Академический Документы
Профессиональный Документы
Культура Документы
Use the "view source" function on the browser to see understand what is the prob
lem with the "theSecret" parameter
5.You are trying to audit a web application. However, whenever you enter a speci
al character, a JavaScript popup stops you from doing so. What tools can be used
to bypass this type of protection?
WebScarab
BurpSuit local proxy
TamperData Firefox add-on
Sub7
W3AF
Nessus
Acunetix
6. What is the best programming language for coding a remote access tool (trojan
-like tool) used in penetration tests?
Meterpreter
Python
CSharp
VB .Net
C / C++
Batch script
Perl
7. what is the most commonly used design pattern for web application development
?
Abstract factory
Singleton
MVC (Module / View / Controller)
Builder
9. Assuming we have a web based form. Certain validation takes place on the form
(such as checking for correct email address pattern, making sure integers are e
ntered in the age field ....etc). The client requested from you (as the develope
r) both server and client side validation. What are the difference between them?
JavaScript is used for client side validation while PHP is used for server side
Both client and server side validation can be programmed with JavaScript
Client side validation is coded with JavaScript while server side is coded throu
gh AJAX
JQuery is used for server side validation and AJAX is used for client side
HTML events are used for client side validation while JavaScript is used for ser
ver side validation
ASP .Net
PHP
C++
XML
JSP
ASP
ASPX
15. Given you have a PHP page (customers.php) where the code returned is below.
With any language or scripting language of your choice, code a tool (as in write
the code below) that submits a request to
http://website.com/customers.php
And when the below response is returned, the tool will take the email addresses
only and place them in an array
<HTML>
<body>
<br />
Name: John<br />
Telephone: 05473733<br />
Fax: 6574737<br />
Email: theemail1@domain.com<br/>
<br />
<br />
Name: Jack<br />
Telephone: 4728422<br />
Fax: 53453<br />
Email: theemail2@domain.com<br/>
<br />
<br />
Name: smith<br />
Telephone: 3433433<br />
Fax: 4324324<br />
Email: theemail3@domain.com<br/>
<br />
<br />
Name: Stacy<br />
Telephone: 34322532<br />
Fax: 42342<br />
Email: theemail4@domain.com<br/>
</body>
</HTML>
______________________________
16. Which programming languages are you most familiar with?
C
ASP .Net
CSharp
VB .Net
Java
PHP
HTML
JSP
C++
ASP
Python
Perl
SQL
Other (please specify) ______________________
18. Given the following statement and assuming no input filtering is taking plac
e on the application. How can an attacker subvert the output to returning always
true
select count(*) from usrs where usrn='$usr' and psw="$psd"
Given the following statement and assuming no input filtering is taking place on
the application. How can an attacker subvert the output to returning always tru
e select count(*) from usrs where usrn='$usr' and psw="$psd" $usr parameter sh
ould be set to ' true and $psd should be set to " true
$usr parameter should be set to ' or 'a'='a and $psd should be set to " or "a"="
a
$usr parameter should be set to ' or 'a'='a and $psd should be set to ' or 'a'='
a
$usr parameter should be set to blank and $psd should be blank
19. Why is error handling important in security?
Why is error handling important in security?
ion owner trace the cause of the error
Error handling hides sensitive data that can be leaked when an error is generate
d
SMB re