IT395 Ch 3

A ____ attack is similar to a passive man-in-the-middle attack.
replay
A client-side attack that results in a user’s computer becoming compromised just by viewing a Web page and not even clicking any content is known as a ____.
drive-by-download
A(n) ____________________ cookie is stored in Random Access Memory (RAM), instead of on the hard drive, and only lasts for the duration of visiting the Web site.
session
A(n) ____________________ is a method for adding annotations to the text so that the additions can be distinguished from the text itself.
markup language
ARP poisoning is successful because there are few authentication procedures to verify ARP requests and replies.
False
All Web traffic is based on the ____________________ protocol.
HTTP
Although traditional network security devices can block traditional network attacks, they cannot always block Web application attacks.
True
Because of the minor role it plays, DNS is never the focus of attacks.
False
Because the XSS is a widely known attack, the number of Web sites that are vulnerable is very small.
False
For a Web server’s Linux system, the default root directory is typically ____.
/var/www
HTML is a markup language that uses specific ____ embedded in brackets.
tags
Exploits previously unknown vulnerabilities so victims have no time to prepare or defend against the attacks.
Zero day attack
Injects scripts into a Web application server that will then direct attacks at clients
Cross-site scripting (XSS) attack
Takes advantage of vulnerability in the Web application program or the Web server software so that a user can move from the root directory to other restricted directories
Directory traversal attack
The ability to move to another directory could allow an unauthorized user to view confidential files or even enter commands to execute on a server
Command injection
Targets vulnerabilities in client applications that interact with a compromised server or process malicious data
Client-side attack
Created from the Web site that a user is currently viewing
First-party cookie
Privileges that are granted to users to access hardware and software resources
Access rights
Exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining
Privilege escalation
An attack involving using a third party to gain access rights.
Transitive access
The “omnipresence” of access from any computer with only an Internet connection and a Web browser has made Web applications an essential element of organizations today.
True
The Chinese government uses _____ to prevent Internet content that it considers unfavorable from reaching its citizenry.
DNS poisoning
The SQL injection statement ____ determines the names of different fields in a database.
whatever' AND email IS NULL; --
The SQL injection statement ____ discovers the name of a table.
whatever' AND 1=(SELECT COUNT(*) FROM tabname); --
The SQL injection statement ____ erases the database table.
whatever'; DROP TABLE members; --
The SQL injection statement ____ finds specific users.
whatever' OR full_name LIKE '%Mia%'
The ____ is part of an HTTP packet that is composed of fields that contain the different characteristics of the data being transmitted.
HTTP header
The ____________________ directory is a specific directory on a Web server’s file system.
root
The default root directory of the Microsoft Internet Information Services (IIS) Web server is ____.
C:\Inetpub\wwwroot
The expression ____ up one directory level.
../ traverses
The predecessor to today’s Internet was a network known as ____________________.
ARPAnet
Users who access a Web server are usually restricted to the ____ directory.
root
Web application attacks are considered ____ attacks.
server-side
When DNS servers exchange information among themselves it is known as a ____.
zone transfer
When TCP/IP was developed, the host table concept was expanded to a hierarchical name system for matching computer names and numbers known as the ____.
DNS
____ is a language used to view and manipulate data that is stored in a relational database.
SQL
____ is an attack in which an attacker attempts to impersonate the user by using his session token.
Session hijacking
____ is designed to display data, with the primary focus on how the data looks.
HTML
____ is for the transport and storage of data, with the focus on what the data is.
XML
____ substitutes DNS addresses so that the computer is automatically redirected to another
DNS poisoning