COLLEGE OF INFORMATION TECHNOLOGY

CHAPTER 6 :INJECTION ATTACK

IT – WS04
Web System Vulnerabilities

Name: Date:
Section: Score:
General Instructions:
• Read each question carefully and choose the BEST answer from the options provided.
• Use black ballpen for your answers.
• Erasures are considered wrong.
1. Multiple Choice:
1. What is the primary focus of Chapter 6?
a. Website design
b. Injection attacks
c. Browser security
d. HTTP protocols
2. What is the meaning of "--" in a SQL injection query?
a. beautiful query
b. strong query
c. comment
d. For faster query
3. Which type of injection attack involves manipulating SQL statements to gain unauthorized access to a
database?
a. Cross-site scripting (XSS)
b. Command injection
c. SQL injection
d. Remote code execution
4. In the SQL injection attack example, what character is used to terminate the email parameter early and trick
the database driver?
a. !
b. '
c. #
d. ;
5. What does ORM stand for?
a. Object Related Model
b. Object Relational Mapping
c. Only Read Memory
d. Only Run Master

6. Which of the following statements accurately describes the significance of SQL injection attacks on
websites?
a. They only affect websites with a small user base.
b. They are limited to disrupting website design.
c. They pose a significant risk as they can lead to unauthorized access and data manipulation.
d. They primarily target browser vulnerabilities.
7. What type of attack involves passing malicious code in an HTTP request to trick the server into executing the
code?
a. Cross-site scripting (XSS)
b. Remote code execution
c. Cross-site request forgery (CSRF)
d. Command injection
8. In SQL databases, what is the purpose of the SQL SELECT statement?
a. Add rows to the database
b. Update rows in the database
c. Read rows from the database
d. Remove rows from the database
9. How can a hacker exploit a vulnerable website using SQL injection beyond bypassing authentication?
a. Execute arbitrary SQL statements
b. Upload malicious files to the server
c. Inject JavaScript code into web pages
d. All of the above

10. What is the recommended mitigation technique to protect against SQL injection attacks in web
development?
a. Use strong encryption for database connections.
b. Regularly update the server's operating system.
c. Implement input validation and sanitization.
d. Increase the server's processing speed.
11. What does "Defense in Depth" in website security refer to?
A. Checking code line by line for vulnerabilities
B. Redundant security measures at every level of the stack
C. Ensuring strong encryption for data transmission
D. Implementing secure authentication only
12. How does the "Principle of Least Privilege" contribute to mitigating injection attacks, especially in SQL
injection?
A. Allowing unrestricted access to database resources
B. Granting elevated permissions to web servers
C. Restricting processes and applications to minimal necessary permissions
D. Avoiding authentication altogether
13. What distinguishes blind SQL injection from non-blind SQL injection attacks?
A. Presence of error messages
B. Website responsiveness
C. Attackers' knowledge of server IP
D. Nature of injected SQL statements
14. What is the primary risk associated with insecure command line calls in web applications?
A. Server downtime
B. Unauthorized database access
C. Command injection attacks
D. Cross-site scripting vulnerabilities
15. In the context of command injection, what does "escaping control characters" involve?
A. Allowing special characters in user inputs
B. Disabling input validation
C. Replacing sensitive control characters with safe alternatives
D. Ignoring control characters in HTTP requests
16. How does the principle of least privilege apply to mitigating command injection attacks?
A. Granting maximum permissions to web servers
B. Limiting web server privileges to required actions
C. Using complex command strings
D. Disabling all command line calls
17. What distinguishes remote code execution from SQL and command injection attacks?
A. Nature of injected code
B. Involvement of error messages
C. Targeted server components
D. Execution location of malicious code
18. What is the role of serialization in remote code execution vulnerabilities?
A. Preventing code execution
B. Converting data structures to binary data
C. Enhancing server performance
D. Reducing network latency

19. How can developers protect against insecure deserialization leading to remote code execution?
A. Use less secure serialization libraries
B. Enable active code execution features
C. Apply relevant configuration settings to disable code execution
D. Avoid third-party serialization libraries

20. How does a developer, who doesn't write web server code, protect against remote code execution in their
web stack?
A. Write custom serialization libraries
B. Disable all security features
C. Stay aware of security advisories and disable active code execution
D. Use only first-party serialization libraries
21. Acronym: CDN
a) content delivery network
b) content distribution network
c) continental delivery networking
d) consistent delivery network

22. Acronym: CIS
a) The central for international security
b) The center for internet security
c) consistent internal security
d) consistent internet security

23. When you’re running a Python web server on Linux, you can set file permissions when creating a file by
using the ___?
a) or module
b) og module
c) os module
d) iso module

24. PHP files are typically treated by operating systems as ___?
a) executable file
b) extensive file
c) external file
d) internal file
25. This is a common tool used by hackers attempting to compromise a web server.
a) CMD
b) webshield
c) nutshell
d) webshell

26. The first, most important approach to securing file upload functions is to ensure that your web server
treats uploaded files as inert rather than executable objects.
a) Ensure Uploaded Files Cannot Be Executed
b) Validate the Content of Uploaded Files
c) Host Files on a Secure System
d) Run Antivirus Software

27. This is what websites use for a variety of purposes: letting users add images to their profile or
posts, adding attachments to messages, submitting paperwork, sharing documents with other users, and so on.
a) file download function
b) file function
c) file readable function
d) file upload function

28. If you’re uploading files with a known file type, consider adding some filetype checking in your code.
a) Ensure Uploaded Files Cannot Be Executed
b) Validate the Content of Uploaded Files
c) Host Files on a Secure System
d) Run Antivirus Software
29. Once the web shell is available on a _____, the attacker has potentially created a backdoor for
executing malicious code.
a) private URL
b) Public URL
c) URL
d) webpage URL

30. Acronym: AMIs
a) Amazon Machine Images
b) Android Machine Images
c) android Mechanical Images
d) Amazon Mechanical Images
Answers to 1-10
1. b. Injection attacks
2. c. comment
3. c. SQL injection
4. b. '
5. c. To securely replace input values.
6. c. They pose a significant risk as they can lead to unauthorized access and data manipulation.
7. b. Remote code execution
8. c. Read rows from the database
9. d. All of the above
10. c. Implement input validation and sanitization.

Answers to 11-20
11. B. Redundant security measures at every level of the stack
12. C. Restricting processes and applications to minimal necessary permissions
13. A. Presence of error messages
14. C. Command injection attacks
15. C. Replacing sensitive control characters with safe alternatives
16. B. Limiting web server privileges to required actions
17. D. Execution location of malicious code
18. A. Preventing code execution
19. C. Apply relevant configuration settings to disable code execution
20. C. Stay aware of security advisories and disable active code execution.
Answers to 21-30
1. A
2. B
3. C
4. A
5. D
6. C
7. D
8. B
9. B
10. A

Members:
Kyan G. Gonzales
Ric Darrel Pajarillaga
Erica M. Bote
Mary Jane Dela Cruz
Hennryx Samson
Ivan R. Bulacan
Mc Perez
Danica Amboy
Leonel Salvador