An application developer has coded a new application with a module to examine all user entries for the graphical user interface. The module verifies that user entries match the allowed types for each field and that OS and database commands are rejected before entries are sent for further processing within the application. These are examples of:
A. Input validation
B. SQL injection
C. Application whitelisting
D. Error handling
An application developer needs to allow employees to use their network credentials to access a new application being developed. Which of the following should be configured in the new application to enable this functionality?
A. LDAP
B. ACLs
C. SNMP
D. IPSec
Joe an application developer is building an external facing marketing site. There is an area on the page where clients may submit their feedback to articles that are posted. Joe filters client-side JAVA input. Which of the following is Joe attempting to prevent?
A. SQL injections
B. Watering holes
C. Cross site scripting
D. Pharming
A new client application developer wants to ensure that the encrypted passwords that are stored in their database are secure from cracking attempts. To implement this, the developer implements a function on the client application that hashes passwords thousands of times prior to being sent to the database. Which of the following did the developer MOST likely implement?
A. RIPEMD
B. PBKDF2
C. HMAC
D. ECDHE
Correct Answer: B
Section: Cryptography
Password-Based Key Derivation Function 2 (PBKDF2) applies a function (a hashing operation, an encryption cipher function, or an HMAC operation) to the input password, which is combined with a salt, and repeats that operation thousands of times.
A: RIPEMD is a hashing function, but it does not hash passwords thousands of times before sending them to the database.
C: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. It does not, however, hash passwords thousands of times before sending them to
D: ECDHE provides both CRC integrity checks and RCA encryption.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 249, 254, 260, 343
An application developer has tested some of the known exploits within a new application. Which of the following should the administrator utilize to test for unidentified faults or memory leaks?
A. XSRF Attacks
B. Fuzzing
C. Input Validations
D. SQL Injections
Correct Answer: B
Section: Application, Data and Host Security
Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
A: XSRF, or cross-site request forgery, applies to web applications and is an attack that exploits the web application's trust of a user who is known, or is supposed, to have been authenticated. This is often accomplished without the user's knowledge.
C: Input validation is a defensive technique intended to mitigate against possible user input attacks, such as buffer overflows and fuzzing. Input validation checks every user input
submitted to the application before processing that input. The check could be a length, a character type, a language type, or a domain.
D: SQL injection attacks use unexpected input to a web application to gain access to the database used by the web application. You can protect a web application against SQL injection by implementing input validation and by limiting the database privileges of the account used by the web server and the web application.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 195, 229, 230, 230-231
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 335, 340-341
Sara, an application developer, implemented error and exception handling alongside input validation. Which of the following does this help prevent?
A. Buffer overflow
B. Pop-up blockers
C. Cross-site scripting
D. Fuzzing
Correct Answer: A
Section: Application, Data and Host Security
A buffer overflow is an exploit of programming errors, bugs and flaws. It occurs when an application is fed more input data than it is programmed to handle. This may cause the application to terminate or to write data beyond the end of the allocated space in memory. The termination of the application may cause the system to send the data with temporary access to privileged levels in the system, while overwriting can cause important data to be lost. Proper error and exception handling and input validation will help prevent Buffer
B: Pop-up blockers prevent websites from opening new browser windows without the user's consent. Such windows are often used for advertisements but can also be used to distribute malicious code. This does not entail error and exception handling alongside input validation.
C: Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be
mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.
D: Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failed validation, or memory leaks.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 338, 218
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 192, 197, 229, 246