ECSAv8 무료 덤프문제 온라인 액세스

Fuzz testing or fuzzing is a software/application testing technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
Fuzzers work best for problems that can cause a program to crash, such as buffer overflow, cross-site scripting, denial of service attacks, format bugs, and SQL injection.
Fuzzer helps to generate and submit a large number of inputs supplied to the application for testing it against the inputs. This will help us to identify the SQL inputs that generate malicious output.
Suppose a pen tester knows the underlying structure of the database used by the application (i.e., name, number of columns, etc.) that she is testing.
Which of the following fuzz testing she will perform where she can supply specific data to the application to discover vulnerabilities?

• A.Smart Fuzz Testing
• B.Complete Fuzz Testing
• C.Dumb Fuzz Testing
• D.Clever Fuzz Testing

During the process of fingerprinting a web application environment, what do you need to do in order to analyze HTTP and HTTPS request headers and the HTML source code?

• A.Perform Web Spidering
• B.Check the HTTP and HTML Processing by the Browser
• C.Examine Source of the Available Pages
• D.Perform Banner Grabbing

A directory traversal (or path traversal) consists in exploiting insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

To perform a directory traversal attack, which sequence does a pen tester need to follow to manipulate variables of reference files?

• A.Denial-of-Service sequence
• B.dot-dot-slash (../) sequence
• C.SQL Injection sequence
• D.Brute force sequence

The Web parameter tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.
This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.

What is the best way to protect web applications from parameter tampering attacks?

• A.Applying effective input field filtering parameters
• B.Validating some parameters of the web application
• C.Minimizing the allowable length of parameters
• D.Using an easily guessable hashing algorithm

The first and foremost step for a penetration test is information gathering. The main objective of this test is to gather information about the target system which can be used in a
malicious manner to gain access to the target systems.

Which of the following information gathering terminologies refers to gathering information through social engineering on-site visits, face-to-face interviews, and direct questionnaires?

• A.Active Information Gathering
• B.Pseudonymous Information Gathering
• C.Open Source or Passive Information Gathering
• D.Anonymous Information Gathering