Comptia Security +: Domain4 Application Security
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can study here.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So you might find the answers obvious at times, but you will see that it reinforces your understanding as you take the test each time.
1. Security objectives placed on an application are identified - controlling the scope of the threat modeling process
application
address resolution protocol
security objective definition
data link
2. The application is reviewed and specific vulnerabilities are documented in this phase of threat modeling
cookie hijacking
threat identification
network
vulnerability identification
3. More data is put into a buffer than it was designed to hold - can be caused deliberately by hackers to run malicious code
XSS attacks
buffer overflow
IM
application layer
4. Used by Java to verify the code against a list of predetermined insecurities
address resolution protocol
zones
bytecode verifier
data link
5. Server misused to forward spam - DoS conditions - damage to brand - blacklist on spam sites are risks associated with
bytecode verifier
P2P
transport
open mail relay
6. Each client is a peer and serves each other client on the network - requires client application and appropriate open network ports to operate
IM
transport
application
peer to peer
7. Enforce application software restrictions - virus scan all files - restrict folders shared by other P2P clients are safeguards for
P2P
sandboxing
heap
session
8. Protocols used in this layer - IP
network
XSS attacks
heap
authenticode
9. COTS stands for
input validation criteria
presentation
common off the shelf
drive by download
10. A method of code signing - allows developers to obtain digital certificate generated by a certificate authority and digitally sign ActiveX controls
authenticode
session cookie
persistent cookie
XSS
11. OSI layer responsible for end-to-end connections and reliability (i.e. TCP)
transport
XSS attacks
ActiveX
stored XSS
12. An attack that occurs when malicious code is injected into a web site - where it is downloaded and executed by other users
Application - Presentation - Session - Transport - Network - Data Link - Physical
XSS
security objective definition - application review - application decomposition - threat identification - vulnerability identification
application review
13. XSS stands for
cross-site scripting
bytecode verifier
application layer
packet sniffer
14. Malicious code stored in a web application that is downloaded and executed without the user's knowledge
stored XSS
application review
persistent cookie
address resolution protocol
15. Used to record user's web activity - may be downloaded in the background
presentation
drive by download
tracking cookie
stored XSS
16. A Microsoft-created technology that enables software applications to share and reuse software components - may be used to access files on the local system or the system registry
data link
application review
ActiveX
peer to peer
17. Threats to the defined security objectives are identified using knowledge gained during application decomposition in this phase of threat modeling
cookie attacks
transport
bytecode verifier
threat identification
18. Can filter out most buffer overflow attacks
application review
application gateways
cookie attacks
presentation
19. Type - length - format - range
peer to peer
reflected and stored
ActiveX
input validation criteria
20. The unauthorized modification of the data stored within a cookie
cookie poisoning
peer to peer
transport
java
21. OSI layer responsible for network processes to application
reflected and stored
application
data link
network
22. OSI layer that provides the means to transfer data between network entities and detect/correct errors that may occur in the physical layer
XSS attacks
data link
persistent cookie
presentation
23. Security zone options offered by Internet Explorer
Internet - Local Intranet - Trusted Sites - Restricted Sites
application review
packet sniffer
reflected and stored
24. OSI layer that relates to the physical connection of two devices (i.e. RS-232)
presentation
transport
physical
digitally signed java control
25. Categories of XSS
stack and heap
P2P
reflected and stored
application decomposition
26. Area of the memory where function calls are stored
drive by download
application
stack
IM
27. Phase of threat modeling that reviews application ingress and egress data flow and trust boundaries
P2P
peer to peer
application decomposition
data link
28. OSI layer 2 - verify the connection between two devices is intact (i.e. physical addressing)
data link
input validation
address resolution protocol
drive by download
29. OSI layer responsible for data representation and encryption (i.e. MIME)
authenticode
Application - Presentation - Session - Transport - Network - Data Link - Physical
presentation
vbscript and jscript
30. OSI model layers
network
data link
Application - Presentation - Session - Transport - Network - Data Link - Physical
session cookie
31. Enticing a user to execute malicious code stored on a web server (i.e. via hyperlink in an email)
physical
data link
reflected XSS
data link
32. Area of the memory where dynamically allocated variables are stored
buffer overflow
heap
transport
transport
33. ARP stands for...
address resolution protocol
security objective definition
application
reflected and stored
34. P2P stands for...
data link
peer to peer
cross-site scripting
application
35. This layer formats and encrypts data to be sent across a network - providing freedom from compatibility problems - sometimes called the syntax layer
java
transport
application
presentation
36. A scripting language - developed by Netscape to perform client-side web development
stack
application gateways
data link
javascript
37. Protocols used in this layer (i.e. ARP)
physical
data link
Application - Presentation - Session - Transport - Network - Data Link - Physical
reflected and stored
38. Have a timeout value - are not deleted when the user closes their web browser - used to store user preferences and information about the user's connection
authenticode
presentation
persistent cookie
vbscript and jscript
39. OSI layer that establishes - manages and terminates the connections between the local and remote application
session
misconfigured mail server
XSS
data link
40. Attackers sniff network traffic and capture a cookie download or gain access to a computer and view locally stored cookie
transport
cookie hijacking
ARP spoofing
buffer overflow
41. Enable the cookie secure-bit setting - avoid using cookies to hold sensitive data - block third-party cookies will prevent ______
cookie attacks
open mail relay
packet sniffer
Application - Presentation - Session - Transport - Network - Data Link - Physical
42. Key functionality (how the application works) is identified and an application diagram developed in this phase of threat modeling
Internet - Local Intranet - Trusted Sites - Restricted Sites
application review
presentation
cookie attacks
43. Allow an attacker to intercept and modify data sent between two network devices - hijacking of network communications - attacks the data link layer
security objective definition - application review - application decomposition - threat identification - vulnerability identification
data link
ARP spoofing
network
44. Sensitive information stored within a cookie that is obtained by unauthorized users
network
common off the shelf
cookie leaking
address resolution protocol
45. Attack that occurs when a user navigates to a web site and hostile content is automatically downloaded and executed
security objective definition
physical
drive by download
input validation criteria
46. OSI layer responsible for path determination and logical addressing - routers operate at this layer
packet sniffer
security objective definition - application review - application decomposition - threat identification - vulnerability identification
physical
network
47. Phases of threat modeling
security objective definition - application review - application decomposition - threat identification - vulnerability identification
zones
data link
session
48. Ensure data input is validated - encode user supplied data - don't click on unknown hyperlinks - implement restrictive web browser security zones are preventative measures against
session
XSS attacks
bytecode verifier
packet sniffer
49. OSI layer defines the electrical / physical device specs (media - signal - and binary transmission). This includes the layout of pins - voltages - cable specifications - hubs - network adapters - host bus adapters and more.
P2P
physical
application gateways
cookies
50. Used by Java and JavaScript to isolate executing code in a reserved area of memory to limit the damage of malicious code
sandboxing
threat identification
network
threat modeling