While reviewing web server logs, a security analyst notices the following code:
Which of the following would prevent this code from performing malicious actions?
(choose one and why)
- Performing web application penetration testing
- Requiring the application to use input validation
- Disabling the use of HTTP and requiring the use of HTTPS
- Installing a network firewall in front of the application
Homework Answers
The given code queries the profiles.php page with malicious script added with the id.
This would give access to the attacker, to manipulate the database at the backend. As we can see in the query string where the attacker is passing the UNION database query to get access to other elements of the database. This is a very common attack called SQL injection where the attacker passes SQL malicious code to backend database and access the database.
This should be avoided at application end only where it can validate the user input and restrict unauthorized access to the backend so that it doesn't pass any SQL injection to the database.
So to avoid this, the application requires user input validation.
Web application penetration testing, using HTTPS, and network firewall won't work in this case because the attacker is injecting SQL code in the query itself very smartly and it will go undetected in these methods.
Hence, the correct answer is:
B.Requiring the application to use input validation
This completes the requirement. Let me know if you have any queries.
Thanks!
Add Answer to:
While reviewing web server logs, a security analyst notices the following code: Which of the following...
After reviewing wireless network traffic logs a security analyst notices an unusual number of handshakes. Which...
After reviewing wireless network traffic logs a security analyst notices an unusual number of handshakes. Which of the following is MOST likely happening? a. TCP reset of connections b. Rainbow table decryption c. Forced TLS downgrading d. Forced deauthorization
web problem, JavaScript language for the Web Explain what is wrong with the following code and...
web problem, JavaScript language for the Web
Explain what is wrong with the following code and then fix it. [I want to submit a GET request to the server and I must send the account ID.] async function getAccountInfo () { const res = await fetch('http://example.com/account', { method: 'GET', body: JSON.stringify ({accountID: 123}), headers: {'Content-Type': 'application/json'} }); const accountInfo = await res.json (); console.log (accountInfo);
Figure 1 LAN Subnet: 192.168.40.0124 LAN Switch Internet External Firewall Internal Firewall DMZ Subnet: 192.168.10.0/24 LAN devices Web Server running on port 80 IDS (Snort VM) Remote Access S...
Figure 1 LAN Subnet: 192.168.40.0124 LAN Switch Internet External Firewall Internal Firewall DMZ Subnet: 192.168.10.0/24 LAN devices Web Server running on port 80 IDS (Snort VM) Remote Access Server (Nginx VM) (OpenVPN) Overview Medium to large organisations typically consist of services that are accessed/consumed from external parties for various purposes. As such, a DMZ is a suitable solution to segregate such services from internal networkis). The network diagram provided (Figure 1) illustrates the IT environment of a medium organisation, which...
A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine...
A security analyst performs various types of vulnerability
scans. Review the vulnerability scan
results to determine the type of scan that was executed and if a
false positive
occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the
results were generated from a credentialed
scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the
results for false positives and check the
findings that display false positives. NOTE: If you...
Modify current code to complete the following: Current code: Validate a Web IP address which will...
Modify current code to complete the following:
Current code:
Validate a Web IP address which will accept the following positive examples: 1.1.1.1 192.0.0.255 255.255.255.255 The IP address comprises four parts each of which is one to three digits, with each part separated by a DOT or period. To match a single digit, or two digits, or three digits, you will need to use the curly braces to specify the minimum and maximum number of digits desired. digits, you will need...
ANSWER NETWORKS QUESTIONS (MCQS AND CALCULATIONS) QUESTIONS ( 11 - 20) QUESTION 11 1. Consider the following...
ANSWER NETWORKS QUESTIONS (MCQS AND CALCULATIONS) QUESTIONS ( 11 - 20) QUESTION 11 1. Consider the following excerpt from a simple server side UDP program: Server.py from socket import * sName=’127.0.0.1’ sSocket=socket(AF_INET,SOCK_DGRAM) sSocket.bind((sName, 12005)) while True: msg, cAddr =sSocket.recvfrom(2048) newMsg = msg.decode().lower() sSocket.sendto(*********************) What code could be used to replace the **********’s in line 8? newMsg.encode(), cAddr newMsg.encode() msg.encode(), cAddr msg.encode() none of the above 1 points QUESTION 12 For a client to obtain an IP address from the local...
Solve the code below: CODE: """ Code for handling sessions in our web application """ from bottle import request, response import uuid import json import model import dbsche...
Solve the code below:
CODE:
"""
Code for handling sessions in our web application
"""
from bottle import request, response
import uuid
import json
import model
import dbschema
COOKIE_NAME = 'session'
def get_or_create_session(db):
"""Get the current sessionid either from a
cookie in the current request or by creating a
new session if none are present.
If a new session is created, a cookie is set in the response.
Returns the session key (string)
"""
def add_to_cart(db, itemid, quantity):
"""Add an...
Risk management in Information Security today Everyday information security professionals are bombarded with marketing messages around...
Risk management in Information Security today Everyday information security professionals are bombarded with marketing messages around risk and threat management, fostering an environment in which objectives seem clear: manage risk, manage threat, stop attacks, identify attackers. These objectives aren't wrong, but they are fundamentally misleading.In this session we'll examine the state of the information security industry in order to understand how the current climate fails to address the true needs of the business. We'll use those lessons as a foundation...
TRUE/FALSE QUESTIONS: Foundations of Information Security and Assurance 1. There is a problem anticipating and testing for...
TRUE/FALSE QUESTIONS: Foundations of Information Security and Assurance 1. There is a problem anticipating and testing for all potential types of non-standard inputs that might be exploited by an attacker to subvert a program. 2. Without suitable synchronization of accesses it is possible that values may be corrupted, or changes lost, due to over-lapping access, use, and replacement of shared values. 3. The biggest change of the nature in Windows XP SP2 was to change all anonymous remote procedure call (RPC)...
The discussion: 150 -200 words. Auditing We know that computer security audits are important in business....
The discussion: 150 -200 words. Auditing We know that computer security audits are important in business. However, let’s think about the types of audits that need to be performed and the frequency of these audits. Create a timeline that occurs during the fiscal year of audits that should occur and “who” should conduct the audits? Are they internal individuals, system administrators, internal accountants, external accountants, or others? Let me start you: (my timeline is wrong but you should use some...
web problem, JavaScript language for the Web
Explain what is wrong with the following code and then fix it. [I want to submit a GET request to the server and I must send the account ID.] async function getAccountInfo () { const res = await fetch('http://example.com/account', { method: 'GET', body: JSON.stringify ({accountID: 123}), headers: {'Content-Type': 'application/json'} }); const accountInfo = await res.json (); console.log (accountInfo);
Figure 1 LAN Subnet: 192.168.40.0124 LAN Switch Internet External Firewall Internal Firewall DMZ Subnet: 192.168.10.0/24 LAN devices Web Server running on port 80 IDS (Snort VM) Remote Access Server (Nginx VM) (OpenVPN) Overview Medium to large organisations typically consist of services that are accessed/consumed from external parties for various purposes. As such, a DMZ is a suitable solution to segregate such services from internal networkis). The network diagram provided (Figure 1) illustrates the IT environment of a medium organisation, which...
A security analyst performs various types of vulnerability
scans. Review the vulnerability scan
results to determine the type of scan that was executed and if a
false positive
occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the
results were generated from a credentialed
scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the
results for false positives and check the
findings that display false positives. NOTE: If you...
Modify current code to complete the following:
Current code:
Validate a Web IP address which will accept the following positive examples: 1.1.1.1 192.0.0.255 255.255.255.255 The IP address comprises four parts each of which is one to three digits, with each part separated by a DOT or period. To match a single digit, or two digits, or three digits, you will need to use the curly braces to specify the minimum and maximum number of digits desired. digits, you will need...
Solve the code below:
CODE:
"""
Code for handling sessions in our web application
"""
from bottle import request, response
import uuid
import json
import model
import dbschema
COOKIE_NAME = 'session'
def get_or_create_session(db):
"""Get the current sessionid either from a
cookie in the current request or by creating a
new session if none are present.
If a new session is created, a cookie is set in the response.
Returns the session key (string)
"""
def add_to_cart(db, itemid, quantity):
"""Add an...
Most questions answered within 3 hours.
-
You dissolve 1.0 mole of a substance in water to a total volume
of 1,000 ml....
asked 1 minute from now -
A company's total assets at the end of last year were 500,000
and its EBIT was...
asked 3 minutes ago -
Is it redundant to say that a pure substance is homogeneous, or
can it not be...
asked 7 minutes ago -
Already famous by the time he arrived at Princeton University in
1933, Einstein had suggested a...
asked 25 minutes ago -
Suppose the average male brain weight (in grams) is estimated to
be 13201320 grams. A 1905...
asked 34 minutes ago -
For each molecular substance (a) H3PO2 and (b) C6H5NH2,
calculate its molecular mass and write a...
asked 27 minutes ago -
The inheritance of color blindness in humans is due to a
recessive gene located on the...
asked 30 minutes ago -
Aqueous sulfuric acid (H2SO4) reacts with solid sodium hydroxide
(NaOH) to produce aqueous sodium sulfate (Na2SO4)...
asked 32 minutes ago -
QUESTION 25:
Find the pure binary representation of the following decimal
value: You DO NOT need...
asked 35 minutes ago -
The English mathematician John Kerrich tossed a coin
10,000 times and obtained 5067 heads.
a. calculate...
asked 1 hour ago -
13. Use the Student's t-distribution to find the t-value for
each of the given scenarios. Round...
asked 55 minutes ago -
Explain the nutrition assessment for the lower gastrointestinal
tract, including the components of client history, anthropometric...
asked 54 minutes ago