CISSP Official Practice Tests by Mike Chapple, David Seidl

Chapter 8: Software Development Security (Domain 8) 399

  1. B. Client-side input validation is not an effective control against any type of attack
    because the attacker can easily bypass the validation by altering the code on the client.
    Escaping restricted characters prevents them from being passed to the database, as does
    parameterization. Limiting database permissions prevents dangerous code from executing.

  2. B. PERT charts use nodes to represent milestones or deliverables and then show the
    estimated time to move between milestones. Gantt charts use a different format with a
    row for each task and lines showing the expected duration of the task. Work breakdown
    structures are an earlier deliverable that divides project work into achievable tasks.
    Wireframe diagrams are used in web design.

  3. D. Regression testing is performed after developers make changes to an application. It
    reruns a number of test cases and compares the results to baseline results. Orthogonal
    array testing is a method for generating test cases based on statistical analysis. Pattern
    testing uses records of past software bugs to inform the analysis. Matrix testing develops a
    matrix of all possible inputs and outputs to inform the test plan.

  4. B. Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in
    a web application where input provided by one user is displayed to another user. Input
    validation is a control used to prevent XSS attacks. XSS does not require an unpatched
    server or any firewall rules beyond those permitting access to the web application.

  5. A. In a white box test, the attacker has access to full implementation details of the system,
    including source code, prior to beginning the test. In gray box testing, the attacker has
    partial knowledge. In black box testing, the attacker has no knowledge of the system and
    tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in
    software testing.

  6. C. Heuristic-based antimalware software has a higher likelihood of detecting a zero-day
    exploit than signature-based methods. Heuristic-based software does not require frequent
    signature updates because it does not rely upon monitoring systems for the presence of
    known malware. The trade-off with this approach is that it has a higher false positive rate
    than signature detection methods.

  7. D. One possibility for the clean scan results is that the virus is using stealth techniques,
    such as intercepting read requests from the antivirus software and returning a correct-looking
    version of the infected file. The system may also be the victim of a zero-day
    attack, using a virus that is not yet included in the signature definition files provided by
    the antivirus vendor.

  8. A. In URL encoding, the . character is replaced by %252E and the / character is replaced
    by %252F. You can see this in the log entry, where the expected pattern of ../../ is replaced
    by %252E%252E%252F%252E%252E%252F.
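As an added example (not from the book), the detection logic behind answer 8: the request path from a few constructed access-log lines is percent-decoded repeatedly until it stops changing, the ../ sequence is flagged, and the number of decode rounds is reported so that a double-encoded %252E%252E%252F stands out from a single-encoded one. The log lines and field layout are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the book). Line 3 carries the
# double-encoded ../../ discussed in answer 8; line 4 is single-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /app/view?file=report.pdf HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /app/view?file=%252E%252E%252F%252E%252E%252Fetc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /app/view?file=..%2F..%2Fetc/passwd HTTP/1.1" 403 0
"""

# Pull the request target out of a common-log-format request field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# Directory traversal once everything has been decoded.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def decode_rounds(value, max_rounds=3):
    """Percent-decode until the value stops changing.

    Returns (decoded_value, rounds): rounds is how many decodes changed
    the value, so %252E (". " encoded twice) reports 2 and %2E reports 1.
    max_rounds caps the work so a pathological input cannot loop forever.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def find_traversal(log_text):
    """Return (line_no, decode_rounds, decoded_path) for each traversal hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded, rounds = decode_rounds(match.group(1))
        if TRAVERSAL_RE.search(decoded):
            hits.append((lineno, rounds, decoded))
    return hits


if __name__ == "__main__":
    for lineno, rounds, path in find_traversal(SAMPLE_LOG):
        print(f"line {lineno}: traversal after {rounds} decode round(s): {path}")
```

Matching on the raw log line would miss the double-encoded request entirely, which is exactly why the answer points at %252E rather than %2E.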

  9. C. Attacks where the malicious user tricks the victim’s web browser into executing a
    script through the use of a third-party site are known as cross-site scripting (XSS) attacks.
    This particular attack is a persistent XSS attack because it remains on the discussion
    forum until an administrator discovers and deletes it, giving it the ability to affect many
    users.