C836 WGU COMPLETE Study Guide
bounds checking: to set a limit on the amount of data we expect to receive, to set aside storage for that data
* required in most programming languages
* prevents buffer overflows

race conditions: A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions

input validation: a type of attack that can occur when we fail to validate the input to our applications or take steps to filter out unexpected or undesirable content

format string attack: a type of input validation attack in which certain print functions within a programming language can be used to manipulate or view the internal memory of an application

authentication attack: A type of attack that can occur when we fail to use strong authentication mechanisms for our applications

authorization attack: A type of attack that can occur when we fail to use authorization best practices for our applications

cryptographic attack: A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications

client-side attack: A type of attack that takes advantage of weaknesses in the software loaded on client machines or one that uses social engineering techniques to trick us into going along with the attack

XSS (Cross Site Scripting): an attack carried out by placing code in the form of a scripting language into a web page or other media that is interpreted by a client browser

XSRF (cross-site request forgery): an attack in which the attacker places a link on a web page in such a way that it will be automatically executed to initiate a particular activity on another web page or application where the user is currently authenticated

clickjacking: An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise

server-side attack: A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process

Name the 4 main categories of database security issues: Protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation

web application analysis tool: A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, improperly set permissions, extraneous files, outdated software versions, and many more such items

protocol issues: unauthenticated flaws in network protocols, authenticated flaws in network protocols, flaws in authentication protocols

arbitrary code execution: An attack that exploits an application's vulnerability into allowing the attacker to execute commands on a user's computer.
* arbitrary code execution in intrinsic or securable SQL elements

Privilege Escalation: An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.
* via SQL injection or local issues

validating user inputs: a security best practice for all software
* the most effective way of mitigating SQL injection attacks

Nikto (and Wikto): A web server analysis tool that performs checks for many common server-side vulnerabilities and creates an index of all the files and directories it can see on the target web server (a process known as spidering)

burp suite: A well-known GUI web analysis tool that offers a free and professional version; the pro version includes advanced tools for conducting more in-depth attacks

fuzzer: A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in