CEH

(Jeff_L) #1

430 Appendix A ■ Answers to Review Questions



  1. A. Web applications can be vulnerable to session fixation if the right conditions exist. Typically this means that session IDs are not regenerated often enough or can be easily ascertained.

  2. C. Authentication mechanisms such as Kerberos can provide protection against session hijacking. Authentication provides verification of the party or parties involved in the communication.

  3. C. XSS is targeted toward web browsers and can take advantage of defects in web applications and browsers.

  4. D. Trojans are commonly used to deploy malware onto a client system, which can be used
    to perform a session hijack.

  5. C. A man-in-the-middle attack is where the attacking party inserts themselves into the communication between two different parties.

  6. A. Session hijacks can occur with both network and application traffic, depending on the
    attacker’s desired goals.

  7. D. Cookies can be used during a session hijack and indeed the information contained
    therein may be the goal of the attack, but devices alone cannot initiate an attack.

  8. D. A session hijack can be used to read cookies on a client but not on a server.


Chapter 13: Web Servers and Web Applications



  1. B. A web application is code designed to be run on the server with the results sent to the
    client for presentation.

  2. A. JavaScript is a client-side scripting language as opposed to languages such as ASP and ASP.NET.

  3. B. PHP is a server-side language that has its actions handled by the server before delivering
    the results to the requester.

  4. D. Directory traversals are used to browse outside the root of the site or location and access
    files or directories that should otherwise be hidden.

  5. B. Input validation is the process of checking input for correctness prior to its being
    accepted by an application. Unlike filtering, which works on the server side, validation
    works on the client side and prevents bad input from making it to the server.

  6. B. A banner grab can be used to connect to a service and extract information about it.

  7. A. Defense in depth provides much better protection than a single layer. It also provides a
    means of slowing down and frustrating an attacker.

