email)
reflected XSS
Application - Presentation - Session - Transport - Network - Data Link - Physical
address resolution protocol
misconfigured mail server

25. OSI layer that provides transparent transfer of data between end users
reflected XSS
Application - Presentation - Session - Transport - Network - Data Link - Physical
Internet - Local Intranet - Trusted Sites - Restricted Sites
transport

26. Area of the memory where function calls are stored
transport
application
stack
session

27. OSI layer that establishes - manages and terminates the connections between the local and remote application
XSS attacks
cookie leaking
session
presentation

28. This layer formats and encrypts data to be sent across a network - providing freedom from compatibility problems - sometimes called the syntax layer
presentation
reflected and stored
network
data link

29. Sensitive information stored within a cookie that is obtained by unauthorized users
Internet - Local Intranet - Trusted Sites - Restricted Sites
security objective definition - application review - application decomposition - threat identification - vulnerability identification
application gateways
cookie leaking

30. Attackers sniff network traffic and capture a cookie download or gain access to a computer and view locally stored cookie
common off the shelf
ARP spoofing
cookie hijacking
P2P

31. Used by java and javascript to isolate executing code in a reserved area of memory to limit damage of malicious code
peer to peer
threat modeling
sandboxing
application review

32. Tools used to capture packets of data off a network and allow viewing of contents
packet sniffer
bytecode verifier
P2P
session cookie

33. A microsoft created technology that enables software applications to share and reuse software components - maybe used to access files on local system or system registry
misconfigured mail server
session
ActiveX
bytecode verifier

34. Categories of XSS
transport
reflected and stored
packet sniffer
application

35. Attacks targeting buffer overflow and cross-site scripting attack this OSI layer
network
data link
application layer
P2P

36. Attack that occurs when a user navigates to a web site and hostile content is automatically downloaded and executed
input validation
session - persistent - tracking
stack and heap
drive by download

37. OSI layer that relates to the physical connection of two devices (i.e. RS-232
physical
peer to peer
peer to peer
security objective definition

38. Used to record user's web activity - may be downloaded in the background
tracking cookie
P2P
Internet - Local Intranet - Trusted Sites - Restricted Sites
data link

39. Area of the memory where dynamically allocated variables are stored
buffer overflow
heap
input validation
data link

40. OSI layer responsible for path determination and logical addressing - routers operate at this layer
java
stack and heap
network
input validation criteria

41. A named collection of Web sites that can be assigned a specific security level
vulnerability identification
digitally signed java control
packet sniffer
zones

42. ARP stands for...
address resolution protocol
stored XSS
reflected and stored
open mail relay

43. Protocols used in this layer (ARP
stack
data link
application review
IM

44. Cause of open SMTP relays
session - persistent - tracking
session cookie
cookies
misconfigured mail server

45. Server misused to forward spam - DoS conditions - damage to brand - blacklist on spam sites are risks associated with
data link
session - persistent - tracking
open mail relay
stack and heap

46. Allow an attacker to intercept and modifiy data sent between two network devices - hijacking of network communications - attacks data link layer
peer to peer
ARP spoofing
authenticode
P2P

47. Small text files downloaded and stored on a user's computer that contain information about the user's session and preferences
vbscript and jscript
misconfigured mail server
cookies
ARP spoofing

48. Can filter out most buffer overflow attacks
bytecode verifier
zones
application gateways
cookie hijacking

49. OSI layer that provides interhost communication (Named Pipes
authenticode
XSS
session
application review

50. Deleted when the user closes their web browser - can contain authentication-related information
session cookie
address resolution protocol
presentation
bytecode verifier