WGU C836
FUNDAMENTALS OF INFORMATION SECURITY
2025-2026 VERSION
DETAILED QUESTION SET WITH 250 QUESTIONS AND
RATIONALES
To set a limit on the amount of data we expect to receive to set aside storage for that data
*required in most programming languages
* prevents buffer overflows - Bounds checking
A type of software development vulnerability that occurs when multiple processes or multiple threads within a
process control or share access to a particular resource, and the correct handling of that resource depends on the
proper ordering or timing of transactions - Race conditions
A type of attack that can occur when we fail to validate the input to our applications or take steps to filter out
unexpected or undesirable content - input validation
A type of input validation attacks in which certain print functions within a programming language can be used
to manipulate or view the internal memory of an application - Format string attack
A type of attack that can occur when we fail to use strong authentication mechanisms for our applications -
Authentication attack
A type of attack that can occur when we fail to use authorization best practices for our applications -
Authorization attack
,A type of attack that can occur when we fail to properly design our security mechanisms when implementing
cryptographic controls in our applications - Cryptographic attack
A type of attack that takes advantage of weaknesses in the software loaded on client machines or one that uses
social engineering techniques to trick us into going along with the attack - Client-side attack
EXPLANATIONS OF TERMS
XSS (Cross Site Scripting)
An attack carried out by placing code in the form of a scripting language into a web page or other media that is
interpreted by a client browser
XSRF (cross-site request forgery)
An attack in which the attacker places a link on a web page in such a way that it will be automatically executed
to initiate a particular activity on another web page or application where the user is currently authenticated
SQL Injection Attack
Attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common
database software application) applications in order to introduce malicious program code into a company's
systems and networks.
clickjacking
An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on
something we might not otherwise
server-side attack
A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or
inadequate permissions, or extraneous files left on the server from the development process
Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation
Name the 4 main categories of database security issues
web application analysis tool
A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS
or SQL injection flaws, and improperly set permissions, extraneous files, outdated software versions, and many
more such items
protocol issues
, Unauthenticated flaws in network protocols, authenticated flaws in network protocols, flaws in authentication
protocols
arbitrary code execution
An attack that exploits an applications vulnerability into allowing the attacker to execute commands on a user's
computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation
An attack that exploits a vulnerability in software to gain access to resources that the user normally would be
restricted from accessing.
* via SQL injection or local issues
validating user inputs
A security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto)
A web server analysis tool that performs checks for many common server-side vulnerabilities & creates an
index of all the files and directories it can see on the target web server (a process known as spidering)
burp suite
A well-known GUI web analysis tool that offers a free and professional version; the pro version includes
advanced tools for conducting more in-depth attacks
FUNDAMENTALS OF INFORMATION SECURITY
2025-2026 VERSION
DETAILED QUESTION SET WITH 250 QUESTIONS AND
RATIONALES
To set a limit on the amount of data we expect to receive to set aside storage for that data
*required in most programming languages
* prevents buffer overflows - Bounds checking
A type of software development vulnerability that occurs when multiple processes or multiple threads within a
process control or share access to a particular resource, and the correct handling of that resource depends on the
proper ordering or timing of transactions - Race conditions
A type of attack that can occur when we fail to validate the input to our applications or take steps to filter out
unexpected or undesirable content - input validation
A type of input validation attacks in which certain print functions within a programming language can be used
to manipulate or view the internal memory of an application - Format string attack
A type of attack that can occur when we fail to use strong authentication mechanisms for our applications -
Authentication attack
A type of attack that can occur when we fail to use authorization best practices for our applications -
Authorization attack
,A type of attack that can occur when we fail to properly design our security mechanisms when implementing
cryptographic controls in our applications - Cryptographic attack
A type of attack that takes advantage of weaknesses in the software loaded on client machines or one that uses
social engineering techniques to trick us into going along with the attack - Client-side attack
EXPLANATIONS OF TERMS
XSS (Cross Site Scripting)
An attack carried out by placing code in the form of a scripting language into a web page or other media that is
interpreted by a client browser
XSRF (cross-site request forgery)
An attack in which the attacker places a link on a web page in such a way that it will be automatically executed
to initiate a particular activity on another web page or application where the user is currently authenticated
SQL Injection Attack
Attacks against a web site that take advantage of vulnerabilities in poorly coded SQL (a standard and common
database software application) applications in order to introduce malicious program code into a company's
systems and networks.
clickjacking
An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on
something we might not otherwise
server-side attack
A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or
inadequate permissions, or extraneous files left on the server from the development process
Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation
Name the 4 main categories of database security issues
web application analysis tool
A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS
or SQL injection flaws, and improperly set permissions, extraneous files, outdated software versions, and many
more such items
protocol issues
, Unauthenticated flaws in network protocols, authenticated flaws in network protocols, flaws in authentication
protocols
arbitrary code execution
An attack that exploits an applications vulnerability into allowing the attacker to execute commands on a user's
computer.
* arbitrary code execution in intrinsic or securable SQL elements
Privilege Escalation
An attack that exploits a vulnerability in software to gain access to resources that the user normally would be
restricted from accessing.
* via SQL injection or local issues
validating user inputs
A security best practice for all software
* the most effective way of mitigating SQL injection attacks
Nikto (and Wikto)
A web server analysis tool that performs checks for many common server-side vulnerabilities & creates an
index of all the files and directories it can see on the target web server (a process known as spidering)
burp suite
A well-known GUI web analysis tool that offers a free and professional version; the pro version includes
advanced tools for conducting more in-depth attacks
