Security Testing Theory and Practice
Running head: SECURITY TESTING THEORY AND PRACTICE
Security Testing Theory and Practice
Name of the Student
Name of the University
Author’s Note:
Table of Contents
Year 2013
Year 2014
Year 2015
Year 2016
Year 2017
Bibliography
Year 2013
Question 1
a) Answer: The main differences between real-time brute force password recovery
attacks and table-based pre-computation password recovery attacks are as follows:
i) A brute force password recovery attack is extremely easy to crack and takes
less time, whereas a pre-computation password recovery attack cannot be cracked
easily and takes longer.
ii) A brute force password recovery attack is used for checking weak passwords,
and the opposite holds for a pre-computation password recovery attack.
b) Answer: The three best practice approaches for designing password hashing
schemes are Lookup Tables, Reverse Lookup Tables and Rainbow Tables.
i) Lookup Tables are the most effective way of cracking all hashes of the same
type extremely fast.
ii) Reverse Lookup Tables help to create a particular lookup table, which maps
each password hash from the user database. The attacker then hashes a password
guess and uses the lookup table to get the list of users with that guessed
password.
iii) Rainbow Tables can be defined as a time-memory trade-off technique.
c) Answer: i) Brute Force Password Recovery Attacks: this type of attack enables
the attacker to apply the attack to several hashes simultaneously, without
pre-computing a reverse lookup table, which affects the complexity of the brute
force attack. The second approach that affects the complexity of a brute force
attack is the rainbow table, which sacrifices the speed of hash cracking.
ii) Pre-Computation Password Recovery Attack: lookup tables are extremely
effective against the complexities of this type of attack. The main advantage of
this type of attack is that it saves computation time and makes the run less
demanding.
d) Answer: In UNIX systems, user passwords were protected in the password file
known as /etc/passwd, which is world readable. Later they were moved to
/etc/shadow, which is backed up in /etc/shadow-. This file is readable only by
root, and the passwords in it are hashed and salted.
e) Answer: Pre-computed hash tables, or rainbow tables, are used for cracking
password hashes; they effectively reverse the cryptographic hash function. The
plaintext password can be recovered up to a specific length that consists of a
restricted character set. Rainbow tables are a time-memory trade-off technique
and are extremely effective in increasing the effectiveness of password cracking
tools.
Question 2
a) Answer: The three steps of an XSS attack are as follows:
i) Searching for a Vulnerable Website: hackers use Google dorks to search for a
vulnerable site and thus target its users.
ii) Testing the Vulnerability: the vulnerability of the site is tested by
injecting one's own script.
iii) Exploiting the Vulnerability: the third step is to exploit the vulnerability
of the targeted website.
b) Answer: The differences between reflected and stored XSS attacks are as follows:
Reflected attacks are those where the injected script is simply reflected off the
web server, for example in a search result, error message or other response. It
includes most of the
input that is sent to the server as part of a request. When the user is tricked
into clicking a malicious link, the injected code travels to the website, which
reflects the attack back into the user's browser. This is also known as
Non-Persistent or Type II XSS.
Stored XSS attacks are those where the injected script is stored permanently on
the targeted server, for example in a visitor log, database, comment field or
message forum. The victim then retrieves the infected script from the server when
the stored information is requested. This type of attack is also known as
Persistent or Type I XSS.
c) Answer: Poor data or input validation can be defined as data that is not
strongly typed, has improper syntax, or does not consist of permitted characters
within bounded ranges. Two significant examples of such poor data validation are
as follows:
i) When entering a month number, a user input of 13 is wrong.
ii) When a user wrongly puts a name in place of an address, that is poor data
validation.
d) Answer: The sanitization approach helps to accept user data where there is a
broad range of acceptable input.
For example, for a form field like <input type="text" id="title" name="title" />
the data can be sanitized with the sanitize_text_field() function.
This is extremely useful for protecting against XSS attacks as it helps to secure
the output; this option is known as escaping.
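As an added example (not from the original answer), the following Python shows the sanitize-on-input, escape-on-output approach described above for the page's title field, and renders the reflected and stored contexts from b). sanitize_text_field() here is a constructed stand-in for the WordPress function of that name, and the comment store is an in-memory list.

```python
import html
import re

# Constructed in-memory stand-in for the server-side store (database,
# visitor log, comment field or message forum named in the answer above).
COMMENTS = []


def sanitize_text_field(value: str) -> str:
    """Input-side sanitization in the spirit of WordPress's
    sanitize_text_field(): drop tags, control characters and surrounding
    whitespace. This narrows what gets stored; it does not by itself make
    the value safe to place in HTML, which is the job of escaping on output."""
    value = re.sub(r"<[^>]*>", "", value)          # remove anything tag-shaped
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)  # remove control characters
    return value.strip()


def store_comment(raw: str) -> str:
    """Stored XSS path: the value is persisted and served to every later
    visitor, so it must be treated as untrusted each time it is rendered."""
    clean = sanitize_text_field(raw)
    COMMENTS.append(clean)
    return clean


def render_title_field(title: str, escape: bool = True) -> str:
    """Attribute context for the page's own form field. escape=False places
    the value verbatim (the vulnerable form); escape=True turns quotes and
    angle brackets into entities so the value cannot break out of the
    attribute."""
    shown = html.escape(title, quote=True) if escape else title
    return f'<input type="text" id="title" name="title" value="{shown}" />'


def render_search_result(query: str, escape: bool = True) -> str:
    """Reflected XSS context: the request parameter is echoed straight back
    in the response body."""
    shown = html.escape(query, quote=True) if escape else query
    return f"<p>Results for: {shown}</p>"


def render_comments(escape: bool = True) -> str:
    """Stored XSS context: render everything persisted so far."""
    items = (html.escape(c, quote=True) if escape else c for c in COMMENTS)
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


if __name__ == "__main__":
    # Constructed sample values: tag-shaped text, quotes and a control byte.
    print(render_title_field(sanitize_text_field('Report "Q3" <draft>\x07')))
    print(render_search_result("<b>bold</b> & co"))
    store_comment("<b>hi</b> & bye")
    print(render_comments())
```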
e) Answer: The differences between XSRF and XSS attacks are as follows:
XSRF attacks occur in authenticated sessions, where the server places trust in
the user or browser, whereas XSS attacks do not require an authenticated session
and can be exploited when the vulnerable website does not do the basics of
escaping or validating input.
Question 5
a) Answer: A popular methodology for security testing is OSSTMM, the Open
Source Security Testing Methodology Manual.
b) Answer: The CVE system gives a standard reference method for publicly known
information security vulnerabilities and exposures.
CVE Identifiers are common unique identifiers for publicly known information
security vulnerabilities.
CVE identifiers are extremely useful for security testing as each carries a
number that makes it a unique identifier.
c) Answer: A well-known automated vulnerability scanner is OpenVAS, the Open
Vulnerability Assessment System.
i) The benefit of performing vulnerability identification manually is that it
helps to identify programming errors, which can lead to cyber attacks.
ii) The benefit of performing vulnerability identification automatically is that
it helps to gather information.
d) Answer: Fuzzing is an automated software testing technique that involves
feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as
it helps to remove software vulnerabilities.
e) Answer: The three OS countermeasures that can be used to protect against
buffer overflow attacks are as follows:
i) Stack Canaries: these are values inserted at known locations in memory to
detect buffer overflows.
ii) ASLR: Address Space Layout Randomization introduces randomness into the
layout of a process's virtual memory, changing the binary mapping.
iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to
track it through the system.
f) Answer: The goals of the Maintaining Access phase are to detect and filter the
transfer of content to all internal devices or external sites and also to prevent
direct session initiation among the servers in the data centre and network.
The goals of the Covering Tracks phase are to hide the intrusion and all possible
controls for a future visit. Moreover, it helps to provide personal firewalls and
anti-malware solutions.
The two methods used in the Maintaining Access phase are privilege escalation and
creating one's own credentials.
The two methods used in the Covering Tracks phase are removing logging and
installing rootkits.
Year 2014
Question 2
a) Answer: Poor data or input validation can be defined as data that is not
strongly typed, has improper syntax, or does not consist of permitted characters
within bounded ranges.
Two significant examples of such poor data validation are as follows:
i) When entering a month number, a user input of 13 is wrong.
ii) When a user wrongly puts a name in place of an address, that is poor data
validation.
b) Answer: Code injection attacks are the exploitation of a computer bug caused
by the processing of invalid data. Hackers inject code into a computer program,
and thus code injection attacks are carried out. This leaves any user extremely
vulnerable.
The two examples of code injection attacks are the Cross-Site Scripting (XSS)
attack and the OS command attack.
c) Answer: SQL injection attacks are a specific type of code injection used to
attack data-driven applications, where nefarious SQL statements are inserted into
an entry field for execution. The hacker searches for an input to the web
application that is included in the SQL query; for the website to be vulnerable,
the user input must be included directly within the SQL statement.
d) Answer: A blind SQL injection attack is the kind of SQL injection attack that
asks the database true or false questions and determines the answer based on the
application's response. This type of attack mainly occurs when the web
application is configured to show generic error messages.
e) Answer: The two countermeasures against SQL injection attacks are as follows:
i) Performing systematic input validation.
ii) Using parameterized stored procedures for accessing the database, to ensure
that input strings are not treated as SQL.
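Added Python example, not from the original answers, showing the mechanism from c) beside the two countermeasures from e): a constructed in-memory SQLite table, a lookup that pastes the entry-field value into the statement, the same lookup with a bound parameter, and an allow-list validator (a constructed username policy) applied before the query.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the data-driven
    application's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the entry-field value is pasted into the statement,
    so any SQL syntax it contains becomes part of the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Countermeasure ii): a bound parameter is always treated as a value,
    never as part of the statement, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# Countermeasure i): systematic input validation with an allow-list of
# permitted characters inside a bounded length (constructed policy).
USERNAME = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> str:
    """Reject anything outside the allow-list before it reaches the database."""
    if not USERNAME.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Both countermeasures together: validate first, then bind."""
    return lookup_parameterized(conn, validate_username(name))


def compare(name: str) -> dict:
    """Run one input through the three lookups and report each outcome."""
    conn = make_db()
    try:
        hardened = lookup_hardened(conn, name)
    except ValueError as exc:
        hardened = str(exc)
    return {
        "vulnerable": lookup_vulnerable(conn, name),
        "parameterized": lookup_parameterized(conn, name),
        "hardened": hardened,
    }


if __name__ == "__main__":
    print(compare("alice"))
    # Constructed entry-field value carrying SQL syntax: the vulnerable
    # lookup returns every row, the other two do not.
    print(compare("x' OR '1'='1"))
```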
Question 3
3. Answer: The security testing methodologies and frameworks mainly include
OSSTMM or Open Source Security Testing Methodology Manual, OWASP or Open Web
Application Security Project, MSF or Metasploit Framework, ISSAF or Information
Systems Security Assessment Framework and BSIMM or Building Security In Maturity
Model.
The main domains of OSSTMM are information security, process security, internet
technology security, communication security and wireless security.
The phases of OWASP are before development begins, during definition and design,
during development, during deployment, and finally maintenance and operations.
The five phases of MSF are envisioning, planning, development, stabilizing and
deploying.
The phases of ISSAF are Planning, Assessment, Treatment and Accreditation.
The domains of BSIMM are governance, intelligence, secure software development
lifecycle (SSDL) touchpoints, and deployment.
Question 4
a) Answer: A buffer overflow aims to force the execution of malicious code in
order to provide a root shell to the user. These instructions are stored within a
buffer, which is overflowed, allowing unexpected use of the process to change
several memory sections.
b) Answer: The three OS countermeasures that can be used to protect against
buffer overflow attacks are as follows:
i) Stack Canaries: these are values inserted at known locations in memory to
detect buffer overflows.
ii) ASLR: Address Space Layout Randomization introduces randomness into the
layout of a process's virtual memory, changing the binary mapping.
iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to
track it through the system.
c) Answer: This type of attack occurs when an arithmetic operation attempts to
create a numeric value that is outside its range, either larger or smaller.
This can be stopped by not using signed integers for array indexing.
d) Answer: Fuzzing is an automated software testing technique that involves
feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as
it helps to remove software vulnerabilities.
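As an added example for this answer and the identical 2013 Question 5 d) answer (not taken from the original), a minimal mutation fuzzer in Python: a constructed length-prefixed message parser with a deliberate missing bounds check, a harness that separates expected rejections from crashes, and a fixed parser to re-run the same campaign against. The message format, seed input and parser names are all constructed for the example.

```python
import random


class ParseError(Exception):
    """Expected, clean rejection of malformed input; not a finding."""


def parse_message(data: bytes) -> list:
    """Constructed target: 0x7E magic byte, a record count, then
    length-prefixed records. Deliberate defect: the count and lengths are
    trusted, so a count larger than the records present reads past the end."""
    if len(data) < 2 or data[0] != 0x7E:
        raise ParseError("bad magic or truncated header")
    count, offset, records = data[1], 2, []
    for _ in range(count):
        length = data[offset]                      # IndexError when count lies
        records.append(bytes(data[offset + 1:offset + 1 + length]))
        offset += 1 + length
    return records


def parse_message_fixed(data: bytes) -> list:
    """Hardened version: every declared count and length is checked against
    the bytes actually present before it is used."""
    if len(data) < 2 or data[0] != 0x7E:
        raise ParseError("bad magic or truncated header")
    count, offset, records = data[1], 2, []
    for _ in range(count):
        if offset >= len(data):
            raise ParseError("record count exceeds data")
        length = data[offset]
        if offset + 1 + length > len(data):
            raise ParseError("record length exceeds data")
        records.append(bytes(data[offset + 1:offset + 1 + length]))
        offset += 1 + length
    return records


def run_target(parser, data: bytes):
    """Harness oracle: None when the parser parses or rejects cleanly,
    otherwise the name of the unexpected exception (a crash to report)."""
    try:
        parser(data)
    except ParseError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: overwrite, insert or delete a byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


# Constructed valid seed message: two records, "abc" and "xy".
SEED_INPUT = b"\x7e\x02\x03abc\x02xy"


def fuzz(parser, iterations: int = 1000, seed: int = 1) -> dict:
    """Mutation-based fuzzing: derive inputs from the valid seed and keep the
    first input that produced each distinct crash type."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        candidate = mutate(SEED_INPUT, rng)
        crash = run_target(parser, candidate)
        if crash is not None and crash not in findings:
            findings[crash] = candidate
    return findings


if __name__ == "__main__":
    print("vulnerable parser:", fuzz(parse_message))   # expect an IndexError finding
    print("fixed parser:", fuzz(parse_message_fixed))  # expect no findings
```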
Year 2015
Question 1
a) Answer: The steps are as follows:
Step 1: Understand Attack Scenarios
Step 2: Analyze Causes and Countermeasures
Step 3: Start Testing and Exploring
Step 4: Fine-tune Test Cases
b) Answer: Yes, XSRF vulnerabilities are due to poor data or input validation by
the tested web application, as this type of attack occurs in authenticated
sessions, where the server places trust in the user or browser. Poor data
validation is one of the major causes of this type of attack.
c) Answer: The two countermeasures for protecting against XSRF attacks are as
follows:
i) Trick the victim into clicking a link.
ii) Send a crafted request from the victim's browser.
d) Answer: The differences between XSRF and XSS attacks are as follows:
XSRF attacks occur in authenticated sessions, where the server places trust in
the user or browser, whereas XSS attacks do not require an authenticated session
and can be exploited when the vulnerable website does not do the basics of
escaping or validating input.
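The trust relationship described in d) above and in the 2013 Question 2 e) answer can be shown in code. This is an added Python example, not part of the original answers: a constructed request handler that first trusts the session cookie alone, then additionally demands a per-session token that a page on another origin cannot obtain. The session store, handler and form fields are all constructed for the example.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def login(user: str) -> str:
    """Create an authenticated session and bind a fresh random CSRF token
    to it; the token is later embedded in the site's own forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the site's own page template would render into a hidden field."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(cookies: dict, form: dict, check_token: bool) -> str:
    """A state-changing handler. With check_token=False it trusts the session
    cookie alone, which the browser attaches to the request no matter which
    page originated it: the trust an XSRF attack abuses. With check_token=True
    it also demands the per-session token, which a page on another origin
    cannot read and therefore cannot supply."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "401 not logged in"
    if check_token:
        supplied = form.get("csrf_token", "")
        if not hmac.compare_digest(supplied, session["csrf"]):
            return "403 missing or wrong CSRF token"
    return f"200 transferred {form['amount']} from {session['user']}"


def simulate(check_token: bool) -> tuple:
    """Two requests carrying the victim's cookie: one submitted from the
    site's own form (has the token) and one constructed on another origin
    (cannot have it). Returns the two responses."""
    sid = login("alice")
    cookies = {"session": sid}                 # the browser adds this to both
    own_form = {"amount": "10", "csrf_token": csrf_token_for(sid)}
    cross_site_form = {"amount": "9999"}       # constructed forged request
    return (handle_transfer(cookies, own_form, check_token),
            handle_transfer(cookies, cross_site_form, check_token))


if __name__ == "__main__":
    print("cookie only:", simulate(check_token=False))
    print("cookie + token:", simulate(check_token=True))
```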
Question 3
a) Answer: The main differences between real-time brute force password recovery
attacks and table-based pre-computation password recovery attacks are as follows:
i) A brute force password recovery attack is extremely easy to crack and takes
less time, whereas a pre-computation password recovery attack cannot be cracked
easily and takes longer.
ii) A brute force password recovery attack is used for checking weak passwords,
and the opposite holds for a pre-computation password recovery attack.
b) Answer: The three best practice approaches for designing password hashing
schemes are Lookup Tables, Reverse Lookup Tables and Rainbow Tables.
i) Lookup Tables are the most effective way of cracking all hashes of the same
type extremely fast.
ii) Reverse Lookup Tables help to create a particular lookup table, which maps
each password hash from the user database. The attacker then hashes a password
guess and uses the lookup table to get the list of users with that guessed
password.
iii) Rainbow Tables can be defined as a time-memory trade-off technique.
c) Answer: i) Brute Force Password Recovery Attacks: this type of attack enables
the attacker to apply the attack to several hashes simultaneously, without
pre-computing a reverse lookup table, which affects the complexity of the brute
force attack. The second approach that affects the complexity of a brute force
attack is the rainbow table, which sacrifices the speed of hash cracking.
ii) Pre-Computation Password Recovery Attack: lookup tables are extremely
effective against the complexities of this type of attack. The main advantage of
this type of attack is that it saves computation time and makes the run less
demanding.
d) Answer: In UNIX systems, user passwords were protected in the password file
known as /etc/passwd, which is world readable. Later they were moved to
/etc/shadow, which is backed up in /etc/shadow-. This file is readable only by
root, and the passwords in it are hashed and salted.
e) Answer: Pre-computed hash tables, or rainbow tables, are used for cracking
password hashes; they effectively reverse the cryptographic hash function. The
plaintext password can be recovered up to a specific length that consists of a
restricted character set. Rainbow tables are a time-memory trade-off technique
and are extremely effective in increasing the effectiveness of password cracking
tools.
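As an added Python example for this question and the identical 2013 Question 1 (not from the original answers), the following contrasts the two schemes discussed: a fast unsalted hash that a precomputed lookup table recovers in one dictionary access, and a salted, iterated hash in the style of a modern /etc/shadow entry, against which the same table finds nothing because no table can be built before the salt is known. The wordlist and the record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an attacker precomputes;
# a real table holds millions of entries, but the mechanics are the same.
WORDLIST = ["letmein", "password123", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal
    hashes, so a single precomputed table serves against every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Pre-computation phase: hash the wordlist once, keyed by hash."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(table: dict, stored_hash: str):
    """Table-based recovery: no hashing at attack time, just a dictionary
    lookup. Returns the plaintext, or None if the hash is not in the table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """The best-practice scheme: a random per-user salt plus an iterated
    key-derivation function (PBKDF2-HMAC-SHA256). Stored as
    'iterations$salt_hex$digest_hex', mirroring the fields of a shadow entry."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and iteration count and
    compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run both schemes against the same table and report what it recovers.
    The unsalted hash is cracked instantly, the salted one is not, and two
    salted hashes of the same password differ, so one table cannot serve
    two users."""
    table = build_lookup_table(WORDLIST)
    weak = unsalted_hash("password123")
    strong = salted_hash("password123")
    return {
        "table_cracks_unsalted": crack_with_table(table, weak),
        "table_cracks_salted": crack_with_table(table, strong),
        "verify_ok": verify_salted("password123", strong),
        "verify_wrong_password": verify_salted("hunter2", strong),
        "same_password_differs": salted_hash("password123") != strong,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```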
Question 4
a) Answer: The CVE (Common Vulnerabilities and Exposures) system provides a common reference scheme for publicly known information security vulnerabilities and exposures.
A CVE identifier (of the form CVE-year-number) is a unique name for one publicly known vulnerability.
CVE identifiers are useful in security testing because a scanner result, a vendor advisory and a test report can all refer to the same issue by one unambiguous identifier, and the associated record gives the affected versions and references needed to confirm or exclude a finding.
b) Answer: A well-known automated vulnerability scanner is OpenVAS (Open Vulnerability Assessment System).
i) The benefit of identifying vulnerabilities manually is that a tester can find logic flaws and application-specific programming errors that a scanner's signature set does not cover, and can confirm whether a suspected flaw is actually exploitable.
ii) The benefit of identifying vulnerabilities automatically is coverage: a scanner gathers service, version and configuration information from many hosts quickly and repeatably and checks it against a large database of known vulnerabilities.
c) Answer: Functional testing checks that software does what its specification requires: each function is exercised with valid input during development and the output is compared with the expected result.
Robustness testing checks how software behaves under invalid, unexpected or stressful input and conditions, which is where most security-relevant defects appear. It matters most when the software is tested through its system interfaces, because that is where untrusted input arrives.
d) Answer: Fuzzing is an automated software testing technique that feeds unexpected, invalid or random data to a program as input and watches for crashes, hangs and failed assertions.
Fuzzing can be used during an organisation's security assessment to find input-handling flaws before an attacker does; the crashes it produces then have to be triaged and fixed, since fuzzing itself only finds vulnerabilities, it does not remove them.
e) Answer: Two techniques used to obtain higher privileges on a compromised host are as follows:
i) Access Token Manipulation: on Windows, a process running under a privileged account (for example SYSTEM) carries an access token; an attacker who can open such a process duplicates its token and uses it to create a new process or to impersonate, so their code runs with that token's privileges.
ii) Accessibility Features: Windows accessibility programs such as Sticky Keys (sethc.exe) or Utility Manager (utilman.exe) can be launched from the logon screen before anyone authenticates. Replacing the binary with cmd.exe, or registering cmd.exe as its debugger, yields a SYSTEM shell at the logon screen.
f) Answer: Three OS countermeasures that can be used to protect against buffer overflow attacks are as follows:
i) Stack canaries: a random value is placed between a function's local buffers and its saved return address; the function epilogue checks that the value is intact and aborts the process if an overflow has overwritten it.
ii) ASLR: Address Space Layout Randomization randomises the base addresses of the stack, heap and loaded libraries each time a process starts, so an attacker cannot predict the addresses an exploit needs to jump to.
iii) DIFT: Dynamic Information Flow Tracking tags data that arrives from untrusted sources and propagates the tag through the program, raising an alert when tainted data is used as a code pointer or jump target.
Year 2016
Question 1
a) Answer: The three steps of an XSS attack are as follows:
i) Finding a vulnerable website: the attacker looks for pages that echo user-supplied input (search boxes, comment fields, error pages), often using search-engine queries ("Google dorks") to locate candidate sites, and then targets that site's users.
ii) Testing the vulnerability: the attacker submits a harmless script of their own (for example one that opens an alert box) to confirm that the input is returned to the browser without being escaped.
iii) Exploiting the vulnerability: the attacker replaces the test script with a payload that steals session cookies or performs actions as the victim, and delivers it to the targeted website's users.
b) Answer: The differences between reflected and stored XSS attacks are as follows:
Reflected attacks are those where the injected script is reflected straight back by the web server, in a search result, an error message or any other response that echoes part of the request. The payload travels in the request itself. When the user is tricked into clicking a malicious link, the injected code is sent to the website, which reflects it back, and the script runs in the user's browser. This is also known as Non-Persistent or Type II XSS.
Stored XSS attacks are those where the injected script is stored permanently on the target server, for example in a visitor log, a database field, a comment or a message forum. Every victim who requests the stored content retrieves the script from the server and it runs in their browser. This is also known as Persistent or Type I XSS.
c) Answer: Poor data or input validation means accepting data that is not strongly typed, has incorrect syntax, contains characters outside the permitted set or lies outside the permitted range.
Two examples of such poor data validation are as follows:
i) A month field that accepts the number 13: the value is syntactically a number but outside the range 1 to 12 and should be rejected.
ii) An address field that accepts a person's name: the value is of the wrong kind and should be rejected.
d) Answer: The sanitization approach accepts user data and transforms it into a safe form before it is stored or processed. The range of acceptable input is broad, so the goal is to strip or encode anything outside it rather than to reject the whole submission.
For example, given a form field such as <input type="text" id="title" name="title" />
the submitted data can be sanitized with a function such as WordPress's sanitize_text_field(), which removes tags and control characters.
Sanitization on input is only half of the protection against XSS; the other half is escaping, that is, encoding the data for the context in which it is output (HTML body, attribute, JavaScript, URL) so that the browser treats it as text rather than as markup.
Sanitization should use an allow-list of permitted characters. Block-lists that look for dangerous patterns and characters such as apostrophes or script tags are routinely bypassed: an attacker who learns what the filter removes can use alternative encodings, nested tags or event handlers that the filter does not cover.
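As an added example (not code from the original document or from WordPress), the following Python code shows the two halves described above: allow-list validation for the month and title fields from parts c) and d), and escaping at output time. It also includes a block-list filter of the kind the text warns against, so the bypass can be seen. The field rules, the payloads and the crude "active markup" check are assumptions made for illustration.

```python
import html
import re

# Allow-list for the 'title' field (assumed policy): letters, digits, space and a little punctuation.
TITLE_ALLOWED = re.compile(r"[A-Za-z0-9 .,'\-]{1,80}")

# Tags a browser would act on; used only to compare the two rendering paths below (assumed check).
ACTIVE_TAG = re.compile(r"<(script|img)\b", re.IGNORECASE)


def validate_month(value: str) -> int:
    """Strong typing plus range check: one or two digits, value 1..12."""
    if not re.fullmatch(r"\d{1,2}", value):
        raise ValueError("month must be one or two digits")
    month = int(value)
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return month


def validate_title(value: str) -> str:
    """Allow-list validation: reject anything outside the permitted character set."""
    if not TITLE_ALLOWED.fullmatch(value):
        raise ValueError("title contains characters outside the allow-list")
    return value


def blocklist_filter(value: str) -> str:
    """Block-list 'sanitizer' of the kind the text warns against: strips one spelling of <script>."""
    return value.replace("<script>", "").replace("</script>", "")


def render_unsafe(title: str, comment: str) -> str:
    """Output without escaping: any markup in the data becomes part of the page."""
    return f"<h1>{title}</h1><p>{comment}</p>"


def render_escaped(title: str, comment: str) -> str:
    """Output escaping for the HTML body context: the browser shows the data as text."""
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(comment)}</p>"


def contains_active_markup(fragment: str) -> bool:
    """True if the rendered fragment still carries a tag the browser would execute."""
    return ACTIVE_TAG.search(fragment) is not None


# Constructed payloads: the first reassembles <script> after one pass of the block-list,
# the second carries its script in an event handler the block-list never looks at.
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</script>"
HANDLER_PAYLOAD = "<img src=x onerror=alert(1)>"


if __name__ == "__main__":
    for payload in (NESTED_PAYLOAD, HANDLER_PAYLOAD):
        print("block-list then unsafe render:",
              contains_active_markup(render_unsafe("t", blocklist_filter(payload))))
        print("escaped render              :",
              contains_active_markup(render_escaped("t", payload)))
```

The block-list lets both payloads through and the unsafe render turns them into live markup; the escaped render neutralises both without needing to know what the payload looks like, which is why output escaping is the defence that holds.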
e) Answer: No. XSRF (cross-site request forgery) vulnerabilities are not a consequence of poor data or input validation. The attack works within an authenticated session: the browser automatically attaches the session cookie to any request to the site, so a request forged by a malicious page carries valid credentials and perfectly valid field values, and validating those values does not help. The cause is that the server trusts the browser without checking that the user intended the request; the countermeasure is a per-session anti-CSRF token that the attacker's page cannot read, or a SameSite cookie attribute, rather than stricter input validation.
Question 4
a) Answer: A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, so the excess overwrites the memory adjacent to the buffer. On the stack that adjacent memory includes the saved return address, and an attacker who overwrites it with the address of their own instructions (placed in the buffer itself or elsewhere in the process) forces the program to execute them, typically to obtain a shell with the privileges of the vulnerable process, which is a root shell if the process runs as root.
b) Answer: Three OS countermeasures that can be used to protect against buffer overflow attacks are as follows:
i) Stack canaries: a random value is placed between a function's local buffers and its saved return address; the function epilogue checks that the value is intact and aborts the process if an overflow has overwritten it.
ii) ASLR: Address Space Layout Randomization randomises the base addresses of the stack, heap and loaded libraries each time a process starts, so an attacker cannot predict the addresses an exploit needs to jump to.
iii) DIFT: Dynamic Information Flow Tracking tags data that arrives from untrusted sources and propagates the tag through the program, raising an alert when tainted data is used as a code pointer or jump target.
c) Answer: An integer overflow occurs when an arithmetic operation produces a value outside the range its integer type can represent, so the stored result wraps around and is either much smaller or, after a wrap into the negative range, much larger than intended. A size or index computed this way can defeat a bounds check that follows it.
This type of attack can be prevented by checking the operands before the arithmetic (or using compiler-provided overflow-checked operations), and by not using signed integers for array indexing and size calculations, since a negative value passes a simple upper-bound check.
d) Answer: Fuzzing is an automated software testing technique that feeds unexpected, invalid or random data to a program as input and watches for crashes, hangs and failed assertions.
Fuzzing can be used during an organisation's security assessment to find input-handling flaws before an attacker does; the crashes it produces then have to be triaged and fixed, since fuzzing only finds vulnerabilities, it does not remove them.
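As an added example (not code from the original document), the following Python mutation fuzzer runs against a small constructed record parser that contains a deliberate bug: it trusts a length byte without checking it against the remaining input. The parser, its record format and the mutation operators are assumptions made for illustration; the point is the loop a fuzzer runs, the distinction between expected rejections and unexpected crashes, and the minimisation step that shrinks a crashing input for triage.

```python
import random


def parse_record(data: bytes) -> dict:
    """Constructed target: [tag][length][payload...][checksum].
    Deliberate bug: `length` is trusted, so a length larger than the
    remaining input makes the checksum read index past the end of `data`.
    """
    if len(data) < 2:
        raise ValueError("short header")          # documented rejection
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]                   # IndexError when `length` lies
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")          # documented rejection
    return {"tag": tag, "payload": payload}


# Constructed valid seed: tag 1, three payload bytes, correct checksum.
SEED = bytes([1, 3]) + b"abc" + bytes([sum(b"abc") % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: overwrite, insert, delete or truncate."""
    buf = bytearray(seed)
    op = rng.choice(["overwrite", "insert", "delete", "truncate"])
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Feed mutated inputs to `target`; keep every input that raises anything
    other than the parser's documented ValueError. Returns (input, exception name) pairs."""
    rng = random.Random(rng_seed)                 # fixed seed: reproducible campaign
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                              # expected: malformed input rejected cleanly
        except Exception as exc:                  # unexpected: a bug worth triaging
            findings.append((case, type(exc).__name__))
    return findings


def minimize(target, case: bytes, exc_name: str) -> bytes:
    """Greedy reduction: drop single bytes while the same exception still occurs,
    restarting from the front after every accepted deletion."""
    def crashes(data: bytes) -> bool:
        try:
            target(data)
        except Exception as exc:
            return type(exc).__name__ == exc_name
        return False

    changed = True
    while changed:
        changed = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if crashes(candidate):
                case = candidate                  # still crashes: keep the shorter input
                changed = True
                break
    return case


if __name__ == "__main__":
    results = fuzz(parse_record, SEED, 500)
    print(f"{len(results)} crashing inputs out of 500")
    if results:
        worst, name = results[0]
        print(name, "minimised to", minimize(parse_record, worst, name))
```

Every crash the campaign finds is an IndexError, and minimisation reduces each one to a two-byte input, which points straight at the unchecked length field: that is the triage signal a fuzzing finding should carry into the fix.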
Year 2017
Question 1
a) Answer: Poor data or input validation means accepting data that is not strongly typed, has incorrect syntax, contains characters outside the permitted set or lies outside the permitted range.
Two examples of such poor data validation are as follows:
i) A month field that accepts the number 13: syntactically a number, but outside the range 1 to 12.
ii) An address field that accepts a person's name: a value of the wrong kind.
b) Answer: Code injection attacks exploit a bug in the way a program processes invalid data: input supplied by the attacker reaches an interpreter (a shell, a database, a browser) in a position where it is executed as code rather than treated as data. Any user of the vulnerable program can be affected, because the injected code runs with the program's privileges.
Two examples of code injection attacks are Cross Site Scripting (XSS) and OS command injection.
c) Answer: SQL injection attacks are a type of code injection used against data-driven applications, in which malicious SQL fragments are entered into an input field so that the database executes them. The attacker looks for an input to the web application that ends up inside an SQL query; the application is vulnerable when it includes that user input directly in the SQL statement instead of passing it as a parameter.
For example, if the application builds its query as SELECT * FROM Users WHERE UserId = followed by the raw input, the input 105 OR 1=1 turns it into:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
which is true for every row, so every user record is returned.
d) Answer: A blind SQL injection attack is a kind of SQL injection in which the attacker asks the database true-or-false questions and infers the answers from differences in the application's response, rather than seeing query results or error messages directly. It is the technique used when the web application is configured to show only generic error messages.
Example of blind SQL injection:
A shop's web portal displays items for sale. For item number 34 it runs the following query:
SELECT name, description, price FROM Store_table WHERE id = 34;
The attacker manipulates the item number so that the query becomes
SELECT name, description, price FROM Store_table WHERE id = 34 AND 1=2;
The condition is false, so no item is displayed.
Next the attacker supplies 1=1 instead; the condition is true and item 34 is displayed. Once this difference in behaviour is established, the attacker substitutes any condition for 1=1 (for example a comparison of one character of a value stored in another table) and reads its truth value from whether item 34 appears.
e) Answer: Two countermeasures against SQL injection attacks are as follows:
i) Performing systematic input validation, so that every field is checked against the type, length and character set it is expected to contain before it reaches the database layer.
ii) Using parameterized queries (prepared statements) or parameterized stored procedures to access the database, so that user input is passed to the database as a value and is never treated as part of the SQL statement.
Both countermeasures are straightforward to apply; the second is the one that removes the vulnerability, since validation alone can be bypassed when a field legitimately has to contain quotes or other SQL metacharacters.
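As an added example serving parts c), d) and e) above (not code from the original document), the following Python script builds the shop's Store_table from the blind injection example in an in-memory SQLite database, alongside a Users table assumed for illustration. It shows the concatenated query that is injectable, the parameterised query that is not, and a blind extraction loop that recovers a value from the Users table using nothing but whether item 34 is displayed. The table contents and the hex alphabet of the extracted value are constructed.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed data: the shop table from the text plus a Users table to steal from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Store_table (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE Users (UserId INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO Store_table VALUES (34, 'Lamp', 'Desk lamp', 19.99);
        INSERT INTO Store_table VALUES (35, 'Chair', 'Office chair', 89.0);
        INSERT INTO Users VALUES (105, 'alice', 'a1b2c3');
        INSERT INTO Users VALUES (106, 'admin', 'c0ffee');
    """)
    return conn


def lookup_item_vulnerable(conn, item_id: str) -> list:
    """Vulnerable: the request parameter is pasted into the SQL text."""
    sql = f"SELECT name, description, price FROM Store_table WHERE id = {item_id}"
    return conn.execute(sql).fetchall()


def lookup_item_safe(conn, item_id: str) -> list:
    """Countermeasures from part e): validate the type, then bind the value as a parameter."""
    item = int(item_id)                      # input validation: anything but an integer is rejected
    sql = "SELECT name, description, price FROM Store_table WHERE id = ?"
    return conn.execute(sql, (item,)).fetchall()   # '?' is data to the driver, never SQL


def oracle(conn, condition: str) -> bool:
    """The blind oracle: does item 34 still appear when `condition` is ANDed onto the query?"""
    return bool(lookup_item_vulnerable(conn, f"34 AND ({condition})"))


def blind_extract(conn, column: str, table: str, where: str,
                  alphabet: str = "0123456789abcdef", max_len: int = 64) -> str:
    """Recover a string one character at a time from true/false answers alone.
    `alphabet` is the assumed character set of the value (hex digits here)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            condition = f"(SELECT substr({column}, {pos}, 1) FROM {table} WHERE {where}) = '{ch}'"
            if oracle(conn, condition):
                recovered += ch
                break
        else:
            return recovered                 # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("normal  :", lookup_item_vulnerable(db, "34"))
    print("OR 1=1  :", lookup_item_vulnerable(db, "34 OR 1=1"))
    print("AND 1=2 :", lookup_item_vulnerable(db, "34 AND 1=2"))
    print("blind   :", blind_extract(db, "password_hash", "Users", "username = 'admin'"))
```

The blind loop costs up to one request per alphabet character per position, which is why blind injection is slow but still fatal: the application never shows the Users table, yet its entire contents can be read through the item page.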
Question 3
a) i) Answer: The main differences between real-time brute-force password recovery attacks and table-based pre-computation password recovery attacks are as follows:
i) A brute-force attack does all of its hashing at attack time and needs no storage beyond the candidate list, whereas a pre-computation attack does the hashing once, in advance, and stores the results; recovering a password is then a fast table lookup, at the cost of generating and storing a table that can be very large.
ii) A brute-force attack works against salted hashes (each salt simply has to be tried in turn), whereas a pre-computation attack is defeated by salting, because the table would have to be rebuilt for every salt value.
a) ii) Answer: The main differences between brute-force and dictionary-based password recovery attacks are as follows:
i) A brute-force attack tries every possible combination of characters up to a given length, whereas a dictionary attack tries a list of likely passwords (common passwords, words and simple variations of them).
ii) A brute-force attack covers a very large key space and is therefore slow, whereas a dictionary attack is limited to the entries in its list and is therefore fast but misses any password not in it.
These are the major differences between dictionary-based and brute-force password recovery attacks.
b) Answer: The three table-based attacks that a password hashing scheme has to be designed to resist are lookup tables, reverse lookup tables and rainbow tables; the best-practice answers to them are a per-user random salt and a deliberately slow hash function.
i) Lookup tables precompute the hash of every candidate password once and are the fastest way to crack all unsalted hashes of the same type.
ii) Reverse lookup tables are built from the stolen database: each hash is mapped to the list of users who have it. The attacker then hashes each password guess once and looks it up in that table to find every account whose hash matches, so one computation is checked against all users at once.
iii) Rainbow tables are a time-memory trade-off: chains of hash and reduction steps are precomputed and only the chain endpoints are stored, so a hash can be inverted with much less storage than a full lookup table.
c) Answer: On UNIX systems the account database /etc/passwd is world-readable, so the password hashes were moved out of it into /etc/shadow, which is readable only by root (tools that rewrite the file keep the previous version as /etc/shadow-). The hashes are salted, and the salt is stored alongside the hash in the user's shadow entry.
d) i) Answer: Pre-computed hash tables and rainbow tables are used to crack password hashes. They do not reverse the cryptographic hash function itself; they store the results of hashing every plaintext drawn from a bounded length and character set, so a plaintext can be recovered only if it lies within that space.
d) ii) Answer: Rainbow tables are a time-memory trade-off that makes password cracking tools considerably more effective against unsalted hashes, and among the table-based techniques they are the most practical, because they cover a large password space with a fraction of the storage a full lookup table would need.
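As an added example covering parts b), c) and d) of this question and the same material under Year 2015 Question 3 (not code from the original document), the following Python code cracks a small constructed set of unsalted SHA-256 hashes with a reverse lookup table, repeats the attack against salted hashes to show why the table stops helping, and splits a constructed /etc/shadow line into its fields. The wordlist, accounts, salts and shadow entry are all constructed; real password stores use a slow, salted function rather than plain SHA-256, and the shadow hash below is a placeholder, not a real digest.

```python
import hashlib
from collections import defaultdict

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "summer2017"]

# Constructed victim accounts; "dave" chose a password that is not in the wordlist.
ACCOUNTS = {"alice": "password", "bob": "qwerty", "carol": "password", "dave": "Tr0ub4dor&3"}
SALTS = {"alice": b"k3", "bob": b"p9", "carol": b"x1", "dave": b"q7"}   # random in practice

# Constructed shadow line in the $id$salt$hash layout ($6 = SHA-512 crypt); hash is a placeholder.
SHADOW_LINE = "alice:$6$Ab3dEfGh$ZmFrZWhhc2g:17000:0:99999:7:::"


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt prepended to the password: the shape (not the algorithm) of a shadow-file hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# What the attacker stole: an unsalted database and a salted one for the same users.
STOLEN_UNSALTED = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
STOLEN_SALTED = {user: (SALTS[user], salted_hash(pw, SALTS[user])) for user, pw in ACCOUNTS.items()}


def build_reverse_lookup(stolen: dict) -> dict:
    """hash -> [users with that hash]; built once from the stolen database."""
    table = defaultdict(list)
    for user, digest in stolen.items():
        table[digest].append(user)
    return table


def crack_unsalted(stolen: dict, wordlist: list) -> tuple:
    """One hash per guess is checked against every user at once.
    Returns ({user: password}, number of hash computations)."""
    table = build_reverse_lookup(stolen)
    found, computations = {}, 0
    for guess in wordlist:
        computations += 1
        for user in table.get(unsalted_hash(guess), []):
            found[user] = guess
    return found, computations


def crack_salted(stolen: dict, wordlist: list) -> tuple:
    """Each user's salt forces the wordlist to be rehashed for that user alone.
    Returns ({user: password}, number of hash computations)."""
    found, computations = {}, 0
    for user, (salt, digest) in stolen.items():
        for guess in wordlist:
            computations += 1
            if salted_hash(guess, salt) == digest:
                found[user] = guess
                break
    return found, computations


def parse_shadow_entry(entry: str) -> dict:
    """Split a shadow line into user and the $id$salt$hash parts of its password field.
    Entries carrying a rounds= parameter have one more $-separated field and are not handled."""
    fields = entry.split(":")
    _, algo_id, salt, digest = fields[1].split("$")
    return {"user": fields[0], "algorithm": algo_id, "salt": salt, "hash": digest}


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(STOLEN_UNSALTED, WORDLIST))
    print("salted  :", crack_salted(STOLEN_SALTED, WORDLIST))
    print("shadow  :", parse_shadow_entry(SHADOW_LINE))
```

With four accounts and five guesses the unsalted attack needs five hash computations in total, while the salted attack needs one pass per user and hits the full wordlist for the one user it cannot crack; the gap grows with the number of accounts, which is the whole point of the salt.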
Question 5
a) i) Answer: On a modern operating system each thread of a process has a stack, and control flow between functions is organised on it as a sequence of frames. A call instruction pushes the return address; the called function then saves the caller's frame pointer and reserves space below it for its local variables, including any local buffers. On return the saved frame pointer and the return address are popped and execution continues at that address. Local data and control data therefore sit next to each other in memory, and because buffers are filled towards higher addresses, overrunning a local buffer reaches the saved frame pointer and return address above it.
ii) Answer: A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, so the excess overwrites the memory adjacent to the buffer. On the stack that adjacent memory includes the saved return address, and an attacker who overwrites it with the address of their own instructions (placed in the buffer itself or elsewhere in the process) forces the program to execute them, typically to obtain a shell with the privileges of the vulnerable process, which is a root shell if the process runs as root.
b) Answer: Three OS countermeasures that can be used to protect against buffer overflow attacks are as follows:
i) Stack canaries: a random value is placed between a function's local buffers and its saved return address; the function epilogue checks that the value is intact and aborts the process if an overflow has overwritten it.
ii) ASLR: Address Space Layout Randomization randomises the base addresses of the stack, heap and loaded libraries each time a process starts, so an attacker cannot predict the addresses an exploit needs to jump to.
iii) DIFT: Dynamic Information Flow Tracking tags data that arrives from untrusted sources and propagates the tag through the program, raising an alert when tainted data is used as a code pointer or jump target.
c) i) Answer: Format string attacks occur when user-supplied input is passed to a formatting function such as printf() as the format string itself rather than as an argument. The formatting directives in the input (%x, %s, %n) are then interpreted by the function: the attacker can read values off the stack, and with %n write an attacker-chosen value to memory, which is enough to hijack control flow.
ii) Answer: The measure for preventing format string attacks is never to let input become the format string: call the function with a constant format and pass the input as an argument (printf("%s", input) rather than printf(input)), and enable the compiler warnings that flag non-literal format strings. Filtering '%' out of the input is a weaker substitute, because the defect is in how the program calls the function, not in the data.
d) Answer: An integer overflow occurs when an arithmetic operation produces a value outside the range its integer type can represent, so the stored result wraps around and is either much smaller or, after a wrap into the negative range, much larger than intended. A length or index computed this way can pass a bounds check and then drive an out-of-bounds memory access.