This chapter includes questions from the following topics:
• Identify features of common web server architecture
• Identify web application function and architecture points
• Describe web server and web application attacks
• Identify web server and application vulnerabilities
• Identify web application hacking tools
In the Spring of 1863, a mismatch was shaping up on the battlefield. General Robert E. Lee and Stonewall Jackson had amassed a sizeable Confederate force of around 60,000 men in and around Chancellorsville, Virginia, after the recent victory in Fredericksburg. Major General Joseph Hooker, however, commanded a Union army of around 130,000 men and was under direct orders from President Lincoln to annihilate the Confederate army. He thus decided upon a plan of action, well based in current military strategy, to apply his vastly superior forces and march against the enemy. By any measure, this was shaping up as an easy victory for the North.
General Lee, however, wasn’t well known for following strict rules of battle. While Hooker amassed forces for a front-on attack, Lee did something that, at the time, was considered either the dumbest move in history or brilliant strategy: He split his already outnumbered army into three groups. He left a paltry 10,000 men to meet the head-on charge, but sent the other 50,000 men in two groups to surround and flank the Union troops. Through a series of improbable victories on the Confederate side and utterly tentative and puzzling decision making by their Northern counterparts, the battle became a treatise on victory against all odds, and the power of mind and strategy on the battlefield.
And what is the relevance here for us, you may ask? By changing the focus of his attack, General Lee succeeded in pulling off one of the most unbelievable military victories in history. You can do the same in your pen testing by focusing your efforts on those areas the strong defenses of your target may overlook: their web applications and servers (yes, I know it’s corny, just go with it). Businesses and corporations are like that Union army, with so many defenses arrayed against you they seem impenetrable. But most of them can be outflanked, via their public-facing web fronts (which may or may not have proper security included) and their customized, internal web applications. This chapter is all about web servers and applications and how you can exploit them. After all, if the target is going to trust them, why not have a look?
STUDY TIPS Web server and web application attack questions are a little more focused, and difficult, in this version. I wish I could tell you memorization of terminology and key words would be enough to make it through them, but that’s simply not the case anymore. ECC wants to make sure you know web servers and applications pretty thoroughly, so they’ve upped the ante in question offerings. Some will be more in the form of a scenario where you may need to pull from multiple areas of study in order to derive the correct answer. A couple of very specific questions may even involve scripting and will appear really difficult; however, if you’ll simply remember protocols, ports, and basic networking, you can usually work your way through them.
Know your attacks well, including CSRF, CSPP, HTTP response splitting, and of course XSS, SQL injection, and URL tampering (among all the others). Be sure to spend some time in HTTP, and know it well. Another must-know for the exam is OWASP—know what it is, what it does, and its Top 10 lists well.
1. In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
2. OWASP, an international organization focused on improving the security of software, produced a “Top Ten Security Priorities” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection
C. SQL injection
D. Broken authentication
3. A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
4. Which of the following uses HTML entities properly to represent <script>?
A. &lt;script&gt;
B. &#40;script&#41;
C. &amp;script&amp;
D. &quot;script&quot;
5. An attacker tricks a user into visiting a malicious website via a phishing e-mail. The user clicks the e-mail link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
6. Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
7. A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
8. Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
9. The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
10. Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
11. You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
12. Which MSFconsole command allows you to connect to a host from within the console?
A. pivot
B. connect
C. get
D. route
13. Which character is your best option in testing for SQL injection vulnerability?
A. The @ symbol
B. A double dash
C. The + sign
D. A single quote
14. An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?
A. SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando';DROP TABLE Orders_Pend --
B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE --
C. DROP TABLE Orders_Pend WHERE 'Orlando = 1' --
D. WHERE Location_City = Orlando'1 = 1': DROP_TABLE --
15. Efforts to gain information from a target website have produced the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e08'
[Microsoft][ODBC SQL Server Driver]
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.
16. An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window:
Which of the following is most likely the attack being attempted?
A. SQL injection
B. LDAP injection
C. URL tampering
D. DHCP amplification
17. Which of the following is a standard method for web servers to pass a user’s request to an application and receive data back to forward to the user?
A. SSI
B. SSL
C. CGI
D. CSI
18. An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?
A. Blind SQL injection
B. SQL denial of service
C. SQL code manipulation
D. SQL replay
19. A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?
A. ;
B. :
C. '
E. --
F. ~
20. An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?
A. Shell injection
B. File injection
C. SQL injection
D. URL injection
21. An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie’s contents. How is this possible?
A. A cookie can be replayed at any time, no matter the circumstances.
B. Encryption was accomplished at the application layer, using a single key.
C. Authentication was accomplished using XML.
D. Encryption was accomplished at the network layer.
22. HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?
A. HEAD
B. PUT
C. GET
D. POST
23. An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2 . He next enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=1
The web page loads normally. He then enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=2
A generic page noting “An error has occurred” appears.
Which of the following is a correct statement concerning these actions?
A. The site is vulnerable to cross-site scripting.
B. The site is vulnerable to blind SQL injection.
C. The site is vulnerable to buffer overflows.
D. The site is not vulnerable to SQL injection.
24. Which of the following is not true regarding WebGoat?
A. WebGoat is maintained and made available by OWASP.
B. WebGoat can be installed on Windows systems only.
C. WebGoat is based on a black-box testing mentality.
D. WebGoat can use Java or .NET.
25. An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:
Nice post and a fun read
<script>onload=window.location='http://www.badsite.com'
What is the attacker attempting to perform?
A. A SQL injection attack against the blog’s underlying database
B. A cross-site scripting attack
C. A buffer overflow DoS attack
D. A file injection DoS attack
26. Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?
A. SSH brute force
B. CSRF
C. Form field entry manipulation
D. Through web servers utilizing CGI (Common Gateway Interface)
27. You are examining website files and find the following text file:
Which of the following is a true statement concerning this file?
A. All web crawlers are prevented from indexing the listing.html page.
B. All web crawlers are prevented from indexing all pages on the site.
C. The Googlebot crawler is allowed to index pages starting with /tmp/.
D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.
1. A
2. B
3. D
4. A
5. C
6. D
7. A
8. C
9. B
10. C
11. B
12. B
13. D
14. A
15. C
16. B
17. C
18. A
19. A
20. A
21. B
22. C
23. B
24. B
25. B
26. D
27. D
1. In nmap, the http-methods script can be used to test for potentially risky HTTP options supported by a target. Which of the following methods would be considered risky per the script?
A. CONNECT
B. GET
C. POST
D. HEAD
A. The http-methods script usage syntax is nmap --script http-methods <target>, where <target> is the IP of the system you’re after. From nmap’s support pages (https://nmap.org/nsedoc/scripts/http-methods.html), this script “finds out what options are supported by an HTTP server by sending an OPTIONS request and lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method. In this script, ‘potentially risky‘ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.” You can also use additional parameters, such as url-path, to further hone your results. For example, output from the preceding syntax showing PUT as a risky method might look like this:
Quite obviously, there is a lot of information tested in this one question—and many, many ways you might see it on the exam. The HTTP options themselves will show up somewhere, so knowing the difference, for example, between HTTP POST (submits data to be processed, normally allowable) and HTTP PUT (allows a client to upload new files on the web server, normally shouldn’t be allowed) will become very important to your success. From OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29 ), the following options are important to know:
• PUT This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (for example, an .asp file that executes commands by invoking cmd.exe) or by simply using the victim’s server as a file repository.
• DELETE This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to mount a DoS attack.
• CONNECT This method could allow a client to use the web server as a proxy.
• TRACE This method simply echoes back to the client whatever string has been sent to the server, and it’s used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as cross-site tracing.
B, C, and D are incorrect because these are not considered “risky” options.
2. OWASP, an international organization focused on improving the security of software, produced a “Top Ten Security Priorities” for web applications. Which item is the primary concern on the list?
A. XSS
B. Injection
C. SQL injection
D. Broken authentication
B. I know you’re thinking there is no way something this specific and picky will be on the exam, but I promise you will see something like this on your exam (not verbatim of course, but you get my drift). OWASP’s Top 10 Security Priorities was released in 2013, and ECC loves it. If nothing else, memorize the top five items on the list:
• Number 1: Injection OWASP lumps several attacks into this one (SQL injections, OS injections, LDAP injections, and so on).
• Number 2: Broken Authentication and Session Management This one deals with problems in authentication and session management (allowing attackers to compromise passwords, encryption keys, session tokens, and so on).
• Number 3: XSS Cross-site scripting (XSS) happens when an attacker injects code (a script) into the web page of a legitimate company or user—usually into input fields on a web form.
• Number 4: Insecure Direct Object References This occurs when an application references an internal object without appropriate access controls.
• Number 5: Security Misconfiguration This one is all about insecure default settings in applications and systems.
A is incorrect because XSS is number 3 on the list.
C is incorrect because SQL injection falls into the Injection topic: on its own, it’s not listed as a separate topic. Yes, technically you can argue this topic with me, and you can be as outraged as you wish, but you need to know it is not a topic on its own per the Top 10 list.
D is incorrect because Broken Authentication and Session Management is number 2 on the list.
3. A web application developer wishes to test a new application for security flaws. Which of the following is a method of testing input variations by using randomly generated invalid input in an attempt to crash the program?
A. Insploit
B. Finglonger
C. Metasplation
D. Fuzzing
D. Even if you didn’t know what “fuzzing” meant, you probably could’ve whittled this down by eliminating the known wrong answers. Per OWASP (https://www.owasp.org/index.php/Fuzzing), “Fuzz testing or fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” In other words, fuzzing sends tons of weird inputs into fields to see what the application will do.
As an aside, you would find fuzzing in the Verification phase of Microsoft’s Security Development Lifecycle (SDL). The entire SDL consists of Training, Requirements, Design, Implementation, Verification, Release, and Response.
A, B, and C are incorrect because none of these are legitimate terms as far as testing is concerned. Insploit and Metasplation are not real terms. Finglonger isn’t either, but it did make an appearance in a fantastic episode of Futurama.
4. Which of the following uses HTML entities properly to represent <script>?
A. &lt;script&gt;
B. &#40;script&#41;
C. &amp;script&amp;
D. &quot;script&quot;
A. Cross-site scripting generally relies on web pages not properly validating user input, and HTML entities can be used to take the place of certain characters. In this case, the less-than sign (<) and the greater-than sign (>) surround the word script. The appropriate HTML entity for each is &lt; and &gt; (the lt and gt should give that one away).
B is incorrect because &#40; and &#41; stand for the open and close parentheses, respectively. For example, &#40;hello&#41; would read (hello) using HTML entities.
C is incorrect because &amp; stands for the ampersand character (&).
D is incorrect because &quot; stands for the quote character (").
5. An attacker tricks a user into visiting a malicious website via a phishing email. The user clicks the email link and visits the malicious website while maintaining an active, authenticated session with his bank. The attacker, through the malicious website, then instructs the user’s web browser to send requests to the bank website. Which of the following best describes this attack?
A. CSPP
B. XSS
C. CSRF
D. Hidden form field
C. There are few truisms in life, but here’s one: you will definitely be asked about CSRF on your exam. Cross-site request forgery (CSRF) attacks are exactly what’s being described here—an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser. Usually this involves phishing, or maybe an advertisement, but the principle is always the same. CSRF attacks can be prevented by configuring random challenge tokens, which allow the server to verify user requests.
As an aside, a similar attack is known as session fixation. The attacker logs in to a legitimate site, pulls a session ID, and then sends an e-mail with a link containing the fixed session ID. When the user clicks it and logs in to the same legitimate site, the hacker now logs in and runs with the user’s credentials.
A is incorrect because this does not describe a CSPP attack. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.
B is incorrect because this does not describe a cross-site scripting attack. An XSS attack attempts to interject a script into input fields.
D is incorrect because a hidden form field attack occurs when an attacker manipulates the values of a hidden form field and resubmits to the server.
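The challenge-token defense named in the explanation for question 5, as an added example that is not from the book: the server binds a random token to the authenticated session and embeds it in its own forms; a request driven from the attacker's page carries the victim's cookie but not the token, so it is rejected. The in-memory SESSIONS store, the user name and the /transfer form are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session data); a real
# application would use its server-side session backend instead.
SESSIONS = {}


def create_session():
    """Start an authenticated session and attach a random challenge token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate site embeds the session's token in the form it serves.
    A page on another origin cannot read this value (same-origin policy)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="amount">\n'
        '</form>'
    )


def handle_transfer(cookie_sid, form):
    """Server-side check: the submitted token must match the one bound to the
    session identified by the cookie. Returns (accepted, reason)."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return False, "no session"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # constant-time comparison so the check does not leak token bytes via timing
    if not hmac.compare_digest(submitted, expected):
        return False, "csrf token missing or invalid"
    return True, f"transfer of {form.get('amount')} accepted for {session['user']}"


def forged_request(cookie_sid):
    """Question 5 scenario: the victim's browser, lured to a malicious page,
    submits a request to the bank. The browser attaches the session cookie,
    but the attacker's page never saw the token, so the form lacks it."""
    return handle_transfer(cookie_sid, {"amount": "1000", "to": "attacker"})


def legitimate_request(cookie_sid):
    """A request from the bank's own form carries the token and is accepted."""
    token = SESSIONS[cookie_sid]["csrf_token"]
    return handle_transfer(cookie_sid, {"amount": "20", "csrf_token": token})
```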
6. Which of the following is used by SOAP services to format information?
A. Unicode
B. HTML entities
C. NTFS
D. XML
D. Simple Object Access Protocol (SOAP) is a protocol designed for exchanging structured information within web services across multiple variant systems. In other words, it’s a way for a program running in one kind of operating system (let’s say Windows Server 2008) to communicate with a program on another (such as Linux). It uses HTTP and XML to exchange information and specifies how to encode HTTP headers and XML files so that applications can talk to each other. One great advantage to this is also a great detriment, security-wise: because HTTP is generally allowed through most firewalls, applications using SOAP can generally communicate at will throughout networks.
SOAP injection attacks allow you to inject malicious query strings (much like SQL injection, as a matter of fact) that might give you the means to bypass authentication and access databases behind the scenes. SOAP is compatible with HTTP and SMTP, and messages are typically one-way in nature.
A is incorrect because Unicode is not used by SOAP in this manner. It’s a standard for representing text in computing.
B is incorrect because HTML entities are not used by SOAP in this manner. They’re used to represent characters in HTML code.
C is incorrect because NTFS is a file system and has nothing to do with SOAP.
7. A web application developer is discussing security flaws discovered in a new application prior to production release. He suggests to the team that they modify the software to ensure users are not allowed to enter HTML as input into the application. Which of the following is most likely the vulnerability the developer is attempting to mitigate against?
A. Cross-site scripting
B. Cross-site request forgery
C. Connection string parameter pollution
D. Phishing
A. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The basics of this attack revolve around website (or web application on that site) design, dynamic content, and unvalidated input data. Usually when a web form pops up, the user inputs something, and then some script dynamically changes the appearance or behavior of the website based on what has been entered. XSS occurs when the bad guys take advantage of that scripting (Java, for instance) and have it perform something other than the intended response. For example, suppose instead of entering what you’re supposed to enter in a form field, you enter an actual script. The server then does what it’s supposed to—it processes the code sent from an authorized user. The best defense against this is proper design and good input validation before the app ever sees production in the first place.
B is incorrect because the fix actions being suggested would not necessarily affect CSRF attacks. In CSRF, an attacker takes advantage of an open, active, authenticated session between the victim and a trusted site, sending message requests to the trusted site as if they are from the victim’s own browser.
C is incorrect because the fix actions being suggested would not necessarily affect CSPP attacks. A connection string parameter pollution attack exploits web applications that use semicolons to separate parameters during communications.
D is incorrect because the fix action being recommended would not necessarily affect any social engineering effort.
8. Which of the following is a common SOA vulnerability?
A. SQL injection
B. XSS
C. XML denial of service
D. CGI manipulation
C. Service-oriented architecture (SOA) is a software design idea based on specific pieces of software providing functionality as services between applications. The idea is to define how two applications can interact so that one can perform a piece of work for the other (better said, on behalf of the other). Each interaction is independent of any other and is self-contained. SOA programmers make extensive use of XML to carry all this out, and that leaves it vulnerable to crafty XML tampering. If an attacker can somehow pass an XML message with a large payload, or any of a number of other kinds of bad content, they can DoS an SOA application. This isn’t to imply it’s the only DoS available, or that SOA is uniquely vulnerable (for instance, that it’s the only thing a specifically crafted XML attack can affect). It’s just a question, so don’t read too much into it.
A, B, and D are incorrect because these attacks don’t necessarily apply here with SOA in this context.
9. The source code of software used by your client seems to have a large number of gets() alongside sparsely used fgets(). What kind of attack is this software potentially susceptible to?
A. SQL injection
B. Buffer overflow
C. Parameter tampering
D. Cookie manipulation
B. A buffer overflow is an attempt to write more data into an application’s prebuilt buffer area in order to overwrite adjacent memory, execute code, or crash a system (application). By inputting more data than the buffer is allocated to hold, you may be able to crash the application or machine or alter the application’s data pointers. gets() is a common source of buffer overflow vulnerabilities because it reads a line from standard input into a buffer until a terminating newline or EOF is found. It performs no check for buffer overrun and has largely been replaced by fgets().
A is incorrect because SQL injection has nothing to do with this scenario. No evidence is presented that this software even interacts with a database.
C is incorrect because parameter tampering deals with manipulating a URL.
D is incorrect because cookie manipulation has nothing to do with this software. A cookie is a small file used to provide a more consistent web experience for a web visitor. Because it holds all sorts of information, though, it can be manipulated for nefarious purposes (using the Firefox add-on Cookie Editor, for instance).
10. Which of the following would be the best choice in the prevention of XSS?
A. Challenge tokens
B. Memory use controls
C. HttpOnly flag in cookies
D. Removing hidden form fields
C. In addition to input validation controls (always good for bunches of vulnerability mitigations), setting the HttpOnly flag in cookies can be used in mitigation against some XSS attacks. Cross-site scripting occurs when an attacker interjects code into a web page form field that does not have appropriate input validation configured. The HttpOnly cookie flag can stop any injected code from being accessible by a client-side script.
Per OWASP, if the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script. As a result, even if a cross-site scripting flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
A is incorrect because challenge tokens are used in mitigation of CSRF.
B is incorrect because memory use control configurations wouldn’t necessarily affect XSS vulnerabilities at all.
D is incorrect because removing hidden form fields would not necessarily do anything to mitigate XSS.
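Questions 4, 7 and 10 together describe the XSS defenses: entity-encode untrusted input on output, and mark the session cookie HttpOnly so injected script cannot read it. The following is an added example, not code from the book; the comment-rendering page and the SESSIONID cookie name are constructed, and the comment text is the payload from question 25.

```python
import re
from http.cookies import SimpleCookie

# The entity table from question 4, extended with the other characters that
# let input escape a text context. '&' is listed first so the entities we
# produce are not themselves re-encoded.
ENTITIES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
            ('"', "&quot;"), ("'", "&#39;"), ("(", "&#40;"), (")", "&#41;")]

# Constructed sample: the blog comment from question 25.
PAYLOAD = ("Nice post and a fun read\n"
           "<script>onload=window.location='http://www.badsite.com'")

WRAPPER_OPEN = '<div class="comment">'
WRAPPER_CLOSE = "</div>"

# a '<' followed by a letter is what the browser treats as a tag opener
TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def html_encode(text):
    """Output-encode untrusted text so the browser renders it as data, not markup."""
    for ch, entity in ENTITIES:
        text = text.replace(ch, entity)
    return text


def render_comment_unsafe(comment):
    """The flaw from question 7: user input dropped straight into the page."""
    return f"{WRAPPER_OPEN}{comment}{WRAPPER_CLOSE}"


def render_comment_safe(comment):
    """Same page, but the comment is entity-encoded before it reaches the HTML."""
    return f"{WRAPPER_OPEN}{html_encode(comment)}{WRAPPER_CLOSE}"


def rendered_is_inert(rendered):
    """Check the user-supplied part of a rendered comment for tag openers."""
    inner = rendered[len(WRAPPER_OPEN):len(rendered) - len(WRAPPER_CLOSE)]
    return TAG_RE.search(inner) is None


def session_cookie_header(session_id):
    """Question 10: HttpOnly keeps document.cookie from exposing the session id
    to any script that does get injected; Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```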
11. You are examining log files and come across this URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63%2f%70%61%73%73%77%64
Which of the following best describes this potential attack?
A. This is not an attack but a return of SSL handshakes.
B. An attacker appears to be using Unicode.
C. This appears to be a buffer overflow attempt.
D. This appears to be an XSS attempt.
B. Unicode is just another way to represent text, so why not use it to try to get past an IDS? Of course, in the real world every IDS would probably be looking for weird Unicode requests anyway (it isn’t ciphered or encrypted and really does nothing more than provide a cursory obfuscation), but let’s just stick with EC-Council and the CEH exam here for now. This request appears to be attempting a grab of some passwords:
A, C, and D are all incorrect because this URL does not necessarily indicate any of these attacks and is quite clearly a Unicode attempt.
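What a log reviewer does with the URL in question 11, as an added example that is not from the book: percent-decode the query (repeatedly, since double encoding is a common evasion) and flag the traits that make it suspicious. The URL is the one from the question; the watch list of sensitive paths and the benign comparison URL are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# The URL from question 11, wrapped as a constructed sample log entry.
SAMPLE_URL = ("http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%2e%2f"
              "%65%74%63%2f%70%61%73%73%77%64")

# Constructed watch list of files a traversal attempt typically reaches for.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "boot.ini", "win.ini")

# %41-%5A and %61-%7A are the ASCII letters; a client has no reason to encode
# those, so their presence is a strong sign of deliberate obfuscation.
ENCODED_LETTER_RE = re.compile(r"%(?:4[1-9a-fA-F]|5[0-9aA]|6[1-9a-fA-F]|7[0-9aA])")


def normalize(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded). Returns the
    decoded value and the number of decoding rounds that changed it."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_url(url):
    """Inspect one logged URL: return the decoded query and a list of findings."""
    raw_query = urlsplit(url).query
    decoded, rounds = normalize(raw_query)
    findings = []
    if ENCODED_LETTER_RE.search(raw_query):
        findings.append("plain letters percent-encoded (obfuscation)")
    if rounds > 1:
        findings.append("multiple layers of percent-encoding")
    if "../" in decoded or "..\\" in decoded:
        findings.append("directory traversal sequence")
    for path in SENSITIVE_PATHS:
        if path in decoded:
            findings.append("references " + path)
    return {"decoded_query": decoded, "rounds": rounds, "findings": findings}
```

IIS-style %uXXXX sequences are not handled by unquote() and would need a separate decoding step before the same checks.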
12. Which MSFconsole command allows you to connect to a host from within the console?
A. pivot
B. connect
C. get
D. route
B. Questions on Metasploit can be very generalized, or—like this question—pretty darn specific. MSFconsole, opened with the msfconsole command, is a common method of interfacing with Metasploit. As put by Offensive Security, it provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF, and is the only supported way to access most of the features within Metasploit. Commands used in the interface are listed and discussed pretty well on Offensive Security’s site (https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/). The connect command acts like a miniature netcat clone, supporting SSL, proxies, pivoting, and file sends. By issuing the connect command with an IP address and port number, you can connect to a remote host from within MSFconsole the same as you would with netcat or telnet.
In addition to MSFconsole, you should also know Metasploit architecture holds five modules: Exploits, Payloads, Encoders, NOPS, and Auxiliary. Exploits is the basic module, used to encapsulate (and configure behaviors for) an exploit. Payloads establishes a communication channel between Metasploit and the target. Auxiliary is used to run things like port scanning and fuzzing.
A is incorrect because there is no pivot command in MSFconsole. Pivoting does refer to connecting to other machines from a compromised system, but is not accomplished with a pivot command.
C is incorrect because the get command gets the value of a context-specific variable.
D is incorrect because the route command is used to route traffic through a session (and is generally seen, question-wise, in regard to pivoting).
13. Which character is your best option in testing for SQL injection vulnerability?
A. The @ symbol
B. A double dash
C. The + sign
D. A single quote
D. SQL injection is all about entering queries and commands into a form field (or URL) to elicit a response, gain information, or manipulate data. On a web page, many times entries into a form field are inserted into a SQL command. When you enter your username and information into the fields and click the button, the SQL command in the background might read something like this:
SELECT OrderID, FirstName, Lastname FROM Orders
In SQL, a single quote is used to indicate an upcoming character string. Once SQL sees that open quote, it starts parsing everything behind it as string input. If there’s no close quote, an error occurs because SQL doesn’t know what to do with it. If the web page is configured poorly, that error will return to you and let you know it’s time to start injecting SQL commands.
A, B, and C are incorrect characters to use as part of a SQL injection test. The @ symbol is used to designate a variable in SQL (you’ll need to define the variable, of course). The + sign is used to combine strings (as in Matt+Walker). A double dash indicates an upcoming comment in the line.
14. An angry former employee of the organization discovers a web form vulnerable to SQL injection. Using the injection string SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando', he is able to see all pending orders from Orlando. If he wanted to delete the Orders_Pend table altogether, which SQL injection string should be used?
A. SELECT * FROM Orders_Pend WHERE Location_City = 'Orlando';DROP TABLE Orders_Pend; --
B. SELECT * FROM Orders_Pend WHERE 'Orlando';DROP_TABLE; --
C. DROP TABLE Orders_Pend WHERE ' Orlando = 1'; --
D. WHERE Location_City = Orlando'1 = 1': DROP_TABLE; --
A. SQL queries usually read pretty straightforward, although they can get complicated pretty quickly. In this case you’re telling the database, “Can you check the table Orders_Pend and see whether there’s a city called Orlando? Oh, by the way, since you’re executing any command I send anyway, just go ahead and drop the table called Orders_Pend while you’re at it.” The only thing missing from SQL queries is a thank-you at the end.
B , C , and D are incorrect because these are not proper syntax.
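The two query-building patterns behind questions 13 and 14, as an added example that is not part of the book: a constructed in-memory SQLite table named Orders_Pend, one lookup that concatenates the form value into the SQL text (it leaks a parse error on a stray quote and runs the question’s stacked DROP TABLE), and one that binds the value as a parameter so the same input is just a city name that matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database: a pending-orders table like the one in question 14."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE Orders_Pend (OrderID INTEGER, Location_City TEXT);"
        "INSERT INTO Orders_Pend VALUES (1, 'Orlando'), (2, 'Tampa');"
    )
    return con


def table_exists(con, name="Orders_Pend"):
    """True if the named table is still in the schema catalog."""
    row = con.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_unsafe(con, city):
    """Vulnerable pattern: the form value is pasted into the SQL text, so a quote
    ends the string literal and a semicolon starts a second statement.
    executescript() runs every statement it is handed, standing in for a driver
    that permits stacked queries. Returns 'ok' or the database's error text."""
    sql = f"SELECT OrderID FROM Orders_Pend WHERE Location_City = '{city}';"
    try:
        con.executescript(sql)
        return "ok"
    except sqlite3.Error as exc:
        # An unbalanced quote lands here; echoing this text to the browser is the
        # verbose error message the explanation warns about.
        return f"error: {exc}"


def lookup_safe(con, city):
    """Hardened pattern: the value is bound as a parameter, so whatever it contains
    is compared as a plain string. Returns the matching OrderIDs."""
    rows = con.execute(
        "SELECT OrderID FROM Orders_Pend WHERE Location_City = ?", (city,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = make_db()
    payload = "Orlando';DROP TABLE Orders_Pend; --"  # the value behind the question's string
    print(lookup_safe(con, payload), table_exists(con))    # [] True
    print(lookup_unsafe(con, "O'Brien"))                   # error: ... (stray quote)
    print(lookup_unsafe(con, payload), table_exists(con))  # ok False
```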
15. Efforts to gain information from a target website have produced the following error message:
Which of the following best describes the error message?
A. The site may be vulnerable to XSS.
B. The site may be vulnerable to buffer overflow.
C. The site may be vulnerable to SQL injection.
D. The site may be vulnerable to a malware injection.
C . Once again, you will get a few “gimme” questions on the exam. The error message clearly displays a SQL error, telling us there’s an underlying SQL database to contend with and it’s most likely not configured correctly (or we wouldn’t be getting an error message like this—through a web interface and telling us exactly what’s there—in the first place).
A , B , and D are all incorrect for the same reason: the error message simply doesn’t provide enough information to make those leaps. There is nothing here indicating cross-site scripting or buffer overflow on either side of the ledger. Although it’s true the error may hint at which kinds of malware would increase your odds of success, there’s nothing there to indicate, by itself, that the site is vulnerable to malware injection.
16. An attacker discovers a legitimate username (user1) and enters the following into a web form authentication window:
Which of the following is most likely the attack being attempted?
A. SQL injection
B. LDAP injection
C. URL tampering
D. DHCP amplification
B . LDAP injection works a lot like SQL injection—you enter code that is passed by the application to something behind it for processing. With LDAP injection, if the input is not validated, you can enter direct LDAP queries into the form and watch for results. In this case, the attacker logs in without any password. The actual LDAP query from a legitimate login would have appeared like this: (&(user=user1)(password=meh)). The addition of the )(&) characters turns the expression to this: (&(user=user1)(&))(password=meh)), which processes only the username portion of the query. And since that’s always true, voilà—the attacker is in.
LDAP injection questions may also center on the Boolean operators used in syntax. The operators to remember are summarized in the following table:
A is incorrect because this does not indicate a SQL injection attack. SQL injection attempts make use of the open quote and SQL statements: for example, test') ;DROP TABLE Users;--.
C is incorrect because this does not show a URL tampering attack.
D is incorrect because this does not show a DHCP amplification attack.
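The filter from the explanation, built both ways, as an added example that is not part of the book: without escaping, the username user1)(&) produces exactly the string (&(user=user1)(&))(password=meh)), and a small depth counter shows where the filter really ends and what the server never looks at; with RFC 4515 escaping of the filter metacharacters, the same input stays a single literal value.

```python
# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so user input is only ever compared as text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(user, password, escape=True):
    """Build the login filter from the explanation. escape=False reproduces the
    vulnerable concatenation so the two results can be compared side by side."""
    if escape:
        user, password = escape_filter_value(user), escape_filter_value(password)
    return f"(&(user={user})(password={password}))"


def split_filter(flt):
    """Return (the first complete parenthesised filter, whatever trails it).
    Anything in the second element is text the directory server will not
    evaluate as part of the login condition."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return flt[: i + 1], flt[i + 1:]
    return flt, ""


if __name__ == "__main__":
    # Constructed sample inputs: the username from question 16 with ")(&)" appended.
    raw = build_login_filter("user1)(&)", "meh", escape=False)
    safe = build_login_filter("user1)(&)", "meh")
    print(raw, split_filter(raw))    # the password subfilter is left dangling
    print(safe, split_filter(safe))  # one filter, nothing left over
```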
17. Which of the following is a standard method for web servers to pass a user’s request to an application and receive data back to forward to the user?
A. SSI
B. SSL
C. CGI
D. CSI
C . Common Gateway Interface (CGI) is a standardized method for transferring information between a web server and an executable (a CGI script is designed to perform some task with the data). CGI is considered a server-side solution because processing is done on the web server and not the client. Because CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and because they are almost always wrapped so that a script will execute as the owner of the script, they can be extremely dangerous if not carefully checked. Additionally, all CGI scripts on the server will run as the same user, so they have the potential to conflict (accidentally or deliberately) with other scripts (an attacker could, for example, write a CGI script to destroy all other CGI databases).
A is incorrect because server-side includes (SSIs) are directives placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program or other dynamic technology.
B and D are incorrect because both are included as distractors. By now you’re certainly familiar with Secure Sockets Layer (SSL) and its value as an encryption method. CSI? Well, that’s just good television. Or it used to be, anyway.
18. An attacker performs a SQL injection attack but receives nothing in return. She then proceeds to send multiple SQL queries, soliciting TRUE or FALSE responses. Which attack is being carried out?
A. Blind SQL injection
B. SQL denial of service
C. SQL code manipulation
D. SQL replay
A . Blind SQL injection is really kinda neat, even if you’re not a nerd. Sometimes a security admin does just enough to frustrate efforts, and you don’t receive the error messages or returned information you originally counted on. So, to pull out the info you want, you start asking it (the SQL database) a lot of true or false questions. For example, you could ask the database, “True or false—you have a table called USERS?” If you get a TRUE, then you know the table name and can start asking questions about it. For example, “Hey, database, got an entry in your USERS table named admin?” (SELECT * from USERS where name='admin' and 1=1;#';). Blind SQL is a long, laborious effort, but it can be done.
B , C , and D are all incorrect because, so far as I know, none of them is a recognized attack by EC-Council. I’m sure you can find ways to perform a DoS on a SQL database, and we’re manipulating SQL all over the place in these injection attacks, but these terms just aren’t recognized on your exam and are here solely as distractors.
19. A tester is attempting a CSPP attack. Which of the following is she most likely to use in conjunction with the attack?
A. ;
B. :
C. ‘
D. “
E. --
F. ~
A . CSPP (connection string parameter attack) is another form of an injection attack. In many web applications, communications with back-end databases make use of the semicolon to separate parameter requests. Much as with URL tampering, in CSPP you just change the communication string and see what happens: add a semicolon, type in your request, and watch to see if it was successful.
B, C, D, E, and F are incorrect because these characters do not correspond to a CSPP attack. The single quote is most often tied to a SQL injection attempt. The other characters may show up in scripts, strings, and whatnot, but don’t let them fool you—they’re simply distractors.
20. An attacker is attempting to elevate privileges on a machine by using Java or other functions, through nonvalidated input, to cause the server to execute a malicious piece of code and provide command-line access. Which of the following best describes this action?
A. Shell injection
B. File injection
C. SQL injection
D. URL injection
A . When it comes to web application attacks, there are many vectors and avenues to take. One of the more common is injecting something into an input string to exploit poor code. EC-Council defines these attacks in many ways. Also known as command injection, shell injection is defined as an attempt to gain shell access using Java or other functions. In short, the attacker will pass commands through a form input (or other avenue) in order to elevate privileges and open a shell for further naughtiness. It occurs when commands are entered into form fields instead of the expected entry.
B is incorrect because the EC-Council defines a file injection attack as one where the attacker injects a pointer in the web form input to an exploit hosted on a remote site. Sure, this may accomplish the same thing, but it’s not the best choice in this case.
C is incorrect because SQL injection attacks involve using SQL queries and commands to elicit a response or action.
D is incorrect because URL injection is not an attack type and is included here as a distractor.
21. An attacker is successful in using a cookie, stolen during an XSS attack, during an invalid session on the server by forcing a web application to act on the cookie’s contents. How is this possible?
A. A cookie can be replayed at any time, no matter the circumstances.
B. Encryption was accomplished using a single key.
C. Authentication was accomplished using XML.
D. Encryption was accomplished at the network layer.
B . Cookies can be used for all sorts of things. If you can grab all user cookies, you can see what they visited and sometimes even how long they’ve been there. Cookies can also hold passwords—and because most people use the same password on multiple sites, this can be a gold mine for the attacker. In this scenario, the cookie is being replayed by an attacker to gain access to goodies. If a single key is used in encryption, a replay attack is possible, because cookie authentication is carried out at the application layer. It is for this reason some organizations require browsers to automatically delete cookies on termination.
A is incorrect because a replay attack of anything—cookie, stolen authentication stream, and so on—can’t necessarily be carried out at any time. Replay attacks require planning and proper setup.
C is incorrect because XML has nothing to do with this.
D is incorrect because encryption is not carried out at the network layer here.
22. HTML forms include several methods for transferring data back and forth. Inside a form, which of the following encodes the input into the Uniform Resource Identifier (URI)?
A. HEAD
B. PUT
C. GET
D. POST
C . An HTTP GET is a method for returning data from a form that “encodes” the form data to the end of the URI (a character string that identifies a resource on the Web, such as a page of text, a video clip, an image, or an application). For example, if you were to enter a credit card number in a form using GET, the resulting URL might look something like https://somesite.com/creditcard.asp?c#=4013229567852219, where the long number is obviously a credit card number just sitting there waiting for anyone to use.
Generally speaking, a POST is “more secure” than a GET, although they both have their uses. If you’re wondering when a GET should be used as opposed to a POST, the answer has to do with a vocabulary lesson: defining the term idempotent. Thrown about with HTTP GET, idempotent is a mathematical concept about an operation property: if the operation can be performed without changing results, even if it is run multiple times, it’s considered idempotent. Therefore, if the input return is assured of having no lasting effect on the state of the form in total, then using a GET is perfectly reasonable. Also, a GET can usually transfer only up to 8KB, whereas a POST can usually handle up to 2GB. However, keep in mind a GET may wind up including sensitive information in that URI. Suppose your form returns a credit card number and a bad guy is logging URIs: if HTTP GET is in place, the attacker may be able to derive the information. In short, users can manipulate both GET and POST, but GET is simply more visible because of its reliance on something that browsers render to the screen in an editable field. A POST is meant for pushing data directly, and a GET is used when the server is expected to pull something from the data submitted in the URL.
A is incorrect because although HEAD and GET are similar, HEAD is not used in forms. It’s usually used to pull header information from a web server (for example, banner grabbing) and to test links.
B is incorrect because HTTP PUT is not used in forms. It’s used to transfer files to a web server.
D is incorrect because POST does not include the form data in the URI request. According to the World Wide Web Consortium (http://www.w3.org/), HTML specifications define the difference between GET and POST so that GET means that form data will be encoded by a browser into a URL, whereas POST means the form data is to appear within the message body. In short, a GET can be used for basic, simple retrieval of data, and a POST should be used for most everything else (such as sending an e-mail, updating data on a database, and ordering an item).
23. An attacker is looking at a target website and is viewing an account from the store on URL http://www.anybiz.com/store.php?id=2 . He next enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=1
The web page loads normally. He then enters the following URL:
http://www.anybiz.com/store.php?id=2 and 1=2
A generic page noting “An error has occurred” appears.
Which of the following is a correct statement concerning these actions?
A. The site is vulnerable to cross-site scripting.
B. The site is vulnerable to blind SQL injection.
C. The site is vulnerable to buffer overflows.
D. The site is not vulnerable to SQL injection.
B . The URLs shown here are attempting to pass a SQL query through to see what may be going on in the background. Notice the first URL entered added and 1=1. Because this was a true statement, the page loaded without problem. However, changing that to a false statement—and 1=2—caused the database to return an error. This would now be considered “blind” SQL injection because the actual error was not returned to the attacker (instead, he got a generic page most likely configured by the database administrator). As an aside, sometimes the attacker won’t receive the error message or error page at all, but the site will be displayed differently—images out of place, text messed up, and so on—which also indicates blind SQL may be in order.
A and C are incorrect because neither this attack nor the results have anything to do with cross-site scripting or buffer overflows.
D is incorrect because the results indicate SQL injection is possible. Granted, it will take longer, because the attacker can’t see error messaging, and will require lots of guesswork and trial and error, but it is susceptible.
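From the defender’s side, the two probes in question 23 leave a recognisable pair in the access log. This added example (not part of the book) runs detection logic over constructed common-log-format lines: it decodes each query parameter, classifies an appended and 1=1 / and 1=2 style clause as a true or false probe, and reports a client that sent both against the same path and parameter, noting whether the response sizes differed (the page-versus-error difference the attacker was looking for).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines mirroring the URLs in question 23.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /store.php?id=2 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /store.php?id=2%20and%201%3D1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /store.php?id=2%20and%201%3D2 HTTP/1.1" 200 312
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /store.php?id=7 HTTP/1.1" 200 5080
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)
# A boolean clause tacked onto a parameter value: "and 1=1", "or 2=3", ...
PROBE_RE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)\b", re.IGNORECASE)


def classify_probe(value):
    """Return 'true', 'false', or None for a decoded parameter value."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    return "true" if m.group(2) == m.group(3) else "false"


def find_blind_sqli_probes(log_text):
    """Group probes by (client, path, parameter); report every group that saw
    both a true and a false probe, which is the signature of boolean-based
    blind injection testing rather than a one-off malformed request."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("url"))
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            kind = classify_probe(unquote_plus(raw))
            if kind:
                seen[(m.group("ip"), parts.path, name)][kind] = int(m.group("size"))
    findings = []
    for (ip, path, param), probes in seen.items():
        if "true" in probes and "false" in probes:
            findings.append({
                "client": ip,
                "path": path,
                "param": param,
                "response_sizes_differ": probes["true"] != probes["false"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_blind_sqli_probes(SAMPLE_LOG):
        print(finding)
```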
24. Which of the following is not true regarding WebGoat?
A. WebGoat is maintained and made available by OWASP.
B. WebGoat can be installed on Windows systems only.
C. WebGoat is based on a black-box testing mentality.
D. WebGoat can use Java or .NET.
B . WebGoat, now in version 7 (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project), is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. It’s designed to teach from a black-box mentality (that is, learners aren’t provided with all information up front, and must discover what they need to know to figure out each lesson, just as they’d have to do in the real world), can be installed on virtually anything, and makes use of Java and .NET.
A , C , and D are incorrect because they are true statements regarding WebGoat.
25. An attacker is viewing a blog entry showing a news story and asking for comments. In the comment field, the attacker enters the following:
Nice post and a fun read
<script>onload=window.location='http://www.badsite.com'</script>
What is the attacker attempting to perform?
A. A SQL injection attack against the blog’s underlying database
B. A cross-site scripting attack
C. A buffer overflow DoS attack
D. A file injection DoS attack
B . This is a classic (an overly simplified but classic nonetheless) example of cross-site scripting. In a blog, the post entry field is intended to take text entry from a visitor and copy it to a database in the background. What’s being attempted here is to have more than just the text copied—the <script> indicator is adding a nice little pointer to a naughty website. If it works, the next visitor to the site who clicks that news story will be redirected to the bad site location.
A , C , and D are all incorrect because this example contains nothing to indicate a SQL injection or a buffer overflow. Additionally, the idea here is not to perform a denial of service. Actually, it’s quite the opposite: the attacker wants the site up and operational so more and more users can be sent to badsite.com.
26. Which of the following is one of the most common methods for an attacker to exploit the Shellshock vulnerability?
A. SSH brute force
B. CSRF
C. Form field entry manipulation
D. Through web servers utilizing CGI (Common Gateway Interface)
D . I would bet very large sums of cash you will see Shellshock on your exam—maybe even a couple of times. Shellshock (also known as Bashdoor) exploits a feature of the bash shell designed to allow configuration through environment variable settings. Basically someone was playing around in bash back in 2014 and figured out they could add arbitrary commands to environment variable configuration command-line submissions. If an attacker input something like
env val='() { :;}; echo BADCOMMAND' bash -c "echo REALCOMMAND"
on a vulnerable system, BADCOMMAND would be executed before the real command.
Per Symantec (http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability), “The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked on to it.” Other avenues for Shellshock exploitation include the following:
• OpenSSH: The “force command” function (where a fixed command is run when a user logs on, even if the user requested a different command) can be exploited in Shellshock.
• DHCP: Some DHCP clients have the capability of passing commands to the bash shell—for example, during connection to a Wi-Fi network. This can be exploited in Shellshock.
• Qmail: If bash is used to process e-mail messaging, the server processes external input in a way that can be exploited in bash.
A is incorrect because brute-forcing an SSH session login has nothing to do with Shellshock.
B is incorrect because cross-site request forgery is a different vulnerability altogether, dealing with web browser hijacking.
C is incorrect because form field manipulation has nothing to do with Shellshock.
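Why CGI is the route, shown from the server side as an added example that is not part of the book: a CGI server copies request headers into HTTP_* environment variables before running the script, so a header value that begins with the bash function-definition prefix () { reaches a vulnerable bash as an environment variable. The check below reproduces that header-to-variable mapping (RFC 3875 naming) and flags any value carrying the prefix; the request headers are constructed samples.

```python
import re

# A vulnerable bash parses any environment variable whose value starts with
# the function-definition prefix "() {"; Shellshock is whatever follows the
# closing brace. Flagging the prefix catches the whole class, not one payload.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_environ_from_headers(headers):
    """Map request headers to the HTTP_* variables a CGI server exports to the
    script: upper-case, hyphens replaced by underscores (RFC 3875 section 4.1.18)."""
    return {
        "HTTP_" + name.upper().replace("-", "_"): value
        for name, value in headers.items()
    }


def find_shellshock_headers(headers):
    """Return the names of CGI environment variables whose values carry the
    function-definition prefix. Any hit should be rejected (or the request
    dropped at the web server or WAF) before a CGI script is spawned."""
    env = cgi_environ_from_headers(headers)
    return [name for name, value in env.items() if SHELLSHOCK_RE.match(value)]


# Constructed sample requests: one ordinary browser request and one carrying
# the same kind of test string the explanation shows, in a User-Agent header.
BENIGN_REQUEST = {
    "Host": "www.example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
}
PROBE_REQUEST = {
    "Host": "www.example.test",
    "User-Agent": "() { :; }; echo SHELLSHOCK-TEST",
    "Referer": "https://www.example.test/",
}

if __name__ == "__main__":
    print(find_shellshock_headers(BENIGN_REQUEST))  # []
    print(find_shellshock_headers(PROBE_REQUEST))   # ['HTTP_USER_AGENT']
```

The same prefix check is what the patched bash applies itself; on the server it doubles as a log-search signature for attempts made while systems were still unpatched.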
27. You are examining website files and find the following text file:
Which of the following is a true statement concerning this file?
A. All web crawlers are prevented from indexing the listing.html page.
B. All web crawlers are prevented from indexing all pages on the site.
C. The Googlebot crawler is allowed to index pages starting with /tmp/.
D. The Googlebot crawler can access and index everything on the site except for pages starting with /tmp/.
D. The robots.txt file was created to allow web designers to control index access to their sites. There are a couple of things you need to know about this file—for your exam and the real world. The first is, no matter what the robots.txt file says, attackers using a crawler to index your site are going to ignore it anyway: it’s valid only for “good-guy” crawlers. After that, the rest is easy: robots.txt is stored in the web root, is available to anyone (by design), and is read in order from top to bottom, much like an ACL on a router. The format is simple: define the crawler (User-agent: name_of_crawler), and then define what it does not have access to. Most robots.txt files will make use of the * variable to signify all crawlers, but you can certainly get specific with who is allowed in and what they can see.
In this example, from top to bottom, the Googlebot crawler is defined and restricted from seeing /tmp/ pages—no other restrictions are listed. After that, all other crawlers (User-agent: *) are restricted from seeing any page (Disallow: /). The last two lines are truly irrelevant because the condition to ignore all pages has been read.
For additional information here, if you think about what a robots.txt file does, you could consider it a pointer to pages you, as an attacker, really want to see. After all, if the security person on the site didn’t want Google indexing it, useful information probably resides there. On the flip side, a security-minded person may get a little snippy with it and have a little fun, sending you to some truly terrible Internet locations should you try to access one of the pages listed there.
A and B are incorrect because the Googlebot crawler is allowed to crawl the site.
C is incorrect because Googlebot is instructed to ignore all /tmp/ pages.
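The evaluation described in the explanation, as an added example that is not part of the book: a small robots.txt parser that splits the file into User-agent groups in file order and answers “may this crawler fetch this path?” using the group that names the crawler, falling back to the * group, with the first matching Disallow prefix winning. The sample file is constructed from the description of question 27 (the Googlebot group, then a catch-all group whose later line is shadowed by Disallow: /).

```python
def parse_robots(text):
    """Parse robots.txt into a list of (agents, disallow_prefixes) groups,
    kept in file order. Comments (#) and unknown fields are ignored."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:  # rules already seen, so this line opens a new group
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field == "disallow":
            rules.append(value)
    if agents:
        groups.append((agents, rules))
    return groups


def is_allowed(groups, crawler, path):
    """A crawler obeys the group that names it; otherwise the '*' group.
    Disallow lines are checked top to bottom and the first prefix match
    denies access; an empty Disallow value restricts nothing."""
    crawler = crawler.lower()
    rules = next((r for a, r in groups if crawler in a), None)
    if rules is None:
        rules = next((r for a, r in groups if "*" in a), [])
    for prefix in rules:
        if prefix and path.startswith(prefix):
            return False
    return True


# Constructed sample file matching the question's description.
SAMPLE_ROBOTS = """\
User-agent: Googlebot
Disallow: /tmp/

User-agent: *
Disallow: /
Disallow: /cgi-bin/   # constructed: already covered by the line above
"""

if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    for crawler, path in [("Googlebot", "/tmp/x.html"), ("Googlebot", "/listing.html"),
                          ("Bingbot", "/listing.html")]:
        print(crawler, path, is_allowed(groups, crawler, path))
```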