SUBJECTS
|
BROWSE
|
CAREER CENTER
|
POPULAR
|
JOIN
|
LOGIN
Business Skills
|
Soft Skills
|
Basic Literacy
|
Certifications
About
|
Help
|
Privacy
|
Terms
|
Email
Search
Test your basic knowledge |
Comptia Security +: Domain4 Application Security
Start Test
Study First
Subjects
:
certifications
,
comptia-security-+
,
it-skills
Instructions:
Answer 50 questions in 15 minutes.
If you are not ready to take this test, you can
study here
.
Match each statement with the correct term.
Don't refresh. All questions and answers are randomly picked and ordered every time you load a test.
This is a study tool. The 3 wrong answers for each question are randomly chosen from answers to other questions. So, you might find at times the answers obvious, but you will see it re-enforces your understanding as you take the test each time.
1. The unauthorized modification of the data stored within a cookie
session - persistent - tracking
cookie poisoning
javascript
physical
2. An attack that occurs when malicious code is injected into a web site - where it is downloaded and executed by other users
network
XSS
zones
stack and heap
3. IP address exposure - download of worm/viruses circumventing the firewall - no way to track improper communication - messages in clear text are risks associated with
ActiveX
IM
cookie hijacking
data link
4. Can filter out most buffer overflow attacks
vulnerability identification
stored XSS
application gateways
application layer
5. Allow an attacker to intercept and modifiy data sent between two network devices - hijacking of network communications - attacks data link layer
stack
P2P
ARP spoofing
network
6. A named collection of Web sites that can be assigned a specific security level
heap
stored XSS
session cookie
zones
7. Phase of threat modeling that reviews application ingress and egress data flow and trust boundaries
application decomposition
stack and heap
ActiveX
IM
8. Security objectives placed on an application are identified - controlling the scope of the threat modeling process
stack
threat modeling
security objective definition
drive by download
9. Number one safeguard against buffer overflow - XSS - data injection - and DoS attacks
data link
input validation
data link
session
10. OSI layer 2 - verify the connection between two devices is intact (i.e. physical addressing)
data link
physical
threat modeling
peer to peer
11. OSI model layers
misconfigured mail server
Application - Presentation - Session - Transport - Network - Data Link - Physical
java
physical
12. Three main cookie types
session - persistent - tracking
input validation criteria
cross-site scripting
ActiveX
13. ARP stands for...
address resolution protocol
zones
common off the shelf
P2P
14. The application is reviewed and specific vulnerabilities are documented in this phase of threat modeling
cross-site scripting
physical
vulnerability identification
cookie poisoning
15. OSI layer responsible for path determination and logical addressing - routers operate at this layer
cookie attacks
physical
XSS attacks
network
16. Categories of XSS
digitally signed java control
reflected and stored
XSS attacks
XSS
17. Two types of buffer overflows
ARP spoofing
application
peer to peer
stack and heap
18. P2P stands for...
transport
application
peer to peer
cookies
19. Each client is a peer and serves each other client on the network - requires client application and appropriate open network ports to operate
persistent cookie
tracking cookie
input validation criteria
peer to peer
20. OSI layer responsible for data representation and encryption (MIME
presentation
tracking cookie
reflected XSS
IM
21. Enable the cookie secure-bit setting - avoid using cookies to hold sensitive data - block third-party cookies will prevent ______
java
cookie attacks
cookie hijacking
session - persistent - tracking
22. OSI layer responsible for network processes to application
reflected and stored
security objective definition
application
cookie attacks
23. Malicious code stored in a web application that is downloaded and executed without the user's knowledge
session
application decomposition
stored XSS
network
24. Key functionality (how the application works) is identified and an application diagram developed in this phase of threat modeling
input validation criteria
zones
network
application review
25. A scripting language - developed by Netscape to perform client-side web development
Internet - Local Intranet - Trusted Sites - Restricted Sites
javascript
data link
application
26. Security zone options offered by Internet Explorer
Internet - Local Intranet - Trusted Sites - Restricted Sites
cookies
application
address resolution protocol
27. Area of the memory where dynamically allocated variables are stored
input validation criteria
heap
data link
Internet - Local Intranet - Trusted Sites - Restricted Sites
28. OSI layer responsible for end-to-end connections and reliability (i.e. TCP
java
transport
cookie poisoning
authenticode
29. Protocols used in this layer - IP
heap
network
address resolution protocol
application decomposition
30. A method of code signing - allows developers to obtain digital certificate generated by a certificate authority and digitally sign ActiveX controls
authenticode
threat identification
application
session
31. Used by java and javascript to isolate executing code in a reserved area of memory to limit damage of malicious code
sandboxing
security objective definition
common off the shelf
presentation
32. Cause of open SMTP relays
misconfigured mail server
application layer
sandboxing
digitally signed java control
33. Sensitive information stored within a cookie that is obtained by unauthorized users
input validation criteria
peer to peer
cookie leaking
sandboxing
34. Ensure data input is validated - encode user supplied data - don't click on unknown hyperlinks - implement restrictive web browser security zones are preventative measures against
javascript
input validation
IM
XSS attacks
35. Attack that occurs when a user navigates to a web site and hostile content is automatically downloaded and executed
application layer
drive by download
threat modeling
P2P
36. Type - length - format - range
input validation criteria
tracking cookie
drive by download
security objective definition
37. A programming language - developed by Sun - used to make small applications (applets) for the Internet and stand alone programs
cookie attacks
stack
open mail relay
java
38. Target for trojans and viruses - used to transfer stolen/pirated data - unintentional disclosure of data are risks associated with
P2P
open mail relay
physical
session
39. More data is put into a buffer than it was designed to hold - can be caused deliberately by hackers to run malicious code
stack and heap
buffer overflow
peer to peer
cookie hijacking
40. Protocols used in this layer (ARP
stored XSS
cookie poisoning
data link
input validation
41. OSI layer that relates to the physical connection of two devices (i.e. RS-232
application
common off the shelf
physical
data link
42. Used by java to verify the code for a list of predetermined insecurities
bytecode verifier
network
Application - Presentation - Session - Transport - Network - Data Link - Physical
input validation criteria
43. Can leave the sandbox and obtain access to client resources
digitally signed java control
java
common off the shelf
misconfigured mail server
44. OSI layer that provides interhost communication (Named Pipes
buffer overflow
ARP spoofing
session
cookie attacks
45. Area of the memory where function calls are stored
application
stack
physical
ActiveX
46. Have a timeout value - are not deleted when the user closes their web brower - used to store user preferences and information about the use connection
session cookie
persistent cookie
presentation
data link
47. Small text files downloaded and stored on a user's computer that contain information about the user's session and preferences
sandboxing
authenticode
cookies
session cookie
48. Tools used to capture packets of data off a network and allow viewing of contents
packet sniffer
session
stack
vulnerability identification
49. Threats to defined security objects are identified using knowledge gained during application decomposition in this phase of threat modeling
stored XSS
threat identification
input validation criteria
XSS
50. Scripting languages - developed by Microsoft to allow developers to extend and reuse web functionality
ActiveX
XSS attacks
peer to peer
vbscript and jscript