396 Appendix ■ Answers
1. A. Black box testing begins with no prior knowledge of the system implementation, simulating a user perspective. White box and gray box testing provide full and partial knowledge of the system, respectively, in advance of the test. Blue boxes are a phone hacking tool and are not used in software testing.

2. B. In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would “succeed” in updating zero rows and not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.

3. D. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

4. C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.

5. D. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.

6. B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assist them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.

7. A. The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists. The website may also be vulnerable to cross-site request forgery, SQL injection, improper authentication, and other attacks, but there is no evidence of this provided in the scenario.

8. A. The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.
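The behaviour behind answer 2, demonstrated as an added example (not from the book or the exam scenario): a zero-row UPDATE raises no error, so a transaction that only relies on database errors to roll back silently debits one account while crediting nobody. The table layout, account numbers and the `transfer_*` functions are constructed here; the hardened version checks `rowcount` after each statement and rolls back when an UPDATE did not touch exactly one row.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts holding $1000 each."""
    conn = sqlite3.connect(":memory:")  # default mode: implicit BEGIN before DML, explicit commit
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 1000), (2, 1000)])
    conn.commit()
    return conn

def transfer_unchecked(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Naive transfer: both UPDATEs run inside one transaction, but only a database
    error triggers a rollback. Matching zero rows is not an error, so a credit to a
    nonexistent account 'succeeds' and the debit still goes through."""
    cur = conn.cursor()
    try:
        cur.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        cur.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.commit()
        return True
    except sqlite3.Error:
        conn.rollback()
        return False

def transfer_checked(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Hardened transfer: treat 'rows affected != 1' as a failure and roll back,
    so a bad account id cannot leave a half-applied transfer behind."""
    cur = conn.cursor()
    try:
        cur.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if cur.rowcount != 1:
            raise ValueError(f"credit matched {cur.rowcount} rows, expected 1")
        cur.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        if cur.rowcount != 1:
            raise ValueError(f"debit matched {cur.rowcount} rows, expected 1")
        conn.commit()
        return True
    except (sqlite3.Error, ValueError):
        conn.rollback()
        return False

def balances(conn: sqlite3.Connection) -> dict:
    """Current balance per account id, for inspection after a transfer."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id").fetchall())

if __name__ == "__main__":
    db = setup_db()
    print(transfer_unchecked(db, src=2, dst=999, amount=250), balances(db))  # True {1: 1000, 2: 750}
    db = setup_db()
    print(transfer_checked(db, src=2, dst=999, amount=250), balances(db))    # False {1: 1000, 2: 1000}
```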