Tag: security

Questions Related to security

  1. Looting a bank

  2. Looting email addresses, personal information

  3. Stuxnet kind of attacks

  4. Distributing virus, worms


Correct Option: D
Explanation:

To answer this question, the user needs to know what cybercrime is and what activities constitute cybercrime.

Out of the given options, looting a bank is not a cybercrime. It is a traditional crime that can be committed without the use of computers or the internet.

On the other hand, looting email addresses, personal information, distributing viruses and worms are activities that can only be carried out through the use of computers and the internet, making them cybercrimes.

Stuxnet-style attacks are a type of cybercrime designed to damage or destroy specific industrial equipment. Stuxnet was used to target Iran's nuclear program, and it caused physical damage to centrifuges at a uranium enrichment plant.

Therefore, the correct answer is:

The Answer is: D. Distributing virus, worms

Which of the following attacks cannot be controlled by a firewall?

  1. Ping flood

  2. Request to access a non-standard port

  3. Request to access a standard port

  4. DDOS


Correct Option: D

AI Explanation

To answer this question, we need to understand the purpose and limitations of a firewall.

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls are designed to prevent unauthorized access to or from a private network and can control the flow of traffic based on factors like IP addresses, ports, protocols, and application types.

Now, let's go through each option to understand why it can or cannot be controlled by a firewall:

Option A) Ping flood - This option can be controlled by a firewall. A ping flood is a type of Denial-of-Service (DoS) attack where the attacker overwhelms a target system with a flood of ICMP Echo Request packets (ping requests). A firewall can be configured to limit or block ICMP packets, including ping requests, thus mitigating the effect of a ping flood attack.

Option B) Request to access a non-standard port - This option can be controlled by a firewall. A firewall can be configured to allow or block access to specific ports. If a request is made to access a non-standard port, the firewall can be configured to block that request, preventing unauthorized access.

Option C) Request to access a standard port - This option can be controlled by a firewall. A firewall can be configured to allow or block access to specific ports, including standard ports used by common protocols like HTTP (port 80) or HTTPS (port 443). By configuring the firewall rules, the administrator can control which requests are allowed or blocked.

Option D) DDoS (Distributed Denial-of-Service) - This option cannot be effectively controlled by a firewall alone. A DDoS attack involves multiple compromised computers (a botnet) flooding a target system with a massive amount of traffic, overwhelming its resources and causing a denial of service. Firewalls are not designed to handle the scale and volume of traffic generated by a DDoS attack. DDoS mitigation requires specialized tools and techniques, such as traffic filtering, rate limiting, and load balancing, which go beyond the capabilities of a firewall.

Based on the explanations above, the correct answer is D) DDOS. This option cannot be effectively controlled by a firewall alone due to the scale and volume of traffic involved in a DDoS attack.

  1. SQL injection

  2. Social engineering attacks

  3. War-dialing attack

  4. War-driving attack


Correct Option: A
  1. cross-site scripting

  2. command injection

  3. SQL injection

  4. path traversal attacks


Correct Option: D
Explanation:

To answer this question, the user needs to have knowledge about different types of web attacks.

The answer is D. Path Traversal Attacks.

Option A is incorrect because Cross-site scripting (XSS) attacks allow an attacker to inject malicious scripts into a web page viewed by other users. This allows the attacker to steal user information, hijack user accounts, spread malware, and perform other malicious activities.

Option B is incorrect because Command Injection Attacks occur when an attacker sends malicious input to an application, tricking it into executing unintended commands. This can allow the attacker to run arbitrary commands on the web server, potentially compromising the server and its data.

Option C is incorrect because SQL Injection attacks occur when an attacker sends malicious SQL statements to a web application database. This can allow the attacker to view or modify data in the database, or even take control of the entire database server.

Option D is the correct answer because Path Traversal Attacks occur when an attacker manipulates a URL to access files outside of the web server's root directory. This can allow the attacker to view sensitive data or execute arbitrary code on the web server.

  1. Client-side data validation

  2. Filtering data with a default deny regular expression

  3. Running the application under least privileges necessary

  4. Using parameterized queries to access a database


Correct Option: A
Explanation:

To solve this question, the user needs to have knowledge of securing web applications against authenticated users.

Option A: Client-side data validation is not sufficient to secure web applications against authenticated users. It can be easily bypassed by attackers, and therefore this option is not recommended.

Option B: Filtering data with a default deny regular expression can help prevent malicious input from being accepted, which is a good security practice. Therefore, this option is recommended.

Option C: Running the application under least privileges necessary is a recommended security practice because it limits the damage that can be caused by a successful attack. Therefore, this option is recommended.

Option D: Using parameterized queries to access a database can help prevent SQL injection attacks, which is a good security practice. Therefore, this option is recommended.

Therefore, the option that is NOT recommended for securing web applications against authenticated users is option A: Client-side data validation.

The Answer is: A

  1. Sufficient to secure the application

  2. Sufficient only when combined with other controls

  3. Sufficient if the passwords are longer than six characters

  4. Sufficient if none of the users have administrative access


Correct Option: B
Explanation:

To solve this question, the user needs to have knowledge of the basic principles of security controls for database applications.

Option A: This option is incorrect because securing a database application with username/password access controls alone is not sufficient to fully secure the application. Although username/password access control is an essential security measure, it is not sufficient in isolation.

Option B: This option is correct because username/password access controls are necessary but not sufficient to fully secure a database application. Other controls such as encryption, access control lists, monitoring, and auditing should be combined with username/password access controls for a complete security solution.

Option C: This option is incorrect because the length of the password alone does not guarantee the security of the database application. There are other factors to consider such as password complexity, password rotation, and password storage.

Option D: This option is incorrect because even if none of the users have administrative access, username/password access controls alone are still not sufficient to fully secure a database application.

Therefore, the correct answer is:

The Answer is: B. Sufficient only when combined with other controls

  1. Blocking access to antivirus and antispyware updates

  2. Aggregating surfing habits across multiple users for advertising

  3. Customizing search results based on an advertiser's needs

  4. All of the above


Correct Option: D
  1. Trust user-supplied data.

  2. Clean and validate all user input.

  3. Use GET instead of POST.

  4. Allow the use of HIDDEN form fields.


Correct Option: B
Explanation:

To improve the overall quality of web applications, developers should abide by the following rule:

B. Clean and validate all user input.


Option A: Trusting user-supplied data is not a good practice, as it can lead to security vulnerabilities such as injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Option B: Cleaning and validating all user input is a good practice that can help prevent security vulnerabilities. Input validation can help ensure that the data is in the correct format and meets the expected criteria, while input cleaning can help remove any malicious content from the user input.

Option C: Using GET instead of POST is not a rule for improving the overall quality of web applications. GET and POST are different HTTP methods used in web applications, and each has its own advantages and disadvantages. Choosing the right method depends on the requirements of the application.

Option D: Allowing the use of HIDDEN form fields is not a rule for improving the overall quality of web applications. HIDDEN form fields can be used to store data that the user cannot see or modify, but they do not provide any security benefits.

Therefore, the correct answer is:

The Answer is: B. Clean and validate all user input.

  1. "Spoofed" e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords

  2. A type of computer virus

  3. An example of a strong password

  4. None of the above


Correct Option: A
  1. Attackers can use error messages to extract specific information from a system.

  2. Attackers can use unexpected errors to knock an application offline, creating a denial-of-service attack.

  3. Attackers can use revealed error messages to craft more advanced attacks to gain system access.

  4. All of the above


Correct Option: D