While reviewing web server logs, a security analyst notices the following code:
Which of the following would prevent this code from performing malicious actions?
(choose one and why)
The given code queries the profiles.php page with a malicious script appended to the id parameter.
This would give the attacker access to manipulate the database at the backend, as we can see in the query string, where the attacker is passing a UNION database query to get access to other elements of the database. This is a very common attack called SQL injection, where the attacker passes malicious SQL code to the backend database and accesses the database.
This should be avoided at the application end, where it can validate the user input and restrict unauthorized access to the backend so that no SQL injection is passed to the database.
So, to avoid this, the application requires user input validation.
Web application penetration testing, using HTTPS, and a network firewall won't work in this case because the attacker is injecting SQL code into the query itself very smartly, and it will go undetected by these methods.
Hence, the correct answer is:
B. Requiring the application to use input validation
This completes the requirement. Let me know if you have any queries.
Thanks!
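The injection and the input-validation fix discussed in the answer above, as an added worked example that is not part of the original question or answer. Python with an in-memory SQLite database stands in for the PHP/MySQL backend behind profiles.php; the log line, the table names and rows, and the function names (`id_from_log_line`, `profile_vulnerable`, `profile_validated`, `is_rejected`) are all constructed here for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed log line (not from the original page): the request the analyst
# would see, with the UNION payload URL-encoded in the id parameter.
LOG_LINE = ('GET /profiles.php?id=1%20UNION%20SELECT%20username,password_hash'
            '%20FROM%20users HTTP/1.1')


def id_from_log_line(line):
    """Pull the decoded id parameter out of a request line like LOG_LINE."""
    request_path = line.split(" ")[1]
    params = parse_qs(urlsplit(request_path).query)
    return params["id"][0]


def build_db():
    """Constructed in-memory stand-in for the backend: a profiles table the
    page is meant to read and a users table it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)",
                     [(1, "alice", "likes cats"), (2, "bob", "likes dogs")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")])
    conn.commit()
    return conn


def profile_vulnerable(conn, id_param):
    """The pattern that produces the log entry: the raw query-string value is
    concatenated into the SQL text, so the attacker's UNION becomes part of
    the statement the database runs and rows from users come back as profiles."""
    sql = "SELECT name, bio FROM profiles WHERE id = " + id_param
    return conn.execute(sql).fetchall()


# Input validation rule for this parameter: a profile id is a short run of
# decimal digits and nothing else.  Spaces, quotes and SQL keywords are
# rejected before the database is involved.
ID_RE = re.compile(r"^[0-9]{1,10}$")


def profile_validated(conn, id_param):
    """Hardened version: validate the input, then bind it as a parameter so
    the value can never be parsed as SQL even if the rule were loosened."""
    if not ID_RE.fullmatch(id_param):
        raise ValueError("invalid id parameter: %r" % id_param)
    return conn.execute("SELECT name, bio FROM profiles WHERE id = ?",
                        (int(id_param),)).fetchall()


def is_rejected(conn, id_param):
    """True if the validated endpoint refuses the value."""
    try:
        profile_validated(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    payload = id_from_log_line(LOG_LINE)
    print("decoded id parameter:", payload)
    print("vulnerable endpoint returns:", profile_vulnerable(conn, payload))
    print("validated endpoint rejects it:", is_rejected(conn, payload))
    print("validated endpoint with id=1:", profile_validated(conn, "1"))
```

Run it and the vulnerable endpoint returns the admin username and password hash alongside alice's profile, which is exactly what the UNION in the logged query string is for. The validated endpoint never lets that value reach the database; the regex does the work the answer calls input validation, and the parameter binding is defence in depth for the case where a looser rule (for example, a free-text search field) cannot be reduced to digits.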