412-79 Practice Test


Page 13 out of 40 Pages

The Web parameter tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.
This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.

What is the best way to protect web applications from parameter tampering attacks?

A. Validating some parameters of the web application
B. Minimizing the allowable length of parameters
C. Using an easily guessable hashing algorithm
D. Applying effective input field filtering parameters

Answer: D. Applying effective input field filtering parameters



The term social engineering is used to describe the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public.

What is the criminal practice of social engineering where an attacker uses the telephone system in an attempt to scam the user into surrendering private information?

A. Phishing
B. Spoofing
C. Tapping
D. Vishing

Answer: D. Vishing



A directory traversal (or path traversal) attack consists of exploiting insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

To perform a directory traversal attack, which sequence does a pen tester need to follow to manipulate variables of reference files?

A. dot-dot-slash (../) sequence
B. Denial-of-Service sequence
C. Brute force sequence
D. SQL Injection sequence

Answer: A. dot-dot-slash (../) sequence

Reference: https://www.cs.ucsb.edu/~vigna/publications/2010_doupe_cova_vigna_dimva10.pdf (page 7, directory traversal)

Which one of the following scans starts, but does not complete, the TCP handshake sequence for each port selected, works well for direct scanning, and often works well through firewalls?

A. SYN Scan
B. Connect() scan
C. XMAS Scan
D. Null Scan

Answer: A. SYN Scan



What information can be collected by dumpster diving?

A. Sensitive documents
B. Email messages
C. Customer contact information
D. All the above

Answer: A. Sensitive documents

Reference: http://www.spamlaws.com/dumpster-diving.html

