1. You are examining log files and notice several connection attempts to a hosted web server. Several attempts appear as such:
http://www.example.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows\system32\cmd.exe
What type of attack is in use?
A. SQL injection
B. Unicode parameter tampering
C. Directory traversal
D. Cross-site scripting
C. This connection is attempting to traverse the directory from the Inetpub folders to a command shell for the attacker. Unicode is used in this example to bypass potential IDS signatures.
2. The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the price of items on several web orders do not match the listed price on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play?
A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items.
B. The attacker has used SQL injection to update the database to reflect new prices for the items.
C. The attacker has taken advantage of a Server Side Include that altered the price.
D. The attacker used Metasploit to take control of the web application.
A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.
3. Which of the following would best represent a parameter-tampering attack?
A. http://example.com/add.asp?ItemID=513&Qty=1&Price=15
B. http://www.example.com/search.asp?lname=walker%27%update%20usertable%20%20set%3d%23hAxor%27
C. http://www.example.com/../../../../../../windows\system32\cmd.exe
A. Parameter tampering is fairly easy to identify when the URL contains a price, access permissions, or account information identified by an integer. Answers B and D are obviously SQL injection attempts, and answer C is directory traversal.
4. You are examining IDS logs and come across the following entry:
Mar 30 10:31:07 [1123}: IDS1661/NOPS-x86: 64.118.55.64:1146-> 192.168.119.56:53
What can you infer from this log entry?
A. The attacker, using address 192.168.119.56, is attempting to connect to 64.118.55.64 using a DNS port.
B. The attacker, using address 64.118.55.64, is attempting a directory traversal attack.
C. The attacker is attempting a known SQL attack against 192.168.119.56.
D. The attacker is attempting a buffer overflow against 192.168.119.56.
D. The log file shows that the NOP sled signature is being used against 192.168.119.56. There is no indication in the log file about SQL or directory traversal.
5. A junior security employee tells you a web application has halted. An examination of the syslog shows an entry from the web application, indicating the canary word has been altered. What does this message indicate?
A. The NIDS has blocked an attempted attack.
B. The firewall has failed in protecting the subnet.
C. A buffer overflow attack has been successful.
D. A buffer overflow was attempted, but failed.
D. A canary word is created specifically to look for and indicate buffer overflow attacks. The fact that the application stopped processing immediately indicates the attack was logged but was not successful.
6. A pen-test member is experimenting with a web form on a target website and receives the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e08' [Microsoft][ODBC SQL Server Driver]
What might this error indicate?
A. The application may be vulnerable to directory traversal.
B. The application may be vulnerable to SQL injection.
C. The application may be vulnerable to buffer overflow.
D. None of the above.
B. The error message blatantly states a Microsoft SQL Server instance is answering the bogus request, thus indicating a possible SQL injection target.
7. Which character is the best choice to start an SQL injection attempt?
A. Colon
B. Semicolon
C. Double quote
D. Single quote
D. The single quote should begin SQL injection attempts.
8. Jim has been hired to manage a web server. He wants to examine the server for vulnerabilities as a first step to plan his hardening efforts. Which of the following tools would be the best choice for this situation?
A. BlackWidow
B. HTTrack
C. Burp Suite
D. Nessus
D. Nessus is a vulnerability scanner that can be used against a variety of systems, including web servers.
9. A member of the pen test team examines a cookie he received from a live session on the target's web server. Here's a portion of the cookie text:
lang=en-us; ADMIN=no; y=1; time=13:27GMT;
Which of the following should he infer regarding this information?
A. The site is most likely vulnerable to SQL injection.
B. The site is not likely to be vulnerable to SQL injection.
C. The site is vulnerable to parameter tampering.
D. None of the above.
C. The text of the cookie reading "ADMIN=no" is of special significance. An attacker using a tool such as Cookie Editor might change it to read "ADMIN=yes" to elevate privileges for further attacks.
10. An attacker inputs the following into the Search text box on an entry form: <script>'It Worked'</script>. The attacker then clicks the Search button and a pop-up appears stating "It Worked." What can you infer from this?
A. The site is vulnerable to buffer overflow.
B. The site is vulnerable to SQL injection.
C. The site is vulnerable to parameter tampering.
D. The site is vulnerable to XSS.
D. This indicates a cross-site scripting vulnerability.